
The Linux Foundation, which hosts the open source Xen Project hypervisor, has announced the release of Xen Project Hypervisor 4.18. The release includes improved security and performance capabilities along with design improvements for HPC and ML applications. As usual, it was made possible by the devoted and vibrant Xen Project community, which includes developers from many companies and geographical locations.
According to Kelly Choi, Community Manager for the Xen Project, "This version prepares architectures for HPC and AI/ML applications, which require very large quantities of data processing, but also provides new enterprise security and high-performance features. We would like to express our gratitude to the pioneers and leaders in the industry who helped with the release."
Notable features of the Xen Project Hypervisor 4.18 release include the following:
Arm
- The Scalable Vector Extension (SVE) is now merged in upstream Xen as a tech preview
- The Arm Firmware Framework for Arm A-profile (FF-A) framework support is now merged in upstream Xen as a tech preview
- The memory subsystem in Xen on Arm64 is now more compliant with the Arm architecture
x86
- On all Intel systems, MSR_ARCH_CAPS is now visible in guests, and controllable from the VM’s config file. For CPUs from 2019 onwards, this allows guest kernels to see details about hardware fixes for speculative mitigations.
- Support for features new in 4th Gen AMD EPYC Processors: CPUID_USER_DIS (CPUID Faulting) used by Xen to control PV guest's view of CPUID data.
- Support for features new in Intel Sapphire Rapids CPUs: PKS (Protection Key Supervisor) available to HVM/PVH guests; VM-Notify used by Xen to mitigate certain micro-architectural pipeline livelocks, instead of crashing the entire server; Bus-lock detection, used by Xen to mitigate (by rate-limiting) the systemwide impact of a guest misusing atomic instructions.
- Support for features new in Intel Granite Rapids CPUs: AVX512-FP16.
- Add Intel Hardware P-States (HWP) cpufreq driver.
- Support for enforcing system-wide operation in Data Operand Independent Timing Mode.
RISC-V and PowerPC
- Upstream Xen GitLab CI has been set up with a full Xen build and a message printed from Xen's early printk.
Security
- 20 XSAs (Xen Security Advisories) have been published, enhancing the security of the project and keeping it safe from common vulnerabilities
MISRA-C
- The project has officially adopted more MISRA-C rules, going from 4 directives and 24 rules in 4.17 to 6 directives and 65 MISRA-C rules
“Our ongoing collaboration with the Xen Project is an important aspect of Arm’s commitment to the open source software community, including the addition of the Xen Hypervisor in the SOAFEE open source reference implementation,” said Andrew Wafaa, Fellow and Senior Director of Software Communities at Arm. “Xen 4.18 delivers significant enhancements for our extensive developer ecosystem, including the introduction of Arm Firmware Framework for Arm A-profile (FF-A) support, which will enhance security by adding capacity to communicate with more Trusted Execution Environments (TEE) from any Xen guests, and the adoption of more than 60 MISRA rules, illustrating the project’s commitment to enabling safety-critical automotive applications in future automotive and industrial use cases.”
Integrating New x86 Features
Other improvements in the Xen Project Hypervisor 4.18 release include the following:
- xl/libxl can customize SMBIOS strings for HVM guests
- On Arm, experimental support for dynamic addition/removal of Xen device tree nodes using a device tree overlay binary (.dtbo)
- Introduced two new hypercalls to map the vCPU runstate and time areas by physical rather than linear/virtual addresses.
Open Community Initiative Updates
- On Arm, the upstream MPU (memory protection unit) support and PCI-passthrough work is ongoing, including some refactoring and improvements of the existing code. Support for both will be included in the next few releases.
- On RISC-V, some refactoring and improvements of the existing code have been done. BUG/WARN macros, a temporary printk, and a decode_cause() function to print the reason for a trap have been introduced. In the next few releases, identity mapping, a full Xen build, and trap handling will be introduced.
- On PowerPC, initial support for the ppc64le architecture was added to Xen, specifically targeting Power ISA 3.0B and later. As of 4.18, an early-stage Xen image can be built that boots on bare metal PowerNV systems. Current ongoing work focuses on handling printing to the OPAL serial console, as well as some basic Radix MMU page table initialization.
“AMD looks forward to embracing the further improvements in this latest version of the Xen hypervisor,” said Kris Chaplin, Senior Manager Technical Marketing at AMD. “Further MISRA-C rules and developments in dom0less configurations, along with progress on real-time systems, help pave the way to a future in safety certified environments and enhance the benefits of Xen for our communities, partners, and customers.”
“XenServer is a cost-effective enterprise-grade hypervisor used for both desktop and server virtualization workloads. XenServer inherits its security and performance from the Xen Project hypervisor,” said Jacus de Beer, General Manager XenServer BU at Cloud Software Group. “XenServer is looking forward to integrating some of the new x86 features introduced in 4.18 in its upcoming product releases.”