The Xen Project, hosted at The Linux Foundation, has announced the release of Xen Project Hypervisor 4.10. The latest release would significantly reduce potential security vulnerabilities in the Xen Project software stack.
The Xen Project hypervisor is used by more than 10 million users, and powers some of the largest clouds in production today, including Amazon Web Services (AWS Cloud), Tencent, Alibaba Cloud, Oracle Cloud and IBM SoftLayer. It is the base for commercial virtualization products from Citrix, Huawei, Inspur and Oracle, and security solutions from Qubes OS, Bromium vSentry, A1Logic, Bitdefender, Star Lab’s Crucible Hypervisor, Zentific and Dornerwork’s Virtuosity.
According to Xen Project, their latest Hypervisor release features an improved architecture and more centralized documentation. Its revamped architecture would provide a cleaner and smaller code base for better security and performance. The new release is equipped with the latest hardware updates from Arm and a more intuitive user interface.
“This release is a stepping stone for us to solidify a new architecture that uses hardware support for better performance for PV guests, reduces code size and maintenance burden, and provides a smaller TCB for better security,” said Lars Kurth, Chairperson of the Xen Project Advisory Board. “This provides value to traditional markets that the Xen Project is present and popular in, like the server and cloud space, but also continues to open the Xen Project up to new markets like embedded and automotive.”
Since the introduction of Xen Project Hypervisor 4.8, the project has overhauled the x86 core of its technology. The intention is to create a cleaner architecture, less code and a smaller computing base for security and performance. As part of this re-architecture, Xen Project 4.10 supports PVHv2 DomU. PVHv2 guests have a smaller TCB and attack surface compared to PV and HVM guests.
In Xen Project Hypervisor 4.9, the interface between Xen Project software and QEMU was completely reworked and consolidated via DMOP. For the Xen Project Hypervisor 4.10, the Xen Project community built on DMOP and added a Technology Preview for dm_restrict to constrain what device models, such as QEMU, can do after startup. This feature would limit the impact of security vulnerabilities in QEMU. Any previous QEMU vulnerabilities that could normally be used for escalation privileges to the host cannot escape the sandbox.
Improved User Interface
The Xen Project community also made significant changes to the hypervisor’s user interface. It is now possible to modify certain boot parameters without the need to reboot Xen. Guest types are now selected using the type option in the configuration file, where users can select a PV, PVH or HVM guest. The builder option is being depreciated in favor of the type option, the PVH option has been removed and a set of PVH specific options have been added.
These changes would allow the Xen Project to retain backward compatibility on new hardware without old PV code, providing the same functionality with a much smaller codebase.
Improved Support Documentation
In Xen Project 4.10, a machine-readable file (support.md) was added to describe support related information in a single document. It defines support status and whether features are security supported and to which degree. For example, a feature may be security supported on x86, but not on Arm.
This file will be back-ported to older Xen releases and will be used to generate support information for Xen Project releases and will be published on xenbits.xen.org/docs. This effort would both allow users to better understand how they are impacted by security issues, hile centralizing security support related information.
Technical contributions for this release of the Xen Project came from Amazon Web Services, AMD, Aporeto, Arm, BAE Systems, BitDefender, Cavium, Citrix, EPAM, GlobalLogic, Greenhost, Huawei Technologies, Intel, Invisible Things Lab, Linaro, Nokia, Oracle, Red Hat, Suse, US National Security Agency, and a number of universities and individuals. This was a shorter release cycle with a code quality and hardened security a key focus.
Hypervisor 4.10 Additional Features
- Support for Latest System-on-chip (SoC) Technology – The Xen Project now supports SoCs based on the 64-bit Armv8-A architecture from Qualcomm Centriq 2400 and Cavium ThunderX.
- SBSA UART Emulation for Arm CPUs – Implementation of SBSA UART emulation support in the Xen Project Hypervisor makes it accessible through the command line tools. This enables the guest OS to access the console when no PV console driver is present. In addition, the SBSA UART emulation is also required to be compliant with the VM System specification.
- ITS support for Arm CPUs – Xen Project 4.10 adds support for Arm’s Interrupt Translation Service (ITS), which accompanies the GICv3 interrupt controller such as the Arm CoreLink GIC-500. ITS support would allow the Xen Project Hypervisor to harness all of the benefits of the GICv3 architecture, improving interrupt efficiency and allowing for greater virtualization on-chip for both those using the Xen Project for the server and embedded space. ITS support would be essential to virtualize systems with large amounts of interrupts. In addition ITS would increase isolation of virtual machines by providing interrupt remapping, enabling safe PCI pass-through on Arm.
- GRUB2 on 64-bit Armv8-A architecture – The GRUB community merged support to boot Xen on 64-bit Arm-based CPU platforms. GRUB2 support for Armv8-A would improve the user experience when installing Xen via distribution package on UEFI platform.
- Credit 2 scheduler improvements – Soft-affinity support for the Credit 2 scheduler was added to allow those using the Xen Project in the cloud and server space to specify a preference for running a VM on a specific CPU. This would enable NUMA aware scheduling for the Credit 2 scheduler. In addition Xen Project added cap support allowing users to set a the maximum amount of CPU a VM will be able to consume, even if the host system has idle CPU cycles.
- Null scheduler improvements – The recent updates to the “null” scheduler would guarantee “near zero scheduling overhead, significantly lower latency, and more predictable performance.” Added tracing support would enable users to optimize workloads and introduced soft-affinity. Soft affinity adds a flexible way to express placement preference of vcpus on processors, which would improve cache and memory performance when configured appropriately.
- Virtual Machine Introspection improvements – Performance improvements have been made to VMI. A software page table walker was added to VMI on Arm, which lays the groundwork to alt2pm for Arm CPUs.
- PV Calls Drivers in Linux – In Xen Project 4.9, the Xen Project introduced the PV Calls ABI, which allows forwarding POSIX requests across guests. This enables a new networking model that would be a natural fit for cloud-native apps. The PV Calls backend driver was added to Linux 4.14.