# Support statement for this release

This document describes the support status
and in particular the security support status of the Xen branch
within which you find it.

See the bottom of the file
for the definitions of the support status levels etc.

# Release Support

    Xen-Version: 4.10-unstable
    Initial-Release: n/a
    Supported-Until: TBD
    Security-Support-Until: Unreleased - not yet security-supported

# Feature Support

## Host Architecture

### x86-64

    Status: Supported

### ARM v7 + Virtualization Extensions

    Status: Supported

### ARM v8

    Status: Supported

## Host hardware support

### Physical CPU Hotplug

    Status, x86: Supported

### Physical Memory Hotplug

    Status, x86: Supported

### Host ACPI (via Domain 0)

    Status, x86 PV: Supported
    Status, ARM: Experimental

### x86/Intel Platform QoS Technologies

    Status: Tech Preview

### IOMMU

    Status, AMD IOMMU: Supported
    Status, Intel VT-d: Supported
    Status, ARM SMMUv1: Supported
    Status, ARM SMMUv2: Supported

### ARM/GICv3 ITS

    Status: Experimental

Extension to the GICv3 interrupt controller to support MSI.

## Guest Type

### x86/PV

    Status: Supported

Traditional Xen PV guest

No hardware requirements

### x86/HVM

    Status: Supported

Fully virtualised guest using hardware virtualisation extensions

Requires hardware virtualisation support (Intel VMX / AMD SVM)

### x86/PVH guest

    Status: Supported

PVH is a next-generation paravirtualized mode
designed to take advantage of hardware virtualization support when possible.
During development this was sometimes called HVMLite or PVHv2.

Requires hardware virtualisation support (Intel VMX / AMD SVM)

### ARM guest

    Status: Supported

ARM only has one guest type at the moment

## Toolstack

### xl

    Status: Supported

### Direct-boot kernel image format

    Supported, x86: bzImage, ELF
    Supported, ARM32: zImage
    Supported, ARM64: Image

Format which the toolstack accepts for direct-boot kernels

### Dom0 init support for xl

    Status, SysV: Supported
    Status, systemd: Supported
    Status, BSD-style: Supported

### JSON output support for xl

    Status: Experimental

Output of information in machine-parseable JSON format

### Open vSwitch integration for xl

    Status, Linux: Supported

### Virtual cpu hotplug

    Status: Supported

### QEMU backend hotplugging for xl

    Status: Supported

## Toolstack/3rd party

### libvirt driver for xl

    Status: Supported, Security support external

## Debugging, analysis, and crash post-mortem

### Host serial console

    Status, NS16550: Supported
    Status, EHCI: Supported
    Status, Cadence UART (ARM): Supported
    Status, PL011 UART (ARM): Supported
    Status, Exynos 4210 UART (ARM): Supported
    Status, OMAP UART (ARM): Supported
    Status, SCI(F) UART: Supported

### Hypervisor 'debug keys'

    Status: Supported, not security supported

These are functions triggered either from the host serial console,
or via the xl 'debug-keys' command,
which cause Xen to dump various hypervisor state to the console.

### Hypervisor synchronous console output (sync_console)

    Status: Supported, not security supported

Xen command-line flag to force synchronous console output.
Useful for debugging, but not suitable for production environments
due to incurred overhead.

### gdbsx

    Status, x86: Supported, not security supported

Debugger to debug ELF guests

### Soft-reset for PV guests

    Status: Supported

Soft-reset allows a new kernel to start 'from scratch' with a fresh VM state,
but with all the memory from the previous state of the VM intact.
This is primarily designed to allow "crash kernels",
which can do core dumps of memory to help with debugging in the event of a crash.

### xentrace

    Status, x86: Supported

Tool to capture Xen trace buffer data

### gcov

    Status: Supported, Not security supported

Export hypervisor coverage data suitable for analysis by gcov or lcov.

## Memory Management

### Dynamic memory control

    Status: Supported

Allows a guest to add or remove memory after boot-time.
This is typically done by a guest kernel agent known as a "balloon driver".

### Populate-on-demand memory

    Status, x86 HVM: Supported

This is a mechanism that allows normal operating systems with only a balloon driver
to boot with memory < maxmem.

### Memory Sharing

    Status, x86 HVM: Experimental

Allow sharing of identical pages between guests

### Memory Paging

    Status, x86 HVM: Experimental

Allow pages belonging to guests to be paged to disk

### Transcendent Memory

    Status: Experimental

Transcendent Memory (tmem) allows the creation of hypervisor memory pools
which guests can use to store memory
rather than caching in their own memory or swapping to disk.
Having these in the hypervisor
can allow more efficient aggregate use of memory across VMs.

### Alternative p2m

    Status, x86 HVM: Tech Preview
    Status, ARM: Tech Preview

Allows external monitoring of hypervisor memory
by maintaining multiple physical to machine (p2m) memory mappings.

## Resource Management

### CPU Pools

    Status: Supported

Groups physical cpus into distinct groups called "cpupools",
with each pool having the capability
of using different schedulers and scheduling properties.

### Credit Scheduler

    Status: Supported

A weighted proportional fair share virtual CPU scheduler.
This is the default scheduler.

### Credit2 Scheduler

    Status: Supported

A general purpose scheduler for Xen,
designed with particular focus on fairness, responsiveness, and scalability

### RTDS based Scheduler

    Status: Experimental

A soft real-time CPU scheduler
built to provide guaranteed CPU capacity to guest VMs on SMP hosts

### ARINC653 Scheduler

    Status: Supported

A periodically repeating fixed timeslice scheduler.
Currently only single-vcpu domains are supported.

### Null Scheduler

    Status: Experimental

A very simple, very static scheduling policy
that always schedules the same vCPU(s) on the same pCPU(s).
It is designed for maximum determinism and minimum overhead
on embedded platforms.

### NUMA scheduler affinity

    Status, x86: Supported

Enables NUMA aware scheduling in Xen

## Scalability

### Super page support

    Status, x86 HVM/PVH, HAP: Supported
    Status, x86 HVM/PVH, Shadow, 2MiB: Supported
    Status, ARM: Supported

NB that this refers to the ability of guests
to have higher-level page table entries point directly to memory,
improving TLB performance.
On ARM, and on x86 in HAP mode,
the guest has whatever support is enabled by the hardware.
On x86 in shadow mode, only 2MiB (L2) superpages are available;
furthermore, they do not have the performance characteristics
of hardware superpages.

Also note that this feature is independent
of the ARM "page granularity" feature (see below).

### x86/PVHVM

    Status: Supported

This is a useful label for a set of hypervisor features
which add paravirtualized functionality to HVM guests
for improved performance and scalability.
This includes exposing event channels to HVM guests.

## High Availability and Fault Tolerance

### Remus Fault Tolerance

    Status: Experimental

### COLO Manager

    Status: Experimental

### x86/vMCE

    Status: Supported

Forward Machine Check Exceptions to appropriate guests

## Virtual driver support, guest side

### Blkfront

    Status, Linux: Supported
    Status, FreeBSD: Supported, Security support external
    Status, NetBSD: Supported, Security support external
    Status, OpenBSD: Supported, Security support external
    Status, Windows: Supported

Guest-side driver capable of speaking the Xen PV block protocol

### Netfront

    Status, Linux: Supported
    Status, FreeBSD: Supported, Security support external
    Status, NetBSD: Supported, Security support external
    Status, OpenBSD: Supported, Security support external
    Status, Windows: Supported

Guest-side driver capable of speaking the Xen PV networking protocol

### PV Framebuffer (frontend)

    Status, Linux (xen-fbfront): Supported

Guest-side driver capable of speaking the Xen PV Framebuffer protocol

### PV Console (frontend)

    Status, Linux (hvc_xen): Supported
    Status, FreeBSD: Supported, Security support external
    Status, NetBSD: Supported, Security support external
    Status, Windows: Supported

Guest-side driver capable of speaking the Xen PV console protocol

### PV keyboard (frontend)

    Status, Linux (xen-kbdfront): Supported

Guest-side driver capable of speaking the Xen PV keyboard protocol

### PV USB (frontend)

    Status, Linux: Supported

### PV SCSI protocol (frontend)

    Status, Linux: Supported, with caveats

NB that while the PV SCSI frontend is in Linux and tested regularly,
there is currently no xl support.

### PV TPM (frontend)

    Status, Linux (xen-tpmfront): Tech Preview

Guest-side driver capable of speaking the Xen PV TPM protocol

### PV 9pfs frontend

    Status, Linux: Tech Preview

Guest-side driver capable of speaking the Xen 9pfs protocol

### PVCalls (frontend)

    Status, Linux: Tech Preview

Guest-side driver capable of making pv system calls

## Virtual device support, host side

For host-side virtual device support,
"Supported" and "Tech preview" include xl/libxl support
unless otherwise noted.

### Blkback

    Status, Linux (xen-blkback): Supported
    Status, QEMU (xen_disk): Supported
    Status, FreeBSD (blkback): Supported, Security support external
    Status, NetBSD (xbdback): Supported, Security support external
    Status, Blktap2: Deprecated

Host-side implementations of the Xen PV block protocol

### Netback

    Status, Linux (xen-netback): Supported
    Status, FreeBSD (netback): Supported, Security support external
    Status, NetBSD (xennetback): Supported, Security support external

Host-side implementations of Xen PV network protocol

### PV Framebuffer (backend)

    Status, QEMU: Supported

Host-side implementation of the Xen PV framebuffer protocol

### PV Console (xenconsoled)

    Status: Supported

Host-side implementation of the Xen PV console protocol

### PV keyboard (backend)

    Status, QEMU: Supported

Host-side implementation of the Xen PV keyboard protocol

### PV USB (backend)

    Status, QEMU: Supported

Host-side implementation of the Xen PV USB protocol

### PV SCSI protocol (backend)

    Status, Linux: Experimental

NB that while the PV SCSI backend is in Linux and tested regularly,
there is currently no xl support.

### PV TPM (backend)

    Status: Tech Preview

### PV 9pfs (backend)

    Status, QEMU: Tech Preview

### PVCalls (backend)

    Status, Linux: Experimental

PVCalls backend has been checked into Linux,
but has no xl support.

### Online resize of virtual disks

    Status: Supported

## Security

### Driver Domains

    Status: Supported, with caveats

"Driver domains" means allowing non-Domain 0 domains
with access to physical devices to act as back-ends.

See the appropriate "Device Passthrough" section
for more information about security support.

### Device Model Stub Domains

    Status: Supported, with caveats

Vulnerabilities of a device model stub domain
to a hostile driver domain (either compromised or untrusted)
are excluded from security support.

### KCONFIG Expert

    Status: Experimental

### Live Patching

    Status, x86: Supported
    Status, ARM: Experimental

Compile time disabled for ARM by default.

### Virtual Machine Introspection

    Status, x86: Supported, not security supported

### XSM & FLASK

    Status: Experimental

Compile time disabled by default.

Also note that using XSM
to delegate various domain control hypercalls
to particular other domains, rather than only permitting use by dom0,
is also specifically excluded from security support for many hypercalls.
Please see XSA-77 for more details.

### FLASK default policy

    Status: Experimental

The default policy includes FLASK labels and roles for a "typical" Xen-based system
with dom0, driver domains, stub domains, domUs, and so on.

## Virtual Hardware, Hypervisor

### x86/Nested PV

    Status, x86 Xen HVM: Tech Preview

This means running a Xen hypervisor inside an HVM domain on a Xen system,
with support for PV L2 guests only
(i.e., hardware virtualization extensions not provided
to the guest).

This works, but has performance limitations
because the L1 dom0 can only access emulated L1 devices.

Xen may also run inside other hypervisors (KVM, Hyper-V, VMware),
but nobody has reported on performance.

### x86/Nested HVM

    Status, x86 HVM: Experimental

This means providing hardware virtualization support to guest VMs
allowing, for instance, a nested Xen to support both PV and HVM guests.
It also implies support for other hypervisors,
such as KVM, Hyper-V, Bromium, and so on as guests.

### vPMU

    Status, x86: Supported, Not security supported

Virtual Performance Management Unit for HVM guests

Disabled by default (enable with hypervisor command line option).
This feature is not security supported: see http://xenbits.xen.org/xsa/advisory-163.html

### x86/PCI Device Passthrough

    Status, x86 PV: Supported, with caveats
    Status, x86 HVM: Supported, with caveats

Only systems using IOMMUs are supported.

Not compatible with migration, populate-on-demand, altp2m,
introspection, memory sharing, or memory paging.

Because of hardware limitations
(affecting any operating system or hypervisor),
it is generally not safe to use this feature
to expose a physical device to completely untrusted guests.
However, this feature can still confer significant security benefit
when used to remove drivers and backends from domain 0
(i.e., Driver Domains).

### ARM/Non-PCI device passthrough

    Status: Supported, not security supported

Note that this still requires an IOMMU
that covers the DMA of the device to be passed through.

### ARM: 16K and 64K page granularity in guests

    Status: Supported, with caveats

No support for QEMU backends in a 16K or 64K domain.

### ARM: Guest Device Tree support

    Status: Supported

### ARM: Guest ACPI support

    Status: Supported

## Virtual Hardware, QEMU

These are devices available in HVM mode using a qemu devicemodel (the default).
Note that other devices are available but not security supported.

### x86/Emulated platform devices (QEMU):

    Status, piix3: Supported

### x86/Emulated network (QEMU):

    Status, e1000: Supported
    Status, rtl8139: Supported
    Status, virtio-net: Supported

### x86/Emulated storage (QEMU):

    Status, piix3 ide: Supported
    Status, ahci: Supported

### x86/Emulated graphics (QEMU):

    Status, cirrus-vga: Supported
    Status, stdvga: Supported

### x86/Emulated audio (QEMU):

    Status, sb16: Supported
    Status, es1370: Supported
    Status, ac97: Supported

### x86/Emulated input (QEMU):

    Status, usbmouse: Supported
    Status, usbtablet: Supported
    Status, ps/2 keyboard: Supported
    Status, ps/2 mouse: Supported

### x86/Emulated serial card (QEMU):

    Status, UART 16550A: Supported

### x86/Host USB passthrough (QEMU):

    Status: Supported, not security supported

## Virtual Firmware

### x86/HVM iPXE

    Status: Supported, with caveats

Booting a guest via PXE.
PXE inherently places full trust of the guest in the network,
and so should only be used
when the guest network is under the same administrative control
as the guest itself.

### x86/HVM BIOS

    Status, SeaBIOS (qemu-xen): Supported
    Status, ROMBIOS (qemu-xen-traditional): Supported

Booting a guest via guest BIOS firmware

### x86/HVM OVMF

    Status, qemu-xen: Supported

OVMF firmware implements the UEFI boot protocol.

# Format and definitions

This file contains prose, and machine-readable fragments.
The data in a machine-readable fragment relate to
the section and subsection in which it is found.

The file is in markdown format.
The machine-readable fragments are markdown literals
containing RFC-822-like (deb822-like) data.

## Keys found in the Feature Support subsections

### Status

This gives the overall status of the feature,
including security support status, functional completeness, etc.
Refer to the detailed definitions below.

If support differs based on implementation
(for instance, x86 / ARM, Linux / QEMU / FreeBSD),
one line for each set of implementations will be listed.

## Definition of Status labels

Each Status value corresponds to levels of security support,
testing, stability, etc., as follows:

### Experimental

    Functional completeness: No
    Functional stability: Here be dragons
    Interface stability: Not stable
    Security supported: No

### Tech Preview

    Functional completeness: Yes
    Functional stability: Quirky
    Interface stability: Provisionally stable
    Security supported: No

### Supported

    Functional completeness: Yes
    Functional stability: Normal
    Interface stability: Yes
    Security supported: Yes

### Deprecated

    Functional completeness: Yes
    Functional stability: Quirky
    Interface stability: No (as in, may disappear the next release)
    Security supported: Yes

All of these may appear in modified form.
There are several interfaces, for instance,
which are officially declared as not stable;
in such a case this feature may be described as "Stable / Interface not stable".

## Definition of the status label interpretation tags

### Functionally complete

Does it behave like a fully functional feature?
Does it work on all expected platforms,
or does it only work for a very specific sub-case?
Does it have a sensible UI,
or do you have to have a deep understanding of the internals
to get it to work properly?

### Functional stability

What is the risk of it exhibiting bugs?

General answers to the above:

 * **Here be dragons**

   Pretty likely to still crash / fail to work.
   Not recommended unless you like life on the bleeding edge.

 * **Quirky**

   Mostly works but may have odd behavior here and there.
   Recommended for playing around or for non-production use cases.

 * **Normal**

   Ready for production use

### Interface stability

If I build a system based on the current interfaces,
will they still work when I upgrade to the next version?

 * **Not stable**

   Interface is still in the early stages and
   still fairly likely to be broken in future updates.

 * **Provisionally stable**

   We're not yet promising backwards compatibility,
   but we think this is probably the final form of the interface.
   It may still require some tweaks.

 * **Stable**

   We will try very hard to avoid breaking backwards compatibility,
   and to fix any regressions that are reported.

### Security supported

Will XSAs be issued if security-related bugs are discovered
in the functionality?

If "no",
anyone who finds a security-related bug in the feature
will be advised to
post it publicly to the Xen Project mailing lists
(or contact another security response team,
if a relevant one exists).

Bugs found after the end of **Security-Support-Until**
in the Release Support section will receive an XSA
if they also affect newer, security-supported, versions of Xen.
However, the Xen Project will not provide official fixes
for non-security-supported versions.

Three common 'diversions' from the 'Supported' category
are given the following labels:

  * **Supported, Not security supported**

    Functionally complete, normal stability,
    interface stable, but no security support

  * **Supported, Security support external**

    This feature is security supported
    by a different organization (not the XenProject).
    See **External security support** below.

  * **Supported, with caveats**

    This feature is security supported only under certain conditions,
    or support is given only for certain aspects of the feature,
    or the feature should be used with care
    because it is easy to use insecurely without knowing it.
    Additional details will be given in the description.
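
As an added example (not part of the Xen Project's own tooling), the Python sketch below parses the machine-readable fragments described under "Format and definitions" and applies the Status label definitions above to list the entries for which no XSA would be issued. The function names and the sample excerpt are constructed for illustration.

```python
import re

# Constructed excerpt in this file's layout; entries are taken from the sections above.
SAMPLE = """\
## Memory Management

### Dynamic memory control

    Status: Supported

### Memory Sharing

    Status, x86 HVM: Experimental

## Security

### Live Patching

    Status, x86: Supported
    Status, ARM: Experimental

### Virtual Machine Introspection

    Status, x86: Supported, not security supported

### Driver Domains

    Status: Supported, with caveats
"""

HEADING = re.compile(r"^(#{1,6})\s+(.*?)\s*$")       # markdown heading
FIELD = re.compile(r"^ {4}([^:]+?):\s*(.*\S)\s*$")   # indented "Key[, scope]: value"


def parse_support(text):
    """Yield (section, feature, scope, status) for every Status line."""
    path = {}  # heading level -> current heading title
    for line in text.splitlines():
        m = HEADING.match(line)
        if m:
            level = len(m.group(1))
            path = {k: v for k, v in path.items() if k < level}
            path[level] = m.group(2)
            continue
        m = FIELD.match(line)
        if not m:
            continue  # prose or blank line
        key, _, scope = m.group(1).partition(",")
        if key.strip() == "Status":
            yield path.get(2, ""), path.get(3, ""), scope.strip(), m.group(2)


def security_support(status):
    """Map a Status value to 'yes', 'no', 'external' or 'caveats'."""
    s = status.lower()
    if "not security supported" in s:
        return "no"
    if "security support external" in s:
        return "external"
    if "with caveats" in s:
        return "caveats"
    # Base labels: only Supported and Deprecated are security supported.
    return "yes" if s.split(",")[0].strip() in ("supported", "deprecated") else "no"


def unsupported(text):
    """(feature, scope) pairs that carry no Xen Project security support."""
    return [(feat, scope) for _, feat, scope, st in parse_support(text)
            if security_support(st) == "no"]
```

Entries classified as 'caveats' or 'external' still need the prose under the feature heading, or the external project's security process, to be read by hand.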

### Interaction with other features

Not all features interact well with all other features.
Some features are only for HVM guests; some don't work with migration, &c.

### External security support

The XenProject security team
provides security support for XenProject projects.

We also provide security support for Xen-related code in Linux,
which is an external project but doesn't have its own security process.

External projects that provide their own security support for Xen-related features are listed below.

  * QEMU https://wiki.qemu.org/index.php/SecurityProcess

  * Libvirt https://libvirt.org/securityprocess.html

  * FreeBSD https://www.freebsd.org/security/

  * NetBSD http://www.netbsd.org/support/security/

  * OpenBSD https://www.openbsd.org/security.html