Xen Winter Meetup 2025
Get your badge by registering!
Welcome session, giving the details about the event and why it was created in the first place.
This talk offers a concise yet comprehensive overview of the latest advancements within the Xen ecosystem, focusing on key updates by the Community Manager.
This session presents the Xen effort regarding Rust integration, current projects, and future plans for rebuilding the toolstack in Rust.
We would like to create a Xen Rust working group to structure this effort more formally.
In this session, Andrew Cooper, x86 hypervisor maintainer and Xen security team member, will highlight the most pressing challenges in Xen’s codebase today. From technical debt and architectural bottlenecks to security hardening and performance optimizations, Andrew will outline where contributions are most needed and how developers can get involved.
In this talk we’re presenting our work at Vates Company on enabling Secure Encrypted Virtualization (SEV) technology for the Xen Project open-source hypervisor. SEV is an extension of AMD-V technology and allows running encrypted virtual machines on top of an “untrusted” hypervisor. Even though the hypervisor still controls the lifecycle of virtual machines, it is up to the SEV-enabled guest to decide whether its memory is encrypted or not. The SEV-enabled hardware ensures that neither the hypervisor nor other software (VMs) running on the platform can access (decrypt) this memory.
At the heart of the SEV technology is the “AMD Secure Processor” hardware component, which offers an interface to the system software (hypervisor or guest kernels) for managing virtual machines and the whole platform, so these pieces of software can run and communicate without compromising each other’s security. The x86 instruction set was also extended to fully benefit from SEV technology.
We will present our project, which aims to integrate the SEV extension into the Xen hypervisor: the necessary developments and adaptations that have been done, where we are with this project, and our future work.
A general discussion on PVH from both guest and Dom0 perspectives.
This session will focus on discussing the current state and key challenges of Nested Virtualization in Xen.
Discussion of the progress and next steps for IOMMU work.
ACONIT, the Association for a Conservatory of Information Technology, was founded in 1985 with the principal objective of preserving the history of computing and creating tools to better understand and explain to the general public the risks and rewards of current developments in information processing as it permeates deeper into society.
Address
Aconit
12 Rue Joseph Rey
38100 Grenoble
Located in the heart of Grenoble, La Fondue offers a warm and authentic atmosphere, perfect for wrapping up our event with great food and conversation. Known for its traditional Savoyard cuisine, the restaurant specializes in rich, flavorful cheese fondue, hearty raclette, and other regional delights.
Address
La Fondue
5 Rue Brocherie
38000 Grenoble
This talk will explore challenges and proposed strategies for implementing UEFI Secure Boot within Xen and downstream distributions like XCP-ng or Qubes OS, focusing on how these changes can enhance security and contribute to a more unified framework for future development.
We will begin by examining why UEFI Secure Boot is essential in continuing the transitive chain established by the modern static root of trust, and its synergy with TrenchBoot and DRTM technology. We will delve into the implications of the UEFI Secure Boot process, showing why simply signing bootloaders and hypervisor binaries is insufficient; a comprehensive implementation must address the entire boot chain.
Malware analysis sandboxes use virtual machine introspection (VMI) to analyze malware samples. VMI is a set of techniques to monitor the execution of a virtual machine (VM) while remaining isolated from the VM. Some so-called evasive malware detects the VM execution pauses caused by VMI and avoids exhibiting its malicious behavior. This problem tends to disappear since sandbox designers manipulate the VM clock to hide these pauses. On the other hand, the fake network created by a sandbox offers new opportunities to evasive malware. Indeed, VMI pauses have a measurable impact on network performance, so malware can detect performance differences between the observed network and the network of the target system.
To solve this problem, the TANSIV approach consists in building the sandbox network on top of a discrete-event network simulator. The simulator defines the time reference, and TANSIV coordinates the flow of time by synchronizing the virtual clocks with the simulator clock. Packets emitted by the VMs are intercepted and transmitted to the destination VM at the virtual time calculated by the simulator. The VMs are regularly interrupted to resynchronize them with the network simulator. In the case of hardware virtualization, in addition to manipulating the virtual clocks to hide VMI pauses, TANSIV also hides the synchronization pauses with the network simulator.
TANSIV is portable between hypervisors and has been ported to the Xen hypervisor. Moreover, TANSIV has been integrated with DRAKVUF, an open-source Xen-based hypervisor which leverages VMI to analyze Xen guests. Our results show that TANSIV is able to hide the impact of VMI pauses on both local and network timings.
Live migration of virtual machines is widely used in cloud computing environments for various reasons, such as server upgrades and consolidation to reduce energy consumption. This migration, however, faces several challenges when taking place between servers with a heterogeneous set of processors. It is important to properly characterize this heterogeneity and evaluate its impact on virtual machine migration within the context of a data center. Our work aims at providing an extensive characterization of migration issues related to processor heterogeneity and at proposing an improvement to the virtual machine migration algorithm in this context.
This session will delve into the current state of Q35 and aim to agree on the technical approach for achieving robust PCIe device support.
In order to provide an IaaS experience to Clever Cloud customers, we decided to work on a "Xen as a Service" approach. In this presentation, I will recount the challenges and choices we made to run xcp-ng inside our VMs.
This session aims to bridge the gap between research labs and the Xen Project by identifying synergies and mutual benefits. We’ll discuss how Xen can support academic research, how research can contribute to Xen’s evolution, and potential papers to increase Xen’s visibility.
(Note: may only happen if someone more knowledgeable of the topic than me can lead the sessions)
A practical session to discover Xen’s codebase structure, and maybe how to make a small example modification. Also: how to navigate the dozens of git repositories on xen.org.
Since XSA-351, coretemp and similar modules can no longer be used in Dom0 for hardware data access.