Merge branch 'main' into update-windows-crates

Author: simongdavies

docs/glossary.md

@@ -22,7 +22,7 @@ This is an application that consumes the Hyperlight library, in order to execute
 
 ## Host
 
-Host is the machine on which the [host application](#host-application) is are running. A host could be a bare metal or virtual machine, when the host is a virtual machine, the nested virtualization is required to run Hyperlight.
+Host is the machine on which the [host application](#host-application) is running. A host could be a bare metal or virtual machine, when the host is a virtual machine, the nested virtualization is required to run Hyperlight.
 
 ## Hypervisor
 
@@ -46,7 +46,7 @@ MSHV stands for Microsoft Hypervisor and is the name commonly used for Hyper-V w
 
 ## Guest
 
-A guest is a standalone executable binary that is executed inside a hypervisor [micro virtual machine](#micro-virtual-machine). By having purpose-fit guests binaries, as opposed to running a full operating system, is how Hyperlight achieves low-latency startup times of workloads, since it doesn't need to first boot an entire operating system before executing the workload.
+A guest is a standalone executable binary that is executed inside a hypervisor [micro virtual machine](#micro-virtual-machine). By having purpose-fit guests binaries, as opposed to running a full operating system, Hyperlight achieves low-latency startup times of workloads, since it doesn't need to first boot an entire operating system before executing the workload.
 
 The interface that a guest must implement is specific to the associated [host](#host) and the type of workloads that it may be specialized for executing, such as WebAssembly Modules (Wasm), or a specific language.
 

docs/security.md

@@ -4,11 +4,11 @@ A primary goal of Hyperlight is to safely execute untrusted or unsafe code.
 
 ## Threat Model
 
-Hyperlight assumes that guest binaries are untrusted, and are running arbitrary, potentially malicious code. Despite this, the host should never be compromised. This documents outlines some of the steps Hyperlight takes to uphold this strong security guarantee.
+Hyperlight assumes that guest binaries are untrusted, and are running arbitrary, potentially malicious code. Despite this, the host should never be compromised. This document outlines some of the steps Hyperlight takes to uphold this strong security guarantee.
 
 ### Hypervisor Isolation
 
-Hyperlight runs all guest code inside a Virtual Machine, Each VM only has access to a very specific, small (by default) pre-allocated memory buffer in the host's process, no dynamic memory allocations are allowed. As a result, any attempt by the guest to read or write to memory anywhere outside of that particular buffer is caught by the hypervisor. Similarly, the guest VM does not have any access to devices since non are provided by the hyperlight host library, therefore there is no file, network, etc. access available to guest code.
+Hyperlight runs all guest code inside a Virtual Machine, Each VM only has access to a very specific, small (by default) pre-allocated memory buffer in the host's process, no dynamic memory allocations are allowed. As a result, any attempt by the guest to read or write to memory anywhere outside of that particular buffer is caught by the hypervisor. Similarly, the guest VM does not have any access to devices since none are provided by the hyperlight host library, therefore there is no file, network, etc. access available to guest code.
 
 ### Host-Guest Communication (Serialization and Deserialization)
 

src/hyperlight_host/Cargo.toml

@@ -42,7 +42,7 @@ hyperlight-common = { workspace = true, default-features = true }
 vmm-sys-util = "0.12.1"
 crossbeam = "0.8.0"
 crossbeam-channel = "0.5.14"
-thiserror = "2.0.10"
+thiserror = "2.0.11"
 prometheus = "0.13.3"
 strum = { version = "0.26", features = ["derive"] }
 tempfile = { version = "3.15", optional = true }
@@ -96,7 +96,7 @@ opentelemetry = "0.27.0"
 opentelemetry-otlp = { version = "0.27.0", features = ["default"] }
 opentelemetry-semantic-conventions = "0.27.0"
 opentelemetry_sdk = { version = "0.27.0", features = ["rt-tokio"] }
-tokio = { version = "1.42.0", features = ["full"] }
+tokio = { version = "1.43.0", features = ["full"] }
 criterion = "0.5.1"
 tracing-chrome = "0.7.2"
 

src/hyperlight_host/examples/chrome-tracing/main.rs

@@ -36,9 +36,6 @@ fn main() -> Result<()> {
     let usandbox =
         UninitializedSandbox::new(GuestBinary::FilePath(simple_guest_path), None, None, None)?;
 
-    // NOTE: if replacing MultiUseSandbox with SingleUseSandbox, the function call will take ~50x longer because the drop
-    // happens inside `call_guest_function_by_name` rather than at the end of of this `main` block.
-
     let mut sbox = usandbox
         .evolve(Noop::<UninitializedSandbox, MultiUseSandbox>::default())
         .unwrap();

src/hyperlight_host/scripts/apply-kvm-perf-mitigation.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+set -Eeuo pipefail  
+kernel_version=$(uname -r)
+if [[ "$kernel_version" == 6.* ]]; then
+  if [[ $(cat /sys/devices/system/cpu/vulnerabilities/itlb_multihit) == "Not affected" ]]; then
+    KVM_VENDOR_MOD=$(lsmod |grep -P "^kvm_(amd|intel)" | awk '{print $1}')
+    sudo modprobe -r $KVM_VENDOR_MOD kvm
+    sudo modprobe kvm nx_huge_pages=never
+    sudo modprobe $KVM_VENDOR_MOD
+  fi
+  if [ -f /sys/fs/cgroup/cgroup.controllers ]; then
+    sudo mount -o remount,favordynmods /sys/fs/cgroup
+  fi
+fi

src/hyperlight_host/src/func/call_ctx.rs

@@ -20,7 +20,7 @@ use hyperlight_common::flatbuffer_wrappers::function_types::{
 use tracing::{instrument, Span};
 
 use super::guest_dispatch::call_function_on_guest;
-use crate::{MultiUseSandbox, Result, SingleUseSandbox};
+use crate::{MultiUseSandbox, Result};
 /// A context for calling guest functions.
 ///
 /// Takes ownership of an existing `MultiUseSandbox`.
@@ -99,100 +99,6 @@ impl MultiUseGuestCallContext {
     }
 }
 
-/// A context for calling guest functions. Can only be created from an existing
-/// `SingleUseSandbox`, and once created, guest functions against that sandbox
-/// can be made from this until it is dropped.
-#[derive(Debug)]
-pub struct SingleUseGuestCallContext {
-    sbox: SingleUseSandbox,
-}
-
-impl SingleUseGuestCallContext {
-    /// Take ownership  of a `SingleUseSandbox` and
-    /// return a new `SingleUseGuestCallContext` instance.
-    ///     
-    #[instrument(skip_all, parent = Span::current())]
-    pub(crate) fn start(sbox: SingleUseSandbox) -> Self {
-        Self { sbox }
-    }
-
-    /// Call the guest function called `func_name` with the given arguments
-    /// `args`, and expect the return value have the same type as
-    /// `func_ret_type`.
-    ///
-    /// Once the call is complete, the 'SingleUseSandbox' will no longer be useable and a new one will need to be created.
-    ///
-    /// Rather than call this method directly, consider using the `call_guest_function_by_name` method on the `SingleUseSandbox`
-
-    #[instrument(err(Debug),skip(self, args),parent = Span::current())]
-    pub(crate) fn call(
-        mut self,
-        func_name: &str,
-        func_ret_type: ReturnType,
-        args: Option<Vec<ParameterValue>>,
-    ) -> Result<ReturnValue> {
-        self.call_internal(func_name, func_ret_type, args)
-    }
-
-    // Internal call function that takes a mutable reference to self
-    // This function allows a SingleUseMultiGuestCallContext to be used to make multiple calls to guest functions
-    // before it is no longer usable.
-    #[instrument(skip_all, parent = Span::current())]
-    fn call_internal(
-        &mut self,
-        func_name: &str,
-        func_ret_type: ReturnType,
-        args: Option<Vec<ParameterValue>>,
-    ) -> Result<ReturnValue> {
-        // We are guaranteed to be holding a lock now, since `self` can't
-        // exist without doing so. since GuestCallContext is effectively
-        // !Send (and !Sync), we also don't need to worry about
-        // synchronization
-
-        call_function_on_guest(&mut self.sbox, func_name, func_ret_type, args)
-    }
-
-    /// This function allows for a `SingleUseSandbox` to be used to make multiple calls to guest functions before it is dropped.
-    ///
-    /// The function is passed a callback function that it then callsd with a reference to a 'SingleUseMultiGuestCallContext'
-    /// that can be used to make multiple calls to guest functions.
-    ///
-    pub fn call_from_func<
-        Fn: FnOnce(&mut SingleUseMultiGuestCallContext) -> Result<ReturnValue>,
-    >(
-        self,
-        f: Fn,
-    ) -> Result<ReturnValue> {
-        let mut ctx = SingleUseMultiGuestCallContext::new(self);
-        f(&mut ctx)
-    }
-}
-
-/// A context for making multiple calls to guest functions in a SingleUseSandbox. Can only be created
-/// from an existing SingleUseGuestCallContext using the `call_using_closure` method.
-/// Once created, calls to guest functions may be made through this context until it is dropped.
-/// Once dropped the underlying `SingleUseGuestCallContext` and associated `SingleUseSandbox` will be dropped
-pub struct SingleUseMultiGuestCallContext {
-    call_context: SingleUseGuestCallContext,
-}
-
-impl SingleUseMultiGuestCallContext {
-    fn new(call_context: SingleUseGuestCallContext) -> Self {
-        Self { call_context }
-    }
-
-    /// Call the guest function called `func_name` with the given arguments
-    pub fn call(
-        &mut self,
-        func_name: &str,
-        func_ret_type: ReturnType,
-        args: Option<Vec<ParameterValue>>,
-    ) -> Result<ReturnValue> {
-        self.call_context
-            .call_internal(func_name, func_ret_type, args)
-    }
-}
-
 #[cfg(test)]
 mod tests {
     use std::sync::mpsc::sync_channel;
@@ -203,13 +109,9 @@ mod tests {
     };
     use hyperlight_testing::simple_guest_as_string;
 
-    use crate::func::call_ctx::SingleUseMultiGuestCallContext;
     use crate::sandbox_state::sandbox::EvolvableSandbox;
     use crate::sandbox_state::transition::Noop;
-    use crate::{
-        GuestBinary, HyperlightError, MultiUseSandbox, Result, SingleUseSandbox,
-        UninitializedSandbox,
-    };
+    use crate::{GuestBinary, HyperlightError, MultiUseSandbox, Result, UninitializedSandbox};
 
     fn new_uninit() -> Result<UninitializedSandbox> {
         let path = simple_guest_as_string().map_err(|e| {
@@ -218,68 +120,6 @@ mod tests {
         UninitializedSandbox::new(GuestBinary::FilePath(path), None, None, None)
     }
 
-    /// Test to create a `SingleUseSandbox`, then call several guest
-    /// functions sequentially.
-    #[test]
-    fn singleusesandbox_single_call() {
-        let calls = [
-            (
-                "StackAllocate",
-                ReturnType::Int,
-                Some(vec![ParameterValue::Int(1)]),
-                ReturnValue::Int(1),
-            ),
-            (
-                "CallMalloc",
-                ReturnType::Int,
-                Some(vec![ParameterValue::Int(200)]),
-                ReturnValue::Int(200),
-            ),
-        ];
-
-        for call in calls.iter() {
-            let sbox: SingleUseSandbox = new_uninit().unwrap().evolve(Noop::default()).unwrap();
-            let ctx = sbox.new_call_context();
-            let res = ctx.call(call.0, call.1, call.2.clone()).unwrap();
-            assert_eq!(call.3, res);
-        }
-    }
-
-    #[test]
-    fn singleusesandbox_multi_call() {
-        let calls = [
-            (
-                "StackAllocate",
-                ReturnType::Int,
-                Some(vec![ParameterValue::Int(1)]),
-                ReturnValue::Int(1),
-            ),
-            (
-                "CallMalloc",
-                ReturnType::Int,
-                Some(vec![ParameterValue::Int(200)]),
-                ReturnValue::Int(200),
-            ),
-        ];
-
-        let sbox: SingleUseSandbox = new_uninit().unwrap().evolve(Noop::default()).unwrap();
-        let ctx = sbox.new_call_context();
-
-        let callback_closure = |ctx: &mut SingleUseMultiGuestCallContext| {
-            let mut res: ReturnValue = ReturnValue::Int(0);
-            for call in calls.iter() {
-                res = ctx
-                    .call(call.0, call.1, call.2.clone())
-                    .expect("failed to call guest function");
-                assert_eq!(call.3, res);
-            }
-            Ok(res)
-        };
-
-        let res = ctx.call_from_func(callback_closure).unwrap();
-        assert_eq!(calls.last().unwrap().3, res);
-    }
-
     /// Test to create a `MultiUseSandbox`, then call several guest functions
     /// on it across different threads.
     ///

src/hyperlight_host/src/func/guest_dispatch.rs

@@ -111,15 +111,13 @@ mod tests {
     use hyperlight_testing::{callback_guest_as_string, simple_guest_as_string};
 
     use super::*;
-    use crate::func::call_ctx::{MultiUseGuestCallContext, SingleUseGuestCallContext};
+    use crate::func::call_ctx::MultiUseGuestCallContext;
     use crate::func::host_functions::HostFunction0;
     use crate::sandbox::is_hypervisor_present;
     use crate::sandbox::uninitialized::GuestBinary;
     use crate::sandbox_state::sandbox::EvolvableSandbox;
     use crate::sandbox_state::transition::Noop;
-    use crate::{
-        new_error, HyperlightError, MultiUseSandbox, Result, SingleUseSandbox, UninitializedSandbox,
-    };
+    use crate::{new_error, HyperlightError, MultiUseSandbox, Result, UninitializedSandbox};
 
     // simple function
     fn test_function0(_: MultiUseGuestCallContext) -> Result<i32> {
@@ -129,7 +127,7 @@ mod tests {
     struct GuestStruct;
 
     // function that return type unsupported by the host
-    fn test_function1(_: SingleUseGuestCallContext) -> Result<GuestStruct> {
+    fn test_function1(_: MultiUseGuestCallContext) -> Result<GuestStruct> {
         Ok(GuestStruct)
     }
 
@@ -246,7 +244,7 @@ mod tests {
         // test_function1
         {
             let usbox = uninitialized_sandbox();
-            let sandbox: SingleUseSandbox = usbox
+            let sandbox: MultiUseSandbox = usbox
                 .evolve(Noop::default())
                 .expect("Failed to initialize sandbox");
             let result = test_function1(sandbox.new_call_context());

src/hyperlight_host/src/lib.rs

@@ -101,9 +101,6 @@ pub use sandbox::uninitialized::GuestBinary;
 pub use sandbox::MultiUseSandbox;
 /// The re-export for the `SandboxRunOptions` type
 pub use sandbox::SandboxRunOptions;
-/// A sandbox that can be used at most once to call a guest function, and
-/// then must be discarded.
-pub use sandbox::SingleUseSandbox;
 /// The re-export for the `UninitializedSandbox` type
 pub use sandbox::UninitializedSandbox;