Re: [RFC PATCH 0/7] Support writing grub modules in Rust

[Daniel Axtens]

Heinrich Schuchardt <xypron.glpk@gmx.de> writes:

> On 8/24/21 3:32 PM, Daniel Axtens wrote:
>> grub is a trusted component of the secure boot process, including
>> "traditional" GPG-based secure boot, UEFI-based secure boot, and the
>> WIP secure boot process using appended signatures. Most of grub is
>> written in C and has suffered from a number of memory-unsafety issues
>> in the past, something about which many of us have very distinct and
>> unpleasant memories!
>>
>> Rust is a systems programming language suitable for low-level
>> code. Rust can provide strong compile-time guarantees about memory
>> safety. It also is reasonably easy for Rust code to interoperate with
>> C.
>>
>> Grub's modular design may work in our favour here. Potentially
>> vulnerable components such as image and file-system parsers are
>> written as individual modules. Can we progressively rewrite these
>> modules in a safer language?
>>
>> This patch set provides my efforts so far in making this possible.
>>
>> It allows a module written almost entirely in Rust to be built and
>> run (in qemu) on x86_64-{emu,efi}, arm64-efi and powerpc-ieee1275.
>>
>> It still needs work, but it's at the stage where it's not entirely
>> trivial, and where I want to start getting more feedback on it.
>>
>> There are a few comments on things that need to be changed further on
>> in the series, but I think the biggest overarching change we probably
>> want to move towards doing more of what the Rust for Linux (kernel)
>> project has done: drop Cargo and build everything (except tests)
>> directly with rustc. This is a pain because Cargo is magic, but it
>> will resolve some hairy issues.
>>
>> (For example, currently on x86_64 platforms you can't have multiple
>> Rust modules because each defines a __rust_probestack intrinsic
>> despite my attempts to disable it. IMO that's a rustc bug and I have
>> reported it. But, there are other intrinsics that Rust code could
>> validly call, and we don't want implementations linked into each
>> module, we want the modules to call into the kernel. This is - as far
>> as I can tell - impossible to do with Cargo builds; we need finer
>> control.)
>>
>> Another big issue where we want to follow the Rust for Linux project
>> is how to handle failing allocations: by default in Rust that kills
>> your program (!), a situation which is entirely unacceptable for the
>> linux kernel. It's also unacceptable in Grub, so we should figure out
>> how they avoid it and learn from them.
>>
>> I have proposed a Linux Plumbers talk in the systems boot stream to
>> discuss this further. I'd also welcome on-list discussions.
>>
>> (Now, back to addressing the review comments on my previous patch
>> series!)
>
> Hello Daniel,
>
> riscv64 is one of the architectures supported by GRUB. Why is it missing
> in your series?

I simply didn't try it. I figured the 4 platforms I tried were
sufficient to demonstrate things and that people who were interested in
other platforms could create their own target.json files and post them.

It's probably easy enough to add support as LLVM and Rust support riscv64.

You could try creating a riscv64-efi.json yourself based on:

rustc +nightly -Z unstable-options --target=riscv64-unknown-linux-gnu \
--print target-spec-json > grub-core/lib/rust/targets/riscv64-efi.json

and then modify the resultant json file to disable hard float etc, set
singlethread mode, set necessary code model flags, etc. (You can compare
the target.json files for other targets to see what I mean.)

Kind regards,
Daniel

>
> Best regards
>
> Heinrich
>
>>
>> Daniel Axtens (7):
>>    emu: support grub_memalign
>>    Rust: module build infrastructure
>>    Rust: add a slightly more idiomatic wrapper around command handling
>>    Rust: add the rust_hello module
>>    powerpc: Support Rust
>>    x86_64-efi: Support Rust
>>    arm64-efi: Support Rust
>>
>>   .gitignore                                    |  1 +
>>   Makefile.util.def                             |  6 ++
>>   conf/Makefile.common                          |  1 +
>>   configure.ac                                  | 71 +++++++++++++++++++
>>   gentpl.py                                     | 28 +++++++-
>>   grub-core/Makefile.am                         | 20 ++++++
>>   grub-core/Makefile.core.def                   |  9 +++
>>   grub-core/commands/rust-hello/.gitignore      |  1 +
>>   grub-core/commands/rust-hello/Cargo.lock      | 24 +++++++
>>   grub-core/commands/rust-hello/Cargo.toml      | 16 +++++
>>   grub-core/commands/rust-hello/src/lib.rs      | 57 +++++++++++++++
>>   grub-core/commands/rust-hello/wrap.c          |  8 +++
>>   grub-core/kern/emu/mm.c                       |  6 ++
>>   grub-core/lib/rust/bindings.h                 |  4 ++
>>   grub-core/lib/rust/conftest/Cargo.lock        |  7 ++
>>   grub-core/lib/rust/conftest/Cargo.toml        | 10 +++
>>   grub-core/lib/rust/conftest/src/lib.rs        | 10 +++
>>   grub-core/lib/rust/grub/.gitignore            |  1 +
>>   grub-core/lib/rust/grub/Cargo.toml            |  8 +++
>>   grub-core/lib/rust/grub/src/command.rs        | 50 +++++++++++++
>>   grub-core/lib/rust/grub/src/lib.rs            | 64 +++++++++++++++++
>>   grub-core/lib/rust/targets/arm64-efi.json     | 27 +++++++
>>   .../lib/rust/targets/powerpc-ieee1275.json    | 28 ++++++++
>>   grub-core/lib/rust/targets/x86_64-efi.json    | 27 +++++++
>>   grub-core/lib/rust/targets/x86_64-emu.json    | 27 +++++++
>>   include/grub/dl.h                             | 21 +++++-
>>   include/grub/mm.h                             |  2 -
>>   tests/test_rust.in                            | 19 +++++
>>   28 files changed, 547 insertions(+), 6 deletions(-)
>>   create mode 100644 grub-core/commands/rust-hello/.gitignore
>>   create mode 100644 grub-core/commands/rust-hello/Cargo.lock
>>   create mode 100644 grub-core/commands/rust-hello/Cargo.toml
>>   create mode 100644 grub-core/commands/rust-hello/src/lib.rs
>>   create mode 100644 grub-core/commands/rust-hello/wrap.c
>>   create mode 100644 grub-core/lib/rust/bindings.h
>>   create mode 100644 grub-core/lib/rust/conftest/Cargo.lock
>>   create mode 100644 grub-core/lib/rust/conftest/Cargo.toml
>>   create mode 100644 grub-core/lib/rust/conftest/src/lib.rs
>>   create mode 100644 grub-core/lib/rust/grub/.gitignore
>>   create mode 100644 grub-core/lib/rust/grub/Cargo.toml
>>   create mode 100644 grub-core/lib/rust/grub/src/command.rs
>>   create mode 100644 grub-core/lib/rust/grub/src/lib.rs
>>   create mode 100644 grub-core/lib/rust/targets/arm64-efi.json
>>   create mode 100644 grub-core/lib/rust/targets/powerpc-ieee1275.json
>>   create mode 100644 grub-core/lib/rust/targets/x86_64-efi.json
>>   create mode 100644 grub-core/lib/rust/targets/x86_64-emu.json
>>   create mode 100644 tests/test_rust.in
>>