Fact-checked by Grok 2 weeks ago

Rust for Linux

Rust for Linux is an ongoing initiative to incorporate the Rust programming language into the Linux kernel, enabling the creation of kernel drivers, subsystems, and abstractions in Rust to enhance memory safety and mitigate vulnerabilities inherent in traditional C-based development. The project's core objective is to evaluate Rust's suitability for kernel programming, allowing it to coexist with the existing C codebase through specialized bindings and infrastructure. Initial mainline support for Rust was merged into the Linux kernel with version 6.1, released in December 2022. The project gained momentum in 2021, with early patch sets submitted in July and the inaugural Rust for Linux conference (Kangrejos) held in September, following preliminary integration into the linux-next tree in March. Originating from hobbyist experiments dating back to , it evolved into a structured effort driven by contributors such as Miguel Ojeda and Wedson Almeida Filho, the latter of whom retired from the project in August 2024 amid integration challenges. Key motivations include Rust's ability to eliminate approximately two-thirds of kernel vulnerabilities stemming from issues, such as overflows and use-after-free errors, while maintaining performance parity with C through zero-cost abstractions and no garbage collection overhead. As of November 2025, Rust support remains experimental and geared toward developers, with no production-ready in-tree modules yet, though the first experimental drivers—such as those for physical layers (PHYs) accepted in kernel version 6.8 in 2024—and the panic logging driver merged in version 6.12 in November 2024, demonstrate growing integration. Despite interoperability hurdles requiring "unsafe" blocks for C-Rust interactions, toolchain evolution, and resistance from some C-centric maintainers, kernel leaders including and have affirmed 's role in new code development, establishing policies to protect C maintainers while permitting in dedicated subdirectories; community debates continue amid anticipation for major GPU drivers in late 2025 or early 2026. Future expansions target areas like , storage, and scheduler enhancements, with improved tooling and pipelines anticipated to facilitate broader adoption.

Background

The Rust Programming Language

Rust is a language initially sponsored by Research and now maintained by the Rust Foundation and its community, designed to deliver performance comparable to C while enforcing and preventing common programming errors such as dereferences and data races at . This approach allows developers to write efficient, low-level code without the overhead of a garbage collector or , making it suitable for resource-constrained environments. By leveraging checks, Rust aims to eliminate entire classes of bugs that plague traditional systems languages, promoting reliable without sacrificing speed. The originated as a personal side project by Graydon Hoare in 2006 while he was employed at , evolving from his interest in safe and concurrent programming paradigms. Mozilla began officially sponsoring the project in 2009, providing resources for its growth into a full-fledged language. The first stable release, Rust 1.0, arrived on May 15, 2015, marking a commitment to "stability without stagnation" through regular six-week release cycles. As of November 2025, Rust has reached version 1.91.1, incorporating stabilized features such as async/await syntax for asynchronous programming, which had been introduced in earlier editions. At the core of Rust's design are its model, borrowing rules, , and the borrow checker, which collectively ensure without runtime costs. The model assigns a single owner to each value, automatically handling deallocation when the owner goes out of to prevent memory leaks and use-after-free errors. Borrowing rules allow temporary references to data—either mutable or immutable—without transferring ownership, but enforce strict constraints: only one mutable borrow or multiple immutable borrows can exist simultaneously, avoiding issues. , denoted by annotations like 'a, track the validity of references to ensure they do not outlive the data they point to. The borrow checker, a key component of the Rust , verifies these rules at , rejecting unsafe code patterns and guaranteeing . Rust's relevance to systems programming stems from its zero-cost abstractions, which provide high-level constructs like iterators and that compile to efficient without runtime penalties, matching C's performance in benchmarks for compute-intensive tasks. Additionally, it enables "fearless concurrency" through the Send and Sync traits: Send marks types safe for transfer between threads, while Sync ensures safe shared access across threads, preventing data races by design and allowing developers to leverage parallelism confidently. These features make particularly appealing for building concurrent, high-performance applications in systems contexts.

Linux Kernel Overview

The Linux kernel is a monolithic yet modular operating system originally developed by as a personal project in 1991 to create a free alternative to systems. It is primarily written in , with small portions in for performance-critical sections such as low-level hardware interactions. This design combines the efficiency of a —where core services run in a single address space for direct hardware access—with modularity, allowing dynamic extension without recompiling the entire . At its core, the Linux kernel comprises several fundamental subsystems that manage system resources and operations. These include , which handles allocation, paging, and swapping to optimize resource utilization; process scheduling, which determines task execution order using algorithms like the (CFS) to balance fairness and performance; and device drivers, which provide interfaces for hardware interaction ranging from storage to network peripherals. The modular architecture is enabled through loadable kernel modules (LKMs), which are dynamically loadable components—typically device drivers, filesystem support, or extensions—that can be inserted or removed at runtime to adapt the kernel to specific hardware or functionality needs without rebooting. The kernel's development follows a decentralized, community-driven model coordinated primarily through the (LKML), where contributors worldwide submit patches, debate implementations, and review code. Strict coding standards, enforced via tools like checkpatch.pl, ensure consistency and readability across the codebase. Despite these rigorous practices, the kernel faces persistent security challenges, with memory-related errors such as buffer overflows and use-after-free bugs, alongside concurrency issues like race conditions, accounting for around two-thirds of all historical vulnerabilities reported in (CVEs). By November 2025, the kernel exceeds 40 million lines of code, reflecting its vast scope and ongoing evolution, with stable releases occurring approximately every 9-10 weeks—the latest stable version being 6.17.8 as of November 2025, following the established cadence of major updates.

Development History

Project Initiation

The Rust for Linux project was kicked off in 2020 by Miguel Ojeda, a Linux kernel developer at Linaro, through initial experimentation and organization of efforts to integrate into the kernel. In July 2020, Ojeda contributed to early discussions on the (LKML) proposing in-tree Rust support for kernel modules, particularly drivers. The project quickly gained backing from industry leaders including , , and AWS, who recognized Rust's value in enhancing kernel security. The primary motivations stemmed from the Linux kernel's vulnerability to memory safety issues inherent in C, which account for an estimated 60-70% of security bugs in C-based system software. Rust was seen as an ideal solution to enable writing safer drivers and modules—especially those prone to concurrency and memory errors—while maintaining the performance and low-level control required for kernel code, without needing to rewrite the existing C codebase. Early goals focused on prototyping Rust abstractions and bindings for core kernel APIs, such as those for memory allocation and I/O, while ensuring full ABI compatibility with to allow seamless interoperation. The first proof-of-concepts in centered on simple kernel modules, like basic character devices and network drivers, demonstrated through out-of-tree repositories that compiled code against kernel headers using tools like bindgen for type-safe interfaces. The project received its official reveal during a dedicated session at the Linux Plumbers Conference in August 2020, where developers discussed technical barriers and prototypes. By the end of 2020, basic support was available in out-of-tree builds, enabling experimental development.

Key Milestones and Releases

The Rust-for-Linux project began organized development in 2021 with the creation of its primary repository, where initial efforts focused on experimental components such as a Rust-based allocator and abstractions for to facilitate integration. In 2021, the inaugural Rust for Linux conference, known as Kangrejos, was held to discuss progress and future directions. A pivotal advancement occurred in October 2022, when merged the initial infrastructure into the tree for version 6.1, providing foundational support for compiling and loading out-of-tree modules while establishing build tooling and basic APIs. This merge, finalized on October 3, laid the groundwork for in-kernel experimentation without altering core codebases. Progress accelerated in 2023 and 2024, with Linux 6.8—released on March 10, 2024—introducing the first in-tree experimental drivers, including a PHY driver that demonstrated practical usage in device handling. Similarly, efforts on an NVMe host controller driver in advanced as an experimental , evaluating and in storage subsystems. By Linux 6.15, released on May 25, 2025, the project achieved a "big victory" through expanded abstractions and the integration of substantial drivers, such as the initial stub for the Nova GPU driver, enhancing graphics subsystem support. In 2025, Rust integration deepened with later kernel versions, such as Linux 6.17 and beyond, incorporating into core drivers, notably GPU components via the project for series hardware, enabling native rendering acceleration. An August 2025 project goals update from the team emphasized stabilization efforts for unstable language features critical for kernel development. By November 2025, the Linux 6.18 release candidate included additional hybrid C/ components, such as enhanced IPC and storage abstractions, reflecting broader adoption in and device . Key events in 2025 included the Kernel Recipes conference talk "A Rusty Odyssey," which outlined the timeline of Rust's evolution within the (DRM) subsystem, highlighting safety improvements in graphics drivers. Contributions from organizations like Ferrous Systems, through expertise in embedded Rust safety, and the Rust Foundation, via funding and ecosystem alignment, have supported these advancements.

Technical Foundations

Kernel Integration Architecture

The integration of into the relies on a core architecture that enables code to compile as loadable kernel modules (LKMs) while interfacing seamlessly with the existing codebase. Bindings between and are generated using the bindgen tool, which processes headers to create Rust-safe wrappers for kernel APIs, ensuring type-safe access to low-level structures and functions. The kernel provides dedicated crates, such as those under the kernel namespace, offering abstractions that mirror interfaces; for instance, the kernel::sync module wraps synchronization primitives like spinlocks and mutexes, allowing developers to use familiar kernel semantics without direct unsafe calls. This architecture maintains the kernel's modular design, where components can be developed and maintained independently but interact via stable exports. The build system for Rust kernel code is fully integrated into the kernel's Kbuild framework, treating Rust as a first-class language alongside . Makefiles invoke the rustc directly—bypassing —to compile Rust sources into object files, with support for and as the preferred for optimal . Rust operates in a no_std environment, excluding the to avoid dependencies on user-space features, and instead uses kernel-specific implementations for allocation and other basics, such as the rust_alloc for heap integration. Application Binary Interface (ABI) stability between Rust and is achieved through extern "C" linkages, which define function signatures and data layouts compatible with the kernel's ABI, preventing breakage during kernel updates. Configuration options like CONFIG_RUST enable this support, detected automatically if the meets requirements. Rust LKMs load and unload using the kernel's standard module system, coexisting with C modules without modifications to the core loader. Initialization and cleanup are handled via Rust equivalents of C's module_init and module_exit macros, which register entry points for module insertion and removal, ensuring proper resource management during runtime. For example, a Rust module might use these macros to set up abstractions for device drivers, integrating with the kernel's slab allocator or other subsystems upon loading. This approach preserves the kernel's hot-pluggable nature, allowing Rust modules to be dynamically inserted via tools like insmod or modprobe. The toolchain for kernel development has evolved to prioritize stability and accessibility. Early efforts required nightly for unstable features, but by 2025, the minimum stable version is 1.78.0 (released May 2024), with ongoing work to eliminate all nightly dependencies through stabilized alternatives. Features like pin_init—a library for safe, fallible initialization of pinned structures—are now supported via stable crates maintained by the Rust-for-Linux project. Prebuilt and toolchains, including bindgen and libclang, are distributed from to simplify setup across distributions, enabling builds with commands like make LLVM=1 rustavailable to verify compatibility.

Memory and Concurrency Safety Features

Rust's memory safety model, enforced at by the borrow checker, prevents common kernel vulnerabilities such as use-after-free and double-free errors by tracking and of references. In the context, this eliminates entire classes of memory bugs without introducing checks, ensuring that invalid memory accesses are caught during compilation rather than execution. To handle kernel objects that must remain at fixed addresses, such as DMA buffers, Rust employs the Pin abstraction, which guarantees that pinned data cannot be moved after initialization, preventing invalidation of hardware pointers. This is particularly vital for device drivers, where by peripherals requires stable memory locations, and Pin integrates seamlessly with kernel allocation APIs to maintain safety invariants. For concurrency safety, Rust's Send and Sync traits ensure that data is only shared across threads in thread-safe manners, inherently preventing data races by restricting unsynchronized mutable access. In the kernel, these traits are leveraged through wrappers like Mutex<T>, which encapsulate C's raw_spinlock_t to provide safe, interrupt-context-compatible locking; only types implementing Sync can be protected by such mutexes, enforcing atomicity without race conditions. Kernel-specific adaptations further enhance safety by using opaque types for C interop, such as wrapping bindings::task_struct in an Opaque struct to prevent direct, unsafe field access and force mediated interactions via safe APIs. Additionally, error handling employs Result types for fallible operations like memory allocations, propagating errors explicitly and avoiding unchecked returns that could lead to null pointer dereferences in C code. These features collectively address a significant portion of historical kernel vulnerabilities; for instance, according to a 2020 analysis, approximately 65% of CVEs in security updates were attributed to memory unsafety issues, many of which 's model mitigates at with zero overhead.

Implementation and Usage

Developing Rust Kernel Modules

To develop modules, developers first need to set up the source tree. This involves cloning the official repository using from git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git. Once cloned, configure the kernel build by running [make menuconfig](/page/Menuconfig) and enabling the CONFIG_RUST option under the "General setup" submenu; this option only appears if a compatible is detected, which can be verified beforehand with make LLVM=1 rustavailable. The build process requires a full (recommended over , which is experimental), invoked via make LLVM=1 to compile components alongside code. For documentation, run make LLVM=1 rustdoc to generate docs from source, viewable in the Documentation/output/rust/rustdoc/ directory. Testing Rust kernel modules typically leverages the KUnit unit-testing framework, adapted for Rust through macros like #[kunit_tests]. Enable CONFIG_KUNIT and CONFIG_RUST in the kernel configuration, then execute tests using the kunit.py script with options such as ./tools/testing/kunit/kunit.py run --make_options LLVM=1 --arch x86_64 --kconfig_add CONFIG_RUST=y; this builds and runs tests in an isolated environment. For broader integration testing, boot the kernel in QEMU or KVM emulators to load and verify modules dynamically, often using sample code from the samples/rust/ directory as a starting point. KUnit supports Rust's assert! and assert_eq! macros, along with the ? operator for error propagation, allowing tests to validate kernel APIs without full hardware. Additionally, kernel selftests in tools/testing/selftests/rust/ can be run with make TARGETS="rust" kselftest for runtime checks. In coding Rust kernel modules, the module! macro serves as the primary entry point declaration, encapsulating initialization and exit functions analogous to C's module_init and module_exit, while also handling module parameters and firmware dependencies. Kernel APIs are accessed through the kernel crate, providing wrappers like the pr_info! macro for logging informational messages at level 6, formatted similarly to Rust's print!. Errors are managed using core::result::Result types, with fallible operations propagating via the ? operator to ensure robust handling without panics, which are discouraged in kernel contexts. The Rust integration architecture exposes these APIs via bindings that allow seamless interaction with the C-based kernel core. Best practices emphasize maximizing safe Rust constructs to leverage memory and concurrency guarantees, reserving unsafe blocks solely for foreign function interface (FFI) interactions with C code; each such block must include a // SAFETY: comment justifying its soundness and preventing undefined behavior. Naming follows Rust idioms—snake_case for functions and variables, CamelCase for types—while adapting kernel-specific terms (e.g., GpioLine for GPIO lines) to align with existing APIs. Code should adhere to rustfmt defaults for formatting, including 4-space indentation and a 100-character line limit, with make LLVM=1 rustfmtcheck used during development to enforce consistency. Clippy lints can be enabled via CLIPPY=1 in the build to catch idiomatic issues early. Key tools for development include rust-analyzer for IDE integration, configured by running make LLVM=1 rust-analyzer to generate a rust-project.json file compatible with editors like VS Code or Vim. The standard cargo tool is not utilized, as the kernel's Kbuild system directly invokes rustc for compilation, cross-compiling the core library subset without the full Rust standard library. This setup ensures modules build as loadable kernel modules (LKMs) or built-ins, testable in isolation before upstream submission.

Deployed Rust Components in the Kernel

The integration of into the began with foundational components in early releases. version 6.1, released in December 2022, introduced initial support, including a -based allocator designed to provide memory allocation capabilities within the kernel's ecosystem. This allocator serves as a core building block for abstractions, enabling safe for subsequent components. In kernel 6.2, sample drivers such as the rust_pci were added, offering basic abstractions for device handling to facilitate driver development and testing. By 2025, more advanced components have entered the mainline , focusing on drivers for critical hardware interfaces. An experimental implementation of an NVMe driver is under development, with recent rebases targeting 6.15 as of mid-2025, focusing on safe management and handling for high-performance solid-state drives; it has not yet been merged into the mainline . In the graphics domain, code has been integrated into the (DRM) subsystem, including utilities like the panic screen generator, which encodes crash information for easier debugging. Representative examples include the first network PHY driver merged in 6.8, which manages transceivers for Ethernet connections, and patches for an LED driver submitted in October 2025 for potential inclusion in 6.18, controlling hardware indicators with minimal overhead. Ongoing efforts highlight Rust's application in GPU drivers. The Asahi GPU driver for , developed as part of the project, is written in to interface with the kernel's framework, enabling graphics acceleration on M-series chips; groundwork for mainline integration advanced during the development of kernel 6.17 in 2025. Similarly, the Nova driver for GPUs represents an experimental successor to Nouveau, implemented in to support GSP-based hardware with modular components for firmware loading and ; core components have been merged into mainline as of November 2025, with further enablement patches targeting kernel 6.19. Rust components primarily target driver subsystems, such as network, storage, and GPU interfaces, where can mitigate common vulnerabilities. As of mid-2025, accounts for a growing but small fraction of the 's , with accelerating for new s amid the overall 40 million lines of kernel source. The -based , essential for Android's , was merged in October 2025, exemplifying vendor-specific extensions. These components are enabled through configuration options prefixed with CONFIG_RUST, such as CONFIG_RUST=y for general support, which must be selected during compilation if a compatible toolchain is available. Out-of-tree modules are prevalent among vendors; for instance, has incorporated extensions in Android variants to enhance security in device drivers.

Adoption and Impact

Current Status in 2025

As of November 2025, support remains integrated into the mainline starting from version 6.1, allowing developers to write kernel modules and abstractions in alongside code. The 6.18 release candidate incorporates a substantial volume of new code, including enhancements to driver core frameworks for DebugFS, support, and integration, as well as locking primitives like generic atomic variables to facilitate hybrid / shared memory models. Official documentation for kernel is hosted at docs./rust/, providing guides on setup, coding guidelines, and bindings. Several major distributions provide toolchain support, enabling experimentation with -based kernel modules. For instance, has supported kernel module development since version 23.04. Android's upcoming kernel integrations, starting with version 6.12 in late 2025, enable the first production drivers for enhanced security in mobile environments, exemplified by Google's implementation of the driver mainlined in kernel 6.18. Project metrics indicate growing community engagement, with hundreds of contributions to kernel code in the first half of 2025 alone, reflecting sustained developer interest despite ongoing debates. Empirical analyses show that code in the kernel reduces the incidence of bugs and data races compared to equivalent implementations, contributing to overall stability in affected subsystems. The Foundation's 2025 updates highlight the initiative as a pivotal advancement in applying to foundational systems software. Vendor support continues to drive adoption, with actively contributing to Rust for Linux through its Android team, including the Binder driver and evaluations of additional components. is integrating into Azure infrastructure, including components for cloud workloads.

Security and Performance Benefits

's integration into the provides significant security advantages by leveraging its guarantees, which eliminate entire classes of vulnerabilities prevalent in C-based , such as buffer overflows, use-after-free errors, and data races. These protections stem from 's model and borrow checker, enforced at , preventing common memory-related bugs that account for a substantial portion of vulnerabilities. For instance, memory safety issues have historically comprised roughly two-thirds of past CVEs, and -written components inherently mitigate this risk without relying on runtime checks or mitigations. Empirical analyses of drivers confirm reduced incidence of bugs compared to equivalent C implementations, with case studies showing minimal use of unsafe (around 3%) and fewer overall errors. In terms of performance, Rust maintains parity with C through zero-cost abstractions, compiling to efficient machine code without garbage collection overhead, making it suitable for kernel environments. Benchmarks of Rust-based drivers, such as a native UDP implementation, reveal only marginal overhead—typically 0.7% to 3% in encapsulated scenarios—while delivering comparable throughput to C counterparts. Rust's concurrency model further enhances efficiency in multi-core systems by enabling safe parallel execution without data races; prototypes in systems like Tock OS demonstrate reductions in interrupt handling latency by up to 3x using eBPF integration. Beyond direct security and speed gains, Rust facilitates easier maintenance of kernel code by boosting maintainer confidence in refactoring and patch acceptance, leading to fewer regressions over time. It also supports advanced tools, such as Prusti, which enable deductive proofs of correctness for safe code, including extensions, thereby strengthening overall reliability. Studies from 2025, including those on framekernel architectures like Asterinas, affirm these benefits by demonstrating a sound, minimized (about 14% of the codebase) with performance on par with , underscoring 's role in enhancing safety without compromising efficiency.

Challenges and Future Directions

Technical and Toolchain Hurdles

The integration of into the relies on the nightly channel of the Rust compiler due to dependencies on several unstable features, which introduces risks of breakage from frequent changes. For instance, features such as arbitrary_self_types and derive_coerce_pointee remain unstable as of November 2025, with ongoing efforts to stabilize them. Full elimination of such dependencies is a priority but unlikely in the short term. This reliance on nightly builds complicates long-term maintenance and stability for kernel developers, as updates can alter behavior without notice. Interfacing Rust code with the existing C-based kernel necessitates the use of unsafe blocks, particularly for foreign function interface (FFI) calls and low-level operations, which comprise a notable portion of Rust kernel modules. An empirical analysis of upstream Rust-for-Linux drivers reveals that unsafe code appears commonly across major components, often unavoidable for C interoperability, though proper encapsulation can preserve overall safety guarantees. For example, in analyzed drivers like GPU (107 instances) and NVMe (44 instances), many unsafe uses stem from missing abstractions. Additionally, the kernel's real-time constraints pose challenges, as Rust's no_std environment lacks comprehensive ecosystem support for certain utilities, with approximately 6,408 crates fully compatible as of a 2023 study, and conversion from std-dependent code requiring significant refactoring. These gaps limit the availability of safe abstractions for time-sensitive operations. Rust kernel development also encounters performance hurdles in the build process, with compile times generally longer than equivalent C code due to the language's complex type system and monomorphization. Debugging remains more cumbersome without mature toolchain integration; full GDB support for Rust kernel modules has improved in 2025 but still lags behind C, requiring specialized scripts or tools for effective tracing. As of 2025, certified toolchains like —a qualified distribution for safety-critical systems—have been tested for building the , achieving qualifications such as Class C for medical devices and supporting no_std environments. However, ongoing concerns with unstable features and toolchain evolution continue to restrict 's adoption to peripheral drivers rather than core subsystems.

Community Debates and Roadmap

The integration of into the has sparked ongoing debates within the , particularly around ideological differences and pace. In early 2025 LKML threads, some maintainers expressed resistance, labeling the push for as driven by rather than practical necessity, amid discussions on influence and patch reviews for abstractions like allocators. has voiced support for 's inclusion to enhance safety but criticized aspects of its implementation, such as overly rigid formatting checks and the slow rate of adoption, noting in October 2025 that such practices hinder efficient merging. Counterarguments from proponents, including kernel maintainers like , emphasize 's proven safety benefits in reducing memory vulnerabilities, as evidenced by its use in early driver code without introducing regressions. Debates persist into late 2025, with discussions on the pace of adoption continuing. The Rust for Linux community has grown steadily, with contributions accelerating through collaborative efforts and external support. By mid-2025, the project saw increased participation from developers, bolstered by the Foundation's ongoing initiatives to stabilize kernel-relevant tooling and language features. Partnerships with organizations like the have funded key work on abstractions and testing, aiding broader adoption. Events such as Kernel Recipes 2025 featured dedicated sessions on writing Rust drivers and timelines of Rust in the DRM subsystem, highlighting progress and fostering discussion among kernel hackers. Looking ahead, the project's roadmap for 2025-2026 prioritizes stabilizing support for the stable , enabling more reliable in-kernel use without nightly dependencies. Expansion efforts include integrating into additional subsystems like networking and filesystems, building on recent kernel releases that enhanced handling for modular development. For GPU drivers, full in-tree implementations are advancing, with the -based driver for GPUs submitted ahead of 6.15 and ongoing work toward compatibility to replace legacy Nouveau components, with further enablement in 6.19. Future directions point toward deeper integration, including potential Rust usage in non-driver core kernel components to further mitigate safety issues, as explored in empirical studies of the project's impact. Additionally, Rust's synergy with eBPF promises safer kernel extensions, leveraging libraries like Aya to write verifiable programs that run in the kernel sandbox without compromising performance.