VMXON is the instruction which turns on Intel VT extensions[1]. This instruction can be enabled and disabled by setting a bit in a CPU register. Moreover, this CPU register itself can be locked so that no changes can be made until the CPU is power-cycled.

In detail, the register is the IA32_FEATURE_CONTROL (0x3A) MSR. The relevant bits are:

  bit 0   Lock bit (0 = unlocked, 1 = permanently locked)
  bit 1   Enable VMXON in Intel Safer Mode Extensions (SMX)
  bit 2   Enable VMXON in normal operation

So to find out if VT is possible with the CPU, use CPUID (in practice, check if "vmx" is in /proc/cpuinfo flags).

To find out if VT can be turned on in the host, check bit 2 in the above register. There is a handy tool called msr-tools[2] which you can use:

  # ./rdmsr 0x3a
  ff03

(bit 2 is clear, so VT is _not_ enabled on this host).

It seems that the BIOS locks the register (by writing 1 to bit 0). To find out if the BIOS has locked the register, use rdmsr again and look at the lowest bit. In the example above you can see that the BIOS disabled VT and locked the register. Once the register is locked, the only way around it is to reboot.

If the register is unlocked you can enable VT by writing a 1 to bit 2.

If you don't want to use the msr-tools, then direct access to the register can be had through /dev/cpu/<id>/msr. For example this is an strace of rdmsr 0x3a:

  open("/dev/cpu/0/msr", O_RDONLY)        = 3
  pread(3, "\3\377\0\0\0\0\0\0", 8, 58)   = 8

However you need to be root to open /dev/cpu/0/msr.

On machines which don't support the IA32_FEATURE_CONTROL MSR you will get an EIO error:

  pread(3, 0x7ffff81ec810, 8, 58)         = -1 EIO (Input/output error)

Rich.

Notes:

[1] I don't think this is possible with AMD's Pacifica extensions. I'm not sure if it's possible to disable these in the BIOS & lock them.

[2] http://www.kernel.org/pub/linux/utils/cpu/msr-tools/

Sources:

* linux/drivers/kvm/vmx.c: function vmx_disabled_by_bios

* "Intel® Trusted Execution Technology Preliminary Architecture Specification" section 2.1.2
  (http://download.intel.com/technology/security/downloads/31516803.pdf)


--
Emerging Technologies, Red Hat  http://et.redhat.com/~rjones/
64 Baker Street, London, W1U 7DF     Mobile: +44 7866 314 421
 "[Negative numbers] darken the very whole doctrines of the equations
 and make dark of the things which are in their nature excessively
 obvious and simple" (Francis Maseres FRS, mathematician, 1759)
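
The following Python is an added example, not code from the original message: it decodes the eight bytes read from /dev/cpu/<id>/msr into the three bits listed above and treats EIO as "MSR not supported". The function names, dictionary keys and verdict strings are assumptions made for illustration; the sample bytes are the ones shown in the strace output.

```python
import errno
import os
import struct

IA32_FEATURE_CONTROL = 0x3A  # MSR number, used as the pread() offset (58)
LOCK = 1 << 0                # bit 0: register locked
VMXON_IN_SMX = 1 << 1        # bit 1: VMXON enabled in SMX
VMXON_NORMAL = 1 << 2        # bit 2: VMXON enabled in normal operation


def decode_feature_control(raw):
    """Decode the 8 little-endian bytes returned by pread() for MSR 0x3A."""
    if len(raw) != 8:
        raise ValueError("an MSR read must return exactly 8 bytes")
    (value,) = struct.unpack("<Q", raw)
    locked = bool(value & LOCK)
    vmx = bool(value & VMXON_NORMAL)
    if vmx:
        verdict = "VT enabled"
    elif locked:
        verdict = "VT disabled and locked by firmware"
    else:
        verdict = "VT disabled but unlocked; bit 2 can still be set"
    return {
        "value": value,
        "locked": locked,
        "vmxon_smx": bool(value & VMXON_IN_SMX),
        "vmxon_normal": vmx,
        "verdict": verdict,
    }


def read_feature_control(cpu=0):
    """Read MSR 0x3A on one CPU (needs root). None means EIO: no such MSR."""
    fd = os.open("/dev/cpu/%d/msr" % cpu, os.O_RDONLY)
    try:
        return decode_feature_control(os.pread(fd, 8, IA32_FEATURE_CONTROL))
    except OSError as exc:
        if exc.errno == errno.EIO:
            return None
        raise
    finally:
        os.close(fd)


# Sample input: the bytes from the strace line above ("\3\377\0\0\0\0\0\0").
SAMPLE = b"\x03\xff\x00\x00\x00\x00\x00\x00"

if __name__ == "__main__":
    print(decode_feature_control(SAMPLE)["verdict"])
```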


--
Libvir-list mailing list
Libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
