The memory isolation of Hyper-V Platform APIs


Hi everyone.

I'm trying to build a POC application to validate the Hyper-V Platform API, which has been available since Windows 10 RS5 (17134), particularly the memory isolation capability.

As we know, since Windows 10 there has been a type-1 hypervisor that provides the ability to isolate some key parts of the Windows kernel; "VSM" is the name Microsoft uses for it.

So once the Hyper-V Platform API was published, I was very curious whether we ordinary developers can build security applications just like VSM does.

The conclusion is, I think I failed due to the lack of documentation about the new API set.

API doc reference: https://docs.microsoft.com/en-us/virtualization/api/hypervisor-platform/hypervisor-platform

    ------------------------------------------------------------------------------------------------------

Here is the problem:

WHvPartitionPropertyCodeSeparateSecurityDomain is a property code of a VM partition, and it can be used with the WHvGetPartitionProperty and WHvSetPartitionProperty APIs.

So according to its name (I mean "Separate" and "Domain"), I think once I assign this property TRUE for a specified guest VM partition, and then map a memory region to the guest VM partition (with WHvMapGpaRange), the bare-metal Hyper-V hypervisor (type-1 hypervisor) should ensure the memory region cannot be accessed by the host OS (the current Windows 10 system) or by other VMs.

But it doesn't: I can still access the mapped memory region from the host OS.

So is there anyone who can help me, please? I would be very grateful.

Or can I get help from Microsoft staff, especially those who code for the Hyper-V Platform? @mstfguys please :)

Edited by shad0, Monday, December 23, 2019 11:07 AM
Monday, December 23, 2019 9:43 AM