good

My Windows desktop has a Threadripper CPU with a few cores. Maybe I could I get a bit more utilization out of it with virtualization. Or maybe, given the frequency with which attacks target Windows, I could use virtualization to increase security. Let’s see how that goes.

If you have the Pro edition of Windows, you can run Edge in Application Guard, which basically gives you a tiny virtual Windows machine without much else in it, limiting the scope of attacks. This actually seems to work.



bad

If you don’t have the Pro edition, just Home, you can’t do that because it’s not available. Without going too far down the morality rabbit hole, I think it’s kinda gross to gate a basic security feature like this. Memory limits or management features are one thing, but if the feature works, even home users deserve security, no?

I’ve been doing some protein folding recently, and wanted to review my CPU’s thermals, powers, frequencies, all the things. So I installed Ryzen Master. When I run it, I receive only an error that it can’t be run with Virtualization Based Security enabled. I’m supposed to disable it. Sorry, AMD, but I would rather not. I’ve never had similar trouble with Intel’s XTU, for whatever that’s worth.

I wanted to run a little OpenBSD VM in Hyper-V. And instead of driving it in a little window with fake vesa graphics or whatever, let’s use a real video card. According to the metric system, I have a shit ton of PCI slots, so I stuck an extra Radeon card in one. We can pass this through to OpenBSD using what Windows calls Discrete Device Assignment (DDA), and rock and roll. I’ll get my Windows on this monitor and my hardware accelerated glxgears on that monitor.

Installing the Radeon driver in Windows Update, unnecessary but just to verify it’s plugged into the slot correctly, results in an error message because the amdkmdap driver is incompatible with Memory Integrity, another Windows security feature that uses virtualization to prevent kernel corruption. What the fuck, AMD? Fix your shit. Also, shame on you Microsoft for certifying a broken driver.

Anyway, the card works after a reboot, and I proceed to run the magic powershell commands to remove the PCI device from the host and add it to the guest. Start the guest, and boom, error. “A hypervisor feature is not available to the user.” This is Microspeak for you didn’t pay up for the gold plated Server edition of Windows. To be honest, I was kinda expecting this because officially the feature isn’t really supported and I was curious enough to see it for myself, but the user experience is kinda dumb, and also the segmentation here is stupid. Putting a dedicated device in a VM is not merely a server thing to do. I want to do it right here, on my desktop. There is a rumor that the slightly more exclusive Pro for Workstations enables this feature, but I have yet to find any Microsoft product matrix indicating that.



ugly

I removed the Radeon card, since it clearly wasn’t going to work, but now my system still has Memory Integrity disabled, and can’t enable it again. Even without the Radeon card installed, the driver has still permanently tainted my system as being incompatible with integrity. So it is now forever insecure as the result of a thirty minute experiment. I guess the bonus lesson is be wary of what you install.

(There are some workarounds to get it back, but we are straying even further from the lighted path. I maintain it should just come back after the problematic hardware is removed, and there shouldn’t even be problematic drivers in the Windows Update library.)



conclusion

Don’t use virtualization on Windows. Probably don’t use Windows.