Re: Why QEMU should move from C to Rust (clickbait alert ;))

[Sergio Lopez]

On Thu, Aug 06, 2020 at 11:24:13AM +0100, Stefan Hajnoczi wrote:
<snip>
> Conclusion
> ---------------
> Most security bugs in QEMU today are C programming bugs. Switching to
> a safer programming language will significantly reduce security bugs
> in QEMU. Rust is now mature and proven enough to use as the language
> for device emulation code. Thanks to vhost-user and vfio-user using
> Rust for device emulation does not require a big conversion of QEMU
> code, it can simply be done in a separate program. This way attack
> surfaces can be written in Rust to make them less susceptible to
> security bugs going forward.
> 

Having worked on Rust implementations for vhost-user-fs and
vhost-user-blk, I'm 100% sold on this idea.

That said, there are a couple things that I think may help getting
more people into implementing vhost-user devices in Rust.

 1. Having a reference implementation for a simple device somewhere
 close or inside the QEMU source tree. I'd say vhost-user-blk is a
 clear candidate, given that a naive implementation for raw files
 without any I/O optimization is quite easy to read and understand.

 2. Integrating the ability to start-up vhost-user daemons from QEMU,
 in an easy and portable way. I know we can always rely on daemons
 like libvirt to do this for us, but I think it'd be nicer to be able
 to define a vhost-user device from the command line and have QEMU
 execute it with the proper parameters (BTW, Cloud-Hypervisor already
 does that). This would probably require some kind of configuration
 file, to be able to define which binary provides each vhost-user
 device personality, but could also be a way for "sanctioning"
 daemons (through the configuration defaults), and to have them adhere
 to a standardized command line format.

Thanks,
Sergio.

signature.asc
Description: PGP signature