Slashdot Mirror
HP Disables VT On Some Intel Laptops
snoukka writes "I just bought a new HP nx9420 laptop in order to use it with Linux, XEN, and windows on XEN. I was very disappointed when I noticed that the processor had this feature but VT is disabled in BIOS by HP and cannot be enabled! Disabled!? It's like buying a car with turbo and finding out after buying it that this turbo 'feature' was disabled." The forum thread goes back to last August and is still live. The latest post from an HP rep indicates that new firmware for the nx9420 should be available later this week in which the ability to switch on VT is enabled. It's not clear whether other HP products, in which VT was also disabled, will also get new firmware.
But will HP have to charge $4.99 for the VT compatible firmware in order to comply with the Sarbanes-Oxley Act?
I gave VT to my wife... ;)
Enabling VT is a huge security risk with no benefit for most of HP's customers. You probably should be able to turn it on, but having it on leaves open the possibility that a rootkit could be installed as the hypervisor/VMM/whatever, making it undetectable to the OS. Even having the option seems dangerous, as many "power users" will probably enable everything in the BIOS they can, regardless of risk/reward. On second thought, there are probably only a few hundred people that would run Xen on their laptop, so why have the "bug" available on the other few hundred thousand laptops? I suspect there may be many legal reasons why it is disabled by default, whether or not disabling the option to turn it on was intentional or not.
--That's the point of being root, you can do anything you want, even if it's stupid.
Because, of course, it's better to send 5000 users to Wikipedia for a two-letter acronym search than for the author who already know the meaning to include it between parenthesis.
As a long time Xen user and one of the very first non Xen developer to run hardware virtualized OS under Xen on Intel hardware, I can say something that most here are missing: if you install Xen as the hypervisor and then launch an unmodified OS, like Windows, using hardware virtualization (you ain't launching an unmodified OS under Xen without hardware virtualization anyway), the unmodified OS will *not* see a VT-capable system. Which means that if you install Xen in the first place, as a knowledgeable Xen/Linux user, it's gonna be *very* hard for a Windows virus to be able to attack Xen/Linux. You can run Xen under Xen (that's an indisputable fact, I've done it) but you fscking can NOT run an hardware virtualized system under another hardware virtualized system (that is another undisputable fact). Now conceptually there may be an workable exploit one day, but being able to attack the hypervisor from an OS seeing a non-VT system would be one heck of a hack (a bit like being able to crash a computer configured as a completely passive sniffer behind a one-way ethernet cable or a shomiti tap). In other words, it is very unlikely to happen anytime soon.
Moreover saying that an hypotetical "hypervisor exploit" would be undetectable is complete rubbish bullshit: it's not any more difficult to detect than to detect a root exploit. Anyone who consider that scanning a machine from itself is a safe way of detecting malware is a fool anyway. You take the system offline, hook it's hard disk to a known good system (or boot it using a live CD) and voila... Gameover rootkit, game over hypervisor "undetectable" malware.
(and if you want to play the "my servers can't be taken down" I'll fire back with a "what punk, you're telling me you've got a SPOF?").
What Xen buys you if you want, though, is free (from Linux) scanning / SHA1-summing / etc. of Windows systems without the Windows systems even *knowing* it is happening. Game over Windows "rootkits". Plain and simple.
I hope that by now you realize that if you run Xen/Linux then Windows under Xen using VT, it is *impossible* for a virus to act as the hypervisor and then to present you with a 'fake' Xen/Linux hypervisor that would allow you to run Windows. That's how VT in this day and Intel age works. It may change, but as of now: move along, nothing to see here.
(OK, OK, a *really* incredible virus could make you think you're running Windows using HVM though Windows would actually be running under QEMU... But that would be one heck of a hack and you'd notice QEMU's extreme slowness in emulation mode... No accelerated QEMU under Xen).
Hypervisor rootkits can't counter timing-attacks based detection either.
Windows running under Xen is way more secure than running on the bare metal. Dot.
So please, stop all the uninformed "oh my god VT is teh insecure tech!".
To me running Windows under Xen is the most secure thing that happened to Windows in ages (and, no, I wasn't that much of a VMWare fan).
Acronyms are a way in which like minded people can quickly and efficiently communicate; countless businesses, academic institutions and social groups freely use acronyms as part of an established and understood vocabulary.
Except that in this case "VT" is not part of an established and understood vocabulary.
Of course, we wouldn't ask that question because everyone knows what HP is already. Why's that? Because this is a tech orientated site, of course.
This isn't really a good comparison. Even people without a technology background know what "HP" stands for.
I've been involved with and around computers and electronics since the late 1970s, and today is the first day in a long time that I've encountered the abbreviation "VT". It means "Video Terminal", right? Or is it "Video Tape"?
It's AEP (accepted editorial practice, but you knew that already, right?) to put the meaning of an abbreviation in parentheses next to its first use in a journalism piece, so you're sure the reader understands what you're talking about - unless you're writing an abbreviation knowledge test.
Putting moderation advice in your
You can't blame Lenovo for this. Intel had major problems with making VT work early on, and there are a lot of steppings where it's just plain broken. These companies decided to turn it off for everyone because they don't want to handle all the users complaining that Lenovo sucks because VT is broken. Blame Intel for this one.
My other car is first.