
robjwells | 1 year ago

Note this “disclaimer” in the guide:

> In recent years, development efforts in the OpenVMM project have primarily focused on OpenHCL (AKA: OpenVMM as a paravisor).

> As a result, not a lot of "polish" has gone into making the experience of running OpenVMM in traditional host contexts particularly "pleasant".

> This lack of polish manifests in several ways, including but not limited to: […]

> • No API or feature-set stability guarantees whatsoever.

https://github.com/microsoft/openvmm/blob/main/Guide/src/use...

solarkraft | 1 year ago

Plus, for running as a paravisor:

> OpenHCL currently relies on Hyper-V's implementation of Virtual Trust Levels (VTLs) to implement the security boundaries necessary

nolist_policy | 1 year ago

OpenHCL is much more interesting than OpenVMM:

TL;DR: Run the VM with only modern paravirtualized devices, then run OpenHCL inside the VM in ring -1 to emulate legacy devices, and run the guest OS in ring 0 as usual.

This is more secure, as the host only exposes paravirtualized devices with a reduced attack surface to the guest, while still allowing a legacy OS to run.