Hardware Virtualization: Off By Default

Thursday, May 10, 2007

I noticed my x60 tablet had “Intel Virtualization Technology” off by default in the bios. In talking to people and reading blogs, a lot of manufacturers configure their machines similarly.

Turning on VT Technology enables “Hardware Assisted Virtualization” in Virtual PC, which gives virtual machines a performance boost. See Scott Hanselman’s “Virtual PC Tips and Hardware Assisted Virtualization” for more details.

It’s a simple job to enable VT Technology in the BIOS, but I started wondering why every machine seems to have this feature turned off. “Off by default” is a security mantra, and it turns out hardware virtualization extensions do open a potential risk.

The slide deck “Hardware Virtualization Rootkits” (PDF) is an interesting read. It seems a rootkit could use VT Technology to run at a higher privilege level than the operating system itself! Microsoft recommends that manufacturers turn the feature off by default for non-server class machines. See: “CPU Virtualization Extensions: Analysis of Rootkit Issues”.
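A defender's first question on a machine like this is simply "is VT exposed, and did the BIOS lock its choice?" The following is an added example, not code from the original post or from the linked papers. It reads CPUID leaf 1 to see whether the CPU advertises VMX, and decodes the Intel IA32_FEATURE_CONTROL MSR (0x3A), where the BIOS records whether VMX is enabled and locks that decision. Reading the MSR itself needs ring 0 (on Linux, root plus the msr driver), so the decoder takes the raw value as a parameter; the values in main() are constructed samples. It assumes an x86 CPU and a GCC/Clang toolchain with <cpuid.h>.

```c
/* Added example (not from the original post): report whether this CPU
 * advertises Intel VT-x and decode the BIOS's IA32_FEATURE_CONTROL setting.
 * Assumptions: x86 CPU, GCC/Clang <cpuid.h>; the MSR value is supplied by
 * the caller, since reading MSR 0x3A needs ring 0. */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* CPUID.1:ECX bit 5 is the VMX feature flag (Intel SDM). */
#define CPUID1_ECX_VMX (1u << 5)

/* IA32_FEATURE_CONTROL (MSR 0x3A) bit layout (Intel SDM). */
#define FEAT_CTL_LOCK        (1ull << 0)  /* once set, MSR is read-only until reset */
#define FEAT_CTL_VMX_IN_SMX  (1ull << 1)  /* VMX allowed inside SMX (TXT) */
#define FEAT_CTL_VMX_OUT_SMX (1ull << 2)  /* VMX allowed for a normal OS/hypervisor */

enum vmx_state {
    VMX_NOT_SUPPORTED, /* CPUID does not advertise VMX at all */
    VMX_LOCKED_OFF,    /* BIOS disabled VMX outside SMX and locked it: "off by default" */
    VMX_LOCKED_ON,     /* BIOS enabled VMX and locked the choice */
    VMX_UNLOCKED       /* lock bit clear: any ring-0 code may flip VMX on itself */
};

/* 1 if CPUID reports the VMX extension, 0 otherwise (always 0 on non-x86). */
int cpu_advertises_vmx(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return 0;                         /* leaf 1 not available */
    return (ecx & CPUID1_ECX_VMX) != 0;
#else
    return 0;
#endif
}

/* Decode a raw IA32_FEATURE_CONTROL value into one of the states above.
 * cpuid_vmx is the result of cpu_advertises_vmx() (or a constructed value). */
enum vmx_state classify_feature_control(int cpuid_vmx, uint64_t msr)
{
    if (!cpuid_vmx)
        return VMX_NOT_SUPPORTED;
    if (!(msr & FEAT_CTL_LOCK))
        return VMX_UNLOCKED;              /* the risky case: nothing pins the setting */
    return (msr & FEAT_CTL_VMX_OUT_SMX) ? VMX_LOCKED_ON : VMX_LOCKED_OFF;
}

const char *vmx_state_name(enum vmx_state s)
{
    switch (s) {
    case VMX_NOT_SUPPORTED: return "VMX not supported by CPU";
    case VMX_LOCKED_OFF:    return "VMX disabled and locked by BIOS";
    case VMX_LOCKED_ON:     return "VMX enabled and locked by BIOS";
    case VMX_UNLOCKED:      return "VMX setting unlocked (software may enable it)";
    }
    return "unknown";
}

int main(void)
{
    int vmx = cpu_advertises_vmx();
    printf("CPUID advertises VMX: %s\n", vmx ? "yes" : "no");

    /* Constructed sample MSR values standing in for a real rdmsr of 0x3A. */
    uint64_t samples[] = { 0x0, 0x1, 0x5 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("IA32_FEATURE_CONTROL=0x%llx -> %s\n",
               (unsigned long long)samples[i],
               vmx_state_name(classify_feature_control(vmx, samples[i])));
    return 0;
}
```

The state worth flagging in an inventory is VMX_UNLOCKED: a BIOS that neither enables nor locks the MSR leaves the decision to whatever ring-0 code runs first, which is exactly the window the rootkit slides are about. A BIOS that locks it off, as the manufacturers in the post do, closes that window until the user deliberately reopens it.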

Just more proof that you can’t ship any kind of feature these days without thinking of the security implications.

Wilhelm Svenselius Thursday, May 10, 2007
I was a bit worried when I bought my most recent laptop (a Dell) because it had a TPM chip, and I try to keep everything that even smells of DRM turned off. I was pleased to find that not only does Vista give you a choice of whether to make use of the TPM, Dell has also turned it off in the BIOS by default, so Vista doesn't even detect its presence.

Hats off to "off by default"!

scott Thursday, May 10, 2007
Sweet! :)

Kenny Kerr Thursday, May 10, 2007
The other gotcha with hardware virtualization is that it is not a shareable resource. If, for example, you run VMware Workstation alongside Virtual PC, then the first app to claim the resource will exclude subsequent apps from using it.
