Doesn't that message date back to a time that either predates or is almost concurrent with the introduction of x86 hardware-assisted virtualization? I wasn't around playing with VMs back then, but I'm not sure that the track record of x86 virtualization 20 years ago was that great.
It does, but that's an argument about implementations, and his comment is an argument about design. Just read it again and see if you think it's reasonable. Pay attention to the tone and (especially) the conclusory certainty he deploys.
The letter is dated 2007-10.
AMD released (ie commercially available) Pacifica on May 23, 2006 while Intel did released their Vanderpool a half of year earlier November 14, 2005. [0]
Windows Server 2008 was RTM'ed on February 2008 which provided Hyper-V as a first class component. [1]
Virtual Server 2005 R2 SP1 added support for both Intel VT (IVT) and AMD Virtualization (AMD-V) and was released 11 June 2007. [2]
https://en.wikipedia.org/wiki/X86_virtualization#AMD_virtual...
https://en.wikipedia.org/wiki/Windows_Server_2008
https://en.wikipedia.org/wiki/Microsoft_Virtual_Server#Versi...
The email in question actually addresses one of the first, if not the first, x86 hypervisor product, Xen, relying on both my memory of the time (I did some work with Xen in the mid aughts) and Wikipedia: <https://en.wikipedia.org/wiki/Timeline_of_virtualization_tec...>.
The Xen hypervisor itself was pretty minimal, as I understand mostly serving to time-slice CPU cycles among guest domains and partition memory access. As a contrast to VMWare, device access and drivers were handled by the guests themselves.
As such, the attack surface of the Xen hypervisor itself is fairly minimal. Most security issues seem to be denial of service vulnerabilities, though there are some privilege escalation, access, information leak, and overflow issues listed:
<https://xenbits.xen.org/xsa/>
I generally respect de Raadt's expertise and instincts, though he may have been over his skis here.