Release of Xen 4.16 and Intel Cloud Hypervisor 20.0 hypervisors

After eight months of development, version 4.16 of the free Xen hypervisor has been released. Companies such as Amazon, Arm, Bitdefender, Citrix and EPAM Systems contributed to the new release. Regular updates for the Xen 4.16 branch will be issued until June 2, 2023, and security fixes until December 2, 2024.

Key changes in Xen 4.16:

  • The TPM Manager, which provides guests with virtual TPM chips (vTPM) for cryptographic key storage backed by a single shared physical TPM (Trusted Platform Module), has been reworked to add support for the TPM 2.0 specification.
  • Greater reliance on the PV Shim layer, which is used to run unmodified paravirtualized (PV) guests inside PVH and HVM environments. Going forward, 32-bit paravirtualized guests can only be run in PV Shim mode, which reduces the amount of hypervisor code exposed to such guests and therefore the number of places where vulnerabilities could potentially occur.
  • Added the ability to boot on Intel systems that lack a programmable timer (PIT, Programmable Interval Timer).
  • Obsolete components have been cleaned up: the "qemu-xen-traditional" code and PV-Grub are no longer built by default (these Xen-specific forks became unnecessary once Xen support was merged upstream into QEMU and GRUB).
  • For ARM guest systems, initial support for virtualized Performance Monitor Counters has been implemented.
  • Improved support for dom0less mode, which allows virtual machines to be started early in the server boot process without first deploying a dom0 environment. These changes made it possible to support 64-bit ARM systems with EFI firmware.
  • Improved support for heterogeneous 64-bit ARM systems based on big.LITTLE, which combine powerful but power-hungry cores with slower but more power-efficient cores on a single chip.

At the same time, Intel released Cloud Hypervisor 20.0, a hypervisor built from components of the Rust-VMM joint project, in which Alibaba, Amazon, Google and Red Hat participate alongside Intel. Rust-VMM is written in Rust and makes it possible to build task-specific hypervisors. Cloud Hypervisor is one such hypervisor: a high-level virtual machine monitor (VMM) that runs on top of KVM and is optimized for cloud-native workloads. The project code is available under the Apache 2.0 license.

Cloud Hypervisor is focused on running modern Linux distributions using virtio-based paravirtualized devices. Its stated goals include high responsiveness, low memory consumption, high performance, simpler configuration and a reduced attack surface. Device emulation is kept to a minimum, with the emphasis on paravirtualization. Currently only x86_64 systems are supported, but AArch64 support is on the way. Among guest systems, only 64-bit Linux builds are currently supported. CPU, memory, PCI and NVDIMM settings are configured at build time. Virtual machines can be migrated between servers.

In the new version:

  • The x86_64 and aarch64 architectures now allow up to 16 PCI segments, increasing the total number of permitted PCI devices from 31 to 496.
  • Implemented support for binding virtual CPUs to physical CPU cores (CPU pinning). For each vCPU, it is now possible to define a restricted set of host CPUs on which it is allowed to execute, which is useful when mapping host and guest resources directly (1:1), or when running a virtual machine on a specific NUMA node.
  • Improved I/O virtualization support. Each VFIO region can now be memory-mapped, which reduces the number of VM exits and improves the performance of device passthrough to the virtual machine.
  • In the Rust code, unsafe blocks have been replaced with safe alternative implementations wherever possible. For the remaining unsafe blocks, detailed comments have been added explaining why the code that remains unsafe can be considered sound.

Source: opennet.ru