2

In order to use Docker, Hyper-V on Windows and all that VM stuff, there must be two things:

  • The CPU must support virtualization
  • The virtualization must be enabled in the BIOS setup.

However, if we look at the BIOS, the CPU virtualization settings it has are not very detailed. Usually, it is just one single flag, for instance "SVM mode: Enable/Disable" for AMD, and that's it.

So, CPU virtualization is a technology that can be disabled for some reason. What is that reason?

Why should anybody ever disable CPU virtualization in the BIOS setup? My best bet is debugging problems or (unlikely) improving performance, but I want an expert commentary.

Related question — https://serverfault.com/questions/390012/ — probably a dup, but it is 8 years old.

enkryptor
    There is an 8 year old question that is related and has some interesting answers: https://superuser.com/questions/419209/are-there-any-pros-cons-to-enabling-virtualization-on-my-computer – Robert Mar 04 '21 at 13:39
  • Does this answer your question? [Are there any pros/cons to enabling virtualization on my computer?](https://superuser.com/questions/419209/are-there-any-pros-cons-to-enabling-virtualization-on-my-computer) – Moab Mar 04 '21 at 14:27
  • [Disabling VT-x may enhance stability/performance in some cases](https://superuser.com/q/651865/241386) – phuclv Mar 04 '21 at 15:41
  • @Moab the linked question is a different question — it asks about reasons for enabling the VT. I'm specifically asking for any particular reason for disabling the VT. The linked question doesn't answer this; all that it says is "you should not enable VT unless you really use it" without explaining why. – enkryptor Mar 04 '21 at 16:34
  • @enkryptor the linked question by Robert & Moab has an accepted answer that details the reason you might want it off is FOR SECURITY: https://superuser.com/a/308246/160219 – gregg Mar 04 '21 at 16:47
  • @gregg if it is duplicate of 289054, it should be closed as a dup of 289054, not 419209 – enkryptor Mar 04 '21 at 17:52
  • @enkryptor it says pros and cons – Moab Mar 04 '21 at 18:38
  • @Moab you imply I didn't read the question, which is not true. I've read both answers and still think the accents are different. "When should I enable VT" differs from "what reasons are there for explicitly disabling it". Answers like "it is for virtualization, so you can leave it disabled unless required" address the former, not the latter. Moreover, things have changed in 8 years. – enkryptor Mar 04 '21 at 18:54
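The two requirements in the question (CPU support, and the firmware switch) can be verified separately from inside the OS. The following script is an added example, not code from the question or from any answer. It decodes the feature flag from `/proc/cpuinfo` and the model-specific register that the firmware sets: `IA32_FEATURE_CONTROL` (0x3A) on Intel, where bit 0 is the lock and bit 2 enables VMX outside SMX, and `VM_CR` (0xC0010114) on AMD, where bit 3 is the lock and bit 4 (`SVMDIS`) disables SVM. The point it demonstrates is that CPUID still advertises `vmx`/`svm` when the BIOS has switched virtualization off; only the locked MSR tells you which of the two flags is the problem. The `/proc/cpuinfo` excerpts are constructed, and reading the live MSR needs Linux, the `msr` kernel module and root. On Windows the equivalent check is the "Virtualization Enabled In Firmware" line under Hyper-V Requirements in `systeminfo`.

```python
"""Check from the OS side whether CPU virtualization (Intel VT-x / AMD-V) is
supported by the CPU and whether firmware has enabled it.

Two separate questions, because CPUID advertises the feature (the vmx / svm
flag) even when the BIOS switch is off:
  1. does the CPU support it?   -> feature flag in /proc/cpuinfo
  2. did firmware enable it?    -> IA32_FEATURE_CONTROL (Intel) or VM_CR (AMD)
"""
import os
import struct

IA32_FEATURE_CONTROL = 0x3A    # Intel: bit0 = lock, bit2 = VMX outside SMX
AMD_VM_CR = 0xC0010114         # AMD:   bit3 = lock, bit4 = SVMDIS

# Constructed /proc/cpuinfo excerpts (not captured from a real machine).
SAMPLE_INTEL = """processor\t: 0
vendor_id\t: GenuineIntel
flags\t\t: fpu vme de pse tsc msr pae mce cx8 sep mtrr vmx smx est sse4_2
"""
SAMPLE_AMD = """processor\t: 0
vendor_id\t: AuthenticAMD
flags\t\t: fpu vme de pse tsc msr pae mce cx8 sep mtrr svm sse4a
"""
SAMPLE_NOVIRT = """processor\t: 0
vendor_id\t: GenuineIntel
flags\t\t: fpu vme de pse tsc msr pae mce cx8 sep mtrr sse4_2
"""


def cpu_flags(cpuinfo_text):
    """Return the set of CPUID feature flags from the first 'flags' line."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return set(line.split(":", 1)[1].split())
    return set()


def decode_intel(value):
    """Interpret IA32_FEATURE_CONTROL: is VMX usable, and is that choice locked?"""
    locked = bool(value & (1 << 0))
    vmx_outside_smx = bool(value & (1 << 2))
    if vmx_outside_smx:
        return "enabled"
    if locked:
        return "disabled by firmware (locked)"
    return "not enabled, unlocked (OS may enable it)"


def decode_amd(value):
    """Interpret VM_CR: SVMDIS set means SVM is off; the lock bit makes it stick."""
    locked = bool(value & (1 << 3))
    svm_disabled = bool(value & (1 << 4))
    if not svm_disabled:
        return "enabled"
    if locked:
        return "disabled by firmware (locked)"
    return "not enabled, unlocked (OS may enable it)"


def assess(cpuinfo_text, msr_value=None):
    """Combine CPU support (flags) with the firmware state (MSR value, if known)."""
    flags = cpu_flags(cpuinfo_text)
    if "vmx" in flags:
        vendor, decode = "intel", decode_intel
    elif "svm" in flags:
        vendor, decode = "amd", decode_amd
    else:
        return {"supported": False, "vendor": None, "firmware": "n/a"}
    firmware = decode(msr_value) if msr_value is not None else "unknown (MSR not read)"
    return {"supported": True, "vendor": vendor, "firmware": firmware}


def read_msr(address, cpu=0):
    """Linux only: needs the msr module and root. Returns None when unavailable."""
    try:
        fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
        try:
            return struct.unpack("<Q", os.pread(fd, 8, address))[0]
        finally:
            os.close(fd)
    except OSError:
        return None


if __name__ == "__main__":
    try:
        with open("/proc/cpuinfo") as f:
            text = f.read()
    except OSError:            # not Linux: fall back to the constructed sample
        text = SAMPLE_INTEL
    address = IA32_FEATURE_CONTROL if "vmx" in cpu_flags(text) else AMD_VM_CR
    print(assess(text, read_msr(address)))
```

When the result is "disabled by firmware (locked)", the flag in `/proc/cpuinfo` was present but the BIOS setting is off, which is exactly the case where Docker or Hyper-V refuses to start and the only fix is the firmware setup screen.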

1 Answer

2

For technical reasons virtualization can only be enabled early in the boot process, thus in the BIOS. It cannot be changed by the OS or other software.

There are some potential exploits associated with virtualization. There are differing opinions as to whether this is a real issue or at present mostly theoretical. It is generally not regarded as a serious issue but that may change in the future. I am sure that malware authors have looked into this.

Some manufacturers set virtualization on by default as a convenience for the user, most of whom don't know of its existence. Some security software needs it. Others prefer to disable it by default, leaving it to the user to enable it if needed. In some cases virtualization is either permanently on or off with no option to change it.

Some people are almost paranoid about computer security. Every unexpected event is seen as a suspected virus or evidence that someone is hacking their computer. I have seen this on computer forums. Such individuals aware of the implications would probably consider it irresponsible to enable virtualization if it wasn't needed.

LMiller7
    I do remember that there were some root-kits that could make use of the virtualization technology at boot-time to hide themselves so that they were active but undetectable at run-time. – Robert Mar 04 '21 at 14:25
  • Yes, a root kit could be designed to be the host, then use virtualization technology to allow the primary system to run with nearly the same environment that it would be running on without the root kit present. – robartsd Mar 04 '21 at 19:08