feat: add narrow shared memory accessor to UninitializedSandbox#1270
danbugs wants to merge 2 commits into hyperlight-dev:main from
Conversation
c26238f to 0aa3f86
I wouldn't like this to be part of the public API. Can we go into a little more detail about how this is being used right now, and whether there are alternative ways to get the same result?
What region is it writing to?
If we constrained the usage to something like
The main worry I have is public usage of this API which is probably something we don't want. I'd also want to know what it's useful for more specifically, but I'd be open to adding this under a new feature flag with maybe a scary name since that would discourage general use
hmm, it seems the requirement is some systems need some extra metadata during boot sequence, I wonder for those systems not using paging (or maybe even with paging), if they could use the scratch region or a subset of it?
I have the same concerns other people mentioned around here. Exposing an implementation detail binds us to keeping it that way. |
Addressed the concerns about exposing
pub fn guest_memory_ptr(&mut self, gpa: u64) -> Result<*mut u8>
This does bounds-checked GPA-to-host-pointer translation — the caller provides a guest physical address and gets back a host pointer into the mapped sandbox memory. The API no longer exposes
Nanvix uses this for its credits-based flow control: the host and guest agree on a fixed GPA (
This is narrower than the previous
e4f9d2b to edf452d
Replace the public shared_mem_mut() API (which exposed the full SharedMemory trait and raw base_ptr()) with a narrower guest_memory_ptr(gpa) method that takes a guest physical address, validates it falls within the sandbox's allocated memory region, and returns the corresponding host pointer. This addresses review feedback requesting that raw shared memory not be part of the public API surface.

Signed-off-by: danbugs <danilochiarlone@gmail.com>
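The bounds-checked GPA-to-host-pointer translation this commit message describes, written out as an added example; it is not Hyperlight's own code, and the memory layout (one buffer mapped at a single guest base address), the `GpaOutOfRange` error type and the `write_u32` helper are assumptions. Beyond the single-byte translation, it also checks a whole `gpa..gpa+len` range, since a pointer to the last valid byte does not make a multi-byte write at that address safe.

```rust
/// Returned when `gpa..gpa+len` does not fall inside the sandbox's mapping.
#[derive(Debug, PartialEq, Eq)]
pub struct GpaOutOfRange {
    pub gpa: u64,
    pub len: u64,
}

/// Host-side view of sandbox memory (assumed layout): one buffer mapped into the
/// guest starting at physical address `guest_base`.
pub struct GuestMemory {
    backing: Vec<u8>,
    guest_base: u64,
}

impl GuestMemory {
    pub fn new(guest_base: u64, size: usize) -> Self {
        GuestMemory { backing: vec![0; size], guest_base }
    }

    /// Host offset of `gpa..gpa+len`, or an error if any byte of that range
    /// lies outside the mapping. Checked arithmetic stops a huge `gpa` or
    /// `len` from wrapping around and slipping past the comparison.
    fn checked_offset(&self, gpa: u64, len: u64) -> Result<usize, GpaOutOfRange> {
        let size = self.backing.len() as u64;
        gpa.checked_sub(self.guest_base)
            .and_then(|off| off.checked_add(len).map(|end| (off, end)))
            .filter(|(_, end)| *end <= size)
            .map(|(off, _)| off as usize) // off <= size <= usize::MAX here
            .ok_or(GpaOutOfRange { gpa, len })
    }

    /// Bounds-checked GPA-to-host-pointer translation: the caller names a guest
    /// physical address and gets a host pointer to that byte; the mapping's raw
    /// base pointer is never handed out.
    pub fn guest_memory_ptr(&mut self, gpa: u64) -> Result<*mut u8, GpaOutOfRange> {
        let off = self.checked_offset(gpa, 1)?;
        Ok(unsafe { self.backing.as_mut_ptr().add(off) })
    }

    /// Write a little-endian u32 (e.g. a credits counter) at `gpa`, checking
    /// that all four bytes fit, not only the first one.
    pub fn write_u32(&mut self, gpa: u64, value: u32) -> Result<(), GpaOutOfRange> {
        let off = self.checked_offset(gpa, 4)?;
        self.backing[off..off + 4].copy_from_slice(&value.to_le_bytes());
        Ok(())
    }
}
```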
edf452d to e18f1a1
Summary
Adds a public shared_mem_mut() method to UninitializedSandbox that returns a mutable reference to the sandbox's ExclusiveSharedMemory. This provides a narrow, type-safe accessor for downstream consumers (e.g., Nanvix) that need to write data into the sandbox's shared memory region before initialization, without exposing the internal SandboxMemoryManager or its mgr field.
Motivation
Downstream projects like Nanvix need to write configuration data (e.g., a credits counter) into the sandbox's shared memory at a known GPA offset before evolving it into an initialized sandbox. Previously this required making mgr and SandboxMemoryManager public, leaking implementation details. This PR provides a minimal accessor that exposes only what is needed.
Changes
src/hyperlight_host/src/sandbox/uninitialized.rs: Add pub fn shared_mem_mut(&mut self) -> &mut ExclusiveSharedMemory
No visibility changes to SandboxMemoryManager or the mgr field. Additive-only API, no behavioral changes.
Test plan
cargo clippy passes (linux + windows feature combinations)
cargo test -p hyperlight-host --no-default-features -F "kvm,init-paging" --lib passes (83 tests)