Mitigation of  CVE-2018-3639 within a VM or native OS is greatly assisted by a new speculative-execution control bit known as Speculative-Store-Bypass-Disable (SSBD).  In order to use this hardware feature within virtual machines, new Hypervisor-Assisted Guest Mitigations must be enabled to pass this control bit to the Guest OSes.

Because there will be multiple documents necessary to explain the mitigation process for CVE-2018-3639, KB54951 was created to provide an overview of VMware’s response - review it prior to continuing.

This document will focus on the technical implementation and requirements of the Hypervisor-Assisted Guest Mitigations for CVE-2018-3639

To enable hardware support for SSBD in vCenter Server and ESXi, the following steps should be followed:

Note: Ensure vCenter Server is updated first, for more information, see the vMotion and EVC Information section.

1. Upgrade to the versions of vCenter Server listed in VMSA-2018-0012:VMware vSphere, Workstation and Fusion updates enable Hypervisor-Assisted Guest Mitigations for Speculative Store Bypass issue..
2. Apply the ESXi patches listed in VMSA-2018-0012. Note that per ESXi version two patches are listed and that both of them are required. These patches can both be applied at once so that only one reboot of the host is required.

To enable hardware support for SSBD in Workstation/Fusion, the following steps should be followed: 

1. Deploy and/or update Workstation/Fusion to the versions listed in VMSA-2018-0012.
2. Apply the Microcode/BIOS updates for CVE-2018-3639 from your platform vendor.

After enabling hardware support for SSBD, for each virtual machine enable SSBD mitigation via the following steps: 

3. Apply the applicable SSBD security patches for your Guest OS which have been made available from the OS vendor.

4. Ensure that your VMs are using Virtual Hardware Version 9 or higher. See Upgrading a virtual machine to the latest hardware version for details on Virtual Hardware versions and requirements. For best performance, Virtual Hardware Version 11 or higher is recommended. Virtual Hardware Version 11 enables PCID/INVPCID.
5. Power Off and then Power On the virtual machine (Restart is insufficient).

vMotion and EVC Information

An ESXi host that is running a patched vSphere hypervisor with updated microcode will see new CPU features that were not previously available.

These new features will be exposed to all Virtual Hardware Version 9+ VMs that are powered-on by that host. Because these virtual machines now see additional CPU features, vMotion to an ESXi host lacking the microcode or hypervisor patches applied will be prevented.

The vCenter patches enable vMotion compatibility to be retained within an EVC cluster.

In order to maintain this compatibility the new features are hidden from guests within the cluster until all hosts in the cluster are properly updated.  At that time, the cluster will automatically upgrade its capabilities to expose the new features. Unpatched ESXi hosts will no longer be admitted into the EVC cluster.

After vSphere has been patched for CVE-2018-3639, customers utilizing the Configure the EVC Mode of a Virtual Machine, introduced in Hardware Version 14 and newer, will also need to refresh the EVC mode of the VM. This refresh will allow the per-VM EVC mode of the VM to recognize the new CPU features introduced from the patches. Not performing this step may result in the VM running less securely than desired.

Note: for additional advice on managing the per-VM EVC feature, see the vCenter Server 6.7.0b Release Notes.

From the UI: to refresh the per-VM EVC feature of the VM, navigate to the virtual machine. Under the Configure tab, select VMware EVC. Click Edit to bring up the current EVC selection, then click OK.

From the API: Call applyEvcModeVMTask with the list of masks that would be updated post-Spectre patch. A sample code snippet can be found here.

Confirmation of Correct Operation

To confirm a host has both VMware hypervisor and updated microcode, use the following steps: 

1. Power on a Virtual Machine which is configured to use Virtual Hardware Version 9 or later.
2. Examine the vmware.log file for that VM and look for the following entry: 

3. Any of the above log entries indicate that both the CPU microcode and hypervisor are properly updated.

To confirm end to end operation including guest OS enablement of hardware support for SSBD mitigation, check with your OS vendor.