The short answer first: a long time ago (2006), virtualization was enabled by default on all Intel and AMD computers. But once the Blue Pill VM-based attack model surfaced, AMD, Intel and Microsoft all published guidance directing OEMs/ODMs to disable CPU virtualization by default on personal computers, to avoid the associated security risk. That influence persists to this day; only recently has it eased, with some vendors relaxing the rule and enabling CPU virtualization by default.
In 2006, Joanna Rutkowska presented a VM-based rootkit prototype at the Black Hat conference. The name Blue Pill is taken from the film The Matrix and signifies a simulated reality.
After the BIOS finishes booting, this rootkit drops straight into a thin VMM, and that VMM then boots the operating system. The OS that boots afterward has no idea what has happened; like the humans in The Matrix, it goes about its normal business in a daze. Meanwhile the VMM collects information behind the scenes, or even forges it. In theory the VMM can do anything: it holds higher privilege than a traditional rootkit and is therefore more dangerous.
Shortly after the model was published, AMD and Intel each released guidance steering OEMs and ODMs to disable virtualization by default, to avoid the associated security risk. Microsoft soon published related material as well, and its section on default settings deserves attention:
Recommended Defaults for Enabling/Disabling Virtualization Extensions.
The default setting of this switch requires some thought. Consider the costs of disabling Intel Virtualization Technology/AMD Virtualization through a system firmware setting: If these facilities are disabled by default in system firmware, users would have to explicitly enable that support on each platform instance for legitimate uses, which would represent a significant challenge for enterprises that have thousands of machines and plan on using the hardware extensions. The cost of enabling virtualization hardware support through a manual system firmware setting would result in an increase in deployment time and cost. This cost can be mitigated through the use of various in-band and out-of-band mechanisms for remote management. (More on this in a moment.)
Given the current usage model for the virtualization extensions, we believe that the following default settings are the right ones for system firmware: For systems that are destined for a server role (and for only these systems), enable the virtualization extensions. The threat of running malicious code as an administrator on servers is reduced through Windows Server policies and organizational best practices. For systems that are destined for a client role, disable (and lock off) the virtualization extensions. For systems that might be deployed in either a server or client role (such as high-end workstations), it would be prudent to disable the extensions by default. As always, the exception to any guideline is when a customer specifically indicates to a manufacturer that they do not want to follow that guideline.
Note this part in particular: For systems that are destined for a client role, disable (and lock off) the virtualization extensions.
Since then, on Intel and AMD alike, CPU virtualization has been disabled on the vast majority of personal computers. Some OEMs even annotate the BIOS option with text such as "HP recommends keeping this setting off unless you need it". Statistics at the time also showed that fewer than 10% of users had any interest in CPU virtualization, so the policy caused little trouble. Only recently, as demand for virtualization of all kinds has grown, has virtualization on personal computers gradually come to be enabled by default. The current recommendation is that it should stay disabled by default unless one of the following applies:
- The product ships with a VMM
- The product ships with security software that requires VT (such as McAfee Deep Defender)
- Intel TXT needs to be enabled (almost nobody uses it).
One last remark: in practice, virtualization is enabled by default on almost all modern servers. After all, a server that does not support virtualization does not deserve to be called a good server.
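Added example, not from the original post or from any of the vendors' guidance: a small Python decoder that classifies the firmware's virtualization switch the way the guidance above distinguishes it (enabled or disabled, and whether it is locked), using the Intel IA32_FEATURE_CONTROL and AMD VM_CR MSR bit layouts. The /proc/cpuinfo text and MSR values below are constructed samples; reading the real MSR (for example through the Linux msr module) is left to the caller.

```python
import re

# Intel: IA32_FEATURE_CONTROL (MSR 0x3A). Firmware sets the lock bit; once
# locked, bit 2 decides whether VMXON works outside SMX until the next reset.
FC_LOCK = 1 << 0
FC_VMX_OUTSIDE_SMX = 1 << 2

# AMD: VM_CR (MSR 0xC0010114). SVMDIS disables SVM; LOCK freezes SVMDIS.
VMCR_LOCK = 1 << 3
VMCR_SVMDIS = 1 << 4

# Constructed sample /proc/cpuinfo fragments (not captured from real hosts).
CPUINFO_INTEL = "processor\t: 0\nvendor_id\t: GenuineIntel\nflags\t\t: fpu sse2 vmx smx\n"
CPUINFO_AMD = "processor\t: 0\nvendor_id\t: AuthenticAMD\nflags\t\t: fpu sse2 svm\n"


def cpu_flags(cpuinfo_text):
    """Return the flag set from the first 'flags' line of /proc/cpuinfo text."""
    m = re.search(r"^flags\s*:\s*(.*)$", cpuinfo_text, re.MULTILINE)
    return set(m.group(1).split()) if m else set()


def firmware_state(cpuinfo_text, msr_value):
    """Classify the firmware's virtualization switch from the relevant MSR."""
    flags = cpu_flags(cpuinfo_text)
    if "vmx" in flags:  # Intel VT-x silicon
        locked = bool(msr_value & FC_LOCK)
        enabled = bool(msr_value & FC_VMX_OUTSIDE_SMX)
    elif "svm" in flags:  # AMD-V silicon
        locked = bool(msr_value & VMCR_LOCK)
        enabled = not (msr_value & VMCR_SVMDIS)
    else:
        return "unsupported"
    if locked:
        return "enabled-locked" if enabled else "disabled-locked"
    # Not locked: firmware left the switch open, so kernel-mode code can
    # enable the extensions itself. This is the case "lock off" is meant to close.
    return "unlocked"


# Expected state per role, following the Microsoft text quoted in the post.
RECOMMENDED = {"server": "enabled-locked", "client": "disabled-locked"}


def meets_recommendation(role, state):
    """True if the observed state matches the recommended default for the role."""
    return RECOMMENDED.get(role) == state
```

On a live Linux host the MSR can be read per core from /dev/cpu/N/msr with root privileges; the `hypervisor` flag in /proc/cpuinfo is a separate, OS-visible hint that a VMM is already present.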
Source: https://itzsg.com/129402.html