This article covers the mitigation options outlined for various security vulnerabilities described in the following Knowledge Base articles:
The following kernel boot options are available and can be changed from the vSphere Client or the ESXi Host Client, through esxcli on the command line, through PowerCLI, or through the API. They apply only when the host's CPUs support hyperthreading and it is enabled in the BIOS; like other VMkernel boot options, a change takes effect after the host is rebooted. Follow the individual KB articles for the attack vectors being mitigated on the host and for the steps to configure the mitigation options below.
| Option | Description |
| --- | --- |
| hyperthreadingMitigation | Turns on the Side-Channel Aware Scheduler (SCA) mitigation policy on the ESXi host. Together with hyperthreadingMitigationIntraVM it controls which SCA policy is used. Only applicable on hosts whose CPUs are affected by the L1TF vulnerability. |
| hyperthreadingMitigationIntraVM | Selects the SCA policy that disables hyperthreading at the software level. If set to TRUE while hyperthreadingMitigation is on, hyperthreading is turned off (SCAv1). If set to FALSE while hyperthreadingMitigation is on, hyperthreading stays on but sibling threads are shared only by vCPUs of the same VM, never across VMs (SCAv2). Only applicable on hosts whose CPUs are affected by the L1TF vulnerability. |
| forceHyperthreadingMitigation | Turns on the SCAv2 mitigation, which disables hyperthread sharing between VMs. Can be used to mitigate the vulnerability in KB 88632 on any applicable processor. Note: on the L1TF-vulnerable processors listed in KB 55806, this option does not override the currently active policy if that policy is SCAv1. |
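The following shell script is an added example, not part of the KB article or of VMware's own tooling. It encodes the decision table above as a function (`sca_policy`) that derives the effective SCA policy from the three option values, and audits a host by comparing the configured and runtime values so that a pending reboot is visible. It assumes, since this page does not show it, that `esxcli system settings kernel list` prints the columns Name, Type, Configured, Runtime, Default and Description, and that `esxcli hardware cpu global get` prints a `Hyperthreading Enabled:` line; the esxcli outputs embedded below are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the KB): derive the effective Side-Channel Aware
# Scheduler policy from the three VMkernel boot options and audit a host.
# Assumed (not stated on this page): esxcli kernel list column layout
# Name/Type/Configured/Runtime/Default/Description, and a
# "Hyperthreading Enabled:" line in `esxcli hardware cpu global get`.

# Effective policy for one combination of TRUE/FALSE option values.
# $4 says whether the CPU is L1TF-affected (the two hyperthreadingMitigation*
# options are only applicable on such CPUs); defaults to TRUE.
sca_policy() {
    mit=$1 intra=$2 force=$3 l1tf=${4:-TRUE}
    if [ "$l1tf" = TRUE ] && [ "$mit" = TRUE ] && [ "$intra" = TRUE ]; then
        # SCAv1: hyperthreading disabled at the scheduler level.
        # forceHyperthreadingMitigation does not override an active SCAv1.
        echo SCAv1
    elif { [ "$l1tf" = TRUE ] && [ "$mit" = TRUE ]; } || [ "$force" = TRUE ]; then
        # SCAv2: sibling hyperthreads shared only by vCPUs of the same VM.
        echo SCAv2
    else
        echo none
    fi
}

# Print "<Configured> <Runtime>" for one option from esxcli kernel list
# output on stdin; falls back to "FALSE FALSE" if the row is absent.
kernel_option_values() {
    vals=$(awk -v n="$1" '$1 == n { print $3, $4; exit }')
    echo "${vals:-FALSE FALSE}"
}

# Audit: stdin is esxcli kernel list output covering the three options.
# Prints "configured=<policy> runtime=<policy> reboot_required=<yes|no>".
# Boot options take effect only after a reboot, so a mismatch means the
# host is still running the old policy.
audit_sca() {
    out=$(cat)
    set -- $(printf '%s\n' "$out" | kernel_option_values hyperthreadingMitigation)
    mit_c=$1 mit_r=$2
    set -- $(printf '%s\n' "$out" | kernel_option_values hyperthreadingMitigationIntraVM)
    intra_c=$1 intra_r=$2
    set -- $(printf '%s\n' "$out" | kernel_option_values forceHyperthreadingMitigation)
    force_c=$1 force_r=$2
    cfg=$(sca_policy "$mit_c" "$intra_c" "$force_c")
    run=$(sca_policy "$mit_r" "$intra_r" "$force_r")
    if [ "$cfg" = "$run" ]; then reboot=no; else reboot=yes; fi
    echo "configured=$cfg runtime=$run reboot_required=$reboot"
}

# The SCA options only matter if hyperthreading is supported and enabled
# in the BIOS; print "true"/"false" from esxcli hardware cpu global get.
ht_enabled() {
    grep -i 'Hyperthreading Enabled:' | awk '{ print tolower($NF) }'
}

# Constructed sample: SCAv2 configured but not yet active (reboot pending).
SAMPLE_KERNEL_LIST='Name                             Type  Configured  Runtime  Default  Description
-------------------------------  ----  ----------  -------  -------  -----------
hyperthreadingMitigation         Bool  TRUE        FALSE    FALSE    constructed
hyperthreadingMitigationIntraVM  Bool  FALSE       TRUE     TRUE     constructed
forceHyperthreadingMitigation    Bool  FALSE       FALSE    FALSE    constructed'

# Constructed sample of `esxcli hardware cpu global get` output.
SAMPLE_CPU_GET='   CPU Packages: 2
   CPU Cores: 16
   CPU Threads: 32
   Hyperthreading Active: true
   Hyperthreading Supported: true
   Hyperthreading Enabled: true'

# On a real host, feed live output instead of the samples:
#   esxcli hardware cpu global get | ht_enabled
#   esxcli system settings kernel list | grep -i hyperthreadingMitigation | audit_sca
# and change a value (then reboot) with, for example:
#   esxcli system settings kernel set -s hyperthreadingMitigation -v TRUE
printf '%s\n' "$SAMPLE_CPU_GET" | ht_enabled
printf '%s\n' "$SAMPLE_KERNEL_LIST" | audit_sca
```

Run the audit before and after the reboot: a `reboot_required=yes` line means the Configured column already holds the new policy while the Runtime column, and therefore the scheduler, still reflects the old one.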