Intel’s Trusted Execution Technology (TXT): enable in BIOS or not


I have a new Dell 7530 mobile workstation that I just started configuring.

This machine uses an Intel Xeon E-2186M and has 32 GB of ECC DRAM. This CPU fully supports the latest hardware virtualization technologies (VT-x, VT-d, EPT).

Initially this machine will be running Windows 10 due to lack of time to switch operating systems. I really hope to have time in about a year to invest in switching to Linux, as I hate the Bea$t's new spyware as a service business model. I certainly will be running Linux virtual machines on it in the interim.

One of my first steps was to go into its BIOS and pore through all the settings. I was pleased to see that Dell's defaults were mostly good; only a few changes were needed. For example, it was configured for Secure Boot by default.

In its Virtualization Support section, they enabled both "Intel Virtualization Technology" (VT-x) and "VT for Direct I/O" (VT-d) by default, which is also good.

However, there was a 3rd option for Intel's Trusted Execution Technology (TXT) that was disabled. I think that the BIOS description said this:

This option specifies whether a Measured Virtual Machine Monitor
(MVMM) can utilize the additional hardware capabilities provided by
Intel Trusted Execution Technology. The TPM Virtualization Technology,
and Virtualization technology for direct I/O must be enabled to use
this feature.

Trusted Execution – disabled by default.

I say "think" because the official Dell documentation for the 7530's BIOS, as of today, does not mention that option. The text above is for the Dell Latitude E7470, although it is what I recall my BIOS saying.

From that description, plus Intel's whitepaper, it sounds like something that I would want to enable, since I for sure will be using VirtualBox (and in the future, something more powerful like KVM or Xen). Unfortunately, a web search found no endorsements for that theory.

Instead, all I have found is several reports saying to turn it off, especially on Dell systems, for both VirtualBox and KVM: link 1, link 2. (My original question put more links in here, but when I tried to submit, this website claimed that my question was spam…)

Does anyone know the definitive answer?

I note that some of the links saying not to enable it go back several years, so perhaps it was once true advice that now is no longer valid?

Best Answer

I think this option should be enabled.

I had it disabled and I wanted to check whether the IOMMU was enabled.

Of course, beforehand I appended the intel_iommu=on parameter in /etc/default/grub, updated grub and rebooted the system.

When I issued the command

dmesg | grep -E "DMAR|IOMMU"

it gave me 2 lines, including an error from my graphics card:

DMAR: IOMMU enabled
DMAR: BIOS has allocated no shadow GTT; disabling IOMMU for graphics.

So the IOMMU for my graphics card was disabled. Then I set "Intel Trusted Execution Technology" in the BIOS to enabled, and now the command

dmesg | grep -E "DMAR|IOMMU"

produces the output:

[    0.057735] ACPI: DMAR 0x00000000CA9B0718 0000B8 (v01 INTEL  CP_DALE  00000001 INTL 00000001)
[    0.417895] DMAR: IOMMU enabled
[    0.504475] DMAR: Host address width 36
[    0.504476] DMAR: DRHD base: 0x000000fed90000 flags: 0x0
[    0.504483] DMAR: dmar0: reg_base_addr fed90000 ver 1:0 cap c9008020e30272 ecap 1000
[    0.504484] DMAR: DRHD base: 0x000000fed91000 flags: 0x0
[    0.504487] DMAR: dmar1: reg_base_addr fed91000 ver 1:0 cap c0000020230272 ecap 1000
[    0.504488] DMAR: DRHD base: 0x000000fed93000 flags: 0x1
[    0.504493] DMAR: dmar2: reg_base_addr fed93000 ver 1:0 cap c9008020630272 ecap 1000
[    0.504494] DMAR: RMRR base: 0x000000ca971000 end: 0x000000ca985fff
[    0.504496] DMAR: RMRR base: 0x000000cdc00000 end: 0x000000cfffffff
[    1.635058] DMAR: Disabling batched IOTLB flush on Ironlake
[    2.201405] DMAR: No ATSR found
[    2.201519] DMAR: dmar1: Using Register based invalidation
[    2.201541] DMAR: dmar0: Using Register based invalidation
[    2.201568] DMAR: dmar2: Using Register based invalidation
[    2.201599] DMAR: Setting RMRR:
[    2.201821] DMAR: Setting identity map for device 0000:00:02.0 [0xcdc00000 - 0xcfffffff]
[    2.202736] DMAR: Setting identity map for device 0000:00:1a.0 [0xca971000 - 0xca985fff]
[    2.202898] DMAR: Setting identity map for device 0000:00:1d.0 [0xca971000 - 0xca985fff]
[    2.202941] DMAR: Prepare 0-16MiB unity mapping for LPC
[    2.203069] DMAR: Setting identity map for device 0000:00:1f.0 [0x0 - 0xffffff]
[    2.233832] DMAR: Intel(R) Virtualization Technology for Directed I/O
[   14.362393] [drm] DMAR active, disabling use of stolen memory

I think now IOMMU is active. Hope this helps you to decide.
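The check the answer above performs by eye (grep dmesg for DMAR/IOMMU, then look for the "disabling IOMMU for graphics" line) can be made mechanical. The script below is an added example, not the answerer's code or anything from Dell or Intel. Its sample inputs are constructed from the two outputs quoted in the answer; the smx CPU flag in /proc/cpuinfo and the /sys/kernel/iommu_groups directory are real Linux interfaces, but the live check assumes a Linux host with permission to read the kernel log. Note that the smx flag only says the CPU implements the Safer Mode Extensions that TXT is built on; it does not tell you whether the BIOS option is turned on.

```shell
#!/bin/sh
# Added example (not from the original answer): classify the IOMMU state
# from "DMAR"/"IOMMU" kernel log lines, the check the answer does by hand,
# and optionally run the same classification on the live machine.

# iommu_state: read dmesg-style lines on stdin and print one word:
#   disabled      - no "DMAR: IOMMU enabled" line seen at all
#   enabled-nogfx - IOMMU enabled, but the BIOS left graphics outside it
#                   ("no shadow GTT; disabling IOMMU for graphics")
#   enabled       - IOMMU enabled and no graphics exclusion reported
iommu_state() {
    enabled=0
    nogfx=0
    while IFS= read -r line; do
        case "$line" in
            *"DMAR: IOMMU enabled"*)          enabled=1 ;;
            *"disabling IOMMU for graphics"*) nogfx=1 ;;
        esac
    done
    if [ "$enabled" -eq 0 ]; then
        echo disabled
    elif [ "$nogfx" -eq 1 ]; then
        echo enabled-nogfx
    else
        echo enabled
    fi
}

# txt_cpu_flag: "yes" if /proc/cpuinfo advertises smx (Safer Mode
# Extensions, the instructions TXT's measured launch relies on), "no" if
# the flag is absent, "unknown" when /proc/cpuinfo is unreadable (non-Linux).
# This reflects CPU support only, not the state of the BIOS option.
txt_cpu_flag() {
    if [ ! -r /proc/cpuinfo ]; then
        echo unknown
    elif grep -qw smx /proc/cpuinfo; then
        echo yes
    else
        echo no
    fi
}

# check_live: the same classification on the real kernel log. Reading the
# kernel ring buffer may require root depending on the distribution.
check_live() {
    printf 'IOMMU: %s\n' "$(dmesg | grep -E 'DMAR|IOMMU' | iommu_state)"
    printf 'CPU smx flag: %s\n' "$(txt_cpu_flag)"
    # When the kernel has the IOMMU active, devices are grouped here.
    if [ -d /sys/kernel/iommu_groups ]; then
        printf 'IOMMU groups: %s\n' "$(ls /sys/kernel/iommu_groups | wc -l)"
    fi
}

# Constructed samples modelled on the two outputs quoted in the answer.
SAMPLE_TXT_OFF='DMAR: IOMMU enabled
DMAR: BIOS has allocated no shadow GTT; disabling IOMMU for graphics.'

SAMPLE_TXT_ON='[    0.417895] DMAR: IOMMU enabled
[    2.233832] DMAR: Intel(R) Virtualization Technology for Directed I/O
[   14.362393] [drm] DMAR active, disabling use of stolen memory'

# Default run classifies the samples; pass --live to inspect this machine.
if [ "${1:-}" = "--live" ]; then
    check_live
else
    printf 'TXT off sample: %s\n' "$(printf '%s\n' "$SAMPLE_TXT_OFF" | iommu_state)"
    printf 'TXT on sample:  %s\n' "$(printf '%s\n' "$SAMPLE_TXT_ON" | iommu_state)"
fi
```

Run it with no arguments to see the two sample classifications, or with --live after adding intel_iommu=on and rebooting to see what your own kernel reports. An "enabled-nogfx" result on the live log is the state the answer describes before TXT was enabled.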
