The Xen Project, an open source hypervisor hosted at the Linux Foundation, has released Xen Project Hypervisor version 4.14. The latest version introduces Linux stubdomains, better nested performance, and more robust live patching. It reflects contributions from across the community and ecosystem.

“Xen Project Hypervisor 4.14 is a clear example of important investments from companies and community members to move the project forward,” said George Dunlap, Xen Project Advisory Board Chair. “We continue to see broad participation from many companies, which is validation of the important role Xen plays in the open-source virtualization space: a project focused solely on virtualization, with a mature code base and community.”

Key updates and improvements include:

  • Linux Stubdomains – can run the newest device models, allowing users to take advantage of one of Xen’s unique security features (running the device model in an isolated domain rather than in dom0) while still having the latest emulated hardware.
  • Lightweight VM fork for fuzzing / introspection – Allows very fast introspection ‘experimentation’, for analyzing malware or finding bugs on systems with Intel EPT support.
  • New livepatch features – allow for a wider range of security fixes to be live patched while providing extra safety mechanisms to prevent users from applying patches in the wrong order.
  • Control-flow Enforcement Technology (CET) Shadow Stack support – Control-flow Enforcement Technology (CET) is a set of hardware features designed to combat Return-oriented Programming (ROP, and the related call- and jump-oriented COP/JOP) attacks. Xen 4.14 can use these hardware features, if available, to protect itself from ROP attacks.

Support for new platforms


Support for Raspberry Pi 4 has been extended and now all versions of the RPI4, including the popular ones with 4GB and 8GB of RAM, work on Xen. Additionally, version 4.14 will support the next generation AMD EPYC processor, codenamed ‘Milan’, when it is available to the public.

“We are pleased to be working with the Xen Project Hypervisor team not only on our current generation of AMD EPYC processors but for future generations as well,” said Robert Gomer, Director AMD Datacenter. “With the release of 4.14, AMD EPYC processors and Xen users can now scale their compute environments from low to extremely high core counts, as workloads dictate. Xen users can take full advantage of AMD EPYC processors’ 64 cores per socket, and the X2APIC feature enables the Xen hypervisor to support up to 256 threads. Whether those users are on-prem or in the cloud, AMD EPYC processors scale to meet their needs.”

Additional Highlights of Xen Project Hypervisor version 4.14 include:

  • Support for Xen running under Hyper-V – Xen will now run as a guest under Hyper-V, the hypervisor developed by Microsoft, which runs Microsoft’s Azure cloud. Running Xen inside a cloud allows the same VM control stack to be used on-premise as in a cloud, allowing virtual machines to be moved freely between on-prem and cloud, or even between clouds.
  • Hypervisor FS support – Similar to Linux’s sysfs, Hypervisor FS allows Xen to expose internal data and control knobs in a structured way, without the previous requirement of parsing log data or writing custom hypercalls to transport the data, and custom code to read it.

Xen Hypervisor version 4.14 also includes improvements to the hypervisor build, x2APIC mode, memory sharing, altp2m, the x86 boot path, microcode handling, libxl event handling, xenstore, xentop, network hotplug scripts, and more.

Ongoing work on upcoming Xen Project Hypervisor features includes:

  • Secret-free Xen – As side-channel attacks continue to be a risk, Secret-free Xen will avoid keeping memory that holds secrets mapped, which will allow some mitigations to be turned off, increasing performance, and removes the very data such attacks were seeking in the first place.
  • Golang bindings significantly expanded – This upcoming feature will make it easier to develop custom code on top of Xen using the Go language.
  • Live migration without the need for guest cooperation – Currently, users must have functioning Xen drivers in the guest in order to live migrate. This upcoming feature allows users to migrate VMs with no drivers or broken drivers.

“The Xen Project Hypervisor remains a key building block for enabling the success of the Citrix Hypervisor product,” said Jacus de Beer, Director of Engineering, Hybrid Cloud Platforms at Citrix. “The enhanced live patching features and continued security improvements released in version 4.14 are key to the success of our customers as it enables them to address security concerns without impacting VM uptime. In addition, enabling Xen workloads to run in the cloud opens up interesting opportunities for hybrid cloud deployments.”