Re: [RFC PATCH 0/7] Support writing grub modules in Rust

From: Heinrich Schuchardt
Subject: Re: [RFC PATCH 0/7] Support writing grub modules in Rust
Date: Wed, 25 Aug 2021 07:34:16 +0200

On 8/24/21 3:32 PM, Daniel Axtens wrote:
grub is a trusted component of the secure boot process, including
"traditional" GPG-based secure boot, UEFI-based secure boot, and the
WIP secure boot process using appended signatures. Most of grub is
written in C and has suffered from a number of memory-unsafety issues
in the past, something about which many of us have very distinct and
unpleasant memories!

Rust is a systems programming language suitable for low-level
code. Rust can provide strong compile-time guarantees about memory
safety. It also is reasonably easy for Rust code to interoperate with

Grub's modular design may work in our favour here. Potentially
vulnerable components such as image and file-system parsers are
written as individual modules. Can we progressively rewrite these
modules in a safer language?

This patch set provides my efforts so far in making this possible.

It allows a module written almost entirely in Rust to be built and
run (in qemu) on x86_64-{emu,efi}, arm64-efi and powerpc-ieee1275.

It still needs work, but it's at the stage where it's not entirely
trivial, and where I want to start getting more feedback on it.

There are a few comments on things that need to be changed further on
in the series, but I think the biggest overarching change is that we probably
want to move towards doing more of what the Rust for Linux (kernel)
project has done: drop Cargo and build everything (except tests)
directly with rustc. This is a pain because Cargo is magic, but it
will resolve some hairy issues.

(For example, currently on x86_64 platforms you can't have multiple
Rust modules because each defines a __rust_probestack intrinsic
despite my attempts to disable it. IMO that's a rustc bug and I have
reported it. But, there are other intrinsics that Rust code could
validly call, and we don't want implementations linked into each
module, we want the modules to call into the kernel. This is - as far
as I can tell - impossible to do with Cargo builds; we need finer

Another big issue where we want to follow the Rust for Linux project
is how to handle failing allocations: by default in Rust that kills
your program (!), a situation which is entirely unacceptable for the
Linux kernel. It's also unacceptable in Grub, so we should figure out
how they avoid it and learn from them.

I have proposed a Linux Plumbers talk in the systems boot stream to
discuss this further. I'd also welcome on-list discussions.

(Now, back to addressing the review comments on my previous patch

Hello Daniel,

riscv64 is one of the architectures supported by GRUB. Why is it missing
in your series?

Best regards


Daniel Axtens (7):
   emu: support grub_memalign
   Rust: module build infrastructure
   Rust: add a slightly more idiomatic wrapper around command handling
   Rust: add the rust_hello module
   powerpc: Support Rust
   x86_64-efi: Support Rust
   arm64-efi: Support Rust

  .gitignore                                    |  1 +
  Makefile.util.def                             |  6 ++
  conf/Makefile.common                          |  1 +                                  | 71 +++++++++++++++++++                                     | 28 +++++++-
  grub-core/                         | 20 ++++++
  grub-core/Makefile.core.def                   |  9 +++
  grub-core/commands/rust-hello/.gitignore      |  1 +
  grub-core/commands/rust-hello/Cargo.lock      | 24 +++++++
  grub-core/commands/rust-hello/Cargo.toml      | 16 +++++
  grub-core/commands/rust-hello/src/      | 57 +++++++++++++++
  grub-core/commands/rust-hello/wrap.c          |  8 +++
  grub-core/kern/emu/mm.c                       |  6 ++
  grub-core/lib/rust/bindings.h                 |  4 ++
  grub-core/lib/rust/conftest/Cargo.lock        |  7 ++
  grub-core/lib/rust/conftest/Cargo.toml        | 10 +++
  grub-core/lib/rust/conftest/src/        | 10 +++
  grub-core/lib/rust/grub/.gitignore            |  1 +
  grub-core/lib/rust/grub/Cargo.toml            |  8 +++
  grub-core/lib/rust/grub/src/        | 50 +++++++++++++
  grub-core/lib/rust/grub/src/            | 64 +++++++++++++++++
  grub-core/lib/rust/targets/arm64-efi.json     | 27 +++++++
  .../lib/rust/targets/powerpc-ieee1275.json    | 28 ++++++++
  grub-core/lib/rust/targets/x86_64-efi.json    | 27 +++++++
  grub-core/lib/rust/targets/x86_64-emu.json    | 27 +++++++
  include/grub/dl.h                             | 21 +++++-
  include/grub/mm.h                             |  2 -
  tests/                            | 19 +++++
  28 files changed, 547 insertions(+), 6 deletions(-)
  create mode 100644 grub-core/commands/rust-hello/.gitignore
  create mode 100644 grub-core/commands/rust-hello/Cargo.lock
  create mode 100644 grub-core/commands/rust-hello/Cargo.toml
  create mode 100644 grub-core/commands/rust-hello/src/
  create mode 100644 grub-core/commands/rust-hello/wrap.c
  create mode 100644 grub-core/lib/rust/bindings.h
  create mode 100644 grub-core/lib/rust/conftest/Cargo.lock
  create mode 100644 grub-core/lib/rust/conftest/Cargo.toml
  create mode 100644 grub-core/lib/rust/conftest/src/
  create mode 100644 grub-core/lib/rust/grub/.gitignore
  create mode 100644 grub-core/lib/rust/grub/Cargo.toml
  create mode 100644 grub-core/lib/rust/grub/src/
  create mode 100644 grub-core/lib/rust/grub/src/
  create mode 100644 grub-core/lib/rust/targets/arm64-efi.json
  create mode 100644 grub-core/lib/rust/targets/powerpc-ieee1275.json
  create mode 100644 grub-core/lib/rust/targets/x86_64-efi.json
  create mode 100644 grub-core/lib/rust/targets/x86_64-emu.json
  create mode 100644 tests/
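
The allocation-failure concern raised in the quoted cover letter, as an added Rust example that is not part of this thread or of the patch series: a parser reading an attacker-controlled length uses the standard `Vec::try_reserve_exact` so that a request which cannot be satisfied comes back as an error value instead of ending the program. The record layout and the names `read_record` and `ParseError` are assumptions made for the illustration, and `std::io::Read` stands in for a disk read; this is not how GRUB or Rust for Linux are stated to handle it.

```rust
// Added illustration, not code from the patch series. The record layout
// (8-byte little-endian length, then payload) is constructed for this example.
use std::collections::TryReserveError;
use std::convert::TryFrom;
use std::io::Read;

#[derive(Debug, PartialEq)]
enum ParseError {
    Truncated,
    OutOfMemory,
}

impl From<TryReserveError> for ParseError {
    fn from(_: TryReserveError) -> Self {
        ParseError::OutOfMemory
    }
}

/// Read one length-prefixed record from an untrusted source.
fn read_record(src: &mut impl Read) -> Result<Vec<u8>, ParseError> {
    let mut hdr = [0u8; 8];
    src.read_exact(&mut hdr).map_err(|_| ParseError::Truncated)?;
    // The length is attacker-controlled; it may not even fit in usize.
    let len = usize::try_from(u64::from_le_bytes(hdr)).map_err(|_| ParseError::OutOfMemory)?;

    let mut buf: Vec<u8> = Vec::new();
    // Vec::with_capacity(len) or vec![0; len] would panic or abort here if the
    // request cannot be satisfied. try_reserve_exact reports it as an Err.
    buf.try_reserve_exact(len)?;
    buf.resize(len, 0); // capacity is already reserved, so this does not allocate
    src.read_exact(&mut buf).map_err(|_| ParseError::Truncated)?;
    Ok(buf)
}

fn main() {
    // Constructed inputs: a valid 5-byte record, and a header claiming u64::MAX bytes.
    let mut good: &[u8] = &[5, 0, 0, 0, 0, 0, 0, 0, b'h', b'e', b'l', b'l', b'o'];
    let mut huge: &[u8] = &[0xff; 8];
    println!("{:?}", read_record(&mut good));
    println!("{:?}", read_record(&mut huge));
}
```

A real parser would also cap `len` against the size of the underlying file or device before reserving, since a large but satisfiable request still costs memory.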

