2025-09-05 –, Room 1
QEMU 9.2.0 was released in December 2024 with experimental Rust support. By now the strengths and challenges of writing QEMU code in Rust have become more apparent. This talk will summarize the whys and hows of Rust for QEMU development, tailored for people who are interested in getting involved.
We will briefly go over the following topics:
- We know Rust has memory safety. How much memory safety is achievable in QEMU and why (not)?
Machines and devices need to interact with internal APIs and Rust is no exception. This means we cannot make fundamental assumptions that make our lives easier, such as "the code that calls my function obeys the same static analysis my code does". The borrow checker is not immediately valuable when C code does not utilise it.
We can create abstractions that leverage safe code, for example we can ensure exclusive access with locks/interior mutability or by simply trusting API contracts. We will demystify the unsafe
keyword and understand how it helps in allowing safe code.
- What are the steps for onboarding a device/subsystem to Rust?
We will show how to declare code to Meson, how to use external dependencies, how to generate required C bindings with bindgen
and most importantly, how to write safe wrappers for them in qemu-api
crate library.
- Rust language and ecosystem idioms/practices/abstractions we can use.
Rust can heavily utilize boilerplate code generation with procedural and declarative macros: we can use them to safely bridge our code with QEMU APIs, such as qdev
.
Rust can statically check that invariants hold: we will see how to do that with exhaustive pattern matching, strong typing, dead code lints, state machines, builder pattern.
- Potential future work ideas (such as QEMU internals and not just device models, async + executors, custom QEMU-specific lints, etc)
If time allows, we will also show a simple "Hello world" device implementation.