Do the x86 virtualization instruction sets (VT-x, AMD-V) have alternate uses?

Hardware-assisted virtualization provides a great pathway to efficiently and securely running guest operating systems atop a hypervisor.

Do those instruction sets (such as Intel's VT-x, AMD's AMD-V, and the Extended Page Tables extension) provide value for scenarios other than running a guest OS wholesale? For example, could they be used to sandbox processes or prevent pieces of kernel-mode code from doing things they shouldn't?

Adam Maras asked Aug 20 '14 02:08

2 Answers

Going through Intel's own page on "Hardware assisted virtualization", they mention a couple of interesting applications:

1. Industrial systems: Virtualization enables systems to simultaneously run real-time and general-purpose operating systems, each on dedicated processor cores of an Intel® multi-core processor.

This is different from running a guest-OS. Here the VT-x features can be used to run two different Operating Systems in parallel, so that we can combine the best of both to achieve our goals. For example, a scenario where you needed very high precision real-time data monitoring, and very high speed processing: In this case, the data acquisition could be entirely delegated to an RTOS running on one of the cores, whereas the other ran a GPOS to process the data.

2. Medical devices: Securing applications and patient data is essential for medical diagnostic equipment. Applications requiring a higher level of security can be isolated using Intel VT, which protects their memory space in hardware and helps prevent attacks from malicious software. As such, software running in a secure partition only has access to its own code and data regions, unable to page outside its memory boundary because the hardware precludes unauthorized access.

As they mention, the memory space protection implemented in VT allows software to run only its own code, and access only its own memory spaces. This has a lot of potential in e-security.

Stark07 answered Nov 20 '22 15:11
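Before relying on any of the partitioning schemes described in this answer, an engineer would first want to confirm that the hardware actually exposes VT-x/AMD-V and second-level address translation (EPT on Intel, NPT on AMD). The following is an added example written for this page, not code from Intel or from the answerer: it parses /proc/cpuinfo-style text (the sample stanzas are constructed) and reports whether every logical CPU advertises the relevant flags. The function and constant names are my own.

```python
"""Added example: check /proc/cpuinfo-style text for x86 hardware
virtualization features (VT-x/AMD-V and EPT/NPT).  Illustrative code
written for this page; sample input below is constructed, not captured."""
import os
import re

# Flag names exactly as the Linux kernel prints them in /proc/cpuinfo.
INTEL_FLAGS = {"virt": "vmx", "slat": "ept"}   # VT-x, Extended Page Tables
AMD_FLAGS = {"virt": "svm", "slat": "npt"}     # AMD-V, Nested Page Tables


def parse_cpuinfo(text):
    """Return one dict of 'key: value' fields per 'processor' stanza.

    Stanzas in /proc/cpuinfo are separated by a blank line."""
    cpus = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if ":" not in line:
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if fields:
            cpus.append(fields)
    return cpus


def virt_capabilities(text):
    """Summarise hardware-virtualization support across all logical CPUs.

    A flag only counts if *every* CPU exposes it: a hypervisor or
    sandbox that assumes VT-x must not be scheduled onto a core that
    cannot enter guest mode."""
    cpus = parse_cpuinfo(text)
    if not cpus:
        raise ValueError("no processor stanzas found")
    vendor = cpus[0].get("vendor_id", "")
    if vendor == "GenuineIntel":
        names = INTEL_FLAGS
    elif vendor == "AuthenticAMD":
        names = AMD_FLAGS
    else:  # unknown vendor: do not guess at flag names
        return {"vendor": vendor, "hw_virt": False, "slat": False, "cpus": len(cpus)}
    flag_sets = [set(c.get("flags", "").split()) for c in cpus]
    return {
        "vendor": vendor,
        "hw_virt": all(names["virt"] in f for f in flag_sets),
        "slat": all(names["slat"] in f for f in flag_sets),
        "cpus": len(cpus),
    }


# Constructed sample input: two Intel CPUs with VT-x and EPT.
SAMPLE_INTEL = """\
processor\t: 0
vendor_id\t: GenuineIntel
flags\t\t: fpu vme de pse msr pae sse sse2 ht vmx ept vpid

processor\t: 1
vendor_id\t: GenuineIntel
flags\t\t: fpu vme de pse msr pae sse sse2 ht vmx ept vpid
"""

# Constructed sample input: AMD CPU with AMD-V but without nested paging.
SAMPLE_AMD_NO_NPT = """\
processor\t: 0
vendor_id\t: AuthenticAMD
flags\t\t: fpu vme de pse msr pae sse sse2 ht svm
"""

# Constructed sample input: second logical CPU is missing the vmx flag.
SAMPLE_INTEL_MIXED = """\
processor\t: 0
vendor_id\t: GenuineIntel
flags\t\t: fpu sse sse2 vmx ept

processor\t: 1
vendor_id\t: GenuineIntel
flags\t\t: fpu sse sse2
"""

if __name__ == "__main__":
    for label, text in (("intel", SAMPLE_INTEL), ("amd", SAMPLE_AMD_NO_NPT),
                        ("mixed", SAMPLE_INTEL_MIXED)):
        print(label, virt_capabilities(text))
    if os.path.exists("/proc/cpuinfo"):  # live check on a Linux host
        with open("/proc/cpuinfo") as fh:
            print("this host", virt_capabilities(fh.read()))
```

A flag in /proc/cpuinfo means the silicon supports the feature, not that it is usable: firmware can lock VT-x off (the kernel's KVM module then reports "disabled by bios" in dmesg), and inside a guest the flag is visible only if the outer hypervisor exposes nested virtualization.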


Do those instruction sets (such as Intel's VT-x, AMD's AMD-V, and the Extended Page Tables extension) provide value for scenarios other than running a guest OS wholesale?

An additional use case for virtualization extensions is to run a bare metal hypervisor (also called type 1 hypervisor). Apart from being able to run multiple OSs on top, you can also run bare metal applications directly on top of the hypervisor (not inside a guest OS instance) alongside regular virtualized OSs. The hypervisor can guarantee security such that these applications can run critical systems like medical equipment. If a guest OS crashes, the hypervisor would ensure that bare metal applications are not affected.

For example, could they be used to sandbox processes?

They can be used to sandbox processes, but that's what regular operating systems do as well.

or prevent pieces of kernel-mode code from doing things they shouldn't?

This is actually what is happening when virtualized guest operating systems are trying to execute sensitive instructions, that is, instructions that can alter the execution of the machine yet can be run in the unprivileged mode of the architecture.

Nikopol answered Nov 20 '22 16:11