https://community.intel.com/t5/Software-Archive/Kernel-diver-for-virtualization/m-p/885238#M9713 <DIV style="margin:0px;"> <DIV id="quote_reply" style="width: 100%; margin-top: 5px;"> <DIV style="margin-left:2px;margin-right:2px;">Ring0 privilege level is required to turn on VMX. The problem with drivers signing is related to Microsoft. It is not a problem to obtain a certificate from one of providers (verisign.com, globalsign.com) for commercial project.</DIV> <DIV style="margin-left:2px;margin-right:2px;">For educational purposes one of following can be done:</DIV> <DIV style="margin-left:2px;margin-right:2px;">1) Usethe <A title="test certificate" href="http://msdn.microsoft.com/en-us/library/aa906283.aspx" target="_blank">test certificate</A></DIV> <DIV style="margin-left:2px;margin-right:2px;">2) Boot Windows with disabled driver signature enforcement</DIV> <DIV style="margin-left:2px;margin-right:2px;"><BR /></DIV> </DIV> </DIV> Sat, 14 Nov 2009 19:48:09 GMT hellfire 2009-11-14T19:48:09Z https://community.intel.com/t5/Software-Archive/Kernel-diver-for-virtualization/m-p/885237#M9712 Hello,<BR /><BR />I've been reading up on the Intel-VT and the VMX instructions, but it seems that in order to get the CPU into a VMX-ready state I need to modify the CR4 register, which can only be done from within the kernel (at least under Windows). My problem is that I would like to write a dead-simple driver that only turned on the VMX operations and maybe did some minor housekeeping, yet to install this drvier under 64bit Windows I need to digitally sign the driver... which would cost hundreds of dollars. Why do I need kernel access in order to be able to write a small hypervisor for my project? As a university student I have absolutely no means of paying for the required certificates from VeriSign or whatever.<BR /><BR />How is this issue solved with other projects? Does every single project that use Intel-VT pay for special certificates and such, or am I missing something? Is a pricey certificate needed for every single open source project that would like to use virtualization one way or the other?<BR /><BR />Have a nice day,<BR /> Peter Fri, 13 Nov 2009 16:11:55 GMT https://community.intel.com/t5/Software-Archive/Kernel-diver-for-virtualization/m-p/885237#M9712 Péter_Szilágyi 2009-11-13T16:11:55Z https://community.intel.com/t5/Software-Archive/Kernel-diver-for-virtualization/m-p/885238#M9713 <DIV style="margin:0px;"> <DIV id="quote_reply" style="width: 100%; margin-top: 5px;"> <DIV style="margin-left:2px;margin-right:2px;">Ring0 privilege level is required to turn on VMX. The problem with drivers signing is related to Microsoft. It is not a problem to obtain a certificate from one of providers (verisign.com, globalsign.com) for commercial project.</DIV> <DIV style="margin-left:2px;margin-right:2px;">For educational purposes one of following can be done:</DIV> <DIV style="margin-left:2px;margin-right:2px;">1) Usethe <A title="test certificate" href="http://msdn.microsoft.com/en-us/library/aa906283.aspx" target="_blank">test certificate</A></DIV> <DIV style="margin-left:2px;margin-right:2px;">2) Boot Windows with disabled driver signature enforcement</DIV> <DIV style="margin-left:2px;margin-right:2px;"><BR /></DIV> </DIV> </DIV> Sat, 14 Nov 2009 19:48:09 GMT https://community.intel.com/t5/Software-Archive/Kernel-diver-for-virtualization/m-p/885238#M9713 hellfire 2009-11-14T19:48:09Z https://community.intel.com/t5/Software-Archive/Kernel-diver-for-virtualization/m-p/885239#M9714 <DIV style="margin:0px;"></DIV> Actually I was thinking about more than educational purpose and less than commercial (i.e. an open source project). <BR /><BR />My question though is why do I need Ring0 privilege level?<BR /> Sun, 15 Nov 2009 18:45:06 GMT https://community.intel.com/t5/Software-Archive/Kernel-diver-for-virtualization/m-p/885239#M9714 Péter_Szilágyi 2009-11-15T18:45:06Z https://community.intel.com/t5/Software-Archive/Kernel-diver-for-virtualization/m-p/885240#M9715 <DIV style="margin:0px;"> <DIV id="quote_reply" style="width: 100%; margin-top: 5px;"> <DIV style="background-color:#E5E5E5; padding:5px;border: 1px; border-style: inset;margin-left:2px;margin-right:2px;"><EM>My question though is why do I need Ring0 privilege level?<BR /></EM></DIV> </DIV> </DIV> <BR /> <DIV>This is requirement of IA-32 architecture. To enter VMX operation, CR4.VMXE bit must be set. Writing to CR4 can be done with Ring0 privilege (CPL=0) only. Otherwise #GP(0) exception will be raised by processor.</DIV> <DIV><BR /></DIV> Sun, 15 Nov 2009 20:32:00 GMT https://community.intel.com/t5/Software-Archive/Kernel-diver-for-virtualization/m-p/885240#M9715 hellfire 2009-11-15T20:32:00Z https://community.intel.com/t5/Software-Archive/Kernel-diver-for-virtualization/m-p/885241#M9716 <DIV style="margin:0px;"></DIV> I know *why* practically (to edit the register), but *why* theoretically? Why couldn't vritualization always be enabled?<BR /> Sun, 15 Nov 2009 21:09:16 GMT https://community.intel.com/t5/Software-Archive/Kernel-diver-for-virtualization/m-p/885241#M9716 Péter_Szilágyi 2009-11-15T21:09:16Z https://community.intel.com/t5/Software-Archive/Kernel-diver-for-virtualization/m-p/885242#M9717 <DIV style="margin:0px;"> <DIV id="quote_reply" style="width: 100%; margin-top: 5px;"> <DIV style="margin-left:2px;margin-right:2px;">Quoting - <A href="https://community.intel.com/en-us/profile/452153">Pter Szilgyi</A></DIV> <DIV style="background-color:#E5E5E5; padding:5px;border: 1px; border-style: inset;margin-left:2px;margin-right:2px;"><EM> I know *why* practically (to edit the register), but *why* theoretically? Why couldn't vritualization always be enabled?<BR /></EM></DIV> </DIV> </DIV> <BR /> <DIV>Theoretically - due to security reasons. It is not acceptable to let any user mode software manipulate system registers and turn virtualization on.<BR /></DIV> Sun, 15 Nov 2009 23:52:09 GMT https://community.intel.com/t5/Software-Archive/Kernel-diver-for-virtualization/m-p/885242#M9717 hellfire 2009-11-15T23:52:09Z