
windows - Is Windows really running in a virtual machine?

Reposted. Author: 行者123. Updated: 2023-12-04 11:46:03

I found this blog post from Raymond Chen, which claims:

Strictly speaking, what it actually represents is the resources of the other virtual machines, since Windows itself is running in a virtual machine under the hypervisor. You may not be explicitly using the hypervisor, but some other features are built on top of the hypervisor.



I can't find any source that supports this claim.

Is the host Windows operating system really running in a virtual machine under the hypervisor?

Best answer

VBS Virtualization-based Security

Virtualization-based security, or VBS, uses hardware virtualization features to create and isolate a secure region of memory from the normal operating system. Windows can use this "virtual secure mode" to host a number of security solutions, providing them with greatly increased protection from vulnerabilities in the operating system, and preventing the use of malicious exploits which attempt to defeat protections.

One such example security solution is Hypervisor-Enforced Code Integrity (HVCI), commonly referred to as Memory integrity, which uses VBS to significantly strengthen code integrity policy enforcement. Kernel mode code integrity checks all kernel mode drivers and binaries before they're started, and prevents unsigned drivers or system files from being loaded into system memory.

VBS uses the Windows hypervisor to create this virtual secure mode, and to enforce restrictions which protect vital system and operating system resources, or to protect security assets such as authenticated user credentials. With the increased protections offered by VBS, even if malware gains access to the OS kernel the possible exploits can be greatly limited and contained, because the hypervisor can prevent the malware from executing code or accessing platform secrets.

Similarly, user mode configurable code integrity policy checks applications before they're loaded, and will only start executables that are signed by known, approved signers. HVCI leverages VBS to run the code integrity service inside a secure environment, providing stronger protections against kernel viruses and malware. The hypervisor, the most privileged level of system software, sets and enforces page permissions across all system memory. Pages are only made executable after code integrity checks inside the secure region have passed, and executable pages are not writable. That way, even if there are vulnerabilities like a buffer overflow that allow malware to attempt to modify memory, code pages cannot be modified, and modified memory cannot be made executable.

VSM Virtual Secure Mode

Virtual Secure Mode (VSM) is a set of hypervisor capabilities and enlightenments offered to host and guest partitions which enables the creation and management of new security boundaries within operating system software. VSM is the hypervisor facility on which Windows security features including Device Guard, Credential Guard, virtual TPMs and shielded VMs are based. These security features were introduced in Windows 10 and Windows Server 2016.

VSM enables operating system software in the root and guest partitions to create isolated regions of memory for storage and processing of system security assets. Access to these isolated regions is controlled and granted solely through the hypervisor, which is a highly privileged, highly trusted part of the system’s Trusted Compute Base (TCB). Because the hypervisor runs at a higher privilege level than operating system software and has exclusive control of key system hardware resources such as memory access permission controls in the CPU MMU and IOMMU early in system initialization, the hypervisor can protect these isolated regions from unauthorized access, even from operating system software (e.g., OS kernel and device drivers) with supervisor mode access (i.e. CPL0, or “Ring 0”).

With this architecture, even if normal system level software running in supervisor mode (e.g. kernel, drivers, etc.) is compromised by malicious software, the assets in isolated regions protected by the hypervisor can remain secured.

Regarding "windows - Is Windows really running in a virtual machine?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/56047930/
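To check on a given machine whether the hypervisor and the VBS features described in the answer are actually active, the following read-only PowerShell script is an added example (not part of the original question or answer). It reads the documented `Win32_DeviceGuard` and `Win32_ComputerSystem` WMI classes; the helper name `ConvertTo-ServiceName` is hypothetical.

```powershell
# Added example: report hypervisor presence and VBS state on this host. Read-only.

$vbsStatusNames = @{
    0 = 'VBS not enabled'
    1 = 'VBS enabled but not running'
    2 = 'VBS enabled and running'
}
$serviceNames = @{
    1 = 'Credential Guard'
    2 = 'HVCI (Memory integrity)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
}

# Hypothetical helper: map Win32_DeviceGuard service IDs to readable names
function ConvertTo-ServiceName {
    param([int[]]$Ids)
    $names = foreach ($id in $Ids) {
        if ($id -eq 0) { continue }   # 0 means "no services"
        if ($serviceNames.ContainsKey($id)) { $serviceNames[$id] } else { "Unknown ($id)" }
    }
    if ($names) { $names -join ', ' } else { 'None' }
}

# HypervisorPresent is true when the OS detects a hypervisor beneath it. It is also
# true inside an ordinary guest VM, so on its own it does not prove VBS is active.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem

# Win32_DeviceGuard may be absent on some editions; handle that instead of failing
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

if (-not $dg) {
    Write-Warning 'Win32_DeviceGuard is not available; VBS state cannot be read from WMI.'
    [pscustomobject]@{ HypervisorPresent = $cs.HypervisorPresent }
    return
}

$status = [int]$dg.VirtualizationBasedSecurityStatus
[pscustomobject]@{
    HypervisorPresent  = $cs.HypervisorPresent
    VbsStatus          = if ($vbsStatusNames.ContainsKey($status)) { $vbsStatusNames[$status] } else { "Unknown ($status)" }
    ServicesConfigured = ConvertTo-ServiceName $dg.SecurityServicesConfigured
    ServicesRunning    = ConvertTo-ServiceName $dg.SecurityServicesRunning
}
```

A service listed under `ServicesConfigured` but missing from `ServicesRunning` is worth investigating: the policy requests the protection, but the hypervisor-backed service did not start.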
