RE: kyber
Hmmm.... The EAL-4 hype that IBM likes to parade out whenever discussing LPARs is common to just about every OS you are likely to use (right back to Windows 2000!). You really need to ensure you are using good security practices (not just the vendor's recommended best practices, they are often slow to update them) rather than relying on the vendor's out-of-the-box security ratings.
One of the big discussions over hypervisor security is "do I want a full-fat OS layer as my hypervisor?" Essentially, all hypervisors are software acting as an OS, either a full-featured one (type 2 hypervisors, like the hp-ux OS host for the Integrity Virtual Machines software package) or a cut-down one where the software is bundled into the same package (type 1s, think the Windows server 2008 base of HyperV, or the Linux that is in VMware's ESXi, or what underlies IBM's z/VM or LPARs). Even so-called real hardware partitioning relies on software, in hp's npar case run on a management processor board, essentially a mini computer built inside the server. The devil is in that you will usually have a network-based access to the virtualisation layer to allow remote administration, and this is the security hole. Crack the admin login to the management console and you can disrupt the VMs at will, or possibly introduce virii into the images used to build VMs with some virtualisation products.
The pros for a cut-down OS is that it is much smaller and uses less system overhead, leaving more resources for the virtual machines. As there is less software involved in a one-task hypervisor, there is a less of an attack surface presented to the network. If it is a separate mini computer then it actually doesn't use any of the main system's resources (hp's old hardware partitioning on the Integrity rack servers left 100% of the main server available). But, if you have a cut-down OS, how do you enforce network security? You have to take the vendor's word that they have locked it down. For example, I can't buy Symantec anti-virus for the cut-down OS in ESXi or HyperV, only for the full-fat OS VMs sittign on top. With older versions of VMware you actually had a Linux command line you could log into to poke around, but this has been removed in the latest version for security. That's great, as long as you didn't like being able to go into the underlying Linux.
With a full-fat OS layer as a hypervisor, you have to give up more system resources to the virtualising layer, but you have the same OS as is used for general tasks and so you can apply the same security policies and lock it down in a flexible manner, tailored as you require. If a new threat becomes apparent then you have full control of the virtualising layer to make configuration changes, whereas with a cut-down hypervisor you have to wait for the vendor to introduce a patch.
The main problem I see with type 1 hypervisors is you don't have the ability to go in and check the security (a worrying thought given that HyperV is essentially half-fat Windows Server). If Intel (and hopefully AMD) do go for more checking of the hypervisor layer than that can only be a good thing.