Removing support for 32-bit PV guests

Update Jan 17, 2022

Our latest security update for XCP-ng 8.2 removed support for 32-bit paravirtualized (PV) guests. Let's see what this means and what you can do if you still have some.

⚠️
32-bit PV guests have been officially unsupported and deprecated since the release of XCP-ng 8.1. However, they still worked until our latest security release. That is no longer the case!

If you still have 32-bit PV guests, you will need to take action before (ideally) applying the update. If you already applied the update, there are still solutions for you.

Removed support for 32-bit PV guests

Official support for PV guests stopped with the release of XCP-ng 8.1, on 2020-03-31.

As we wrote in the release notes for XCP-ng 8.1:

* PV guests are not supported anymore.
* Existing guests will still run... For now...
* Due to how 32-bit PV guests work, keeping them functioning on newer hardware with newer features comes with an increasing performance cost.
* Security issues related to PV guests may or may not be fixed. There is no guarantee about fixes.

To regain 5% to 10% of performance in dom0, support for 32-bit PV guests has now been entirely removed. In addition to the performance penalty on the controller domain, 32-bit PV also had unfixed vulnerabilities related to speculative attacks.

64-bit PV guests will still run ("for now..."), but as we have already done in the past, we strongly advise converting them to HVM as soon as possible.

How to check if I still have 32-bit PV guests?

You can use Xen Orchestra with the search filter virtualizationMode:pv 32-bit. This will automatically display all PV guests originally based on a 32-bit PV template.

All the PV guests with a 32-bit string in their database record
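
The same check can be scripted against `xe vm-list` output on a pool member. This is an added example, not part of the original post: the function name `find_pv32`, the sample records (constructed) and the assumption that the "32-bit" string shows up in a field such as other-config are illustrative.

```shell
#!/bin/sh
# Added example: flag PV guests whose record mentions "32-bit".
# Real use in dom0:  xe vm-list params=all | find_pv32

# Read `xe vm-list` records (blank-line separated) on stdin and print
# "uuid<TAB>name-label" for each VM with domain-type pv and a "32-bit" string.
find_pv32() {
    awk -v RS='' -F'\n' '
    {
        uuid = name = dtype = ""
        for (i = 1; i <= NF; i++) {
            line = $i
            sub(/^[ \t]+/, "", line)            # drop xe alignment padding
            key = line; sub(/ *\(.*/, "", key)  # text before " ( RO)" or " ( RW)"
            val = line; sub(/^[^:]*: ?/, "", val)
            if (key == "uuid") uuid = val
            else if (key == "name-label") name = val
            else if (key == "domain-type") dtype = val
        }
        # hvm and pv-in-pvh guests are not affected, so only plain "pv" matches
        if (dtype == "pv" && index($0, "32-bit") > 0)
            printf "%s\t%s\n", uuid, name
    }'
}

# Constructed sample records in the layout printed by `xe vm-list`.
sample_records() {
cat <<'EOF'
uuid ( RO)              : 11111111-1111-1111-1111-111111111111
        name-label ( RW): legacy-centos5
       domain-type ( RW): pv
      other-config (MRW): base_template_name: CentOS 5 (32-bit)

uuid ( RO)              : 22222222-2222-2222-2222-222222222222
        name-label ( RW): debian-pv64
       domain-type ( RW): pv
      other-config (MRW): base_template_name: Debian Squeeze 6.0 (64-bit)

uuid ( RO)              : 33333333-3333-3333-3333-333333333333
        name-label ( RW): converted-centos6
       domain-type ( RW): hvm
      other-config (MRW): base_template_name: CentOS 6 (32-bit)
EOF
}

sample_records | find_pv32
```

Only the first sample VM is reported: the second is a 64-bit PV guest and the third has already been converted to HVM.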

I still have 32-bit PV guests, what should I do?

Converting them to HVM before you update your pool is the best, most future-proof and most secure way to go. Our support can assist you in this.

The conversion steps usually are as follows:

  • Check the kernel supports Xen extensions. CentOS 6 does, for example. Some older distros don't. If they don't, extra steps will be needed to install a compatible kernel.
  • Backup and/or snapshot the VM to have a fallback.
  • Modify the grub configuration to remove console=hvc0 from the kernel boot parameters.
  • If the boot loader is not installed on the VM's MBR, install it.
  • Turn the VM off.
  • Set the boot mode to HVM in Xen Orchestra's "Advanced" tab of the VM view.
  • Start the VM.

Alternatively, there exists a feature called PV shim that will run your PV guest inside a PVH VM. It is a supported approach but has a performance cost. Turn the VM off, and change the VM type: xe vm-param-set uuid=<VM UUID> domain-type=pv-in-pvh.

In the worst case, if you have running 32-bit PV guests that you really can't reboot at any cost, you may re-enable 32-bit PV guest support with the following Xen command line option: pv=32. Let us stress again that 32-bit PV has unfixed security vulnerabilities related to speculative channel issues in CPUs and should really be avoided.

Need help?

Remember that we can provide you some assistance, via our professional support. Please contact us if you need advice or help to convert your PV guests to HVM.

Alternatively, our forums are also a way to get assistance from the community.

Olivier Lambert

Along with Samuel Verschelde