Xen Project 4.8.2 is available

I am pleased to announce the release of Xen 4.8.2. Xen Project Maintenance releases are released in line with our Maintenance Release Policy. We recommend that all users of the 4.8 stable series update to the latest point release.

The release is available from its git repository

xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.8 (tag RELEASE-4.8.2)

or from the XenProject download page

www.xenproject.org/downloads/xen-archives/xen-48-series/xen-482.html

These releases contain many bug fixes and improvements. For a complete list of changes, please check the lists of changes on the download pages.

My GSoC Experience: Allow Setting up Shared Memory Regions between VMs from xl Config File

This blog post was written by Zhongze Liu, a student studying information security at Huazhong University of Science and Technology in Wuhan, China. He recently took part in GSoC 2017, where he worked closely with the Xen Project community on “Allowing Sharing Memory Regions between VMs from xl Config.” His interests are low-level hacking and system security (especially cloud and virtualization security).

I got to know the Xen Project about one year ago when I was working on a virtualization security project in a system security lab. It was the very first time that I got hands-on experience with a Type-1 hypervisor. I was very interested in its internals and wanted to explore more of it by reading its code and doing some hacking on it. This is also what I was able to do this summer while working as a GSoC student with the Xen Project community. My specific focus was on setting up shared memory regions among VMs from a new xl config entry.

The purpose of this GSoC project is to allow simple guests that don’t have grant table support to be able to communicate via one or more shared memory regions. Such guests are not uncommon in the embedded world, and this project makes it possible for these poor guests to communicate with their friends.

This project involves many components of Xen, from the xl utility and xenstore all the way down to the hypervisor itself. The implementation plan is quite straightforward: (1) during domain creation: parse the config -> map the pages -> record in the xenstore filesystem what has been done; (2) during domain destruction: read the current status from xenstore -> unmap the pages -> clean up the related xenstore entries. More details can be found in my proposal posted on the xen-devel mailing list. The tangible outcome is a patch set adding changes to xl, libxl, libxc, XSM and FLASK.
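
To give a flavour of what such a config entry might look like, here is a purely illustrative sketch of two guest config files sharing one region. The key name static_shm, the field names and the master/slave roles are assumptions for the example; the final syntax was still under review on xen-devel:

    # vm1.cfg -- hypothetical "master" side that provides the backing pages
    static_shm = [ "id=shared_page0, begin=0x40000000, size=0x1000, role=master" ]

    # vm2.cfg -- hypothetical "slave" side that maps the same region by id
    static_shm = [ "id=shared_page0, begin=0x48000000, size=0x1000, role=slave" ]

During domain creation, xl/libxl would parse entries like these, map the master’s pages into the slave’s address space, and record the association in xenstore so it can be undone at domain destruction, exactly as in the plan above.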

I met quite a few challenges during the project. The first and biggest one turned out to be designing an appropriate syntax for the new config entry: the syntax has to be flexible and friendly to users. The hardest part was controlling the stage-2 page permissions and cache attributes, because there is currently no hypercall for setting stage-2 page attributes, yet users of this feature are asking for control over them. I read a lot of documentation about stage-2 page attributes on both x86 and ARM, and wrote a proposal for a new hypercall that would solve this issue.

After I made this proposal, I discovered that it would take too much time to discuss its details, not to mention implement it. After discussing this challenge with my mentors, we decided to leave this as a TODO (see the “Future Directions” section in the project proposal) and to support only the default attributes in the very first version of this project.

Next challenge: the “map the pages” step in the plan is easier said than done. After implementing the toolstack side, I moved on to test my code, but kept getting errors when mapping the pages. By scattering printk()s along the whole code path, I found what was blocking the way: on x86, adding foreign pages from one DomU to another by modifying p2m entries is not allowed.

Why not? (1) The default XSM policy doesn’t allow it; and (2) p2m tear-down is not implemented on x86, so allowing such mappings would break the reference counting of the pages.

Fixing reason (2) was not a trivial task, but luckily p2m tear-down is already implemented on the ARM side. So I decided to mark this new config entry as unsupported on x86 and continue implementing the ARM side. The fix for (1) turned out to be some changes to the XSM interface for xsm_map_gmfn_foreign, the dummy XSM policy, and the corresponding FLASK hook.

The last challenge that I’m going to talk about is testing. To test the ARM code, I followed one set of instructions on the Xen wiki to set up an emulator and another on cross-compiling Xen and the toolstack for ARM. I’m not using Debian, so some of the handy tools provided by Debian were not available to me, and I had to find alternative solutions for several of the critical steps. During my experiments I found that Docker is the most distribution-independent solution, and at the same time it doesn’t introduce much performance overhead. I created a Debian-based Docker image with all the tools and dependencies required to build Xen, and every time I want to launch a build, I just run ‘docker run -v local/xen/path:docker/xen/path -it image-name build-script-name.sh’. I’m planning to post my Dockerfile to the Xen wiki so that others can build their own cross-building environment with a simple ‘docker build’.
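
As a rough idea of what such an image looks like, here is a minimal sketch of a Debian-based Dockerfile for cross-building Xen for 64-bit ARM. The package list and environment variables are assumptions that will vary with the Xen version and target architecture; my actual Dockerfile differs in the details:

    # Illustrative Debian-based cross-build image for Xen on ARM64
    # (package names are assumptions; adjust for your Xen version and target)
    FROM debian:stretch
    RUN apt-get update && apt-get install -y \
        build-essential git python bison flex bc \
        gcc-aarch64-linux-gnu libc6-dev-arm64-cross \
        libncurses5-dev uuid-dev libyajl-dev libglib2.0-dev pkg-config
    # Variables picked up by the Xen build system for cross-compilation
    ENV CROSS_COMPILE=aarch64-linux-gnu- XEN_TARGET_ARCH=arm64
    WORKDIR /build

With the source tree bind-mounted into the container as in the ‘docker run’ command above, the build script simply invokes make with the usual cross-compilation variables.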

I’ve really learned a lot during the process, from my mentors, and from the Xen Project community. Additionally:

  • I’ve improved my coding skills
  • I’ve learned more about the Xen Project and its internals
  • I’ve learned many efficient git tricks, which will be very useful in my future projects
  • I’ve read about memory management on ARM and x86
  • I’ve learned how to set up a rootfs, emulator, kernel, drivers and cross-compiling environment to test out ARM programs
  • And most importantly, I’ve learned how to work with an open source community.

And no words are strong enough to express my many thanks to all the people in the community who have helped me so far, especially Stefano, Julien, and Wei. They’ve been very supportive and responsive from the very beginning, giving me valuable suggestions and answering my sometimes stupid questions.

I’m very glad that I was invited to the Xen Project Summit in Budapest. It was really a great experience to meet so many interesting people there. And many thanks to Lars and Mary, who helped me in getting my visa to the event and offered me two T-shirts to help me through the hard times when my luggage was delayed.

The GSoC internship is coming to an end, and it’s just my first step in contributing to the Xen Project. I like this community, and I am looking forward to contributing more to it and learning more from it.

 

My GSoC experience: Fuzzing the hypervisor

This blog post was written by Felix Schmoll, currently studying Mechanical Engineering at ETH Zurich. After obtaining a Bachelor’s degree in Computer Science from Jacobs University, he spent the summer working on fuzzing the hypervisor as a Google Summer of Code student. His main coding interests are low-level endeavours and building scalable applications.

Five months ago, I had never even heard of fuzzing, but this summer, I worked on fuzzing the Xen Project hypervisor as a Google Summer of Code student.

For everybody who is not familiar with fuzzing: it is a way of testing interfaces. In its most primitive form, a fuzzer repeatedly generates random input and feeds it to the interface. A more advanced version is coverage-guided fuzzing, which uses information about the code path taken by the binary to mutate the input further. The goal of this project was to build a prototype for fuzzing the hypercall interface, to see whether one could make the hypervisor crash with a specific sequence of hypercalls.
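
As a toy illustration of the primitive form described above (this is not the code used in the project, just a self-contained sketch), a dumb fuzzer for some function under test could look like this:

    /* Toy example of dumb (non-coverage-guided) fuzzing: feed random bytes
     * to an interface and watch for crashes. Purely illustrative; the real
     * project fed AFL-generated inputs to the hypercall interface instead. */
    #include <stdio.h>
    #include <stdlib.h>
    #include <time.h>

    /* Stand-in for the interface under test (a hypothetical parser). */
    static int interface_under_test(const unsigned char *buf, size_t len)
    {
        return len > 0 && buf[0] == 0x7f; /* pretend to parse something */
    }

    int main(void)
    {
        unsigned char buf[64];
        srand(time(NULL));
        for (unsigned long iter = 0; ; iter++) {
            size_t len = rand() % sizeof(buf);
            for (size_t i = 0; i < len; i++)
                buf[i] = rand() & 0xff;
            /* A crash here (caught by a watchdog, a core dump, ...) would
             * indicate a bug in the interface under test. */
            interface_under_test(buf, len);
            if (iter % 1000000 == 0)
                fprintf(stderr, "executed %lu inputs\n", iter);
        }
        return 0;
    }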

American Fuzzy Lop (AFL) is by far the most popular fuzzer, and so it was chosen as the one to run against the hypervisor. As AFL targets user-space programs, it had to be adapted to work against the kernel and hypervisor. The first step was to let AFL obtain coverage feedback from Xen by implementing a new hypercall. Further, a mechanism was needed to execute the fuzzed hypercalls from a domain other than dom0, since there are many legitimate ways to bring down the hypervisor from dom0, which would make crashes found there meaningless. For this purpose, an XTF test case was instrumented to run as a server, receiving test cases from an AFL instance. In the end, changes were made to the hypervisor, libxl, xenconsole, XTF and AFL.

The biggest challenge of all was finding my way around the code base of Xen. A lot of components were relevant to the project, and it would be unrealistic to expect anybody to read all of the code at once. While documentation was at times scarce, a helpful community of experts was always available on IRC. It was also a great experience to meet these people at the Xen Project Summit in Budapest.

The result of my summer project is a set of patches. While no bugs were actually found (i.e. the hypervisor never crashed), valuable experience was collected for future projects. I am confident that by building on the prototype it will be possible to improve the reliability of Xen. A first step would be to pass the addresses of valid buffers into hypercalls. For a description of more possible improvements, please read the technical summary of the project.

Lastly, I would like to thank everybody involved with GSoC and the Xen Project, and in particular my great mentor Wei Liu, for letting me experience what it is like to work on a well-led open-source project.

Recap of LinuxCon China and Xen Project’s Growth in the Region

It’s been a very busy month or so for the Xen Project. In mid-June, I was lucky enough to attend and speak at LinuxCon + ContainerCon China, held in Beijing. There, alongside my colleague Cheng Zhang of Citrix, I spoke about securing embedded systems with the hypervisor, and about live patching, virtual machine introspection and vulnerability management.

Open source has grown tremendously in China over the last few years, with Xen Project technology being a key enabler for cloud computing. Most recently, the Xen Project announced that Huawei has joined the Project’s Advisory Board. Huawei is one of a growing number of Chinese companies leveraging and contributing to the Xen Project’s software. Other organizations include Alibaba, Fujitsu (China), Intel (China), Tencent, Inspur, and more.

The Xen Project hypervisor currently powers Alibaba Cloud, which is growing at a massive rate with incredible potential.

Many ask why this growth is happening in China, and why now. There are many different reasons, but I think the main point is this: as key technologies are increasingly built collaboratively, more and more Chinese companies are using open source to leapfrog competitors. By joining Linux Foundation projects, in-country organizations are helping to drive further growth and development.

Collaboration in China and at the Conference

Contributions to the Xen Project have expanded greatly over the last few years, especially contributions and membership coming from China. In our latest release, Xen Project 4.9, we had 25% more contributors to the core hypervisor and a 17% increase in contributions across the hypervisor, tests, and other components. We received several contributions from individuals based in China as well as from Fujitsu (China), Huawei Technologies, and Intel (China).

We are generally seeing more companies (in China and beyond) participating in the project with an eye toward automotive, embedded, security, and cloud-native computing.

During the conference, I was able to meet up with community members from Alibaba, Huawei, Hyper_, Intel and others. Key highlights and conversations for me included:

  • In the last year, we have seen very rapid adoption of Xen Project-based products in government (e.g. China State Grid), industry (e.g. CTCI), telecoms (e.g. China Mobile), and banking/financial services (e.g. ICBC, People’s Insurance Company of China), and we are starting to see adoption in high-performance computing. One surprising factor leading to rapid adoption of open source in China is that many industries are required to perform code audits on software with the aim of strengthening cybersecurity, which gives open source software a significant edge.
  • I had lots of discussions on the “ins and outs” of Virtual Machine Introspection after I highlighted, in my live patching, virtual machine introspection and vulnerability management talk, that VMI would have defeated WannaCry/EternalBlue a priori. As I learned, most WannaCry victims were based in China, including companies such as the China National Petroleum Corporation, where the attack led to 20% of petrol stations across the mainland going offline.
  • Live patching, its potential limitations, and the complexities of building and validating live patches were also high on the list of discussion topics and came up several times.
  • Another highlight was a discussion around the proposed Shared coprocessor framework for Xen, whose design is currently being finalized and which will support sharing of GPUs, DSPs, FPGAs and security co-processors once the prototype has been completed and upstreamed. I had originally assumed that co-processor sharing was mainly of interest either in embedded or in niche cloud use cases, but was surprised to learn that there may be much more market pull than anticipated.

I’m looking forward to continued collaboration and innovation in this region.

Xen Project 4.6.6 and 4.7.3 are available

I am pleased to announce the release of Xen 4.6.6 and Xen 4.7.3. Xen Project Maintenance releases are released in line with our Maintenance Release Policy. We recommend that all users of the 4.6 and 4.7 stable series update to the latest point release.

4.6.6
The release is available from its git repository
http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.6
(tag RELEASE-4.6.6) or from the XenProject download page
http://www.xenproject.org/downloads/xen-archives/xen-46-series/xen-466.html

4.7.3
The release is available from its git repository
http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.7
(tag RELEASE-4.7.3) or from the XenProject download page
http://www.xenproject.org/downloads/xen-archives/xen-47-series/xen-473.html

These releases contain many bug fixes and improvements. For a complete list of changes, please check the lists of changes on the download pages.

What’s New in the Xen Project Hypervisor 4.9?

I am pleased to announce the release of the Xen Project Hypervisor 4.9. As always, we focused on improving code quality and security hardening, as well as enabling new features. Our approach to security is also the reason why we delayed this release by three weeks: security issues that were discovered during the hardening phase of this release were batched and handled using our Security Policy, which requires us to develop fixes for security issues in private and allows organisations on our pre-disclosure list to update their systems and software before any code is made public. Consequently, we had to wait until June 20 before we could apply the security fixes and then build and test the final release candidate.

The Xen Project Hypervisor 4.9 release focuses on advanced features for embedded, automotive and cloud-native computing use cases, enhanced boot configurations for more portability across different hardware platforms, the addition of new x86 instructions to speed up machine learning computing, and improvements to existing functionality related to the ARM® architecture, the device model operation hypercall, and more.

We are also pleased to announce that Julien Grall, Senior Software Engineer at ARM, will stay on as release manager for the Xen Project Hypervisor 4.10 release.

We grouped updates to the Xen Project Hypervisor into the following categories:

  • New Features
  • Improvements to Existing Functionality
  • Multi-Release Long-Term Development

New Features

Boot Xen on EFI platforms using GRUB2 (x86): From Xen Project 4.9 and GRUB2 2.02 onwards, the Xen Project Hypervisor can be booted using the multiboot2 protocol on legacy BIOS and EFI x86 platforms. Partial support for the multiboot2 protocol was also introduced into network boot firmware (iPXE). This makes the Xen Project boot process much more flexible: boot configurations can be changed directly from within the bootloader (without having to use text editors), and they become more portable across different platforms.
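
For illustration, a GRUB2 menu entry booting Xen via multiboot2 might look roughly like the following; the file names, versions and command-line options are example values rather than a recommended configuration:

    # Illustrative grub.cfg menu entry (paths and options are examples only)
    menuentry 'Xen 4.9 with Linux dom0' {
        multiboot2 /boot/xen.gz dom0_mem=2048M,max:2048M
        module2    /boot/vmlinuz-4.9.0 root=/dev/sda1 ro console=hvc0
        module2    /boot/initrd.img-4.9.0
    }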

Near native latency for embedded and automotive environments: The “null” scheduler enables use cases where every virtual CPU can be assigned to a physical CPU (as is commonly needed in embedded and automotive environments), removing almost all scheduler overhead in such environments. Using the “null” scheduler also guarantees significantly lower latency and more predictable performance. The new vwfi parameter for ARM (virtual Wait For Interrupt) allows fine-grained control of how the Xen Project Hypervisor handles WFI instructions. Setting vwfi to “native” reduces interrupt latency by approximately 60%. Benchmarks on Xilinx Zynq UltraScale+ MPSoCs have shown a maximum interrupt latency of less than 2 microseconds, which is extremely close to the hardware limits and should be small enough for the vast majority of embedded use cases.
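
Both behaviours are selected through options on the Xen command line, which in a GRUB2 setup are simply appended to the line that loads xen.gz, for example:

    # Xen command-line options for a low-latency ARM configuration
    sched=null vwfi=native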

Xen 4.9 includes new standard ABIs for sharing devices between virtual machines (including reference implementations) for a number of embedded, automotive and cloud native computing use-cases.

For embedded/automotive, a virtual sound ABI was added, implementing audio playback and capture as well as volume control and the ability to mute/unmute audio sources. In addition, a new virtual display ABI for complex display devices exposing multiple framebuffers and displays has been added. Multi-touch support has been added to the virtual keyboard/mouse protocol, enabling touch screens.

Xen 4.9 also introduces a Xen transport for 9pfs, a remote filesystem protocol originally written for Plan 9. During the Xen 4.9 release cycle, a Xen 9pfs frontend was upstreamed in the Linux kernel and a backend in QEMU. It is now possible to share a filesystem (not necessarily a block device) from one virtual machine to another, which is a requirement for adding Xen support to many container engines, such as CoreOS rkt.
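
On the toolstack side, exporting a host directory to a guest over the 9pfs transport is expressed in the guest’s xl configuration; the sketch below assumes a QEMU backend running in Dom0 and uses the p9 key names as I recall them from xl.cfg, so check the documentation for your Xen version:

    # Illustrative xl config entry exporting /srv/guest-share to the guest
    p9 = [ "tag=share0,security_model=none,path=/srv/guest-share" ]

Inside the guest, the share can then be mounted as a 9p filesystem using the chosen tag.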

The PV Calls ABI has been introduced to allow forwarding POSIX requests across guests: a POSIX function call originating from an app in a DomU can be forwarded to and implemented in Dom0. For example, guest networking socket calls can be executed in Dom0, enabling a new networking model that is a natural fit for cloud-native apps.

Improvements to Existing Functionality

Xenstored optimisations: The Xenstore daemons give Dom0 and guests access to system configuration information. C-xenstored scalability limits have been raised so that large hosts (with roughly 1,000 domains or more) can run efficiently. Transaction handling has been improved for better performance, a smaller memory footprint and fewer transaction conflicts. Dynamic debugging capabilities have also been added.
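
For context, toolstack components talk to xenstored through libxenstore and typically wrap related reads and writes in a transaction, retrying when the daemon reports a conflict; it is exactly this commit/retry path that the improvements above target. A minimal client-side sketch, assuming the standard libxenstore API:

    /* Minimal libxenstore transaction sketch (illustrative only).
     * Build against libxenstore, e.g.: gcc demo.c -lxenstore */
    #include <errno.h>
    #include <stdbool.h>
    #include <string.h>
    #include <xenstore.h>

    int main(void)
    {
        struct xs_handle *xs = xs_open(0);
        if (!xs)
            return 1;

        bool retry;
        do {
            xs_transaction_t t = xs_transaction_start(xs);
            const char *val = "example";
            xs_write(xs, t, "/local/domain/0/demo", val, strlen(val));
            /* xs_transaction_end() fails with errno == EAGAIN when the
             * transaction conflicted with another one; simply retry. */
            retry = !xs_transaction_end(xs, t, false) && errno == EAGAIN;
        } while (retry);

        xs_close(xs);
        return 0;
    }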

DMOP (Device Model Operation Hypercall): In Xen 4.9 the interface between Xen and QEMU was completely re-worked and consolidated. There is now only a single hypercall in Xen (the DMOP hypercall), which is carefully designed to allow the privcmd driver to audit any QEMU memory ranges and parameters that are passed to Xen via DMOP. The Linux privcmd driver enables DMOP auditing, which significantly limits the capability of a compromised QEMU to attack the hypervisor.
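
From the device model’s point of view, DMOPs are issued through the libxendevicemodel library that accompanies this interface. The sketch below shows the general shape of such a call; the function names follow libxendevicemodel as I understand it, but the exact signatures and types may differ between Xen versions, so treat this as an assumption rather than a reference:

    /* Illustrative use of libxendevicemodel, which issues DMOP hypercalls
     * through the (auditing) privcmd driver. Not a complete device model;
     * the domain ID and parameters below are placeholders. */
    #include <stdio.h>
    #include <xendevicemodel.h>

    int main(void)
    {
        xendevicemodel_handle *dm = xendevicemodel_open(NULL, 0);
        if (!dm)
            return 1;

        ioservid_t id;
        /* Create an IOREQ server for domain 1 (no buffered ioreqs). */
        if (xendevicemodel_create_ioreq_server(dm, 1, 0, &id) == 0)
            printf("created ioreq server %u for dom1\n", (unsigned)id);

        xendevicemodel_close(dm);
        return 0;
    }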

Alternative runtime patching and GICv3 support for ARM32: Alternative runtime patching, which enables the hypervisor to apply workarounds for errata affecting the processor and to apply optimizations specific to a CPU, as well as GICv3 support, has been extended to 32-bit ARM platforms, bringing this functionality to embedded use cases.

Intel and x86 Feature Support: The latest version of the Xen Project hypervisor adds support for the Neural Network Instructions AVX512_4VNNIW and Multiply Accumulation Single Precision AVX512_4FMAPS subfamilies of the AVX-512 instruction set. With these instructions enabled in Xen for both HVM and PV guests, programs in guest OSes can take full advantage of these important instructions to speed up machine learning computing. This Xen release also further enhances VT-d Posted Interrupt (PI) optimization, Machine Check Exception (MCE) handling, and more.

System Error Detection (ARM): Xen on ARM took a step forward in reliability and serviceability with the introduction of System Error detection and reporting, a key feature for customers with highly available systems.

GCOV support: We removed the old GCOV implementation and replaced it with an updated version that supports more formats and exposes a more generic interface.

Re-work and hardening of x86 emulation code for security: Hardware-assisted virtualisation provides hypervisors with the ability to execute most privileged instructions natively and securely. However, for some boundary cases, it is still necessary to emulate x86 instructions in software. In Xen 4.9, the project completely re-worked the x86 emulation code, added support for new instructions, audited the code against security vulnerabilities and created AFL-based fuzzing tests that are regularly run against the emulator.

Updated support for Microsoft’s Hyper-V Hypervisor Top-Level Functional Specification (also known as Viridian Enlightenments): Xen implements a subset of version 5.0 of the Hyper-V Hypervisor TLFS, which enables Xen to run Windows guests with performance similar to what they would achieve on Hyper-V. In addition, this work lays the groundwork for running Hyper-V within Xen in the future using nested virtualization.
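
The enlightenments are enabled per guest from the xl configuration; the fragment below shows the simplest boolean form (a sketch only: depending on the Xen version, viridian may also accept a list of individual enlightenment groups):

    # Illustrative xl config fragment for an HVM Windows guest
    builder  = "hvm"
    viridian = 1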

Multi-Release Long-Term Development

This section contains large feature developments that cover several release cycles. It is intended to provide a progress update for larger features.

Transition from PVHv1 to PVHv2: Xen Project 4.8 laid the groundwork for re-architecting and simplifying PVH, focusing on the DomU guest ABI, which enabled guest operating system developers to start porting their OSes to this mode. Support for FreeBSD is in progress, while support for Linux is committed. Xen 4.9 added Dom0 builder support and support for multiple virtual Intel I/O Advanced Programmable Interrupt Controllers (vIO APICs). PVHv2 support for interrupt routing and PCI emulation is currently being peer reviewed and can be expected early in the Xen 4.10 release cycle; this lays the groundwork for a PVHv2 Dom0. For PVHv2 DomU support, work on PCI passthrough and a major re-work of the xl/libxl and libvirt user interfaces for PVH has been started. Support for PVHv1 has been removed from the Xen codebase.

Reworking the Xen-QEMU integration to protect against QEMU security vulnerabilities: In Xen Project 4.8, we embarked on an effort to re-work the Xen-QEMU integration, which amounts to sandboxing QEMU within Dom0. Significant progress was made towards this goal in Xen 4.9 with the implementation of DMOP. Other changes, such as de-privileging QEMU in Dom0 and changes to the Linux privcmd driver, have been mostly completed in Xen 4.9. Changes that have been designed but not yet implemented are the necessary changes to libxl and to QEMU’s usage of XenStore.

Summary

Despite the shorter release cycle, the community developed several major features, and found and fixed many more bugs. Compared to Xen 4.8, which was our first fixed-term release, we have seen increased development velocity (developers contributed 1245 changes in Xen 4.8 and 1549 in Xen 4.9, a growth of roughly 24%), increased code review activity, and more contributors (both individuals and organisations). For Xen 4.8, a total of 68 developers from 25 employers contributed; for Xen 4.9, a total of 86 developers from 30 employers contributed.

As in Xen 4.8, we took a security-first approach for Xen 4.9 and spent a lot of energy improving code quality and hardening security. This inevitably slowed down the acceptance of new features somewhat and also delayed the release. However, we believe that we reached a meaningful balance between mature security practices and innovation.

On behalf of the Xen Project Hypervisor team, I would like to thank everyone for their contributions (either in the form of patches, code reviews, bug reports or packaging efforts) to the Xen Project. Please check our acknowledgement page, which recognises all those who helped make this release happen.

The source can be located in the https://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=refs/tags/RELEASE-4.9.0 tree (tag RELEASE-4.9.0) or can be downloaded as a tarball from our website. For detailed download and build instructions, check out the guide on building Xen 4.9.

More information can be found at