diff --git a/import-layers/meta-virtualization/recipes-extended/xen/README b/import-layers/meta-virtualization/recipes-extended/xen/README
new file mode 100644
index 0000000..3686530
--- /dev/null
+++ b/import-layers/meta-virtualization/recipes-extended/xen/README
@@ -0,0 +1,24 @@
+Xen
+---
+
+For any issues with the xen recipes please make sure you CC cardoe@gentoo.org
+
+configuring the hypervisor
+--------------------------
+
+Since 4.7.0 Xen supports using Kconfig to configure the hypervisor. Similarly
+to how the recipe for busybox works, you can provide a .config as a defconfig
+to override the default configuration of the hypervisor. The easiest way
+for you to take advantage of this is to create a .config for Xen and then
+copy it to your Yocto layer as 'defconfig' inside of
+'recipes-extended/xen/files/' and then create a bbappend adding
+'file://defconfig' to your SRC_URI.
+
+security patches
+----------------
+
+The base recipe does not include security fixes that the Xen community releases
+as XSAs (http://xenbits.xen.org/xsa/). The easiest way to include those is to
+drop patches in 'recipes-extened/xen/files' and create a bbappend adding those
+patches to SRC_URI and they will be applied. Alternatively, you can override
+the SRC_URI to a git repo you provide that contains the patches.
diff --git a/import-layers/meta-virtualization/recipes-extended/xen/xen.inc b/import-layers/meta-virtualization/recipes-extended/xen/xen.inc
index de8c168..b5c5f03 100644
--- a/import-layers/meta-virtualization/recipes-extended/xen/xen.inc
+++ b/import-layers/meta-virtualization/recipes-extended/xen/xen.inc
@@ -3,7 +3,7 @@
 LICENSE = "GPLv2"
 SECTION = "console/tools"
 
-LIC_FILES_CHKSUM = "file://COPYING;md5=a6260c12cd5de27e80d89ae18e48d20a"
+LIC_FILES_CHKSUM = "file://COPYING;md5=bbb4b1bdc2c3b6743da3c39d03249095"
 
 COMPATIBLE_HOST = '(x86_64.*).*-linux|aarch64.*-linux'
 
@@ -52,6 +52,7 @@
     xz \
     yajl \
     zlib \
+    gnu-efi \
     "
 
 # inherit setuptools adds python to RDEPENDS, override it
@@ -151,6 +152,7 @@
     ${PN}-base \
     ${PN}-blktap \
     ${PN}-console \
+    ${PN}-cpuid \
     ${PN}-dbg \
     ${PN}-dev \
     ${PN}-devd \
@@ -196,6 +198,7 @@
     ${PN}-libxenvchan-dev \
     ${PN}-libxlutil \
     ${PN}-libxlutil-dev \
+    ${PN}-livepatch \
     ${PN}-misc \
     ${PN}-pygrub \
     ${PN}-python \
@@ -369,6 +372,10 @@
     ${sbindir}/xenconsoled \
     "
 
+FILES_${PN}-cpuid = "\
+    ${bindir}/xen-cpuid \
+    "
+
 FILES_${PN}-devd = "\
     ${sysconfdir}/init.d/xendriverdomain \
     "
@@ -399,6 +406,10 @@
     ${sbindir}/kdd \
     "
 
+FILES_${PN}-livepatch += " \
+    ${sbindir}/xen-livepatch \
+    "
+
 FILES_${PN}-misc = "\
     ${bindir}/xencons \
     ${bindir}/xencov_split \
@@ -527,6 +538,7 @@
     "
 
 FILES_${PN}-scripts-network = " \
+    ${sysconfdir}/xen/scripts/colo-proxy-setup \
     ${sysconfdir}/xen/scripts/network-bridge \
     ${sysconfdir}/xen/scripts/network-nat \
     ${sysconfdir}/xen/scripts/network-route \
@@ -544,6 +556,7 @@
     ${sysconfdir}/xen/scripts/blktap \
     ${sysconfdir}/xen/scripts/block \
     ${sysconfdir}/xen/scripts/block-common.sh \
+    ${sysconfdir}/xen/scripts/block-dummy \
     ${sysconfdir}/xen/scripts/block-enbd \
     ${sysconfdir}/xen/scripts/block-iscsi \
     ${sysconfdir}/xen/scripts/block-nbd \
@@ -667,6 +680,7 @@
 FILES_${PN}-xencommons += "\
     ${sysconfdir}/default/xencommons \
     ${sysconfdir}/init.d/xencommons \
+    ${sysconfdir}/xen/scripts/launch-xenstore \
     ${systemd_unitdir}/modules-load.d/xen.conf \
     ${systemd_unitdir}/system/proc-xen.mount \
     ${systemd_unitdir}/system/xen-qemu-dom0-disk-backend.service \
@@ -744,9 +758,11 @@
 
 # this is used for the header (#!${bindir}/python) of the install python scripts
 export PYTHONPATH="${bindir}/python"
+export ac_cv_path_PYTHONPATH="${bindir}/python"
 
-# seabios forcefully sets HOSTCC to CC - fixup to allow it to build native conf executable
+# xen and seabios require HOSTCC and HOSTCXX set to cross-compile
 export HOSTCC="${BUILD_CC}"
+export HOSTCXX="${BUILD_CXX}"
 
 # make xen requires CROSS_COMPILE set by hand as it does not abide by ./configure
 export CROSS_COMPILE="${TARGET_PREFIX}"
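Review bot: The added `export ac_cv_path_PYTHONPATH="${bindir}/python"` has no comment of its own and sits under a comment that only describes the script shebang. The name follows the autoconf cache-variable convention, so it presumably pre-seeds configure's PYTHONPATH lookup with the target path instead of letting it probe the build host; that is inferred and worth confirming. I would add a line above it such as `# pre-seed configure's PYTHONPATH lookup so it does not probe the build host`.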
@@ -825,6 +841,13 @@
 
 addtask stubs after do_configure before do_compile
 
+# Allow all hypervisor settings in a defconfig
+EXTRA_OEMAKE += "XEN_CONFIG_EXPERT=y"
+# Build release versions always. Technically since we track release
+# tarballs this always happens but occasionally people pull in patches
+# from staging that reverts this
+EXTRA_OEMAKE += "debug=n"
+
 do_configure() {
 
     #./configure --enable-xsmpolicy does not set XSM_ENABLE must be done manually
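Review bot: `EXTRA_OEMAKE += "XEN_CONFIG_EXPERT=y"` is set unconditionally, so every build of this recipe unlocks the expert Kconfig options, including builds that supply no defconfig. Expert mode lets a configuration drop or alter base hypervisor features, and as far as I know upstream does not treat such builds the same as the default configuration for security support; confirm that against the support statement for the version being shipped. I would say so in the comment, e.g. `# Expert mode lets a defconfig change base hypervisor features; review it against upstream's security-support statement`, or set the flag only when a defconfig is actually in SRC_URI. do_configure begins at the end of this hunk and its body continues outside it.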
@@ -832,11 +855,19 @@
         echo "XSM_ENABLE := y" > ${S}/.config
     fi
 
+    if [ -f "${WORKDIR}/defconfig" ]; then
+        cp "${WORKDIR}/defconfig" "${B}/xen/.config" || \
+        bbfatal "Unable to copy defconfig to .config"
+    fi
+
     # do configure
     oe_runconf
 }
 
 do_compile() {
+    # workaround for build bug when CFLAGS is exported
+    # https://www.mail-archive.com/xen-devel@lists.xen.org/msg67822.html
+    unset CFLAGS
     oe_runmake
 }
 
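Review bot: `unset CFLAGS` in do_compile applies to the whole `oe_runmake`, so every flag the build environment passes through CFLAGS is dropped for the userspace toolstack as well as the hypervisor. If the distro delivers optimisation or hardening options that way, they silently disappear from binaries that run privileged in dom0, while any other task that invokes make still sees the exported value. Xen's make accepts additional tool flags through `EXTRA_CFLAGS_XEN_TOOLS`, so `export EXTRA_CFLAGS_XEN_TOOLS="${CFLAGS}"` before the unset would keep them for the tools; this is untested here and needs checking that it does not re-trigger the linked build bug. At minimum the comment should state that the flags are dropped on purpose and for which components.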
diff --git a/import-layers/meta-virtualization/recipes-extended/xen/xen_4.6.1.bb b/import-layers/meta-virtualization/recipes-extended/xen/xen_4.6.1.bb
deleted file mode 100644
index 0adf8ad..0000000
--- a/import-layers/meta-virtualization/recipes-extended/xen/xen_4.6.1.bb
+++ /dev/null
@@ -1,10 +0,0 @@
-require xen.inc
-
-SRC_URI = " \
-    http://bits.xensource.com/oss-xen/release/${PV}/xen-${PV}.tar.gz \
-    "
-
-SRC_URI[md5sum] = "df2d854c3c90ffeefaf71e7f868fb326"
-SRC_URI[sha256sum] = "44cc2fccba1e147ef4c8da0584ce0f24189c8743de0e3e9a9226da88ddb5f589"
-
-S = "${WORKDIR}/xen-${PV}"
diff --git a/import-layers/meta-virtualization/recipes-extended/xen/xen_4.8.0.bb b/import-layers/meta-virtualization/recipes-extended/xen/xen_4.8.0.bb
new file mode 100644
index 0000000..35c9137
--- /dev/null
+++ b/import-layers/meta-virtualization/recipes-extended/xen/xen_4.8.0.bb
@@ -0,0 +1,10 @@
+require xen.inc
+
+SRC_URI = " \
+    https://downloads.xenproject.org/release/xen/${PV}/xen-${PV}.tar.gz \
+    "
+
+SRC_URI[md5sum] = "d738f7c741110342621cb8a4d10b0191"
+SRC_URI[sha256sum] = "1e15c713ab7ba3bfda8b4a285ed973529364fd1100e6dd5a61f29583dc667b04"
+
+S = "${WORKDIR}/xen-${PV}"
diff --git a/import-layers/meta-virtualization/recipes-extended/xen/xen_git.bb b/import-layers/meta-virtualization/recipes-extended/xen/xen_git.bb
index a86a501..e10d669 100644
--- a/import-layers/meta-virtualization/recipes-extended/xen/xen_git.bb
+++ b/import-layers/meta-virtualization/recipes-extended/xen/xen_git.bb
@@ -1,15 +1,16 @@
 require xen.inc
 
-SRCREV = "1fd615aa0108490ffc558d27627f509183cbfdaf"
+SRCREV ?= "9a6cc4f5c14b3d7542b7523f88a1b65464733d3a"
 
-XEN_REL="4.6"
+XEN_REL ?= "4.7"
+XEN_BRANCH ?= "staging-${XEN_REL}"
 
-PV = "${XEN_REL}.0+git${SRCPV}"
+PV = "${XEN_REL}+git${SRCPV}"
 
 S = "${WORKDIR}/git"
 
 SRC_URI = " \
-    git://xenbits.xen.org/xen.git;branch=staging-${XEN_REL} \
+    git://xenbits.xen.org/xen.git;branch=${XEN_BRANCH} \
     "
 
 DEFAULT_PREFERENCE = "-1"
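Review bot: `SRCREV ?=` and `XEN_BRANCH ?=` make the pinned commit and the branch overridable, while the SRC_URI still uses `git://`, which gives no server authentication or transport integrity. With a full commit id the fetch stays content-addressed, but an override to a floating revision would build whatever the network returns; the 4.8.0 tarball recipe in this same commit moved to https. I would add a comment such as `# overrides must set SRCREV to a full commit id; the fetch uses unauthenticated git://`, and move the URI to an authenticated transport if xenbits offers one for this repository. The default branch also remains `staging-*`, which as far as I know is upstream's integration branch before automated testing, so a stable branch may be the safer default.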
