New version turns Meltdown mitigation into a feature
To help you understand what will land on that day, The Register asked Lars Kurth, chair of the Xen Project Advisory Board, for his views on what is important and new in the next release.
Here’s what he said by way of reply.
“One of our long-term development themes for the last few releases has been to make it possible for users to compile out large chunks of functionality from the xen codebase. In this release we added all the functional pieces for two major use-cases that highlight this ability in different ways, but we have not yet exposed the capability to compile the code out. Both use-cases rely on nested virtualization in the sense that guests that use PV [paravirtualization] functionality can run in an HVM [hardware virtual machine] container, and vice versa.”
To deliver on that plan Xen 4.11 adds what Kurth called “a new feature called PVShim, first discussed in detail at our July 2017 Developer Summit. This feature was initially released as one mitigation for Meltdown, but is a key 4.11 feature. PVShim allows a ‘classic’ PV-only guest to be run in PVH mode. This allows cloud providers to support old, PV-only distros while only providing a single kind of guest (PVH – paravirtualized with CPU virtualization extensions). This simplifies management, reduces the surface of attack significantly, and eventually allows end-users to build a Xen hypervisor configuration with no ‘classic’ PV support at all.”
The new version also saw developers “spend a significant amount of time on completing and optimizing mitigations for the Meltdown and Spectre vulnerabilities. We implemented performance optimized XPTI, Xen’s equivalent to KPTI. It is worth noting that only ‘classic PV’ guests need XPTI as HVM and PVH guests are not vulnerable to Meltdown.”
“The second use-case enables the building of container-like functionality with the much stronger isolation guarantees of virtualization,” Kurth continued. “In this scenario, you would want to build a PV-only variant of Xen (one which has neither HVM nor PVH support) together with the PVCalls and 9pfs support introduced in Xen 4.9 and 4.10. Instead of running container images in Linux Containers, you would then run them in a PV guest, with the strong isolation provided by the Xen guest. This new small Xen configuration – for which we do not have a name yet – could then be run directly on the host, or be deployed into an HVM or PVH cloud instance, taking advantage of Xen’s unique ability to run on existing cloud providers without special nested virtualization support.”
“There are more improvements to come,” Kurth concluded, “but the ones listed above are among the items that the team is most excited about.” ®