Which came first, the snapshot or the sandbox?

This commit changes the Hyperlight API so that every sandbox is
created from a snapshot. This is useful for several reasons; most
immediately, in the same commit, note that it allows us to avoid
precommitting to a size for the page table region, so we no longer
need to estimate that regin's size.

Signed-off-by: Simon Davies <simongdavies@users.noreply.github.com>
Co-authored-by: Lucy Menon <168595099+syntactically@users.noreply.github.com>

Author: simongdavies

src/hyperlight_common/src/arch/amd64/layout.rs

@@ -0,0 +1,18 @@
+/*
+Copyright 2025  The Hyperlight Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+ */
+
+// Keep in mind that the minimum upper half GVA is 0xffff_8000_0000_0000
+pub const SNAPSHOT_PT_GVA: usize = 0xffff_ff00_0000_0000;

src/hyperlight_common/src/arch/amd64/vmem.rs

@@ -54,7 +54,7 @@ pub const PAGE_RW: u64 = 1 << 1;
 pub const PAGE_NX: u64 = 1 << 63;
 /// Mask to extract the physical address from a PTE (bits 51:12)
 /// This masks out the lower 12 flag bits AND the upper bits including NX (bit 63)
-pub(crate) const PTE_ADDR_MASK: u64 = 0x000F_FFFF_FFFF_F000;
+pub const PTE_ADDR_MASK: u64 = 0x000F_FFFF_FFFF_F000;
 const PAGE_USER_ACCESS_DISABLED: u64 = 0 << 2; // U/S bit not set - supervisor mode only (no code runs in user mode for now)
 const PAGE_DIRTY_CLEAR: u64 = 0 << 6; // D - dirty bit cleared (set by CPU when written)
 const PAGE_ACCESSED_CLEAR: u64 = 0 << 5; // A - accessed bit cleared (set by CPU when accessed)

src/hyperlight_common/src/layout.rs

@@ -0,0 +1,20 @@
+/*
+Copyright 2025  The Hyperlight Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+ */
+
+#[cfg_attr(target_arch = "x86_64", path = "arch/amd64/layout.rs")]
+mod arch;
+
+pub use arch::SNAPSHOT_PT_GVA;

src/hyperlight_common/src/lib.rs

@@ -27,6 +27,9 @@ pub mod flatbuffer_wrappers;
 /// FlatBuffers-related utilities and (mostly) generated code
 #[allow(clippy::all, warnings)]
 mod flatbuffers;
+// cbindgen:ignore
+pub mod layout;
+
 /// cbindgen:ignore
 pub mod mem;
 

src/hyperlight_guest_bin/src/paging.rs

@@ -38,7 +38,37 @@ pub fn ptov(x: u64) -> *mut u8 {
 //       virtual address 0, and Rust raw pointer operations can't be
 //       used to read/write from address 0.
 
-struct GuestMappingOperations {}
+// We get this out of CR3 the first time that we do any mapping
+// operation. In the future, if snapshot/restore changes to be able to
+// change the snapshot pt base, we will need to modify this.
+static SNAPSHOT_PT_GPA: spin::Once<u64> = spin::Once::new();
+
+struct GuestMappingOperations {
+    snapshot_pt_base_gpa: u64,
+    snapshot_pt_base_gva: u64,
+}
+impl GuestMappingOperations {
+    fn new() -> Self {
+        Self {
+            snapshot_pt_base_gpa: *SNAPSHOT_PT_GPA.call_once(|| {
+                let snapshot_pt_base_gpa: u64;
+                unsafe {
+                    asm!("mov {}, cr3", out(reg) snapshot_pt_base_gpa);
+                };
+                snapshot_pt_base_gpa
+            }),
+            snapshot_pt_base_gva: hyperlight_common::layout::SNAPSHOT_PT_GVA as u64,
+        }
+    }
+    fn phys_to_virt(&self, addr: u64) -> u64 {
+        if addr >= self.snapshot_pt_base_gpa {
+            self.snapshot_pt_base_gva + (addr - self.snapshot_pt_base_gpa)
+        } else {
+            // Assume for now that any of our own PTs are identity mapped.
+            addr
+        }
+    }
+}
 impl hyperlight_common::vmem::TableOps for GuestMappingOperations {
     type TableAddr = u64;
     unsafe fn alloc_table(&self) -> u64 {
@@ -50,13 +80,15 @@ impl hyperlight_common::vmem::TableOps for GuestMappingOperations {
         addr + offset
     }
     unsafe fn read_entry(&self, addr: u64) -> u64 {
+        let addr = self.phys_to_virt(addr);
         let ret: u64;
         unsafe {
             asm!("mov {}, qword ptr [{}]", out(reg) ret, in(reg) addr);
         }
         ret
     }
     unsafe fn write_entry(&self, addr: u64, entry: u64) {
+        let addr = self.phys_to_virt(addr);
         unsafe {
             asm!("mov qword ptr [{}], {}", in(reg) addr, in(reg) entry);
         }
@@ -90,7 +122,7 @@ pub unsafe fn map_region(phys_base: u64, virt_base: *mut u8, len: u64) {
     use hyperlight_common::vmem;
     unsafe {
         vmem::map(
-            &GuestMappingOperations {},
+            &GuestMappingOperations::new(),
             vmem::Mapping {
                 phys_base,
                 virt_base: virt_base as u64,

src/hyperlight_host/src/error.rs

@@ -32,7 +32,7 @@ use thiserror::Error;
 
 #[cfg(target_os = "windows")]
 use crate::hypervisor::wrappers::HandleWrapper;
-use crate::mem::memory_region::{MemoryRegion, MemoryRegionFlags};
+use crate::mem::memory_region::MemoryRegionFlags;
 use crate::mem::ptr::RawPtr;
 
 /// The error type for Hyperlight operations
@@ -150,7 +150,7 @@ pub enum HyperlightError {
 
     /// Memory region size mismatch
     #[error("Memory region size mismatch: host size {0:?}, guest size {1:?} region {2:?}")]
-    MemoryRegionSizeMismatch(usize, usize, MemoryRegion),
+    MemoryRegionSizeMismatch(usize, usize, String),
 
     /// The memory request exceeds the maximum size allowed
     #[error("Memory requested {0} exceeds maximum size allowed {1}")]

src/hyperlight_host/src/mem/exe.rs

@@ -64,6 +64,15 @@ pub(crate) struct LoadInfo {
     pub(crate) info: Arc<dyn UnwindInfo>,
 }
 
+impl LoadInfo {
+    pub(crate) fn dummy() -> Self {
+        LoadInfo {
+            #[cfg(feature = "mem_profile")]
+            info: Arc::new(DummyUnwindInfo {}),
+        }
+    }
+}
+
 impl ExeInfo {
     pub fn from_file(path: &str) -> Result<Self> {
         let mut file = File::open(path)?;