Rust in the Linux kernel (Google security blog)
Posted Apr 17, 2021 20:00 UTC (Sat) by Vipketsh (guest, #134480)
Parent article: Rust in the Linux kernel (Google security blog)
The other piece I'm curious about is the "trusting trust" problem. Years ago a lot of effort went into creating a chain of trust for C compilers to be reasonably sure there is no backdoor code that a compiler replicates into new compilers compiled by it. From what I remember reading some time ago there is no such chain from the initial rust compiler (written in C++) to the ones used today (written in rust). Considering how rust is written in rust and it's the only rust compiler available this may be quite hard. Is this problem solved today? Are the rust people thinking about this?
Posted Apr 17, 2021 20:21 UTC (Sat)
by rahulsundaram (subscriber, #21946)
https://doc.rust-lang.org/edition-guide/editions/index.html
> Considering how rust is written in rust and it's the only rust compiler available this may be quite hard. Is this problem solved today? Are the rust people thinking about this?
Posted Apr 17, 2021 22:49 UTC (Sat)
by mathstuf (subscriber, #69389)
The initial compilers were written in OCaml. When Rust was mature enough to bootstrap, migration to that was done.
There is mrustc (written in C++) which does not do lifetime verification. It can compile 1.19 and from there the compiler can be chained up. Its author has gone on to other academic ventures at this time however.
Posted Apr 18, 2021 18:03 UTC (Sun)
by Tobu (subscriber, #24111)
Posted Apr 18, 2021 15:14 UTC (Sun)
by david.a.wheeler (subscriber, #72896)
https://github.com/Rust-GCC/gccrs
A second rust compiler would enable use of diverse double-compiling (DDC) to counter the trusting trust attack:
Posted May 3, 2021 10:13 UTC (Mon)
by ksandstr (guest, #60862)
This isn't something to pass over glibly, I might add. Any program that's expected to serve its users into perpetuity unchanged should be built by tools that're held to the same standard. In that regard C has a massive head start, it having been used to implement second Unix, formally standardized a generation of man ago, and having multiple implementations within single-digit years of its first popularization.
Frequent standard revisions are also a point against allowing C++ in the kernel, though with how that language is enough of an arcane crock to prevent thousand-eyeballs review it's certainly relatively minor. One would hope that Rust doesn't also become a language where "shallow copy and invalidate source" operations require understanding of theory so extensive that it covers multiple four-letter acronyms which, even expanded, don't mean jack without a foot in the standards committee and/or a cheer squad's worth of americlaps[0].
[0] R-A-I-I! *clap* *clap* Resource *clap* Acquisition *clap* Is *clap* *clap* Initiali *clap* zation! *clap* *clap*
mrustc gets updated from time to time to shorten the bootstrap chain, here is the 1.39 update, before that it compiled 1.29 and 1.19 (there's 60 weeks between these Rust releases).
https://dwheeler.com/trusting-trust/
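
An added example, not part of the original comments: a toy Python model of the diverse double-compiling (DDC) check mentioned in the thread, showing why a compiler that merely reproduces itself from its own source proves nothing, while a rebuild through an independent compiler exposes a self-replicating backdoor. The binary model, the source labels and every name here are constructed for illustration, and deterministic compilation is assumed.

```python
import hashlib
import json

# Constructed toy model. A "binary" records which source it implements, whose
# code generator emitted its bits, and whether it carries hidden behaviour
# that appears in no source. All names below are illustrative assumptions.
COMPILER_SRC = "compiler-source"       # stand-in for the compiler's published source
OTHER_SRC = "second-compiler-source"   # stand-in for an independent implementation

def binary(implements, codegen_by, payload=False):
    return {"implements": implements, "codegen_by": codegen_by, "payload": payload}

def run_compiler(compiler, source):
    """Model running `compiler` on `source` (deterministic build assumed)."""
    # Output bits depend on what the compiler implements, not on who built it.
    # A subverted compiler re-inserts its payload only when compiling the compiler.
    carries = compiler["payload"] and source == COMPILER_SRC
    return binary(source, compiler["implements"], carries)

def digest(b):
    return hashlib.sha256(json.dumps(b, sort_keys=True).encode()).hexdigest()

def self_rebuild_matches(suspect, source=COMPILER_SRC):
    """Naive check: does the suspect reproduce itself from its own source?"""
    return digest(run_compiler(suspect, source)) == digest(suspect)

def ddc_matches(suspect, trusted, source=COMPILER_SRC):
    """DDC: build the source with an independent compiler, then with the result."""
    stage1 = run_compiler(trusted, source)   # same semantics, different bits
    stage2 = run_compiler(stage1, source)    # should be bit-identical to suspect
    return digest(stage2) == digest(suspect)

TRUSTED = binary(OTHER_SRC, "vendor-toolchain")
HONEST = binary(COMPILER_SRC, COMPILER_SRC)
SUBVERTED = binary(COMPILER_SRC, COMPILER_SRC, payload=True)

if __name__ == "__main__":
    for name, b in (("honest", HONEST), ("subverted", SUBVERTED)):
        print(name, "self-rebuild:", self_rebuild_matches(b),
              "DDC:", ddc_matches(b, TRUSTED))
```

The check only holds if the second compiler does not carry the same subversion, which is why an independently written implementation matters.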