Xen Project Hypervisor 4.10 Focuses on Security, Improved User Experience, and Future Proofing

December 14, 2017 | Press Release

Rearchitecture and new user interface provide for cleaner and smaller codebase

SAN FRANCISCO, December 14, 2017 – The Xen Project, hosted at The Linux Foundation, today announced the release of Xen Project Hypervisor 4.10. The latest release continues to take a security-first approach with improved architecture and more centralized documentation. The release is equipped with the latest hardware updates from Arm and a more intuitive user interface.

The Xen Project hypervisor is used by more than 10 million users, and powers some of the largest clouds in production today, including Amazon Web Services, Tencent, Alibaba Cloud, Oracle Cloud and IBM SoftLayer. It is the base for commercial virtualization products from Citrix, Huawei, Inspur and Oracle, and security solutions from Qubes OS, Bromium vSentry, A1Logic, Bitdefender, Star Lab’s Crucible Hypervisor, Zentific and Dornerwork’s Virtuosity.

As demand for embedded, automotive and security solutions continues to rise, the revamped Xen Project architecture provides a cleaner and smaller code base for better security and performance.

“This release is a stepping stone for us to solidify a new architecture that uses hardware support for better performance for PV guests, reduces code size and maintenance burden, and provides a smaller TCB for better security,” said Lars Kurth, Chairperson of the Xen Project Advisory Board. “This provides value to traditional markets that the Xen Project is present and popular in, like the server and cloud space, but also continues to open the Xen Project up to new markets like embedded and automotive.”

“The Xen Project Hypervisor already has a number of great security properties; Xen 4.10 builds on these by further reducing the size of the TCB, reducing the complexity of code within the TCB, and limiting additional components’ rights to the bare minimum necessary,” said James Bulpin, Senior Director of Technology, Citrix. “The re-architecting work done in Xen 4.10 will also make it easier to maintain and enhance, while preserving quality and security properties.”

Rearchitecture Creates Smaller Attack Surface and Cleaner Code

Since the introduction of Xen Project Hypervisor 4.8, the project has overhauled the x86 core of its technology. The intention is to create a cleaner architecture, less code and a smaller trusted computing base (TCB) for security and performance. As part of this re-architecture, Xen Project 4.10 supports PVHv2 DomU. PVHv2 guests have a smaller TCB and attack surface compared to PV and HVM guests.

In Xen Project Hypervisor 4.9, the interface between Xen Project software and QEMU was completely reworked and consolidated via DMOP. For the Xen Project Hypervisor 4.10, the Xen Project community built on DMOP and added a Technology Preview for dm_restrict to constrain what device models, such as QEMU, can do after startup. This feature limits the impact of security vulnerabilities in QEMU. QEMU vulnerabilities that could normally be used to escalate privileges to the host cannot escape the sandbox.

This work significantly reduces potential security vulnerabilities in the Xen Project software stack.

Better User Experience through the Xen Project User Interface

The Xen Project community also made significant changes to the hypervisor’s user interface. It is now possible to modify certain boot parameters without the need to reboot Xen. Guest types are now selected using the type option in the configuration file, where users can select a PV, PVH or HVM guest. The builder option is being deprecated in favor of the type option, the PVH option has been removed, and a set of PVH-specific options has been added.

These changes allow the Xen Project to retain backward compatibility on new hardware without old PV code, providing the same functionality with a much smaller codebase. Additional user interface improvements are detailed in our blog post.

Improved Support Documentation

In Xen Project 4.10, a machine-readable file (support.md) was added to describe support related information in a single document. It defines support status and whether features are security supported and to which degree. For example, a feature may be security supported on x86, but not on Arm.

This file will be back-ported to older Xen releases, used to generate support information for Xen Project releases, and published on xenbits.xen.org/docs/. This effort will allow users to better understand how they are impacted by security issues. Centralizing security support related information is also a pre-condition to becoming a CVE Numbering Authority.

Contributions for this release of the Xen Project came from Amazon Web Services, AMD, Aporeto, Arm, BAE Systems, BitDefender, Cavium, Citrix, EPAM, GlobalLogic, Greenhost, Huawei Technologies, Intel, Invisible Things Lab, Linaro, Nokia, Oracle, Red Hat, Suse, US National Security Agency, and a number of universities and individuals. This was a shorter release cycle, with code quality and hardened security a key focus.

Additional Technical Features

Support for Latest System-on-chip (SoC) Technology: The Xen Project now supports SoCs based on the 64-bit Armv8-A architecture from Qualcomm Centriq 2400 and Cavium ThunderX.

SBSA UART Emulation for Arm® CPUs: Implementation of SBSA UART emulation support in the Xen Project Hypervisor makes it accessible through the command line tools. This enables the guest OS to access the console when no PV console driver is present. In addition, the SBSA UART emulation is also required to be compliant with the VM System specification.

ITS support for Arm CPUs: Xen Project 4.10 adds support for Arm’s Interrupt Translation Service (ITS), which accompanies the GICv3 interrupt controller such as the Arm CoreLink GIC-500. ITS support allows the Xen Project Hypervisor to harness all of the benefits of the GICv3 architecture, improving interrupt efficiency and allowing for greater virtualization on-chip for those using the Xen Project in both the server and embedded space. ITS support is essential to virtualize systems with large numbers of interrupts. In addition, ITS increases isolation of virtual machines by providing interrupt remapping, enabling safe PCI passthrough on Arm.

GRUB2 on 64-bit Armv8-A architecture: The GRUB community merged support to boot Xen on 64-bit Arm-based CPU platforms. GRUB2 support for Armv8-A improves the user experience when installing Xen via distribution packages on UEFI platforms.

Credit 2 scheduler improvements: Soft-affinity support for the Credit 2 scheduler was added to allow those using the Xen Project in the cloud and server space to specify a preference for running a VM on a specific CPU. This enables NUMA-aware scheduling for the Credit 2 scheduler. In addition, we added cap support, allowing users to set the maximum amount of CPU a VM will be able to consume, even if the host system has idle CPU cycles.

Null scheduler improvements: The recent updates to the “null” scheduler guarantee near zero scheduling overhead, significantly lower latency, and more predictable performance. Tracing support was added, enabling users to optimize workloads, and soft-affinity was introduced. Soft-affinity adds a flexible way to express placement preference of vCPUs on processors, which improves cache and memory performance when configured appropriately.

Virtual Machine Introspection improvements: Performance improvements have been made to VMI. A software page table walker was added to VMI on Arm, which lays the groundwork for altp2m on Arm CPUs. More information on altp2m is available here.

PV Calls Drivers in Linux: In Xen Project 4.9, the Xen Project introduced the PV Calls ABI, which allows forwarding POSIX requests across guests. This enables a new networking model that is a natural fit for cloud-native apps. The PV Calls backend driver was added to Linux 4.14.

Additional Resources