Xen is een baremetal-hypervisor voor het x86- en ARMv7/v8-platform, en laat diverse besturingssystemen gelijktijdig op één systeem draaien zonder de prestaties drastisch te beïnvloeden. Voor meer informatie over Xen en de bijbehorende community verwijzen we naar deze en deze pagina. Op dit moment worden alleen Linux, NetBSD en FreeBSD als hostsystemen ondersteund, maar men is druk bezig om ook andere besturingssystemen volledig te ondersteunen. De ontwikkelaars hebben versie 4.12.0 uitgebracht, met de volgende aankondiging:
WHAT’S NEW IN XEN 4.12
I am pleased to announce the release of Xen Project Hypervisor 4.12. This latest release adds impressive feature improvements around security and code size, x86 architectural renewal (one of our long-term development goals since Xen 4.8) and some significant updates making Xen the technology ideal for mixed-criticality systems, which is important for many use-cases covering the embedded, security and automotive industries.
The leaner architecture in Xen 4.12 reduces code size on x86 (between 5% and 22% depending on configuration) and almost 30% on Arm, reducing the potential for security vulnerabilities while making Xen an attractive option for use in mixed-criticality systems. This version of Xen is more configurable, significantly reducing integration costs for business and organizations which customize Xen heavily.
SECURITY & CODE SIZE
The Xen 4.12 release builds upon the security features of previous releases, continuing Xen’s legacy of being the safest and most stable hypervisor for security-focused environments.
X86 ARCHITECTURAL RENEWAL
- HVM/PVH and PV only Hypervisor: The new Xen Project 4.12 release separates the HVM/PVH and PV code paths in Xen and provides KCONFIG options to build a PV only or HVM/PVH only hypervisor. This enables Xen based security products such as Qubes OS, Star Lab Crucible, & OpenXT to build products with vastly reduced memory footprints and attack surface more easily. In addition, the release enables cloud and hosting providers which do not offer support for PV guests to deploy HVM/PVH only hypervisors which in turn, increases security.
- QEMU Deprivilege (DM_RESTRICT): The Xen 4.9 – 4.11 releases laid the groundwork for the QEMU Deprivilege, limiting the impact of security vulnerabilities that originate QEMU. In Xen 4.12, this feature has been vastly improved. The majority of restrictions and features have been implemented, improving security and readiness for wide-scale testing. Support for VM migration has also been added and defense-in-depth techniques using chroot, RLIMITs, and Linux namespaces which are used to protect against privilege escalations from QEMU to Xen and VM’s.
- Argo – Hypervisor-Mediated data eXchange: Argo is a new inter-domain communication mechanism that is designed for security, safety and mixed-criticality systems with isolation properties that go beyond those of existing inter-domain communication mechanisms. Argo is designed to be robust and simple to use correctly, securely and safely. In addition, Argo meets requirements for performance isolation between domains, to prevent negative performance impact from malicious or disruptive activity of other domains, or even other VCPUs of the same domain. It follows Multiple Independent Levels of Security/Safety (MILS) architecture foundational principles. Argo provides Xen hypervisor primitives to transmit data between VMs, by performing data copies into receive memory rings registered by domains. It does not require memory sharing between VMs and does not use grant tables or Xenstore.
- Improvements to Virtual Machine Introspection: The VMI subsystem which allows detection of 0-day vulnerabilities has seen many functional and performance improvements. Altp2m (see https://xenproject.org/tag/alt2pm/) and Intel #VE/VMFUNC support within the subsystem have been tuned and hardened. These two technologies reduce the performance overhead of Virtual Machine Introspection by 5% to 20% depending on workload.
The new Xen 4.12 features renew how x86 architecture support is implemented in Xen, a multi-year effort that is nearing completion.
- Credit 2 Scheduler: The Credit2 scheduler is now the Xen Project default scheduler. This Credit2 scheduler represents several years worth of effort to create the next-generation scheduler for Xen. It is designed specifically for performance of latency-sensitive workloads, as well as scalability and predictability.
- PVH Support: Grub2 boot support has been added to Xen and Grub2. These additions enable users to boot any PVH guest kernel via the grub menu. The updates to PHV also improves its stability.
- PVH Dom0: PVH Dom0 support has now been upgraded from experimental to tech preview. This upgrade, exclusive to Intel Hardware, resolves various bugs and features several improvements such as the new dom0-iommu=map-reserved option which can be used to work around broken firmware when using a PVH Dom0. Support for migrating domUs from a PVH dom0 has also been included.
The Project is working to make Xen more easily safety certifiable targeting embedded and automotive use-cases. These new upgrades will increase the viability of Xen for use in mixed-criticality systems.
Additional Technical Features
- Dom0less VMs for statically partitioned systems: The new Xen 4.12 upgrade makes it possible to create and boot Arm VMs from Device Tree immediately after starting Xen. In traditional Xen environments, VMs can only be started after Dom0 kernel, user space and the toolstack are up and running. The upgrade decreases boot time by more than 90%. Dom0less VMs extend the usage of Xen to statically partitioned mixed-criticality systems. Xen is planning on extending the concept of Dom0less in subsequent releases to allow building Xen Systems entirely without a Dom0. This, in turn, will reduce the cost of safety certification significantly.
- Tiny Arm Configurations: The Xen 4.12 upgrade allows users to build a tiny Arm configuration with less than 50 KSLOC, which in turn reduces the cost of safety certification for Xen based systems. This new functionality allows building Xen variants for specific hardware such as Renesas RCar 3 and Xilinx Ultrascale+ MPSoC with a minimal set of drivers and features that are needed for mixed-criticality systems.
- The new Xen 4.12 upgrade also includes improved IOMMU mapping code, which is designed to significantly improve the startup times of AMD EPYC based systems.
- The upgrade also features Automatic Dom0 Sizing which allows the setting of Dom0 memory size as a percentage of host memory (e.g. 10%) or with an offset (e.g. 1G+10%).
his release contains 1466 commits from 364 patch series. A significant number of contributions for this release of the Xen Project came from Citrix, Suse, ARM, Xilinx, BitDefender, EPAM, OpenXT Community, Oracle, Gentoo Linux, Aggios, Amazon, Invisible Things Lab and DornerWorks, and a number of universities and individuals. As in Xen 4.11, we spent a lot of energy to improve code quality and harden security. On behalf of the Xen Project Hypervisor team, I would like to thank everyone for their contributions (either in the form of patches, code reviews, bug reports or packaging efforts) to the Xen Project.
Please check our acknowledgement page, which recognises all those who helped make this release happen. The source can be located in the tree (tag RELEASE-4.12.0) or can be downloaded as a tarball from our website. For detailed download and build instructions check out the guide on building Xen 4.12.