Open Source Xen Project Hypervisor 4.13 Ships
The Xen Project, which develops an open source hypervisor hosted by the Linux Foundation, announced the release of Xen Project Hypervisor 4.13.
The project site says it "is focused on advancing virtualization in a number of different commercial and open source applications, including server virtualization, Infrastructure-as-a-Services (IaaS), desktop virtualization, security applications, embedded and hardware appliances, and automotive/aviation."
Project backers said this release, following the last update that shipped in April, features improved security, hardware support and new options for embedded use cases.
"This release also represents a fundamental shift in the long-term direction of Xen, one which solidifies its resilience against security threats due to side channel attacks and hardware issues," the project stated in a Dec. 18 news release.
On the security side of things alone, key updates in the new release included:
- Core scheduling, a newly introduced experimental technology that allows Xen to group virtual central processing units (CPUs) into virtual cores and schedule these on physical cores. Switching between virtual cores on a physical core is synchronized, and virtual CPUs of different virtual cores never run at the same time on a single physical core. While core scheduling does not yet allow users to re-enable hyperthreading, together with other features currently under development (such as the secret-free hypervisor), its inclusion in Xen 4.13 is critical for providing better security-performance trade-offs in the near future. Users are encouraged to stress-test.
- Ability to install uCode updates at run-time via late uCode loading, avoiding system reboots that are otherwise necessary.
- Live-patching improvements which extend the capability of the Xen Project Hypervisor without the need to reboot, providing added efficiency.
- Branch hardening removes a number of potential gadgets, reducing the Spectre v1 attack surface.
Another point of interest is support for new hardware platforms. "Most notably, Xen 4.13 introduces support for AMD 2nd Generation EPYC with exceptional performance-per-dollar, connectivity options, and security features," the project stated. "In addition, Xen 4.13 also supports Hygon Dhyana 18h processor family, Raspberry Pi4 and Intel AVX512."
Other notable changes, as detailed in a "what's new" post, include:
- Many bug fixes and quality improvements to the Xen on Arm port
- Xen 4.13 is now fully Py3 compatible (3.3+). In Xen 4.13 we changed the minimum Py2 version to 2.6
- Alongside this release, a new set of Windows PV Drivers has been released. These are available for download at the 9.0.0 drivers download pages
"This release contains 1640 commits from 64 developers," the project said. "A significant number of contributions for this release of the Xen Project came from Citrix, Suse, ARM, EPAM, Amazon, Xilinx, Intel, Invisible Things Lab, BitDefender, Hygon and other vendors and a number of universities and individuals."
Going forward, the future direction is said to include:
- More resilience to Hardware Security issues
- Reducing downtime when applying uCode updates, applying security patches and upgrading Xen without any downtime
- Refactoring Xen on Arm to become the best open source virtualization platform for safety-relevant use-cases: this means filling some functional gaps, while changing the codebase to make it possible for vendors to consume Xen Project software in a fashion that is compliant with ISO 26262 ASIL B or IEC 61508 SIL 1 requirements, while delivering security benefits and minimizing the impact for established Xen Project users. During this release cycle, the project created a functional safety working group (FuSa SIG), which is staffed and supported by representatives from the Xen Project community and Safety Assessors. The initial main focus of the FuSa SIG is to establish a credible plan to achieve safety-certification and to help guide its implementation.
More information on the new update is detailed in the release notes, and the update can be downloaded here.
About the Author
David Ramel is an editor and writer at Converge 360.