Xen 4.15 arrives with live update support, ARM enhancements and more

After eight months of development, the new version of the free Xen hypervisor, 4.15, has been released. The 4.15 branch will receive updates until October 8, 2022 and security fixes until April 8, 2024.

For those unfamiliar with Xen, it is an open source virtual machine monitor originally developed at the University of Cambridge. Its design goal is to run multiple fully functional operating system instances on a single computer.

Xen provides secure isolation between guests, resource control, quality of service guarantees and live virtual machine migration. Operating systems can be explicitly modified to run on Xen while remaining compatible with their user applications.

Main new features in Xen 4.15

In this new version, the Xenstored and Oxenstored daemons gained experimental support for live updates, so that vulnerability fixes can be delivered and applied without restarting the host environment. Support for unified boot images was also added, allowing system images that bundle the Xen components to be built. These images are packaged as a single EFI binary that an EFI boot manager can start directly, without an intermediate boot loader such as GRUB. The image contains Xen components such as the hypervisor, the kernel for the host environment (dom0), the initrd, the Xen KConfig, the XSM configuration and the device tree.
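The packaging step described above, as an added example (not code from the article or from the Xen project): a POSIX shell script that glues the components into one PE/EFI binary with objcopy. The section names are assumed from Xen's EFI documentation for unified images, and the section VMAs are assumed placeholders whose only job is to keep sections from overlapping; check both against the docs/misc/efi.pandoc shipped with your Xen release.

```shell
#!/bin/sh
# Added example, not Xen project code: build a unified Xen EFI image carrying
# the hypervisor, its config, the dom0 kernel, the initrd and the optional
# XSM policy, microcode blob and device tree, so an EFI boot manager can
# start it without GRUB.
# Section names (.config .kernel .ramdisk .xsm .ucode .dtb) are assumed from
# Xen's EFI docs; the VMAs are assumed placeholders that only need to leave
# room for each preceding section. Verify both against your release's docs.
set -eu

# Print objcopy arguments, one per line, for these inputs:
#   $1 xen.cfg   $2 dom0 kernel   $3 initrd
#   [$4 XSM policy]  [$5 microcode]  [$6 device tree blob]
# Pass "" for an optional input to leave that section out of the image.
xen_unified_objcopy_args() {
    _emit() {  # $1 section name, $2 input file (may be empty), $3 section VMA
        [ -n "$2" ] || return 0
        printf '%s\n' "--add-section" "$1=$2" "--change-section-vma" "$1=$3"
    }
    _emit .config  "$1"     0x40000
    _emit .kernel  "$2"     0x50000
    _emit .ramdisk "$3"     0x4000000
    _emit .xsm     "${4:-}" 0x5000000
    _emit .ucode   "${5:-}" 0x6000000
    _emit .dtb     "${6:-}" 0x7000000
}

# Assemble the image: $1 output path, $2 the stock xen.efi, then the inputs
# listed above. Paths must not contain whitespace, because word splitting is
# used to turn the printed argument list back into argv.
build_unified_xen_image() {
    out=$1; xen=$2; shift 2
    args=$(xen_unified_objcopy_args "$@")
    # shellcheck disable=SC2086
    set -- $args "$xen" "$out"
    objcopy "$@"
}

# List the section names an image carries, to confirm before deployment that
# every expected component was packed in.
xen_unified_image_sections() {
    objdump -h "$1" | awk '$2 ~ /^\./ { print $2 }'
}

# Usage (files are placeholders):
#   build_unified_xen_image xen.unified.efi xen.efi xen.cfg vmlinuz initrd.img "" "" ""
#   xen_unified_image_sections xen.unified.efi
```

The argument builder is kept separate from the objcopy call so the packaging decision (which sections, in which order) can be inspected or checked in a script before any binary is touched; the section lister gives a quick post-build check that the image really contains the components the boot manager will expect.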

For the ARM platform, experimental support for running device models on the dom0 side was implemented, allowing arbitrary hardware devices to be emulated for ARM guests. ARM also gained SMMUv3 (System Memory Management Unit) support, which improves the security and reliability of device passthrough on ARM systems.

Also added is the ability to use the Intel Processor Trace (IPT) hardware tracing mechanism, available since the Intel Broadwell CPUs, to export trace data from guest systems to debugging tools running on the host side, such as VMI Kernel Fuzzer or the DRAKVUF Sandbox.

Support was added for Viridian (Hyper-V) environments so that Windows guests can run with more than 64 virtual CPUs. The PV shim layer, used to run unmodified paravirtualized (PV) guests inside PVH and HVM environments (which lets older guests run in more secure environments with stricter isolation), was redesigned: support for running PV guests on hosts that only support HVM mode was improved, and the shim was made smaller by reducing its HVM-specific code.

Other notable changes:

  • Together with the Zephyr project, a set of coding requirements and guidelines based on the MISRA C standard is being developed to reduce the risk of security issues. Static analyzers are used to detect deviations from the rules.
  • The Hyperlaunch initiative was introduced to provide flexible tools for configuring a static set of virtual machines to run at boot time.
  • The VirtIO capabilities on ARM systems were enhanced: an IOREQ server implementation was proposed, which is planned to be used in the future to improve I/O virtualization using the VirtIO protocols.
  • Work continues on the Xen port for RISC-V processors. Code is currently being developed to manage virtual memory on the host and guest side, as well as the RISC-V architecture-specific code.
  • The domB concept (boot domain, dom0less) was proposed, which makes it possible to dispense with the dom0 environment when starting virtual machines at an early stage of server startup.
  • Continuous integration now runs Xen tests on Alpine Linux and Ubuntu 20.04.
  • CentOS 6 tests were discarded.
  • QEMU-based dom0/domU tests were added to the continuous integration environment for ARM.

Finally, if you want to know more, you can check the details at the following link.
