Xen is open-source royalty. This hypervisor, which runs and manages virtual machines (VMs), powers some of the largest clouds. You know their names: Amazon Web Services (AWS), Tencent, Alibaba Cloud, Oracle Cloud, and IBM SoftLayer. It’s also the foundation for VM products from Citrix, Huawei, Inspur, and Oracle. But, with the release of its latest edition, Xen Project Hypervisor 4.11, there are major changes under the hood.
Don’t let the “4.11” fool you. This is a major update.
The 15-year-old Xen has been completely re-architected. All of its core technologies, such as x86 support, device emulation, and boot sequence, have been rewritten. The new Xen uses less code and has a smaller trusted computing base (TCB). It’s also made less complex and easier to maintain. This latest update boasts both better performance and scalability. It also supports ARM architectures better than ever before.
Xen’s security has also been given several major improvements. Lars Kurth, chairperson of the Xen Project Advisory Board, said in a statement, “The Xen Project community worked swiftly to address the security needs of Spectre and Meltdown, and continued to match its goals in adding significant features to this release.”
Xen has done far more than just patch old security holes. The programmers have combined the best features of Xen paravirtualization (PV) and hardware-assisted virtualization (HVM)into PVH. This simplifies the interface between operating systems with Xen Project Support and the Xen Project Hypervisor. It also reduces Xen’s attack surface.
The new release also includes experimental PVH Dom0 support. When you run Xen in this mode, you lose approximately 1 million lines of QEMU VM code. This further shrinks Xen’s attack surface. You can use this with PVH Dom0 capable Linux distributions or FreeBSD. Patches to enable this are are currently being upstreamed. They’ll be available in the next major Linux and FreeBSD releases.
Xen 4.11 also supports unmodified legacy PV-only guests in PVH mode. This way you can run old PV-only distros in VMs and clouds while only supporting PVH guests. This makes managing them easier while again reducing the attack surface.
What does all this mean? Citrix Senior Director of Technology James Bulpin said in a statement, “The Xen Project Hypervisor 4.11 builds on its maturity and flexibility as a dependable, secure, type-1 hypervisor. Xen Project 4.11’s support for PVH dom0, added to its existing PVH domU capability, allows it to take advantage of the performance and scalability benefits of paravirtualization, while reducing complexity and code size, making it easier to maintain, enhance, and secure.”
This combined with “several other performance, security, and maintainability enhancements” shows Xen community’s “dedication to making Xen the best hypervisor for a wide range of use-cases from huge private clouds to embedded systems.”
With Xen at the heart of so many public clouds, these improvements should make many users happy even if they have no idea that their work depends on it.