Re: [PATCH 01/18] rust: add untrusted data abstraction
From: Alistair Francis
Date: Fri May 15 2026 - 01:53:22 EST
On Fri, May 8, 2026 at 3:18 PM Dirk Behme <dirk.behme@xxxxxxxxxxxx> wrote:
>
> Hi Alistair,
>
> On 08.05.2026 05:16, alistair23@xxxxxxxxx wrote:
> > From: Benno Lossin <benno.lossin@xxxxxxxxx>
> >
> > When reading data from userspace, hardware or other external untrusted
> > sources, the data must be validated before it is used for logic within
> > the kernel. This abstraction provides a generic newtype wrapper
> > `Untrusted`; it prevents direct access to the inner type. The only way
> > to use the underlying data is to call `.validate()` on such a value.
> >
> > Doing so utilizes the new `Validate` trait that is responsible for all
> > of the validation logic. This trait gives access to the inner value of
> > `Untrusted` by means of another newtype wrapper `Unvalidated`. In
> > contrast to `Untrusted`, `Unvalidated` allows direct access and
> > additionally provides several helper functions for slices.
> >
> > Having these two different newtype wrappers is an idea from Simona
> > Vetter. It has several benefits: it fully prevents safe access to the
> > underlying value of `Untrusted` without going through the `Validate`
> > API. Additionally, it allows one to grep for validation logic by simply
> > looking for `Unvalidated<`.
> >
> > Any API that reads data from an untrusted source should return
> > `Untrusted<T>` where `T` is the type of the underlying untrusted data.
> > This generic allows other abstractions to return their custom type
> > wrapped by `Untrusted`, signaling to the caller that the data must be
> > validated before use. This allows those abstractions to be used both in
> > a trusted and untrusted manner, increasing their generality.
> > Additionally, using the arbitrary self types feature, APIs can be
> > designed to explicitly read untrusted data:
> >
> > impl MyCustomDataSource {
> >     pub fn read(self: &Untrusted<Self>) -> &Untrusted<[u8]>;
> > }
> >
> > Cc: Simona Vetter <simona.vetter@xxxxxxxx>
> > Signed-off-by: Benno Lossin <benno.lossin@xxxxxxxxx>
> > Message-ID: <20240925205244.873020-2-benno.lossin@xxxxxxxxx>
>
>
> Today, randomly, I was about to ask Benno if there are any plans to
> continue with his great untrusted work. Just to find that you are
> carrying this forward. Many thanks!
>
> While trying to figure out some history of this patch, it looks to me
> that the version you are using is Benno's v2:
>
> https://lore.kernel.org/rust-for-linux/20240925205244.873020-2-benno.lossin@xxxxxxxxx/
>
> ?
>
> While the latest version from Benno I found is a v4:
>
> https://lore.kernel.org/rust-for-linux/20250814124424.516191-3-lossin@xxxxxxxxxx/
>
> Is there any reason not to use that?
Nope, there isn't, I just didn't know it existed. I have updated to
use the v4 submission.
>
> While at this, do you have any plan to add the `Validate` trait as well?
>
> https://lore.kernel.org/rust-for-linux/20250814124424.516191-4-lossin@xxxxxxxxxx/
I am using the `Validate` trait, so yes :) I have pulled in patches 1,
2 and 3 from the v4 series.
>
> Thanks
>
> Dirk
>
> P.S.: Carrying this patch forward, please check if it needs an update
> regarding new "rules". E.g. it looks to me that there should be an
> update regarding the vertical style for imports?
>
> https://docs.kernel.org/rust/coding-guidelines.html#imports
Thanks, I have fixed that up.
Alistair
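As an added illustration, not the patch's own code, the following user-space Rust model shows the `Untrusted`/`Unvalidated`/`Validate` split the quoted commit message describes (without the arbitrary-self-types feature it mentions), applied to a constructed frame format whose length field comes from the untrusted header:

```rust
/// Data from an untrusted source (user space, hardware, ...). The field is private
/// and there is deliberately no `Deref`, so safe code reaches it only via `validate`.
#[repr(transparent)]
pub struct Untrusted<T: ?Sized>(T);
impl<T: ?Sized> Untrusted<T> {
    /// Wrap a borrowed value, e.g. a buffer just copied in from user space.
    pub fn new_ref(value: &T) -> &Untrusted<T> {
        // SAFETY: `repr(transparent)` keeps the layout and pointer metadata of `T`.
        unsafe { &*(value as *const T as *const Untrusted<T>) }
    }
    /// The only way out: run a validator and receive a trusted `V`.
    pub fn validate<V: Validate<T>>(&self) -> Result<V, V::Err> {
        // SAFETY: `Unvalidated<T>` is `repr(transparent)` over `T` as well.
        V::validate(unsafe { &*(&self.0 as *const T as *const Unvalidated<T>) })
    }
}

/// View given to validators; direct access is allowed, so `Unvalidated<` greps for all validation logic.
#[repr(transparent)]
pub struct Unvalidated<T: ?Sized>(T);
impl<T: ?Sized> Unvalidated<T> {
    pub fn raw(&self) -> &T { &self.0 }
}

/// All validation logic lives in implementations of this trait.
pub trait Validate<T: ?Sized>: Sized {
    type Err;
    fn validate(raw: &Unvalidated<T>) -> Result<Self, Self::Err>;
}

/// Constructed sample format (not from the patch): `[0xAB, len, flags, payload...]`.
#[derive(Debug, PartialEq)]
pub struct Frame { pub flags: u8, pub payload: Vec<u8> }
#[derive(Debug, PartialEq)]
pub enum FrameError { BadMagic, Truncated, ReservedFlags }
impl Validate<[u8]> for Frame {
    type Err = FrameError;
    fn validate(raw: &Unvalidated<[u8]>) -> Result<Self, FrameError> {
        let [magic, len, flags, ..] = raw.raw() else { return Err(FrameError::Truncated) };
        if *magic != 0xAB { return Err(FrameError::BadMagic); }
        if *flags & 0xF0 != 0 { return Err(FrameError::ReservedFlags); }
        // `len` comes from the untrusted header: bounds-check it, never index blindly.
        let payload = raw.raw().get(3..3 + *len as usize).ok_or(FrameError::Truncated)?;
        Ok(Frame { flags: *flags, payload: payload.to_vec() })
    }
}
/// What a driver would expose: untrusted bytes in, validated frame or error out.
pub fn parse_frame(bytes: &[u8]) -> Result<Frame, FrameError> {
    Untrusted::new_ref(bytes).validate::<Frame>()
}
```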