Reduce default core isolation from "full" to "vm"

Full isolation has too much impact to be a default. Even on an almost
unloaded machine with a couple of VMs running it results in audio buffer
underruns due to the significant scheduling latency.

This change is fine because with vmsilo, the trust domain is the VM. There
isn't much reason to protect apps from other apps running in the same VM.
Better to run those apps in separate VMs in that case.
Davíð Steinn Geirsson 2026-03-18 10:59:30 +00:00
parent 26ce3c9683
commit b876265793
3 changed files with 8 additions and 3 deletions

@ -145,7 +145,7 @@ There are a lot of configuration options but you don't really need to touch most
| `nixosVms` | attrsOf VM config | `{}` | NixOS-based VMs to create (keys are VM names) |
| `enableBashIntegration` | bool | `true` | Enable bash completion for vm-* commands |
| `nvidiaWeakenSandbox` | bool | `false` | Use crosvm-nvidia package with relaxed W+X memory policy for nvidia GPU support |
| `schedulerIsolation` | `"full"`, `"vm"`, or `"off"` | `"full"` | Mitigate hyperthreading attacks using scheduler thread isolation. `"full"`: vCPU threads may not share a core with any other thread. `"vm"`: vCPU threads may share a core with other vCPUs from the same VM only. `"off"`: no mitigations. |
| `schedulerIsolation` | `"full"`, `"vm"`, or `"off"` | `"vm"` | Mitigate hyperthreading attacks using scheduler thread isolation. `"full"`: vCPU threads may not share a core with any other thread. `"vm"`: vCPU threads may share a core with other vCPUs from the same VM only. `"off"`: no mitigations. |
| `crosvm.logLevel` | string | `"info"` | Log level for crosvm (error, warn, info, debug, trace) |
| `crosvm.extraArgs` | list of strings | `[]` | Extra args passed to crosvm before "run" subcommand |
| `crosvm.extraRunArgs` | list of strings | `[]` | Extra args passed to crosvm after "run" subcommand |
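Review bot: the README row for `schedulerIsolation` only changes the default to `"vm"` and says nothing about why, while the option description in the module text adds "Has a significant performance cost and especially bad for realtime tasks like playing audio" for `"full"`. Keep the two in sync by adding the same caveat here, e.g. `"full"`: vCPU threads may not share a core with any other thread (significant performance cost)`, so a user reading only the README understands the trade-off they opt into when switching back to `"full"`.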

@ -46,6 +46,11 @@
enable = true;
user = "david";
# Set this to "full" to fully isolate each vCPU or "off" for no scheduling protection.
# The default is "vm", which protects VMs from each other but does not protect each different
# vCPUs of the same VM from each other. Note that "full" has a significant performance cost.
schedulerIsolation = "vm";
nixosVms = {
untrusted = {
color = "darkred";
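Review bot: the new comment reads "does not protect each different vCPUs of the same VM from each other", which is ungrammatical; suggest "does not protect the different vCPUs of the same VM from each other". Also, `schedulerIsolation = "vm";` now equals the module default, so the line is redundant as configuration; that is fine for an example file, but the comment could say so explicitly ("the default; shown here for clarity") so readers do not assume it must be set.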

@ -769,10 +769,10 @@ in
"vm"
"off"
];
default = "full";
default = "vm";
description = ''
Mitigate hyperthreading attacks using scheduler thread isolation.
- "full": vCPU threads may not share a core with any other thread (including other vCPUs of the same VM). Sets --core-scheduling=true.
- "full": vCPU threads may not share a core with any other thread (including other vCPUs of the same VM). Sets --core-scheduling=true. Has a significant performance cost and especially bad for realtime tasks like playing audio.
- "vm": vCPU threads may share a core with other vCPU threads from the same VM, but not threads from other VMs or the host. Sets --per-vm-core-scheduling.
- "off": No mitigations. Sets --core-scheduling=false.
'';
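Review bot: changing `default = "full"` to `default = "vm"` silently weakens isolation for any existing deployment that left the option unset: after upgrading, vCPU threads of one VM may share a core, which the previous default prevented. Since this is a security-relevant default change, suggest calling it out in the changelog or release notes, and consider emitting a module warning when the option is not explicitly set so operators who relied on the old behaviour can opt back into `"full"`. Minor: the new description line is missing a verb, "Has a significant performance cost and is especially bad for realtime tasks like playing audio".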