@planedrop said:
@Chuckz Why do you need Core Isolation enabled in a VM? Core Isolation is designed to protect processes within Windows 11 by using VBS; if you're already isolating the VM, I don't see a huge reason to have it enabled.
It's worth noting again that Microsoft themselves says to NOT use Nested Virt for production use, very specifically in their own documentation.
I get what you're wanting here, but the reality is that 99% of places don't need nested virtualization, and if they do, they should probably rethink it, since it's not considered stable or production-ready on ANY hypervisor. This isn't specific to XCP-ng.
Hyper-V has probably the best nested virt support and even they say it should not be used in production environments.
I'm not saying I don't want this feature to work better, I do. But I can't imagine it should be a priority for Vates or anyone working on Xen because it's not really needed for production setups.
If I am missing some reason you have to have this enabled please let me know, but virtualizing Windows just to nest another Windows so you can enable Core Isolation is really cumbersome and not worth any benefits it provides as far as I can tell.
Hi @planedrop. Sure, I agree that the isolation XCP-ng's Xen hypervisor provides protects other guests on the host from a compromised Windows guest, but it won't protect the confidential data and other services provided by that compromised Windows guest. Nor will it protect the other hosts on the network from attacks that can spread laterally via the network rather than via security holes between different guests on the host. The hypervisor is only one piece of the security process; it is not enough. So I want to protect that Windows guest from attacks that could have been stopped with Core Isolation, because I don't want even a single device or guest in my infrastructure compromised.