feat: use i686 layout for nanvix-unstable guests and make snapshot RWX (#1271)

danbugs · web-flow · commit 8950f2efd281 · 2026-03-10T09:41:50.000-07:00
When nanvix-unstable is enabled, select the i686 layout module on
x86_64 hosts. This ensures MAX_GPA/MAX_GVA use 32-bit address space
limits and the scratch region is placed at the top of 4 GiB.

Also makes the snapshot region RWX for nanvix-unstable guests since
they have no CoW page tables and need direct write access.

Key changes:
- Propagate nanvix-unstable from hyperlight-host to hyperlight-common
- Use i686 layout when nanvix-unstable is enabled on x86_64
- Gate SNAPSHOT_PT_GVA_* exports behind not(nanvix-unstable) and
  target_arch = "x86_64" (i686 layout never defines these symbols)
- Make snapshot writable for nanvix-unstable (no CoW means hardware
  needs direct write access)

Signed-off-by: danbugs &lt;danilochiarlone@gmail.com&gt;
diff --git a/src/hyperlight_common/src/arch/i686/layout.rs b/src/hyperlight_common/src/arch/i686/layout.rs
@@ -17,11 +17,9 @@ limitations under the License.
 // This file is just dummy definitions at the moment, in order to
 // allow compiling the guest for real mode boot scenarios.
 
-pub const MAX_GVA: usize = 0xffff_efff;
-pub const SNAPSHOT_PT_GVA_MIN: usize = 0xef00_0000;
-pub const SNAPSHOT_PT_GVA_MAX: usize = 0xefff_efff;
+pub const MAX_GVA: usize = 0xffff_ffff;
 pub const MAX_GPA: usize = 0xffff_ffff;
 
-pub fn min_scratch_size() -> usize {
-    1 * crate::vmem::PAGE_SIZE
+pub fn min_scratch_size(_input_data_size: usize, _output_data_size: usize) -> usize {
+    crate::vmem::PAGE_SIZE
 }
diff --git a/src/hyperlight_common/src/layout.rs b/src/hyperlight_common/src/layout.rs
@@ -14,11 +14,20 @@ See the License for the specific language governing permissions and
 limitations under the License.
  */
 
-#[cfg_attr(target_arch = "x86_64", path = "arch/amd64/layout.rs")]
 #[cfg_attr(target_arch = "x86", path = "arch/i686/layout.rs")]
+#[cfg_attr(
+    all(target_arch = "x86_64", not(feature = "nanvix-unstable")),
+    path = "arch/amd64/layout.rs"
+)]
+#[cfg_attr(
+    all(target_arch = "x86_64", feature = "nanvix-unstable"),
+    path = "arch/i686/layout.rs"
+)]
 mod arch;
 
-pub use arch::{MAX_GPA, MAX_GVA, SNAPSHOT_PT_GVA_MAX, SNAPSHOT_PT_GVA_MIN};
+pub use arch::{MAX_GPA, MAX_GVA};
+#[cfg(all(target_arch = "x86_64", not(feature = "nanvix-unstable")))]
+pub use arch::{SNAPSHOT_PT_GVA_MAX, SNAPSHOT_PT_GVA_MIN};
 
 // offsets down from the top of scratch memory for various things
 pub const SCRATCH_TOP_SIZE_OFFSET: u64 = 0x08;
diff --git a/src/hyperlight_host/Cargo.toml b/src/hyperlight_host/Cargo.toml
@@ -137,7 +137,7 @@ mshv3 = ["dep:mshv-bindings", "dep:mshv-ioctls"]
 gdb = ["dep:gdbstub", "dep:gdbstub_arch"]
 fuzzing = ["hyperlight-common/fuzzing"]
 build-metadata = ["dep:built"]
-nanvix-unstable = []
+nanvix-unstable = ["hyperlight-common/nanvix-unstable"]
 
 [[bench]]
 name = "benchmarks"
diff --git a/src/hyperlight_host/src/mem/shared_mem.rs b/src/hyperlight_host/src/mem/shared_mem.rs
@@ -679,7 +679,22 @@ impl GuestSharedMemory {
             MemoryRegionType::Scratch => {
                 MemoryRegionFlags::READ | MemoryRegionFlags::WRITE | MemoryRegionFlags::EXECUTE
             }
-            MemoryRegionType::Snapshot => MemoryRegionFlags::READ | MemoryRegionFlags::EXECUTE,
+            // Without nanvix-unstable (default), the snapshot is read-only
+            // because guest page tables provide CoW semantics for writable
+            // pages.  With nanvix-unstable there are no guest page tables,
+            // so the snapshot must be writable — otherwise writes (including
+            // the CPU setting the "Accessed" bit in GDT descriptors during
+            // segment loads) cause EPT violations that KVM retries forever.
+            MemoryRegionType::Snapshot => {
+                #[cfg(not(feature = "nanvix-unstable"))]
+                {
+                    MemoryRegionFlags::READ | MemoryRegionFlags::EXECUTE
+                }
+                #[cfg(feature = "nanvix-unstable")]
+                {
+                    MemoryRegionFlags::READ | MemoryRegionFlags::WRITE | MemoryRegionFlags::EXECUTE
+                }
+            }
             #[allow(clippy::panic)]
             // In the future, all the host side knowledge about memory
             // region types should collapse down to Snapshot vs
diff --git a/src/hyperlight_host/src/sandbox/snapshot.rs b/src/hyperlight_host/src/sandbox/snapshot.rs
@@ -265,6 +265,7 @@ fn filtered_mappings<'a>(
             return None;
         }
         // neither does the mapping of the snapshot's own page tables
+        #[cfg(not(feature = "nanvix-unstable"))]
         if mapping.virt_base >= hyperlight_common::layout::SNAPSHOT_PT_GVA_MIN as u64
             && mapping.virt_base <= hyperlight_common::layout::SNAPSHOT_PT_GVA_MAX as u64
         {

Original file line number	Diff line number	Diff line change
`@@ -265,6 +265,7 @@ fn filtered_mappings<'a>(`
`265`	`265`	`return None;`
`266`	`266`	`}`
`267`	`267`	`// neither does the mapping of the snapshot's own page tables`
	`268`	`+ #[cfg(not(feature = "nanvix-unstable"))]`
`268`	`269`	`if mapping.virt_base >= hyperlight_common::layout::SNAPSHOT_PT_GVA_MIN as u64`
`269`	`270`	`&& mapping.virt_base <= hyperlight_common::layout::SNAPSHOT_PT_GVA_MAX as u64`
`270`	`271`	`{`