Dasharo / dasharo-issues

The Dasharo issue tracker
https://dasharo.com/

Windows 11 VBS (Virtualization-based Security) appears Not enabled on System Information #539

Open zirblazer opened 1 year ago

zirblazer commented 1 year ago

Device

MSI PRO Z690-A WIFI DDR4

Dasharo version

1.1.1 / 1.1.2

Affected component(s) or functionality

VBS (Virtualization-based Security)

Brief summary

VBS is Not enabled and may actually not work

Additional context

Both miczyg and I have VBS (Virtualization-based Security) as Not enabled on Windows 11. This can be checked by opening System Information and looking for Virtualization-based Security on System Summary. One of the VBS prerequisites is to enable Memory integrity, which can be found at Windows Security / Device security / Core isolation menu. miczyg reported an INACCESSIBLE_BOOT_DEVICE BSOD after enabling it.

Note that I'm positively aware that it MAY have been at some point functional because I recall having disabled some Windows security features because Intel XTU (Extreme Tuning Utility) requires VBS to be disabled and both miczyg and I toyed with that. But I don't recall if this was with MSI Firmware or with Dasharo, so it means that it may have been broken all along but no one noticed it. Also note that this means that certain BSODs when migrating from MSI Firmware to Dasharo could actually be caused by Memory integrity being enabled in Windows but failing on Dasharo. I have no idea about Windows requirements to allow you to enable it if it isn't actually functional. I have seen some people suggesting to disable Intel VT-x on Firmware to solve the BSOD issues if you lock yourself out of Windows, but Dasharo doesn't expose VT-x control (it is always enabled) so you can't work around it this way.

Basically, more investigation needed. Basic VBS info: https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs

pietrushnic commented 1 year ago

@miczyg1 insights from Twitter

Ohh my! I have checked the requirements on MS Documentation and we may lack WSMT table and MOR v2. In the case of MAT I would have to check. But thanks for pointing it out. Will put it to the backlog.

And from Dwizzzle:

Yeah it won't automatically enable without the WSMT table (this is a controversial decision in my opinion :P) but users can still auto-enable. Feature request: Integrate FASR or PPAM to enable Windows Secure Launch and upcharge for it! The 14900k with a full open-source SCPC!
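To check the two things discussed in this thread from the Windows side without clicking through System Information, the script below (an added example, not part of the issue or of the Dasharo project) reads the Device Guard WMI class for the VBS/HVCI state and the required vs. available security properties, then enumerates the ACPI tables through the Win32 API to see whether the firmware exposes a WSMT table at all. The property-code mapping is taken from Microsoft's Device Guard documentation; run it in an elevated PowerShell on the machine under test.

```powershell
# Added example: report VBS state and check for the WSMT ACPI table on a Dasharo board.
# Not code from the Dasharo issue or project. Requires an elevated PowerShell on Windows 11.

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
$vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
"VBS status: $($vbsState[[int]$dg.VirtualizationBasedSecurityStatus])"

# SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (the 'Memory integrity' toggle)
"Memory integrity (HVCI) running: $([bool]($dg.SecurityServicesRunning -contains 2))"

# Platform security property codes (per Microsoft's Device Guard docs). Codes 4 and 6 are the
# MOR and WSMT/SMM-mitigation items the thread suspects are missing from the firmware.
$props = @{ 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection';
            4 = 'Secure memory overwrite (MOR)'; 5 = 'NX protection';
            6 = 'SMM mitigations (WSMT)'; 7 = 'Mode-based execution control (MBEC/GMET)' }
$required  = @($dg.RequiredSecurityProperties  | ForEach-Object { $props[[int]$_] })
$available = @($dg.AvailableSecurityProperties | ForEach-Object { $props[[int]$_] })
"Required : $($required  -join ', ')"
"Available: $($available -join ', ')"
"Missing  : $((Compare-Object $required $available | Where-Object SideIndicator -eq '<=').InputObject -join ', ')"

# Enumerate ACPI table signatures via kernel32!EnumSystemFirmwareTables.
Add-Type -Namespace Fw -Name Acpi -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint EnumSystemFirmwareTables(uint provider, byte[] buffer, uint size);
'@
$ACPI   = 0x41435049   # provider signature 'ACPI' as documented for the API
$needed = [Fw.Acpi]::EnumSystemFirmwareTables($ACPI, $null, 0)
$buf    = New-Object byte[] $needed
[void][Fw.Acpi]::EnumSystemFirmwareTables($ACPI, $buf, $needed)

# The buffer is a packed list of 4-byte table signatures.
$sigs = for ($i = 0; $i -lt $buf.Length; $i += 4) {
    [System.Text.Encoding]::ASCII.GetString($buf, $i, 4)
}
"ACPI tables   : $($sigs -join ' ')"
"WSMT present  : $($sigs -contains 'WSMT')"
```

If WSMT is absent while the required list contains 'SMM mitigations', that matches the behaviour described above: Windows will not auto-enable VBS, and enabling Memory integrity manually is what should be tested carefully before relying on it.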

pietrushnic commented 11 months ago

How it is validated may add some knowledge about implementation and compliance expectations: