Surprised by NEW notebook default BIOS setting???

[GlennSprigg]

On a brand new HP notebook, I was setting up 'BlueStacks', for the Missus to play Android games. Towards the end, it complained bitterly
that it will be extremely slow with limited usability due to a lack of hardware virtualization problems. Upon booting into the BIOS, I found it
was not enabled. I enabled it, and now BlueStacks runs everything fast, clean & faultlessly...  Is there a reason why a new/modern system
would not have something like this enabled by default, considering the majority of users lack of technical know-how ??   

[dave_k]

Top reason is having it enabled is a security risk. Unless you need to use it having it turned off by default is more secure.

[SilverSolder]

Sooner or later, the security bods will conclude the safest thing is to never turn the PC on in the first place - then, disabling boot altogether will be the new default!

[golden_labels]

No need to be snarky. If you do not care about security, it’s your own choice — but there is no reason to see the rest of the world from that perspective.

Most people will never use VT-x, while it increases attack surface. Currently there is no known vulnerabilities that can be easily exploited, but — due to what that feature does — malware using VT-x would be a catastrophe. In that situation it’s a sane decision to consider it an optional thing for that tiny number of people, who actually want to use it.

[SilverSolder]

No need to be snarky. If you do not care about security, it’s your own choice — but there is no reason to see the rest of the world from that perspective.

Most people will never use VT-x, while it increases attack surface. Currently there is no known vulnerabilities that can be easily exploited, but — due to what that feature does — malware using VT-x would be a catastrophe. In that situation it’s a sane decision to consider it an optional thing for that tiny number of people, who actually want to use it.

I agree that you shouldn't switch stuff on by default that most users are unlikely to actually need,  for efficiency as well as security.

That doesn't stop me being frustrated with excessive security fixation in general...

[ejeffrey]

The justification was always security.   Back when virtualization extensions were new there was a big panic about undetectable rootkits using virtualization so that it didn't have to modify the OS itself and therefore could bypass code signing verifications.  If they infected the bios they could even survive an OS reinstall.

Honestly that was all a bit overblown.  If you have the level of access needed to install such a rootkit there are plenty of ways to do it without hardware virtualization and if you can infect BIOS/EFI you can do whatever you want anyway including enabling VTx. But the convention of disabling virtualization by default persists.  There have been demo rootkits using virtualization but they weren't really any better to worse than other rootkits and the idea of an undetectable VM isn't actually possible.

It wasn't a big deal at first.  Early on, hardware assisted virtualization for 32 bit x86 wasn't rally faster than good software virtualization and we didn't have IO virtualization  to give guests hardware access. But now that all mainstream x86 OSes are 64 bit only and software virtualization for that is slow or non existent I don't think there is really a good argument to keep it off by default more than any other hardware feature. 

[MrMobodies]

I notice that myself on having to turn it on when I needed it and it was disabled by default.

I have seen worse. I remembered a time when Sony use to disable there's permanently on some of their stuff I think later than 2007 or so where there were no options to turn it on and I read somewhere it was to do with security risks, not in demand from customers, many of them not going go to use it etc... and it turned out according to this article that they had a licensing agreement to leave it disabled to bring down the cost of the cpu's down.

https://mor10.com/sony-confirms-no-hardware-virtualization-on-vaio-computers-past-present-or-future/

Sony Confirms No Hardware Virtualization on Vaio Computers Past, Present or Future
Post author
By Morten Rand-Hendriksen
Post date
June 22, 2009

Sony has now released BIOS upgrades to most of their Hardware Virtualization (VX) capable Vaio computers. Visit Sony’s eSupport centre (link) and enter your model number to see if yours has an update. This move, which goes against everything Sony has said, proves that if enough people voice their discontent with bad corporate behaviour, corporations actually do the right thing.

Sony confirms they will continue disabling Hardware Virtualization (also known as VT) in the BIOS of all their Vaio computers even after the release of Windows 7 making the new Windows XP Mode unavailable to all Vaio owners.

A couple of months ago I discovered that in spite of the hardware of my Sony Vaio laptop fully supporting Hardware Virtualization, Sony has decided to disable this feature in the BIOS making it unavailable. There has been much chatter and theorizing about this on the net but no clear conclusions, statements or solutions have been provided. So today I contacted Sony directly to find out exactly what was going on. What I found was both surprising and infuriating.

A quick summary of the back story: I bought a Sony Vaio VGN-SR140D laptop last fall and have been very happy with it. That was until I tried to enable Hardware Virtualization so I could run a virtual machine on it for beta testing purposes. It turned out that even though the processor fully supports this feature, Sony has disabled it in the BIOS making it impossible to run any type of virtualization on the computer. The problem is there is no mention of this in any documentation available about the computer or its product siblings. For this reason it is fair to say the computer does not perform to specifications.

Hardware Virtualization will not be available on Sony Vaios. Period!
Right off the bat the tech told me flat out that Hardware Virtualization not only is not available on older or current Vaio models, both laptops and desktops, but that there will be no support for Hardware Virtualization in future models either! When I mentioned that this would become a hot topic once Windows 7 with its much talked about Virtual XP feature is released in November of this year he responded “Even when we start shipping Vaios with Windows 7, hardware virtualization will be disabled.” And he continues: “Sony has no plans to make this function available in any of our computers.”

Hardware Virtualization is disabled to cut cost!
This of course begged the obvious question of why: “It’s part of our licensing deal with Intel,” he explained: “To retain a competitive edge they sell the boards to Sony with a guarantee from us that we will disable the feature on all our computers. That way we get the boards at a discount and they (Intel) can sell them at full price to other computer manufacturers who want the feature enabled.” At this point I mentioned that I had just been in touch with Dell who confirmed that all their new XPS laptops have Hardware Virtualization enabled and that these computers on average retail for $400 less than the comparable Sony ones. “VT (Hardware Virtualization) is a fairly obscure function that not many people use. Corporate feels that it’s not worth it. That is in spite of us techs recommending they enable it” was his somewhat surprising response.

It’s not on the box, so you can’t return it
As I promised in my first post about this situation I am hell bent on returning my laptop for a full refund claiming either defect or that it does not perform to spec. I asked the tech about this and he at once told me they will not refund the computer under any circumstances: “It doesn’t say on the box that the computer supports Virtualization so they (corporate) feel that you have no case. If it’s not on the box you won’t get your money back is where they stand.” I pointed out that if you look up the specs of the processor on Intel’s website or go to a store and buy it on its own the spec sheet clearly states that it has Intel Virtualization Technology. To that he had no answer. I then pointed out that the box doesn’t say anything about stereo sound or colour screen either but that if they shipped computers that only had mono sound and black and white screens people would be furious. His response was the same as before: “Virtualization is something few people use and corporate doesn’t think this is a real issue. And they are willing to take the hit of bad publicity if people start to complain. They are willing to lose customers over this!” In other words they don’t think enough people will voice their frustration or make life difficult for them so they are willingly screwing their customers to turn a profit.


...

I was given a Sony Vaio Duo free, it was about 5 years old at the time, I think with a Duo core and dedicated ATI graphics card Duo at the time and that was when I was shocked to discover the Virtualization was present but no way of turning it and the bios hardly had anything in there, no power saving modes,  not even setting ACHI or IDE mode (which saw on many at the time they were being made) and it to boot from the cdrom (on a secondary hard drive adatpr frame) but there wasn't I couldn't anything for that. I found just Useless apart from some specifications and a clock.

it seemed they cared more about the decorating and painting pink and silver it (the paint was wearing off) than making it flexible.

What I was missing though was that I was lucky not to ever choose buying a Sony laptop or something like that one considering that that one I read had a retail value I think of £650 which I thought was a way overpriced decoration.

[SilverSolder]

Sony had a period where they were making some terrible decisions (rootkit CDs and all that) - this sounds like the kind of inept thing that a sub-par team like that could make...  Despite being a Sony fan in the past, I stopped using their products due to the root kit and I have never returned as a customer - one of the few companies that have ever made me angry enough to "ban" them from my life!  (pretty much the only one, I think)

[GlennSprigg]

(OP here).  I get what people are saying here, and I guess I'm a bit 'unedjermicated' regarding the differences between Software
and Hardware 'Virtualization'. I understand that using 'guests' within say VirtualBox, (yes, software virtualization!), is safe, because there
is no real(?) connection to the Host/OS etc. unless you include a special 'Shared' folder, or allow Copy/paste between Host & Guest... 

I'm 'assuming' though, that the likes of 'BlueStacks' on my PC is/can use Hardware Virtualization, as that's what it was complaining about.
However, I don't understand the technicalities of how that affects security?? (As in, how the hardware is 'shared')...
I mean, one of the reasons for setting this up for the 'Missus', is that she's a bit gullible with some of the 'PC' Games she downloads/Runs,
and often ends up with a lot of other crap software installed, including browser extensions etc... 

So I felt that just downloading Android Apps, within BlueStacks, then they are similarly 'Contained', and can't affect the rest of the PC !!
And I've set up special utilities within BlueStacks to quickly clean it up, if/when required!   

[SilverSolder]

You could let her download games inside a VirtualBox as well, many of them work well enough, depending!

[GlennSprigg]

You could let her download games inside a VirtualBox as well, many of them work well enough, depending!

Yea... I hear what you are saying, but without that 'Hardware' Virtualization, the performance is usually crappy/slow/jittery... 

[vidarr]

It has always been this way.  What would be nice is a setting for it that you can access in the OS and then reboot.  My ASUS boards have something like this, kind of.
Intel could easily add this to their driver installation media.
When most people see a BIOS screen, their brain automatically shuts down. 
The mouse isn't working what do I do................?

[ejeffrey]

(OP here).  I get what people are saying here, and I guess I'm a bit 'unedjermicated' regarding the differences between Software
and Hardware 'Virtualization'. I understand that using 'guests' within say VirtualBox, (yes, software virtualization!), is safe, because there
is no real(?) connection to the Host/OS etc. unless you include a special 'Shared' folder, or allow Copy/paste between Host & Guest... 

There is basically no difference between software virtualization and hardware virtualization other than performance.  They are both basically doing the same thing -- they execute the guest code natively until an instruction accesses protected state (such as the processor ring or page table pointers or performing IO), then the host steps in to emulate that behavior on the virtual machine state.  In hardware accelerated virtualization, the CPU provides support to make that more efficient.  In all cases the host has control over what the guest is and is not allowed to do.