feat: add narrow shared memory accessor to UninitializedSandbox #1270
danbugs wants to merge 1 commit into hyperlight-dev:main from
c26238f to 0aa3f86
I wouldn't like this to be part of the public API. Can we go into a little more detail about how this is being used right now, and whether there are alternative ways to get the same result?
What region is it writing to?
If we constrained the usage to something like
The main worry I have is public usage of this API, which is probably something we don't want. I'd also want to know what it's useful for more specifically, but I'd be open to adding this under a new feature flag with maybe a scary name since that would discourage general use.
hmm, it seems the requirement is that some systems need some extra metadata during the boot sequence. I wonder, for those systems not using paging (or maybe even with paging), if they could use the scratch region or a subset of it?
I have the same concerns other people mentioned around here. Exposing an implementation detail binds us to keeping it that way.
Addressed the concerns about exposing
pub fn guest_memory_ptr(&mut self, gpa: u64) -> Result<*mut u8>
This does bounds-checked GPA-to-host-pointer translation — the caller provides a guest physical address and gets back a host pointer into the mapped sandbox memory. The API no longer exposes
Nanvix uses this for its credits-based flow control: the host and guest agree on a fixed GPA (
This is narrower than the previous
845885e to 01aa81e
Expose a scoped GuestSemaphore type behind the "guest-semaphore" feature flag. The semaphore encapsulates a single u64 counter at a guest physical address, with checked increment()/decrement() methods that use volatile writes. This is narrower in scope than the previous guest_memory_ptr() API: instead of exposing arbitrary host-side pointers to guest memory, it provides exactly the counting semaphore primitive that the consumer needs.
Signed-off-by: danbugs <danilochiarlone@gmail.com>
01aa81e to 54975ae
Summary
Adds a public shared_mem_mut() method to UninitializedSandbox that returns a mutable reference to the sandbox's ExclusiveSharedMemory. This provides a narrow, type-safe accessor for downstream consumers (e.g., Nanvix) that need to write data into the sandbox's shared memory region before initialization, without exposing the internal SandboxMemoryManager or its mgr field.
Motivation
Downstream projects like Nanvix need to write configuration data (e.g., a credits counter) into the sandbox's shared memory at a known GPA offset before evolving it into an initialized sandbox. Previously this required making mgr and SandboxMemoryManager public, leaking implementation details. This PR provides a minimal accessor that exposes only what is needed.
Changes
src/hyperlight_host/src/sandbox/uninitialized.rs: Add pub fn shared_mem_mut(&mut self) -> &mut ExclusiveSharedMemory
No visibility changes to SandboxMemoryManager or the mgr field. Additive-only API, no behavioral changes.
Test plan
cargo clippy passes (linux + windows feature combinations)
cargo test -p hyperlight-host --no-default-features -F "kvm,init-paging" --lib passes (83 tests)
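As an added illustration of the scoped, bounds-checked design the PR description and the commit message above describe (a u64 counter at a fixed GPA with checked increment/decrement, handed out through a borrow rather than a raw host pointer), here is a constructed Rust model; it is not hyperlight's code, and the ExclusiveSharedMemory, GuestSemaphore and SemError types in it are hypothetical stand-ins, not the project's real API.

```rust
/// Constructed stand-in for a sandbox's exclusively owned shared memory
/// (hypothetical model, not hyperlight's real `ExclusiveSharedMemory`).
pub struct ExclusiveSharedMemory { buf: Vec<u8> }

#[derive(Debug, PartialEq, Eq)]
pub enum SemError { OutOfBounds { gpa: u64, size: usize }, Overflow, Underflow }

impl ExclusiveSharedMemory {
    pub fn new(size: usize) -> Self { Self { buf: vec![0; size] } }

    /// Bounds-checked 8-byte slot at a guest physical address (GPA); both the
    /// start and the end offset are checked, so a huge GPA cannot wrap around.
    fn word(&mut self, gpa: u64) -> Result<&mut [u8], SemError> {
        let size = self.buf.len();
        let span = usize::try_from(gpa).ok()
            .and_then(|s| s.checked_add(8).map(|e| (s, e)))
            .filter(|&(_, e)| e <= size);
        match span {
            Some((s, e)) => Ok(&mut self.buf[s..e]),
            None => Err(SemError::OutOfBounds { gpa, size }),
        }
    }
}

/// Scoped counter over one u64 at a fixed GPA. It holds a mutable borrow of
/// the region, so no raw host pointer escapes and aliasing is rejected at
/// compile time. (A real sandbox would use volatile loads/stores here, since
/// the guest updates the same word.)
pub struct GuestSemaphore<'a> { mem: &'a mut ExclusiveSharedMemory, gpa: u64 }

impl<'a> GuestSemaphore<'a> {
    pub fn new(mem: &'a mut ExclusiveSharedMemory, gpa: u64) -> Result<Self, SemError> {
        mem.word(gpa)?; // validate once, so a handle can only refer to a valid slot
        Ok(Self { mem, gpa })
    }
    pub fn get(&mut self) -> u64 {
        let w: &[u8] = self.mem.word(self.gpa).expect("validated in new");
        u64::from_le_bytes(w.try_into().expect("8 bytes"))
    }
    /// Checked add/sub: refuse to wrap rather than silently corrupt the counter.
    fn adjust(&mut self, f: impl Fn(u64) -> Option<u64>, err: SemError) -> Result<u64, SemError> {
        let v = f(self.get()).ok_or(err)?;
        self.mem.word(self.gpa).expect("validated in new").copy_from_slice(&v.to_le_bytes());
        Ok(v)
    }
    pub fn increment(&mut self) -> Result<u64, SemError> { self.adjust(|c| c.checked_add(1), SemError::Overflow) }
    pub fn decrement(&mut self) -> Result<u64, SemError> { self.adjust(|c| c.checked_sub(1), SemError::Underflow) }
}
```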