
Note this “disclaimer” in the guide:

> In recent years, development efforts in the OpenVMM project have primarily focused on OpenHCL (AKA: OpenVMM as a paravisor).

> As a result, not a lot of "polish" has gone into making the experience of running OpenVMM in traditional host contexts particularly "pleasant".

> This lack of polish manifests in several ways, including but not limited to: […]

> • No API or feature-set stability guarantees whatsoever.

https://github.com/microsoft/openvmm/blob/main/Guide/src/use...




Plus, for running as a paravisor:

> OpenHCL currently relies on Hyper-V's implementation of Virtual Trust Levels (VTLs) to implement the security boundaries necessary


OpenHCL is much more interesting than OpenVMM:

TL;DR: Run the VM with only modern paravirtualized devices, then run OpenHCL inside the VM in ring -1 to emulate legacy devices and the guest OS in ring 0 as usual.

This is more secure, as the host only exposes paravirtualized devices with reduced attack surface to the guest, while still allowing a legacy OS to run.



