
What is Virtual Secure Mode trying to achieve?

Çağlar Arlı


I recently learned about the feature in Windows 10 called Windows Secure Mode (https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/tlfs/vsm). I'm trying to understand what exactly it is trying to achieve by sandboxing itself from the operating system kernel. The main thing I am struggling with is that in the Windows architecture, when an application wants to access, say, a WinAPI function, it calls the relevant sub-system DLL, which then calls on NTDLL, and NTDLL then makes the call directly to the kernel.

So how does something like Windows Secure Mode allow applications to function, as they will still have to make calls through that process? I understand that the Windows Secure Mode hypervisor allocates its memory space in a security level "above" the kernel, but calls to the kernel will still need to be made (for example if we want to create a file). While these kernel functions could not alter this memory space, they would still need to be able to read it, no? So while anything operating in Windows Secure Mode can't have its memory written to by the kernel without specific permission of the hypervisor, the kernel can still read any information that is being passed to the application.

Am I understanding this correctly that the point of Windows Secure Mode is only to protect its "special" memory from being written to and nothing else?
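Before reasoning about what VSM isolates, it helps to see whether the virtualization-based security (VBS) layer the question refers to is actually enabled and running on a given machine, and which security services are running on top of it. The following is an added example, not part of the original post and not Microsoft's code; it reads the Win32_DeviceGuard WMI class that Windows exposes under the root\Microsoft\Windows\DeviceGuard namespace. The function name Get-VsmStatus is my own, and the numeric-to-name mapping covers only the two service codes I am certain of (1 = Credential Guard, 2 = HVCI); any other code is reported by its number. It assumes Windows 10/11 with Windows PowerShell 5.1 or later, run from an elevated prompt for complete results.

```powershell
# Added example (not from the original post): report the VBS / VSM state of this host
# by querying the Win32_DeviceGuard WMI class. Hypothetical function name.
function Get-VsmStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbsState = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
        0       { 'Not enabled' }
        1       { 'Enabled, not running' }
        2       { 'Running' }
        default { "Unknown ($($dg.VirtualizationBasedSecurityStatus))" }
    }

    # Service codes I am certain of; anything else is reported as 'Service <n>'.
    $serviceNames = @{ 1 = 'Credential Guard'; 2 = 'HVCI (hypervisor-enforced code integrity)' }
    $describe = {
        param($codes)
        foreach ($c in @($codes)) {
            $k = [int]$c
            if ($serviceNames.ContainsKey($k)) { $serviceNames[$k] } else { "Service $k" }
        }
    }

    [pscustomobject]@{
        VbsStatus           = $vbsState
        ServicesConfigured  = (& $describe $dg.SecurityServicesConfigured) -join ', '
        ServicesRunning     = (& $describe $dg.SecurityServicesRunning) -join ', '
        RequiredProperties  = @($dg.RequiredSecurityProperties) -join ', '
        AvailableProperties = @($dg.AvailableSecurityProperties) -join ', '
    }
}

# Usage: prints the VBS state and which VSM-hosted services (e.g. Credential Guard) are live.
Get-VsmStatus | Format-List
```

A host where VbsStatus is anything other than "Running", or where ServicesRunning is empty, is not getting the isolation the question is asking about regardless of what Group Policy says, which is why detection and compliance checks should read the running state rather than the configured one.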