Explicitly error out on host-guest version mismatch #1252
ludfjig wants to merge 1 commit into hyperlight-dev:main
Signed-off-by: Ludvig Liljenberg <4257730+ludfjig@users.noreply.github.com>
dblnz left a comment
This looks good, but do we want to match against the patch version also?
I think it would be better to ensure that the guest's major/minor are the same, but the patch version is greater than or equal to the host's version.
I thought about this, and then decided to be as conservative as possible, because this would limit some things we can update in patch versions. Maybe this is a good start, and then we can consider later whether we should relax it?
Keeping it restrictive to start then relaxing later is a good option. It's harder to go the other way.
Pull request overview
This PR adds explicit version checking to prevent loading guest binaries built with incompatible hyperlight-guest-bin versions. When the host loads a guest binary, it now verifies that the embedded guest-bin version exactly matches the host version, addressing the lack of backwards compatibility guarantees mentioned in issue #845.
Changes:
- Embeds hyperlight-guest-bin version string in a custom ELF section (`.hyperlight_guest_bin_version`) in guest binaries
- Adds host-side logic to extract and validate the embedded version during guest binary loading
- Introduces a new `GuestBinVersionMismatch` error that clearly indicates version incompatibility
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/hyperlight_guest_bin/src/lib.rs | Embeds version string in custom ELF section using global_asm! |
| src/hyperlight_common/src/lib.rs | Defines macro and constant for ELF section name |
| src/hyperlight_host/src/mem/elf.rs | Adds read_section_as_string() to extract version from ELF and stores it in ElfInfo |
| src/hyperlight_host/src/mem/exe.rs | Exposes guest_bin_version() method and adds comprehensive tests for version checking |
| src/hyperlight_host/src/sandbox/snapshot.rs | Validates version match at snapshot creation time, rejecting mismatches |
| src/hyperlight_host/src/error.rs | Adds GuestBinVersionMismatch error variant with descriptive message |
| docs/how-to-build-a-hyperlight-guest-binary.md | Documents version compatibility requirements and how to resolve mismatches |
Hyperlight currently provides no backwards compatibility guarantees for guests. We should therefore error out explicitly if someone loads an old guest with a new host, as the ABI might no longer match.
This PR enforces that the hyperlight-host version must match the guest's hyperlight-guest-bin version.
Question: If the ELF section is not found, we still load it. This is good for running guests that don't use hyperlight-guest-bin. However, should we enforce that the section must exist? Does anyone run guests without depending on hyperlight-guest-bin? In addition, stripping the binary will remove the new ELF section, which is also something to consider.
Closes #845
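
The two policies discussed in this thread (the exact match this PR enforces, and the relaxed rule suggested in review: same major/minor, guest patch at least the host's), side by side as an added example that is not hyperlight's code. The `Verdict` and `Policy` types, the function names and the version numbers are constructed for illustration; `None` stands for a guest ELF with no `.hyperlight_guest_bin_version` section, which the PR description says is still loaded.

```rust
#[derive(Debug, PartialEq)]
enum Verdict { Load, LoadUnversioned, Reject }

#[derive(Clone, Copy)]
enum Policy { Exact, SameMinorPatchAtLeastHost }

// Parse "major.minor.patch"; anything else (pre-release tags included) is unparseable.
fn parse(v: &str) -> Option<(u64, u64, u64)> {
    let mut it = v.split('.').map(|p| p.parse::<u64>().ok());
    let t = (it.next()??, it.next()??, it.next()??);
    if it.next().is_none() { Some(t) } else { None }
}

// `guest` is the string read from the guest's version section, if the section exists.
fn check(guest: Option<&str>, host: &str, policy: Policy) -> Verdict {
    // Missing section (stripped binary, or a guest not built on hyperlight-guest-bin):
    // reported as its own verdict so a caller can log it or decide to refuse it.
    let Some(guest) = guest else { return Verdict::LoadUnversioned };
    // Assumption of this example: tolerate a trailing NUL in the section contents.
    let guest = guest.trim_end_matches('\0');
    let ok = match policy {
        Policy::Exact => guest == host,
        Policy::SameMinorPatchAtLeastHost => match (parse(guest), parse(host)) {
            (Some(g), Some(h)) => (g.0, g.1) == (h.0, h.1) && g.2 >= h.2,
            _ => false, // unparseable version: fail closed
        },
    };
    if ok { Verdict::Load } else { Verdict::Reject }
}

fn main() {
    let host = "0.9.1"; // constructed version numbers
    for guest in [Some("0.9.1"), Some("0.9.2"), Some("0.9.0"), Some("0.10.1"), None] {
        println!("guest {:?}: exact={:?} relaxed={:?}", guest,
            check(guest, host, Policy::Exact),
            check(guest, host, Policy::SameMinorPatchAtLeastHost));
    }
}
```

The only input on which the two policies disagree is a guest with the same major/minor and a newer patch version, which is exactly the case the thread debates.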