refactor the shared/encrypted bitmaps to be partition-wide

Author: sluck-msft

openhcl/underhill_mem/src/init.rs

@@ -6,6 +6,7 @@
 use crate::HardwareIsolatedMemoryProtector;
 use crate::MemoryAcceptor;
 use crate::mapping::GuestMemoryMapping;
+use crate::mapping::GuestValidMemory;
 use anyhow::Context;
 use futures::future::try_join_all;
 use guestmem::GuestMemory;
@@ -207,12 +208,19 @@ pub async fn init(params: &Init<'_>) -> anyhow::Result<MemoryMappings> {
         // Do not register this mapping with the kernel. It will not be safe for
         // use with syscalls that expect virtual addresses to be in
         // kernel-registered RAM.
+
+        tracing::debug!("Building valid encrypted memory view");
+        let valid_encrypted_memory = Arc::new({
+            let _span = tracing::info_span!("create encrypted memory bitmap").entered();
+            GuestValidMemory::new(params.mem_layout, true)?
+        });
+
         tracing::debug!("Building VTL0 memory map");
         let vtl0_mapping = Arc::new({
             let _span = tracing::info_span!("map_vtl0_memory").entered();
             GuestMemoryMapping::builder(0)
                 .dma_base_address(None) // prohibit direct DMA attempts until TDISP is supported
-                .use_bitmap(Some(true))
+                .use_partition_valid_memory(Some(valid_encrypted_memory.clone()))
                 .build(&gpa_fd, params.mem_layout)
                 .context("failed to map vtl0 memory")?
         });
@@ -280,26 +288,33 @@ pub async fn init(params: &Init<'_>) -> anyhow::Result<MemoryMappings> {
         // confused about shared memory, and our current use of kernel-mode
         // guest memory access is limited to low-perf paths where we can use
         // bounce buffering.
+
         tracing::debug!("Building shared memory map");
+
+        let valid_shared_memory = Arc::new({
+            let _span = tracing::info_span!("create shared memory bitmap").entered();
+            GuestValidMemory::new(params.complete_memory_layout, false)?
+        });
+
+        // Update the shared mapping bitmap for pages used by the shared
+        // visibility pool to be marked as shared, since by default pages are
+        // marked as no-access in the bitmap.
+        tracing::debug!("Updating shared mapping bitmaps");
+        for range in params.shared_pool {
+            valid_shared_memory.update_valid(range.range, true);
+        }
+
         let shared_mapping = Arc::new({
             let _span = tracing::info_span!("map_shared_memory").entered();
             GuestMemoryMapping::builder(shared_offset)
                 .shared(true)
-                .use_bitmap(Some(false))
+                .use_partition_valid_memory(Some(valid_shared_memory.clone()))
                 .ignore_registration_failure(params.boot_init.is_none())
                 .dma_base_address(Some(dma_base_address))
                 .build(&gpa_fd, params.complete_memory_layout)
                 .context("failed to map shared memory")?
         });
 
-        // Update the shared mapping bitmap for pages used by the shared
-        // visibility pool to be marked as shared, since by default pages are
-        // marked as no-access in the bitmap.
-        tracing::debug!("Updating shared mapping bitmaps");
-        for range in params.shared_pool {
-            shared_mapping.update_bitmap(range.range, true);
-        }
-
         tracing::debug!("Creating VTL0 guest memory");
         let vtl0_gm = GuestMemory::new_multi_region(
             "vtl0",
@@ -308,6 +323,7 @@ pub async fn init(params: &Init<'_>) -> anyhow::Result<MemoryMappings> {
         )
         .context("failed to make vtl0 guest memory")?;
 
+        tracing::debug!("Creating VTL1 guest memory");
         let vtl1_gm = if params.maximum_vtl >= Vtl::Vtl1 {
             // TODO CVM GUEST VSM: This should not just use the vtl0_gm. This
             // could also be further tightened -- whether or not VTL 1 is
@@ -349,7 +365,8 @@ pub async fn init(params: &Init<'_>) -> anyhow::Result<MemoryMappings> {
         let private_vtl0_memory = GuestMemory::new("trusted", vtl0_mapping.clone());
 
         let protector = Arc::new(HardwareIsolatedMemoryProtector::new(
-            shared_mapping.clone(),
+            valid_encrypted_memory.clone(),
+            valid_shared_memory.clone(),
             vtl0_mapping.clone(),
             params.mem_layout.clone(),
             acceptor.as_ref().unwrap().clone(),

openhcl/underhill_mem/src/lib.rs

@@ -34,6 +34,7 @@ use hvdef::hypercall::AcceptMemoryType;
 use hvdef::hypercall::HostVisibilityType;
 use hvdef::hypercall::HvInputVtl;
 use mapping::GuestMemoryMapping;
+use mapping::GuestValidMemory;
 use memory_range::MemoryRange;
 use parking_lot::Mutex;
 use registrar::RegisterMemory;
@@ -382,7 +383,8 @@ struct HypercallOverlay {
 }
 
 struct HardwareIsolatedMemoryProtectorInner {
-    shared: Arc<GuestMemoryMapping>,
+    valid_encrypted: Arc<GuestValidMemory>,
+    valid_shared: Arc<GuestValidMemory>,
     encrypted: Arc<GuestMemoryMapping>,
     default_vtl_permissions: DefaultVtlPermissions,
     vtl1_protections_enabled: bool,
@@ -394,14 +396,16 @@ impl HardwareIsolatedMemoryProtector {
     /// `shared` provides the mapping for shared memory. `vtl0` provides the
     /// mapping for encrypted memory.
     pub fn new(
-        shared: Arc<GuestMemoryMapping>,
+        valid_encrypted: Arc<GuestValidMemory>,
+        valid_shared: Arc<GuestValidMemory>,
         encrypted: Arc<GuestMemoryMapping>,
         layout: MemoryLayout,
         acceptor: Arc<MemoryAcceptor>,
     ) -> Self {
         Self {
             inner: Mutex::new(HardwareIsolatedMemoryProtectorInner {
-                shared,
+                valid_encrypted,
+                valid_shared,
                 encrypted,
                 // Grant only VTL 0 all permissions. This will be altered
                 // later by VTL 1 enablement and by VTL 1 itself.
@@ -504,7 +508,7 @@ impl ProtectIsolatedMemory for HardwareIsolatedMemoryProtector {
         let gpns = gpns
             .iter()
             .copied()
-            .filter(|&gpn| inner.shared.check_bitmap(gpn) != shared)
+            .filter(|&gpn| inner.valid_shared.check_valid(gpn) != shared)
             .collect::<Vec<_>>();
 
         tracing::debug!(
@@ -524,12 +528,12 @@ impl ProtectIsolatedMemory for HardwareIsolatedMemoryProtector {
 
         // Prevent accesses via the wrong address.
         let clear_bitmap = if shared {
-            &inner.encrypted
+            &inner.valid_encrypted
         } else {
-            &inner.shared
+            &inner.valid_shared
         };
         for &range in &ranges {
-            clear_bitmap.update_bitmap(range, false);
+            clear_bitmap.update_valid(range, false);
         }
 
         // There may be other threads concurrently accessing these pages. We
@@ -605,7 +609,7 @@ impl ProtectIsolatedMemory for HardwareIsolatedMemoryProtector {
                         .expect("previous gpns was already checked");
 
                 for &range in &rollback_ranges {
-                    clear_bitmap.update_bitmap(range, true);
+                    clear_bitmap.update_valid(range, true);
                 }
 
                 // Figure out the index of the gpn that failed, in the
@@ -637,12 +641,12 @@ impl ProtectIsolatedMemory for HardwareIsolatedMemoryProtector {
 
         // Allow accesses via the correct address.
         let set_bitmap = if shared {
-            &inner.shared
+            &inner.valid_shared
         } else {
-            &inner.encrypted
+            &inner.valid_encrypted
         };
         for &range in &ranges {
-            set_bitmap.update_bitmap(range, true);
+            set_bitmap.update_valid(range, true);
         }
 
         if !shared {
@@ -695,7 +699,7 @@ impl ProtectIsolatedMemory for HardwareIsolatedMemoryProtector {
 
         // Set GPN sharing status in output.
         for (gpn, host_vis) in gpns.iter().zip(host_visibility.iter_mut()) {
-            *host_vis = if inner.shared.check_bitmap(*gpn) {
+            *host_vis = if inner.valid_shared.check_valid(*gpn) {
                 HostVisibilityType::SHARED
             } else {
                 HostVisibilityType::PRIVATE
@@ -739,7 +743,7 @@ impl ProtectIsolatedMemory for HardwareIsolatedMemoryProtector {
                 // find all accepted memory. When lazy acceptance exists,
                 // this should track all pages that have been accepted and
                 // should be used instead.
-                if !inner.encrypted.check_bitmap(gpn) {
+                if !inner.valid_encrypted.check_valid(gpn) {
                     if page_count > 0 {
                         let end_address = protect_start + (page_count * PAGE_SIZE as u64);
                         ranges.push(MemoryRange::new(protect_start..end_address));
@@ -793,7 +797,7 @@ impl ProtectIsolatedMemory for HardwareIsolatedMemoryProtector {
         let inner = self.inner.lock();
 
         // Protections cannot be applied to a host-visible page
-        if gpns.iter().any(|&gpn| inner.shared.check_bitmap(gpn)) {
+        if gpns.iter().any(|&gpn| inner.valid_shared.check_valid(gpn)) {
             return Err((HvError::OperationDenied, 0));
         }