OpenXT and Qubes use Linux stubdomains instead of mini-OS stubdomains. Linux is well supported, but it is much larger than mini-OS and adds the overhead of user/kernel context switches, since the device model runs as a userspace process above a separate kernel rather than in mini-OS's single address space. Red Hat has experimental work underway on Linux unikernels that would remove that boundary.
Stubdomains are PV domains: they run on software-managed (non-HAP) shadow page tables rather than under hardware-assisted paging, and like all PV guests they are affected by the L1TF vulnerability (XSA-273). They are also exposed to the hypervisor's entire PV interface, which exists to support legacy guests. This is an impedance mismatch:
- Stubdomain software is supplied by the platform provider and refreshed on the platform update cycle, not on the guest refresh cycle.
- Stubdomains should not need the legacy PV interface features that exist only to support old guests.
- Stubdomain security would improve with a much narrower, use-case-specific hypervisor ABI.
- Stubdomains increase the hypervisor's attack surface: alongside the guest's HVM hypercall interface, the stubdomain adds the PV hypercall interface it uses on the guest's behalf, so an attacker who compromises the device model gains a second, wider interface into Xen.
In OpenXT, XSM/Flask restricts each stubdomain to a subset of Xen's PV hypercall interface; the restriction applies only to stubdomains the toolstack has issued XSM labels. Upstream Xen's XSM policy will need rules written for Linux stubdomains, and libxl will need to label them correctly.
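As an added illustration (not code from OpenXT, Qubes or upstream Xen), here is the shape of the two pieces the paragraph above calls for: a Flask policy fragment that declares a dedicated type for Linux stubdomains and allows only device-model operations against the guest it serves, and the xl configuration that makes libxl attach that label at creation time. The macros `declare_domain`, `create_domain`, `manage_domain` and `domain_comms` and the class and permission names follow upstream Xen's `tools/flask/policy` and `xen/xsm/flask/policy/access_vectors`; the module name, the type name `linux_stubdom_t` and the exact permission list are assumptions and a starting point, not a vetted minimal set.

```text
# --- tools/flask/policy/modules/linux_stubdom.te (assumed module name) ---
# A dedicated type for Linux device-model stubdomains. Keeping it separate
# from domU_t means only the rules below bound what the stubdomain may ask
# of Xen; declare_domain() supplies the domain's permissions on itself.
declare_domain(linux_stubdom_t)

# dom0's toolstack creates, manages and communicates with the stubdomain.
create_domain(dom0_t, linux_stubdom_t)
manage_domain(dom0_t, linux_stubdom_t)
domain_comms(dom0_t, linux_stubdom_t)

# Device-model access to the HVM guest (domU_t) it serves: guest memory
# mapping, HVM parameters, the DMOP interface (hvm dm), interrupt routing and
# event channels. Illustrative list, to be trimmed against the denials a
# real stubdomain produces when Xen is booted with flask=permissive (the
# denials appear in `xl dmesg`).
allow linux_stubdom_t domU_t:domain { getdomaininfo shutdown };
allow linux_stubdom_t domU_t:mmu { map_read map_write adjust physmap target_hack };
allow linux_stubdom_t domU_t:hvm { getparam setparam trackdirtyvram irqlevel pciroute cacheattr send_irq dm };
allow linux_stubdom_t domU_t:event { create send status };
allow linux_stubdom_t domU_t:grant { map_read map_write unmap };

# Deliberately absent: no rule grants linux_stubdom_t anything on dom0 or on
# other guests, and none of the legacy PV-only operations are allowed. Under
# flask=enforcing every hypercall not covered by an allow rule is refused.

# --- /etc/xen/guest.cfg (xl.cfg fragment) ---
type = "hvm"
device_model_version = "qemu-xen"
device_model_stubdomain_override = 1
seclabel = "system_u:system_r:domU_t"
# libxl labels the stubdomain with this context when it creates it; without
# this line the stubdomain never receives linux_stubdom_t and the rules
# above never apply to it.
device_model_stubdomain_seclabel = "system_u:system_r:linux_stubdom_t"
```

Upstream's own `device_model()` macro in `xen.if` is the natural reference when trimming the allow rules: whatever a Linux stubdomain issues beyond what that macro grants to a mini-OS device model is exactly the excess PV surface the list above argues against. After loading the policy (`xl loadpolicy`), `xl list -Z` shows the label each running domain actually received, which is the check that libxl labelled the stubdomain and not only the guest.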