The open source Xen Project, which is hosted as a Linux Foundation effort, issued its first major release of 2018 on July 10.
The Xen Project Hypervisor 4.11 release comes after months of development and follows the 4.10 update that became available at the end of 2017. Xen 4.10 included initial support for PVH, a guest type that runs a paravirtualized (PV) kernel inside a hardware-virtualized (HVM) container; that support has been further extended in the 4.11 update.
“The latest features in this release around PVH functionality bring better security, performance and management to the Hypervisor,” Lars Kurth, chairperson of the Xen Project Advisory Board, wrote in a statement.
PVH is an effort to combine the best of paravirtualization (PV) with Hardware Virtual Machine (HVM) based virtualization. In PV mode the guest kernel is modified to talk to Xen directly: it uses PV drivers for disk and network I/O and relies on the hypervisor, rather than processor extensions, to virtualize privileged operations such as page-table updates.
HVM goes a different direction: it uses the processor's virtualization extensions to run unmodified guest kernels and relies on a QEMU device model to emulate platform hardware (chipset, disk controllers, network cards) for the guest.
“A lot of the choices Xen Project made when designing a PV interface were made before HVM extensions were available,” the Xen project explains in a wiki, on understanding different forms of virtualization. “Nearly all hardware now has HVM extensions available, and nearly all also include hardware-assisted pagetable virtualization.”
PVH runs a PV-style guest kernel inside an HVM container: there is no QEMU device model, the guest boots and does I/O through PV interfaces, and the processor's virtualization extensions, including hardware-assisted page tables (EPT on Intel, NPT on AMD), handle privilege separation and memory virtualization instead of the hypervisor trapping those operations in software. In Xen 4.11, preview support for PVH Dom0 has been added. Dom0 is the first and most privileged domain the hypervisor starts at boot; it hosts the toolstack and the backend drivers that create and service the other virtual machines.
“Running a PVH Dom0 removes approximately 1 million lines of QEMU code from Xen Project’s computing base, shrinking the attack surface of Xen Project-based systems,” the project stated in a press release.
Going a step further, Xen 4.11 can also run existing PV guests inside a PVH container. A small "PV shim", a stripped-down Xen instance booted inside the guest, provides the PV ABI the unmodified guest kernel expects, so the outer hypervisor no longer has to expose PV interfaces to that guest. According to the Xen Project, enabling PV-only guests to run in PVH mode reduces the attack surface and simplifies management for server and cloud virtualization platforms.
While PVH helps reduce Xen's attack surface, security overall was a key focus for the 4.11 release. The release also carries work to harden Xen against the Meltdown and Spectre vulnerabilities, including XPTI (Xen Page Table Isolation), which unmaps most of the hypervisor from the address space of 64-bit PV guests so that a Meltdown-style attack from inside a guest cannot read hypervisor memory.
Going a step further, Xen 4.11 includes branch predictor hardening, such as retpoline-based indirect branch thunks and use of the IBRS/IBPB microcode features where the CPU provides them, to protect against Spectre variant 2 (branch target injection) attacks.
“By default, Xen will pick the most appropriate mitigations based on compiled in support, loaded microcode, and hardware details, and will virtualize appropriate mitigations for guests to use,” the project stated in a blog post.
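The following shell script is an added example, not code from the article or from the Xen Project. It shows what the two PVH modes above look like from an administrator's side, as xl guest configuration files (a native PVH guest with `type = "pvh"`, and a legacy PV guest run inside a PVH container with `pvshim = 1`, both keys documented in xl.cfg(5)), and it parses the "Speculative mitigation facilities" summary that Xen prints at boot to confirm that XPTI is active for Dom0 and DomU and which branch-target-injection thunk was chosen. The kernel and disk paths are placeholders, and the dmesg text embedded in the script is a constructed sample that approximates the Xen 4.11 format rather than captured output.

```shell
#!/bin/sh
# Added example (not from the article or the Xen Project).
# Assumptions: xl.cfg keys type="pvh" and pvshim=1 as in xl.cfg(5);
# SAMPLE_DMESG below is a constructed approximation of Xen 4.11 boot output.
set -eu

# 1) A native PVH guest: no QEMU device model, PV drivers for disk and
#    network, hardware-assisted paging for memory virtualization.
write_pvh_cfg() {
    cat > "$1" <<'EOF'
type = "pvh"
name = "pvh-guest"
kernel = "/path/to/vmlinuz"          # placeholder path (assumption)
memory = 1024
vcpus = 2
disk = [ "phy:/dev/vg0/guest,xvda,w" ] # placeholder device (assumption)
vif = [ "bridge=xenbr0" ]
EOF
}

# 2) An unmodified PV guest booted inside a PVH container via the PV shim,
#    so the outer hypervisor exposes no PV ABI to this guest.
write_pv_shim_cfg() {
    cat > "$1" <<'EOF'
type = "pv"
pvshim = 1
name = "legacy-pv-guest"
bootloader = "pygrub"
memory = 1024
vcpus = 2
disk = [ "phy:/dev/vg0/legacy,xvda,w" ] # placeholder device (assumption)
vif = [ "bridge=xenbr0" ]
EOF
}

# Constructed sample of the mitigation summary (real output differs in detail).
SAMPLE_DMESG='(XEN) Xen version 4.11.0
(XEN) Speculative mitigation facilities:
(XEN)   Hardware features: IBRS/IBPB STIBP
(XEN)   Compiled-in support: INDIRECT_THUNK
(XEN)   Xen settings: BTI-Thunk RETPOLINE, SPEC_CTRL: IBRS-, Other: IBPB
(XEN)   XPTI (64-bit PV only): Dom0 enabled, DomU enabled
(XEN)   Support for VMs: PV: MSR_SPEC_CTRL RSB, HVM: MSR_SPEC_CTRL RSB'

# Read dmesg text on stdin; print one summary line
#   xpti_dom0=<state> xpti_domu=<state> bti_thunk=<thunk>
# and return 0 only when XPTI is enabled for both Dom0 and DomU.
spec_ctrl_summary() {
    input=$(cat)
    xpti_line=$(printf '%s\n' "$input" | grep 'XPTI' | head -n 1)
    dom0=$(printf '%s\n' "$xpti_line" | sed -n 's/.*Dom0 \([a-z]*\).*/\1/p')
    domu=$(printf '%s\n' "$xpti_line" | sed -n 's/.*DomU \([a-z]*\).*/\1/p')
    thunk=$(printf '%s\n' "$input" | sed -n 's/.*BTI-Thunk \([A-Z_]*\).*/\1/p' | head -n 1)
    printf 'xpti_dom0=%s xpti_domu=%s bti_thunk=%s\n' \
        "${dom0:-unknown}" "${domu:-unknown}" "${thunk:-unknown}"
    if [ "$dom0" = "enabled" ] && [ "$domu" = "enabled" ]; then
        return 0
    fi
    return 1
}

# On a Dom0 with the xl toolstack, check the live hypervisor; otherwise
# run the parser over the constructed sample so the script works offline.
if command -v xl >/dev/null 2>&1; then
    xl dmesg | spec_ctrl_summary
else
    printf '%s\n' "$SAMPLE_DMESG" | spec_ctrl_summary
fi
```

On a real host the check is simply `xl dmesg | spec_ctrl_summary`; a non-zero exit means at least one of Dom0 or DomU is running 64-bit PV guests without page-table isolation, which is the case the Meltdown hardening is meant to close. The XPTI line only appears for 64-bit PV guests because HVM and PVH guests already run under hardware-managed address spaces.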
Sean Michael Kerner is a senior editor at ServerWatch and InternetNews.com. Follow him on Twitter @TechJournalist.