A new Rust API for marking user‑space buffers as untrusted lands in the kernel’s driver‑core branch, aiming to force explicit validation before any kernel use and to tighten security for upcoming Rust drivers.
Linux Kernel Introduces Rust‑Based Untrusted Data API
The kernel maintainers have merged a prototype Rust interface that forces developers to treat any data arriving from user space as untrusted until it passes an explicit validation step. The change appears in the untrusted branch of driver-core.git and is slated for review during the Linux 7.2 merge window.
Technical specifications
- Wrapper type – Untrusted<T> encapsulates a generic payload T. The type can only be constructed from raw pointers received via system calls; direct construction from safe Rust code is prohibited.
- Validate trait – A new trait Validate defines fn validate(self) -> Result<Trusted<T>, Error>. Implementations exist for common kernel structures such as &[u8], IoVec, and UserSlice.
- IOVec integration – The first consumer of the API is the I/O‑vector handling code. Calls that previously accepted &[IoVec] now require Untrusted<IoVec> and must invoke validate() before any DMA mapping or copy‑to‑user.
- Error handling – Validation failures return a kernel‑space Error that maps to -EFAULT for the originating syscall, preserving existing user‑space semantics.
- Documentation – The patch series includes a Documentation/rust/untrusted_data_api.rst file that outlines usage patterns, safety contracts, and migration steps for existing Rust drivers.
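The validate‑then‑use pattern the list describes, as an added stand‑alone Rust model that is not the kernel's own code: the names Untrusted<T>, Validate, Trusted<T>, IoVec and Error follow the page, while the IoVec fields, the address‑range check, the from_syscall constructor, the EFAULT value and the total_len consumer are assumptions made for the example.

```rust
// Illustrative model of the untrusted-data API described above. Stand-alone
// user-space code, not the kernel's: type names mirror the page, but the
// IoVec layout, the range check and the errno value are assumptions.

/// Error returned when validation fails; the page says it maps to -EFAULT.
#[derive(Debug, PartialEq)]
pub struct Error(pub i32);
pub const EFAULT: i32 = 14; // assumed Linux errno value for EFAULT

/// Raw user-space I/O vector as it arrives from a syscall (assumed layout).
#[derive(Clone, Copy, Debug)]
pub struct IoVec { pub base: u64, pub len: u64 }

/// Data from user space. The payload is private, so a consumer cannot read
/// it without going through `validate()`.
pub struct Untrusted<T>(T);
impl<T> Untrusted<T> {
    /// Models "constructed only from raw syscall data"; a driver would not
    /// build one of these from a locally constructed value.
    pub fn from_syscall(raw: T) -> Self { Untrusted(raw) }
}

/// Data that has passed validation; dereferences to the inner value.
pub struct Trusted<T>(T);
impl<T> std::ops::Deref for Trusted<T> {
    type Target = T;
    fn deref(&self) -> &T { &self.0 }
}

pub trait Validate<T> { fn validate(self) -> Result<Trusted<T>, Error>; }

/// Assumed check for an iovec array: each range must not wrap on addition
/// and must end inside the user-space address window.
pub const USER_ADDR_LIMIT: u64 = 0x0000_7fff_ffff_f000; // assumed
impl Validate<Vec<IoVec>> for Untrusted<Vec<IoVec>> {
    fn validate(self) -> Result<Trusted<Vec<IoVec>>, Error> {
        for iov in &self.0 {
            let end = iov.base.checked_add(iov.len).ok_or(Error(EFAULT))?;
            if end > USER_ADDR_LIMIT { return Err(Error(EFAULT)); }
        }
        Ok(Trusted(self.0))
    }
}

/// Consumer that only accepts validated data: passing an Untrusted value
/// is a compile error, so the validation step cannot be skipped by mistake.
pub fn total_len(iovs: &Trusted<Vec<IoVec>>) -> u64 {
    iovs.iter().map(|v| v.len).sum()
}
```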
The work is led by Benno Lossin, who has been coordinating Rust‑related patches in the kernel for the past year. Greg Kroah‑Hartman has queued the changes into a dedicated branch, allowing reviewers to test the API in isolation before it reaches the main driver core.
Market and ecosystem implications
- Security posture – By forcing explicit validation, the API reduces the attack surface for memory‑corruption bugs that stem from unchecked user buffers. Early benchmarks from the patch series show a 3 % overhead for validation logic on typical network packet paths, a trade‑off many distributions consider acceptable for the added safety margin.
- Rust driver adoption – The presence of a vetted untrusted‑data model removes a major hurdle for third‑party developers who have been hesitant to write Rust drivers that interact with user space. Companies such as Red Hat and Intel have already expressed interest in evaluating the API for their upcoming storage and networking stacks.
- Tooling impact – The new trait integrates with the existing rustc lint suite used in kernel builds. Developers will see warnings if they attempt to bypass Untrusted wrappers, encouraging a consistent coding style across the code base.
- Release timeline – If the API clears the 7.2 merge window, it will become part of the first stable kernel release that ships with official Rust support. That milestone could accelerate the migration of legacy C drivers to Rust, especially in areas where security audits are costly.
Outlook
The untrusted data API represents a concrete step toward a safer Rust ecosystem inside the Linux kernel. By codifying the “validate‑then‑use” pattern, the kernel gains a measurable defense against a class of bugs that have historically required extensive manual review. The next few weeks will reveal how quickly driver maintainers adopt the wrapper in real‑world code and whether the modest performance cost holds up under heavy‑load workloads.
For the full patch series and documentation, see the official kernel repository.