December 16th, 2020

Why does PF_VIRT_FIRMWARE_ENABLED return false even when virtualization is enabled in the firmware?

Raymond Chen
Raymond Chen

The Is­Processor­Feature­Present function has a processor feature called PF_VIRT_FIRMWARE_ENABLED. A customer enabled virtualization in their firmware, but calling Is­Processor­Feature­Present with that feature still returned FALSE. Why is this function lying?

It’s not lying.

Even if you enable virtualization in firmware, it may not actually be available. If the operating system is running inside a virtual machine, then it cannot access the virtualization extensions because the virtualization host is using them. Checking for PF_VIRT_FIRMWARE_ENABLED will say “No virtual extensions for you.”

Even if you think that you’re not running inside a virtual machine, you could be. If Hyper-V is enabled, then the root operating system is not actually in charge. The root operating system is running inside its own virtual machine, under the control of the hypervisor.

And remember that features like Virtualization Based Security and and Windows Defender Application Guard are security features which secretly use Hyper-V to create virtual machines to isolate untrusted code into their own containers.

Bonus chatter: I dimly recall that the IBM 360 supported self-virtualization, so you could have the host hypervisor create a virtual machine, and in the virtual machine, the operating system could itself act as a hypervisor for its own little universe of virtual machines. It’s virtual machine turtles all the way down!

Category
Old New Thing
Topics
Code

Author

Raymond Chen

Raymond has been involved in the evolution of Windows for more than 30 years. In 2003, he began a Web site known as The Old New Thing which has grown in popularity far beyond his wildest imagination, a development which still gives him the heebie-jeebies. The Web site spawned a book, coincidentally also titled The Old New Thing (Addison Wesley 2007). He occasionally appears on the Windows Dev Docs Twitter account to tell stories which convey no useful information.

3 comments

Discussion is closed. Login to edit/delete existing comments.

Newest
Newest Popular Oldest
    • Jonathan BarnerMicrosoft employee

      Yes, Since Windows 10 1607 / Server2016. However, it’s only one nesting level, unlike System/360.

  • Dehn LODER

    360 virtualization: Melinda Varian documented some of this history. The following happened circa 1970:

    When [Alain] Auroux started, Cambridge was running a 360/67, not a S/370, and that 67 was a production system, so he had to avoid destabilizing it. “Vanilla” CP-67 systems created System/360 virtual machines, but they did not virtualize the 360/67; that is, they did not allow a guest to create its own virtual storage. Auroux’s first step was to modify CP-67 to...

    Read more

Read next