Posts for: #vm

XCP-ng December 2023 Security Update Now Available


XCP-ng, the popular virtualization platform, has released its latest security update for the month of December. The update is specifically for the 8.2 LTS release, which is currently the only supported version of XCP-ng.

The update includes fixes for vulnerabilities in Xen and linux-firmware in the controller domain. These vulnerabilities have been addressed to ensure the security of the virtual machines running on the platform.

One of the fixed vulnerabilities, labeled XSA-445, addresses a mismatch in IOMMU quarantine page table levels on x86 AMD systems. This vulnerability could potentially allow a device in quarantine mode to access leaked data from previously quarantined pages. Although quarantine mode is not enabled by default in XCP-ng, it can still be enabled at Xen boot time.

The second fixed vulnerability, XSA-446, deals with memory content inference in PV guests. XCP-ng strongly advises against using PV guests and recommends switching to HVM for better security; anyone still running PV guests should plan that switch.

In addition to the security updates, XCP-ng has also released non-security updates to pave the way for upcoming refreshed installation ISOs. These updates include improvements to the linux-firmware, gpumon, tzdata, and vendor-drivers components.

The linux-firmware update includes an update to the AMD microcode, specifically for the family 19h (Zen 3, Zen3+). This update helps mitigate hardware vulnerabilities and bugs. However, it is important to note that updating the hardware’s firmware remains the preferred method for updating microcode, and any newer microcode found in the firmware will take precedence over the microcode provided in XCP-ng.

Other changes include a small change to suppress unnecessary logging in gpumon, updated timezones with the latest CentOS 7 update of the tzdata package, and the integration of new drivers into XCP-ng in preparation for the upcoming refreshed installation ISOs. These new drivers include the igc module for Intel device drivers for I225/I226, the r8125 module for Realtek r8125 device drivers, and the mpi3mr module for Broadcom mpi3mr RAID device drivers.

Overall, the December 2023 security update for XCP-ng brings important security fixes and improvements to the virtualization platform, ensuring the safety and performance of virtual machines. Users are encouraged to update their systems to benefit from these enhancements and to maintain a secure environment for their workloads.

Xen Orchestra 5.89 Released

Xen Orchestra has unveiled version 5.89, featuring over 20 new enhancements and functionalities. Noteworthy developments include Broadcom’s acquisition of VMware for over $60 billion, impacting the virtualization industry. Xen Orchestra’s team has expanded with new members, alongside the release of Xen 4.18, where one of their developers secured a Top 10 contributor spot. The landscape of virtualization is explored in light of industry shifts, emphasizing Vates’ innovative ‘Bundles’ amid these changes.

Xen Orchestra’s growth includes the addition of Bastien, focusing on XO’s backend, and a dedicated member for Project Pyrgos, concentrating on k8s cluster creation. Positive feedback surrounds the Rust Linux tools, with updates driven by community input. Backup functionality improvements introduce features like differential restore, API/CLI file-level restore, and enhanced XO Lite with a more compact interface, improved dashboard, and added functionalities.

The REST API sees updates for versatility, including user management, VDI content import, and XVA file management. Enhanced integration with Netbox facilitates optional synchronization between XO users and Netbox’s “tenant” entity, enhancing user activity tracking. Compatibility with XCP-ng 8.3 brings detailed task monitoring for coalesce, among other tailored features.

Additional improvements cover token management, VM booting with disk and ISO, console view disablement, and clearer messages for actions like forgetting a Storage Repository. Xen Orchestra 5.89 solidifies its position as a comprehensive solution for XCP-ng infrastructure management, demonstrating ongoing innovation and expansion within the Xen Orchestra team. The full changelog is available here.

Proxmox Virtual Environment 8.1: Enhanced Network and Secure Boot Features

Proxmox today announced the release of version 8.1 of Proxmox Virtual Environment, its open-source server virtualization management platform. This version comes with several new features, support for Secure Boot, a Software-defined Network stack, a new flexible notification system, and many further enhancements and bug fixes.

Proxmox VE 8.1 is based on Debian 12.2 (“Bookworm”), but uses a newer Linux kernel 6.5 as stable default, and includes updates to the latest versions of leading open-source technologies for virtual environments like QEMU 8.1.2 and LXC 5.0.2. It comes with ZFS 2.2.0 including the most important bugfixes from 2.2.1 already. The virtualization platform adds support for Ceph Reef 18.2.0 and continues to support Ceph Quincy 17.2.7.

Highlights in Proxmox Virtual Environment 8.1

  • Support for Secure Boot: This version is now compatible with Secure Boot. This security feature is designed to protect the boot process of a computer by ensuring that only software with a valid digital signature launches on a machine. Proxmox VE now includes a signed shim bootloader trusted by most hardware’s UEFI implementations. This allows installing Proxmox VE in environments with Secure Boot active.
  • Software-defined Network (SDN): With this version the core Software-defined Network (SDN) packages are installed by default. The SDN technology in Proxmox VE lets users create virtual zones and networks (VNets), so they can manage and control complex networking configurations and multitenancy setups directly from the web interface at the datacenter level. Use cases for SDN range from an isolated private network on each individual node to complex overlay networks across multiple Proxmox VE clusters in different locations. The result is a more responsive and adaptable network infrastructure that can scale according to business needs.
  • New Flexible Notification System: This release introduces a new framework that uses a matcher-based approach to route notifications. It lets users designate different target types as recipients of notifications. Alongside the current local Postfix MTA, supported targets include Gotify servers or SMTP servers that require SMTP authentication. Notification matchers determine which targets will get notifications for particular events based on predetermined rules. The new notification system now enables greater flexibility, allowing for more granular definitions of when, where, and how notifications are sent.
  • Support for Ceph Reef and Ceph Quincy: Proxmox Virtual Environment 8.1 adds support for Ceph Reef 18.2.0 and continues to support Ceph Quincy 17.2.7. The preferred Ceph version can be selected during the installation process. Ceph Reef brings better defaults that improve performance and increase read speed.

Availability

Proxmox VE 8.1 is available for download at the Proxmox website. The ISO contains the complete feature-set and can be installed on bare-metal.

The virtualization platform from Proxmox comes stocked with all the essential management tools, as well as an easy-to-use, web-based user interface. This allows for simple, out-of-the-box management of the host, either through the command line or a standard web browser. Distribution upgrades from older versions of Proxmox VE are possible with apt. It’s also possible to install Proxmox VE 8.1 on top of Debian. Proxmox Virtual Environment is free and open-source software, published under the GNU Affero General Public License, v3.

Xen 4.18: The Latest Release for Virtualization Technology

The Xen Project has unveiled version 4.18, showcasing continued growth in both technological advancements and community contributions. The release emphasizes expanded hardware support and feature enhancements across various architectures.

Key Highlights:

  • Enhanced ARM Support: Notable additions include the Scalable Vector Extension (SVE), Arm Firmware Framework (FF-A), and an improved memory subsystem, signaling substantial progress in ARM architecture support.
  • x86 Architectural Improvements: Extensive support for features in AMD Genoa and Intel Sapphire Rapids CPUs, coupled with advancements like the Protection Key Supervisor (PKS) and bus-lock detection, enhances security and performance on Intel and AMD systems.
  • RISC-V and Power Ports: Demonstrating a commitment to diversity, initial ports for RISC-V and Power architectures have been introduced, promising intriguing developments in subsequent releases.
  • New Hypercalls and MISRA-C Adoption: The release introduces new hypercalls and an increased adherence to MISRA-C rules, bolstering the project’s robustness and versatility.

Community Initiatives: Ongoing projects and future plans within the Xen community include continuous improvements in ARM MPU support and PCI-passthrough, refining RISC-V support, and focusing on the ppc64le architecture with Radix MMU page table initialization, paving the way for broader PowerPC support.

For further details, refer to the official announcement.

XCP-ng: Security Update for November 2023

XCP-ng has released a new security update for the 8.2 LTS version. The update includes new microcode from Intel to mitigate hardware vulnerabilities. However, it is recommended to update the hardware’s firmware for the best results. The update also addresses security issues related to IOMMU and PV guests in the Xen Project. The fixed vulnerability, CVE-2023-23583, can allow privilege escalation, information disclosure, or denial of service. It affects specific generations of server, desktop, embedded, and mobile processors.

The update also mentions upcoming fixes for the XSA-445 and XSA-446 vulnerabilities. XSA-445 can affect hosts if the dom_io feature is enabled, and XSA-446 can bypass certain protections for PV guests. Avoiding PV guests is recommended to sidestep any potential impact. The updated microcode for the Intel SA is included in the XCP-ng update. Fixes for the XSAs will be integrated in a future release or, if needed, in the coming days.

Cloud Hypervisor Releases Version v36.0 of Open Source Virtual Machine Monitor

Cloud Hypervisor, an open source Virtual Machine Monitor (VMM), has announced the release of version v36.0. This VMM runs on top of the KVM hypervisor and the Microsoft Hypervisor (MSHV) and is designed to run modern cloud workloads on common hardware architectures.

The project focuses on enabling customers to run cloud workloads inside a Cloud Service Provider, utilizing modern operating systems with paravirtualized devices (such as virtio) for efficient I/O, 64-bit CPUs, and no requirement for legacy devices.

Cloud Hypervisor is implemented in Rust and is based on the Rust VMM crates. The v36.0 release includes several user-visible changes and improvements:

Command Line Changes

The project has switched back to using the clap crate to create the command line interface, as the previous argh crate was not being actively maintained. This switch has resulted in syntax changes, such as using --option=value instead of --option value.

Enabled Features Reported via API Endpoint and CLI

Users can now query the enabled features of the running Cloud Hypervisor instance through the API endpoint (/vmm.ping) and the CLI (--version -v).

NUMA Support for PCI Segments

The --numa command has been updated with a new option pci_segment=, allowing users to define the relationship between PCI segments and NUMA nodes. Examples of usage can be found in the memory documentation.

CPU Topology Support on AMD Platforms

The CPU topology on x86_64 platforms now supports multiple vendors, providing improved flexibility and compatibility.

Unix Socket Backend for Serial Port

The --serial command has been enhanced with a new option socket=, enabling users to access the serial port using a Unix socket.

AIO Backend for Block Devices

An AIO (Asynchronous Input/Output) backend has been added for virtio-block devices, improving block device performance when the io_uring feature is not supported by the host operating system.

Documentation Improvements

The release includes various documentation improvements, including a new document for collecting coverage data and various typo fixes.

Notable Bug Fixes

Several notable bug fixes have been included in this release, including a fix for a deadlock issue when TDX (Intel Total Memory Encryption Extension) is enabled, a correction of the default value for vCPU topology on AArch64, and ensuring that AMX (Advanced Matrix Extensions) feature bits are only advertised to guests when the AMX CPU feature is enabled.