
Xen Project Advances Hypervisor Project

The Xen Project announced this week that the latest version of the open source hypervisor can take advantage of core scheduling, an experimental feature that changes the unit of scheduling from an individual hardware thread to a whole physical core. With core scheduling enabled, the sibling hyperthreads of a core only ever run virtual CPUs belonging to the same guest at the same time, instead of being shared between different virtual machines.

Lars Kurth, chairperson of the Xen Project advisory board, said this capability also represents an important first step toward a more secure way of using hyperthreading. Since earlier this year, many IT organizations have turned off hyperthreading because of side-channel vulnerabilities that let code on one hardware thread leak data from its sibling thread. However, such decisions have resulted in significant performance penalties for many applications.
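To make the scheduling rule concrete, the following is an added example, not code from the Xen Project: a toy model in Python of how a core-granularity scheduler places virtual CPUs, compared with the default per-thread placement. The topology, the run queue and the function names are constructed for illustration; in Xen 4.13 the real switch is the sched-gran=core hypervisor command-line option, and the real scheduler is far more involved than this.

```python
"""Toy model of core scheduling versus per-thread scheduling.

Constructed example, not Xen code. It only demonstrates the placement rule:
with core granularity, the SMT siblings of one physical core never run
vCPUs of different guests at the same instant, at the cost of idle siblings
when a guest has fewer runnable vCPUs than the core has threads.
"""
from collections import OrderedDict

# Constructed topology (assumption): physical core -> its SMT sibling threads.
TOPOLOGY = {
    "core0": ("cpu0", "cpu1"),
    "core1": ("cpu2", "cpu3"),
}

# Constructed run queue of (domain, vcpu_index) pairs that are ready to run.
RUN_QUEUE = [("domA", 0), ("domB", 0), ("domA", 1), ("domB", 1)]


def schedule_per_thread(run_queue, topology=TOPOLOGY):
    """Default granularity: every hardware thread is an independent scheduling
    unit, so two siblings of one core may run vCPUs of different guests."""
    threads = [t for siblings in topology.values() for t in siblings]
    placement = {t: None for t in threads}
    for thread, vcpu in zip(threads, run_queue):
        placement[thread] = vcpu
    return placement


def schedule_per_core(run_queue, topology=TOPOLOGY):
    """Core granularity: the scheduling unit is the whole core. All siblings
    run vCPUs of the same domain; if that domain has fewer runnable vCPUs
    than the core has siblings, the remaining siblings stay idle."""
    by_domain = OrderedDict()
    for vcpu in run_queue:
        by_domain.setdefault(vcpu[0], []).append(vcpu)
    placement = {t: None for siblings in topology.values() for t in siblings}
    for siblings in topology.values():
        # Pick the first domain that still has runnable vCPUs for this core.
        domain = next((d for d, queue in by_domain.items() if queue), None)
        if domain is None:
            break
        for thread in siblings:
            if by_domain[domain]:
                placement[thread] = by_domain[domain].pop(0)
    return placement


def cross_domain_cores(placement, topology=TOPOLOGY):
    """Cores whose siblings simultaneously run vCPUs of different domains,
    which is exactly the situation cross-thread side channels exploit."""
    leaky = []
    for core, siblings in topology.items():
        domains = {placement[t][0] for t in siblings if placement[t] is not None}
        if len(domains) > 1:
            leaky.append(core)
    return leaky


def idle_threads(placement):
    """Threads left idle by a placement: the performance cost of isolation."""
    return [t for t, vcpu in placement.items() if vcpu is None]


if __name__ == "__main__":
    for name, scheduler in (("per-thread", schedule_per_thread),
                            ("per-core", schedule_per_core)):
        placement = scheduler(RUN_QUEUE)
        print(name, placement)
        print("  cores shared across domains:", cross_domain_cores(placement))
        print("  idle threads:", idle_threads(placement))
```

Running the model on the constructed run queue shows the trade-off the article describes: per-thread placement puts domA and domB on the two siblings of every core, while core granularity keeps each core to one domain, and a guest with a single runnable vCPU leaves its sibling thread idle.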

In addition to core scheduling, version 4.13 of the Xen Project Hypervisor extends live patching and adds late microcode (uCode) loading, so that both hypervisor fixes and CPU microcode updates can be applied at runtime without rebooting the host.
The latest version of Xen also adds support for additional processors and platforms, including 2nd Generation AMD EPYC, Hygon Dhyana (family 18h), the Raspberry Pi 4 and Intel platforms with AVX-512.

Finally, version 4.13 of Xen adds support for OP-TEE, the open source trusted execution environment that runs in the secure world of Arm TrustZone, so that multiple guests can concurrently run trusted applications under it. It also improves Dom0less, which boots guests directly from the hypervisor at startup without a Dom0 control domain, so that a system can be partitioned into isolated guests running in parallel on dedicated processors.

The Xen Project also announced it has created a Functional Safety Working Group, which is committed to making the Xen hypervisor suitable for systems that must meet ASIL-B, one of the Automotive Safety Integrity Levels defined by the automotive industry. That effort represents a significant challenge because it requires both the code and the development process to comply with key tenets of ISO 26262, the standard for the functional safety of electrical and electronic systems in road vehicles.

The Xen Project is also working on a secret-free hypervisor, which Kurth said will play a critical role in thwarting side-channel attacks. A side-channel attack does not break an encryption algorithm directly; it infers secrets from something the computation leaks, such as timing differences in shared caches, the after-effects of speculative execution or the physical emanations of a processor. The secret-free design aims to keep other guests' memory out of the hypervisor's own address space, so that a speculative-execution flaw in the hypervisor has nothing of value to leak.

Kurth said version 4.13 represents a major milestone in the ongoing development of Xen. In the future, Xen will also be able to take advantage of the rust-vmm project, a collection of reusable Rust components for building virtual machine monitors to which Intel is a major contributor. Because the components are shared, different classes of virtual machine monitor can be assembled from them in a modular fashion: a full-featured one optimized for legacy monolithic applications, and a much lighter-weight one for cloud-native applications based on containers, which also cuts the time required to spin up a virtual machine while keeping virtual machines isolated from one another.

It’s not clear to what degree advances such as core scheduling will influence the selection of hypervisors and virtual machines. However, from a DevOps perspective, it’s clear that the capabilities being added to the next generation of hypervisors will not only improve application performance, but should also advance DevSecOps practices by lowering the cost of keeping guests isolated from one another.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
