From: "Theodore Ts'o" <tytso@mit.edu>
To: Linus Walleij <linus.walleij@linaro.org>
Cc: Mauro Carvalho Chehab <mchehab@kernel.org>,
James Bottomley <James.Bottomley@hansenpartnership.com>,
Laurent Pinchart <laurent.pinchart@ideasonboard.com>,
Jens Axboe <axboe@kernel.dk>,
Christoph Hellwig <hch@infradead.org>,
Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>,
ksummit@lists.linux.dev
Subject: Re: [Ksummit-discuss] [TECH TOPIC] Rust
Date: Sat, 25 Jun 2022 22:52:27 -0400 [thread overview]
Message-ID: <YrfJ63hN+htFMQVA@mit.edu> (raw)
In-Reply-To: <CACRpkdY1UUqvhKj+a9hOkQo1XG27TvLqweB-EgMdrFuzP38Afw@mail.gmail.com>
On Sun, Jun 26, 2022 at 12:29:27AM +0200, Linus Walleij wrote:
>
> I think it is important to keep in mind that Rust may save us
> from a few crashes when used in drivers, but that can't be the
> main target for Rust.
>
> Rust needs to be put facing the enemy, i.e. people who exploit the
> kernel to run arbitrary code and gain local root.
In order to solve the problem you've articulated, the entire kernel
would have to be rewritten in Rust. And that's not going to happen
for... a while.
Rust has more opportunities to improve things in drivers because (a)
they aren't tested as well (for example, it's a lot harder for fuzzers
to exercise drivers if the hardware isnt available on the VM or server
where the fuzzers are running), and (b) very often drivers are written
by less experienced engineers --- in some cases the drivers are
authored by hardware engineers.
> OK the USB protocol may be close to the driver but
> I'm thinking the network stack and I think during initial review I
> suggested things like ksmbd as Windows SMB is known to have been
> exploited by intelligence agencies we know things like that is facing
> the enemy. I don't know what the ksmbd people feel about that, or
> nfsd for that matter, but this kind of code is what matters most
> for Rust deployment to pay off.
ksmbd needs to interface with a large number of subsystems that are
written in C. So even if you rewrite ksmbd in Rust, it will need to
made a huge number of unsafe calls into C code. Speaking personally
my solution for ksmbd is "Just Say No". Obviously, that won't be a
solution for everyone, but if you want a short-term solution, and you
care more about security than performance, I'd suggest using a
userspace file server, such as Samba or Ganesha.
Cheers,
- Ted
next prev parent reply other threads:[~2022-06-26 2:53 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-18 20:33 [TECH TOPIC] Rust Miguel Ojeda
2022-06-18 20:42 ` Laurent Pinchart
2022-06-18 20:42 ` [Ksummit-discuss] " Laurent Pinchart
2022-06-18 20:44 ` Laurent Pinchart
2022-06-18 20:44 ` [Ksummit-discuss] " Laurent Pinchart
2022-06-18 20:49 ` Miguel Ojeda
2022-06-19 6:13 ` Christoph Hellwig
2022-06-19 6:13 ` [Ksummit-discuss] " Christoph Hellwig
2022-06-19 10:04 ` Laurent Pinchart
2022-06-19 10:04 ` [Ksummit-discuss] " Laurent Pinchart
2022-06-19 12:56 ` James Bottomley
2022-06-19 12:56 ` [Ksummit-discuss] " James Bottomley
2022-06-19 13:19 ` Jens Axboe
2022-06-19 13:19 ` [Ksummit-discuss] " Jens Axboe
2022-06-19 13:53 ` Laurent Pinchart
2022-06-19 13:53 ` [Ksummit-discuss] " Laurent Pinchart
2022-06-19 14:27 ` James Bottomley
2022-06-19 14:27 ` [Ksummit-discuss] " James Bottomley
2022-06-19 14:45 ` [MAINTAINER SUMMIT] Are we becoming too fearful? [was Re: [TECH TOPIC] Rust] James Bottomley
2022-06-19 14:45 ` [Ksummit-discuss] " James Bottomley
2022-06-22 9:59 ` Linus Walleij
2022-06-22 10:57 ` Laurent Pinchart
2022-06-22 12:01 ` Linus Walleij
2022-06-22 12:09 ` Laurent Pinchart
2022-06-22 23:13 ` NeilBrown
2022-06-23 11:37 ` James Bottomley
2022-06-25 12:03 ` [Ksummit-discuss] " Mauro Carvalho Chehab
2022-06-25 11:45 ` [Ksummit-discuss] [TECH TOPIC] Rust Mauro Carvalho Chehab
2022-06-25 14:15 ` James Bottomley
2022-06-25 16:18 ` Mauro Carvalho Chehab
2022-06-25 22:29 ` Linus Walleij
2022-06-26 2:52 ` Theodore Ts'o [this message]
2022-06-26 3:18 ` Al Viro
2022-06-19 13:49 ` Laurent Pinchart
2022-06-19 13:49 ` [Ksummit-discuss] " Laurent Pinchart
2022-06-19 19:08 ` Geert Uytterhoeven
2022-06-19 19:08 ` [Ksummit-discuss] " Geert Uytterhoeven
2022-06-19 20:57 ` Matthew Wilcox
2022-06-20 13:53 ` Linus Walleij
2022-06-20 14:08 ` James Bottomley
2022-06-21 15:11 ` Dan Carpenter
2022-06-23 10:58 ` [TECH TOPIC] Why is devm_kzalloc() harmful and what can we do about it Laurent Pinchart
2022-06-23 11:24 ` Dan Carpenter
2022-06-23 11:31 ` Laurent Pinchart
2022-06-21 9:49 ` [TECH TOPIC] Rust David Woodhouse
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YrfJ63hN+htFMQVA@mit.edu \
--to=tytso@mit.edu \
--cc=James.Bottomley@hansenpartnership.com \
--cc=axboe@kernel.dk \
--cc=hch@infradead.org \
--cc=ksummit@lists.linux.dev \
--cc=laurent.pinchart@ideasonboard.com \
--cc=linus.walleij@linaro.org \
--cc=mchehab@kernel.org \
--cc=miguel.ojeda.sandonis@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).