Xen Project Hypervisor Version 4.14 Brings Added Security and Performance

By AIT News Desk On Jul 27, 2020

New version introduces Linux stubdomains and robust live patching to build on security features.

The Xen Project, an open source hypervisor hosted at the Linux Foundation, announced the release of Xen Project Hypervisor 4.14, which introduces Linux subdomains, better nested performance, more robust live patching and reflects contributions from across the community and ecosystem. This release also continues the fundamental shift for Xen, which was outlined in version 4.13, to make it increasingly resistant to side-channel attacks and hardware issues.

“Xen Project Hypervisor 4.14 is a clear example of important investments from companies and community members to move the project forward,” said George Dunlap, Xen Project Advisory Board Chair. “We continue to see broad participation from many companies, which is validation of the important role Xen plays in the open-source virtualization space: a project focused solely on virtualization, with a mature code base and community.”

Security

Advanced security has always been one of Xen’s distinctive strengths. This precedent continues with more security-focused features this release.

Key updates and improvements include:

Linux Stubdomains that can run the newest device models, allowing users to take advantage of one of Xen’s unique security features while still having the latest emulated hardware.
Lightweight VM fork for fuzzing / introspection. Allows very fast introspection “experimentation”, for analyzing malware or finding bugs on systems with Intel EPT support.
New livepatch features allow for a wider range of security fixes to be live patched while providing extra safety mechanisms to prevent users from applying patches in the wrong order.
Control-flow Enforcement Technology (CET) Shadow Stack support. Control-flow Enforcement Technology (CET) is a set of features in hardware designed to combat Return-oriented Programming (ROP, also call/jump COP/¯JOP) attacks. Xen 4.14 can use these hardware features, if available, to protect itself from ROP attacks.

Embedded and Safety-Critical

As the Xen project continues to evolve and grow, it has become relevant for the embedded and automotive use cases. Due to this, and the importance of functional safety and safety certification to these use cases, Xen continues on a journey to become Safety Certifiable. A key part of this initiative is the progress made in the Xen Project Functional Safety Working group, which was created in the Spring of 2019 and is supported by multiple vendors, including safety assessors. A new development out of this group is the successful drafting of prototype requirement documents and progress towards the processes and procedures on maintaining these documents.

Support for new platforms

Support for Raspberry Pi 4 has been extended and now all versions of the RPI4, including the popular ones with 4GB and 8GB of RAM, work on Xen. Additionally, version 4.14 will support the next generation AMD EPYC™ processor, codenamed “Milan“, when it is available to the public.

Featured Highlights

Support for Xen running under Hyper-V. Xen will now run as a guest under Hyper-V, the hypervisor developed by Microsoft which runs Microsoft’s Azure cloud. Running Xen inside a cloud allows the same VM control stack to be used on-premise as in a cloud, allowing virtual machines to be moved freely between on-prem and cloud, or even between clouds.
Hypervisor FS support. Similar to Linux’s sysfs, Hypervisor FS allows Xen to expose internal data and control knobs in a structured way, without the previous requirement of parsing log data or writing custom hypercalls to transport the data, and custom code to read it.

Xen Hypervisor version 4.14 also includes improvements to hypervisor build, x2APIC mode, mem sharing, altp2m, x86 boot path, microcode handling, libxl event handling, xenstore, xentop, network hotplug scripts and more.

Ongoing work on upcoming features

Secret-free Xen– As side channel attacks continue to be risk, Secret free Xen will prevent memory from being mapped which will allow for mitigations to be turned off, increasing performance and erasing the data that was being sought after to begin with.
Golang bindings significantly expanded – This upcoming feature will make it easier to develop customer code on top of Xen using the language, Go.
Live migration without need for guest cooperation – Current users must have functioning Xen drivers in the guest to live migrate. This upcoming feature allows users to migrate VMs with no drivers or broken drivers.

Recommended AI News: Bitcoin Association Appoints Two New Asia Ambassadors To Advance Bitcoin SV

AMD

“We are pleased to be working with the Xen Project Hypervisor team not only on our current generation of AMD EPYC™ processors but for future generations as well. With the release of 4.14, AMD EPYC™ processors and Xen users can now scale their compute environments from low to extremely high core counts, as workloads dictate. Xen users can take full advantage of AMD EPYC™ processors’ 64 cores per socket, and the X2APIC feature enables the Xen hypervisor to support up to 256 threads. Whether those users are on-prem or in the cloud, AMD EPYC processors scale to meet their needs.” — Robert Gomer, Director AMD Datacenter Alliances

Citrix

“The Xen Project Hypervisor remains a key building block for enabling the success of the Citrix Hypervisor product,” Jacus de Beer, Director of Engineering, Hybrid Cloud Platforms at Citrix. “The enhanced live patching features and continued security improvements released in version 4.14 are key to the success of our customers as it enables them to address security concerns without impacting VM uptime. In addition, enabling Xen workloads to run in the cloud opens up interesting opportunities for hybrid cloud deployments.”

EPAM

“The Xen Project continues to make major strides in functional safety compliance, and we’re seeing a growing number of automotive industry leaders intensively evaluating the solution for in-vehicle central computer units,” said Alex Agizim, CTO, Automotive & Embedded, EPAM Systems. “We’re excited to be part of this initiative, and as one of the leaders in Xen’s FuSa SiG, we look forward to enabling vehicles to become more seamlessly integrated with the connected services ecosystem using open source software.”

Intel

“Thriving open source ecosystems such as the Xen community are key to widespread innovation and peer-reviewed security,” said Mark Skarpness, Vice President of Intel’s Architecture, Graphics and Software Organization, IAGS and General Manager of System Software Engineering at Intel Corporation. “Our latest Intel Xeon platforms are ready to deliver the performance and features Xen users need to take full advantage of Xen 4.14.”

SUSE

“We are happy to announce that in this new Xen hypervisor community release a new hypervisorfs feature will be available, which SUSE contributed to respond to customer demand for a reliable and easy to use mechanism to probe configuration and get/set runtime options,” said Claudio Fontana, Engineering Manager, Virtualization, SUSE. “SUSE has also given attention, among other features, to ‘core scheduling’, which is steadily progressing towards being ready for production use.”

Xilinx

“Xilinx is very happy with the progress Xen has made in the 4.14 release toward supporting usage in functional safety applications,” said Tony McDowell, Senior Embedded Platforms Marketing Engineer, Xilinx. “Xilinx believes the flexibility of virtualized multiprocessing on architectures such as Zynq UltraScale+ MPSoC and Versal is key to success in these domains. This is why we continue to invest our engineering know-how into continuous improvement in Xen overall and specifically focus on efforts such as the Xen FuSa SIG.”