feat: Add Rosetta support for vfkit on Apple Silicon

Enables running x86_64 (Intel) binaries in ARM64 Linux VMs on Apple
Silicon Macs using Apple's Rosetta translation layer.

Changes:
- Add microvm.vfkit.rosetta.enable option to enable Rosetta
- Add microvm.vfkit.rosetta.mountTag option (default: "rosetta")
- Add microvm.vfkit.rosetta.install option to auto-install Rosetta
- Add microvm.vfkit.rosetta.ignoreIfMissing for compatibility
- Add rosetta device to vfkit runner when enabled
- Validate that Rosetta is only used on aarch64-darwin systems
- Create comprehensive documentation with setup instructions
- Update options table to document Rosetta option

Users must manually mount the Rosetta virtiofs share and configure
binfmt in their guest configuration. See doc/src/vfkit-rosetta.md
for complete setup instructions.

Author: luizribeiro

doc/src/SUMMARY.md

@@ -8,6 +8,7 @@
   - [Device pass-through](./devices.md)
   - [CPU emulation](./cpu-emulation.md)
   - [Output options](./output-options.md)
+  - [Using Rosetta with vfkit (macOS)](./vfkit-rosetta.md)
   - [MicroVM options reference ⚙️](./microvm-options.md)
 - [Running a MicroVM as a package](./packages.md)
 - [Preparing a host for declarative MicroVMs](./host.md)

doc/src/options.md

@@ -17,6 +17,7 @@ available for customization. These are the most important ones:
 | `microvm.forwardPorts`         | (qemu user-networking only) TCP/UDP port forwarding                                                 |
 | `microvm.vfkit.extraArgs`      | (vfkit only) Extra arguments to pass to vfkit                                                       |
 | `microvm.vfkit.logLevel`       | (vfkit only) Log level: "debug", "info", or "error" (default: "info")                              |
+| `microvm.vfkit.rosetta.enable` | (vfkit only) Enable Rosetta for running x86_64 binaries on ARM64 (Apple Silicon only)              |
 | `microvm.kernelParams`         | Like `boot.kernelParams` but will not end up in `system.build.toplevel`, saving you rebuilds        |
 | `microvm.storeOnDisk`          | Enables the store on the boot squashfs even in the presence of a share with the host's `/nix/store` |
 | `microvm.writableStoreOverlay` | Optional string of the path where all writes to `/nix/store` should go to.                          |

doc/src/vfkit-rosetta.md

@@ -0,0 +1,81 @@
+# Using Rosetta with vfkit on Apple Silicon
+
+Rosetta support enables running x86_64 (Intel) binaries in your ARM64 Linux VM on Apple Silicon Macs. This is useful for running legacy applications or development tools that haven't been ported to ARM yet.
+
+## Requirements
+
+- Apple Silicon (M1/M2/M3/etc.) Mac
+- macOS with Rosetta installed
+- vfkit hypervisor
+
+## Configuration
+
+Enable Rosetta in your MicroVM configuration:
+
+```nix
+{
+  microvm = {
+    hypervisor = "vfkit";
+
+    vfkit.rosetta = {
+      enable = true;
+      # Optional: install Rosetta automatically if missing
+      install = true;
+    };
+  };
+}
+```
+
+## Guest Setup
+
+After enabling Rosetta, you need to mount the share and configure binfmt in your guest:
+
+```nix
+{
+  # Mount the Rosetta share
+  fileSystems."/mnt/rosetta" = {
+    device = "rosetta";
+    fsType = "virtiofs";
+  };
+
+  # Configure binfmt to use Rosetta for x86_64 binaries
+  boot.binfmt.registrations.rosetta = {
+    interpreter = "/mnt/rosetta/rosetta";
+    magicOrExtension = ''\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x3e\x00'';
+    mask = ''\xff\xff\xff\xff\xff\xfe\xfe\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff'';
+  };
+}
+```
+
+## Testing
+
+Once configured, you can verify Rosetta is working:
+
+```bash
+# Inside the VM
+uname -m
+# Should show: aarch64
+
+# Try running an x86_64 binary (if you have one)
+file /path/to/x86_64/binary
+# Should show: ELF 64-bit LSB executable, x86-64
+
+/path/to/x86_64/binary
+# Should run successfully via Rosetta
+```
+
+## Options Reference
+
+| Option | Type | Default | Description |
+|--------|------|---------|-------------|
+| `microvm.vfkit.rosetta.enable` | bool | `false` | Enable Rosetta support |
+| `microvm.vfkit.rosetta.mountTag` | string | `"rosetta"` | Mount tag for the virtiofs share |
+| `microvm.vfkit.rosetta.install` | bool | `false` | Auto-install Rosetta if missing |
+| `microvm.vfkit.rosetta.ignoreIfMissing` | bool | `false` | Continue if Rosetta unavailable |
+
+## Limitations
+
+- Only works on Apple Silicon Macs (M-series chips)
+- vfkit will fail to start on Intel Macs if Rosetta is enabled
+- Performance is slower than native ARM64 execution
+- Not all x86_64 binaries may work perfectly

lib/runners/vfkit.nix

@@ -15,9 +15,9 @@ let
   inherit (microvmConfig)
     hostName vcpu mem user interfaces volumes shares socket
     storeOnDisk kernel initrdPath storeDisk kernelParams
-    balloon devices credentialFiles vsock graphics;
+    devices credentialFiles vsock graphics;
 
-  inherit (microvmConfig.vfkit) extraArgs logLevel;
+  inherit (microvmConfig.vfkit) extraArgs logLevel rosetta;
 
   volumesWithLetters = withDriveLetters microvmConfig;
 
@@ -69,7 +69,16 @@ let
         throw "vfkit does not support macvtap networking on macOS. Use type = \"user\" for NAT networking."
       else
         throw "Unknown network interface type: ${type}"
-    ) interfaces);
+    ) interfaces)
+    ++
+    lib.optionals rosetta.enable (
+      let
+        rosettaArgs = "rosetta,mountTag=${rosetta.mountTag}"
+          + lib.optionalString rosetta.install ",install"
+          + lib.optionalString rosetta.ignoreIfMissing ",ignoreIfMissing";
+      in
+      [ "--device" rosettaArgs ]
+    );
 
   allArgsWithoutSocket = [
     "${vfkit}/bin/vfkit"
@@ -103,6 +112,8 @@ in
     then throw "vfkit does not support changing user"
     else if balloon
     then throw "vfkit does not support memory ballooning"
+    else if rosetta.enable && !vmHostPackages.stdenv.hostPlatform.isAarch64
+    then throw "Rosetta requires Apple Silicon (aarch64-darwin). Current host: ${system}"
     else if devices != []
     then throw "vfkit does not support device passthrough"
     else if credentialFiles != {}

nixos-modules/microvm/options.nix

@@ -602,6 +602,44 @@ in
       description = "vfkit log level.";
     };
 
+    vfkit.rosetta = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Enable Rosetta support for running x86_64 binaries in ARM64 Linux VMs.
+          Only works on Apple Silicon (ARM) Macs.
+
+          After enabling, you must mount the rosetta share and configure binfmt
+          in your guest configuration. See the vfkit documentation for details.
+        '';
+      };
+
+      mountTag = mkOption {
+        type = types.str;
+        default = "rosetta";
+        description = "Mount tag for the Rosetta virtiofs share.";
+      };
+
+      install = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Automatically install Rosetta if missing.
+          If false and Rosetta is not installed, vfkit will fail to start.
+        '';
+      };
+
+      ignoreIfMissing = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Continue execution even if Rosetta installation fails or is unavailable.
+          Useful for configurations that should work on both ARM and Intel Macs.
+        '';
+      };
+    };
+
     prettyProcnames = mkOption {
       type = types.bool;
       default = true;