allow creation of snapshots of secret hidden VMs

roypat · roypat · commit 816a07320dea · 2025-04-25T14:19:26.000+01:00
To take snapshots of secret hidden VMs, we need to bounce guest memory
through a userspace buffer. Reuse the `Bounce` wrapper type that is
already in use for loading the guest kernel / initrd.

Signed-off-by: Patrick Roy &lt;roypat@amazon.co.uk&gt;
diff --git a/src/vmm/src/resources.rs b/src/vmm/src/resources.rs
@@ -525,8 +525,7 @@ impl VmResources {
         // because that would require running a backend process. If in the future we converge to
         // a single way of backing guest memory for vhost-user and non-vhost-user cases,
         // that would not be worth the effort.
-        let regions =
-            crate::arch::arch_memory_regions(0, self.memory_size()).into_iter();
+        let regions = crate::arch::arch_memory_regions(0, self.memory_size()).into_iter();
         match guest_memfd {
             Some(file) => memory::file_shared(
                 file,
@@ -536,8 +535,11 @@ impl VmResources {
             ),
             None => {
                 if self.vhost_user_devices_used() {
-                    let memfd = create_memfd(self.memory_size() as u64, self.machine_config.huge_pages.into())?
-                        .into_file();
+                    let memfd = create_memfd(
+                        self.memory_size() as u64,
+                        self.machine_config.huge_pages.into(),
+                    )?
+                    .into_file();
                     memory::file_shared(
                         memfd,
                         regions,
diff --git a/src/vmm/src/vstate/vm.rs b/src/vmm/src/vstate/vm.rs
@@ -8,11 +8,14 @@
 use std::collections::HashMap;
 use std::fs::{File, OpenOptions};
 use std::io::Write;
-use std::os::fd::{AsRawFd, FromRawFd};
+use std::os::fd::{AsFd, AsRawFd, FromRawFd};
 use std::path::Path;
 use std::sync::Arc;
 
-use kvm_bindings::{KVM_MEM_LOG_DIRTY_PAGES, kvm_create_guest_memfd, kvm_userspace_memory_region, kvm_userspace_memory_region2, KVM_MEM_GUEST_MEMFD};
+use kvm_bindings::{
+    KVM_MEM_GUEST_MEMFD, KVM_MEM_LOG_DIRTY_PAGES, kvm_create_guest_memfd,
+    kvm_userspace_memory_region, kvm_userspace_memory_region2,
+};
 use kvm_ioctls::{Cap, VmFd};
 use vmm_sys_util::eventfd::EventFd;
 
@@ -23,7 +26,8 @@ use crate::persist::CreateSnapshotError;
 use crate::utils::u64_to_usize;
 use crate::vmm_config::snapshot::SnapshotType;
 use crate::vstate::memory::{
-    Address, GuestMemory, GuestMemoryExtension, GuestMemoryMmap, GuestMemoryRegion, GuestRegionMmap,
+    Address, GuestMemory, GuestMemoryExtension, GuestMemoryMmap, GuestMemoryRegion,
+    GuestRegionMmap, MaybeBounce,
 };
 use crate::vstate::vcpu::VcpuError;
 use crate::{DirtyBitmap, Vcpu, mem_size_mib};
@@ -350,7 +354,12 @@ impl Vm {
                 self.guest_memory().dump_dirty(&mut file, &dirty_bitmap)?;
             }
             SnapshotType::Full => {
-                self.guest_memory().dump(&mut file)?;
+                let secret_hidden = self
+                    .guest_memory()
+                    .iter()
+                    .any(|r| r.file_offset().is_some());  // FIXME
+                self.guest_memory()
+                    .dump(&mut MaybeBounce::new(file.as_fd(), secret_hidden))?;
                 self.reset_dirty_bitmap();
                 self.guest_memory().reset_dirty();
             }
