Latest Xen Project release delivers security enhancements for embedded and automotive use cases with support for the latest hardware features
SAN FRANCISCO, June 23, 2016 – The Xen Project, a project hosted at The Linux Foundation, today announced the release of Xen Project 4.7. The release minimizes downtime and improves the user experience with non-disruptive security patching, and includes security enhancements for embedded, automotive, IoT and new security use cases. The new release also adds support for the latest hardware features from Intel and ARM.
Xen Project Hypervisor 4.7 comes equipped with Live Patching, a technology that enables reboot-free deployment of security patches to minimize disruption and downtime during security upgrades for system administrators and DevOps practitioners. Xen Project 4.7 implements version 1 of the Hypervisor Live Patching specification, which is designed to encode the vast majority of security patches (approximately 90%) as Live Patching payloads. This version ships with a Live Patching enabled hypervisor and payload deployment tools and is available as a technology preview.
For security, embedded, automotive and IoT use cases, Xen Project introduced the ability to remove core Xen Hypervisor features at compile time via KCONFIG. This creates a more lightweight hypervisor and eliminates unneeded attack surface, which is beneficial in security-first environments, microservice architectures and environments with heavy compliance and certification needs, such as automotive.
“The Xen Project hypervisor is innovating in all areas and continues to evolve to meet the new needs of cloud computing and compute infrastructures,” said Lars Kurth, chairperson of the Xen Project advisory board. “Xen Project 4.7 is a testament to the incredible collaboration that is happening within the community, and a continuation of our shorter release cycle.”
The Xen Project powers more than 10 million users across enterprise and cloud computing in addition to embedded and mobile devices. First to market with Intel and ARM features, many of the world’s largest companies and service providers use and invest in Xen Project software. Xen Project software is used in many commercial products, including Bitdefender Hypervisor Introspection, which was developed in close collaboration with Citrix. This technology leverages Xen Project’s Virtual Machine Introspection feature to reveal malicious activity, however stealthy, which can remain invisible to traditional endpoint security.
Major contributions for this release come from AMD, ARM, Bitdefender, Bosch, Broadcom, Citrix, Fujitsu, GlobalLogic, Huawei, Intel, Linaro, Netflix, Novetta, NSA, Oracle, Red Hat, Star Lab, SUSE, Xilinx, and a number of universities and individuals. Xen Project’s functionality continues to evolve to serve new compute infrastructures such as mobile, hyper-scale computing, massive workloads, security-intensive applications, embedded computing, cloud computing, hosting providers, and hardware appliances.
The following new features and capabilities are available in Xen Project Hypervisor 4.7:
- Usability Improvements: In Xen 4.7, a new XL command line interface has been introduced to manage PVUSB devices for PV guests. The new XL commands also enable hot-plugging of USB devices as well as QEMU disk backends, such as drbd, iscsi, and more, in HVM guests. This new feature allows users to add and remove disk backends to virtual machines without the need to reboot the guest. In addition, the soft reset for HVM guests allows for a more graceful shutdown and restart of the HVM guest.
- Support for a wider range of workloads and applications: The PV guest limit of 512GB has been removed to allow the creation of huge PV domains in the TB range. TB-sized VMs, coupled with Xen Project’s existing support for 512 vCPUs per VM, enable execution of memory and compute intensive workloads, like big data analytics workloads and in-memory databases.
- Improved Live Migration support: CPUID Levelling enables migration of VMs between a larger range of non-identical hosts than previously supported.
- Enhanced Development with ARM: Xen Project now supports booting on hosts that expose ACPI 6.0 (and later) information. The ARM Server Base Boot Requirements (SBBR) stipulate that compliant systems need to express hardware resources with ACPI; thus this support will come in useful for ARM Servers. This effort was carried out by Shannon Zhao of Linaro with minor patches from Julien Grall of ARM.
- New feature support for the Intel® Xeon® processor product family: Xen Project 4.7 supports VT-d Posted Interrupts, which provide hardware-level acceleration to increase interrupt virtualization efficiency. This reduces latency and improves user experience through performance improvements, especially for interrupt-intensive front-end workloads such as web servers.
Additionally, PSCI 1.0 compatibility allows Xen Project software to operate on ARM systems that expose PSCI 1.0 methods. Now, all 1.x versions of PSCI will be compatible with Xen Project software. More information on the Power State Coordination Interface is available from ARM. This effort was also carried out by Julien Grall with a patch from Dirk Behme of Bosch.
Xen Project 4.7 is the first to include Code and Data Prioritization (CDP), part of the Intel® Resource Director Technology (RDT) Framework and an extension of Cache Allocation Technology (CAT), first introduced in Xen Project 4.6. The introduction of CDP allows isolation of code/data within the shared L3 cache of multi-tenant environments, reducing contention and improving performance.
Additional features specific to the Intel Xeon processor family in Xen Project 4.7 include VMX TSC Scaling, which allows for easier migration between machines with different CPU frequencies, and support for Memory Protection Keys, a new security feature for hardening the software stack.
Comments from Xen Project Users and Contributors
“Oracle is committed to designing and delivering best-in-class cloud services to help businesses transition from traditional systems to the cloud,” said Ajay Srivastava, senior vice president, Linux and Virtualization, Oracle. “The new live patching capabilities in Xen Project Hypervisor 4.7 can help reduce downtime for private, public and hybrid cloud environments, which is of vital importance to our customers.”
“Intel is focused on enabling widespread cloud adoption and works across the industry to deliver the best architecture for the current and future needs of compute, storage, and networking,” said Susie Li, Director of Virtualization, Intel Open Source Technology Center and Xen Project Advisory Board Member. “The work the Xen Project community has achieved underpins many of the world’s largest and most successful data centers in the world, setting the standard for performance, security, and capabilities. Xen Project 4.7 is developed with the latest Intel platform features to make it easier to deploy and scale clouds, so businesses can deliver services to their customers faster and more securely.”
“Organizations continually have to readjust their security strategy to mitigate deep threats to IT systems. Bitdefender Hypervisor Introspection (HVI), which is tightly integrated with XenServer Direct Inspect API from Citrix, runs memory introspection at the hypervisor-level,” said Harish Agastya, Vice President of Enterprise Solutions at Bitdefender. “The Xen Project hypervisor provides critical virtualization and security building blocks, which enable us to partner with Citrix to create a new security layer that detects suspicious activities by working directly with raw memory – a level of insight from which malware cannot hide.”
About Xen Project
Xen Project software is an open source virtualization platform licensed under the GPLv2 with a similar governance structure to the Linux kernel. Designed from the start for cloud computing, the Project has more than a decade of development and is being used by more than 10 million users. A Project at The Linux Foundation, the Xen Project community is focused on advancing virtualization in a number of different commercial and open source applications including server virtualization, Infrastructure as a Service (IaaS), desktop virtualization, security applications, embedded and hardware appliances. It counts many industry and open source community leaders among its members including: Alibaba, Amazon Web Services, AMD, ARM, Bromium, Cavium, Citrix, Huawei, Intel, NetApp, Oracle, Rackspace, and Verizon Terremark. For more information about the Xen Project software and to participate, please visit XenProject.org.