
Do the x86 virtualization instruction sets (VT-x, AMD-V) have alternate uses?


Hardware-assisted virtualization provides a great pathway to efficiently and securely running guest operating systems atop a hypervisor.

Do those instruction sets (such as Intel's VT-x, AMD's AMD-V, and the Extended Page Tables extension) provide value for scenarios other than running a guest OS wholesale? For example, could they be used to sandbox processes or prevent pieces of kernel-mode code from doing things they shouldn't?


Solution

  • Going through Intel's own page on "Hardware assisted virtualization", they mention a couple of interesting applications:

    1. Industrial systems: Virtualization enables systems to simultaneously run real-time and general-purpose operating systems, each on dedicated processor cores of an Intel® multi-core processor.

    This is different from running a guest OS. Here the VT-x features can be used to run two different operating systems in parallel, so that we can combine the best of both to achieve our goals. For example, a scenario where you needed very high precision real-time data monitoring, and very high speed processing: in this case, the data acquisition could be entirely delegated to an RTOS running on one of the cores, whereas the other ran a GPOS to process the data.

    2. Medical devices: Securing applications and patient data is essential for medical diagnostic equipment. Applications requiring a higher level of security can be isolated using Intel VT, which protects their memory space in hardware and helps prevent attacks from malicious software. As such, software running in a secure partition only has access to its own code and data regions, unable to page outside its memory boundary because the hardware precludes unauthorized access.

    As they mention, the memory space protection implemented in VT allows software to run only its own code, and access only its own memory spaces. This has a lot of potential in e-security.
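As an added illustration that is not part of the original answer or of Intel's materials, the following C code models the permission check behind that isolation: the second-level (EPT) table decides, per guest-physical frame, what the partition may read, write or execute. Real EPT is a four-level structure walked by hardware and a failed check raises an EPT-violation VM exit to the hypervisor; the flat table, the frame numbers and the code/data layout of the partition here are assumptions made for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Simplified model of EPT-style second-level address translation.
 * Real EPT is a four-level table walked by the CPU; this flat table maps
 * 4 KiB guest-physical frames to host-physical frames and carries the
 * same read/write/execute bits (bits 0..2 of a real EPT entry). */
#define EPT_READ   0x1u
#define EPT_WRITE  0x2u
#define EPT_EXEC   0x4u
#define PAGE_SHIFT 12
#define NUM_FRAMES 8            /* assumed: tiny 32 KiB guest-physical space */

typedef struct {
    uint64_t host_frame;        /* host-physical frame number */
    uint32_t perms;             /* EPT_READ | EPT_WRITE | EPT_EXEC */
    bool     present;
} ept_entry_t;

typedef enum { EPT_OK = 0, EPT_VIOLATION = 1 } ept_result_t;

/* Translate a guest-physical address for the requested access type.
 * On a missing mapping or a missing permission, real hardware raises an
 * EPT violation VM exit and the hypervisor takes over; here we return
 * EPT_VIOLATION and leave *host_pa untouched. */
ept_result_t ept_translate(const ept_entry_t *ept, uint64_t guest_pa,
                           uint32_t req, uint64_t *host_pa)
{
    uint64_t frame = guest_pa >> PAGE_SHIFT;
    if (frame >= NUM_FRAMES || !ept[frame].present)
        return EPT_VIOLATION;                 /* outside the partition */
    if ((ept[frame].perms & req) != req)
        return EPT_VIOLATION;                 /* mapped, but wrong access */
    *host_pa = (ept[frame].host_frame << PAGE_SHIFT) | (guest_pa & 0xFFF);
    return EPT_OK;
}

/* Build one partition's EPT (assumed layout): frames 0-1 are code
 * (read+execute, never writable), frames 2-3 are data (read+write,
 * never executable); every other frame is unmapped. */
void build_partition_ept(ept_entry_t *ept)
{
    for (size_t i = 0; i < NUM_FRAMES; i++)
        ept[i] = (ept_entry_t){0, 0, false};
    ept[0] = (ept_entry_t){0x100, EPT_READ | EPT_EXEC, true};
    ept[1] = (ept_entry_t){0x101, EPT_READ | EPT_EXEC, true};
    ept[2] = (ept_entry_t){0x200, EPT_READ | EPT_WRITE, true};
    ept[3] = (ept_entry_t){0x201, EPT_READ | EPT_WRITE, true};
}
```

Because the partition's own page tables never enter into this check, even kernel-mode code inside the partition cannot reach a frame the hypervisor did not map for it.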