Side Channel Attack Mitigation in VMware ESXi
Article ID: 330041

Products

VMware vSphere ESXi

Issue/Introduction

Environment

VMware vSphere ESXi 6.x

VMware vSphere ESXi 7.0.x

VMware vSphere ESXi 8.0.x

Resolution

The following kernel boot options are available and can be changed from either the vSphere Client or the ESXi Host Client, through esxcli on the command line, through PowerCLI, or via the API. These options apply only when the host's CPUs support hyperthreading and hyperthreading is enabled in the BIOS. Refer to the individual KB articles for the attack vectors each option mitigates on the host and for the steps to configure each of the mitigation options below.

Option: hyperthreadingMitigation
Description: Turns on the Side-Channel Aware Scheduler (SCA) mitigation policy on the ESXi host. Together with hyperthreadingMitigationIntraVM, this option controls which SCA policy is used. Only applicable on hosts whose CPUs are affected by the L1TF vulnerability.

Option: hyperthreadingMitigationIntraVM
Description: Turns on the SCA mitigation policy that disables hyperthreading at the software level. If this option is set to TRUE, hyperthreading is turned off (SCAv1). If this option is set to FALSE while hyperthreadingMitigation is turned on, hyperthreading stays enabled but sibling hyperthreads are not shared between VMs (SCAv2). Only applicable on hosts whose CPUs are affected by the L1TF vulnerability.

Option: forceHyperthreadingMitigation
Description: Turns on the SCAv2 mitigation, which effectively disables hyperthread sharing between VMs. This option can be used on any applicable processor to mitigate the vulnerabilities covered in the KB article "Mitigation Instructions for CVE-2022-21123, CVE-2022-21125, and CVE-2022-21166".

Note: On the L1TF-vulnerable processors listed in the KB article "VMware response to 'L1 Terminal Fault - VMM' (L1TF - VMM) Speculative-Execution vulnerability in Intel processors for vSphere: CVE-2018-3646", this option does not override SCAv1 if SCAv1 is the currently active policy.
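As an added example (not part of this KB article and not VMware's own tooling), the following POSIX shell script encodes the policy selection described in the options above (SCAv1 when both hyperthreading options are TRUE, SCAv2 when hyperthreadingMitigation or forceHyperthreadingMitigation is on, and the rule from the note that forceHyperthreadingMitigation does not override an active SCAv1) and audits a host's configured values. The esxcli command quoted in the comment is the real one for listing kernel settings, but the column layout the awk extracts from is an assumption, and the host values fed to the audit are constructed sample input.

```shell
#!/bin/sh
# Added example, not from the VMware KB article: derive the effective
# Side-Channel Aware Scheduler (SCA) policy from the three VMkernel boot
# options described above, and audit a host from "option value" lines.
# Runs offline on a constructed sample; on an ESXi host feed real values
# obtained with "esxcli system settings kernel list -o <option>" instead.

# sca_policy HT INTRAVM FORCE  -> prints SCAv1, SCAv2 or NONE
#   HT      = hyperthreadingMitigation
#   INTRAVM = hyperthreadingMitigationIntraVM
#   FORCE   = forceHyperthreadingMitigation
# Values are TRUE/FALSE (case-insensitive). The first two options only take
# effect on L1TF-affected CPUs, so this logic assumes such a host.
sca_policy() {
    ht=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    intra=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    force=$(printf '%s' "$3" | tr '[:lower:]' '[:upper:]')
    if [ "$ht" = TRUE ] && [ "$intra" = TRUE ]; then
        # SCAv1: hyperthreading disabled in software. Per the KB note,
        # forceHyperthreadingMitigation does not override an active SCAv1.
        echo SCAv1
    elif [ "$ht" = TRUE ] || [ "$force" = TRUE ]; then
        # SCAv2: a core's hyperthreads are never shared between different VMs.
        echo SCAv2
    else
        # No SCA policy: sibling hyperthreads may run different VMs.
        echo NONE
    fi
}

# audit_sca reads "option value" lines on stdin (one per kernel option),
# prints the effective policy and returns 0 if SCAv1 or SCAv2 is active,
# 1 otherwise. Options missing from the input default to FALSE.
audit_sca() {
    ht=FALSE; intra=FALSE; force=FALSE
    while read -r name value; do
        case "$name" in
            hyperthreadingMitigation)        ht=$value ;;
            hyperthreadingMitigationIntraVM) intra=$value ;;
            forceHyperthreadingMitigation)   force=$value ;;
        esac
    done
    policy=$(sca_policy "$ht" "$intra" "$force")
    echo "effective SCA policy: $policy"
    [ "$policy" != NONE ]
}

# Constructed sample of a host configured for SCAv2 (hyperthreadingMitigation
# on, IntraVM off). On ESXi the same pairs can be produced with, e.g.:
#   for o in hyperthreadingMitigation hyperthreadingMitigationIntraVM \
#            forceHyperthreadingMitigation; do
#     esxcli system settings kernel list -o "$o" | awk 'NR>2 {print $1, $4}'
#   done
# (the awk picks the Runtime column; that column layout is an assumption).
SAMPLE_HOST='hyperthreadingMitigation TRUE
hyperthreadingMitigationIntraVM FALSE
forceHyperthreadingMitigation FALSE'

main() {
    printf '%s\n' "$SAMPLE_HOST" | audit_sca
}

main
```

Run the script on the host (or pipe real esxcli-derived pairs into audit_sca) and check the exit status: a non-zero result means no SCA policy is active and sibling hyperthreads can still be shared between VMs, which is the condition the options above exist to remove.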