volt-vmm/docs/benchmark-volt-updated.md
Karl Clinger 40ed108dd5 Volt VMM (Neutron Stardust): source-available under AGPSL v5.0
KVM-based microVMM for the Volt platform:
- Sub-second VM boot times
- Minimal memory footprint
- Landlock LSM + seccomp security
- Virtio device support
- Custom kernel management

Copyright (c) Armored Gates LLC. All rights reserved.
Licensed under AGPSL v5.0
2026-03-21 01:04:35 -05:00


Volt VMM Benchmark Results (Updated)

- Date: 2026-03-08 (updated with security stack + volt-init)
- Version: Volt v0.1.0 (with CPUID + Seccomp-BPF + Capability dropping + Landlock + i8042 + volt-init)
- Host: Intel Xeon Silver 4210R @ 2.40GHz (2 sockets × 10 cores, 40 threads)
- Host Kernel: Linux 6.1.0-42-amd64 (Debian)
- Guest Kernel: Linux 4.14.174 (vmlinux ELF format, 21,441,304 bytes)


Summary

| Metric | Previous | Current | Change |
|---|---|---|---|
| Binary size | 3.10 MB | 3.45 MB | +354 KB (+11%) |
| Cold boot to userspace | N/A | 548 ms | New capability |
| Cold boot to kernel panic (median) | 1,723 ms | 1,338 ms | 385 ms (22%) |
| VMM init time (TRACE) | 88.9 ms | 85.0 ms | 3.9 ms (4%) |
| VMM init time (wall-clock median) | 110 ms | 91 ms | 19 ms (17%) |
| Memory overhead (128M guest) | 6.6 MB | 9.3 MB | +2.7 MB |
| Security layers | 1 (CPUID) | 4 | +3 layers |
| Security overhead | | <1 ms | Negligible |
| Init system | None | volt-init (509 KB) | New |

1. Binary & Component Sizes

| Component | Size | Format |
|---|---|---|
| volt-vmm VMM | 3,612,896 bytes (3.45 MB) | ELF 64-bit, dynamic, stripped |
| volt-init | 520,784 bytes (509 KB) | ELF 64-bit, static-pie musl, stripped |
| initramfs.cpio.gz | 265,912 bytes (260 KB) | gzipped cpio archive |
| Total deployable | ~3.71 MB | |

Dynamic dependencies (volt-vmm): libc, libm, libgcc_s


2. Cold Boot to Userspace (10 iterations)

Process start → "VOLT VM READY" banner displayed. 128M RAM, 1 vCPU, initramfs with volt-init.

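| Iteration | Time (ms) |
|---|---|
| 1 | 505 |
| 2 | 556 |
| 3 | 555 |
| 4 | 561 |
| 5 | 548 |
| 6 | 564 |
| 7 | 553 |
| 8 | 544 |
| 9 | 559 |
| 10 | 535 |

| Stat | Value |
|---|---|
| Minimum | 505 ms |
| Median | 548 ms |
| Maximum | 564 ms |
| Spread | 59 ms (10.8%) |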

Kernel internal uptime at shell prompt: ~320ms (from volt-init output).


3. Cold Boot to Kernel Panic (10 iterations)

Process start → "Rebooting in" message. No initramfs, no rootfs. 128M RAM, 1 vCPU.

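| Iteration | Time (ms) |
|---|---|
| 1 | 1,322 |
| 2 | 1,332 |
| 3 | 1,345 |
| 4 | 1,358 |
| 5 | 1,338 |
| 6 | 1,340 |
| 7 | 1,322 |
| 8 | 1,347 |
| 9 | 1,313 |
| 10 | 1,319 |

| Stat | Value |
|---|---|
| Minimum | 1,313 ms |
| Median | 1,338 ms |
| Maximum | 1,358 ms |
| Spread | 45 ms (3.4%) |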

Improvement: 385 ms (22%) from previous (1,723 ms). The i8042 device emulation eliminated the ~500ms keyboard controller probe timeout.


4. VMM Initialization Breakdown (TRACE-level)

| Δ from start (ms) | Duration (ms) | Phase |
|---|---|---|
| +0.000 | | Program start |
| +0.110 | 0.1 | KVM initialized |
| +35.444 | 35.3 | CPUID configured (46 entries) |
| +69.791 | 34.3 | Guest memory allocated (128 MB) |
| +69.805 | 0.0 | VM created |
| +69.812 | 0.0 | Devices initialized (serial + i8042) |
| +83.812 | 14.0 | Kernel loaded (21 MB ELF) |
| +84.145 | 0.3 | vCPU configured |
| +84.217 | 0.1 | Landlock sandbox applied |
| +84.476 | 0.3 | Capabilities dropped |
| +85.026 | 0.5 | Seccomp-BPF installed (72 syscalls, 365 BPF instructions) |
| +85.038 | | VM running |

| Phase | Duration (ms) | % |
|---|---|---|
| KVM init | 0.1 | 0.1% |
| CPUID configuration | 35.3 | 41.5% |
| Memory allocation | 34.3 | 40.4% |
| Kernel loading | 14.0 | 16.5% |
| Device + vCPU setup | 0.4 | 0.5% |
| Security hardening | 0.9 | 1.1% |
| Total | 85.0 | 100% |

Wall-clock VMM Init (5 iterations)

| Iteration | Time (ms) |
|---|---|
| 1 | 91 |
| 2 | 115 |
| 3 | 84 |
| 4 | 91 |
| 5 | 84 |

Median: 91 ms (previous: 110 ms, 17%)


5. Memory Overhead

RSS measured 2 seconds after VM boot:

| Guest Memory | RSS (KB) | VSZ (KB) | Overhead (KB) | Overhead (MB) |
|---|---|---|---|---|
| 128 MB | 140,388 | 2,910,232 | 9,316 | 9.3 |
| 256 MB | 269,500 | 3,041,304 | 7,356 | 7.2 |
| 512 MB | 535,540 | 3,303,452 | 11,252 | 11.0 |

Average VMM overhead: ~9.2 MB (slight increase from previous 6.6 MB due to security structures, i8042 device state, and initramfs buffering).


6. Security Stack

Layers

| Layer | Details |
|---|---|
| CPUID filtering | 46 entries; strips VMX, TSX, MPX, MONITOR, thermal, perf |
| Seccomp-BPF | 72 syscalls allowed, all others → KILL_PROCESS (365 BPF instructions) |
| Capability dropping | All 64 Linux capabilities cleared |
| Landlock | Filesystem sandboxed to kernel/initrd files + /dev/kvm |
| NO_NEW_PRIVS | Set via prctl (enforced by Landlock) |
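
Three of the layers above can be confirmed from outside the process by reading `/proc/<pid>/status`. The following is an added example, not part of the Volt code base or its benchmark suite: it audits the NoNewPrivs, Seccomp and capability fields of a status file. The sample input is constructed, and treating "all capabilities cleared" as all five capability sets being empty is an assumption. Landlock rules and CPUID filtering are not reported in this file and need separate checks.

```python
import sys

CAP_SETS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")

def sample(caps, nnp, mode, filters):
    """Build a constructed status excerpt (not captured from a real process)."""
    sets = "".join(f"{name}:\t{caps}\n" for name in CAP_SETS)
    return (f"Name:\tvolt-vmm\n{sets}NoNewPrivs:\t{nnp}\n"
            f"Seccomp:\t{mode}\nSeccomp_filters:\t{filters}\n")

HARDENED = sample("0000000000000000", 1, 2, 1)
UNHARDENED = sample("000001ffffffffff", 0, 0, 0)

def parse_status(text):
    """Parse the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def audit(text):
    """Return {check: bool}; a missing or malformed field counts as a failure."""
    f = parse_status(text)
    def check(name, base, ok):
        try:
            return ok(int(f[name], base))
        except (KeyError, ValueError):
            return False
    results = {
        "no_new_privs": check("NoNewPrivs", 10, lambda v: v == 1),
        # Seccomp: 2 means filter (BPF) mode; 0 is disabled, 1 is strict mode.
        "seccomp_filter_mode": check("Seccomp", 10, lambda v: v == 2),
        # Seccomp_filters is only present on Linux 5.9 and later.
        "seccomp_filter_attached": check("Seccomp_filters", 10, lambda v: v >= 1),
    }
    for name in CAP_SETS:  # capability sets are hex bitmasks
        results[name + "_empty"] = check(name, 16, lambda v: v == 0)
    return results

if __name__ == "__main__":
    # With a PID argument, audit the live process; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(f"/proc/{sys.argv[1]}/status") as fh:
            text = fh.read()
    else:
        text = HARDENED
    results = audit(text)
    for name, ok in results.items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
    sys.exit(0 if all(results.values()) else 1)
```

Run it with the VMM's PID after the "VM running" phase; a non-zero exit status means at least one of the checked layers is not in effect.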

Security Overhead

| Mode | VMM Init (median, ms) |
|---|---|
| All security ON | 90 |
| Security OFF (--no-seccomp --no-landlock) | 91 |
| Overhead | <1 ms |

Security is effectively free from a performance perspective.


7. Devices

| Device | I/O Address | IRQ | Notes |
|---|---|---|---|
| Serial (ttyS0) | 0x3f8 | IRQ 4 | 16550 UART with IRQ injection |
| i8042 | 0x60, 0x64 | IRQ 1/12 | Keyboard controller (responds to probes) |
| IOAPIC | 0xfec00000 | | Interrupt routing |
| Local APIC | 0xfee00000 | | Per-CPU interrupt controller |

The i8042 device is the key improvement — it responds to keyboard controller probes immediately, eliminating the ~500ms timeout that plagued the previous version and Firecracker's default configuration.


Generated by automated benchmark suite, 2026-03-08