So there's no reason for secret (entropy) generation to ever fail. Now suppose a program passes to the kernel an invalid pointer. Why might that have happened? You'd obviously never do that *deliberately*, especially if the API is to kill the process! So it must be a mistake.
Now suppose the mistake is under the control of an attacker: you definitely want to fail immediately, as this means the attacker has the ability to cause writes to memory that shouldn't be overwritten. That's exploitable, and failing fast is the best you can do.
Even if the mistake isn't under the control of an attacker, you still might as well fail the process. Ensuring a valid pointer is passed to the kernel is trivial, and even if the function returned an error you'd almost always immediately panic() anyway, killing the process.
By killing the process for you in the event of a programming bug, the kernel is effectively doing the programmer's job for them by handling the error. Error handling code is hard to test, so reducing the amount of error handling code is *really* valuable.
No surprise that we're seeing this in Fuchsia: it's written in Rust, and a very common thing to see in Rust API design is for the API to panic immediately if passed invalid parameters that would only be caused by a programming mistake. Killing the process is the kernel equivalent.
I could be wrong on that! The source code for the Zircon kernel isn't available AFAICT. I'm 95% sure that Fuchsia has major Rust components though, as it's been mentioned in /r/rust multiple times. Anyway, even if it's not, it's still accurate to say that's Rust-like. :)
Source code was all available. Not sure why some is unavailable at the moment. The core kernel code is written in C++ since it's based on lk. It's a microkernel though, so the drivers, filesystems, network stack, etc. aren't part of the core kernel. The network stack is in Go.
They do have Rust integrated and seemingly either use it for something or plan to use it in the future. I'm not sure where it's actually being used though. It wasn't in the core kernel but it's worth noting they didn't make that from scratch but rather started from little kernel.
Part of the advantage of using a microkernel is that it's very realistic to outright replace the individual components one-by-one, so rewriting them in other languages is quite feasible. I don't think they have enough developers who know Rust to use it much at this point though.