feat: ARM64 runtime guards for SMT, UFFD WP, and seccomp

- client.go: disable SMT on ARM64 (no hyperthreading, Firecracker
  rejects SMT=true on ARM)
- script_builder.go: disable seccomp on ARM64 (upstream FC aarch64
  filter missing userfaultfd syscall)
- userfaultfd.go: skip UFFD write-protection flag on ARM64 (kernel
  doesn't support it; KVM dirty log used instead for diff tracking)
- machineinfo: ARM64 fallback for CPU Family/Model when gopsutil
  doesn't populate them
- smoketest: use runtime.GOARCH instead of hardcoded amd64

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: 2 people

packages/orchestrator/cmd/smoketest/smoke_test.go

@@ -8,6 +8,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"runtime"
 	"testing"
 	"time"
 
@@ -282,7 +283,7 @@ func findOrBuildEnvd(t *testing.T) string {
 
 	cmd := exec.CommandContext(t.Context(), "go", "build", "-o", binPath, ".") //nolint:gosec // trusted input
 	cmd.Dir = envdDir
-	cmd.Env = append(os.Environ(), "CGO_ENABLED=0", "GOOS=linux", "GOARCH=amd64")
+	cmd.Env = append(os.Environ(), "CGO_ENABLED=0", "GOOS=linux", "GOARCH="+runtime.GOARCH)
 	out, err := cmd.CombinedOutput()
 	if err != nil {
 		t.Skipf("failed to build envd: %v\n%s", err, out)

packages/orchestrator/pkg/sandbox/fc/client.go

@@ -3,6 +3,7 @@ package fc
 import (
 	"context"
 	"fmt"
+	"runtime"
 
 	"github.com/bits-and-blooms/bitset"
 	"github.com/firecracker-microvm/firecracker-go-sdk"
@@ -326,7 +327,15 @@ func (c *apiClient) setMachineConfig(
 	memoryMB int64,
 	hugePages bool,
 ) error {
-	smt := true
+	// SMT (Simultaneous Multi-Threading / Hyper-Threading) must be disabled on
+	// ARM64 because ARM processors use a different core topology (big.LITTLE,
+	// efficiency/performance cores) rather than hardware threads per core.
+	// Firecracker validates this against the host CPU and rejects SMT=true on ARM.
+	// See: https://github.com/firecracker-microvm/firecracker/blob/main/docs/cpu_templates/cpu-features.md
+	// We use runtime.GOARCH (not TARGET_ARCH) because the orchestrator binary
+	// always runs on the same architecture as Firecracker.
+	const archARM64 = "arm64"
+	smt := runtime.GOARCH != archARM64
 	trackDirtyPages := false
 	machineConfig := &models.MachineConfiguration{
 		VcpuCount:       &vCPUCount,

packages/orchestrator/pkg/sandbox/fc/script_builder.go

@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"fmt"
 	"path/filepath"
+	"runtime"
 	txtTemplate "text/template"
 
 	"github.com/e2b-dev/infra/packages/orchestrator/pkg/cfg"
@@ -25,6 +26,8 @@ type startScriptArgs struct {
 	NamespaceID       string
 	FirecrackerPath   string
 	FirecrackerSocket string
+	ExtraArgs         string
+	StracePfx         string
 }
 
 // StartScriptResult contains the generated script and computed paths
@@ -47,7 +50,7 @@ ln -s {{ .HostRootfsPath }} {{ .DeprecatedSandboxRootfsDir }}/{{ .SandboxRootfsF
 mount -t tmpfs tmpfs {{ .SandboxDir }}/{{ .SandboxKernelDir }} -o X-mount.mkdir &&
 ln -s {{ .HostKernelPath }} {{ .SandboxDir }}/{{ .SandboxKernelDir }}/{{ .SandboxKernelFile }} &&
 
-ip netns exec {{ .NamespaceID }} {{ .FirecrackerPath }} --api-sock {{ .FirecrackerSocket }}`
+ip netns exec {{ .NamespaceID }} {{ .StracePfx }}{{ .FirecrackerPath }} --api-sock {{ .FirecrackerSocket }}{{ .ExtraArgs }}`
 
 const startScriptV2 = `mount --make-rprivate / &&
 mount -t tmpfs tmpfs {{ .SandboxDir }} -o X-mount.mkdir &&
@@ -57,7 +60,7 @@ ln -s {{ .HostRootfsPath }} {{ .SandboxDir }}/{{ .SandboxRootfsFile }} &&
 mkdir -p {{ .SandboxDir }}/{{ .SandboxKernelDir }} &&
 ln -s {{ .HostKernelPath }} {{ .SandboxDir }}/{{ .SandboxKernelDir }}/{{ .SandboxKernelFile }} &&
 
-ip netns exec {{ .NamespaceID }} {{ .FirecrackerPath }} --api-sock {{ .FirecrackerSocket }}`
+ip netns exec {{ .NamespaceID }} {{ .StracePfx }}{{ .FirecrackerPath }} --api-sock {{ .FirecrackerSocket }}{{ .ExtraArgs }}`
 
 // StartScriptBuilder handles the creation and execution of firecracker start scripts
 type StartScriptBuilder struct {
@@ -85,6 +88,15 @@ func (sb *StartScriptBuilder) buildArgs(
 	rootfsPaths RootfsPaths,
 	namespaceID string,
 ) startScriptArgs {
+	// On ARM64, disable seccomp to allow userfaultfd syscall for snapshot restore.
+	// The upstream Firecracker seccomp filter for aarch64 does not include the
+	// userfaultfd syscall (nr 282), causing snapshot loading to fail with
+	// "Failed to UFFD object: System error".
+	var extraArgs, stracePfx string
+	if runtime.GOARCH == "arm64" {
+		extraArgs = " --no-seccomp"
+	}
+
 	return startScriptArgs{
 		// General
 		SandboxDir: sb.builderConfig.SandboxDir,
@@ -103,6 +115,8 @@ func (sb *StartScriptBuilder) buildArgs(
 		NamespaceID:       namespaceID,
 		FirecrackerPath:   versions.FirecrackerPath(sb.builderConfig),
 		FirecrackerSocket: files.SandboxFirecrackerSocketPath(),
+		ExtraArgs:         extraArgs,
+		StracePfx:         stracePfx,
 	}
 }
 

packages/orchestrator/pkg/sandbox/uffd/userfaultfd/userfaultfd.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"runtime"
 	"sync"
 	"syscall"
 	"unsafe"
@@ -351,7 +352,8 @@ func (u *Userfaultfd) faultPage(
 	// Performing copy() on UFFD clears the WP bit unless we explicitly tell
 	// it not to. We do that for faults caused by a read access. Write accesses
 	// would anyways cause clear the write-protection bit.
-	if accessType != block.Write {
+	// ARM64 kernels do not support UFFD write protection, so skip the WP flag.
+	if accessType != block.Write && runtime.GOARCH != "arm64" {
 		copyMode |= UFFDIO_COPY_MODE_WP
 	}
 

packages/orchestrator/pkg/service/machineinfo/main.go

@@ -22,13 +22,27 @@ func Detect() (MachineInfo, error) {
 	}
 
 	if len(info) > 0 {
-		if info[0].Family == "" || info[0].Model == "" {
+		family := info[0].Family
+		model := info[0].Model
+
+		// On ARM64, gopsutil doesn't populate Family/Model from /proc/cpuinfo.
+		// Provide fallback values so callers don't get an error.
+		if runtime.GOARCH == "arm64" {
+			if family == "" {
+				family = "arm64"
+			}
+			if model == "" {
+				model = "0"
+			}
+		}
+
+		if family == "" || model == "" {
 			return MachineInfo{}, fmt.Errorf("unable to detect CPU platform from CPU info: %+v", info[0])
 		}
 
 		return MachineInfo{
-			Family:    info[0].Family,
-			Model:     info[0].Model,
+			Family:    family,
+			Model:     model,
 			ModelName: info[0].ModelName,
 			Flags:     info[0].Flags,
 			Arch:      runtime.GOARCH,