Latest Xen Hypervisor Arrives Late, but Greatly Improved
The latest and greatest version of the open source Xen hypervisor includes leaner code, better performance, and security enhancements under the hood.
It's nearly six weeks late, but Xen 4.11 has finally shipped. There is a reason for the delay: Xen's developers have been busy rewriting the project's code, some of it from the ground up. In other words, this isn't a routine release that only addresses bug fixes and security issues. It is a significant change, and one that anyone running Xen in production should be evaluating right away.
For the uninitiated, the open source Xen hypervisor is used to run and manage virtual machines (VMs). A Linux Foundation project that's been around since 2003, it's the VM backbone of major public clouds such as Amazon Web Services (AWS), IBM Softlayer, Oracle Cloud, Tencent, and Alibaba. It's also used as the base for commercial VM offerings from a range of companies that includes Citrix, Huawei, Inspur and Oracle. According to the project's developers, it currently counts over 10 million users.
So what's new in Xen 4.11? Core functionality, including x86 support, device emulation and the boot sequence, has been re-architected, with the developers focusing on less code, a smaller trusted computing base, less complexity, easier maintenance, and better performance and scalability.
"The Xen Project community worked swiftly to address the security needs of Spectre and Meltdown, and continued to match its goals in adding significant features to this release," Lars Kurth, chairperson of the Xen Project Advisory Board, said in a statement. "The latest features in this release around PVH functionality bring better security, performance and management to the hypervisor."
In PVH, Xen combines the best of Xen paravirtualization (PV) and hardware-assisted virtualization (HVM) to simplify the interface between Xen-aware guest operating systems and the Xen Project hypervisor, and to reduce the hypervisor's attack surface. PVH guests are lightweight HVM guests: they rely on hardware virtualization support (Intel VT-x or AMD-V with nested paging) for memory and privileged instructions, and on PV interfaces such as hypercalls, event channels and PV drivers for I/O and boot, rather than on emulated devices.
And because Xen's new version adds experimental PVH Dom0 support (Dom0 is the initial, privileged domain that Xen starts during boot and that runs the toolstack; PVH mode is selected with the `dom0=pvh` Xen command-line option), Dom0 itself no longer depends on QEMU for device emulation. Removing QEMU from Dom0's boot path takes roughly a million lines of code out of that part of the trusted computing base and shrinks the attack surface. Two caveats for practitioners: the feature is marked experimental in this release, and HVM guests still need a QEMU device model, so QEMU disappears from Dom0's own boot, not from the system entirely.
"Xen Project 4.11's support for PVH Dom0, added to its existing PVH DomU capability, allows it to take advantage of the performance and scalability benefits of paravirtualization, while reducing complexity and code size, making it easier to maintain, enhance and secure," James Bulpin, Citrix's senior director of technology, said in a statement. "With several other performance, security and maintainability enhancements, Xen Project 4.11 demonstrates the community's dedication to making Xen the best hypervisor for a wide range of use-cases from huge private clouds to embedded systems."
In addition to streamlined code, there are other security enhancements in Xen's latest version, notably mitigations for the Meltdown and Spectre speculative-execution attacks, which leak data through cache-timing side channels. For x86 machines this includes a new framework for the speculation-control features shipped in Intel and AMD microcode updates, as well as support for Retpoline, the compiler-generated indirect-branch sequence that stops Spectre variant 2 (branch target injection) from steering speculation through a trained branch predictor. A mitigation framework for Spectre-type vulnerabilities has also been added for ARM processors. Note that Retpoline addresses only variant 2; Meltdown-class leaks require separate page-table isolation, so an upgraded hypervisor should be checked for both.
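As an added illustration of what "Retpoline support" means at the instruction level (example code written for this article, not Xen's own implementation, which is emitted by the compiler from flags such as GCC's -mindirect-branch=thunk-extern), the C below performs the same function-pointer call two ways: once as an ordinary indirect call, and once through a hand-written retpoline thunk in GNU inline assembly. The names add_op, mul_op, call_plain and call_retpoline are hypothetical; the thunk assumes an x86-64 build with GCC or Clang and falls back to the plain call on other targets.

```c
#include <stdio.h>

/* A function-pointer call is the kind of indirect branch Spectre v2 (branch
 * target injection) abuses: the CPU predicts the target from the BTB, which
 * code on the same core can train to point at a gadget that leaks data. */
typedef int (*op_fn)(int, int);

static int add_op(int a, int b) { return a + b; }   /* hypothetical callee */
static int mul_op(int a, int b) { return a * b; }   /* hypothetical callee */

/* Unmitigated: compiles to "call *%reg" (or "jmp *%reg"). */
static int call_plain(op_fn fn, int a, int b)
{
    return fn(a, b);
}

#if defined(__x86_64__) && defined(__GNUC__)
/*
 * Mitigated: the same call routed through a retpoline thunk, written inline
 * so the sequence is visible. Layout of the thunk (labels are GAS locals):
 *
 *   call 2f          ; "call the thunk": pushes the address of "jmp 4f"
 *   2: call 3f       ; pushes the address of the capture loop (1:)
 *   1: pause; lfence; jmp 1b   ; speculation that follows the RSB lands here
 *   3: mov fn,(%rsp) ; overwrite that return address with the real target
 *      ret           ; architectural path: jump to fn; predicted path: 1:
 *
 * The "ret" is predicted from the return stack buffer, not the BTB, so a
 * trained BTB entry can no longer steer speculation into attacker-chosen
 * code. fn returns to "jmp 4f" exactly as it would after a normal call.
 */
static int call_retpoline(op_fn fn, int a, int b)
{
    int ret;
    __asm__ volatile(
        "sub  $128, %%rsp\n\t"   /* step below the SysV red zone before pushing */
        "call 2f\n\t"
        "jmp  4f\n\t"
        "2:\n\t"
        "call 3f\n\t"
        "1:\n\t"
        "pause\n\t"
        "lfence\n\t"
        "jmp  1b\n\t"
        "3:\n\t"
        "mov  %[fn], (%%rsp)\n\t"
        "ret\n\t"
        "4:\n\t"
        "add  $128, %%rsp\n\t"
        : "=a"(ret), "+D"(a), "+S"(b)   /* args in edi/esi, result in eax */
        : [fn] "r"(fn)
        : "rcx", "rdx", "r8", "r9", "r10", "r11",   /* caller-saved per SysV ABI */
          "xmm0", "xmm1", "xmm2", "xmm3", "xmm4", "xmm5", "xmm6", "xmm7",
          "xmm8", "xmm9", "xmm10", "xmm11", "xmm12", "xmm13", "xmm14", "xmm15",
          "memory", "cc");
    return ret;
}
#else
/* Not an x86-64 GNU build: the thunk above does not apply, use the plain call. */
static int call_retpoline(op_fn fn, int a, int b)
{
    return call_plain(fn, a, b);
}
#endif

int main(void)
{
    printf("plain:     2+3=%d  4*5=%d\n",
           call_plain(add_op, 2, 3), call_plain(mul_op, 4, 5));
    printf("retpoline: 2+3=%d  4*5=%d\n",
           call_retpoline(add_op, 2, 3), call_retpoline(mul_op, 4, 5));
    return 0;
}
```

Both paths return the same values; the difference is only visible in the disassembly (objdump -d): call_plain contains a register-indirect call or jump, call_retpoline contains only direct calls and a ret. One design caveat worth knowing before relying on this technique: a retpoline deliberately makes ret land somewhere other than the matching call, so it is incompatible with hardware shadow stacks (Intel CET), which is one reason newer hypervisors and kernels prefer the hardware IBRS/eIBRS controls when the CPU provides them.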
"Intel is pleased to see the Xen Project 4.11 release with the latest Intel-based platform features," said Arjan Van De Ven, director of core systems and Linux pathfinding engineering at Intel’s Open Source Technology Center, in a statement. "We remain focused on enabling the best of Intel architecture to help ensure customers can take advantage of the newest features."

This isn't all that's been added or changed in the latest Xen, of course, with many enhancements focused on ease-of-use and performance.