feat(aarch64): support external graceful shutdown via SendCtrlAltDel

[14sea]

Changes

Add external graceful shutdown support on aarch64 by reusing the existing
SendCtrlAltDel action.

• Expose a minimal PL061 GPIO controller as an aarch64 MMIO device and
  describe a gpio-keys power button (KEY_POWER) in the FDT.
• Reuse SendCtrlAltDel: on x86_64 it still injects CTRL+ALT+DEL through the
  i8042 device (unchanged); on aarch64 it drives a short, synchronous
  press/release pulse on the virtual power button. The API no longer rejects the
  action with a 400 on aarch64.
• The PL061 SPI is declared edge-triggered to match Firecracker's plain
  irqfd injection (no resample fd). A level-high line would never be de-asserted
  and the GIC would re-fire it after the guest EOIs, storming the host.
• Save/restore the PL061 register state across snapshots so the button keeps
  working on a restored microVM. The snapshot version is bumped 10.0.0 →
  11.0.0.
• Add the guest-kernel options the gpio-keys path needs
  (CONFIG_GPIOLIB, CONFIG_GPIO_PL061, CONFIG_INPUT_KEYBOARD,
  CONFIG_KEYBOARD_GPIO) to resources/guest_configs/ci.config, and update
  docs/api_requests/actions.md, docs/device-api.md and CHANGELOG.md.

This follows the direction confirmed by @ShadowCurse in
#2046:
no feature gating (always enabled on aarch64), reuse SendCtrlAltDel, and rely
on the systemd-logind already present in the CI rootfs.

A couple of points worth a maintainer's eye:

• Kernel config placement. I put the gpio-keys options in ci.config rather
  than a separate debug.config-style fragment, because the integration tests
  boot the non-debug CI kernels (which only concatenate ci.config), and the
  file already carries the x86 "CTRL+ALT+DEL support" section. Happy to move it
  if you'd prefer a dedicated fragment.
• test_send_ctrl_alt_del on aarch64. It is kept skipif-skipped on aarch64
  for now: the kernel config is included here, but a fresh PR runs against the
  currently-published guest-kernel artifacts, which do not yet have gpio-keys.
  Once the CI guest kernels are rebuilt with this ci.config change the skip can
  be removed so the existing test exercises the aarch64 path. Would you like me
  to drop the skip in this PR, or as a follow-up after the artifacts are
  rebuilt?

Hardware validation

Validated on real aarch64 + KVM hardware (RK3568, Ubuntu guest), on this exact
rebased commit:

• No interrupt storm: /proc/interrupts shows the line as Edge; the count
  increments by exactly +2 per action (press + release) and host CPU stays
  effectively idle (~0.7% over the window). A level storm would peg a CPU.
• Graceful poweroff: with systemd-logind active, SendCtrlAltDel →
  systemd-poweroff → reboot: Power down → KVM_SYSTEM_EVENT →
  Firecracker exiting successfully. exit_code=0.
• Snapshot/restore: after a full snapshot → restore cycle, the restored guest
  still takes the interrupt (+2) and emits a byte-identical KEY_POWER
  press/release event stream on /dev/input/event0, confirming the PL061
  interrupt-enable state survives restore.

Reason

Closes #2046. aarch64 previously rejected SendCtrlAltDel with a 400 and had no
mechanism to request a graceful shutdown of a microVM from the host, unlike
x86_64. This brings aarch64 to parity using the standard guest gpio-keys path.

License Acceptance

By submitting this pull request, I confirm that my contribution is made under
the terms of the Apache 2.0 license. For more information on following Developer
Certificate of Origin and signing off your commits, please check
CONTRIBUTING.md.

PR Checklist

• I have read and understand CONTRIBUTING.md.
• I have verified the PR builds and passes clippy -D warnings on both
  x86_64 and aarch64 (tools/devtool build on aarch64 hardware); CI runs the
  full checkbuild --all.
• I have run tools/devtool checkstyle to verify that the PR passes the
  automated style checks.
• I have described what is done in these changes, why they are needed, and
  how they are solving the problem in a clear and encompassing way.
• I have updated any relevant documentation (both in code and in the docs)
  in the PR.
• I have mentioned all user-facing changes in CHANGELOG.md.
• If a specific issue led to this PR, this PR closes the issue.
• When making API changes, I have followed the
  Runbook for Firecracker API changes.
• I have tested all new and changed functionalities in unit tests and/or
  integration tests (PL061 device unit tests added; the test_send_ctrl_alt_del
  integration test remains aarch64-skipped pending a gpio-keys CI kernel — see
  above).
• I have linked an issue to every new TODO.

---

• This functionality cannot be added in rust-vmm.

[ShadowCurse]

Overall this seems pretty good. I'll let you know when guest kernels are rebuilt for testing.

[ShadowCurse]

There will be only one gpio device, so no need to store a ref to it. Just access METRICS directly.

[ShadowCurse]

Since this is the exact state as in PL061State, just use it here. Would be easier to store and set it later.

[ShadowCurse]

As I can see, this is never accessed outside this file, so it can be made private. This also allows you to remove the line check (and the InvalidGpioLine error variant with it). You can also replace the check with assert!(line < GPIO_PIN_COUNT).

[ShadowCurse]

I think:

let result = match offset {
  0..PL061_DATA_REG_END => self.data & data_mask(offset),
  PL061_DIR => self.direction,
  ...
  _ => return None,
};
Some(u32::from(result))

would be more readable with less syntax noise.

[ShadowCurse]

this is a general comment about usage of try_from: here and in many other place you already guaranteed that these conversions cannot fail (in this example you already did a check offset >= PL061_REGISTER_SPACE_SIZE in the bus_read, in others you mask off the last byte of the value before converting it to u8). Because of this, there is no reason to use try_from. For u64 -> usize you can use vmm::utils::u64_to_usize. For u8 just use as u8 with #[allow(clippy::cast_possible_truncation)].

[ShadowCurse]

the write_reg converts the value: u32 into u8 all the time, so there is no reason to even try to construct u32. Just pass u8 directly. This will also remove needed conversion to u8 in the write_reg.

[ShadowCurse]

what are these specific 0x004 and 0x010 registers?

[14sea]

These aren't separate registers — they're masked accesses into the GPIODATA aperture (0x000..0x3FF). The PL061 encodes a per-line bitmask in address bits [9:2] of the access, so an access at offset line_mask << 2 reads/writes only the selected lines (the PrimeCell "masked GPIO data" mechanism, which is also how the Linux gpio-pl061 driver does single-line I/O).

• 0x004 = 0b0000_0001 << 2 → mask for line 0
• 0x010 = 0b0000_0100 << 2 → mask for line 2

I've reworked the test to be self-documenting via a data_aperture(line_mask) helper instead of bare offsets, and the aperture is documented at the PL061_DATA_REG_END / data_mask() definitions.

[ShadowCurse]

Let's split this commit into several smaller ones so it is easier to review. Something like:

• add PL061 device (just the impl)
• wire the device inside vmm
• add documentation
• add changelog entry

[14sea]

Done — split into 5 commits as suggested: (1) add the PL061 device impl, (2) wire it into the VMM, (3) docs, (4) CHANGELOG entry. The test_api.py change is its own commit (5) so it can be dropped/updated independently once the CI kernels are rebuilt with the gpio-keys config.

[ShadowCurse]

this is not needed

[ShadowCurse]

This can be in a separate commit to simply drop/update it when guest kernels will be rebuilt with new configs

[14sea]

Thanks for the review! Force-pushed addressing all comments:

• Commits split into device impl / VMM wiring / docs / CHANGELOG, with the test_api.py change kept separate.
• gpio_pl061: access METRICS directly; PL061Device now embeds PL061State; set_input_level is private with an assert! (dropped the InvalidGpioLine variant); read_reg rewritten as a single match; removed the infallible try_from usages (u64_to_usize / as u8); write_reg takes a u8 directly.
• Removed the unneeded comment in arch/mod.rs.
• Answered the GPIODATA masked-access question inline.

Each commit builds standalone and the gpio_pl061 unit tests pass on aarch64.