Improved Security, Decreased SWaP, Greater Potential For Embedded and Automotive Applications In Xen Project Hypervisor Update
Developers working in automotive, aerospace, medical, industrial, and other fields rely on time-critical systems to ensure that when the system starts, their products do too. Lagging or non-functioning software can lead to failure.
The ability to partition hardware resources in a virtual environment has made the open source Xen Project hypervisor a cost-effective solution for these types of products. Case in point, DornerWorks Virtuosity, a Xen Project distribution targeting the Xilinx Zynq UltraScale+ processor family, is currently providing virtualization and software security in products developed to meet ARINC 653 and FACETM standards for avionics systems, and AS9100:D and ISO 9001:2015 for automotive.
Xen Project released an updated Xen Hypervisor 4.12 on April 2, 2019, and with it, improvements that will make embedded technologies more efficient and capable than ever. This latest release adds impressive feature improvements around security and code size, x86 architectural renewal, and more.
“As a long time proponent of embedded virtualization for commercial and safety-critical applications, DornerWorks is excited by the continued focus of the Xen community on not only large server clusters but also on the smaller embedded systems that we rely on every day,” said Steven H. VanderLeest, Ph.D, Chief Operating Officer at DornerWorks. “We are especially pleased with the release of Dom0less boot and configuration options to reduce ARM code size, which will help reduce the certification and maintenance burden while improving Xen’s boot time and performance.”
The leaner architecture in Xen 4.12 reduces the lines of code, reducing the potential for security vulnerabilities, making Xen an attractive option for use in mixed-criticality systems. Additionally, it reduces exposure to unknown security threats by improving de-privileged QEMU through defense-in-depth techniques, and improving virtual machine introspection.
Xen 4.12 will be more configurable, significantly reducing integration costs for business and organizations that customize Xen heavily. Additionally, Xen 4.12 continues to build upon previous versions regarding cleaner architecture, improved user experience, and future proofing.
“Xen Project Hypervisor 4.12 is a clear example of the project delivering on its promise for revamped architecture, a major step forward to unlock market segments such as security products as well as embedded and automotive,” said Lars Kurth, chairperson of the Xen Project Advisory Board. “As we continue to serve the hosting and cloud markets, we will also focus on streamlining the certification process for Xen while helping the security embedded automotive vendors that are invested in Xen continue to build attractive products on top of the hypervisor.”
Security improvements and decreased code size
The Xen 4.12 release builds on the features last implemented in July 2018, targeting greater safety and stability for security-focused environments.
- HVM/PVH and PV only Hypervisor: The new Xen Project 4.12 release enables Xen based security products to build components with vastly reduced memory footprints and smaller attack surface more easily. It also enables cloud and hosting providers which improve security.
- QEMU Deprivilege (DM_RESTRICT): QEMU restrictions and features providing greater VM security have been implemented. Support for VM migration has also been added, along with defense-in-depth techniques used to protect against privilege escalations from QEMU to Xen and VM’s.
- Argo – Hypervisor-Mediated data eXchange: Argo is a new inter-domain communication mechanism that is designed for security, safety and mixed-criticality systems with isolation properties that go beyond those of existing inter-domain communication mechanisms. It provides Xen hypervisor primitives to transmit data between VMs, by performing data copies into receive memory rings registered by domains without requiring memory sharing between VMs, grant tables, or Xenstore.
- Xen Virtual Machine Introspection (VMI): The VMI component provides zero-day vulnerability detection capability, allowing for live introspection of virtual machine memory from outside a VM. Altp2m and Intel #VE/VMFUNC support within the subsystem have also been tuned and hardened. These two technologies reduce the performance overhead of Virtual Machine Introspection by 5 percent to 20 percent, depending on workload, and make it possible for the VMI to detect common attack techniques like buffer overflows and code injection without knowing the signature.
x86 architectural renewal
The new Xen 4.12 features renew how x86 architecture support is implemented in Xen.
- Credit 2 Scheduler: Now the Xen Project default scheduler, the Credit2 scheduler is designed specifically for performance of latency-sensitive workloads, as well as scalability and predictability.
- PVH Support: Grub2 boot support has been added to Xen and Grub2, enabling users to boot any PVH guest kernel via the grub menu, with greater stability.
- PVH Dom0: PVH Dom0 support, exclusive to Intel Hardware, resolves various bugs and provides the new dom0-iommu=map-reserved option which can be used to work around broken firmware when using a PVH Dom0. Support for migrating domUs from a PVH dom0 has also been included.
Embedded and automotive applications
The Xen Project is working to make Xen more easily safety certifiable targeting embedded and automotive use-cases. These new upgrades will increase the viability of Xen for use in mixed-criticality systems.
- Dom0less VMs for statically partitioned systems: The new Xen 4.12 upgrade makes it possible to create and boot Arm VMs from Device Tree immediately after starting Xen. In traditional Xen environments, VMs can only be started after Dom0 kernel, user space and the toolstack are up and running. The upgrade decreases boot time by more than 90 percent.
- Dom0less VMs extend the usage of Xen to statically partitioned mixed-criticality systems. Xen is planning on extending the concept of Dom0less in subsequent releases to allow building Xen Systems entirely without a Dom0. This, in turn, will reduce the cost of safety certification significantly.
- Tiny Arm Configurations: The Xen 4.12 upgrade allows users to build a tiny Arm configuration with less than 50 KSLOC, which in turn reduces the cost of safety certification for Xen based systems. This new functionality allows building Xen variants for specific hardware such as Xilinx Zynq Ultrascale+ MPSoC with a minimal set of drivers and features that are needed for mixed-criticality systems.
“Xilinx is excited to see the new features introduced by the Xen development team for the 4.12 release, especially the new Dom0-less fast boot combined with the code size reductions targeting Xilinx Zynq UltraScale+ MPSoC,” said Simon George, Director of System Software and SoC Solution Marketing at Xilinx. “These features, along with the earlier null scheduler, allow Xen to better serve diverse, embedded use cases. We look forward to Xen’s roadmap for continued work on new features for these markets.”
Other Xen 4.12 improvements
The new Xen 4.12 upgrade also includes improved IOMMU mapping code, which is designed to significantly improve the startup times of AMD EPYC based systems. The upgrade also features Automatic Dom0 Sizing which allows the setting of Dom0 memory size as a percentage of host memory (e.g. 10 percent) or with an offset (e.g. 1G+10 percent).
You can start building products with the improved capabilities of the Xen Project hypervisor with a Xen Quick Start Package (QSP) from DornerWorks. Contact us today to get the QSP. We will discuss your product goals, and develop a roadmap to grow your business with virtualized software systems.