Merge branch 'main' into vmm-parallel

Author: Manciukic

CHANGELOG.md

@@ -50,6 +50,27 @@ and this project adheres to
   balloon statistics descriptor length to prevent a guest-controlled oversized
   descriptor from temporarily stalling the VMM event loop. Only affects microVMs
   with `stats_polling_interval_s > 0`.
+- [#5809](https://github.com/firecracker-microvm/firecracker/pull/5809): Fixed a
+  bug on host Linux >= 5.16 for x86_64 guests using the `kvm-clock` clock source
+  causing the monotonic clock to jump on restore by the wall-clock time elapsed
+  since the snapshot was taken. Users using `kvm-clock` that want to explicitly
+  advance the clock with `KVM_CLOCK_REALTIME` can opt back in using the new
+  `clock_realtime` flag in `LoadSnapshot` API.
+- [#5738](https://github.com/firecracker-microvm/firecracker/pull/5738): Fixed
+  x86_64 snapshot serialization to cover the full KVM custom MSR range
+  (0x4b564d00-0x4b564dff) instead of a small subset. Previously, some KVM MSRs
+  such as MSR_KVM_ASYNC_PF_INT and MSR_KVM_ASYNC_PF_ACK were missing from
+  snapshots, which could cause issues on restore.
+- [#5818](https://github.com/firecracker-microvm/firecracker/pull/5818): Enforce
+  the virtio device initialization sequence in the PCI transport, matching the
+  existing MMIO transport behavior. The PCI transport now validates device
+  status transitions, rejects queue configuration writes outside the FEATURES_OK
+  to DRIVER_OK window, rejects feature negotiation outside the DRIVER state,
+  blocks re-initialization after a failed reset, and sets DEVICE_NEEDS_RESET
+  when device activation fails.
+- [#5818](https://github.com/firecracker-microvm/firecracker/pull/5818): Reject
+  device status writes that clear previously set bits in the MMIO transport,
+  except for reset.
 
 ## [1.15.0]
 

docs/RELEASE_POLICY.md

@@ -90,8 +90,8 @@ v3.1 will be patched since were the last two Firecracker releases and less than
 
 | Release | Release Date | Latest Patch | Min. end of support | Official end of Support         |
 | ------: | -----------: | -----------: | ------------------: | :------------------------------ |
-|   v1.15 |   2026-03-09 |      v1.15.0 |          2026-09-09 | Supported                       |
-|   v1.14 |   2025-12-17 |      v1.14.3 |          2026-06-17 | Supported                       |
+|   v1.15 |   2026-03-09 |      v1.15.1 |          2026-09-09 | Supported                       |
+|   v1.14 |   2025-12-17 |      v1.14.4 |          2026-06-17 | Supported                       |
 |   v1.13 |   2025-08-28 |      v1.13.2 |          2026-02-28 | 2026-03-09 (v1.15 released)     |
 |   v1.12 |   2025-05-07 |      v1.12.1 |          2025-11-07 | 2025-12-17 (v1.14 released)     |
 |   v1.11 |   2025-03-18 |      v1.11.0 |          2025-09-18 | 2025-09-18 (end of 6mo support) |

docs/design.md

@@ -118,7 +118,11 @@ and/or creating their own custom CPU templates.
 
 #### Clocksources available to guests
 
-Firecracker only exposes kvm-clock to customers.
+Firecracker exposes the following clock sources to guests:
+
+- x86_64: kvm-clock and tsc. Linux guests >=5.10 will pick tsc by default if
+  stable.
+- aarch64: arch_sys_counter
 
 ### I/O: Storage, Networking and Rate Limiting
 

docs/jailer.md

@@ -263,6 +263,15 @@ Note: default value for `<api-sock>` is `/run/firecracker.socket`.
 
 ### Observations
 
+- All inputs to the jailer are considered trusted, including the paths provided
+  via `--exec-file`, `--chroot-base-dir`, and `--netns`, as well as any
+  resources placed inside the jail root directory. Cgroup mount points are
+  discovered from `/proc/mounts` and are managed by the kernel, so they are
+  inherently trusted. The operator invoking the jailer is part of the trusted
+  computing base. It is the operator's responsibility to ensure that these paths
+  and their parent directories have appropriate ownership and permissions (e.g.,
+  root-owned, not world-writable) to prevent unauthorized modification by other
+  local users.
 - The user must create hard links for (or copy) any resources which will be
   provided to the VM via the API (disk images, kernel images, named pipes, etc)
   inside the jailed root folder. Also, permissions must be properly managed for

docs/prod-host-setup.md

@@ -96,6 +96,11 @@ namespace isolation and drops privileges of the Firecracker process.
 
 To set up the jailer correctly, you'll need to:
 
+- Ensure that all paths provided to the jailer (`--exec-file`,
+  `--chroot-base-dir`, `--netns`) and their parent directories are not writable
+  by unprivileged users. The jailer treats all its inputs as trusted; it is the
+  operator's responsibility to ensure that these paths cannot be tampered with
+  by other local users.
 - Create a dedicated non-privileged POSIX user and group to run Firecracker
   under. Use the created POSIX user and group IDs in Jailer's `--uid <uid>` and
   `--gid <gid>` flags, respectively. This will run the Firecracker as the

docs/snapshotting/snapshot-support.md

@@ -493,6 +493,11 @@ resumed with the guest OS wall-clock continuing from the moment of the snapshot
 creation. For this reason, the wall-clock should be updated to the current time,
 on the guest-side. More details on how you could do this can be found at a
 [related FAQ](../../FAQ.md#my-guest-wall-clock-is-drifting-how-can-i-fix-it).
+When using `kvm-clock` as clock source on `x86_64`, it's possible to optionally
+set the `clock_realtime: true` in the `LoadSnapshot` request to advance the
+clock on the guest at restore time (host Linux >= 5.16 is required to support
+this feature). Note that this may cause issues within the guest as the clock
+will appear to suddenly jump.
 
 ## Provisioning host disk space for snapshots
 

src/firecracker/src/api_server/request/snapshot.rs

@@ -111,6 +111,7 @@ fn parse_put_snapshot_load(body: &Body) -> Result<ParsedRequest, RequestError> {
         resume_vm: snapshot_config.resume_vm,
         network_overrides: snapshot_config.network_overrides,
         vsock_override: snapshot_config.vsock_override,
+        clock_realtime: snapshot_config.clock_realtime,
     };
 
     // Construct the `ParsedRequest` object.
@@ -189,6 +190,7 @@ mod tests {
             resume_vm: false,
             network_overrides: vec![],
             vsock_override: None,
+            clock_realtime: false,
         };
         let mut parsed_request = parse_put_snapshot(&Body::new(body), Some("load")).unwrap();
         assert!(
@@ -220,6 +222,7 @@ mod tests {
             resume_vm: false,
             network_overrides: vec![],
             vsock_override: None,
+            clock_realtime: false,
         };
         let mut parsed_request = parse_put_snapshot(&Body::new(body), Some("load")).unwrap();
         assert!(
@@ -251,6 +254,7 @@ mod tests {
             resume_vm: true,
             network_overrides: vec![],
             vsock_override: None,
+            clock_realtime: false,
         };
         let mut parsed_request = parse_put_snapshot(&Body::new(body), Some("load")).unwrap();
         assert!(
@@ -291,6 +295,7 @@ mod tests {
                 host_dev_name: String::from("vmtap2"),
             }],
             vsock_override: None,
+            clock_realtime: false,
         };
         let mut parsed_request = parse_put_snapshot(&Body::new(body), Some("load")).unwrap();
         assert!(
@@ -319,6 +324,7 @@ mod tests {
             resume_vm: true,
             network_overrides: vec![],
             vsock_override: None,
+            clock_realtime: false,
         };
         let parsed_request = parse_put_snapshot(&Body::new(body), Some("load")).unwrap();
         assert_eq!(

src/firecracker/swagger/firecracker.yaml

@@ -1602,7 +1602,7 @@ definitions:
         type: string
         description:
           The new path for the backing Unix Domain Socket.
-          
+
   SnapshotLoadParams:
     type: object
     description:
@@ -1650,6 +1650,14 @@ definitions:
           for restoring a snapshot with a different socket path than the one used
           when the snapshot was created. For example, when the original socket path
           is no longer available or when deploying to a different environment.
+      clock_realtime:
+        type: boolean
+        description:
+          "[x86_64 only] When set to true, passes KVM_CLOCK_REALTIME to
+          KVM_SET_CLOCK on restore, advancing kvmclock by the wall-clock time
+          elapsed since the snapshot was taken. When false (default), kvmclock resumes
+          from where it was at snapshot time. This option may be extended to other clock
+          sources and CPU architectures in the future."
 
 
   TokenBucket:

src/jailer/src/env.rs

@@ -519,8 +519,11 @@ impl Env {
 
     fn join_netns(path: &str) -> Result<(), JailerError> {
         // The fd backing the file will be automatically dropped at the end of the scope
-        let netns =
-            File::open(path).map_err(|err| JailerError::FileOpen(PathBuf::from(path), err))?;
+        let netns = OpenOptions::new()
+            .read(true)
+            .custom_flags(libc::O_NOFOLLOW)
+            .open(path)
+            .map_err(|err| JailerError::FileOpen(PathBuf::from(path), err))?;
 
         // SAFETY: Safe because we are passing valid parameters.
         SyscallReturnCode(unsafe { libc::setns(netns.as_raw_fd(), libc::CLONE_NEWNET) })

src/jailer/src/main.rs

@@ -3,6 +3,9 @@
 
 use std::ffi::{CString, NulError, OsString};
 use std::fmt::{Debug, Display};
+use std::fs::OpenOptions;
+use std::io::Read;
+use std::os::unix::fs::OpenOptionsExt;
 use std::path::{Path, PathBuf};
 use std::{env as p_env, fs, io};
 
@@ -240,12 +243,25 @@ where
     T: AsRef<Path> + Debug,
     V: Display + Debug,
 {
-    fs::write(file_path, format!("{}\n", value))
+    let mut file = OpenOptions::new()
+        .write(true)
+        .create(true)
+        .truncate(true)
+        .custom_flags(libc::O_NOFOLLOW)
+        .open(file_path.as_ref())
+        .map_err(|err| JailerError::Write(PathBuf::from(file_path.as_ref()), err))?;
+    io::Write::write_all(&mut file, format!("{}\n", value).as_bytes())
         .map_err(|err| JailerError::Write(PathBuf::from(file_path.as_ref()), err))
 }
 
 pub fn readln_special<T: AsRef<Path> + Debug>(file_path: &T) -> Result<String, JailerError> {
-    let mut line = fs::read_to_string(file_path)
+    let mut file = OpenOptions::new()
+        .read(true)
+        .custom_flags(libc::O_NOFOLLOW)
+        .open(file_path.as_ref())
+        .map_err(|err| JailerError::ReadToString(PathBuf::from(file_path.as_ref()), err))?;
+    let mut line = String::new();
+    file.read_to_string(&mut line)
         .map_err(|err| JailerError::ReadToString(PathBuf::from(file_path.as_ref()), err))?;
 
     // Remove the newline character at the end (if any).