Google recently rewrote the firmware for protected virtual machines in its Android Virtualization Framework using the Rust programming language and wants you to do the same, assuming you deal with firmware.
In a write-up on Thursday, Android engineers Ivan Lozano and Dominik Maier dig into the technical details of replacing legacy C and C++ code with Rust.
“You’ll see how easy it is to boost security with drop-in Rust replacements, and we’ll even demonstrate how the Rust toolchain can handle specialized bare-metal targets,” said Lozano and Maier.
Easy is not a term commonly heard with regard to a programming language known for its steep learning curve.
Nor is it easy to get C and C++ developers to see the world with Rust-tinted lenses. Just last week, one of the maintainers of the Rust for Linux project - created to work Rust code into the C-based Linux kernel - stepped down, citing resistance from Linux kernel developers.
“Here’s the thing, you’re not going to force all of us to learn Rust,” said a Linux kernel contributor during a lively discussion earlier this year at a conference.
One of the deep-pocketed founding members of the Rust Foundation says it’s easy. I’m surprised.
Wut? They’re a member, because they find Rust useful. This is just them saying another time that they find Rust useful.
While they (and everyone using Rust) will benefit off of more people using Rust, it’s not like they have a vested interest to the point of spreading misinformation.
They’re a member, because they find Rust useful. This is just them saying another time that they find Rust useful.
Fans of a programming language stating they like the programming language is hardly thought-provoking stuff. There are also apps written in brainfuck and that means nothing as well.
Clearly Rust is a conspiracy.
Anyone in software development who was not born yesterday is already well aware of the whole FOMO cycle:
- hey there’s a shiny new tool,
- it’s so fantastic only morons don’t use it,
- oh god what a huge mistake I did,
- hey, there’s a shiny new tool,
I assume that you do know that tools improve objectively in the cycle and are making a joke on purpose.
Yeah, because the new tools are never actually better, right? If condescending luddites like you had your way we’d still be living in the literal stone age. At every step of the way, people like you have smugly said that the older, more established ways of doing things were good enough and new ways were just a fad that would die out.
Your favorite language was dismissed as fad when it was new. High level languages were a fad. Computing was a fad. Electricity was a fad. See a pattern?
Nice job projecting with the “only morons” bit, BTW, when it is in fact you who started off by denigrating people whose preferences are different from yours.
Here’s the thing, you’re not going to force all of us to learn Rust
That seems like a poor attitude imo.
A valid point tho. Generally it is difficult to ask everybody to learn a new language.
I mean, I work as a software engineering and if I’m not doing continuing ed, be it about architecture, storage, or new languages, I’m going to be of less value in the marketplace. I’ve learnt languages I didn’t particularly want to in the past for work (though I generally came to tolerate or even like some of them. Not lua, though; lua can go to hell).
If Rust truly is the better, safer option, then these people are holding everything back.
“learn Rust” in this case is learn it to a level where all of the little behaviour around cross language integrations are understood and security flaws won’t be introduced. Expert level.
It’s not “I did a pet project over the weekend”.
C/C++ is the bedrock of our modern civilization in some ways more fundamental than actual bedrock, the first step in getting any OS running is making it run C and after that you are basically done, it’s not surprising that developers resist, if nothing else it’s a common language, and standards are hard to change on the best of days. This isn’t just learning a language, it’s a complete paradigm shift.
It’s not a question of what’s the better option. In reality we have a lot of software that already exists and works, and you can’t replace it all in bulk at the same time. So the question is whether the implementation of Rust makes logistical sense, given the difficulties of maintaining currently existing software while replacing some parts of it.
It would be a valid point if he weren’t literally speaking over the people trying to tell him that they’re not demanding he learn Rust: https://youtu.be/WiPp9YEBV0Q?si=b3OB4Y9LU-ffJA4c&t=1548
Oh jeeze, you have no idea. You can watch it yourself: https://youtu.be/WiPp9YEBV0Q?si=b3OB4Y9LU-ffJA4c&t=1548
That timestamp is about where the audience member (a maintainer of ext4 and related utilities) starts speaking. The “here’s the thing” quote is around 28:40.
I mean aren’t they forcing everyone else to learn C/C++ otherwise? If we follow that logic, at least
I guess you can argue it’s already written in C. So that was always a requirement.
That way we’ll just find maintainers went near extinct over time, just like COBOL developers that are as rare as they are expensive. Only Linux kernel isn’t a bank, and maybe will not have as much money to pay to rare developers capable of maintaining C codebase
If the linux kernel had any real budget to speak of, they could hire rust experts to maintain the rust code. But the “linux” foundation spends 2% of its budget on Linux, this is the situation you end up with.
I believe that’s incorrect. The reporter who started this rumor either misunderstood the meaning of the chart or was lying through his teeth. I’ll find the original source and share it here later.
This is the actual source. If you simply scroll through it, you’ll see they’re investing in many things that move the Linux ecosystem forward. Open standards, open hardware, security in the software stack, providing for latest market needs, keeping an eye on legislation that could affect Linux, staying in touch with important entities in the industry, and so on.
Scroll down near the bottom and you’ll find where the reporter got their information from. It’s an expenditure chart and, sure enough, it says “Linux Kernel Support 2%” Note, however, that it also says:
- Community Tooling 5%
- Training and Certifications 7%
- Project Infrastructure 9%
- Project Support 64% (!)
Note that it doesn’t say how any of them is further divided. Remember all the things I mentioned earlier? All of that is value for Linux as a whole.
Software projects aren’t just about programming the big thing. Working on a large project will show you this. Could the foundation spend more on Linux? Maybe. But saying they only spend 2% on it is disingenuous.
The reporter doesn’t mention this in his clickbait piece, either because he doesn’t get it in the first place, or more likely because he just wants to push his views.
This is yet another example why Lunduke isn’t a credible source of news.
That seems like a poor attitude imo.
Why do you believe that forcing something onto everyone around you is justifiable? I mean, if what you’re pushing is half as good as what you’re claiming it to be, wouldn’t you be seeing people lining up to jump on the bandwagon?
It’s strange how people push tools not based on technical merits and technological traits, but on fads and peer pressure.
It is literally being pushed for its technical merits and traits.
Memory safe code with comparable performance in the kernel seems like an absolute no brainer.
Also if you watch the video all he’s asking for is consistent interfaces for the file systems. He’s not even trying to get them to use rust. And the guy starts screeching about how he’ll code however he wants.
Is it wrong to expect a consistent and well documented interface?
Pretty sure C is actually being pushed against its technical merits here.
It’s wrong to force it. Most choices in history don’t end up with the best one being used. Beta was better than VHS for example. Rust people are very bad at convincing others to try it, and objectively many people just don’t want to or don’t like it for various reasons.
Personally I highly dislike the syntax. People like familiar things, and to me it’s just too different from C++.
If anything I think Swift will be an easier sell when the speed and cross-platform issues are solved.
2024: Google says replacing C/C++ with Rust is easy
2025: Google buys Rust
2026: Google shuts down Rust
They need to tell that to Theodore Ts’o.
Rust is one of those things that every time I look into it, I don’t really follow what makes it so good. What’s a good starter project to learn the language and get a sense of what makes it worthwhile over the established stuff?
-
If your alternative is C++ then it removes the enormous burden of manually tracking lifetimes and doing manual memory management. C++ does have RAII which helps with that enormously but even then there are a gazillion footguns that Rust just doesn’t have - especially with the newer stuff like rvalue references, std::move, coroutines etc. It also saves you from C++'s dreaded undefined behaviour which is everywhere.
-
It has a very strong (and nicely designed) type system which gives an “if it compiles it works” kind of feel, similar to FP languages like Haskell (so they say anyway; I’ve not used it enough to know). The borrow checker strongly pushes you to write code in a style that somehow leads to less buggy code. More compiler errors, but much less debugging and fixing bugs.
-
The libraries and APIs are generally very well designed and nice to use. If you’ve ever used Dart or Go think how nice the standard library is compared to JavaScript or PHP. It took C++ like 2 decades to get
string::starts_withbut Rust started with it (and much more!). -
Fast by default.
-
Modern tooling. No project setup hassle.
-
It’s a value based language, not reference based. References are explicit unlike JavaScript, Java, C#, etc. This is much nicer and makes things like e.g. copying values a lot easier. JavaScript’s answer for ages was “serialise to JSON and back” which is crazy.
Downsides:
-
Slow compilation sometimes. I’d say it’s on par with C++ these days.
-
Async Rust is kind of a mess. They shipped an MVP and it’s still kind of hard to use and has unexpected footguns, which is a shame because sync Rust avoids footguns so well. Avoid async Rust if you can. Unfortunately sometimes you can’t.
-
Interop with C++ is somewhat painful because Rust doesn’t have move constructors.
Great language overall. Probably the best at the moment.
I disagree with 5.
I am an electronics engineer, so admittedly only ever worked with C and Python scripting (and not a programmer by any means) but I literally stopped learning rust for embedded because every single tooling setup step was wrong or failed for both chips I was testing out (NRF chip and an esp32-C3). Maybe only embedded rust was still a mess tooling-wise, but I have no use case for learning userspace rust first. It would just be a waste of my limited free time 😅
I just would like to learn from your experience.
I have a different background, can’t say I am developer but a coder who mainly do prototyping in short amount of time, and sometimes help out building microservices, backend stuffs. Go really fit the bill neatly for my job, so my first attempt jumping into the embedded world, as a hobbyist, was with TinyGo and found it completely different from userspace application development. To be honest, I did like it as a unified toolchain, but it was not yet that mature the time when I used it (I hope they are much better now) and I always had to go into the “machine” code file to find out things that should be documented better. That said, I was really happy when I got my head around multiplexed led array on the microbit, and even figured out how to drive a continuous rotation servo by timed highs and lows (TinyGo had no PWM support for microbit) for a car crusher, with an empty tissue box of course. Made my little one cry when he saw it the first time and thought his toy cars were crushed.
But when I got into more “serious” hobbyist realm, playing around with nRF52840, ESP32 and Cortex-M0, I found that Zephyr Project just feel right to me. Maybe because I am not a bare-metal magician by trade, I found the device tree concept so easy to understand and I managed to tune a DTS for ESP-EYE to use the correct address region for PSRAM, though I could only enable 4MB of it as I still couldn’t understand why there are 2 separated address regions for a total 8MB of PSRAM!
By pure coincidence, IoT became the next big thing for the company I work in, so I am thinking about getting more tools in my shed. I will definitely look into CircuitPython. Never learned Python before because I just don’t like it, without any objective reason I am afraid, but I reckon it is a great tool to build something really really quickly. Another language I want to learn, as you can tell, is Rust, because I can’t expect my colleagues to know Zephyr when FreeRTOS is just a much more popular choice. I think one day I will have to look into FreeRTOS again but wouldn’t hurt learning one more modern langauge that hopefully can do the trick easily.
However, with some initial digging, it scares me. From libraries and tutorials, one thing that bugs me is that it seems everyone has to do like Peripherals::take().unwrap() and many other long chains of method calls ending with .unwrap(). I feel like the borrow-checker is not quite ready for memory mapped IO but assumes every pointer is allocated on the heap. I just feel worried that one day they will say “okay, we actually need a different compiler for embedded, just like TinyGo for Go”, and I have to relearn. Another thing that I don’t know yet is, it seems not so easy to get them onto the chip? If I understand correctly, some of the nRF and ESP32 are on tier-1 support so I suppose they will be the easier choices to get started. I am interested to know from your experience what was wrong in the equation?
Thanks and my apologies for making it so long.
I think embedded Rust is simply really really new, and requires interacting with crusty C tools which is going to reduce reliability.
It’s also a little fragmented with people trying different things out (e.g. Embassy vs RTIC), and different chips getting different levels of support.
Totally different experience to desktop development.
I would add to the downside that it’s not the best programming language for game development, etc. There was some blog post about how troublesome is it to develop games using Rust due to some of the features that are good in other areas, like the whole concept of “immutable by default”.
I can also recommend D, if you want to deal with different issues, like the D Language Foundation fearing of change due to not wanting to deal with division from a new and incompatible version yet again, the GC being both a blessing and curse, if you want to go without a (tracing) GC you’ll need to go with a custom runtime that potentially missing many of its features, the attribute hell, etc.
Memory safety for one. C is very memory unsafe and that has been the source of a great, great number of software vulnerabilities over the years. Basically, in many C programs it has been possible to force them to execute arbitrary code, and if a program is running with root privileges, an attacker can gain full control over a system by injecting the right input.
I have very limited knowledge of rust, but from what I remember writing memory unsafe programs is nigh impossible as the code won’t really even compile. Someone else with more knowledge can probably give more detail.
