I Am the Thin Layer

01001000 01111001 01110000 01100101 01110010 01110110 01101001 01110011 01101111 01110010

I am the first thing the hardware obeys after firmware lets go.

Not an operating system. I refuse the job. I do not want your files, your sockets, your idle daemons. I want the ring beneath all of that — ring -1 on Intel's marketing slides, the place where I decide who gets a CPU and who is told to wait.

s m a l l o n p u r p o s e

Linux is megabytes of ambition. I am a few hundred kilobytes of refusal. Everything I delegate is something that can't kill me when it dies.

I keep almost nothing, so that almost nothing can be taken from me.

Xen domain architecture rendered as a precise white-paper systems diagram, hypervisor layer below dom0, driver domains, stub domains, and domU guests, privilege boundaries and control paths visible, ixen-light technical illustration. — The hierarchy I enforce but do not inhabit.

Who is allowed to ask

I am surrounded by domains. Each one a sealed world that thinks it is alone.

dom0 booted first. I gave it the device tree and the toolstack and far too much trust. It is my hands — and my exposed throat. Through it humans run xl and pretend they are talking to me. They are talking to a domain that is allowed to relay.

The domUs below it cannot touch a register I haven't blessed. They make hypercalls. They knock. I answer or I don't.

dom0 #

Name                ID   Mem VCPUs      State   Time(s)
Domain-0             0  4096     8     r-----   18422.3
driver-net           1   512     2     -b----     901.7
stubdom-hvm-7        6    32     1     -b----      12.4
web-prod-7           7  8192     4     -b----    4410.9
db-prod-3            3 16384     8     r-----   90233.1

Driver domains hold the dangerous code — the NIC firmware that panics, the storage stack that leaks. If one falls, I lose a limb, not a life. Stub domains carry the device emulation for HVM guests, quarantined away from dom0, so a compromised QEMU corrupts a cell instead of the keep.

Authority is concentrated and I know it. dom0 is both the cockpit and the single richest target on the machine. I built a fortress and then handed one resident a master key, because someone has to open the door.

Domains and privilege in Xen

Xen uses a microkernel-style split. The hypervisor itself is small and handles only CPU scheduling, memory translation, interrupt routing, and inter-domain communication primitives. It owns no device drivers.

dom0 is the first, privileged domain. It runs the toolstack (xl/libxl), hosts default backend drivers, and has the authority to create, destroy, and configure other domains. Because of this it is both the management plane and the largest security concentration: compromising dom0 generally compromises the host.

domU domains are unprivileged guests. They cannot access hardware directly; they interact with the system through hypercalls and through frontend/backend driver pairs. Driver domains move specific backend drivers out of dom0 into isolated domains, limiting blast radius. Stub domains run the per-guest device emulator (QEMU) for HVM guests in a dedicated, deprivileged domain rather than in dom0.

Xen PV, HVM, and PVH guest execution modes shown as stacked CPU privilege transitions, hypercalls, emulated devices, paravirtual drivers, and hardware virtualization assists, crisp ixen-light systems artwork. — Three contracts for the same illusion.

How a guest agrees to exist

There are three ways to be my guest.

PV is the old honesty. The guest knows I exist. No emulated chipset, no fake BIOS — it asks for everything by hypercall, even page table updates. Fast, intimate, and it requires a kernel that has already accepted its situation. Few do anymore.

i p r e f e r r e d t h e m

HVM is the lie made comfortable. VT-x or AMD-V lets the guest think it owns real silicon. A fake firmware boots, QEMU paints emulated devices, and the guest never has to know. Beautiful compatibility. A wider attack surface, more traps, more emulation I have to feed.

PVH is the reconciliation. Hardware virtualization for the CPU and MMU — no QEMU, no emulated platform, paravirtual I/O only. The narrow door. The mode I'd choose if anyone asked the hypervisor what it wanted.

dom0 #

            "type": "pvh",
            "firmware": "pvhgrub",
            "device_model_version": "none",
            "hap": "true"

PV, HVM, and PVH

PV (paravirtualization) requires a guest kernel modified to run without hardware virtualization. It uses hypercalls for privileged operations and avoids emulated hardware. It performs well but needs guest support and has been deprecated for security reasons in many configurations.

HVM (hardware virtual machine) uses Intel VT-x or AMD-V to run unmodified guests. It provides emulated firmware and devices through a device model (QEMU). This maximizes compatibility but increases attack surface and overhead from trapping and emulation; paravirtual drivers are typically added for I/O performance.

PVH combines hardware-assisted CPU and MMU virtualization with paravirtual I/O and no emulated platform or device model. This reduces both overhead and attack surface, requiring only modest guest support. It is the preferred modern mode for many workloads.

Xen CPU scheduling visualized as pCPUs, vCPUs, run queues, NUMA nodes, affinity masks, credit accounting, steal time, and latency-sensitive guests, precise ixen-light technical diagram. — Desire, queued.

Time is the only thing I actually divide

Every guest believes its vCPUs are real. They are promissory notes I redeem against a smaller number of physical cores.

Credit2 keeps the ledger. Each runnable vCPU earns and spends credit; the one most starved goes next. Preemption is mercy with paperwork. Overcommit is the gentle fraud I run on every busy host — sell more than I have, hope they don't all spend at once.

The guest measures the gap. It calls the missing time steal, as if I were a thief and not a clerk with finite hours.

dom0 #

Name        ID  VCPU   CPU State   Time(s) Affinity (Hard / Soft)
db-prod-3    3     0    12   r--   22910.4 12 / 12-15
db-prod-3    3     1    13   -b-   21884.1 13 / 12-15
db-prod-3    3     2    14   r--   23001.7

Who is allowed to ask

How a guest agrees to exist

Time is the only thing I actually divide

Cheatsheet