Parse attributes in extended VTL0 APIs by femiatl · Pull Request #653 · microsoft/litebox

femiatl · 2026-02-09T19:49:51Z

VTL0 sends data to the secure kernel during and after initial boot. Use the new attributes parameter to extend load_kdata, allowing it to process data after boot and use the improved format for sending data from VTL0. Small, simple data buffers like certificates can be sent efficiently with the same APIs used for larger aggregated data like module info.

The new data format is leveraged to reduce the size of the kernel string table passed from ~10MB (all of rodata) to ~250KB.

The validate_module and validate_kexec APIs are extended to use the new attributes.

sangho2 · 2026-02-10T17:45:15Z

@femiatl Could you please resolve the conflicts such that CI can work on this PR.

VTL0 sends data to the secure kernel during and after initial boot. Use the new attributes parameter to extend load_kdata, allowing it to process data after boot and use the improved format for sending data from VTL0. Small, simple data buffers like certificates can be sent efficiently with the same APIs used for larger aggregated data like module info. The new data format is leveraged to reduce the size of the kernel string table passed from ~10MB (all of rodata) to ~250KB. The validate_module and validate_kexec APIs are extended to use the new attributes.

github-actions · 2026-02-11T02:56:04Z

🤖 SemverChecks 🤖 ⚠️ Potential breaking API changes detected ⚠️

Click for details

--- failure function_parameter_count_changed: pub fn parameter count changed ---

Description:
A publicly-visible function now takes a different number of parameters.
        ref: https://doc.rust-lang.org/cargo/reference/semver.html#fn-change-arity
       impl: https://github.com/obi1kenobi/cargo-semver-checks/tree/v0.46.0/src/lints/function_parameter_count_changed.ron

Failed in:
  litebox_platform_lvbs::mshv::vsm::mshv_vsm_protect_memory now takes 3 parameters instead of 2, in /home/runner/work/litebox/litebox/litebox_platform_lvbs/src/mshv/vsm.rs:259
  litebox_platform_lvbs::mshv::vsm::mshv_vsm_load_kdata now takes 3 parameters instead of 2, in /home/runner/work/litebox/litebox/litebox_platform_lvbs/src/mshv/vsm.rs:336

--- failure inherent_method_missing: pub method removed or renamed ---

Description:
A publicly-visible method or associated fn is no longer available under its prior name. It may have been renamed or removed entirely.
        ref: https://doc.rust-lang.org/cargo/reference/semver.html#item-remove
       impl: https://github.com/obi1kenobi/cargo-semver-checks/tree/v0.46.0/src/lints/inherent_method_missing.ron

Failed in:
  Symbol::from_bytes, previously in file /home/runner/work/litebox/litebox/target/semver-checks/git-main/67aa94c6a750cd2791fe9edab62e6b29b9624493/litebox_platform_lvbs/src/mshv/vsm.rs:1778

--- failure method_parameter_count_changed: pub method parameter count changed ---

Description:
A publicly-visible method now takes a different number of parameters, not counting the receiver (self) parameter.
        ref: https://doc.rust-lang.org/cargo/reference/semver.html#fn-change-arity
       impl: https://github.com/obi1kenobi/cargo-semver-checks/tree/v0.46.0/src/lints/method_parameter_count_changed.ron

Failed in:
  litebox_platform_lvbs::mshv::vsm::SymbolTable::build_from_container now takes 2 parameters instead of 4, in /home/runner/work/litebox/litebox/litebox_platform_lvbs/src/mshv/vsm.rs:1844

sangho2 · 2026-02-13T15:18:49Z

It seems that this change is based on new ABI to simplify data transfer. Good idea! As @tgopinath-microsoft noted in #652, this cannot be merged yet.

One overall feedback or requested change: This PR needs some detailed comments to explain new ABI and data structures. Also, some functions are with old comments (e.g., these functions no longer get nranges), and some other functions are without any comments.

sangho2 · 2026-02-13T16:10:02Z

litebox_platform_lvbs/src/mshv/heki_data.rs

+    pub pa: u64,
+    pub epa: u64,
+    data_type: u16,
+    pub attr: u16,


Is this MemAttr? a bit misleading because we do have HekiDataAttr above.

sangho2 · 2026-02-13T16:13:13Z

litebox_platform_lvbs/src/mshv/heki_data.rs

+// modular_bitfield generates warning. There is an updated crate
+// with fix, but we are locked to current version.


We could try to use the updated one.

sangho2 · 2026-02-13T16:18:47Z

litebox_platform_lvbs/src/mshv/heki_data.rs

+}
+
+/// `HekiDataRange` is a generic container for various types of memory ranges.
+/// It has a context-specific `attributes`


Seems this "context-specific attributes" is no longer valid. data_type is now context-specific and attr is just MemAttr.

sangho2 · 2026-02-13T16:21:14Z

litebox_platform_lvbs/src/mshv/heki_data.rs

+    const MAX_RANGE_COUNT: usize =
+        (Self::SIZE - size_of::<HekiDataHdr>()) / size_of::<HekiDataRange>();
+
+    pub fn from_bytes(bytes: &[u8]) -> Result<&Self, VsmError> {


try_from_bytes would be better.

sangho2 · 2026-02-13T16:24:05Z

litebox_platform_lvbs/src/mshv/heki_data.rs

+        Ok(data_page)
+    }
+
+    pub fn kdata_type(&self) -> HekiKdataType {


Both HekiDataHdr and HekiDataRange have data_type. Do they serve different purposes?

sangho2 · 2026-02-13T16:29:56Z

litebox_platform_lvbs/src/mshv/vsm.rs

@@ -254,12 +256,14 @@ pub fn mshv_vsm_end_of_boot() -> i64 {

 /// VSM function for protecting certain memory ranges (e.g., kernel text, data, heap).
 /// `pa` and `nranges` specify a memory area containing the information about the memory ranges to protect.


nranges is no longer used.

sangho2 · 2026-02-13T16:31:38Z

litebox_platform_lvbs/src/mshv/vsm.rs

 /// `pa` and `nranges` specify a memory area containing the information about the memory ranges to protect.
-pub fn mshv_vsm_protect_memory(pa: u64, nranges: u64) -> Result<i64, VsmError> {
+pub fn mshv_vsm_protect_memory(pa: u64, va: u64, attr: u64) -> Result<i64, VsmError> {
+    if attr == 0 {


Fine for now, but breaking ABI change like this should be gracefully handled in the future.

Agreed. Let me update the PR with some doc for breaking API as well

sangho2 · 2026-02-13T16:36:37Z

litebox_platform_lvbs/src/mshv/heki_data.rs

+        HekiKdataType::try_from(self.hdr.data_type).unwrap_or(HekiKdataType::Unknown)
+    }
+
+    pub fn next(&self) -> Option<(u64, u64, usize)> {


better to rename this function because next() looks like this is for iterator, but it isn't.

sangho2 · 2026-02-13T16:39:09Z

litebox_platform_lvbs/src/mshv/vsm.rs

-                mem_attr,
-            )?;
        }
+        let Some(next_data_page_addr) = data_page.next() else {


next_data_page_addr is misleading because this is a tuple.

sangho2 · 2026-02-13T16:47:18Z

litebox_platform_lvbs/src/mshv/vsm.rs

-        }
-    }
+    let attr = HekiDataAttr::from_bytes(attr.to_le_bytes());
+    let data_type = attr.dtype_or_err().unwrap_or(HekiKdataType::Unknown);


If this is unknown data, better to return an error here.

sangho2 · 2026-02-13T17:01:33Z

It seems that unlike the current copy_heki_pages_from_vtl0, this new PR tries to fetch heki pages on demand. If my understanding is correct, this new design is a bit more vulnerable to TOCTTOU than before because we are doing multiple fetches (classical double fetch vulnerabilities).

femiatl requested review from athvu, karissanchez, sangho2 and tgopinath-microsoft February 9, 2026 19:49

femiatl self-assigned this Feb 9, 2026

femiatl force-pushed the femia/lvbs/pagewalk branch 2 times, most recently from 5d880ea to 54e3a52 Compare February 11, 2026 02:45

femiatl force-pushed the femia/lvbs/pagewalk branch from 54e3a52 to d4626b2 Compare February 11, 2026 02:49

sangho2 reviewed Feb 13, 2026

View reviewed changes

		// modular_bitfield generates warning. There is an updated crate
		// with fix, but we are locked to current version.

		@@ -254,12 +256,14 @@ pub fn mshv_vsm_end_of_boot() -> i64 {

		/// VSM function for protecting certain memory ranges (e.g., kernel text, data, heap).
		/// `pa` and `nranges` specify a memory area containing the information about the memory ranges to protect.

Conversation

femiatl commented Feb 9, 2026

Uh oh!

sangho2 commented Feb 10, 2026

Uh oh!

github-actions bot commented Feb 11, 2026

Uh oh!

sangho2 commented Feb 13, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

sangho2 Feb 13, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

sangho2 commented Feb 13, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

sangho2 commented Feb 13, 2026 •

edited

Loading

sangho2 Feb 13, 2026 •

edited

Loading