[CentOS] Virtual Machine Manager Doesn't see vmx flag

Thu Mar 17 11:27:47 UTC 2011
David McGuffey <davidmcguffey at verizon.net>

On Wed, 2011-03-16 at 03:36 -0500, Johnny Hughes wrote:
> On 03/15/2011 08:17 PM, David McGuffey wrote:
> > 
...
> 
> Did you verify that this was working before applying those settings in
> the NSA guide?
> 
No...the prototype worked A-OK on another machine with the same CentOS
5.5 DVD, so I focused on the security hardening process...my bad...won't
do that again.

> What does/is VMM "claiming" ... are you seeing only fully virtualized
> and not paravirtualized as a selection or what is the problem that you
> are encountering?  I am not an expert on KVM, but when I install a KVM
> VM in Virtual Machine Manager, I have to select "Fully Virtualized"
> initially, then if I want to install the virtio (paravirtualized)
> drivers, I need to do it like this:
> 

The selection for full/para virtualization is locked in para and all
grayed out.

> I am fairly sure that only if you are running Xen will you actually see
> a "Paravirtualized" selection in Virtual Machine Manager ... however I
> would suggest that you use KVM and not Xen as KVM is where RHEL
> Virtualization is moving towards and Xen is being moved away from.
> 

Not running the xen kernel.

> The BIOS of many machines can "disable" virtual machine extensions (also
> called other things ... usually with Virtual, Virtual Technologies, or
> VT in the name).  According to KVM (link below), sometimes certain
> settings do need to be turned off while others need to be on, so there
> may be a specific set of on and off that make it work on this type of
> machine.
> 

That must be the problem.  Searching dmesg shows the following two lines
next to each other:
   kvm: disabled by bios
   ksm: loaded

modprobe kvm-intel also reports:
.../weak-updates/kmod-kvm...

A search of that gives some guidance, but I'm sure the first challenge I
have is to find the right bios settings, possibly updating the bios
along the way.

> So, it is possible for vmx to show up in the cpu flags but for it to be
> disabled.  Specifically, some Dell machines need "Trusted Computer" or
> "Trusted Execution" enabled as well.
> 
> http://www.linux-kvm.org/page/FAQ#.22KVM:_disabled_by_BIOS.22_error
> 
> Verifying the latest version of the BIOS is installed can be very
> important for memory sizes greater than 4 GB of RAM and proper APIC
> operation on Linux as well.  If you need to flash the BIOS on a Dell
> machine that has Linux installed, I use a "Free DOS" iso to boot from
> and put the Dell BIOS on my USB key, which is normally detected as C: or
> D: on my machines when booting the "Free Dos" ISO.  I use fdfullcd.iso
> from here (use the LiveCD and do NOT install Free DOS on your main drive
> :D):

Thanks...that is probably what I'm going to have to do.

Dave M
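
Added example, not part of the original message: the case discussed in this thread, where `vmx` appears in the CPU flags but dmesg says "kvm: disabled by bios", comes down to the Intel IA32_FEATURE_CONTROL register (MSR 0x3a), which the firmware sets and locks. The function names below are hypothetical, the sample inputs in the comments are constructed, and reading the MSR on a live host assumes msr-tools and the msr kernel module are available.

```shell
#!/bin/sh
# Added example: classify why KVM can or cannot use VT-x on an Intel host.
# Inputs on a live host (assumption: msr-tools installed, run as root):
#   modprobe msr
#   flags=$(grep -m1 '^flags' /proc/cpuinfo)
#   msr=0x$(rdmsr -p 0 0x3a)        # rdmsr prints hex without the 0x prefix
#
# IA32_FEATURE_CONTROL bits used here:
#   bit 0 = lock (register is read-only until reset)
#   bit 1 = VMX allowed inside SMX (measured launch / "Trusted Execution")
#   bit 2 = VMX allowed outside SMX (the normal KVM case)

# vmx_state FLAGS MSR_VALUE -> prints one state word
vmx_state() {
    # The CPU must advertise vmx at all; pad with spaces to match whole words.
    case " $1 " in
        *" vmx "*) ;;
        *) echo "no-vmx-flag"; return 0 ;;
    esac
    val=$(( $2 ))
    lock=$(( val & 1 ))
    in_smx=$(( (val >> 1) & 1 ))
    out_smx=$(( (val >> 2) & 1 ))
    if [ "$lock" -eq 0 ]; then
        echo "unlocked"            # firmware left it open; the kernel can set it
    elif [ "$out_smx" -eq 1 ]; then
        echo "enabled"
    elif [ "$in_smx" -eq 1 ]; then
        echo "smx-only"            # usable only after a measured launch
    else
        echo "disabled-by-bios"    # flag present in cpuinfo, VMX locked off
    fi
}

# explain STATE -> prints a one-line next step for the operator
explain() {
    case "$1" in
        no-vmx-flag)      echo "CPU does not advertise vmx; KVM on Intel cannot load" ;;
        unlocked)         echo "MSR not locked; kvm-intel can enable VMX itself" ;;
        enabled)          echo "VMX enabled and locked on; look elsewhere for the fault" ;;
        smx-only)         echo "VMX limited to SMX; check the Trusted Execution setting" ;;
        disabled-by-bios) echo "Enable the virtualization (VT) option in BIOS setup" ;;
        *)                echo "unknown state: $1"; return 1 ;;
    esac
}

# Constructed sample: vmx_state "flags : fpu vme vmx est" 0x1
```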