This article documents the additional Transparent Page Sharing (TPS) management capabilities that are introduced in the following releases:
The article explains the concept of salting and the corresponding configuration options.
Please refer to KB2080735 and KB2097593 for changes to the default TPS settings in the ESXi Update releases of Q4 2014 and Q1 2015. These changes are related to recent academic research that leverages Transparent Page Sharing (TPS) to gain unauthorized access to data under certain highly controlled conditions.
Prompted by the security concern explained in KB2080735, the concept of salting has been introduced to control which virtual machines participate in TPS. Previously, two virtual machines could share a page whenever the contents of the page were the same. With salting, the page contents and the salt values of the two virtual machines must both be the same.
A new host config option, Mem.ShareForceSalting, is introduced to enable or disable salting.
By default salting is disabled (Mem.ShareForceSalting=0). This means TPS behaves as it did before this patch, that is, all virtual machines on an ESXi host participate in TPS.
When salting is enabled (Mem.ShareForceSalting=1), two VMs can share a page only if both their salt values and the page contents are the same. The salt value is a configurable VMX option for each virtual machine. It can be specified manually in the virtual machine's .vmx file with the new VMX option sched.mem.pshare.salt. If this option is not present in the .vmx file, the value of the vc.uuid VMX option is used as the default. Since vc.uuid is unique to each virtual machine, by default TPS then happens only among pages belonging to the same virtual machine (intra-VM).
If a group of virtual machines is trustworthy enough to share pages among themselves, a common salt value can be configured for all of those virtual machines, which makes them participate in TPS with each other (inter-VM).
The following table explains the behavior of these new config options.
Mem.ShareForceSalting | Comments
0 [Default] | Inter-VM TPS behavior is retained. The VMX option sched.mem.pshare.salt is ignored even if present.
1 | By default the salt value is generated from vc.uuid for each virtual machine. vc.uuid is a unique, randomly generated string assigned to a virtual machine by vCenter. If the VMX option sched.mem.pshare.salt is configured manually, it overrides the default value derived from vc.uuid.
To address the security concern explained in KB2080735, inter-VM TPS can be disabled by setting Mem.ShareForceSalting to 1. The VMX config option sched.mem.pshare.salt can then be used to selectively enable TPS among trustworthy virtual machines, as explained above.
Where can I find more information on Transparent Page Sharing?
For more information on page-sharing, see Transparent Page Sharing (TPS) in hardware MMU systems (KB1021095)
What is the default behavior of Transparent Page Sharing in the above-mentioned patch releases?
By default, Mem.ShareForceSalting is set to 0, which means inter-VM page sharing is enabled. This is the same TPS behavior that exists in all older releases.
How can I disallow inter-VM TPS?
This is done by enabling salting.
How can I enable/disable salting?
Set the advanced memory config option Mem.ShareForceSalting to 1 to enable salting, or to 0 to disable it.
How can I allow inter-VM TPS between two or more virtual machines?
Inter-VM TPS is enabled for two or more VMs by enabling salting and by giving them the same salt value.
How can I specify the salt value of a virtual machine?
Steps to specify the salt value for a VM
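The following PowerCLI script is an added example, not part of this KB or its attached pshare-salting.ps1 script. It puts the two preceding answers (enabling salting on the hosts, and giving a trusted group of VMs a common sched.mem.pshare.salt value) into one procedure, and it also restores Mem.ShareScanGHz to its default of 4 on hosts where KB2080735 had been used to turn page-share scanning off. The vCenter name, the VM names and the salt string are placeholders; the script assumes VMware PowerCLI is installed and that the account can edit host advanced settings and VM configuration.

```powershell
# Added example (not VMware's code). Assumes PowerCLI and rights to edit host
# advanced settings and VM configuration. All names below are placeholders.
param(
    [Parameter(Mandatory = $true)] [string]   $VCenter,                   # vCenter IP/hostname
    [Parameter(Mandatory = $true)] [string[]] $TrustedVMs,                # VMs allowed to share with each other
    [string] $SharedSalt = 'trusted-group-01'                             # constructed salt; any string works
)

Connect-VIServer -Server $VCenter | Out-Null

foreach ($vmhost in Get-VMHost) {
    # 1. Enable salting: with Mem.ShareForceSalting=1 the default salt is vc.uuid,
    #    so TPS becomes intra-VM only for every VM that has no explicit salt.
    $salting = Get-AdvancedSetting -Entity $vmhost -Name 'Mem.ShareForceSalting'
    if ($salting.Value -ne 1) {
        Set-AdvancedSetting -AdvancedSetting $salting -Value 1 -Confirm:$false | Out-Null
    }

    # 2. Check: KB2080735 disabled TPS entirely via Mem.ShareScanGHz=0. Salting only
    #    has an effect if page-share scanning runs, so restore the default (4).
    $scan = Get-AdvancedSetting -Entity $vmhost -Name 'Mem.ShareScanGHz'
    if ($scan.Value -ne 4) {
        Write-Warning "$($vmhost.Name): Mem.ShareScanGHz is $($scan.Value); restoring default 4"
        Set-AdvancedSetting -AdvancedSetting $scan -Value 4 -Confirm:$false | Out-Null
    }
}

# 3. Give the trusted VMs a common salt. They can then share pages with each other
#    (inter-VM TPS inside the group only); every other VM keeps vc.uuid as its salt
#    and shares only with itself.
foreach ($vm in Get-VM -Name $TrustedVMs) {
    $existing = Get-AdvancedSetting -Entity $vm -Name 'sched.mem.pshare.salt' -ErrorAction SilentlyContinue
    if ($existing) {
        Set-AdvancedSetting -AdvancedSetting $existing -Value $SharedSalt -Confirm:$false | Out-Null
    } else {
        New-AdvancedSetting -Entity $vm -Name 'sched.mem.pshare.salt' -Value $SharedSalt -Confirm:$false | Out-Null
    }
}

# 4. Report the effective salt per VM so the grouping can be verified.
#    (Assumption: a changed salt is applied when the VM is next power-cycled.)
$report = foreach ($vm in Get-VM) {
    $salt = Get-AdvancedSetting -Entity $vm -Name 'sched.mem.pshare.salt' -ErrorAction SilentlyContinue
    $effective = '<vc.uuid default: intra-VM only>'
    if ($salt) { $effective = $salt.Value }
    [pscustomobject]@{ VM = $vm.Name; Salt = $effective }
}
$report | Format-Table -AutoSize

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it as `.\set-pshare-salt.ps1 <vcenter IP/hostname> -TrustedVMs web01,web02` (file name and VM names are placeholders). The final table is the check worth keeping: any VM that should be isolated must show the vc.uuid default, and only the intended group should show the common salt.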
How can I prepare for the ESXi Update releases that no longer allow inter-VM TPS by default?
VMware recommends monitoring the free memory available on the host, along with the total ballooned and total swapped memory, before disallowing inter-VM TPS. Once inter-VM TPS is disabled, available free memory might drop, which can in turn lead to increased ballooning and swapping. If increased ballooning and swapping activity is observed together with noticeable performance issues, more physical memory can be added to the host or the memory load on the host can be reduced.
To monitor these statistics, run esxtop(1).
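As an added example (not part of this KB), the following PowerCLI script collects the same host-level figures the answer above says to watch, so they can be recorded before salting is enabled and compared afterwards: free memory, ballooned memory, swapped memory and shared memory, next to the current Mem.ShareForceSalting value. It assumes PowerCLI, a reachable vCenter (placeholder name) and the standard vSphere performance counters mem.vmmemctl.average, mem.swapused.average and mem.shared.average; the warning thresholds are constructed values.

```powershell
# Added example (not VMware's code). Assumes PowerCLI and a vCenter session.
param(
    [Parameter(Mandatory = $true)] [string] $VCenter,   # vCenter IP/hostname (placeholder)
    [int] $BalloonWarnMB = 0,                           # constructed threshold: warn on any ballooning
    [int] $SwapWarnMB    = 0                            # constructed threshold: warn on any swapping
)

Connect-VIServer -Server $VCenter | Out-Null

# Real-time host counters; vSphere reports these values in KB.
$counters = 'mem.vmmemctl.average',   # memory reclaimed by the balloon driver
            'mem.swapused.average',   # memory swapped out by the hypervisor
            'mem.shared.average'      # memory shared through TPS (drops once inter-VM TPS is off)

$rows = foreach ($vmhost in Get-VMHost) {
    $stats = Get-Stat -Entity $vmhost -Stat $counters -Realtime -MaxSamples 1
    $mb = @{}
    foreach ($s in $stats) { $mb[$s.MetricId] = [math]::Round($s.Value / 1024) }   # KB -> MB

    # Free memory from the host object itself (GB properties are part of the VMHost type).
    $freeGB  = [math]::Round($vmhost.MemoryTotalGB - $vmhost.MemoryUsageGB, 1)
    $salting = (Get-AdvancedSetting -Entity $vmhost -Name 'Mem.ShareForceSalting').Value

    if ($mb['mem.vmmemctl.average'] -gt $BalloonWarnMB -or $mb['mem.swapused.average'] -gt $SwapWarnMB) {
        Write-Warning "$($vmhost.Name): ballooning/swapping active; add memory or reduce load before/after disabling inter-VM TPS"
    }

    [pscustomobject]@{
        Host        = $vmhost.Name
        Salting     = $salting
        FreeGB      = $freeGB
        BalloonedMB = $mb['mem.vmmemctl.average']
        SwappedMB   = $mb['mem.swapused.average']
        SharedMB    = $mb['mem.shared.average']
    }
}

$rows | Format-Table -AutoSize

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Take one run with Mem.ShareForceSalting=0 and one after enabling salting; a large drop in SharedMB together with a rise in BalloonedMB or SwappedMB is the signal the KB describes that the host needs more physical memory or less load.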
If I followed KB2080735 to disable TPS, do I need to take any additional measures?
Yes. If you followed KB2080735, you need to re-enable TPS by setting ShareScanGHz back to its default (4). The PowerCLI script attached to this article sets it back to the default for you.
How can I enable/disable salting for multiple ESXi hosts?
The PowerCLI script attached to this KB (pshare-salting.ps1) toggles page-share salting on hosts running the Oct/Nov patch releases.
Usage
.\pshare-salting.ps1 <vcenter IP/hostname> -s -> Enables pshare salting
.\pshare-salting.ps1 <vcenter IP/hostname> -o -> Turns off pshare salting and falls back to the default TPS behavior.