Xen hypervisor 4.15 released

After eight months of development, Xen 4.15, the free hypervisor, has been released. Companies including Amazon, Arm, Bitdefender, Citrix and EPAM Systems contributed to the new release. Regular updates for the Xen 4.15 branch will be published until October 8, 2022, and security fixes until April 8, 2024.

Key changes in Xen 4.15:

  • Experimental support for live update of the xenstored and oxenstored daemons, which allows fixes, including security fixes, to be delivered and applied to these processes without restarting the host.
  • Added support for unified boot images: system images that bundle the Xen components into a single EFI binary, which the EFI boot manager can load directly without an intermediate bootloader such as GRUB. The image carries the hypervisor, the kernel for the host environment (dom0), the initrd, the Xen configuration (command line), the XSM policy and the device tree.
  • On the ARM platform, experimental support for running device models in the dom0 host system has been implemented, which allows arbitrary hardware devices to be emulated for ARM guests. ARM also gains SMMUv3 (System Memory Management Unit) support, which improves the security and reliability of device passthrough on ARM systems.
  • Added the ability to use Intel Processor Trace (IPT), the hardware tracing mechanism available since Intel Broadwell CPUs, to export execution traces from guest systems to debugging tools running on the host side, for example VMI Kernel Fuzzer or DRAKVUF Sandbox.
  • Added support for Windows guests with more than 64 vCPUs in Viridian (Hyper-V compatible) environments.
  • Updated the PV shim layer, which runs unmodified paravirtualized (PV) guests inside PVH or HVM containers so that older guests benefit from the stronger isolation of those modes. The new version improves support for running PV guests on hosts that only support HVM mode, and the shim has been made smaller by removing HVM-specific code it does not need.
  • Expanded VirtIO support on ARM: an IOREQ server implementation for ARM has been proposed and is intended as the basis for future I/O virtualization using the VirtIO protocols; a reference VirtIO block device implementation for ARM was added, so that VirtIO block devices can be exposed to ARM-based guests; and work has begun on enabling PCIe virtualization support for ARM.
  • Work continues on porting Xen to RISC-V processors; code for managing virtual memory on the host and guest sides, together with other RISC-V-specific code, is currently being developed.
  • Together with the Zephyr project, a set of coding requirements and guidelines based on the MISRA C standard is being developed to reduce the risk of security problems; static analyzers are used to find code that deviates from these rules.
  • The Hyperlaunch initiative was introduced to provide flexible tooling for configuring a static set of virtual machines that are launched at system boot. It proposes the concept of a boot domain, domB, which builds on the dom0less approach and makes it possible to start virtual machines early in the server boot process without first deploying a dom0 environment.
  • The continuous integration system now tests Xen on Alpine Linux and Ubuntu 20.04; testing on CentOS 6 was dropped. QEMU-based dom0/domU tests were added to the ARM continuous integration environment.
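The unified boot image described in the list above is assembled by appending the dom0 components to xen.efi as PE sections. The script below is an added example, not code from the Xen project or from the original article. It assumes the section names .config, .kernel, .ramdisk and .xsm that Xen's EFI loader reads, assumes that .ucode (x86 microcode) and .dtb (ARM device tree) follow the same scheme, and assumes GNU objcopy and objdump are on the PATH; the paths in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example (not Xen project code and not from the article): build a
# unified Xen EFI image by embedding the dom0 components as PE sections of
# xen.efi, then list the sections of the result. Section names .config,
# .kernel, .ramdisk and .xsm are the ones Xen's EFI loader reads; .ucode
# (x86 microcode) and .dtb (ARM device tree) are assumed to match.
set -eu

# Map a component keyword to its PE section. An unknown keyword is an
# error, so a typo fails the build instead of silently producing an image
# that boots without, for example, its XSM policy.
section_for() {
    case "$1" in
        config)  echo .config ;;
        kernel)  echo .kernel ;;
        ramdisk) echo .ramdisk ;;
        xsm)     echo .xsm ;;
        ucode)   echo .ucode ;;    # x86 only (assumption)
        dtb)     echo .dtb ;;      # ARM only (assumption)
        *)       return 1 ;;
    esac
}

# build_unified_image XEN_EFI OUTPUT keyword=path ...
# Every listed file must be readable and a dom0 kernel must be present.
# The tool can be overridden with OBJCOPY (useful for a dry run).
build_unified_image() {
    xen_efi=$1; out=$2; shift 2
    [ -r "$xen_efi" ] || { echo "cannot read $xen_efi" >&2; return 1; }
    have_kernel=0
    n=$#
    # Rotate through the keyword=path pairs, replacing each with the
    # objcopy options it produces; the positional parameters stand in for
    # an array so paths containing spaces survive intact.
    while [ "$n" -gt 0 ]; do
        pair=$1; shift
        kw=${pair%%=*}; path=${pair#*=}
        sec=$(section_for "$kw") || { echo "unknown component '$kw'" >&2; return 1; }
        [ -r "$path" ] || { echo "cannot read $kw file '$path'" >&2; return 1; }
        if [ "$kw" = kernel ]; then have_kernel=1; fi
        set -- "$@" --add-section "$sec=$path"
        n=$((n - 1))
    done
    [ "$have_kernel" -eq 1 ] || { echo "a dom0 kernel (kernel=...) is required" >&2; return 1; }
    "${OBJCOPY:-objcopy}" "$@" "$xen_efi" "$out"
}

# Print the section names of a PE image so the result can be checked
# before it is copied to the EFI system partition.
list_sections() {
    objdump -h "$1" | awk '$1 ~ /^[0-9]+$/ { print $2 }'
}

# Typical invocation on an x86 host (paths are illustrative):
#   ./mkxenimage.sh /boot/xen.efi /boot/efi/EFI/xen/xen.unified.efi \
#       config=/boot/xen.cfg kernel=/boot/vmlinuz ramdisk=/boot/initrd.img
if [ "$#" -ge 2 ]; then
    build_unified_image "$@"
    list_sections "$2"
fi
```

Before installing the image, confirm with `objdump -h` (or `list_sections`) that every component you passed shows up as a section. Because the dom0 kernel, initrd and Xen command line now live inside the one EFI binary rather than as separate files on the EFI system partition, an integrity check applied to that binary covers them as well, and changing any of them means rebuilding the image.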

Source: opennet.ru
