Software Archive
Read-only legacy content
17061 Discussions

Kernel diver for virtualization?

Péter_Szilágyi
Beginner
‎11-13-2009 08:11 AM
1,102 Views
Hello,

I've been reading up on the Intel-VT and the VMX instructions, but it seems that in order to get the CPU into a VMX-ready state I need to modify the CR4 register, which can only be done from within the kernel (at least under Windows). My problem is that I would like to write a dead-simple driver that only turned on the VMX operations and maybe did some minor housekeeping, yet to install this drvier under 64bit Windows I need to digitally sign the driver... which would cost hundreds of dollars. Why do I need kernel access in order to be able to write a small hypervisor for my project? As a university student I have absolutely no means of paying for the required certificates from VeriSign or whatever.

How is this issue solved with other projects? Does every single project that use Intel-VT pay for special certificates and such, or am I missing something? Is a pricey certificate needed for every single open source project that would like to use virtualization one way or the other?

Have a nice day,
Peter
0 Kudos

Link Copied

5 Replies
hellfire
New Contributor I
‎11-14-2009 11:48 AM
1,102 Views
Ring0 privilege level is required to turn on VMX. The problem with drivers signing is related to Microsoft. It is not a problem to obtain a certificate from one of providers (verisign.com, globalsign.com) for commercial project.
For educational purposes one of following can be done:
2) Boot Windows with disabled driver signature enforcement

0 Kudos
Copy link
Péter_Szilágyi
Beginner
‎11-15-2009 10:45 AM
1,102 Views
Actually I was thinking about more than educational purpose and less than commercial (i.e. an open source project).

My question though is why do I need Ring0 privilege level?
0 Kudos
Copy link
hellfire
New Contributor I
‎11-15-2009 12:32 PM
1,102 Views
My question though is why do I need Ring0 privilege level?

This is requirement of IA-32 architecture. To enter VMX operation, CR4.VMXE bit must be set. Writing to CR4 can be done with Ring0 privilege (CPL=0) only. Otherwise #GP(0) exception will be raised by processor.

0 Kudos
Copy link
Péter_Szilágyi
Beginner
‎11-15-2009 01:09 PM
1,102 Views
I know *why* practically (to edit the register), but *why* theoretically? Why couldn't vritualization always be enabled?
0 Kudos
Copy link
hellfire
New Contributor I
‎11-15-2009 03:52 PM
1,102 Views
Quoting - Pter Szilgyi
I know *why* practically (to edit the register), but *why* theoretically? Why couldn't vritualization always be enabled?

Theoretically - due to security reasons. It is not acceptable to let any user mode software manipulate system registers and turn virtualization on.
0 Kudos
Copy link
Reply

Community support is provided Monday to Friday. Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.