whp: support dynamically mapping/unmapping regions from the surrogate

This changes the representation of a memory region on Windows to
include a file mapping from which it is derived, allowing the WHP code
to dynamically map any files necessary into the surrogate.  This
removes the restriction that all mappings into a hyperlight VM on
Windows must come from a single file-backed host mapping.

Signed-off-by: Lucy Menon <168595099+syntactically@users.noreply.github.com>

Author: syntactically

src/hyperlight_host/src/hypervisor/crashdump.rs

@@ -86,11 +86,11 @@ impl GuestView {
         let regions = ctx
             .regions
             .iter()
-            .filter(|r| !r.host_region.is_empty())
+            .filter(|r| !r.guest_region.is_empty())
             .map(|r| VaRegion {
                 begin: r.guest_region.start as u64,
                 end: r.guest_region.end as u64,
-                offset: r.host_region.start as u64,
+                offset: <_ as Into<usize>>::into(r.host_region.start) as u64,
                 protection: VaProtection {
                     is_private: false,
                     read: r.flags.contains(MemoryRegionFlags::READ),
@@ -225,8 +225,8 @@ impl ReadProcessMemory for GuestMemReader {
                 let offset = base - r.guest_region.start;
                 let region_slice = unsafe {
                     std::slice::from_raw_parts(
-                        r.host_region.start as *const u8,
-                        r.host_region.len(),
+                        <_ as Into<usize>>::into(r.host_region.start) as *const u8,
+                        r.guest_region.len(),
                     )
                 };
 
@@ -463,9 +463,20 @@ mod test {
     #[test]
     fn test_crashdump_dummy_core_dump() {
         let dummy_vec = vec![0; 0x1000];
+        use crate::mem::memory_region::{HostGuestMemoryRegion, MemoryRegionKind};
+        #[cfg(target_os = "windows")]
+        let host_base = crate::mem::memory_region::HostRegionBase {
+            from_handle: windows::Win32::Foundation::INVALID_HANDLE_VALUE.into(),
+            handle_base: 0,
+            handle_size: -1isize as usize,
+            offset: dummy_vec.as_ptr() as usize,
+        };
+        #[cfg(not(target_os = "windows"))]
+        let host_base = dummy_vec.as_ptr() as usize;
+        let host_end = <HostGuestMemoryRegion as MemoryRegionKind>::add(host_base, dummy_vec.len());
         let regions = vec![MemoryRegion {
             guest_region: 0x1000..0x2000,
-            host_region: dummy_vec.as_ptr() as usize..dummy_vec.as_ptr() as usize + dummy_vec.len(),
+            host_region: host_base..host_end,
             flags: MemoryRegionFlags::READ | MemoryRegionFlags::WRITE,
             region_type: crate::mem::memory_region::MemoryRegionType::Code,
         }];

src/hyperlight_host/src/hypervisor/gdb/mod.rs

@@ -141,8 +141,9 @@ impl DebugMemoryAccess {
                     DebugMemoryAccessError::TranslateGuestAddress(mem_offset as u64)
                 })?;
 
+                let host_start_ptr = <_ as Into<usize>>::into(reg.host_region.start);
                 let bytes: &[u8] = unsafe {
-                    slice::from_raw_parts(reg.host_region.start as *const u8, reg.host_region.len())
+                    slice::from_raw_parts(host_start_ptr as *const u8, reg.guest_region.len())
                 };
                 data[..read_len].copy_from_slice(&bytes[region_offset..region_offset + read_len]);
 
@@ -211,11 +212,9 @@ impl DebugMemoryAccess {
                     DebugMemoryAccessError::TranslateGuestAddress(mem_offset as u64)
                 })?;
 
+                let host_start_ptr = <_ as Into<usize>>::into(reg.host_region.start);
                 let bytes: &mut [u8] = unsafe {
-                    slice::from_raw_parts_mut(
-                        reg.host_region.start as *mut u8,
-                        reg.host_region.len(),
-                    )
+                    slice::from_raw_parts_mut(host_start_ptr as *mut u8, reg.guest_region.len())
                 };
                 bytes[region_offset..region_offset + write_len].copy_from_slice(&data[..write_len]);
 

src/hyperlight_host/src/hypervisor/hyperlight_vm.rs

@@ -61,8 +61,6 @@ use crate::hypervisor::virtual_machine::{
     HypervisorType, MapMemoryError, RegisterError, RunVcpuError, UnmapMemoryError, VmError, VmExit,
     get_available_hypervisor,
 };
-#[cfg(target_os = "windows")]
-use crate::hypervisor::wrappers::HandleWrapper;
 use crate::hypervisor::{InterruptHandle, InterruptHandleImpl, get_max_log_level};
 use crate::mem::memory_region::{MemoryRegion, MemoryRegionFlags, MemoryRegionType};
 use crate::mem::mgr::SandboxMemoryManager;
@@ -325,8 +323,6 @@ impl HyperlightVm {
         entrypoint: u64,
         rsp: u64,
         #[cfg_attr(target_os = "windows", allow(unused_variables))] config: &SandboxConfiguration,
-        #[cfg(target_os = "windows")] handle: HandleWrapper,
-        #[cfg(target_os = "windows")] raw_size: usize,
         #[cfg(gdb)] gdb_conn: Option<DebugCommChannel<DebugResponse, DebugMsg>>,
         #[cfg(crashdump)] rt_cfg: SandboxRuntimeConfig,
         #[cfg(feature = "mem_profile")] trace_info: MemTraceInfo,
@@ -343,9 +339,7 @@ impl HyperlightVm {
             #[cfg(mshv3)]
             Some(HypervisorType::Mshv) => Box::new(MshvVm::new().map_err(VmError::CreateVm)?),
             #[cfg(target_os = "windows")]
-            Some(HypervisorType::Whp) => {
-                Box::new(WhpVm::new(handle, raw_size).map_err(VmError::CreateVm)?)
-            }
+            Some(HypervisorType::Whp) => Box::new(WhpVm::new().map_err(VmError::CreateVm)?),
             None => return Err(CreateHyperlightVmError::NoHypervisorFound),
         };
 
@@ -500,8 +494,10 @@ impl HyperlightVm {
         if [
             region.guest_region.start,
             region.guest_region.end,
-            region.host_region.start,
-            region.host_region.end,
+            #[allow(clippy::useless_conversion)]
+            region.host_region.start.into(),
+            #[allow(clippy::useless_conversion)]
+            region.host_region.end.into(),
         ]
         .iter()
         .any(|x| x % self.page_size != 0)

src/hyperlight_host/src/hypervisor/surrogate_process.rs

@@ -15,60 +15,162 @@ limitations under the License.
 */
 
 use core::ffi::c_void;
+use std::collections::HashMap;
+use std::collections::hash_map::Entry;
 
+use hyperlight_common::mem::PAGE_SIZE_USIZE;
 use tracing::{Span, instrument};
 use windows::Win32::Foundation::HANDLE;
 use windows::Win32::System::Memory::{
-    MEMORY_MAPPED_VIEW_ADDRESS, UNMAP_VIEW_OF_FILE_FLAGS, UnmapViewOfFile2,
+    MEMORY_MAPPED_VIEW_ADDRESS, MapViewOfFileNuma2, PAGE_NOACCESS, PAGE_PROTECTION_FLAGS,
+    PAGE_READWRITE, UNMAP_VIEW_OF_FILE_FLAGS, UnmapViewOfFile2, VirtualProtectEx,
 };
+use windows::Win32::System::SystemServices::NUMA_NO_PREFERRED_NODE;
 
 use super::surrogate_process_manager::get_surrogate_process_manager;
 use super::wrappers::HandleWrapper;
+use crate::HyperlightError::WindowsAPIError;
+use crate::{Result, log_then_return};
+
+#[derive(Debug)]
+pub(crate) struct HandleMapping {
+    pub(crate) use_count: u64,
+    pub(crate) surrogate_base: *mut c_void,
+}
 
 /// Contains details of a surrogate process to be used by a Sandbox for providing memory to a HyperV VM on Windows.
 /// See surrogate_process_manager for details on why this is needed.
 #[derive(Debug)]
 pub(super) struct SurrogateProcess {
-    /// The address of memory allocated in the surrogate process to be mapped to the VM.
-    /// This includes the first guard page
-    pub(crate) allocated_address: *mut c_void,
+    /// The various mappings between handles in the host and surrogate process
+    pub(crate) mappings: HashMap<usize, HandleMapping>,
     /// The handle to the surrogate process.
     pub(crate) process_handle: HandleWrapper,
 }
 
 impl SurrogateProcess {
     #[instrument(skip_all, parent = Span::current(), level= "Trace")]
-    pub(super) fn new(allocated_address: *mut c_void, process_handle: HANDLE) -> Self {
+    pub(super) fn new(process_handle: HANDLE) -> Self {
         Self {
-            allocated_address,
+            mappings: HashMap::new(),
             process_handle: HandleWrapper::from(process_handle),
         }
     }
+
+    pub(super) fn map(
+        &mut self,
+        handle: HandleWrapper,
+        host_base: usize,
+        host_size: usize,
+    ) -> Result<*mut c_void> {
+        match self.mappings.entry(host_base) {
+            Entry::Occupied(mut oe) => {
+                oe.get_mut().use_count += 1;
+                Ok(oe.get().surrogate_base)
+            }
+            Entry::Vacant(ve) => {
+                // Use MapViewOfFile2 to map memory into the surrogate process, the MapViewOfFile2 API is implemented in as an inline function in a windows header file
+                // (see https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-mapviewoffile2#remarks) so we use the same API it uses in the header file here instead of
+                // MapViewOfFile2 which does not exist in the rust crate (see https://github.com/microsoft/windows-rs/issues/2595)
+                let surrogate_base = unsafe {
+                    MapViewOfFileNuma2(
+                        handle.into(),
+                        self.process_handle.into(),
+                        0,
+                        None,
+                        host_size,
+                        0,
+                        PAGE_READWRITE.0,
+                        NUMA_NO_PREFERRED_NODE,
+                    )
+                };
+                let mut unused_out_old_prot_flags = PAGE_PROTECTION_FLAGS(0);
+
+                // the first page of the raw_size is the guard page
+                let first_guard_page_start = surrogate_base.Value;
+                if let Err(e) = unsafe {
+                    VirtualProtectEx(
+                        self.process_handle.into(),
+                        first_guard_page_start,
+                        PAGE_SIZE_USIZE,
+                        PAGE_NOACCESS,
+                        &mut unused_out_old_prot_flags,
+                    )
+                } {
+                    log_then_return!(WindowsAPIError(e.clone()));
+                }
+
+                // the last page of the raw_size is the guard page
+                let last_guard_page_start =
+                    unsafe { first_guard_page_start.add(host_size - PAGE_SIZE_USIZE) };
+                if let Err(e) = unsafe {
+                    VirtualProtectEx(
+                        self.process_handle.into(),
+                        last_guard_page_start,
+                        PAGE_SIZE_USIZE,
+                        PAGE_NOACCESS,
+                        &mut unused_out_old_prot_flags,
+                    )
+                } {
+                    log_then_return!(WindowsAPIError(e.clone()));
+                }
+                ve.insert(HandleMapping {
+                    use_count: 1,
+                    surrogate_base: surrogate_base.Value,
+                });
+                Ok(surrogate_base.Value)
+            }
+        }
+    }
+
+    pub(super) fn unmap(&mut self, host_base: usize) {
+        match self.mappings.entry(host_base) {
+            Entry::Occupied(mut oe) => {
+                oe.get_mut().use_count -= 1;
+                if oe.get().use_count == 0 {
+                    let entry = oe.remove();
+                    self.unmap_helper(entry.surrogate_base);
+                }
+            }
+            Entry::Vacant(_) => {
+                #[cfg(debug_assertions)]
+                panic!("Attempted to unmap from surrogate a region that was never mapped")
+            }
+        }
+    }
+
+    fn unmap_helper(&self, surrogate_base: *mut c_void) {
+        let memory_mapped_view_address = MEMORY_MAPPED_VIEW_ADDRESS {
+            Value: surrogate_base,
+        };
+        let flags = UNMAP_VIEW_OF_FILE_FLAGS(0);
+        if let Err(e) = unsafe {
+            UnmapViewOfFile2(
+                self.process_handle.into(),
+                memory_mapped_view_address,
+                flags,
+            )
+        } {
+            tracing::error!(
+                "Failed to free surrogate process resources (UnmapViewOfFile2 failed): {:?}",
+                e
+            );
+        }
+    }
 }
 
 impl Default for SurrogateProcess {
     #[instrument(skip_all, parent = Span::current(), level= "Trace")]
     fn default() -> Self {
-        let allocated_address = std::ptr::null_mut();
-        Self::new(allocated_address, Default::default())
+        Self::new(Default::default())
     }
 }
 
 impl Drop for SurrogateProcess {
     #[instrument(skip_all, parent = Span::current(), level= "Trace")]
     fn drop(&mut self) {
-        let process_handle: HANDLE = self.process_handle.into();
-        let memory_mapped_view_address = MEMORY_MAPPED_VIEW_ADDRESS {
-            Value: self.allocated_address,
-        };
-        let flags = UNMAP_VIEW_OF_FILE_FLAGS(0);
-        if let Err(e) =
-            unsafe { UnmapViewOfFile2(process_handle, memory_mapped_view_address, flags) }
-        {
-            tracing::error!(
-                "Failed to free surrogate process resources (UnmapViewOfFile2 failed): {:?}",
-                e
-            );
+        for mapping in self.mappings.values() {
+            self.unmap_helper(mapping.surrogate_base);
         }
 
         // we need to do this take so we can take ownership