Intel’s Xeon® processor E5-2600 v4 product family has arrived, and amongst its many benefits there are two features I want to highlight: SMAP and PML support.
I haven’t previously blogged about these, however with the launch of the new Xeon E5 processors this is the ideal time to highlight what the Citrix XenServer team has been working on.
So, what is SMAP, and why should I be interested in it?
SMAP, or Supervisor Mode Access Prevention, is a newly introduced CPU capability targeted at making life much more difficult for would-be hackers seeking to exploit software bugs. One example of where this could help is with para-virtualized guest VMs running on Xen-based hypervisors, such as XenServer. Find out more about Xen at XenProject.org. Hypothetically, if there were a bug in Xen that let a para-virtualized guest change a pointer used by Xen so that it pointed into the guest’s own memory space, then the guest VM could potentially exploit the bug and take control of Xen.
What enabling SMAP does is provide hardware checking against this class of attack, ensuring that Xen cannot access memory controlled by a PV guest, except in cases where such access is required for specific functionality. In these cases, logic is added for the authorized access to temporarily disable SMAP.
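The check described above, modelled in C as an added example that is not from the original post or from Xen's code. It covers explicit data accesses only; STAC and CLAC are the x86 instructions that set and clear EFLAGS.AC to open and close the authorized window, and all struct and function names here are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Simplified model, all names hypothetical: one CPU state and one page. */
struct cpu  { bool cr4_smap; bool eflags_ac; int cpl; };
struct page { bool user; uint8_t data[16]; };    /* user = U/S bit set */

/* Explicit data access: true = allowed, false = page fault. */
static bool access_allowed(const struct cpu *c, const struct page *p)
{
    if (c->cpl == 3)
        return p->user;                  /* ring 3 reaches user pages only */
    if (!p->user)
        return true;                     /* supervisor page: SMAP not involved */
    return !c->cr4_smap || c->eflags_ac; /* supervisor touching a user page */
}

/* Bug path: Xen dereferences a pointer that was redirected into guest memory. */
static int hv_read_direct(const struct cpu *c, const struct page *p, uint8_t *out)
{
    if (!access_allowed(c, p))
        return -1;                       /* SMAP fault stops the access */
    *out = p->data[0];
    return 0;
}

/* Authorized path: open the window (STAC), copy, close it again (CLAC). */
static int hv_copy_from_guest(struct cpu *c, const struct page *p, uint8_t *dst, size_t n)
{
    int rc = -1;
    if (n > sizeof p->data) return rc;   /* refuse oversized copies */
    c->eflags_ac = true;                 /* models STAC */
    if (access_allowed(c, p)) { memcpy(dst, p->data, n); rc = 0; }
    c->eflags_ac = false;                /* models CLAC */
    return rc;
}

/* Constructed scenario: Xen at CPL 0 reads a PV guest page holding 0x41. */
static int scenario(bool smap, bool authorized)
{
    struct cpu xen = { smap, false, 0 };
    struct page guest = { true, { 0x41 } };
    uint8_t buf[4] = { 0 };
    return authorized ? hv_copy_from_guest(&xen, &guest, buf, sizeof buf)
                      : hv_read_direct(&xen, &guest, buf);
}

int main(void) { return (scenario(true, false) == -1 && scenario(true, true) == 0) ? 0 : 1; }
```

With SMAP off, the direct read of guest memory succeeds silently; with SMAP on, only the path that explicitly opens the window can reach the guest page.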
Citrix and Intel have always had a close, collaborative working relationship and for Xen’s SMAP support, this is no exception. Intel added the SMAP code to the XenProject, now a part of Xen 4.6, which XenServer has absorbed into the latest Technical Preview (TP3) release.
Citrix Engineering also carried out some analysis to identify potentially vulnerable hypercalls, the results of which did highlight one such vulnerability. In this instance, the hypercall turned out not to be exploitable; however, it certainly highlighted the validity of leveraging SMAP support in Xen, and as such SMAP will be enabled by default in the XenServer.next release, to protect against exactly this type of attack.
In the above vulnerability example, the hypercall in question is restricted in access to Dom0, so could not be used by an unprivileged guest domain, and as it happens, the SMAP violation has already been fixed.
PML and how it impacts events such as XenMotion
During the live migration of a guest VM from one host to another, Xen has to copy all of the memory contents from the VM on the source host, whilst it is running. Of course, whilst the VM is still running, depending on usage, it will continue to write to memory pages. How XenServer handles this is to track the pages that have been copied, so we can easily establish whether the VM has written to them, and if need be, flag them as being “dirty”. Those memory pages would then be recopied to the destination host in the next live migration stage (all transparent to the administrator performing the XenMotion obviously).
PML, or Page Modification Logging, is a new CPU capability that reduces the runtime overhead of tracking dirty guest pages. This is achieved by PML tracking the dirty pages in hardware, rather than it being done in software by the Xen hypervisor. The actual time taken during the final stages of the migration, when the VM is paused for the final memory copy to ensure there cannot be any further dirty pages, remains unaffected; however, this feature does mean that guest VMs are more responsive during the XenMotion memory copy process and that the load on the host is reduced.
To know more on PML, check out this Intel whitepaper.
XenServer is the first hypervisor platform to leverage SMAP integration within Intel’s Xeon® processor E5-2600 v4 product family, helping to remove this security vulnerability class from being an area of concern. Likewise, PML simplifies our codebase, whilst also improving overall system performance.
Integration of Intel CPU capabilities such as these demonstrates how Citrix continues to collaborate closely with Intel on solving real world problems, whilst also ensuring XenServer is able to leverage the latest hardware-embedded technology.
If you are interested in knowing more on other activities between the Citrix XenServer team and Intel, then please also check out the following links:
- XenServer Tech. Preview features Intel GVT-g Virtualized Graphics
- Foundational Security with Intel® TXT and Citrix XenServer
- Citrix and Intel Solutions for Enhanced Graphics and Secure OpenStack Clouds at IDF 2015