Are there any good reasons for disabling hardware-assisted virtualization?

Question

We've had a number of servers from Dell recently, all of which have had hardware-assisted virtualization disabled in the BIOS.

As far as I know hardware-assisted virtualization is a good thing - so why would Dell disable it? Does it have a performance overhead if the machine isn't acting as a virtual machine host? Are there any security issues?

In case it's relevant to your answers we will primarily be using:

• Host OS: Windows Server 2003 Enterprise R2 (32-bit)
• Guest OS:Windows Server 2003 Enterprise R2 (32-bit)
• VMM: Virtual Server 2005 Enterprise R2 SP1

Answer 1

The reason Dell (and Sony etc.) disable Intel-VT and AMD-V is that they cannot support it. Enabling the feature would mean they would have to provide support on it, which the simply cannot do, due to insufficient knowledge at the supportdesk, mainly.

That is, at least, how Sony formulated it.

I tried prying the reason from Sony support guys and that is the only thing they would give me. I finally was able to patch my BIOS and enable VT myself, though.

As for the rest, stuff like Bluepill are not exactly mainstream. And as far as I know - and I work with virtualization stuff a lot - there is no downside to enabling it. If there is though, I would really like to know about it...

Answer 2

One very good reason is security. There have been known hacks that insert a malicious hypervisor in between your OS and your hardware. This allows anyone to capture any data in a perfectly transparent manner.

Answer 3

I would hazard a guess that not all CPUs available for a given motherboard and BIOS combination support VT extensions. So they ship it as disabled in the BIOS for the sake of compatibility.

Times are changing and VT is becoming pretty common place now. So perhaps we'll see a change?

Answer 4

I found this on The Register:

Sony's engineers and QA people were: "Very concerned that enabling VT would expose our systems to malicious code that could go very deep in the Operating System structure of the PC and completely disable the latter."

Answer 5

Depending on the virtualization method you are intending to use you may not need to enable hardware virtualization featurs in Intel-VT and AMD-V capable CPUs. When you would need to use these features is when the virtualization method is unable to work when installing unmodified operating systems, usually Microsoft Windows.

When working with VMware the hardware virtualization features added byt the Intel-VT and AMD-V chipsets are usually unnecessary as VMware provides all of the necessary features within itself and it can lead to degraded performance of the virtual server itself.

With Xen virtualization you will need to use these features if you intend to run Windows within the unprivileged guest domains (domU's) and install using full-virtualization rather than para-virtualization. In my experience having to enable these features can show a significant degradation in performance overall even still but it will allow you to install Windows. Other operating systems like Linux, *BSD and OpenSolaris I have had no problems installing without hardware virtualization and see much better improvement when the hardware virtualization features are disabled.

In the end it comes down to what virtualization path your are planning to take, and what operating systems you see being installed that can be the determining factor in whether to leave it disabled or go ahead and enable it.

Answer 6

Having worked in Dell server support, all the VT capable servers have the feature disabled in the bios by default, but it is easy to enable if you need it.

As for Sony - they have it disabled in the laptops, for the reasons stated above.

I've never seen a server with VT/SVM capabilities disabled completely, to the point you can't enable it.

Answer 7

I might be behind the times, but in lots of cases with things like VMWare it actually makes a lot of things slower:

VMWare White Paper on the Subject

Answer 8

As wzzrd mentioned above, it's all to do with support. Leaving VT off lowers the number of support scenarios where VT becomes a factor, enabling quicker problem resolution for the majority of customers who haven't ventured down the virtualization route.

One thing I've noted is that in windows 7, running the xp mode beta causes conflicts with vmware workstation when VT is enabled on my dell. Both want to "get hold of" the VT extension and as xp mode leaves a VPC process running even after exiting, it doesn't "let go" of the VT. So when you fire up vmware, any virtual machine you try and run dies on startup. Disabling the VT extension in the bios prevents this from happening, but with markedly reduced performance.

Answer 9

I am pretty sure hardware assisted virtualization does NOT have any overhead when you're just running a native OS.

The only reason I can think of for having the ability to disable it (I've never thought about this before, actually) is that certain applications/workloads could in fact run worse when HAV is enabled than when ran natively, due to certain overhead in the MMU for instance.

I wouldn't worry about it at all.

Answer 10

Enabling Intel VT makes CPU hotter, I've had a Desktop and Laptop that have had this behaviour, both with stock CPU coolers. I'm refering to Home Computers but it's the same feature.

I know that AMD-V comes enabled by default, but I don't know if it makes CPU hotter.

Answer 11

Simply have a look at Hewlett Packard Proliant DL145 G3 - Servers.

HP disabled the HyperVisor (HV) by the BIOS. The BIOS-Menue don't show an option to enable this feature. The only answer to questions regarding this problem is "this platform don't support hardware virtualisation - end of discussion"

It's simply impossible to enable HV with the HP-provided BIOS.

The only solution: Coreboot ... that is to completely wipe out the PHOENIX-BIOS from this boards and replace it with something other ...