Kernel driver for virtualization?

Hello,

I've been reading up on the Intel-VT and the VMX instructions, but it seems that in order to get the CPU into a VMX-ready state I need to modify the CR4 register, which can only be done from within the kernel (at least under Windows). My problem is that I would like to write a dead-simple driver that only turned on the VMX operations and maybe did some minor housekeeping, yet to install this driver under 64-bit Windows I need to digitally sign the driver... which would cost hundreds of dollars. Why do I need kernel access in order to be able to write a small hypervisor for my project? As a university student I have absolutely no means of paying for the required certificates from VeriSign or whatever.

How is this issue solved with other projects? Does every single project that uses Intel-VT pay for special certificates and such, or am I missing something? Is a pricey certificate needed for every single open source project that would like to use virtualization one way or the other?

Have a nice day,
Peter


Ring0 privilege level is required to turn on VMX. The problem with driver signing is related to Microsoft. It is not a problem to obtain a certificate from one of the providers (verisign.com, globalsign.com) for a commercial project.
For educational purposes one of the following can be done:
1) Use the test certificate
2) Boot Windows with disabled driver signature enforcement

Actually I was thinking about more than educational purpose and less than commercial (i.e. an open source project).

My question though is why do I need Ring0 privilege level?

My question though is why do I need Ring0 privilege level?

This is a requirement of the IA-32 architecture. To enter VMX operation, the CR4.VMXE bit must be set. Writing to CR4 can be done with Ring0 privilege (CPL=0) only. Otherwise a #GP(0) exception will be raised by the processor.
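
The conditions in the answer above, modelled as an added example that is not part of the original thread. The function and enum names are hypothetical; the CPUID.1:ECX[5] and IA32_FEATURE_CONTROL (MSR 0x3A) checks come from the Intel SDM rather than from the posts, and the code only evaluates values passed to it, it does not touch hardware.

```c
#include <stdint.h>
#include <stdio.h>

/* Architectural bit positions (Intel SDM); not taken from the thread. */
#define CPUID_1_ECX_VMX        (1u << 5)    /* CPUID.1:ECX[5]: VMX supported   */
#define CR4_VMXE               (1ull << 13) /* CR4[13]: enable VMX operation   */
#define FC_LOCK                (1ull << 0)  /* IA32_FEATURE_CONTROL lock bit   */
#define FC_VMXON_OUTSIDE_SMX   (1ull << 2)  /* VMXON allowed outside SMX       */

typedef enum {
    VMX_READY,                /* CR4.VMXE may be set and VMXON attempted      */
    VMX_NOT_SUPPORTED,        /* CPU does not report VMX in CPUID             */
    VMX_FAULT_GP,             /* MOV to CR4 at CPL > 0 raises #GP(0)          */
    VMX_DISABLED_BY_FIRMWARE, /* MSR locked with VMXON-outside-SMX clear      */
    VMX_NEEDS_MSR_SETUP       /* MSR unlocked: ring 0 must set bit 2 and lock */
} vmx_status;

/* Hypothetical helper: the order of checks a small driver would follow. */
vmx_status vmx_preflight(unsigned cpl, uint32_t cpuid1_ecx, uint64_t feature_control)
{
    if (!(cpuid1_ecx & CPUID_1_ECX_VMX))
        return VMX_NOT_SUPPORTED;       /* CPUID itself works from any ring  */
    if (cpl != 0)
        return VMX_FAULT_GP;            /* control registers are ring 0 only */
    if (!(feature_control & FC_LOCK))
        return VMX_NEEDS_MSR_SETUP;
    if (!(feature_control & FC_VMXON_OUTSIDE_SMX))
        return VMX_DISABLED_BY_FIRMWARE;
    return VMX_READY;
}

/* The value a ring 0 caller would write back to CR4: only bit 13 changes. */
uint64_t cr4_with_vmxe(uint64_t cr4)
{
    return cr4 | CR4_VMXE;
}

int main(void)
{
    /* Constructed sample values: VMX-capable CPU, MSR locked with bit 2 set. */
    uint32_t ecx = CPUID_1_ECX_VMX;
    uint64_t fc  = FC_LOCK | FC_VMXON_OUTSIDE_SMX;

    printf("user mode (CPL=3): status %d\n", vmx_preflight(3, ecx, fc));
    printf("kernel    (CPL=0): status %d\n", vmx_preflight(0, ecx, fc));
    printf("CR4 0x20 -> 0x%llx\n", (unsigned long long)cr4_with_vmxe(0x20));
    return 0;
}
```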

I know *why* practically (to edit the register), but *why* theoretically? Why couldn't virtualization always be enabled?

Quoting - Péter Szilágyi
I know *why* practically (to edit the register), but *why* theoretically? Why couldn't virtualization always be enabled?

Theoretically - due to security reasons. It is not acceptable to let any user mode software manipulate system registers and turn virtualization on.
