[Feature Request] Core Scheduling

[sargun]

Feature Request

It would be valuable to have core scheduling for Firecracker, to avoid, and potentially eliminate side channel attacks.

Describe the desired solution

To add core scheduling to firecracker, and have it run the ioctl to set a new cookie for the vCPU processes.

Describe possible alternatives

One can avoid using core scheduling by disabling SMT. Unfortunately, this means everything else on the system loses capacity, and if you're running VMs with more than 1 core, you can't take advantage of SMT.

Checks

• Have you searched the Firecracker Issues database for similar requests?
• Have you read all the existing relevant Firecracker documentation?
• Have you read and understood Firecracker's core tenets?

[kalyazin]

Hi @sargun . Thanks for contacting us!
We investigated running Firecracker using Core Scheduling on a host with SMT enabled. Our results show that the performance gains/degradations are very workload-dependent, and not sufficient in magnitude to justify the risk of introducing a wide class of security issues currently excluded by disabling SMT. We may investigate the use of SMT and Core Scheduling further in the future, but for now we will not merge a PR implementing Core Scheduling because of the fundamental shift in the security posture it would introduce in Firecracker.

[xmarcalx]

Hi @sargun ,

sorry for the late reply.
Actually i was interesting in some more details behind this request.
Do you want to be able to enable SMT in the system to benefit your trusted processes in the host but still running microVMs as per today basically with core scheduling?
Do you have some numbers on performance benefits you observed?