4. Virtualization Technologies
4.5. The Open Source Hypervisor: Xen
The open source hypervisor Xen originates from the computer laboratory of the University of Cambridge, where it was conceived in the year 2001, and the concept was first published in the year 2003, in an article called "Xen and the Art of Virtualization" [18]. Today, Xen is used in many commercial products as well as in research environments. Figure 4.1 shows the logo for the Xen hypervisor.
Figure 4.1.: The logo for the Xen hypervisor [8]
Xen is a hypervisor that can be employed on various architectures, including IA-32, x86-64, Itanium and ARM. Nowadays the Xen community develops and maintains the Virtual Machine Monitor (VMM) as free software, licensed under GPLv2. In Xen systems the Xen hypervisor always forms the lowest, and therefore most privileged, software layer on top of the system hardware, and it schedules the individual guest operating systems across the physical CPUs.
Currently the Xen developers and community members are working to get full Xen support included in the Linux mainline kernel. In early 2011 the most significant parts of Xen were accepted for inclusion in the mainline Linux kernel version 2.6.37. The next versions of the Linux kernel might offer full Xen support, which would realize the deployment of Xen virtualized environments.
As a design principle, the code base of the Xen VMM is relatively small. Xen consists of just tens of thousands of lines of code, which is orders of magnitude less than the size of an operating system kernel. In general, a smaller code base often means fewer bugs, and thus fewer security flaws which could potentially be exploited to attack a system. A Xen virtual environment basically consists of the Xen hypervisor itself, a privileged host operating system, Domain-0, as well as one or more paravirtualized guest domains and/or hardware-virtualized guest domains.
4.5.1. Domain-0: Host operating system
The host operating system in a Xen environment is termed ’Domain-0’, or ’Dom-0’ for short. Domain-0 is a specially modified Linux kernel that forms a unique virtual machine running on the Xen hypervisor. It receives special management privileges and has special rights to access physical I/O resources as well as rights to interact with the other guest domains. Any Unix-like operating system may be used as Domain-0, which will be booted automatically when the hypervisor boots.
The integrity of Domain-0 is critical for the security of the system, as Domain-0 can control and manage all further guest domains. Therefore it should be kept as small as possible and should only be used for the management of the guest operating systems. Domain-0 does not even need a Graphical User Interface and can be accessed securely by the system administrator through SSH or a similar protocol.
4.5.2. Domain-U: Guest operating systems
The counterpart of Domain-0, in Xen terminology, is called ’Domain-U’, or ’Dom-U’. It describes an unprivileged domain, which by default has no access to the hardware. Such a guest operating system is started by the Xen daemon ’xend’ in Domain-0, which the user can access with the Xen management command line tool called ’xm’ [63].
Two different types of guest domains can be created with Xen: ’paravirtualized’ guest operating systems, and Hardware Virtual Machines (HVM), which utilize special hardware-based virtualization extensions.
4.5.2.1. Paravirtualized guest operating systems
Paravirtualization requires the guest operating system to be explicitly modified to be virtualization aware. According to the CPU protection Ring model, as illustrated in figure 4.2, the hypervisor is located in the most privileged CPU ring, Ring 0, and thus the operating system has to move to another ring. For the x86 architecture the operating system will be moved to Ring 1. Since the operating system kernel sources have not been designed and developed to run in a protection ring other than Ring 0, the Xen hypervisor exposes a set of so-called ’Hypercalls’ which can be used by both Domain-0 and guest domains to directly interact with the hypervisor. Any Unix-like operating system could be modified in order to be used as a paravirtualized guest operating system in a virtualized Xen environment.
4.5.2.2. Hardware assisted virtualization: HVM guests
Paravirtualized guest operating systems have to be specially modified, in order to be more virtualization friendly. However, these modifications are not possible or feasible for all types of operating systems. For instance, the kernel sources of Microsoft Windows operating systems are closed and thus cannot be easily modified. The regular operating system has to remain in Ring 0. However, the hypervisor must be the most privileged software component in a virtualized environment, in order to be the only instance which is privileged to access the underlying hardware resources.
Since the release of version 3.0 of the Xen hypervisor, it features the capability to also run unmodified operating systems as unprivileged guest domains. A basic requirement for the virtualization of a closed-source operating system is hardware virtualization assistance of the host machine’s processor.
Intel has added special virtualization enhancements to the CPU and called the underlying technology the ’Intel Virtualization Technology (Intel VT-x)’ [52]. Intel VT-x adds a new set of commands to the processor, called ’Virtual Machine eXtension’ (VMX). Conceptually the virtualization enhancements of Intel VT-x can be thought of as an additional CPU protection Ring -1, intended for the hypervisor to be the most privileged one (see figure 4.3).
A hypervisor can run in VMX mode and can be completely invisible to the operating system, which is running in Ring 0. However, if an unmodified operating system does not ’know’ that it is running in a virtualized environment, it cannot easily take advantage of any features provided by the hypervisor. This leads to a loss of performance and flexibility. Hardware-assisted virtualization, in Xen terminology, is often referred to as a Hardware Virtual Machine (HVM).
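The distinctions drawn in sections 4.5.1 and 4.5.2 can be checked on a running host. The following is an added example, not part of the original text or of the Xen project: it parses the `xen_caps` line of `xm info` to separate paravirtualized from HVM guest support, and reads the privileged-domain marker from `/proc/xen/capabilities`. The sample output is constructed and the function names are hypothetical.

```python
# Added example: what kinds of guests can this Xen host run, and is this Domain-0?

# Constructed, trimmed sample of `xm info` output; the values are illustrative only.
SAMPLE_XM_INFO = """\
host                   : xenhost.example
release                : 2.6.32-5-xen-amd64
nr_cpus                : 4
xen_major              : 4
xen_minor              : 0
xen_caps               : xen-3.0-x86_64 xen-3.0-x86_32p hvm-3.0-x86_32 hvm-3.0-x86_32p hvm-3.0-x86_64
total_memory           : 8191
"""

# Same host as the hypervisor would report it without hardware virtualization support.
SAMPLE_NO_HVM = SAMPLE_XM_INFO.replace(
    " hvm-3.0-x86_32 hvm-3.0-x86_32p hvm-3.0-x86_64", "")


def parse_xm_info(text):
    """Turn 'key : value' lines into a dict; lines without a colon are skipped."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # values may themselves contain ':'
        if sep:
            info[key.strip()] = value.strip()
    return info


def guest_support(text):
    """Split xen_caps into paravirtualized (xen-*) and HVM (hvm-*) guest ABIs."""
    caps = parse_xm_info(text).get("xen_caps", "").split()
    return {
        "pv": sorted(c for c in caps if c.startswith("xen-")),
        "hvm": sorted(c for c in caps if c.startswith("hvm-")),
    }


def dom_role(capabilities_text):
    """/proc/xen/capabilities lists 'control_d' only in the privileged Domain-0."""
    return "Domain-0" if "control_d" in capabilities_text.split() else "Domain-U"


if __name__ == "__main__":
    support = guest_support(SAMPLE_XM_INFO)
    print("PV guest ABIs: ", support["pv"])
    print("HVM guest ABIs:", support["hvm"] or "none (no hardware assistance available)")
    print("Role:", dom_role("control_d\n"))
```

An empty `hvm` list means unmodified guests cannot be started on that host, even though paravirtualized guests still can.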