Tl;Dr: Run the VM with only modern paravirtualized devices, then run OpenHCL inside the VM in ring -1 to emulate legacy devices and the guest os in ring 0 as usual.
This is more secure, as the host only exposes paravirtualized devices with reduced attack surface to the guest. While still allowing to run legacy os.
> In recent years, development efforts in the OpenVMM project have primarily focused on OpenHCL (AKA: OpenVMM as a paravisor).
> As a result, not a lot of "polish" has gone into making the experience of running OpenVMM in traditional host contexts particularly "pleasant".
> This lack of polish manifests in several ways, including but not limited to: […]
> • No API or feature-set stability guarantees whatsoever.
https://github.com/microsoft/openvmm/blob/main/Guide/src/use...