Xen Project Hypervisor Version 4.14 brings added security and performance

New version introduces Linux stubdomains and robust live patching to build on security features.

SAN FRANCISCO – July 24, 2020 – The Xen Project, an open source hypervisor hosted at the Linux Foundation, today announced the release of Xen Project Hypervisor 4.14, which introduces Linux stubdomains, better nested performance, more robust live patching and reflects contributions from across the community and ecosystem. This release also continues the fundamental shift for Xen, which was outlined in version 4.13, to make it increasingly resistant to side-channel attacks and hardware issues.

“Xen Project Hypervisor 4.14 is a clear example of important investments from companies and community members to move the project forward,” said George Dunlap, Xen Project Advisory Board Chair.  “We continue to see broad participation from many companies, which is validation of the important role Xen plays in the open-source virtualization space: a project focused solely on virtualization, with a mature code base and community.”

Security
Advanced security has always been one of Xen’s distinctive strengths. This precedent continues with more security-focused features this release.

Key updates and improvements include:

  • Linux Stubdomains that can run the newest device models, allowing users to take advantage of one of Xen’s unique security features while still having the latest emulated hardware.
  • Lightweight VM fork for fuzzing / introspection.  Allows very fast introspection “experimentation”, for analyzing malware or finding bugs on systems with Intel EPT support.
  • New livepatch features allow for a wider range of security fixes to be live patched while providing extra safety mechanisms to prevent users from applying patches in the wrong order.
  • Control-flow Enforcement Technology (CET) Shadow Stack support.  Control-flow Enforcement Technology (CET) is a set of hardware features designed to combat Return-oriented Programming (ROP) attacks and their call- and jump-oriented variants (COP/JOP).  Xen 4.14 can use these hardware features, if available, to protect itself from ROP attacks.

Embedded and Safety-Critical
As the Xen project continues to evolve and grow, it has become relevant for the embedded and automotive use cases. Due to this, and the importance of functional safety and safety certification to these use cases, Xen continues on a journey to become Safety Certifiable. A key part of this initiative is the progress made in the Xen Project Functional Safety Working group, which was created in the Spring of 2019 and is supported by multiple vendors, including safety assessors. A new development out of this group is the successful drafting of prototype requirement documents and progress towards the processes and procedures on maintaining these documents.

Support for new platforms
Support for Raspberry Pi 4 has been extended and now all versions of the RPI4, including the popular ones with 4GB and 8GB of RAM, work on Xen. Additionally, version 4.14 will support the next generation AMD EPYC™ processor, codenamed “Milan”, when it is available to the public.

Featured Highlights

  • Support for Xen running under Hyper-V. Xen will now run as a guest under Hyper-V, the hypervisor developed by Microsoft which runs Microsoft’s Azure cloud. Running Xen inside a cloud allows the same VM control stack to be used on-premise as in a cloud, allowing virtual machines to be moved freely between on-prem and cloud, or even between clouds.
  • Hypervisor FS support. Similar to Linux’s sysfs, Hypervisor FS allows Xen to expose internal data and control knobs in a structured way, without the previous requirement of parsing log data or writing custom hypercalls to transport the data, and custom code to read it.

Xen Hypervisor version 4.14 also includes improvements to hypervisor build, x2APIC mode, mem sharing, altp2m, x86 boot path, microcode handling, libxl event handling, xenstore, xentop, network hotplug scripts and more.

Ongoing work on upcoming features

  • Secret-free Xen – As side-channel attacks continue to be a risk, Secret-free Xen will prevent sensitive memory from remaining mapped in the hypervisor, which will allow some mitigations to be turned off, increasing performance, while removing the very data such attacks seek in the first place.
  • Golang bindings significantly expanded – This upcoming feature will make it easier to develop custom code on top of Xen using the Go language.
  • Live migration without need for guest cooperation – Currently, users must have functioning Xen drivers in the guest to live migrate. This upcoming feature allows users to migrate VMs with no drivers or broken drivers.

Community Quotes

AMD

“We are pleased to be working with the Xen Project Hypervisor team not only on our current generation of AMD EPYC™ processors but for future generations as well. With the release of 4.14, AMD EPYC™ processors and Xen users can now scale their compute environments from low to extremely high core counts, as workloads dictate. Xen users can take full advantage of AMD EPYC™ processors’ 64 cores per socket, and the X2APIC feature enables the Xen hypervisor to support up to 256 threads. Whether those users are on-prem or in the cloud, AMD EPYC processors scale to meet their needs.” — Robert Gomer, Director AMD Datacenter Alliances

Citrix
“The Xen Project Hypervisor remains a key building block for enabling the success of the Citrix Hypervisor product,” said Jacus de Beer, Director of Engineering, Hybrid Cloud Platforms at Citrix. “The enhanced live patching features and continued security improvements released in version 4.14 are key to the success of our customers as it enables them to address security concerns without impacting VM uptime. In addition, enabling Xen workloads to run in the cloud opens up interesting opportunities for hybrid cloud deployments.”

EPAM
“The Xen Project continues to make major strides in functional safety compliance, and we’re seeing a growing number of automotive industry leaders intensively evaluating the solution for in-vehicle central computer units,” said Alex Agizim, CTO, Automotive & Embedded, EPAM Systems. “We’re excited to be part of this initiative, and as one of the leaders in Xen’s FuSa SiG, we look forward to enabling vehicles to become more seamlessly integrated with the connected services ecosystem using open source software.”

Intel
“Thriving open source ecosystems such as the Xen community are key to widespread innovation and peer-reviewed security,” said Mark Skarpness, Vice President of Intel’s Architecture, Graphics and Software Organization, IAGS and General Manager of System Software Engineering at Intel Corporation.  “Our latest Intel Xeon platforms are ready to deliver the performance and features Xen users need to take full advantage of Xen 4.14.”

SUSE
“We are happy to announce that in this new Xen hypervisor community release a new hypervisorfs feature will be available, which SUSE contributed to respond to customer demand for a reliable and easy to use mechanism to probe configuration and get/set runtime options,” said Claudio Fontana, Engineering Manager, Virtualization, SUSE. “SUSE has also given attention, among other features, to ‘core scheduling’, which is steadily progressing towards being ready for production use.”

Xilinx
“Xilinx is very happy with the progress Xen has made in the 4.14 release toward supporting usage in functional safety applications,” said Tony McDowell, Senior Embedded Platforms Marketing Engineer, Xilinx. “Xilinx believes the flexibility of virtualized multiprocessing on architectures such as Zynq UltraScale+ MPSoC and Versal is key to success in these domains.  This is why we continue to invest our engineering know-how into continuous improvement in Xen overall and specifically focus on efforts  such as the Xen FuSa SIG.”

Additional Resources
Release Info
Downloads

About the Xen Project
Xen Project software is an open source virtualization platform licensed under the GPLv2 with a similar governance structure to the Linux kernel. Designed from the start for cloud computing, the Project has more than a decade of development and is being used by more than 10 million users. A project at The Linux Foundation, the Xen Project community is focused on advancing virtualization in a number of different commercial and open source applications including server virtualization, Infrastructure as a Service (IaaS), desktop virtualization, security applications, embedded and hardware appliances. It counts many industries and open source community leaders among its members including Alibaba, Amazon Web Services, AMD, Arm, Bitdefender, Citrix, EPAM Systems, Huawei and Intel. For more information about the Xen Project software and to participate, please visit XenProject.org.

Intel, the Intel logo and Xeon are trademarks of Intel Corporation or its subsidiaries in the U.S. and/or other countries.

AMD, the AMD logo, EPYC, and combinations thereof are trademarks of Advanced Micro Devices, Inc.

About Linux Foundation
Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more.  The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.


Media Contact
Rachel Romoff
rromoff@linuxfoundation.org
210-241-8284