Xen Project Hypervisor 4.11 Brings Cleaner Architecture to Hypervisor Core Technologies
The Linux Foundation | 10 July 2018
Latest release adds PVH functionality for better security and performance
SAN FRANCISCO, July 10, 2018 – The Xen Project, hosted by The Linux Foundation, today announced the release of Xen Project Hypervisor 4.11. The latest release adds new PVH-related functionality to simplify the interface between the Xen Project Hypervisor and operating systems with Xen Project support, bringing added security and performance. The release also contains mitigations for the Meltdown and Spectre vulnerabilities.
The Xen Project Hypervisor is used by more than 10 million users, and powers some of the largest clouds in production today, including Amazon Web Services, Tencent, Alibaba Cloud, Oracle Cloud and IBM SoftLayer. It is the base for commercial virtualization products from Citrix, Huawei, Inspur and Oracle, and security solutions from Qubes OS, Bromium vSentry, A1Logic, Bitdefender, Star Lab’s Crucible Hypervisor, Zentific and Dornerwork’s Virtuosity.
Long-term development goals of the Xen Project continue to focus on less code, a smaller trusted computing base (TCB), less complexity, ease of maintenance, and better performance as well as scalability. To support these goals, the Xen Project has re-architected the Hypervisor’s core technologies, which encompass all core functionality, such as x86 support, device emulation and boot sequence. The latest PVH-related functionality in Xen Project 4.11 is a manifestation of this re-architecture.
“The Xen Project community worked swiftly to address the security needs of Spectre and Meltdown, and continued to match its goals in adding significant features to this release,” said Lars Kurth, chairperson of the Xen Project Advisory Board. “The latest features in this release around PVH functionality bring better security, performance and management to the Hypervisor.”
PVH Dom0 Reduces the Attack Surface of Xen Project Based Systems
PVH combines the best of PV and HVM mode to simplify the interface between operating systems with Xen Project Support and the Xen Project Hypervisor and to reduce the attack surface of Xen Project Software. PVH guests are lightweight HVM guests that use hardware virtualization support for memory and privileged instructions. PVH does not require QEMU.
Xen Project 4.11 adds experimental PVH Dom0 support, enabled by booting Xen with dom0=pvh on the hypervisor command line. Running a PVH Dom0 removes approximately 1 million lines of QEMU code from Xen Project’s trusted computing base, shrinking the attack surface of Xen Project based systems.
Enabling a PVH Dom0 requires a PVH Dom0 capable Linux or FreeBSD. Patches for each operating system are currently being upstreamed and should be available in the next Linux and FreeBSD versions.
PV in PVH container (PVH Shim) Simplifies Management
Xen Project Hypervisor 4.11 supports running unmodified legacy PV-only guests in PVH mode. This allows cloud providers to support old, PV-only distros while only providing support for a single kind of guest (PVH), simplifying management, reducing the attack surface significantly, and eventually allowing end-users to build a Xen Project hypervisor configuration with no “classic” PV support at all.
PCI config space emulation in Xen
Support for the PCI configuration space has been moved from QEMU to the hypervisor. Besides enabling PVH Dom0 support, this code will eventually be available to HVM guests and PVH guests. Additional security hardening needs to be performed before exposing this functionality to security supported guest types, such as PVH or HVM guests.
Mitigations against Cache Side Channel Attacks from Meltdown and Spectre
This release contains mitigations for the Meltdown and Spectre vulnerabilities, including:
- Performance optimized XPTI: Xen Project’s equivalent to Kernel page-table isolation (KPTI). Only “classic PV” guests need XPTI whereas HVM and PVH cannot attack the hypervisor via Meltdown.
- Branch Predictor Hardening: For x86 CPUs, a new framework for Intel and AMD microcode was added related to Spectre mitigations, as well as support for Retpoline.
Contributions for this release of the Xen Project came from Amazon Web Services, AMD, Arm, Citrix, DornerWorks, EPAM Systems, Gentoo Linux, Google, Huawei, Intel Corporation, Invisible Things Lab, Oracle, Qualcomm, SUSE, and a number of universities and individuals. See the full list of participants in this release here.
Additional Technical Features
Scheduler Optimizations: Credit1 and Credit2 scheduling decisions when a vCPU is exclusively pinned to a pCPU or when soft-affinity is used are performance optimized.
Add DMOPs to allow use of VGA with restricted QEMU (x86): Xen Project Hypervisor 4.9 introduced the Device Model Operation Hypercall (DMOPs), which significantly limits the capability of a compromised QEMU to attack the hypervisor. In Xen 4.11 we added DMOPs that enable the usage of the VGA console, which was previously restricted.
Enable Memory Bandwidth Allocation in Xen (Intel® Xeon® Scalable platform or newer): Support for Memory Bandwidth Allocation (MBA) allows Xen Project Hypervisor 4.11 to slow misbehaving VMs by using a credit-based throttling mechanism.
Emulator enhancements (x86): Support for previously unsupported Intel® Advanced Vector Extensions (Intel® AVX and AVX2), and for AMD F16C, FMA4, FMA, XOP and 3DNow! instructions, has been added to the x86 emulator.
Guest resource mapping (x86): Support for directly mapping grant tables and IOREQ server pages has been introduced into Xen Project Hypervisor 4.11 to improve performance.
Clean-up and future-proofing (Arm): Xen’s VGIC support has been re-implemented. In addition, stage-2 page table handling, memory subsystems and big.LITTLE support have been refactored to make it easier to maintain and update the code in future.
Support for PSCI 1.1 and SMCCC 1.1 compliance (Arm): Xen Project is updated to comply with the latest versions of the Arm® Power State Coordination Interface and Secure Monitor Call Calling Convention, which provide an optimised calling convention and optional, discoverable support for mitigating Spectre Variant 2.
Comments from Xen Project Users and Contributors:
“The Xen Project Hypervisor 4.11 builds on its maturity and flexibility as a dependable, secure, type-1 hypervisor. Xen Project 4.11’s support for PVH dom0, added to its existing PVH domU capability, allows it to take advantage of the performance and scalability benefits of paravirtualization, while reducing complexity and code size, making it easier to maintain, enhance and secure,” said James Bulpin, Senior Director of Technology at Citrix. “With several other performance, security and maintainability enhancements, Xen Project 4.11 demonstrates the community’s dedication to making Xen the best hypervisor for a wide range of use-cases from huge private clouds to embedded systems.”
“Intel is pleased to see the Xen Project 4.11 release with the latest Intel-based platform features,” said Arjan Van De Ven, Intel Fellow and Director of Core Systems and Linux Pathfinding Engineering at Intel’s Open Source Technology Center. “We remain focused on enabling the best of Intel architecture to help ensure customers can take advantage of the newest features.”
“The Xen Project Hypervisor is an important part of the virtualization solutions SUSE provides to our customers. This newest release of Xen 4.11 offers some important benefits such as increased performance and hardening – which are critical in enterprise environments,” said Mike Latimer, Senior Engineering Manager, SUSE. “The Xen Project is an excellent example of our commitment to provide the best quality software to our customers. We look forward to continuing our contributions to this thriving community, and being a part of the exciting future of virtualization.”
About The Linux Foundation
Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org. The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.