Is that the case or is it being called something else on other CPU versions or is it only included in Xeon Scalable 2nd and 3rd and some Xeon X generations?
Hello HHH03,
Thank you for posting your question on this Intel® Community.
Mode-based Execution Control (MBE) is an Intel® Virtualization Technology (Intel® VT-x) new feature. As you pointed out, it is natively supported on Intel® Xeon® Scalable, 2nd, and 3rd Gen Intel® Xeon® Scalable processors.
To better assist you, could you please provide us with additional details about the CPU, or CPU families, you are currently using?
Wanner G.
Intel Customer Support Technician
I’m not sure how they would perform using Windows HVCI security mode. If you have insight on how they would perform using HVCI, it would be much appreciated.
Thanks HHH03
Broadwell-based Xeons do not have HVCI, and the first group of Xeon W-21xx do not have it either. Probably Xeon W-22xx and up have it.
From the notebook side, 10th generation Comet Lake processors do not have it. But Ice Lake-based 10th generation mobile processors have it.
You can see this with the HWiNFO 64 tool. On the right side, in the Operating System column: UEFI Boot - Secure Boot - TPM - HVCI; if it is green, it means it is present. On my HP notebook I have a Core i7-1065G7, a 10th generation Ice Lake processor, and HVCI is green.
Hello HHH03,
I will look into this request, and provide an update soon.
In the meantime, what I can recommend is that you review the following documentation available from Microsoft* about HVCI on Windows* 10:
Enable virtualization-based protection of code integrity
Wanner G.
Intel Customer Support Technician
Hello HHH03,
Please find below an update to your thread.
The performance overhead of HVCI is reduced when the processor supports MBEC. If HVCI is turned on, but the processor does not support MBEC, the result would be higher overload compared to processors that do support MBEC.
From an Intel CPU perspective, support for MBEC can be ascertained by checking if Bit 54 of MSR 48BH (IA32_VMX_PROCBASED_CTLS2) is set. This is described in detail in Intel Software Developer Manual Volume 3C Section 23.6.2 & Appendix A.3.3. SDM is at: http://www.intel.com/sdm
From a Windows perspective, when HVCI is enabled and the system is rebooted, msinfo32.exe output will list "Mode-based Execution Control" in the "Virtualization-based Security Available Security Properties" line. Alternate methods to query this information are described in the Microsoft article https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity
On the server processor side, Xeon Broadwell generation processors do not support MBEC. Skylake generation processors introduced support for MBEC.
We hope you find this information helpful.
Wanner G.
Intel Customer Support Technician
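The MSR check described in the reply above, as an added example that is not part of the thread or Intel's code. It assumes a Linux host with the `msr` driver loaded and root access; the function names are hypothetical, and the check that bit 63 of MSR 482H (IA32_VMX_PROCBASED_CTLS) is set before MSR 48BH is trusted comes from SDM Appendix A.3, not from the post.

```python
import os
import struct

IA32_VMX_PROCBASED_CTLS = 0x482   # primary processor-based controls
IA32_VMX_PROCBASED_CTLS2 = 0x48B  # secondary processor-based controls

def allowed1(msr_value, control_bit):
    """Bits 63:32 of a VMX capability MSR hold the allowed-1 settings."""
    return bool((msr_value >> (32 + control_bit)) & 1)

def decode_mbec(ctls, ctls2):
    """Decode raw MSR values; ctls2 is None when MSR 48BH cannot be read."""
    secondary = allowed1(ctls, 31)     # "activate secondary controls"
    if not secondary or ctls2 is None:
        return {"secondary_controls": secondary, "ept": False, "mbec": False}
    return {
        "secondary_controls": True,
        "ept": allowed1(ctls2, 1),     # bit 33 of the MSR
        "mbec": allowed1(ctls2, 22),   # bit 54 of the MSR
    }

def read_msr(index, cpu=0):
    """Read one MSR through the Linux msr driver (root, `modprobe msr`)."""
    fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    try:
        return struct.unpack("<Q", os.pread(fd, 8, index))[0]
    finally:
        os.close(fd)

def probe(cpu=0):
    """Read both capability MSRs on one CPU and decode them."""
    ctls = read_msr(IA32_VMX_PROCBASED_CTLS, cpu)
    try:
        ctls2 = read_msr(IA32_VMX_PROCBASED_CTLS2, cpu)
    except OSError:   # the MSR does not exist on this CPU
        ctls2 = None
    return decode_mbec(ctls, ctls2)

if __name__ == "__main__":
    try:
        print(probe())
    except OSError as exc:
        print(f"cannot read MSRs (need root, msr module, VT-x CPU): {exc}")
```

Inside a virtual machine the values reflect what the hypervisor exposes to the guest, so run this on bare metal to learn what the processor itself supports.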
