The Xen Project: A decade of innovation and looking forward to 2020 and beyond

By January 7, 2020 Commentary

As we enter a new decade, it is worthwhile to look back at the last year and decade to glance into the crystal ball for what 2020 and beyond may have in store for the Xen Project.

A good starting point is the retrospective we put together for the project’s 15th birthday, which gives an overview of the project’s wide use in many different market segments, going far beyond the server virtualization and cloud computing that the Xen Project hypervisor was originally created for. Personally, I have accompanied the project for most of that decade (9 years), seeing it evolve in many directions: some successful, such as the creation of Virtual Machine Introspection, some less so, such as trying to bring virtualization to mobile devices. However, almost all of the work that was performed laid the groundwork for new ideas and innovation.


In the second half of the last decade, significant work has gone into re-working key architectural elements of the Xen Project Hypervisor over multiple years: most notably the Credit 2 scheduler, PVH support, PVH Dom0, PVH Shim (support for running unmodified legacy PV-only guests in PVH mode) and QEMU deprivilege. We saw transformational features such as live-patching being developed and deployed in cloud and hosting environments, enabling our users to deploy security fixes while minimizing downtime. And transformational security functionality such as Virtual Machine Introspection has been brought to market by Xen Project members such as BitDefender and Citrix.

At the beginning of 2018, the emergence of CPU-related side channel vulnerabilities transformed our industry, forcing the project and its downstreams to re-think fundamental architectural assumptions. Concepts such as the secret-free Hypervisor (currently under development), the implementation of Core Scheduling as an experimental technology and XPTI were developed as mitigations against these vulnerabilities.

In parallel, our community embarked on the journey to make the Xen Project hypervisor useful in embedded and automotive contexts. Initially the focus was on building real-time capability into the hypervisor through the addition of new schedulers (ARINC, RTDS, Null and other real-time support), PV drivers and GPU mediation for rich I/O, and other enablers that are necessary to make Xen a useful platform for embedded market segments.

2019: A Pivotal Year

Xen 4.12 and 4.13, released in 2019, accelerated this trend by adding new features that ease adoption for embedded and safety-critical use-cases, specifically ISO 26262 and ASIL-B. Examples are a minimal Xen on Arm configuration (< 50 KSLOC of code for a specific HW environment PV drivers), Dom0less Xen and support for the VMSA-compatible IOMMU of Renesas Electronics Arm-based 3rd generation R-Car SoCs.

In parallel, the project has been creating a Functional Safety expert group which is staffed and supported by representatives from the Xen Project community and Safety Assessors. The initial main focus of the expert group is to establish a credible plan to achieve safety-certification and to help guide its implementation. The Xen Project is not the only project attempting to make progress in this area: the ELISA Project, Zephyr and others are going down a similar route with many shared challenges and a ramp-up of efforts to collaborate on these jointly.

Within Automotive Grade Linux, efforts are nearly complete to integrate Xen into AGL to be used for non-ASIL automotive functions. Once complete, it will be possible to decide at build time to run AGL in a Xen Dom0, with the possibility of running additional operating systems alongside AGL.

From a community perspective, 2019 has been a challenging year. One third of our leadership team members have changed organisations (while retaining their role within the community) and a large number of new developers started to contribute to our projects. This initially created some uncertainty and some disruption, but is also creating new opportunities that should enable us to build a better and smoother-running community. For example, we developed tooling and documentation to make patch contribution easier, we are developing new CI infrastructure that relies more on automation & bots, and we are at the cusp of publishing a code of conduct with a special focus on creating a friendlier and more efficient community.

Most of the development work in the last two years required an unprecedented level of collaboration, primarily due to the complexity of the technical as well as the new organisational challenges we have faced and will continue to face in future. Examples of these are responses to side channel attacks (much of which could not be discussed and developed in the open source way), bringing expertise related to safety certification into the community, and understanding and adapting to the constraints that working within functional safety implies.

Other sub-projects and initiatives

Besides the Hypervisor subproject, significant progress has been made in the Windows PV Driver project, which has graduated from incubation to be a mature project, and within the Unikraft project, which was launched almost exactly two years ago. Watch this space for a more detailed Unikraft update. In addition, members of the OpenXT community have been scoping out requirements and architecture for their future security architecture, working closely with the Xen Project leadership team. Some pieces of this architecture, such as Argo, have already been contributed. Expect to hear more about this in 2020.

My crystal ball: predictions for the near future

As already alluded to, the last two years showed a shift of the project in new directions. I expect that the new focus areas will be:

  • More resilience to hardware security issues with technologies such as the Secret Free Hypervisor and related projects
  • Reducing downtime when applying microcode (uCode) updates, applying security patches and upgrading Xen. Some of these will be significant improvements to existing functionality; others, such as the proposed Live-update capability, will provide major new capability.
  • We are likely to see a host of new ideas and capabilities emerging from the collaboration of security researchers in the OpenXT eco-system and the Xen Project
  • We are likely to see new subprojects in 2020
  • Changes to our infrastructure and working practices to build a better and more effective community
  • I expect progress on moving the Xen Project in a direction that makes downstreams of Xen easily safety certifiable and that makes it the best open source virtualization platform for safety-relevant use-cases. This will require refactoring Xen on Arm and filling some functional gaps, while changing the codebase to make it possible for vendors to consume Xen Project software in a fashion that is compliant with ISO 26262 ASIL B or IEC 61508 SIL 1 requirements. This all needs to be done while delivering security benefits and minimizing the impact on established Xen Project users.

From my personal perspective, until 2019 it was not really clear whether it would be possible for open source projects such as ours to enable the building of ISO 26262 ASIL B or IEC 61508 SIL 1 compliant products. However, it is now clear that, at least in theory, this should be doable. Although this is a challenging goal, many of the pieces which are necessary to enable this have come, or are starting to come, together.

Before I sign off, I wanted to thank everyone who has contributed to the project’s success for their contribution and for creating such an innovative and exciting community. Looking forward to working with you in 2020!