fix: gate UFFD write-protection on x86_64 for ARM64 compatibility

tomassrnka · claude · tomassrnka · commit 136ef0e01f19 · 2026-03-12T11:14:09.000+01:00
Commit 8fc760f ("feat: enable write-protection on guest memory") added UFFD write-protection support unconditionally. ARM64 Linux kernels do not implement UFFD write protection — they lack UFFD_FEATURE_WP_ASYNC, UFFDIO_REGISTER_MODE_WP, the UFFDIO_WRITEPROTECT ioctl, and UFFDIO_COPY_MODE_WP. This causes snapshot restore to fail on ARM64 (Apple Silicon / AWS Graviton) with ioctl errors from the kernel. Gate the three write-protection code paths in guest_memory_from_uffd() behind #[cfg(target_arch = "x86_64")]: 1. UFFD features: request WP_ASYNC only on x86_64. On other architectures, request only EVENT_REMOVE | MISSING_HUGETLBFS. 2. Register mode: include WRITE_PROTECT in the register mode only on x86_64. On other architectures, register with MISSING only. 3. write_protect ioctl: gate the hugetlbfs write-protection call behind cfg(target_arch = "x86_64") so it is never emitted on ARM64. The core UFFD snapshot restore functionality (page fault handling via MISSING mode) works identically on both architectures and is unaffected. Also update scripts/build.sh to auto-detect the target architecture and select the correct Rust target triple (aarch64-unknown-linux-musl) so the build script works on ARM64 hosts. Tested: built for aarch64-unknown-linux-musl, deployed to ARM64 VM, verified sandbox creation via UFFD snapshot restore succeeds with no write-protection errors. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/scripts/build.sh b/scripts/build.sh
@@ -2,16 +2,32 @@
 
 set -euo pipefail
 
+# Determine target architecture
+ARCH="${ARCH:-$(uname -m)}"
+case "$ARCH" in
+    x86_64)
+        TARGET="x86_64-unknown-linux-musl"
+        ;;
+    aarch64|arm64)
+        TARGET="aarch64-unknown-linux-musl"
+        ;;
+    *)
+        echo "Unsupported architecture: $ARCH"
+        exit 1
+        ;;
+esac
+
 # The format will be: v<major>.<minor>.<patch>_<commit_hash> — e.g. v1.7.2_8bb88311
 # Extract full version from src/firecracker/swagger/firecracker.yaml
 FC_VERSION=$(awk '/^info:/{flag=1} flag && /^  version:/{print $2; exit}' src/firecracker/swagger/firecracker.yaml)
 commit_hash=$(git rev-parse --short=7 HEAD)
 version_name="v${FC_VERSION}_${commit_hash}"
 echo "Version name: $version_name"
+echo "Target: $TARGET"
 
 echo "Starting to build Firecracker version: $version_name"
 tools/devtool -y build --release
 
 mkdir -p "./build/fc/${version_name}"
-cp ./build/cargo_target/x86_64-unknown-linux-musl/release/firecracker "./build/fc/${version_name}/firecracker"
+cp "./build/cargo_target/${TARGET}/release/firecracker" "./build/fc/${version_name}/firecracker"
 echo "Finished building Firecracker version: $version_name and copied to ./build/fc/${version_name}/firecracker"
diff --git a/src/vmm/src/persist.rs b/src/vmm/src/persist.rs
@@ -492,9 +492,12 @@ fn guest_memory_from_uffd(
     // because the only place the kernel checks this is in a hook from madvise, e.g. it doesn't
     // actively change the behavior of UFFD, only passively. Without balloon devices
     // we never call madvise anyway, so no need to put this into a conditional.
-    uffd_builder.require_features(
-        FeatureFlags::EVENT_REMOVE | FeatureFlags::MISSING_HUGETLBFS | FeatureFlags::WP_ASYNC,
-    );
+    #[cfg(target_arch = "x86_64")]
+    let features =
+        FeatureFlags::EVENT_REMOVE | FeatureFlags::MISSING_HUGETLBFS | FeatureFlags::WP_ASYNC;
+    #[cfg(not(target_arch = "x86_64"))]
+    let features = FeatureFlags::EVENT_REMOVE | FeatureFlags::MISSING_HUGETLBFS;
+    uffd_builder.require_features(features);
 
     let uffd = uffd_builder
         .close_on_exec(true)
@@ -504,10 +507,14 @@ fn guest_memory_from_uffd(
         .map_err(GuestMemoryFromUffdError::Create)?;
 
     for mem_region in guest_memory.iter() {
+        #[cfg(target_arch = "x86_64")]
+        let mode = RegisterMode::MISSING | RegisterMode::WRITE_PROTECT;
+        #[cfg(not(target_arch = "x86_64"))]
+        let mode = RegisterMode::MISSING;
         uffd.register_with_mode(
             mem_region.as_ptr().cast(),
             mem_region.size() as _,
-            RegisterMode::MISSING | RegisterMode::WRITE_PROTECT,
+            mode,
         )
         .map_err(GuestMemoryFromUffdError::Register)?;
 
@@ -516,6 +523,7 @@ fn guest_memory_from_uffd(
         // won't have any effect, as the write-protection bit for a page will be
         // wiped when the first page fault occurs. These cases need to be handled
         // directly from the UFFD handler.
+        #[cfg(target_arch = "x86_64")]
         if huge_pages.is_hugetlbfs() {
             uffd.write_protect(mem_region.as_ptr().cast(), mem_region.size() as _)
                 .map_err(GuestMemoryFromUffdError::WriteProtect)?;
