What is necessary for Rust on CHERIoT?

[davidchisnall]

What is necessary for Rust on CHERIoT?

[davidchisnall]

CHERI Rust work has been done by several groups including the University of Kent. CHERIoT's LLVM has caught up to a version of LLVM that they need. There are a few steps to getting Rust working well on CHERIoT:

Initial support for nostd with no integration with the platform should mostly just work if we adopt the existing work (modulo testing and so on). This is sufficient to run Rust in a compartment, but with FFI interfaces via C/C++ for all cross-compartment work. We hope to start on this over the summer.

The next step is some minimal work to make nostd+alloc work with our (memory safe) allocator.

After that, we will need to incrementally add Rust versions of the language extensions and the various things that depend on inline assembly in CHERIoT, for example exposing Rust functions as cross-compartment calls, importing MMIO objects, and so on.

Finally, there is scope for CHERIoT to protect some bits of the Rust type system in the presence of cross-compartment calls. For example, we should be able to make borrowed references both deeply immutable and uncapturable implicitly when they are passed across a compartment boundary. This makes Rust much more interesting for CHERIoT because these guarantees can be enforced even in the presence of C/C++ FFI. We may be able to make some FFI not unsafe if it does not take any mutable pointers, or takes only mutable pointers to things where mutating them cannot violate type safety (for example, reading into a byte buffer).