Xen Changelog

What's new in Xen 4.12.0

Apr 3, 2019

SECURITY & CODE SIZE:
The Xen 4.12 release builds upon the security features of previous releases, continuing Xen’s legacy of being the safest and most stable hypervisor for security-focused environments.
HVM/PVH and PV only Hypervisor: The new Xen Project 4.12 release separates the HVM/PVH and PV code paths in Xen and provides KCONFIG options to build a PV only or HVM/PVH only hypervisor. This enables Xen based security products such as Qubes OS, Star Lab Crucible, & OpenXT to build products with vastly reduced memory footprints and attack surface more easily. In addition, the release enables cloud and hosting providers which do not offer support for PV guests to deploy HVM/PVH only hypervisors which in turn, increases security.
QEMU Deprivilege (DM_RESTRICT): The Xen 4.9 – 4.11 releases laid the groundwork for the QEMU Deprivilege, limiting the impact of security vulnerabilities that originate QEMU. In Xen 4.12, this feature has been vastly improved. The majority of restrictions and features have been implemented, improving security and readiness for wide-scale testing. Support for VM migration has also been added and defense-in-depth techniques using chroot, RLIMITs, and Linux namespaces which are used to protect against privilege escalations from QEMU to Xen and VM’s.
Argo – Hypervisor-Mediated data eXchange: Argo is a new inter-domain communication mechanism that is designed for security, safety and mixed-criticality systems with isolation properties that go beyond those of existing inter-domain communication mechanisms. Argo is designed to be robust and simple to use correctly, securely and safely. In addition, Argo meets requirements for performance isolation between domains, to prevent negative performance impact from malicious or disruptive activity of other domains, or even other VCPUs of the same domain. It follows Multiple Independent Levels of Security/Safety (MILS) architecture foundational principles. Argo provides Xen hypervisor primitives to transmit data between VMs, by performing data copies into receive memory rings registered by domains. It does not require memory sharing between VMs and does not use grant tables or Xenstore.
Improvements to Virtual Machine Introspection: The VMI subsystem which allows detection of 0-day vulnerabilities has seen many functional and performance improvements. Altp2m (see https://xenproject.org/tag/alt2pm/) and Intel #VE/VMFUNC support within the subsystem have been tuned and hardened. These two technologies reduce the performance overhead of Virtual Machine Introspection by 5% to 20% depending on workload.
X86 ARCHITECTURAL RENEWAL:
The new Xen 4.12 features renew how x86 architecture support is implemented in Xen, a multi-year effort that is nearing completion.
Credit 2 Scheduler: The Credit2 scheduler is now the Xen Project default scheduler. This Credit2 scheduler represents several years worth of effort to create the next-generation scheduler for Xen. It is designed specifically for performance of latency-sensitive workloads, as well as scalability and predictability.
PVH Support: Grub2 boot support has been added to Xen and Grub2. These additions enable users to boot any PVH guest kernel via the grub menu. The updates to PHV also improves its stability.
PVH Dom0: PVH Dom0 support has now been upgraded from experimental to tech preview. This upgrade, exclusive to Intel Hardware, resolves various bugs and features several improvements such as the new dom0-iommu=map-reserved option which can be used to work around broken firmware when using a PVH Dom0. Support for migrating domUs from a PVH dom0 has also been included.
EMBEDDED/AUTOMOTIVE:
The Project is working to make Xen more easily safety certifiable targeting embedded and automotive use-cases. These new upgrades will increase the viability of Xen for use in mixed-criticality systems.
Dom0less VMs for statically partitioned systems: The new Xen 4.12 upgrade makes it possible to create and boot Arm VMs from Device Tree immediately after starting Xen. In traditional Xen environments, VMs can only be started after Dom0 kernel, user space and the toolstack are up and running. The upgrade decreases boot time by more than 90%. Dom0less VMs extend the usage of Xen to statically partitioned mixed-criticality systems. Xen is planning on extending the concept of Dom0less in subsequent releases to allow building Xen Systems entirely without a Dom0. This, in turn, will reduce the cost of safety certification significantly.
Tiny Arm Configurations: The Xen 4.12 upgrade allows users to build a tiny Arm configuration with less than 50 KSLOC, which in turn reduces the cost of safety certification for Xen based systems. This new functionality allows building Xen variants for specific hardware such as Renesas RCar 3 and Xilinx Ultrascale+ MPSoC with a minimal set of drivers and features that are needed for mixed-criticality systems.
Additional Technical Features
The new Xen 4.12 upgrade also includes improved IOMMU mapping code, which is designed to significantly improve the startup times of AMD EPYC based systems.
The upgrade also features Automatic Dom0 Sizing which allows the setting of Dom0 memory size as a percentage of host memory (e.g. 10%) or with an offset (e.g. 1G+10%).

New in Xen 4.11.1 (Dec 17, 2018)

update Xen version to 4.11.1
x86/dom0: Avoid using 1G superpages if shadowing may be necessary
x86/shadow: shrink struct page_info's shadow_flags to 16 bits
x86/shadow: move OOS flag bit positions
x86/mm: Don't perform flush after failing to update a guests L1e
x86/mm: Put the gfn on all paths after get_gfn_query()
x86/hvm/ioreq: use ref-counted target-assigned shared pages
x86/hvm/ioreq: fix page referencing
AMD/IOMMU: suppress PTE merging after initial table creation
amd/iommu: fix flush checks
stubdom/vtpm: fix memcmp in TPM_ChangeAuthAsymFinish
x86: work around HLE host lockup erratum
x86: extend get_platform_badpages() interface
Release: add release note link to SUPPORT.md
x86/pv: Fix crash when using `xl set-parameter pcid=...`
tools/dombuilder: Initialise vcpu debug registers correctly
x86/domain: Initialise vcpu debug registers correctly
x86/boot: Initialise the debug registers correctly
x86/boot: enable NMIs after traps init
vtd: add missing check for shared EPT...
x86: fix "xpti=" and "pv-l1tf=" yet again
x86: split opt_pv_l1tf
x86: split opt_xpti
x86: silence false log messages for plain "xpti" / "pv-l1tf"
x86/vvmx: Disallow the use of VT-x instructions when nested virt is disabled
stubdom/grub.patches: Drop docs changes, for licensing reasons
tools/tests: fix an xs-test.c issue
x86/boot: Allocate one extra module slot for Xen image placement
xen: sched/Credit2: fix bug when moving CPUs between two Credit2 cpupools
x86/hvm/emulate: make sure rep I/O emulation does not cross GFN boundaries
x86/efi: split compiler vs linker support
x86/efi: move the logic to detect PE build support
x86/shutdown: use ACPI reboot method for Dell PowerEdge R540
x86: assorted array_index_nospec() insertions
VT-d/dmar: iommu mem leak fix
rangeset: make inquiry functions tolerate NULL inputs
x86/setup: Avoid OoB E820 lookup when calculating the L1TF safe address
x86/hvm/ioreq: MMIO range checking completely ignores direction flag
x86/vlapic: Bugfixes and improvements to vlapic_{read,write}()
x86/vmx: Avoid hitting BUG_ON() after EPTP-related domain_crash()
libxl: start pvqemu when 9pfs is requested
x86: write to correct variable in parse_pv_l1tf()
xl.conf: Add global affinity masks
x86: Make "spec-ctrl=no" a global disable of all mitigations
x86/spec-ctrl: Introduce an option to control L1D_FLUSH for HVM HAP guests
x86/msr: Virtualise MSR_FLUSH_CMD for guests
x86/spec-ctrl: CPUID/MSR definitions for L1D_FLUSH
x86/pv: Force a guest into shadow mode when it writes an L1TF-vulnerable PTE
x86/mm: Plumbing to allow any PTE update to fail with -ERESTART
x86/shadow: Infrastructure to force a PV guest into shadow mode
x86/spec-ctrl: Introduce an option to control L1TF mitigation for PV guests
x86/spec-ctrl: Calculate safe PTE addresses for L1TF mitigations
tools/oxenstored: Make evaluation order explicit
x86/vtx: Fix the checking for unknown/invalid MSR_DEBUGCTL bits
ARM: disable grant table v2
VMX: fix vmx_{find,del}_msr() build
x86/vmx: Support load-only guest MSR list entries
x86/vmx: Pass an MSR value into vmx_msr_add()
x86/vmx: Improvements to LBR MSR handling
x86/vmx: Support remote access to the MSR lists
x86/vmx: Factor locate_msr_entry() out of vmx_find_msr() and vmx_add_msr()
x86/vmx: Internal cleanup for MSR load/save infrastructure
x86/vmx: API improvements for MSR load/save infrastructure
x86/vmx: Defer vmx_vmcs_exit() as long as possible in construct_vmcs()
x86/vmx: Fix handing of MSR_DEBUGCTL on VMExit
x86/spec-ctrl: Yet more fixes for xpti= parsing
x86/spec-ctrl: Fix the parsing of xpti= on fixed Intel hardware
x86/hvm: Disallow unknown MSR_EFER bits
x86/xstate: Make errors in xstate calculations more obvious by crashing the domain
x86/xstate: Use a guests CPUID policy, rather than allowing all features
x86/vmx: Don't clobber %dr6 while debugging state is lazy
x86: command line option to avoid use of secondary hyper-threads
x86: possibly bring up all CPUs even if not all are supposed to be used
x86: distinguish CPU offlining from CPU removal
x86/AMD: distinguish compute units from hyper-threads
cpupools: fix state when downing a CPU failed
x86/svm Fixes and cleanup to svm_inject_event()
allow cpu_down() to be called earlier
mm/page_alloc: correct first_dirty calculations during block merging
xen: oprofile/nmi_int.c: Drop unwanted sexual reference
x86/spec-ctrl: command line handling adjustments
x86: correctly set nonlazy_xstate_used when loading full state
xen: Port the array_index_nospec() infrastructure from Linux
xen/Makefile: Bump version to 4.11.1-pre for ongoing 4.11 stable branch
This release contains NO fixes to qemu-traditional.

New in Xen 4.10.1 (May 15, 2018)

c30ab3d97c: SUPPORT.md: Add missing support lifetime information
5f6000a985: adapt SUPPORT.md to match 4.11
f9e1bddbc8: SUPPORT.md: Fix a typo
3614c7d949: SUPPORT.md: Document the new text ordering rule
6f8e8bae87: SUPPORT.md: Move descriptions up before Status info
2e02212848: docs/Makefile: Format SUPPORT.md into the toplevel
73c8c2c211: docs/Makefile: Introduce GENERATE_PANDOC_RULE_RAW
c07d2195b0: docs/gen-html-index: Support documents at the toplevel
0609dd1c5e: docs/gen-html-index: Extract titles from HTML documents
a3459c741e: SUPPORT.md: Syntax: Provide a title rather than a spurious empty section
de3ccf0790: SUPPORT.md: Syntax: Fix a typo "States"
f7a7eeac29: SUPPORT.md: Syntax: Fix some bullet lists
cba8690ea8: x86: fix slow int80 path after XPTI additions
d27de97cd1: libxl: Specify format of inserted cdrom
656c14780c: x86/msr: Correct the emulation behaviour of MSR_PRED_CMD
8d37ee1d10: x86/VT-x: Fix determination of EFER.LMA in vmcs_dump_vcpu()
696b24dfe1: x86/HVM: suppress I/O completion for port output
41015e7945: x86/pv: Fix up erroneous segments for 32bit syscall entry
4f12a18bc2: x86/XPTI: reduce .text.entry
649e617335: x86: log XPTI enabled status
bd26592fdf: x86: disable XPTI when RDCL_NO
afece29fe9: x86/pv: Fix the handing of writes to %dr7
2e34343fb2: xen/arm: Relax ARM_SMCCC_ARCH_WORKAROUND_1 discovery
d9756ca980: xen/arm: vpsci: Rework the logic to start AArch32 vCPU in Thumb mode
e2ee191d3d: xen/arm: vpsci: Introduce and use PSCI_INVALID_ADDRESS
2efc116c68: xen/arm: psci: Consolidate PSCI version print
51742fbc08: xen/arm: vpsci: Remove parameter 'ver' from do_common_cpu
4fcd9d14b1: xen/arm64: Kill PSCI_GET_VERSION as a variant-2 workaround
1ef0574d3b: xen/arm64: Add ARM_SMCCC_ARCH_WORKAROUND_1 BP hardening support
ee109adca7: xen/arm: smccc: Implement SMCCC v1.1 inline primitive
b2682eddc2: xen/arm: psci: Detect SMCCC version
9746779afb: xen/arm: smccc: Add macros SMCCC_VERSION, SMCCC_VERSION_{MINOR, MAJOR}
1d99ad5b35: xen/arm64: Print a per-CPU message with the BP hardening method used
9beb8a4461: xen/arm64: Implement a fast path for handling SMCCC_ARCH_WORKAROUND_1
ef4b4d7ab0: xen/arm: Adapt smccc.h to be able to use it in assembly code
df71252060: xen/arm: vsmc: Implement SMCCC_ARCH_WORKAROUND_1 BP hardening support
7f9ebebcec: xen/arm: vsmc: Implement SMCCC 1.1
4eb96e3eda: xen/arm: vpsci: Add support for PSCI 1.1
3087ba8278: xen/arm: psci: Rework the PSCI definitions
76a6dddcf8: xen/arm: vpsci: Move PSCI function dispatching from vsmc.c to vpsci.c
0f92968bcf: x86/vlapic: clear TMR bit upon acceptance of edge-triggered interrupt to IRR
9e9185f661: SUPPORT.md: Specify support for various image formats
e87e798673: SUPPORT.md: Clarify that the PV keyboard protocol includes mouse support
6131a2c0ed: cpufreq/ondemand: fix race while offlining CPU
47621a4ed1: x86: remove CR reads from exit-to-guest path
489cfbc1b9: x86: slightly reduce Meltdown band-aid overhead
860f470ba1: x86/xpti: don't map stack guard pages
8462c575d9: x86/xpti: Hide almost all of .text and all .data/.rodata/.bss mappings
cee48d83cb: x86: ignore guest microcode loading attempts
20db434e90: ocaml: fix arm build
0d2f9c89f7: Merge branch 'merge-comet-staging-4.10-v1' into staging-4.10
a1189f93ef: libxl/pvh: force PVH guests to use the xenstore shutdown
c37114cbf8: x86/HVM: don't give the wrong impression of WRMSR succeeding
5ede9f9600: x86/PV: fix off-by-one in I/O bitmap limit check
7e0796d3fe: grant: Release domain lock on 'map' path in cache_flush
b9aa790d31: x86/pv: Avoid leaking other guests' MSR_TSC_AUX values into PV context
4867afbc95: x86/nmi: start NMI watchdog on CPU0 after SMP bootstrap
3deb58f832: x86/srat: fix end calculation in nodes_cover_memory()
3376822f15: x86/hvm/dmop: only copy what is needed to/from the guest
37dd90787e: x86/entry: Use 32bit xors rater than 64bit xors for clearing GPRs
296705818c: x86/emul: Fix the decoding of segment overrides in 64bit mode
0857b09aae: x86/spec_ctrl: Fix several bugs in SPEC_CTRL_ENTRY_FROM_INTR_IST
4195d40e31: x86/srat: fix the end pfn check in valid_numa_range()
ab62fc3171: x86: reduce Meltdown band-aid IPI overhead
0e10f28586: x86/NMI: invert condition in nmi_show_execution_state()
a05fc8e5be: x86/emul: Fix the emulation of invlpga
083bd83354: ignores: update .hgignore
b0e975c822: ignores: update list of git ignored files
def29407de: firmware/shim: better filtering of intermediate files during Xen tree setup
8c3bbc7c2b: firmware/shim: better filtering of dependency files during Xen tree setup
cee8bb62ff: build: remove shim related targets
08a941bdac: shim: allow building of just the shim with build-ID-incapable linker
7dc817b750: firmware/shim: avoid mkdir error during Xen tree setup
21080841ae: firmware/shim: correctly handle errors during Xen tree setup
dc4a23b115: firmware/shim: update Makefile
da7543dd32: x86/shim: don't use 32-bit compare on boolean variable
9fd27db52a: xen/pvshim: fix GNTTABOP_query_size hypercall forwarding with SMAP
6d9b6bf418: Revert "x86/boot: Map more than the first 16MB"
79f04299ca: x86: relocate pvh_info
9ce99ad413: xen/shim: stash RSDP address for ACPI driver
186c2f57bd: libxl: lower shim related message to level DEBUG
357bf02e49: x86/shim: use credit scheduler
81306edf86: x86/guest: clean up guest/xen.h
14e1a434f4: libxl: remove whitespaces introduced in 62982da926
b869742c99: xen/pvshim: switch shim.c to use typesafe mfn_to_page and virt_to_mfn
d691e41793: xen/pvshim: fix coding style issues
ee478f4737: xen/pvshim: re-order replace_va_mapping code
f05a7c5148: xen/pvshim: identity pin shim vCPUs to pCPUs
7027acfc1f: tools: fix arm build after bdf693ee61b48
bc513e82ed: Don't build xen-shim for 32 bit build host
af63193017: Revert "x86/guest: use the vcpu_info area from shared_info"
a44e83b712: x86/shim: commit shim.config changes for 4.10 branch
da3a46d017: Merge tag '4.10.0-shim-comet-3' into staging-4.10
b6a6458b13: xen/arm: Flush TLBs before turning on the MMU to avoid stale entries
e3dfd5d1dd: xen/arm: vgic: Make sure the number of SPIs is a multiple of 32
a6780c122b: x86/hvm: Disallow the creation of HVM domains without Local APIC emulation
16edf98e95: gnttab: don't blindly free status pages upon version change
e2ceb2ed66: gnttab/ARM: don't corrupt shared GFN array
1b1c059099: memory: don't implicitly unpin for decrease-reservation
5e91fc4d3b: xen/arm: cpuerrata: Actually check errata on non-boot CPUs
3921128fcb: xen/arm: vsmc: Don't implement function IDs that don't exist
cd2e1436b1: xen/arm: vpsci: Removing dummy MIGRATE and MIGRATE_INFO_UP_CPU
3181472a5c: x86/idle: Clear SPEC_CTRL while idle
5644514050: x86/cpuid: Offer Indirect Branch Controls to guests
db12743f2d: x86/ctxt: Issue a speculation barrier between vcpu contexts
bc0e599a83: x86/boot: Calculate the most appropriate BTI mitigation to use
fc81946cea: x86/entry: Avoid using alternatives in NMI/#MC paths
ce7d7c0168: x86/entry: Organise the clobbering of the RSB/RAS on entry to Xen
a695f8dce7: x86/entry: Organise the use of MSR_SPEC_CTRL at each entry/exit point
92efbe8658: x86/hvm: Permit guests direct access to MSR_{SPEC_CTRL,PRED_CMD}
8baba874d6: x86/migrate: Move MSR_SPEC_CTRL on migrate
79891ef944: x86/msr: Emulation of MSR_{SPEC_CTRL,PRED_CMD} for guests
641c11ef29: x86/cpuid: Handling of IBRS/IBPB, STIBP and IBRS for guests
05eba93a0a: x86: fix GET_STACK_END
a69cfdf0c1: x86/acpi: process softirqs while printing CPU ACPI data
0f4be6e2c4: xen/x86: report domain id on cpuid
0a7e6b50e0: x86/svm: Offer CPUID Faulting to AMD HVM guests as well
65ee6e043a: x86/cmdline: Introduce a command line option to disable IBRS/IBPB, STIBP and IBPB
129880dd8f: x86/feature: Definitions for Indirect Branch Controls
c513244d8e: x86: Introduce alternative indirect thunks
0e12c2c881: x86/amd: Try to set lfence as being Dispatch Serialising
6aaf353f2e: x86/boot: Report details of speculative mitigations
32babfc19a: x86: Support indirect thunks from assembly code
47bbcb2dd1: x86: Support compiling with indirect branch thunks
8743fc2ef7: common/wait: Clarifications to wait infrastructure
1830b20b6b: x86/entry: Erase guest GPR state on entry to Xen
ab95cb0d94: x86/hvm: Use SAVE_ALL to construct the cpu_user_regs frame after VMExit
d02ef3d274: x86/entry: Rearrange RESTORE_ALL to restore register in stack order
e32f814160: x86: Introduce a common cpuid_policy_updated()
c534ab4e94: x86/hvm: Rename update_guest_vendor() callback to cpuid_policy_changed()
be3138b6f6: x86/alt: Introduce ALTERNATIVE{,_2} macros
79012ead93: x86/alt: Break out alternative-asm into a separate header file
bbd093c503: xen/arm32: entry: Document the purpose of r11 in the traps handler
a69a8b5fdc: xen/arm32: Invalidate icache on guest exist for Cortex-A15
f167ebf6b3: xen/arm32: Invalidate BTB on guest exit for Cortex A17 and 12
c4c0187839: xen/arm32: Add skeleton to harden branch predictor aliasing attacks
19ad8a7287: xen/arm32: entry: Add missing trap_reset entry
3caf32c470: xen/arm32: Add missing MIDR values for Cortex-A17 and A12
df7be94f26: xen/arm32: entry: Consolidate DEFINE_TRAP_ENTRY_* macros
f379b70609: SUPPORT.md: Fix version and Initial-Release
728fadb586: xen/arm: cpuerrata: Remove percpu.h include
928112900e: xen/arm64: Implement branch predictor hardening for affected Cortex-A CPUs
cae6e1572f: xen/arm64: Add skeleton to harden the branch predictor aliasing attacks
d1f4283a1d: xen/arm: cpuerrata: Add MIDR_ALL_VERSIONS
0f7a4faafb: xen/arm64: Add missing MIDR values for Cortex-A72, A73 and A75
b829d42829: xen/arm: Introduce enable callback to enable a capabilities on each online CPU
fa23f2aaa2: xen/pvh: place the trampoline at page 0x1
79f797c3f4: firmware/shim: fix build process to use POSIX find options
69f4d872e5: x86/guest: use the vcpu_info area from shared_info
7cccd6f748: x86: allow Meltdown band-aid to be disabled
234f481337: x86: Meltdown band-aid against malicious 64-bit PV guests
57dc197cf0: x86/mm: Always set _PAGE_ACCESSED on L4e updates
7209b8bf08: x86: Don't use potentially incorrect CPUID values for topology information
910dd005da: x86/entry: Remove support for partial cpu_user_regs frames
50d24b9530: x86/upcall: inject a spurious event after setting upcall vector
c89c622b89: x86/E820: don't overrun array
3b8d88d4fa: x86/IRQ: conditionally preserve access permission on map error paths
6f1979c8e4: -xen-attach is needed for pvh boot with qemu-xen
0a515eeb96: xen/pvshim: map vcpu_info earlier for APs
0e2d64ae8f: xl: pvshim: Provide and document xl config
ab9e3854dd: libxl: pvshim: Introduce pvshim_extra
abdde49edc: libxl: pvshim: Provide first-class config settings to enable shim mode
321ef983a0: xen/shim: allow DomU to have as many vcpus as available
c9083de0ae: xen/shim: crash instead of reboot in shim mode
b5be9c817d: xen/pvshim: use default position for the m2p mappings
9d60bc96be: xen/shim: modify shim_mem parameter behaviour
29dd3142bf: xen/pvshim: memory hotplug
5b6c3ffa1d: xen/pvshim: support vCPU hotplug
004646a1dd: xen/pvshim: set max_pages to the value of tot_pages
7dcc20e0c8: xen/pvshim: add shim_mem cmdline parameter
83c838c9f8: xen/pvshim: add migration support
cc7d96b98c: x86/pv-shim: shadow PV console's page for L2 DomU
7f5eb7d04e: xen/pvshim: add grant table operations
bbad376ab1: xen/pvshim: forward evtchn ops between L0 Xen and L2 DomU
da4518c559: xen/pvshim: set correct domid value
1cd703979f: xen/pvshim: modify Dom0 builder in order to build a DomU
60dd95357c: xen: mark xenstore/console pages as RAM
0ba5d8c275: xen/pvshim: skip Dom0-only domain builder parts
4ba6447e7d: xen/pvh: do not mark the low 1MB as IO mem
2b8a95a296: xen/x86: make VGA support selectable
cdb1fb4921: xen/arm: bootfdt: Use proper default for #address-cells and #size-cells
a40186478c: xen/arm: gic-v3: Bail out if gicv3_cpu_init fail
3784256866: tools/firmware: Build and install xen-shim
b5ead1fad3: x86/shim: Kconfig and command line options
aa96a59dc2: x86/guest: use PV console for Xen/Dom0 I/O
7477359b9a: x86/guest: add PV console code
cb5dc94ba7: x86/guest: setup event channel upcall vector
3b058a3eab: x86: don't swallow the first command line item in guest mode
5a543c6f39: x86: read wallclock from Xen when running in pvh mode
949eb11d58: x86: APIC timer calibration when running as a guest
f5ca36927e: x86: xen pv clock time source
68e7a08436: x86/guest: map per-cpu vcpu_info area.
d2df09c92b: xen/guest: fetch vCPU ID from Xen
efa15c993b: x86/guest: map shared_info page
83186a8e69: xen/pvshim: keep track of used PFN ranges
1fa5444834: xen: introduce rangeset_claim_range
10128f33aa: xen/console: Introduce console=xen
2f5a012143: x86/pvh: Retrieve memory map from Xen
9752c7422b: x86/shutdown: Support for using SCHEDOP_{shutdown,reboot}
b38cc15b2f: x86/guest: Hypercall support
3d1afab1f6: x86/entry: Probe for Xen early during boot
31b664a93f: x86/boot: Map more than the first 16MB
db65173fe7: x86/entry: Early PVH boot code
51f937a39b: x86: produce a binary that can be booted as PVH
887c705600: x86: introduce ELFNOTE macro
f575701f3c: x86/link: Relocate program headers
af2f50b2b6: x86/Kconfig: Options for Xen and PVH support
b538a13a68: x86: Common cpuid faulting support
57dc22b80d: x86/fixmap: Modify fix_to_virt() to return a void pointer
48811d481c: tools/ocaml: Extend domain_create() to take arch_domainconfig
78898c9d1b: tools/ocaml: Expose arch_config in domaininfo
e7c8187b91: xen/domctl: Return arch_config via getdomaininfo
9e46ae12ed: ACPICA: Make ACPI Power Management Timer (PM Timer) optional.
ff1fb8fe53: x86/link: Introduce and use SECTION_ALIGN
92a6295c30: x86/time: Print a more helpful error when a platform timer can't be found
78e9cc3488: xen/common: Widen the guest logging buffer slightly
667275050d: tools/libxc: Multi modules support
4621c10f48: tools/libelf: fix elf notes check for PVH guest
40938b5d56: tools/libxc: remove extraneous newline in xc_dom_load_acpi
5840f40e88: xen/x86: report domain id on cpuid
caff7f9b59: x86/svm: Offer CPUID Faulting to AMD HVM guests as well
69e302e59c: x86/upcall: inject a spurious event after setting upcall vector
a87ec4833a: x86/msr: Free msr_vcpu_policy during vcpu destruction
9dc5eda576: x86/vmx: Don't use hvm_inject_hw_exception() in long_mode_do_msr_write()
135b67e9bd: xen/efi: Fix build with clang-5.0
682a9d8d37: gnttab: improve GNTTABOP_cache_flush locking
19dcd8e47d: gnttab: correct GNTTABOP_cache_flush empty batch handling
e5364c32c6: x86/microcode: Add support for fam17h microcode loading
e2dc7b584f: x86/mm: drop bogus paging mode assertion
c8f4f45e04: x86/mb2: avoid Xen image when looking for module/crashkernel position
4150501b71: x86/vvmx: don't enable vmcs shadowing for nested guests
ab7be6ce4a: xen/pv: Construct d0v0's GDT properly

New in Xen 4.9.1 (Dec 27, 2017)

New in Xen 4.9.0 (Jul 4, 2017)

New Features:
Boot Xen on EFI platforms using GRUB2 (x86): From Xen Project 4.9 and GRUB2 2.02 onwards, the Xen Project Hypervisor can be booted using the multiboot2 protocol on legacy BIOS and EFI x86 platforms. Partial support for the multiboot2 protocol was also introduced into network boot firmware (iPXE). This makes the Xen Project boot process much more flexible. Boot configurations can be changed directly from within a bootloader (without having to use text editors) and boot configurations are more portable across different platforms.
Near native latency for embedded and automotive environments: The "null" scheduler enables use-cases where every virtual CPU can be assigned to a physical CPU (commonly needed for embedded and automotive environments) removing almost all of the scheduler overheads in such environments. Usage of the “null” scheduler also guarantees significantly lower latency and more predictable performance. The new vwfi parameter for ARM (virtual Wait For Interrupt) allows fine-grained control of how the Xen Project Hypervisor handles WFI instructions. Setting vwfi to "native" reduces interrupt latency by approximately 60%. Benchmarks on Xilinx Zynq Ultrascale+ MPSoC’s have shown a maximum interrupt latency of less than 2 microseconds, which is extremely close to hardware limits, and should be small enough for the vast majority of embedded use cases.
Xen 4.9 includes new standard ABIs for sharing devices between virtual machines (including reference implementations) for a number of embedded, automotive and cloud native computing use-cases.
For embedded/automotive, a virtual sound ABI was added implementing audio playback and capture as well as volume control and the possibility to mute/unmute audio sources. In addition a new virtual display ABI for complex display devices exposing multiple framebuffers and displays has been added. Multi-touch support has been added to the virtual keyboard/mouse protocol enabling touch screens.
Xen 4.9 also introduces a Xen transport for 9pfs, which is a remote filesystem protocol originally written for Plan 9. During the Xen 4.9 release cycle, a Xen 9pfs frontend was upstreamed in the Linux kernel and a backend in QEMU. It is now possible to share a filesystem (not necessarily a block device) from a virtual machine to another, which is a requirement for adding Xen support to many container engines, such as CoreOS rkt.
The PV Calls ABI has been introduced to allow forwarding POSIX requests across guests: a POSIX function call originating from an app in a DomU can be forwarded and implemented in Dom0. For example, guest networking socket calls can be executed to Dom0, enabling a new networking model which is a natural fit for cloud-native apps.
Improvements to Existing Functionality:
Xenstored optimisations: Xenstore daemons allow Dom0 and guests access to system configuration information. C-xenstored scalability limits have been increased to allow large hosts (about >1000 domains) to run efficiently. Transaction handling has been improved for better performance, smaller memory footprint and fewer transaction conflicts. Dynamic debugging capabilities have been added.
DMOP (Device Model Operation Hypercall): In Xen 4.9 the interface between Xen and QEMU was completely re-worked and consolidated. There is now only a single hypercall in Xen (the DMOP hypercall), which is carefully designed to allow the privcmd driver to audit any QEMU memory ranges and parameters that are passed to Xen via DMOP. The Linux privcmd driver enables DMOP auditing, which significantly limits the capability of a compromised QEMU to attack the hypervisor.
Alternative runtime patching and GICv3 support for ARM32: Alternative runtime patching which enables the hypervisor to apply workarounds for erratas affecting the processor and to apply optimizations specific to a CPU and GICv3 support was extended for 32-bit ARM platforms, bringing this functionality to embedded use-cases.
Intel and x86 Feature Support: The latest version of the Xen Project hypervisor adds the support of Neural Network Instructions AVX512_4VNNIW and Multiply Accumulation Single precision AVX512_4FMAPS as subfamilies of AVX512 instruction sets. With these instructions enabled in Xen for both HVM and PV guests, programs in guest OSes can take full advantage of these important instructions to speed up machine learning computing. This Xen release also further enhances VT-d Posted Interrupt (PI) optimization, Machine Check Exception(MCE) handling, and more.
System Error Detection (ARM): Xen on ARM made a step forward in reliability and serviceability with the introduction of System Error detection and reporting, a key feature for customers with highly available systems.
GCOV support: We removed the old GCOV implementation and replaced it with an updated version that supports more formats and exposes a more generic interface.
Re-work and hardening of x86 emulation code for security: Hardware-assisted virtualisation provides hypervisors with the ability to execute most privileged instructions natively and securely. However, for some boundary cases, it is still necessary to emulate x86 instructions in software. In Xen 4.9, the project completely re-worked the x86 emulation code, added support for new instructions, audited the code against security vulnerabilities and created AFL based test fuzzing tests that are regularly run against the emulator.
Updated support for Microsoft’s Hyper-V Hypervisor Top-Level Functional Specification (also known as Viridian Enlightenments): Xen implements a subset of version 5.0 of the Hyper-V Hypervisor TLFS, which enables Xen to run Windows guests at similar performance as it would run on Hyper-V. In addition, this work lays the groundwork to enable us to run Hyper-V within Xen in the future using nested virtualization.
Multi-Release Long-Term Development:
Transition from PVHv1 to PVHv2: Xen Project 4.8 laid the groundwork for re-architecting and simplifying PVH, focussing on the DomU guest ABI, which enabled Guest operating system developers to start porting their OSes to this mode. Support for FreeBSD is in progress, while support for Linux is committed. Xen 4.9 added Dom0 builder support and support for multiple virtual Intel I/O Advanced Programmable Interrupt Controllers (vIO APIC). PVHv2 for interrupt routing and PCI emulation is currently being peer reviewed and can be expected early in the Xen 4.10 release cycle. This lays the groundwork for a PVHv2 Dom0. For PVHv2 DomU support, PCI Passthrough and a major re-work of the xl/libxl and libvirt user interfaces for PVH have been started. Support for PVHv1 has been removed from the Xen Codebase.
Reworking the Xen-QEMU integration to protect against QEMU security vulnerabilities: In Xen Project 4.8, we embarked on an effort to re-work Xen-QEMU integration which amounts to sandboxing QEMU within Dom0. Significant progress was made in Xen 4.9 towards this goal, with the implementation of DMOP. Other changes such de-privileging QEMU in Dom0 and changes to the Linux privcmd driver have been mostly completed in Xen 4.9. Changes that are currently designed, but net yet implemented, are necessary changes to libxl and QEMU's usage of XenStore.

New in Xen 4.8.1 (Apr 27, 2017)

update Xen version to 4.8.1
oxenstored: trim history in the frequent_ops function
oxenstored transaction conflicts: improve logging
oxenstored: don't wake to issue no conflict-credit
oxenstored: do not commit read-only transactions
oxenstored: allow self-conflicts
oxenstored: blame the connection that caused a transaction conflict
oxenstored: track commit history
oxenstored: discard old commit-history on txn end
oxenstored: only record operations with side-effects in history
oxenstored: support commit history tracking
oxenstored: add transaction info relevant to history-tracking
oxenstored: ignore domains with no conflict-credit
oxenstored: handling of domain conflict-credit
oxenstored: comments explaining some variables
xenstored: Log when the write transaction rate limit bites
xenstored: apply a write transaction rate limit
tools/libxenctrl: fix error check after opening libxenforeignmemory
libxl: correct xenstore entry for empty cdrom
x86: use 64 bit mask when masking away mfn bits
memory: properly check guest memory ranges in XENMEM_exchange handling
xen: sched: don't call hooks of the wrong scheduler via VCPU2OP
x86/EFI: avoid Xen image when looking for module/kexec position
x86/EFI: avoid IOMMU faults on [_end,__2M_rwdata_end)
x86/EFI: avoid overrunning mb_modules[]
build/clang: fix XSM dummy policy when using clang 4.0
x86: drop unneeded __packed attributes
arm: xen_size should be paddr_t for consistency
xen/arm: alternative: Register re-mapped Xen area as a temporary virtual region
QEMU_TAG update
arm: read/write rank->vcpu atomically
xen/arm: p2m: Perform local TLB invalidation on vCPU migration
xen/arm: Introduce INVALID_VCPU_ID
xen/arm: Set nr_cpu_ids to available number of cpus
xen/arm: acpi: Relax hw domain mapping attributes to p2m_mmio_direct_c
Revert "xen/arm: Map mmio-sram nodes as un-cached memory"
xen/arm: dt: Relax hw domain mapping attributes to p2m_mmio_direct_c
xen/arm: flush icache as well when XEN_DOMCTL_cacheflush is issued
xen/arm: fix GIC_INVALID_LR
fix out of bound access to mode_strings
missing vgic_unlock_rank in gic_remove_irq_from_guest
xen/arm: Fix macro for ARM Jazelle CPU feature identification
xen/arm: traps: Emulate ICC_SRE_EL1 as RAZ/WI
xen/arm: Fix misplaced parentheses for PSCI version check
arm/irq: Reorder check when the IRQ is already used by someone
Don't clear HCR_VM bit when updating VTTBR.
x86/emul: Correct the decoding of mov to/from cr/dr
x86emul: correct decoding of vzero{all,upper}
xen: credit2: don't miss accounting while doing a credit reset.
xen: credit2: always mark a tickled pCPU as... tickled!
x86/layout: Correct Xen's idea of its own memory layout
x86/vmx: Don't leak host syscall MSR state into HVM guests
xen/arm: fix affected memory range by dcache clean functions
xen/arm: introduce vwfi parameter
arm/p2m: remove the page from p2m->pages list before freeing it
QEMU_TAG update
VMX: fix VMCS race on context-switch paths
xen/p2m: Fix p2m_flush_table for non-nested cases
x86/ept: allow write-combining on !mfn_valid() MMIO mappings again
IOMMU: always call teardown callback
x86/emulate: don't assume that addr_size == 32 implies protected mode
xen: credit2: fix shutdown/suspend when playing with cpupools.
xen: credit2: never consider CPUs outside of our cpupool.
xen: credit2: use the correct scratch cpumask.
x86/hvm: do not set msr_tsc_adjust on hvm_set_guest_tsc_fixed
x86emul: correct FPU stub asm() constraints
x86: segment attribute handling adjustments
x86emul: LOCK check adjustments
x86emul: VEX.B is ignored in compatibility mode
x86/xstate: Fix array overrun on hardware with LWP
arm/p2m: Fix regression during domain shutdown with active mem_access
libxl: fix libxl_set_memory_target
xen/arm: gic-v3: Make sure read from ICC_IAR1_EL1 is visible on the redistributor
x86/cpu: Don't update this_cpu for get_cpu_vendor(, gcv_guest)
x86/emul: Correct the return value handling of VMFUNC
x86/boot: fix build with certain older gcc versions
x86emul: CMPXCHG16B requires an aligned operand
VT-d: correct dma_msi_set_affinity()
x86emul: ignore most segment bases for 64-bit mode in is_aligned()
x86emul: MOVNTI does not allow REP prefixes
x86/VPMU: clear the overflow status of which counter happened to overflow
x86/hvm: don't unconditionally create a default ioreq server
libelf: section index 0 is special
x86emul: CMPXCHG{8,16}B ignore prefixes
xen: Fix determining when domain creation is complete
x86emul: correct PUSHF/POPF
init/FreeBSD: fix incorrect usage of $rc_pids in xendriverdomain
init/FreeBSD: add rc control variables
init/FreeBSD: fix xencommons so it can only be launched by Dom0
init/FreeBSD: remove xendriverdomain_precmd
init/FreeBSD: set correct PATH for xl devd
xsm: allow relevant permission during migrate and gpu-passthrough.
libxl: init_acpi_config should return rc in exit path, and set to 0 on success
x86/emul: add likely()/unlikely() to test harness
x86/HVM: add missing NULL check before using VMFUNC hook
x86: force EFLAGS.IF on when exiting to PV guests
x86/emul: Correct the handling of eflags with SYSCALL
QEMU_TAG update
update Xen version to 4.8.1-pre
In addition, this release also contains the following fixes to qemu-traditional:
cirrus/vnc: zap drop bitblit support from console code.
cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo
cirrus: fix oob access issue (CVE-2017-2615)
qemu: ioport_read, ioport_write: be defensive about 32-bit addresses

New in Xen 4.7.0 (Jun 23, 2016)

Usability Improvements: In Xen 4.7, a new XL command line interface to manage PVUSB devices has been introduced to manage PVUSB devices for PV guests. The new XL commands also enables hot-plugging of USB devices as well as QEMU disk backends, such as drbd, iscsi, and more in HVM guests. This new feature allows users to add and remove disk backends to virtual machines without the need to reboot the guest. In addition, the soft reset for HVM guests allows for a more graceful shutdown and restart of the HVM guest.
Support for a wider range of workloads and applications: The PV guest limit restriction of 512GB has been removed to allow the creation of huge PV domains in the TB range. TB sized VMs, coupled with Xen Project’s existing support for 512 vCPUs per VM, enable execution of memory and compute intensive workloads, like big data analytics workloads and in-memory databases.
Improved Live Migration support: CPU ID Levelling enables migration of VM’s between a larger range of non-identical hosts than previously supported.
Enhanced Development with ARM: Xen Project now supports booting on hosts that expose ACPI 6.0 (and later) information. The ARM Server Base Boot Requirements (SBBR) stipulate that compliant systems need to express hardware resources with ACPI; thus this support will come in useful for ARM Servers. This effort was carried out by Shannon Zhao of Linaro with minor patches from Julien Grall of ARM.
Additionally, PSCI 1.0 compatibility allows Xen Project software to operate on systems that expose PSCI 1.0 methods. Now, all 1.x versions of PSCI will be compatible with Xen Project software. More information on Power State Co-ordination Interface can be found here. This effort was also carried out by Julien Grall with a patch from Dirk Behme of Bosch.
New feature support for the Intel® Xeon® processor product family: Xen Project 4.7 supports VT-d Posted Interrupts, which provides hardware-level acceleration to increase interrupt virtualization efficiency. It reduces latency and improves user experience through performance improvements, especially for interrupt-intensive front- end workloads such as web servers.

New in Xen 4.6.0 (Oct 13, 2015)

General Hypervisor Updates:
The memory event subsystem has been reworked and extended to a new VM event subsystem. The new VM event subsystems supports both the ARM and x86 architectures. It can be used to intercept all sorts of VM events, such as memory access, register access and more. This enables security applications such as zero-footprint guest introspection, host-wide monitoring and many others. Have a look at Tamas’s presentations and Steve’s presentations on this topic to get more insights.
The Xen Security Modules (XSM) now have a default policy that is regularly tested in the Xen Project Test Lab to make sure it is not broken by mistake. This will enable us to switch on XSM by default in the future.
vTPM 2.0 support has been contributed by Intel and the US National Security Agency. To learn more about how to use vTPM and how it can make your host more secure, go to our wiki.
Grant table scalability has been improvement significantly by using finer-grained locks in grant tables. In some scenarios aggregate intrahost network throughput has been shown to improve by 100%. Other I/O drivers in Xen should potentially show significant performance improvements as well.
We introduced ticket lock to improve fairness, which provides better support of massive workloads from up to hundreds or thousands of VMs on a single host.
The unused SEDF scheduler has been removed from the hypervisor and toolstack. The Xen Project is committed to actively remove unused code to keep the code base small and to minimize security risks.
We removed Mini-OS from the Xen code base into its own tree. Mini-OS started as a demonstration OS, but received significant contributions in recent years (e.g. it is used by many Unikernels). We decide to treat it as a separately maintained independent project with it’s own mailing list and code tree to make it easier to consume. We hope this will help unikernel communities to more easily consume and contribute to Mini-OS, while reducing the Xen Project Hypervisor footprint.
x86-specific Hypervisor Updates:
The Intel alternate P2M framework is a new capability for VM Introspection, Security and Privacy in Xen that gives Xen the ability to host up to 10 alternate guest to physical memory domains mappings for a specific guest-domain. It is one of the key technologies to enable zero-footprint VM introspection. It can also help Xen to implement faster NFV applications.
Intel Page Modification Logging Technology offloads the page dirty logging duty to hardware. Microbenchmark shows about 7% improvement in SPECJbb and should be particularly beneficial for Live Migration.
Intel Cache Allocation Technology allows system administrators to assign more L3 cache capacity to individual VMs, resulting in lower latency and higher performance for high-priority workloads such as NFV, real-time and video-on-demand applications.
Intel Memory Bandwidth Monitoring allows system administrators to identify memory bandwidth saturation on a Xen host that may be caused by several memory-intensive VMs running on the same host. Taking corrective actions, such as migrating VMs to a different Xen host, increases scalability and performance in the data center.
Intel Reserve Memory Region reporting provides a mechanism to report and reserve memory regions for legacy devices to allow for safe device passthrough.
Virtual Performance Monitoring Unit support makes it possible to profile the Xen Project Hypervisor with the Linux perf tool. Note that some work still needs to be completed within Linux to make perf fully functional.
Virtual NUMA for HVM guest is a continuation of the NUMA work performed in Xen 4.5 and previous releases. In this release, we exposed the functionality through the XL toolstack and added firmware changes to make the feature fully functional.
ARM-specific Hypervisor Updates:
The supported number of VCPUs has been increased from 8 to 128 VCPUs on ARM64 platforms.
Passthrough for non-PCI devices allows users to passthrough devices via partial device trees. Full support for PCI device passthrough is currently being worked on.
ARM GICv2 on GICv3 support.
32 bit userspace in 64 bit guest support.
OVMF for ARM contributed by Linaro.
64K page ARM guest support.
Support for the following new Hardware Platforms has been added: Renesas R-Car Gen2, Thunder X, Huawei hip04-d04 and Xilinx ZynqMP SoC.
Toolstack Updates:
Live Migration support in libxc / libxl and has been replaced with a completely new implementation (Migration v2). The new version respects different layers in the Xen Software stack and has been designed to be more robust and extensible to better support next-generation infrastructures and work planned in subsequent hypervisor releases.
Remus – our High Availability solution – has been reworked and is now based on Migration v2.
Libxl asynchronous operations can now be cancelled. This allows libxl users to cancel long-running asynchronous operations and benefits tool stacks such as libvirt and is beneficial for integration with cloud orchestration stacks.
Improved SPICE/QXL support.
AHCI disk controller support.
A new host I/O topology query interface gives upper layer in the software stack the ability to identify the I/O topology of underlying hardware platform.
Addition of Xenalyze, which is a tool for analyzing Hypervisor trace buffers and can be used for debugging and optimization, has been added to the Xen Project codebase as a maintained feature.
Xen Project Test Lab Updates:
During the Xen 4.6 release cycle, the Xen Project created an Advisory Board funded Continuous Integration Test Lab. It currently has 24 hosts and is going to expanded in the future. This has led to significant improvements in Xen code quality and has allowed the project to expand automated test coverage. The number of test cases doubled during the 4.6 cycle. Some interesting new test cases that have been added are:
XSM
Stub Domain
VM migration using libvirt between two hosts is now tested.
Live Migration between hosts of different Xen versions is now tested and will help identify any breakage in our migration code or specification.
Test with different disk formats such as QCOW2, VHD and raw format.
More test cases are in the pipeline, including test case for OpenStack’s devstack, performance and scalability tests, FreeBSD Dom0 etc.
Linux, FreeBSD and other OSes:
During the Xen 4.6 release cycle, we made significant improvements to major operating systems we rely on to improve interoperability. Some highlights on Linux kernel development spanning from Linux 3.18 to 4.3 were:
Xen blkfront multiqueue and multipage ring support.
Xen SCSI frontend and backend support.
VPMU kernel support.
Performance improvement in mmap call.
P2M in PV guest can address 512GB or more.
For FreeBSD there were these improvements:
Experimental PVH Dom0/DomU support.
Removal of classic i386 PV port by FreeBSD developer John Baldwin.
Blkfront indirect descriptor support by FreeBSD developer Colin Percival.
Removal of broken FreeBSD specific blkfront/back extensions.
ARM32 and ARM64 guest support are underway.
Greater Ecosystem:
Project Raisin provides an easier way to build and package Xen. It also includes a basic test suite for developer to test their changes.
Our OpenStack CI loop is up and running and is testing OpenStack changes against the Xen Project Hypervisor
Xen Hypervisor support moved from quality group C to group B in OpenStack.

Xen Changelog

What's new in Xen 4.12.0

New in Xen 4.11.1 (Dec 17, 2018)

New in Xen 4.10.1 (May 15, 2018)

New in Xen 4.9.1 (Dec 27, 2017)

New in Xen 4.9.0 (Jul 4, 2017)

New in Xen 4.8.1 (Apr 27, 2017)

New in Xen 4.7.0 (Jun 23, 2016)

New in Xen 4.6.0 (Oct 13, 2015)

New in Xen 4.6.0 RC3 (Sep 14, 2015)

New in Xen 4.3.1 (Nov 4, 2013)

New in Xen 4.3.0 (Jul 10, 2013)

New in Xen 4.2.2 (May 17, 2013)

New in Xen 4.1.5 (May 17, 2013)

New in Xen 3.3.1 (Jan 13, 2009)