Important: Performance impact data found in KB76050 should be reviewed prior to enabling this mitigation.
Mitigations can be applied at either the host or guest level.
To enable Hypervisor-Specific Mitigations for CVE-2018-12207 at the host level, perform the following steps:
- Update the ESXi host with the patches detailed in section 3a of VMSA-2019-0020.
- Connect to the host with an SSH session.
- Edit the /etc/vmware/config file.
- Add this line:
  monitor.if_pschange_mc_workaround = "TRUE"
- Perform one of these options to apply the changes:
  - Power Off and then Power On the virtual machines (Restart is insufficient)
  - Suspend and resume the virtual machines
  - vMotion the VM to a different patched host
  - vMotion the VM to a different unpatched host and then back to a patched host
- Verify that the vmware.log file shows that disable_mmu_largepages has been applied. You will see an entry similar to:
  YYYY-MM-DDTHH:MM:SS.349Z| vmx| I125: DICT monitor.if_pschange_mc_workaround = "TRUE"
Note: The change to /etc/vmware/config should normally persist across reboot. However, if you are using host profiles, you should recapture the host profile after editing /etc/vmware/config to ensure that the host profile does not remove it.
To enable Hypervisor-Specific Mitigations for CVE-2018-12207 at the guest level, perform the following steps:
- Update ESXi with the appropriate patches detailed in section 3a of VMSA-2019-0020.
- Navigate to where the VM is stored and edit the VM_name.vmx.
- Add this line:
  monitor.if_pschange_mc_workaround = "TRUE"
- Perform one of these options to apply the changes:
  - Power Off and then Power On the virtual machine (Restart is insufficient)
  - Suspend and resume the virtual machine
  - vMotion the VM to a different patched host
  - vMotion the VM to a different unpatched host and then back to a patched host
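
The configuration edit and the vmware.log verification step can be checked together with a script. The following is an added example, not VMware tooling and not part of the original article: it reports whether the setting is present in a config file (/etc/vmware/config or a .vmx) and whether the VM's vmware.log shows the DICT entry, which separates a VM that has the line but has not yet had the change applied. The function names, status strings and sample files are constructed for illustration; the caller supplies the real file paths.

```shell
#!/bin/sh
# Added example (not VMware tooling): confirm the CVE-2018-12207 workaround
# is configured AND was picked up by the running VM.
KEY_RE='monitor\.if_pschange_mc_workaround'

# Succeeds if FILE (/etc/vmware/config or a .vmx) sets the key to TRUE
# on a line that is not commented out.
config_has_workaround() {
    grep -Eq "^[[:space:]]*${KEY_RE}[[:space:]]*=[[:space:]]*\"[Tt][Rr][Uu][Ee]\"" "$1"
}

# Prints the value from the last DICT entry for the key in a vmware.log,
# or "absent" when the VM never logged it.
log_workaround_value() {
    v=$(sed -n "s/.*DICT[[:space:]]*${KEY_RE}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1)
    echo "${v:-absent}"
}

# Prints one of: applied | configured-not-applied | not-configured
check_vm() {
    if ! config_has_workaround "$1"; then
        echo not-configured
        return 0
    fi
    case $(log_workaround_value "$2") in
        [Tt][Rr][Uu][Ee]) echo applied ;;
        *) echo configured-not-applied ;;
    esac
}

# Constructed sample files (not taken from a real host) for a stand-alone run.
make_samples() {
    printf '%s\n' 'monitor.if_pschange_mc_workaround = "TRUE"' > "$1/config"
    printf '%s\n' '2019-11-12T09:00:00.100Z| vmx| I125: DICT displayName = "sample-vm"' > "$1/before.log"
    printf '%s\n' '2019-11-12T10:00:00.349Z| vmx| I125: DICT monitor.if_pschange_mc_workaround = "TRUE"' > "$1/after.log"
}

d=$(mktemp -d)
make_samples "$d"
echo "config edited, change not yet applied: $(check_vm "$d/config" "$d/before.log")"
echo "after power off / power on:            $(check_vm "$d/config" "$d/after.log")"
rm -rf "$d"
```

A result of configured-not-applied means the line is in the file but the VM still needs one of the apply options listed above.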