[Snaps] #snapsafe support via VMGenID on ACPI #2476

@raduweiss (Contributor)

Feature Tracker

This is a feature tracking issue for the work to enable Firecracker users to safely and efficiently use snapshots [1] by adding a VMGenID counter as a back-end to SysGenID [2].

Describe the desired solution

We are starting by researching how to implement VMGenID via ACPI but without adding PCI support to Firecracker.

Describe possible alternatives

We will look at other options if VMGenID via ACPI is not feasible for some reason.

If we don't implement this, Linux guests can still drive SysGenID from user space, though this may not work for all use cases, and induces latency upon snapshot restore.

Additional context

See [1] and [2].

Checks

  • Have you searched the Firecracker Issues database for similar requests?
  • Have you read all the existing relevant Firecracker documentation?
  • Have you read and understood Firecracker's core tenets?

[1] https://github.com/firecracker-microvm/firecracker/blob/master/docs/snapshotting/snapshot-support.md#snapshot-security-and-uniqueness
[2] https://www.spinics.net/lists/kernel/msg3842154.html; https://www.spinics.net/lists/kernel/msg3842155.html; https://www.spinics.net/lists/kernel/msg3842157.html

Activity

changed the title [-][Feature] #snapsafe support via VMGenID on ACPI[/-] [+][Snapshotting] #snapsafe support via VMGenID on ACPI[/+] on Mar 4, 2021
changed the title [-][Snapshotting] #snapsafe support via VMGenID on ACPI[/-] [+][Snaps] #snapsafe support via VMGenID on ACPI[/+] on Mar 4, 2021
bchalios (Contributor) commented on Mar 21, 2023

After long discussions, we are focusing on supporting #snapsafety through an extension on the virtio-rng device [1] which will allow the VMM to report snapshot-related events to guests.

We have an RFC patch in flight for supporting this in the Linux kernel [2], which is currently under discussion with the community, and a PoC [3] that implements this in Firecracker.

[1] https://www.mail-archive.com/virtio-dev@lists.oasis-open.org/msg09016.html
[2] https://lore.kernel.org/lkml/20230131145543.86369-1-bchalios@amazon.es/
[3] https://github.com/bchalios/firecracker/tree/feat_snapsafety

JonathanWoollett-Light (Contributor) commented on Dec 11, 2023

We are still working on it, re-opening to indicate this.

moved this from Researching to We're Working On It in Firecracker Roadmap on Dec 13, 2023
zulinx86 (Contributor) commented on Mar 11, 2024

ACPI support may solve issue #1601.

moved this from We're Working On It to Coming Soon in Firecracker Roadmap on Apr 15, 2024
moved this from Coming Soon to We're Working On It in Firecracker Roadmap on Apr 15, 2024
bchalios (Contributor) commented on May 13, 2024

PRs #4428 and #4487 added support for ACPI and VMGenID, respectively, on x86 platforms. Once we add support for kernel 6.1, Firecracker will officially support VMGenID on x86 platforms.

For Aarch64 systems, we went a different way. Since we already use Device Tree to boot Firecracker microVMs, we sent out a patch set to Linux: https://lore.kernel.org/lkml/20240419224020.780377-1-Jason@zx2c4.com/ that adds device tree bindings for the VMGenID device and extends the driver so that it can probe the device via them. This should land in Linux kernel 6.10.

moved this from We're Working On It to Coming Soon in Firecracker Roadmap on May 20, 2024
moved this from Coming Soon to We're Working On It in Firecracker Roadmap on May 20, 2024
moved this from We're Working On It to Coming Soon in Firecracker Roadmap on May 20, 2024
moved this from Coming Soon to Developer Preview in Firecracker Roadmap on Jul 10, 2024
bchalios (Contributor) commented on Apr 23, 2025

I will resolve this, since we have added support for VMGenID both for x86_64 and Aarch64. We will continue monitoring Linux and userspace projects for any new features that augment snapshot safety related functionality and add support for those in Firecracker as they appear.

moved this from Developer Preview to Shipped in Firecracker Roadmap on Apr 23, 2025