The Xen Project is used by more than 10 million users, powers some of the largest clouds on the planet, and is starting to build momentum in embedded and safety-conscious market segments. It is also nearly 16 years old.
The Xen Project’s success and longevity can be attributed to its flexible architecture, but more importantly to enabling community members to contribute ideas and code, even if they are not core to the project's main use-case. This has brought Xen far beyond server virtualization.
Lars will share how the project has supported new technologies and ideas, which may include some really interesting things you might not know about Xen (especially around defense applications), and will derive best practices that may help other projects.
Scale17x: Thinking outside of the conceived tech comfort zone
1. Thinking Outside of the Conceived
Tech Comfort Zone
Xen Project 15 Years
Down the Line
Presentation at
www.slideshare.net/xen_com_mgr
2. Lars Kurth
Community Manger, Xen Project
Chairman, Xen Project Advisory Board
Director, Open Source, Citrix
Contributors
Andrew Cooper: Committer, Xen Project ◉ Christopher Clark: Contributor, Xen Project
Mihai Donțu: Chief Linux Officer, Bitdefender ◉ George Dunlap: Committer, Xen Project
lars_kurth
3. What is Xen and Xen Project?
Versatile Virtualization Platform
Designed to be a component in a SW stack
Ease of use for end-users was never a design goal
Xen Hypervisor = “Engine”
Taken by integrators to build a product, service, …
Analogy: integrators build a “car” with Xen as “engine”
Xen Project
Development community with several sub projects
that develop technologies related to Xen
– Hypervisor
– PV Drivers
– Unikernel related projects: MirageOS, Unikraft
5. Original Use Cases
Server Consolidation
Co-located hosting facilities,
Distributed web services
Cloud Computing
Secure Computing Platforms and
Application Mobility
High availability, Fault tolerance,
Checkpointing
6. Original Design Goals
Modular architecture
Via disaggregation
Flexible architecture
Via use of system services
High degree of customisability
Initial goal: server and possibility of
desktop products
10. From the Beginning
Disaggregation was part of the original Xen conception
Influenced by microkernel thinking
VMn
Guest OS
Applications
VM0 (or Dom0)
Dom0 Kernel
Native Driver
System Services
XS TSDE
Scheduler MMU Timers Interrupts
11. From the Beginning
Disaggregation was part of the original Xen conception
Influenced by microkernel thinking
VMn
Guest OS
Applications
VM0 (or Dom0)
Dom0 Kernel
System Services
XS TS
Scheduler MMU Timers Interrupts
Driver Domain
Guest OS
Native Driver
Service Domain
Guest OS
System Services
DE
Disaggregate
Disaggregate
12. From the Beginning
Disaggregation was part of the original Xen conception
Influenced by microkernel thinking
The PV protocols were specifically designed for untrusted
backends and untrusted native device drivers
Particularly the grant tables
Security technologies were always in maintainers minds
They were up-streamed without resistance
Sometimes with a lot of support from maintainers
13. Today: Disaggregation used by …
OpenXT, SecureView
(desktop, laptops, tablets)
Defense Applications
Unikernels
Defense Applications
Xenon Hypervisor family, Magrana Server, …
Cloud Computing
Server Virtualization
ARLX/Virtuosity OA,
Crucible Hypervisor
Embedded Defense /
Security Applications
Automotive Virtuosity,
GlobalLogic Nautilus, EPAM Fusion
General purpose desktop and mobile Virtualization
Qubes OS
VMI
14. Tension: Core vs. non-Core Usage
Defense Applications
Unikernels
Defense Applications
Cloud Computing
Server Virtualization
Embedded Defense /
Security Applications
Automotive
General purpose desktop and mobile Virtualization
VMI
Until 2017, all key maintainers were working for
companies working on Server Virtualization, the core use-case
Today 30% of key maintainers
work for vendors that care about
embedded and mixed-criticality
use-cases bringing in new
innovations
15. Tension: Core vs. non-Core Usage
Many security technologies were not made easy to use
Disaggregation is a good example
Product schedule pressure, led to
– Core team members choosing the quick to implement / more performant
approach ➜ New features went into Dom0 first
– Maintainers reviewing non-Core contributions: takes effort to understand
and guide contributors to the best approach ➜ This did often not happen
E.g. Xen has no build capability for disaggregated domains
Led to duplication amongst downstreams
Increased the barrier to adoption for newcomers
19. Xen Summit: 2007, New York, USA
US DoD employees presented approaches to
Apply EAL5 Common Criteria Security Clearance for Xen
Xen Security Modules (XSM)
EAL5 CC related research led to the Xenon Separation VMM family
Today: widely used by DoD departments
XSM was subsequently upstreamed
Defense Applications
Xenon Hypervisor family, Magrana Server, …
Server Virtualization
Linux Distros, Citrix Hypervisor, Huawei UVP, Oracle VM, XCP-ng
20. 2012: The Xenon Separation VMM
Secure virtualization infrastructure for military clouds (pdf)
“ We reduce the size of the code base by dropping support
for selected features that are not needed to run commodity
operating systems, e.g. Windows 7 or Linux. Because the
internal design and construction of the base Xen VMM is
highly modular, removing some of the features does not
disable any of the remaining features.
The total effort required was about 3 engineers over a
period of 2 years, and includes the effort of keeping up with
the Xen community. ”
21. x86: Desktop / Tablet Use Cases
2009: Virtual Computer releases NxTop 1.0
NxTop is the first of 3 Xen based client solutions
Citrix and Neocleus release their first solutions in 2010
2012: Snowden-approved Qubes OS 1.0 releases
Today, Qubes OS 4.0 is the first technology to use PVHv2 in production
2013: Citrix and DoD collaborate to create SecureView
In 2015, XenClient is discontinued and released as OpenXT
SecureView continues to be developed on top of OpenXT
OpenXT, SecureView
(desktop, laptops, tablets)
Defense Applications
General purpose desktop Virtualization
XenClient, NxTop, Neosphere, Qubes OS
22. Reflection
Early & continued engagement of Security Researchers
Security feature contributions before being productized
Xen became an attractive platform for security research
Enabler:
The Xen community accepted contributions
Modular Architecture
Enabled specialised and certifiable products for defence use
But: Innovations were not attempted to be up-streamed
23. Reflection
Attempts to commercialize Xen on Desktop
Enabled a new products leveraging Xen’s security features
They also relied on removing upstream Xen code (on x86)
BUT:
None of these Xen capabilities were used in Server/Cloud
Related Story: GPU Passthrough & Virtualization
Were developed for Desktop Use Cases on Xen
TODAY:
GPU Virtualization is widely used in Server/Cloud
26. Georgia Tech: 2007, Atlanta, USA
2007: Virtual Machine Introspection for Xen hatched at
Georgia Tech
– 2003: Initial Research by Tal Garfinkel & Mendel Rosenblum
– Bryan Payne created a project called XenAccess
Later expanded scope to other hypervisors as LibVMI
2009: XenAccess and mem-events APIs were added
Used for security research and specialist security apps
Enabler:
The project accepted these changes with active help
from maintainers
27. Commercial interest in VMI
2013 to 2015: Intel launched its Haswell & Broadwell CPUs
Specifically VMFUNC, EPTP and #VE capabilities
New HW capabilities of Haswell & Broadwell generated
commercial interest in VMI by multiple vendors
2014 to 2015: The XenAccess and mem-events APIs were
re-architected into the VMI subsystem
In parallel: related companion technologies such as alt2pm
are being developed
28. Productization
2015 to 2016: Citrix and Bitdefender collaborated to bring
VMI to market through XenServer 7.0 and Bidefender HVI
Today: Similar products are available from AIS and Zentific
Today: ongoing contributions by security vendors to alt2pm
and #VE capabilities indicate future productization
29. Reflection
Few security features made it into Server/Cloud
For example: VMI & Live Patching
WHY?
HW capabilities were not enough
It was too early or the market wasn’t ready
Example: Dynamic Root of Trust related technologies
Complex and Use Case dependent
Example: Xen Security Modules - requires Specialist expertise;
configuration is Use Case dependent
30. From Desktop / Mobile
Use Cases to
Embedded / Automotive
32. Samsung releases Secure Xen on Arm port
This Xen port used paravirtualization and was kept as a Xen
fork hosted by the Xen Project as requested by Samsung
2008 to 2014: Samsung regularly shows Xen demos
Dual mobile operating systems running on Samsung
devices and later Nexus 10
Demos and presentations covered
– Innovations in real-time capabilities based on Xen
– GPU sharing technologies based on Xen
2008, Seoul, Korea
33. This showed what is possible
Inspiring others to investigate and
research along similar lines
35. 2012, Cambridge, UK
Xen on Arm reboot
Patches for upstream Xen on Arm support are posted
Armv7 and v8 are fully supported upstream by March 2014
The primary motivation for this work was to target Arm
based servers
Developers learned from the earlier Arm port:
– Clean and simple architecture
– Perfect match between Xen and Arm ISA
– Much smaller code size compared to Xen on x86
37. The missing Evolutionary Link
From x86 to Arm
2010: Dornerworks contributes the ARINC653 Scheduler
Launches ARLX (initially for x86) taking a similar approach
to Xenon
2014: Dornerworks pioneers safety certification for Xen
OpenXT, SecureView
(desktop, laptops, tablets)
Defense Applications
General purpose desktop Virtualization
XenClient, NxTop, Neosphere, Qubes OS
ARLX/Virtuosity OA,
Crucible Hypervisor
Embedded Defense /
Security Applications
38. A new Evolutionary Wave
2014: Xen moves into embedded and automotive
The Xen Project launched an automotive initiative
Xen based distros and products are being developed
2015: First automotive Xen based platform
GlobalLogic introduces the Nautilus platform at CES 2015
2015: First embedded Arm-only Xen Distro
Xen Zynq Distribution for XILINX
The last few years: R&D
Similar order of magnitude to earlier waves
40. Sedimentation:
Functionality implemented in Software being fully or partly
implemented in Hardware
Example: PV Interrupt and Timers ➜ using IO APIC and
Posted Interrupts
Silicon vendors have always worked closely with Xen
Xen’s had a significant impact on virtualization
related technology in Hardware
I wanted to tell this story, but:
It’s very difficult to explain
And much of the work was performed under NDAs
41. What have we learned?
What can you learn from Xen?
42. Culture enables Innovation
Accept changes for non-Core Use Cases
In our case this was not planned: we inherited the culture
But: do not sacrifice due diligence and future-proofing
Help people trying to adopt Xen for non-Core Use Cases
We were bad at this until about 3 years ago
Work with new ideas, forks and distributions
Developer Events: allow air-time for new ideas
Forks are not always bad: Samsung fork hosted by us
OpenXT (distro): close collaboration is key
43. Process enables Innovation
Feature/Configuration Classification
Experimental ➜ Tech Preview ➜ Supported
Marked non-Core functionality as Experimental or Preview
Maintainership
Contributors need to step up for larger non-Core Features
Proves longer term commitment by the contributor
Deprecation of Features
Intent to deprecate is announced on list: identify objections
Remove non-core Features, if stale or not used
44. Tension need to be Managed
Vendors have different Priorities
These can lead to conflicts
Non-Core vs. Core arguments can be ugly
Active community management is required
New Processes can lead to Tensions
Security Vulnerability Management led to problems
Who deals with a Vulnerability in non-Core code?
We didn’t understand this ➜ created tension and rejection
of non-Core features until we modified the process
45. Process enables Innovation
Security Support
The security team does not handle non-Core Vulnerabilities
– Supported Feature without Security Support
– Delegated Security Support (e.g. ARINC653 scheduler)
KCONFIG based Configuration Management
Larger non-core features are build or run-time disabled
Subprojects as incubators for New Ideas
Can be used to foster innovation on the periphery
Examples: MirageOS, Automotive Project, Unikraft
48. Safety Certification
Driven by interest in embedded and automotive usage
So far the focus was on features and code size
BUT: vendors are actively looking for help from the project
to make building safety certified products sustainable on
top of Xen Project
2018: Experiments to identify impact on community
Experiments with MISRA C compliance ➜
Challenging because changes often lead to an emotional
response with far too much debate ➜ Change of
approach is needed
49. Safety Certification: Tensions^2
We may need to make significant changes
To coding standards: e.g. MISRA C
To existing processes: more requirements, design, etc.
documents ➜ enforce existing process, but vigorously
New processes and tools: not yet clear
Discussions suffer from lack of knowledge: what is really
needed?
High stakes: Risks if no workable solution is found
Vendors could go elsewhere
A fork of the project
50. Our Approach for now
Bring community leaders and “experts together”
Establish understanding of the needs of each side
Dispel myths: there are many
Identify gaps and what would need to change
Establish a change process and keep up momentum
Be prepared to adapt/fail/abandon
It may not be possible to find a compromise that works
for all stake-holders
Editor's Notes
Thank you for coming
This talk I will cover key aspects of the history of the Xen Project,
which has been a story of Innovation, Products and sometimesStruggle.
Our story started October 2003, when Xen 1.0 was released and with it the source code
Most of you known that Xen had quite a profound
impact on our industry and was instrumental in
creating cloud computing
But today, I wanted to cover lesser well known
Aspects of Xens history, which had a profound
impact on the project and its direction and potential.
And of course this cant be a completestory: we have to focus on some elements
Finally we will draw somelessons which may be useful for other projects.
Been with the project since 2011: 7 years
Thank you to the contributors of this talk who helped me verify some of the bits that happenedbefore I joined
4 MINS
As this is talk is in the collaboration talk, I thought it is necessary to introduce Xenand the Xen Project and what it is today
I am not going to talk about Unikernels: there is a talk at 16:40 todayby Florian one of our community members
6 MINS
These were from the original Xen paper
Published yesterday at the
Symposium on Operating Systems Principles
15 years ago
What is interesting is that some of theterminology was created or popularizedbecause of Xen
Some of the original design goals, which are still relevant today
were
There were of course others, which are not relevant today
9 MINS
Family tree of product categories on the left and products on the right
2006: cloud computing by AWS
2007: laid the foundation for use of Xen in the military (e.g. on aircraft carriers)This is not well known and has also influenced the direction of the project
2009: we saw an attempt to bring Xen to desktops, which ultimately floppedYear of the desktop anyone?
2010: Galois created HalVM the 1st Unikernel (and also released the 1st commercial Unikernel based product 6 years later)
2012/13: we saw the emergence of Xen as basis for security solution fordesktops such as Qubes OS – SecureView is similar but also
Same time: we saw the emergence of what a call a breed of securityapplications and also Xen starting to push into embedded use cases(at that time primarily for defense use)
2 years later: that market segment expanded into the Armspace and automotive2 years ago, we saw the 1st Virtual Machine Introspectionbased products
11 MINS
… Given the intentions behind the projectWhat we have today, is NOT what Xen was built for
The first reason had to do with
The fact that Xen came out of a University => affinity to research and cool ideas
But: more importantly it comes backto a strong sec mindset that can betraced back to some of the originaldesign goals
That design goal was Modularity, which was implemented using pluggable Dom0, system services and disaggregation
Dom0: Linux or BSDs and in the near future we will see RTOSes or systems without a Dom0
System services: 2 XenStore variants, 1 Device Emulator (but use is optional in some configurations) and 3 different toolstacks
To explain the idea of disaggregation I have to become a little bit technical
Which creates an extra security boundary
This was in particular true for the PV protocols (the interfaces between the various Xen components)and grant tables which are unique to Xen and enable this technology
Coming back to the idea of mindset and cultureBECAUSE of it IN GENERAL security
Technology contribution were usually up-streamedwithout any resistance
16 MINS
And these technologies, many of which are still NOT USED
today in server virtualization and cloud computing ENABLED an entire new eco-system around Xen
But of course non of this isn’t an entirely happy story
The reason is what I call tension between
Core=server virt
NonCore=Everything else
In other words, until 2017 all the contributors from products in non-core UCs relied on the good-will of maintainers working on core use-cases. And as you can imaging, this has not always been a smooth ride for noncore contributors.
18 MINSSo let’s look at this in some more detail.
But first:
Remember that many of these technologies were initially up streamed 10-12 years agoWHEN the attitude to security in computingwas much more relaxed than today
Tension led to cutting corners which sacrificed ease of use
Product schedule pressure=>Putting functionality into Dom0 1st sacrificing part of the original design goals (bit not do much that those goals would become unachievable=> NonCore contributions didn’t get the degree of due diligence than it should have [aka future proofing]
Example: … Qubes OS, OpenXT, … almost everyone who uses disaggregation did their own
In summary!
There are plenty of examples of open source projects where features for non-Core use-cases simply would never be upstreamed
Example is QEMU: machine emulator and virtualizer which Xen usesXen uses QEMU as a library for emulated devices and back-ends And we have tried multiple times over many years to upstream sucha configuration with no success BECAUSE the library UC was
considered non-core for QEMU
20 MINS
But this isn’t the full story … The next part of the storystarts when the US DoD gets involved in Xen which was a key ingredient in creating a securityeco-system around Xen
That story starts at …
22 MINS
And it covers the emergence of the Defense Applicationbranch of our family tree
DoD: This is something that was not very well known in the community until last year when this info was shared at the platform security summit
25: MINS
SO I mentioned the Xenon VMM before
The Common Criteria related research eventually led to
a prototype of the Xenon VMM => one key aspect of
that work was to shrink Xen on x86 … I quoted some
of the work her
And there are really two interesting things … HIGHLIGHT
This validated the modular design of Xen
And it showed that you cut create a cut-down x86variant of Xen in 3 man years WHILE tracking 3Xen releases (4.0 – 4.2)
The tragedy was that this was never attempted to be upstreamed by the authors, BUT this was laterpicked up by other vendors upstreaming similarwork (a lot of what is coming in Xen 4.12 isabout reducing the code size)
Another key ingredient was the attempt by 3 vendors in
2009 to bring Xen based desktop solutions to market. Ultimately this failed primarily for the similar reasons we neverreached the year of the Linux Desktop
But: this was a stepping stone to highly secure Desktop Solutions such as Qubes OSand OpenXT and SecureView
These technologies demonstrated what is possiblewith Xen from a security viewpoint, which later onwas built upon
27: So it’s time to reflect a little
We essentially created a virtuous cycle by which engagementby security researchers and security contributionsXen became a very attractive platform to do security research
28: Laid the foundation for a new class of productsDespite the fact that none of the features these products depended uponwere features used in products related to the Core UCs
There is a related story around Graphics Virtualization
It’s long and complicated, but it is closely tied up with the
Security story here
Where the outcome was different and the technology iswidely used today
32:
VMI = Panopticon vs. a Camera in Each Prison Cell
Georgia Tech,Atlanta
Georgia Tech,Atlanta
2011: There were significant additions to the API by a startup called Virtuata which later was acquiredby CISCO
Georgia Tech,Atlanta
Georgia Tech,Atlanta
40:
Xen Security Modules: producing policy configs; not enoughcustomer demand to motivate taking this on for Server/Cloud.
41: The next part of the story explains how we got from there to embedded
and automotive, primarily on Arm
That story started in Seoul in 2008
Fork: there were multiple attempts first byIan Pratt and later by me to convince Samsungto mainline this port. That did not succeed, sothe next best thing was to support the portas a fork hosted by the project
This as well as desktop example is actually a great exampleof how activities which ultimately were not commercially successful (there are no Xen based phones today)
laid the groundwork for what came after.
From my perspective, what some would see asfailure I see as experimentation that has fuelled
Innovation in the project.
43:
46: not the complete picture
Because there was actually a missing link from
X86 to Arm – that link was Dornerworks =Embedded Consultancy with a strong Defence Industry background
Took some of the ideas of XenonThey added and unstreamed Avionics related technology to Xensuch as the ARINC scheduler
And were the first to seriously work on functional safety for XenThis led to the first Xen based product (ARLX which was safety certified)
48: And this sparked a new evolutionary wave within our family tree aroundembedded and automotive
R&D by Samsung, Renesas, ADIT, Bosch, LG, …
The leader of this pack in our community is EPAM which have been bringing many innovations to Xen
50: Sedimentation is the idea of functionality moving down the software stack the more commoditized it gets|And if it is really popular or important it will move into hardware
33:
But: we did not do this well at the beginningConsequence: XSM would be a great technology for Server/Cloud security today, but to make the paradigm work requires significant re-work
Xen has been non-core to Linux for the first 10 years of it’s life:
partly also the reason why we are more open to new ideas
Didn’t want to inflict the pain Linux inflicted on us on our downstreams
Arm port into XenGetting Xen Linux support upstreamed
…
All were managed as subprojects with a defined goal