control domain

A domain, commonly dom0, with the permission and responsibility to create and manage other domains on the system.

domain

A domain is Xen's unit of resource ownership, and generally has at the minimum some RAM and virtual CPUs.

The terms domain and guest are commonly used interchangeably, but they mean subtly different things.

A guest is a single, end user, virtual machine.

In some cases, e.g. during live migration, one guest will consist of two domains for a period of time, while it is in transit.

domid

The numeric identifier of a running domain. It is unique to a single instance of Xen, used as the identifier in various APIs, and is typically allocated sequentially from 0.

CET

Control-flow Enforcement Technology is a facility in x86 CPUs for defending against memory safety vulnerabilities. It consists of two independent features:

  • CET-SS, Shadow Stacks, are designed to protect against Return Oriented Programming (ROP) attacks.
  • CET-IBT, Indirect Branch Tracking, is designed to protect against Call or Jump Oriented Programming (COP/JOP) attacks.

Intel supports CET-SS and CET-IBT from the Tiger Lake (client, 2020) and Sapphire Rapids (server, 2023) CPUs. AMD supports only CET-SS, starting with Zen3 (both client and server, 2020) CPUs.
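As an added illustration, not part of the Xen glossary or the Xen code base, the following C program shows how a host administrator can check whether the CPU advertises the two CET features described above. The bit positions come from the Intel SDM and AMD APM (CPUID.(EAX=7,ECX=0):ECX[7] for CET-SS, EDX[20] for CET-IBT), and the ENDBR64 check relies on the fact that IBT requires every indirect branch target to begin with that instruction; the `cet_decode`, `cet_probe` and `starts_with_endbr64` names are the example's own.

```c
/* Added example (not Xen code): decode the CPUID bits advertising CET-SS and
 * CET-IBT, probe the running CPU for them, and check whether a function entry
 * carries the ENDBR64 landing pad that CET-IBT-instrumented code must start with.
 *   CPUID.(EAX=7,ECX=0):ECX[7]  = CET_SS  (shadow stacks)
 *   CPUID.(EAX=7,ECX=0):EDX[20] = CET_IBT (indirect branch tracking)
 *   ENDBR64 encoding              = F3 0F 1E FA                            */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

#define CET_SS_BIT  (1u << 7)    /* ECX bit 7  */
#define CET_IBT_BIT (1u << 20)   /* EDX bit 20 */

struct cet_features {
    int shadow_stack;   /* CET-SS advertised by the CPU  */
    int ibt;            /* CET-IBT advertised by the CPU */
};

/* Pure decode of the leaf-7/subleaf-0 ECX and EDX values, kept separate
 * from the CPUID instruction so it can be exercised with constructed
 * register values on any host. */
struct cet_features cet_decode(uint32_t ecx, uint32_t edx)
{
    struct cet_features f;
    f.shadow_stack = (ecx & CET_SS_BIT) != 0;
    f.ibt = (edx & CET_IBT_BIT) != 0;
    return f;
}

/* Probe the CPU this program runs on.  Returns 1 and fills *out on x86 hosts
 * exposing CPUID leaf 7; returns 0 on other architectures or older CPUs. */
int cet_probe(struct cet_features *out)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid_count(7, 0, &eax, &ebx, &ecx, &edx))
        return 0;
    *out = cet_decode(ecx, edx);
    return 1;
#else
    (void)out;
    return 0;
#endif
}

/* Returns 1 if the first four bytes of `code` are ENDBR64, the landing pad
 * IBT requires at every indirect branch target (compilers emit it at function
 * entry when building with CET-IBT support, e.g. GCC -fcf-protection=branch). */
int starts_with_endbr64(const uint8_t *code, size_t len)
{
    static const uint8_t endbr64[4] = { 0xf3, 0x0f, 0x1e, 0xfa };
    return len >= 4 && memcmp(code, endbr64, sizeof endbr64) == 0;
}

int main(void)
{
    struct cet_features f;

    if (!cet_probe(&f)) {
        puts("CPUID leaf 7 unavailable (non-x86 host or very old CPU)");
        return 0;
    }
    printf("CET-SS  (shadow stacks):            %s\n", f.shadow_stack ? "yes" : "no");
    printf("CET-IBT (indirect branch tracking): %s\n", f.ibt ? "yes" : "no");

    /* Look at this function's own entry bytes: ENDBR64 is present only when
     * the binary itself was built with IBT instrumentation. */
    const uint8_t *entry = (const uint8_t *)(uintptr_t)main;
    printf("main() starts with ENDBR64:         %s\n",
           starts_with_endbr64(entry, 4) ? "yes" : "no");
    return 0;
}
```

Hardware support (the CPUID bits) and software instrumentation (ENDBR64 at function entry, shadow-stack-aware code) are separate questions: a Tiger Lake or Zen3 host advertises the bits regardless of how Xen or its guests were compiled, so both need checking before assuming CET is actually in effect.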

guest

The term 'guest' has two different meanings, depending on context, and should not be confused with domain.

When discussing a Xen system as a whole, a 'guest' refers to a virtual machine which is the "useful output" of running the system in the first place (e.g. an end-user VM). Virtual machines providing system services (e.g. the control and/or hardware domains) are not considered guests in this context.

In the code, "guest context" and "guest state" are considered in terms of the CPU architecture, and contrasted against hypervisor context/state. In this case, the term refers to all code running at a lower privilege level than the hypervisor. As such, it covers all domains, including ones providing system services.

hardware domain

A domain, commonly dom0, which shares responsibility with Xen for the system as a whole.

By default it gets all devices, including all disks and network cards, so is responsible for multiplexing guest I/O.