chore: migrate from bincode to bitcode

Reason: the bincode crate is no longer maintained [1].

Notable changes made during the migration:
 - Firecracker versions using bitcode can no longer parse snapshots
   produced by Firecracker versions using bincode and vice versa.
   Note that Firecracker does not support snapshot compatibility across
   its versions anyway.
 - RSS overhead has increased and exceeded 5 MB limit in certain tests.
   The memory monitor's threshold has been updated to 6 MB.
 - Since, unlike bincode, bitcode does not support
   with_fixed_int_encoding mode, the snapshot CRC field is now written
   as plain bytes to guarantee that its length is not going to change
   due to potential future changes in the serialisation logic.
 - Added a new argument to the seccompiler-bin to produce per-thread
   filter files to facilitate testing.  Previously, the
   test_validate_filter was parsing the bincode-encoded filters itself.
   With individual per-thread filter files this is no longer required.

[1] https://rustsec.org/advisories/RUSTSEC-2025-0141

Signed-off-by: Nikita Kalyazin <kalyazin@amazon.com>

Author: kalyazin

Cargo.lock

@@ -4,14 +4,14 @@
 
 Seccompiler-bin is a tool that compiles seccomp filters expressed as JSON files
 into serialized, binary BPF code that is directly consumed by Firecracker, at
-build or launch time.
+build or launch time. The binary filters are serialized using bitcode format.
 
 Seccompiler-bin uses a custom [JSON file structure](#json-file-format), detailed
 further below, that the filters must adhere to.
 
 Besides the seccompiler-bin executable, seccompiler also exports a library
 interface, with helper functions for deserializing and installing the binary
-filters.
+filters. The library uses bitcode format for serialization and deserialization.
 
 ## Usage
 
@@ -31,13 +31,30 @@ Example usage:
                                     # [default: "seccomp_binary_filter.out"]
     --basic # Optional, creates basic filters, discarding any parameter checks.
             # (Deprecated).
+    --split-output # Optional, creates individual BPF files for each thread
+                   # in addition to the main bitcode output file (for testing).
 ```
 
 ### Seccompiler library
 
 To view the library documentation, navigate to the seccompiler source code, in
 `firecracker/src/seccompiler/src` and run `cargo doc --lib --open`.
 
+### Output format
+
+Seccompiler-bin generates binary BPF filters serialized using the bitcode
+format. The output file contains a bitcode-serialized map of thread names to
+their corresponding BPF instruction sequences.
+
+When using the `--split-output` flag, seccompiler-bin will generate:
+
+- The main bitcode output file (as specified by `--output-file`)
+- Individual `.bpf` files for each thread containing raw BPF bytecode (useful
+  for testing)
+
+The individual thread files are named `<thread_name>.bpf` and placed in the same
+directory as the main output file.
+
 ## Where is seccompiler implemented?
 
 Seccompiler is implemented as another package in the Firecracker cargo

docs/seccompiler.md

@@ -6,7 +6,7 @@ limitations.
 
 ## Introduction
 
-Firecracker uses the serde crate [1] along with the bincode [2] format to
+Firecracker uses the serde crate [1] along with the bitcode [2] format to
 serialize its state into Firecracker snapshots. Firecracker snapshots have
 versions that are independent of Firecracker versions. Each Firecracker version
 declares support for a specific snapshot data format version. When creating a
@@ -46,22 +46,22 @@ A Firecracker snapshot has the following format:
 | -------- | ---- | --------------------------------------------------------- |
 | magic_id | 64   | Firecracker snapshot and architecture (x86_64/aarch64).   |
 | version  | M    | The snapshot data format version (`MAJOR.MINOR.PATCH`)    |
-| state    | N    | Bincode blob containing the microVM state.                |
+| state    | N    | Bitcode blob containing the microVM state.                |
 | crc      | 64   | Optional CRC64 sum of magic_id, version and state fields. |
 
 The snapshot format has its own version encoded in the snapshot file itself
 after the snapshot's `magic_id`. The snapshot format version is independent of
 the Firecracker version and it is of the form `MAJOR.MINOR.PATCH`.
 
 Currently, Firecracker uses the
-[Serde bincode encoder](https://github.com/servo/bincode) for serializing the
-microVM state. The encoding format that bincode uses does not allow backwards
-compatible changes in the state, so essentially every change in the microVM
-state description will result in bump of the format's `MAJOR` version. If the
-needs arises, we will look into alternative formats that allow more flexibility
-with regards to backwards compatibility. If/when this happens, we will define
-how changes in the snapshot format reflect to changes in its `MAJOR.MINOR.PATCH`
-version.
+[Serde bitcode encoder](https://github.com/SoftbearStudios/bitcode) for
+serializing the microVM state. The encoding format that bitcode uses does not
+allow backwards compatible changes in the state, so essentially every change in
+the microVM state description will result in bump of the format's `MAJOR`
+version. If the needs arises, we will look into alternative formats that allow
+more flexibility with regards to backwards compatibility. If/when this happens,
+we will define how changes in the snapshot format reflect to changes in its
+`MAJOR.MINOR.PATCH` version.
 
 ## VM state encoding
 
@@ -72,14 +72,14 @@ Rust support are hard requirements while all others can be the subject of trade
 offs. More info about this comparison can be found
 [here](https://github.com/firecracker-microvm/firecracker/blob/9d427b33d989c3225d874210f6c2849465941dc0/docs/snapshotting/design.md#snapshot-format).
 
-Key benefits of using *bincode*:
+Key benefits of using *bitcode*:
 
 - Minimal snapshot size overhead
 - Minimal CPU overhead
 - Simple implementation
 
 The current implementation relies on the
-[Serde bincode encoder](https://github.com/servo/bincode).
+[Serde bitcode encoder](https://github.com/SoftbearStudios/bitcode).
 
 ## Snapshot compatibility
 
@@ -146,4 +146,4 @@ repository. All Firecracker devices implement the
 interface that enables creating from and saving to the microVM state.
 
 [1]: https://serde.rs
-[2]: https://github.com/bincode-org/bincode
+[2]: https://github.com/SoftbearStudios/bitcode

docs/snapshotting/versioning.md

@@ -51,6 +51,6 @@ fn main() {
     println!("cargo:rerun-if-changed={}", SECCOMPILER_SRC_DIR);
 
     let out_path = format!("{}/{}", out_dir, ADVANCED_BINARY_FILTER_FILE_NAME);
-    seccompiler::compile_bpf(&seccomp_json_path, &target_arch, &out_path, false)
+    seccompiler::compile_bpf(&seccomp_json_path, &target_arch, &out_path, false, false)
         .expect("Cannot compile seccomp filters");
 }

src/firecracker/build.rs

@@ -16,7 +16,7 @@ path = "src/bin.rs"
 bench = false
 
 [dependencies]
-bincode = { version = "2.0.1", features = ["serde"] }
+bitcode = { version = "0.6.9", features = ["serde"] }
 clap = { version = "4.5.53", features = ["derive", "string"] }
 displaydoc = "0.2.5"
 libc = "0.2.178"

src/seccompiler/Cargo.toml

@@ -27,6 +27,12 @@ struct Cli {
                 and rule-level actions. Not recommended."
     )]
     basic: bool,
+    #[arg(
+        long,
+        help = "Output individual BPF files for each thread instead of a single combined file. \
+                Used for testing purposes."
+    )]
+    split_output: bool,
 }
 
 fn main() -> Result<(), CompilationError> {
@@ -36,5 +42,6 @@ fn main() -> Result<(), CompilationError> {
         &cli.target_arch,
         &cli.output_file,
         cli.basic,
+        cli.split_output,
     )
 }

src/seccompiler/src/bin.rs

@@ -8,29 +8,19 @@ use std::os::fd::{AsRawFd, FromRawFd};
 use std::os::unix::fs::MetadataExt;
 use std::str::FromStr;
 
-use bincode::config;
-use bincode::config::{Configuration, Fixint, Limit, LittleEndian};
-use bincode::error::EncodeError as BincodeError;
-
 mod bindings;
 use bindings::*;
 
 pub mod types;
 pub use types::*;
 use zerocopy::IntoBytes;
 
-// This byte limit is passed to `bincode` to guard against a potential memory
+// This byte limit is passed to `bitcode` to guard against a potential memory
 // allocation DOS caused by binary filters that are too large.
 // This limit can be safely determined since the maximum length of a BPF
 // filter is 4096 instructions and Firecracker has a finite number of threads.
 const DESERIALIZATION_BYTES_LIMIT: usize = 100_000;
 
-pub const BINCODE_CONFIG: Configuration<LittleEndian, Fixint, Limit<DESERIALIZATION_BYTES_LIMIT>> =
-    config::standard()
-        .with_fixed_int_encoding()
-        .with_limit::<DESERIALIZATION_BYTES_LIMIT>()
-        .with_little_endian();
-
 /// Binary filter compilation errors.
 #[derive(Debug, thiserror::Error, displaydoc::Display)]
 pub enum CompilationError {
@@ -61,14 +51,15 @@ pub enum CompilationError {
     /// Cannot create output file: {0}
     OutputCreate(std::io::Error),
     /// Cannot serialize bfp: {0}
-    BincodeSerialize(BincodeError),
+    BitcodeSerialize(bitcode::Error),
 }
 
 pub fn compile_bpf(
     input_path: &str,
     arch: &str,
     out_path: &str,
     basic: bool,
+    split_output: bool,
 ) -> Result<(), CompilationError> {
     let mut file_content = String::new();
     File::open(input_path)
@@ -188,9 +179,44 @@ pub fn compile_bpf(
         bpf_map.insert(name.clone(), bpf);
     }
 
-    let mut output_file = File::create(out_path).map_err(CompilationError::OutputCreate)?;
+    // Helper function to create and write the main bitcode output file
+    let write_main_output = || -> Result<(), CompilationError> {
+        let mut output_file = File::create(out_path).map_err(CompilationError::OutputCreate)?;
+        let encoded = bitcode::serialize(&bpf_map).map_err(CompilationError::BitcodeSerialize)?;
+
+        // Check size limit to prevent DOS attacks
+        if encoded.len() > DESERIALIZATION_BYTES_LIMIT {
+            // Create a simple error by trying to deserialize invalid data
+            let error = bitcode::deserialize::<()>(&[0xFF]).unwrap_err();
+            return Err(CompilationError::BitcodeSerialize(error));
+        }
 
-    bincode::encode_into_std_write(&bpf_map, &mut output_file, BINCODE_CONFIG)
-        .map_err(CompilationError::BincodeSerialize)?;
+        std::io::Write::write_all(&mut output_file, &encoded)
+            .map_err(CompilationError::OutputCreate)
+    };
+
+    if split_output {
+        // Output individual files for each thread (for testing)
+        use std::path::Path;
+        let base_path = Path::new(out_path);
+        let parent = base_path.parent().unwrap_or_else(|| Path::new("."));
+
+        for (thread_name, bpf_data) in &bpf_map {
+            let thread_file_path = parent.join(format!("{}.bpf", thread_name));
+            let mut thread_file =
+                File::create(&thread_file_path).map_err(CompilationError::OutputCreate)?;
+
+            // Write raw BPF data as bytes
+            use zerocopy::IntoBytes;
+            std::io::Write::write_all(&mut thread_file, bpf_data.as_bytes())
+                .map_err(CompilationError::OutputCreate)?;
+        }
+
+        // Also create the main output file with bitcode format for compatibility
+        write_main_output()?;
+    } else {
+        // Normal output: single bitcode file
+        write_main_output()?;
+    }
     Ok(())
 }

src/seccompiler/src/lib.rs

@@ -19,7 +19,7 @@ acpi_tables = { path = "../acpi-tables" }
 arrayvec = { version = "0.7.6", optional = true }
 aws-lc-rs = "1.15.1"
 base64 = "0.22.1"
-bincode = { version = "2.0.1", features = ["serde"] }
+bitcode = { version = "0.6.9", features = ["serde"] }
 bitflags = "2.10.0"
 bitvec = { version = "1.0.1", features = ["atomic", "serde"] }
 byteorder = "1.5.0"