How can the BIOS block virtualization?
Solution 1
It's not that the CPU is blocking a program; it doesn't have a concept of apps at that low of a level. The problem is that Docker on non-Linux operating systems can require hardware virtualization. You haven't specified your OS, but I did a tiny bit of snooping and discovered that you probably use Windows.
Hardware virtualization is a CPU feature that, as you might guess from the name, lets the CPU help with virtualization. On many machines, you have to enable it in the BIOS. This is, in part, to prevent security issues. Basically, you couldn't start a program because it attempted to use a feature that was effectively absent as opposed to actively blocked.
Solution 2
Ben N answer is clearly the most useful and clear one.
For those who still wonder, however here is the full story.
Virtualization is achieved with hardware assist from the CPU. Since a virtualized OS would interfere with the host one, as they compete for the same resources, a mechanism is needed to stop the guest from having uncontrolled access to the hardware. This can be down with software, slow, techniques or with assist from the CPU.
Hardware assisted virtualization is implemented with specific, optional instructions, you can read about it in Chapters 23, 24, 25, 26, 27 and 28 of Intel Manual 3B Part 3. Software must first check for this instructions to be supported, before attempting using them.
For security reason, the CPU has a special register, it is an MSR, called IA32_FEATURE_CONTROL that holds bits telling with feature to enable or disable.
Quoting
Bit 0 is the lock bit. If this bit is clear, VMXON causes a general-protection exception. If the lock bit is set, WRMSR to this MSR causes a general-protection exception; the MSR cannot be modified until a power-up reset condition. System BIOS can use this bit to provide a setup option for BIOS to disable support for VMX. To enable VMX support in a platform, BIOS must set bit 1, bit 2, or both (see below), as well as the lock bit.
The fundamental point is that once the register is locked, it cannot be unlocked until a power-up.
Since BIOS/UEFI comes first, it has the power to disable virtualization by clearing the appropriate bits and locking the register before any OS can prevent that. When the virtualization feature is disabled this way, the CPU reports that it the optional instruction extension is missing (and actually faults if they are used) and so the software cannot use the hardware virtualization.
Related videos on Youtube
Alvaro Joao
I'm a fullstack developer, passionate about my profession and wishing to contribute to a better world through technology. Undergraduate in CS by Federal University of Pernambuco and Memorial University of Newfoundland. Degree in deep learnig from Coursera. Currently working for Booking.com, as Software Engineer and aspiring to Machine Learning Data Scientist. contact: [email protected]
Updated on September 18, 2022Comments
-
Alvaro Joao over 1 year
I'm starting to work with Docker and after a few hours of trying to make it work, I found out that my BIOS was blocking it and that I needed to adjust the BIOS settings. I was told that the BIOS is somehow related to the motherboard.
How can the BIOS block this kind of process, overruling the operating system?
-
Frank Thomas about 8 yearsYou have it backward. The BIOS settings for virtualization tell the CPU to allow a specific kind of processing. if the virtualization extensions are not enabled in bios, the CPU will not be able to execute the program. The situation is a lot like like trying to run a program compiled for a DEC Alpha processor architecture on an x64 system. without the extensions, the program will attempt to run instructions that the CPU doesn't understand. Your Docker is blocking itself from executing because it has detected that your CPU as it is currently configured cannot run it.
-
-
ss4566654768 about 8 years
a tiny bit of snooping
Ha..ha -
Alvaro Joao about 8 yearsyes I'm using a windows 7! thanks for the explanation!!! I get it now!
-
Celeritas about 8 yearsI am familiar with this setting but still unclear, what exactly is hardware virtualization (in the context of the BIOS setting)?
-
nanofarad about 8 years@Celeritas Hardware virtualization is a set of features provided by the CPU and BIOS that make running virtual machines more efficient, such as by transparently managing memory accesses made by the VM in a more efficient way than can be done at a pure software level, and handling/trapping "privileged" instructions such as I/O operations for the virtualization software to more efficiently handle.
-
Ben N about 8 years@RACING121 The N stands for NSA :)
-
Tonny about 8 yearsThat is a very good add-on to the question. Most people have no idea the setting requires a reset to change, so it can not be enabled "on the fly" while the OS is running.
-
Lie Ryan about 8 years@Celeritas: primarily it's to enable Intel VT-x and AMD-V and other related technologies. There are instruction sets that are not very useful for regular applications, but is used by hypervisors to run virtualized systems more efficiently.
-
Paul Stelian over 7 yearsOHH so that's how it works! I googled it and found your answer (which is what interests me, for my personal concepts)