Virtualization is also the technology at the root of Microsoft’s confidential computing services, offering a way to work with encrypted data securely, ensuring protection in storage, in motion, and in operation. Nesting encrypted virtual environments on top of traditional hypervisors works well enough, though it limits the operating system functions accessible within a trusted execution environment.
Extending the hypervisor
This is where an alternate approach to virtualization comes in, what Microsoft is calling a “paravisor.” It builds on the concept of paravirtualization, which provides more links between the host and virtualized environments. This approach requires the client OS to be virtualization-aware, with a defined set of APIs and drivers that can use those APIs when necessary. It lets the client OS handle isolated compute while the host OS shares I/O and other common services between host and virtualized processes.
If you’re using the virtualization-based security features in Windows, you’re using a VM that supports paravirtualization. This ensures that secured operations have the same priority and hardware access as their unsecured counterparts, avoiding performance bottlenecks and giving users the same experience whether they’re inside or outside a secured process’s trust boundaries.