92

I have yet to see a system whose default configuration enables MMU and directed I/O virtualization. Often this necessitates rebooting and going into the BIOS to enable it if you want, e.g., 64-bit support on your VMs.

Is there some kind of substantial processor overhead that occurs if this is switched on and you're not using virtualization? If not, then what's the reason for it being off by default?

John Feminella

5 Answers

58

There were some proof-of-concept rootkits like Blue Pill a while back that could own a system with VT on. After this discovery, most vendors began shipping their units with VT disabled as a general security precaution.

MDMarra
    +1 People using VT on a desktop/laptop are the exception. That machine being susceptible to virii is the rule. – Chris S May 17 '12 at 14:03
  • I'm suddenly having second thoughts about this shiny new powerful dev machine I've built that runs a bunch of VMs with hardware virtualization enabled. I don't *need* virtualization, but I figure it'd save me time in the long run not having to repave it every couple of months. How big an issue is this? – Paperjam May 17 '12 at 21:16
  • Virtually non-existent (as of this comment). Blue Pill was a proof of concept. I am unaware of anything like this in the wild. – MDMarra May 17 '12 at 21:20
  • The point is awareness -- when you use virtualization, you have hypervisor software running that will raise a stink if it is not running on bare metal, but normal OS installs don't do that. – Simon Richter May 18 '12 at 09:24
  • Here is the Microsoft evaluation of the security problem, including the recommendation to switch VT off by default on client role systems: http://msdn.microsoft.com/en-us/windows/hardware/gg463498.aspx – Jpsy Jul 20 '13 at 15:02
  • Microsoft's paper is no longer available on their web site, but you can read it on the [Internet Archive](http://web.archive.org/web/20121130215423/http://msdn.microsoft.com/en-us/windows/hardware/gg463498.aspx) if you want to. – Josh Kelley Sep 09 '14 at 16:48
  • Also it is under the Security tab of my Lenovo BIOS, which further indicates the security aspect. – Ciro Santilli OurBigBook.com Nov 19 '17 at 11:53
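The question underneath this answer is how to tell whether firmware actually left VT-x on. The `vmx` flag in `/proc/cpuinfo` only says the CPU implements it; on Intel parts the firmware's decision is recorded in the IA32_FEATURE_CONTROL MSR (0x3A): bit 0 locks the register until reset, bit 1 allows VMXON inside SMX, bit 2 allows VMXON outside SMX (the normal case). Locked with bit 2 clear is the state KVM reports as "disabled by BIOS". The following is an added example, not code from the thread or from any of its participants; it assumes an Intel CPU, Linux with the `msr` module loaded (`modprobe msr`) and root to read `/dev/cpu/0/msr`. The decode step is kept separate from the MSR read so it can be exercised without hardware.

```c
/* Added example (not from the original thread): decode IA32_FEATURE_CONTROL
 * to see whether firmware left VT-x enabled, then read it for real.
 * Build: gcc -O2 -o vtcheck vtcheck.c ; run as root after `modprobe msr`.
 * Assumptions: Intel CPU, Linux msr(4) device, bit layout per the Intel SDM. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

#define IA32_FEATURE_CONTROL   0x3AU
#define FC_LOCK                (1ULL << 0)  /* firmware locked the MSR until reset   */
#define FC_VMX_IN_SMX          (1ULL << 1)  /* VMXON allowed inside SMX (TXT launch) */
#define FC_VMX_OUTSIDE_SMX     (1ULL << 2)  /* VMXON allowed outside SMX (normal)    */

enum vt_state { VT_ENABLED, VT_DISABLED_LOCKED, VT_UNLOCKED };

/* Pure decode of the MSR value, so it can be tested without root or hardware. */
enum vt_state decode_feature_control(uint64_t msr)
{
    if (!(msr & FC_LOCK))
        return VT_UNLOCKED;            /* firmware never programmed it; a hypervisor may still set it */
    if (msr & FC_VMX_OUTSIDE_SMX)
        return VT_ENABLED;
    return VT_DISABLED_LOCKED;         /* locked with VMXON forbidden: "disabled by BIOS" */
}

const char *vt_state_name(enum vt_state s)
{
    switch (s) {
    case VT_ENABLED:         return "enabled";
    case VT_DISABLED_LOCKED: return "disabled and locked by firmware (KVM: 'disabled by BIOS')";
    case VT_UNLOCKED:        return "unlocked (firmware left it alone; a hypervisor may enable it)";
    }
    return "?";
}

/* Read one MSR from /dev/cpu/<cpu>/msr. Returns 0 on success, -errno on failure. */
int read_msr(int cpu, uint32_t reg, uint64_t *out)
{
    char path[64];
    snprintf(path, sizeof path, "/dev/cpu/%d/msr", cpu);
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -errno;
    ssize_t n = pread(fd, out, sizeof *out, (off_t)reg);
    int err = errno;
    close(fd);
    if (n != (ssize_t)sizeof *out)
        return n < 0 ? -err : -EIO;
    return 0;
}

int main(void)
{
    uint64_t v;
    int rc = read_msr(0, IA32_FEATURE_CONTROL, &v);
    if (rc) {
        fprintf(stderr, "cannot read MSR 0x3A: %s (need root, an Intel CPU and 'modprobe msr')\n",
                strerror(-rc));
        return 1;
    }
    printf("IA32_FEATURE_CONTROL = 0x%016llx -> VT-x %s\n",
           (unsigned long long)v, vt_state_name(decode_feature_control(v)));
    return 0;
}
```

Reading the MSR on every CPU rather than only CPU 0 is worth doing on multi-socket boxes, since firmware programs the register per core. AMD records the equivalent decision (SVM disabled) in a different MSR and is not covered here.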
7

All the server blades we buy have virtualization enabled by default. It may be because our vendor has made a commercial decision to do so to save on so many support calls.

It is not disabled because of a processor hit; it depends on what the machine is being used for. It may be off by default because enabling these features may affect peripheral access.

Sirch
4

Note that according to this other thread, it also seems to have some impact on performance: https://superuser.com/questions/545101/why-does-hp-recommend-that-i-keep-hardware-virtualization-off

It seems relevant to me, since a reduced set of instructions is more efficient. I just wouldn't have thought that changing a BIOS option could directly affect this.

I have no idea whether the impact is significant or not, but considering this and the potential security flaw, having such a rarely used feature disabled by default looks like a good choice to me.

Balmipour
  • The efficiency angle from the linked answer makes no sense. The instruction cache holds instructions of a software program. If the program doesn't use virtualization instructions then there is no effect on that cache. Furthermore there is no report that there is a separate execution unit that handles virtualization nor a part of the instruction decoder that can be bypassed, so there should be no efficiency difference either way. – Nimrod Mar 25 '18 at 18:48
1

Another reason is that most user-facing kernel functions (like gettimeofday) have been moved into the vDSO.

Sometimes under virtualization this fast path cannot be enabled, so the system cannot:

  • gain the fast execution of these functions

  • avoid the expensive switch from userland to the kernel and back

Massimo
0

In addition to the security concerns raised in @MDMarra's answer, you should consider two additional points:

  1. Any enabled optional feature has a small probability of having some nasty and unexpected interactions with other functionality, requiring additional validation. PC vendors hate to spend resources on rarely used features, and client-side virtualization is one of them.

  2. I strongly suspect that, due to #1, Intel's basic client firmware/BIOS blob has VT disabled. So any vendor shipping a VT-enabled client needs to customize that option when preparing its firmware.

That said, we are now in 2019; I see more clients with VT enabled by default. Servers are an entirely different matter: not only have I always found VT enabled, but VT-d is also often active.

shodanshok