07-12-2010 10:05 PM
I've just recently realized that the Insyde BIOS on my HP dv5t laptop is disabling the "Execute Disable" security features of the CPU for some reason, and it does not provide an option to enable them. I find this very strange and also worrysome.
These features are a very important protection mechanism against malware, viruses, and exploits. They are also required by some types of virtualization software, such as Microsoft's Hyper-V.
You can see this on Windows 7 by going through Control Panel -> System and Security -> System -> Advanced System Settings -> Advanced -> Performance -> Settings -> Data Execution Prevention.
Quite a journey I know, but once there you can see that WIndows will tell you that "Your Processor does not support hardware-based DEP" and that it is falling back to software protection only. You can also see it on Linux by looking at the cpu flags in /proc/cpuinfo, or from the output of the 'dmesg' command.
Since all modern processors since the Pentium 4 support NX, and since my previous HP laptops supported the feature just fine, it took me a while to get to the bottom of this.
It turns out that the new "Insyde" BIOS that HP has decided to use for newer laptops is silently disabling the feature!
Now what I have not yet discovered is a workaround to turn this important processor feature back on.
Does anyone have any ideas?
07-13-2010 10:02 PM - edited 07-13-2010 11:44 PM
This is a known issue with a certain generation of Intel based notebooks, not specific to a particular OEM or BIOS vendor.
The actual processor feature that Microsoft uses in the Software-enforced DEP is the newer "Execute Disable Bit (XD)" not the older NX bit feature. Microsoft KB 875352
During this generation of development, there was no good reason to enable the XD bit. Windows XP SP2 DEP had not arrived. The current hypervisors had not arrived. So the recommendation to the industry was to disable the bit. Because of the security issues with "Blue Pill Attacks", some OEMs decided to remove the enable feature from their setup programs in their BIOSs.
None of this history helps you.
There are some actions you can take to resolve the issue.
1) contact HP support and ask for a BIOS update. They MIGHT have one for your product that enables this bit.
2) There are some Acer and Sony notebook customers that have created simple tools to enable this and the VT bit in their BIOS. I haven't seen anyone report success with your HP notebook model, but also haven't seen any failure.
07-15-2010 04:46 AM
Yeah, the thing is this is a new laptop with what appears to be most recent version of the Insyde BIOS for this particular model.
Also, I understand why disabling VT is very often desireable (and there is an option to enable/disable VT in this Insyde BIOS version), but I dont get why DX would be both off by default and have no option to enable, on a laptop model that is meant to only ship with Windows 7... DX and VT are completely independent features. VT enables BluePill attacks. DX really only adds security (sure there are pre-BluePill cloaking attacks like ShadowWalker, but these do not require DX).
Also, XP SP2 came out in 2004.. It's been 6 years and 2 major Windows releases since we've had widespread software usage of the DX/NX features..
So, these excuses don't make any sense to me. This feels like someone's big screwup at Insyde...
I've been looking hard for ways to enable the option. The problem is that the Insyde BIOS is not as well-known and documented as the more popular BIOSes. Modding information on it is very scarce, and as far as I can tell, the tools for general mods/patches don't really exist.
The best I could find is a suggestion to flip a bit in the MSRs. However, the MSR bit can only be flipped while the OS is *NOT* trying to use the feature (otherwise it hardlocks).. *AND*, upon reboot, the Insyde BIOS simply flips the MSR itself back to the "disabled" state before calling the boot loader! Very evil.
08-16-2010 08:34 PM
I have the same problem on my Packard Bell MV46-008 after a bios update to the latest version of it's Insyde BIOS.
I not completely sure if the older version of the BIOS had NX enabled.
'# dmidecode' revealed my BIOS to be very old though the date given on the Packard Bell website was last modified 05/05/10.
Perhaps Helpless42's explanation applies in my case.
Release Date: 11/14/2006
I intend to write to Packard Bell/Acer and Insyde about this. I'm sorry I'm not knowledgeable enough to offer you any technical suggestions. Please let me know if you discover a solution.