feat: use i686 layout for non-init-paging guests on x86_64

danbugs · danbugs · commit 2889e61010d9 · 2026-03-06T19:51:10.000Z
When the init-paging feature is disabled (e.g., 32-bit guests that
manage their own paging), select the i686 layout module instead of
amd64 on x86_64 hosts. This ensures MAX_GPA/MAX_GVA use 32-bit
address space limits, and the scratch region is placed correctly
at the top of 4 GiB physical memory.

Key changes:
- Set MAX_GVA = MAX_GPA (0xffff_ffff) in i686 layout so that
  identity-mapped guests get correct virtual addresses
- Remove SNAPSHOT_PT_GVA_* from i686 layout (no page tables)
- Gate SNAPSHOT_PT_GVA_* exports/usage behind init-paging feature
- Propagate init-paging feature from hyperlight-host to
  hyperlight-common via Cargo feature forwarding
- Make snapshot region writable for non-init-paging guests (no CoW
  page tables means the hardware needs direct write access)
- Fix min_scratch_size signature to match amd64 layout

Signed-off-by: danbugs &lt;danilochiarlone@gmail.com&gt;
diff --git a/src/hyperlight_common/src/arch/i686/layout.rs b/src/hyperlight_common/src/arch/i686/layout.rs
@@ -17,11 +17,9 @@ limitations under the License.
 // This file is just dummy definitions at the moment, in order to
 // allow compiling the guest for real mode boot scenarios.
 
-pub const MAX_GVA: usize = 0xffff_efff;
-pub const SNAPSHOT_PT_GVA_MIN: usize = 0xef00_0000;
-pub const SNAPSHOT_PT_GVA_MAX: usize = 0xefff_efff;
+pub const MAX_GVA: usize = 0xffff_ffff;
 pub const MAX_GPA: usize = 0xffff_ffff;
 
-pub fn min_scratch_size() -> usize {
-    1 * crate::vmem::PAGE_SIZE
+pub fn min_scratch_size(_input_data_size: usize, _output_data_size: usize) -> usize {
+    crate::vmem::PAGE_SIZE
 }
diff --git a/src/hyperlight_common/src/layout.rs b/src/hyperlight_common/src/layout.rs
@@ -14,11 +14,20 @@ See the License for the specific language governing permissions and
 limitations under the License.
  */
 
-#[cfg_attr(target_arch = "x86_64", path = "arch/amd64/layout.rs")]
 #[cfg_attr(target_arch = "x86", path = "arch/i686/layout.rs")]
+#[cfg_attr(
+    all(target_arch = "x86_64", feature = "init-paging"),
+    path = "arch/amd64/layout.rs"
+)]
+#[cfg_attr(
+    all(target_arch = "x86_64", not(feature = "init-paging")),
+    path = "arch/i686/layout.rs"
+)]
 mod arch;
 
-pub use arch::{MAX_GPA, MAX_GVA, SNAPSHOT_PT_GVA_MAX, SNAPSHOT_PT_GVA_MIN};
+pub use arch::{MAX_GPA, MAX_GVA};
+#[cfg(feature = "init-paging")]
+pub use arch::{SNAPSHOT_PT_GVA_MAX, SNAPSHOT_PT_GVA_MIN};
 
 // offsets down from the top of scratch memory for various things
 pub const SCRATCH_TOP_SIZE_OFFSET: u64 = 0x08;
diff --git a/src/hyperlight_host/Cargo.toml b/src/hyperlight_host/Cargo.toml
@@ -40,7 +40,7 @@ tracing = { version = "0.1.44", features = ["log"] }
 tracing-log = "0.2.0"
 tracing-core = "0.1.36"
 tracing-opentelemetry = { version = "0.32.1", optional = true }
-hyperlight-common = { workspace = true, default-features = true, features = [ "std", "init-paging" ] }
+hyperlight-common = { workspace = true, default-features = true, features = [ "std" ] }
 hyperlight-guest-tracing = { workspace = true, default-features = true, optional = true }
 vmm-sys-util = "0.15.0"
 crossbeam-channel = "0.5.15"
@@ -137,7 +137,7 @@ mshv3 = ["dep:mshv-bindings", "dep:mshv-ioctls"]
 gdb = ["dep:gdbstub", "dep:gdbstub_arch"]
 fuzzing = ["hyperlight-common/fuzzing"]
 build-metadata = ["dep:built"]
-init-paging = []
+init-paging = ["hyperlight-common/init-paging"]
 
 [[bench]]
 name = "benchmarks"
diff --git a/src/hyperlight_host/src/mem/shared_mem.rs b/src/hyperlight_host/src/mem/shared_mem.rs
@@ -679,7 +679,22 @@ impl GuestSharedMemory {
             MemoryRegionType::Scratch => {
                 MemoryRegionFlags::READ | MemoryRegionFlags::WRITE | MemoryRegionFlags::EXECUTE
             }
-            MemoryRegionType::Snapshot => MemoryRegionFlags::READ | MemoryRegionFlags::EXECUTE,
+            // For init-paging, the snapshot is read-only because guest page
+            // tables provide CoW semantics for writable pages.  For
+            // non-init-paging there are no guest page tables, so the snapshot
+            // must be writable — otherwise writes (including the CPU setting
+            // the "Accessed" bit in GDT descriptors during segment loads)
+            // cause EPT violations that KVM retries forever.
+            MemoryRegionType::Snapshot => {
+                #[cfg(feature = "init-paging")]
+                {
+                    MemoryRegionFlags::READ | MemoryRegionFlags::EXECUTE
+                }
+                #[cfg(not(feature = "init-paging"))]
+                {
+                    MemoryRegionFlags::READ | MemoryRegionFlags::WRITE | MemoryRegionFlags::EXECUTE
+                }
+            }
             #[allow(clippy::panic)]
             // In the future, all the host side knowledge about memory
             // region types should collapse down to Snapshot vs
diff --git a/src/hyperlight_host/src/sandbox/snapshot.rs b/src/hyperlight_host/src/sandbox/snapshot.rs
@@ -263,6 +263,7 @@ fn filtered_mappings<'a>(
             return None;
         }
         // neither does the mapping of the snapshot's own page tables
+        #[cfg(feature = "init-paging")]
         if mapping.virt_base >= hyperlight_common::layout::SNAPSHOT_PT_GVA_MIN as u64
             && mapping.virt_base <= hyperlight_common::layout::SNAPSHOT_PT_GVA_MAX as u64
         {

Original file line number	Diff line number	Diff line change
`@@ -263,6 +263,7 @@ fn filtered_mappings<'a>(`
`263`	`263`	`return None;`
`264`	`264`	`}`
`265`	`265`	`// neither does the mapping of the snapshot's own page tables`
	`266`	`+ #[cfg(feature = "init-paging")]`
`266`	`267`	`if mapping.virt_base >= hyperlight_common::layout::SNAPSHOT_PT_GVA_MIN as u64`
`267`	`268`	`&& mapping.virt_base <= hyperlight_common::layout::SNAPSHOT_PT_GVA_MAX as u64`
`268`	`269`	`{`