To enable hardware support for SSBD in
vCenter Server and ESXi, the following steps should be followed:
Note: Ensure vCenter Server is updated first, for more information, see the
vMotion and EVC Information section.
- Upgrade to the versions of vCenter Server listed in VMSA-2018-0012.1.
- Apply the ESXi patches listed in VMSA-2018-0012.1. Note that per ESXi version two patches are listed and that both of them are required. These patches can both be applied at once so that only one reboot of the host is required.
To enable hardware support for SSBD in
Workstation/Fusion, the following steps should be followed:
- Deploy and/or update Workstation/Fusion to the versions listed in VMSA-2018-0012.
- Apply the Microcode/BIOS updates for CVE-2018-3639 from your platform vendor.
After enabling hardware support for SSBD, for
each virtual machine enable SSBD mitigation via the following steps:
- Apply the applicable SSBD security patches for your Guest OS which have been made available from the OS vendor.
Note: Most OS vendors leave the SSBD mitigation off by default. Consult your OS vendor’s documentation on how to switch on the SSBD mitigation after applying the vendor’s security patches for your Guest OS.
- Ensure that your VMs are using Virtual Hardware Version 9 or higher. See KB1010675 for details on Virtual Hardware versions and requirements. For best performance, Virtual Hardware Version 11 or higher is recommended. Virtual Hardware Version 11 enables PCID/INVPCID.
- Power Off and then Power On the virtual machine (Restart is insufficient).
vMotion and EVC Information
An ESXi host that is running a patched vSphere hypervisor with updated microcode will see new CPU features that were not previously available.
These new features will be exposed to all Virtual Hardware Version 9+ VMs that are powered-on by that host. Because these virtual machines now see additional CPU features, vMotion to an ESXi host lacking the microcode or hypervisor patches applied will be prevented.
The vCenter patches enable vMotion compatibility to be retained within an EVC cluster.
In order to maintain this compatibility the new features are hidden from guests within the cluster until all hosts in the cluster are properly updated. At that time, the cluster will automatically upgrade its capabilities to expose the new features. Unpatched ESXi hosts will no longer be admitted into the EVC cluster.
After vSphere has been patched for CVE-2018-3639, customers utilizing the
per-VM EVC feature, introduced in Hardware Version 14 and newer, will also need to refresh the EVC mode of the VM. This refresh will allow the per-VM EVC mode of the VM to recognize the new CPU features introduced from the patches. Not performing this step may result in the VM running less securely than desired.
Note: for additional advice on managing the per-VM EVC feature, see the
vCenter Server 6.7.0b Release Notes.
From the UI: to refresh the per-VM EVC feature of the VM, navigate to the virtual machine. Under the Configure tab, select VMware EVC. Click Edit to bring up the current EVC selection, then click OK.
From the API: Call applyEvcModeVMTask with the list of masks that would be updated post-Spectre patch. A sample code snippet can be found
here.
Confirmation of Correct Operation
To confirm a host has both VMware hypervisor and updated microcode, use the following steps:
- Power on a Virtual Machine which is configured to use Virtual Hardware Version 9 or later.
- Examine the vmware.log file for that VM and look for the following entry:
“Capability Found: cpuid.SSBD”
- Any of the above log entries indicate that both the CPU microcode and hypervisor are properly updated.
To confirm end to end operation including guest OS enablement of hardware support for SSBD mitigation, check with your OS vendor.