Hypervisor-Assisted Guest Mitigation for Branch Target Injection

Article ID: 317720

Products

VMware vCenter Server, VMware vSphere ESXi, VMware Desktop Hypervisor

Issue/Introduction

Update: The Hypervisor-Assisted Guest Mitigation process described in Hypervisor-Assisted Guest Mitigation for CVE-2018-3639 (KB 55111) is cumulative and also mitigates the issues described in this article.

Recent microcode updates from Intel and AMD provide hardware support for mitigating branch target injection (Spectre v2, CVE-2017-5715). To use this new hardware feature within virtual machines, Hypervisor-Assisted Guest Mitigation must be enabled.

This document focuses on Hypervisor-Assisted Guest Mitigation as it pertains to vSphere. For a complete view of VMware's response to these issues, see VMware Response to Speculative Execution security issues, CVE-2017-5753, CVE-2017-5715, CVE-2017-5754, and CVE-2018-3693 (aka Spectre and Meltdown).

See VMware Security Advisory VMSA-2018-0004 for the VMware-provided patches related to this KB.

Environment

VMware Workstation Pro
VMware Fusion Pro
VMware vCenter Server
VMware vSphere ESXi

Resolution

Patching the VMware vSphere hypervisor and updating the CPU microcode (which the vSphere patches do for the processors listed in the table below) allows guest operating systems to use hardware support for branch target injection mitigation.

To enable hardware support for branch target injection mitigation in vSphere, apply these steps in the order shown:

Note: Ensure vCenter Server is updated first; for more information, see the vMotion and EVC Information section.

  1. Upgrade to one of the following versions of vCenter Server 5.5 – 6.5:
Important: Please review the release notes for vCenter Server, as there are new items listed in the 'known issues' section.
  2. Apply both of the following ESXi patches. Note: both can be applied together so that only one reboot of the host is required:
  • ESXi 6.5: ESXi650-201803401-BG* and ESXi650-201803402-BG**
  • ESXi 6.0: ESXi600-201803401-BG* and ESXi600-201803402-BG**
  • ESXi 5.5: ESXi550-201803401-BG* and ESXi550-201803402-BG**

* These ESXi patches provide the framework that allows guest OSes to use the new speculative-execution control mechanisms. They do not contain microcode.

** These ESXi patches apply the microcode updates listed in the table below. They do not contain the aforementioned framework.

Table 1 lists the Intel and AMD processors for which microcode updates are included in ESXi patches ESXi650-201803402-BG, ESXi600-201803402-BG, and ESXi550-201803402-BG. Please contact your hardware vendor to determine whether BIOS/firmware updates are recommended, as those updates may include additional improvements. Microcode updates are necessary for ESXi to provide the new speculative-execution control mechanisms that guest VMs use to mitigate CVE-2017-5715. VMware has included the microcode updates in the aforementioned ESXi patches to simplify deployment and minimize downtime.


Table 1. Microcode updates included in the ESXi patches. FMS is the CPUID family/model/stepping signature (CPUID leaf 1, EAX), Plt ID the platform ID, and MCU Rev the microcode revision shipped in the patch.

Vendor | Code Name | FMS | Plt ID | MCU Rev | VMware VCG Name
Intel | Sandy Bridge DT | 0x206a7 | 12 | 0x2d | Intel Xeon E3-1100 Series; Intel Xeon E3-1200 Series; Intel i7-2655-LE Series; Intel i3-2100 Series
Intel | Sandy Bridge EP | 0x206d7 | 6d | 0x713 | Intel Xeon E5-1400 Series; Intel Xeon E5-1600 Series; Intel Xeon E5-2400 Series; Intel Xeon E5-2600 Series; Intel Xeon E5-4600 Series; Intel Pentium 1400 Series
Intel | Ivy Bridge DT | 0x306a9 | 12 | 0x1f | Intel Xeon E3-1100-C-v2 Series; Intel Xeon E3-1200-v2 Series; Intel i3-3200 Series; Intel i7-3500-LE/UE; Intel i7-3600-QE; Intel Pentium B925C
Intel | Ivy Bridge EP | 0x306e4 | ed | 0x42c | Intel Xeon E5-4600-v2 Series; Intel Xeon E5-2400-v2 Series; Intel Xeon E5-2600-v2 Series; Intel Xeon E5-1400-v2 Series
Intel | Ivy Bridge EX | 0x306e7 | ed | 0x713 | Intel Xeon E7-8800/4800/2800-v2 Series
Intel | Haswell DT | 0x306c3 | 32 | 0x24 | Intel Xeon E3-1200-v3 Series; Intel i7-4700 EQ Series; Intel i3-4300 Series; Intel i5-4500-TE Series
Intel | Haswell EP | 0x306f2 | 6f | 0x3c | Intel Xeon E5-2400-v3 Series; Intel Xeon E5-1400-v3 Series; Intel Xeon E5-1600-v3 Series; Intel Xeon E5-2600-v3 Series; Intel Xeon E5-4600-v3 Series
Intel | Haswell EX | 0x306f4 | 80 | 0x11 | Intel Xeon E7-8800/4800-v3 Series
Intel | Broadwell H | 0x40671 | 22 | 0x1d | Intel Xeon E3-1200-v4 Series; Intel Core i7-5700EQ
Intel | Broadwell EP/EX | 0x406f1 | ef | 0xb00002a | Intel Xeon E7-8800/4800-v4 Series; Intel Xeon E5-4600-v4 Series; Intel Xeon E5-2600-v4 Series; Intel Xeon E5-1600-v4 Series
Intel | Broadwell DE | 0x50662 | 10 | 0x15 | Intel Xeon D-1500 Series
Intel | Broadwell DE | 0x50663 | 10 | 0x7000012 | Intel Xeon D-1500 Series
Intel | Broadwell DE | 0x50664 | 10 | 0xf000011 | Intel Xeon D-1500 Series
Intel | Broadwell NS | 0x50665 | 10 | 0xe000009 | Intel Xeon D-1500 Series
Intel | Skylake H/S | 0x506e3 | 36 | 0xc2 | Intel Xeon E3-1500-v5 Series; Intel Xeon E3-1200-v5 Series
Intel | Skylake SP | 0x50654 | b7 | 0x2000043 | Intel Xeon Platinum 8100 (Skylake-SP) Series; Intel Xeon Gold 6100/5100, Silver 4100, Bronze 3100 (Skylake-SP) Series
Intel | Kaby Lake H/S/X | 0x906e9 | 2a | 0x84 | Intel Xeon E3-1200-v6
AMD | Zen EPYC | 0x800f12 | n/a | 0x8001227 | AMD EPYC 7xx1 Series


To enable hardware support for branch target injection mitigation in Workstation/Fusion, follow these steps:

  1. Deploy one of the following versions of Workstation/Fusion:
    • Workstation 14.1.1
    • Workstation 12.5.9
    • Fusion 10.1.1
    • Fusion 8.5.10
  2. Apply the Microcode/BIOS updates for CVE-2017-5715 from your platform vendor.

For each virtual machine, enable Hypervisor-Assisted Guest Mitigation with the following steps:

  1. Apply all security patches for your guest OS that are available from the OS vendor.
  2. Ensure that your VMs are using Virtual Hardware Version 9 or higher. For details on hardware versions, see Upgrading a virtual machine to the latest hardware version (multiple versions).
    • Virtual Hardware Version 9 is the minimum requirement for Hypervisor-Assisted Guest Mitigation for branch target injection (CVE-2017-5715).
    • For best performance, Virtual Hardware Version 11 or higher is recommended. Virtual Hardware Version 11 exposes PCID/INVPCID to the guest, which may reduce the performance impact of CVE-2017-5754 (Meltdown) mitigations on CPUs that support those features. For the latest information on VMware performance impact, see KB 52337.
  3. Power off and then power on the virtual machine. A guest OS restart is insufficient: the VM must go through a full power cycle before it sees the new CPU features.

vMotion and EVC Information

An ESXi host running a patched vSphere hypervisor with updated microcode will see new CPU features that were not previously available.
These new features are exposed to all Virtual Hardware Version 9+ VMs powered on by that host. Because these virtual machines now see additional CPU features, vMotion to an ESXi host that lacks the microcode or hypervisor patches will be blocked.
The vCenter Server patches allow vMotion compatibility to be retained within an EVC cluster.
To maintain this compatibility, the new features are hidden from guests within the cluster until all hosts in the cluster are properly updated. At that point the cluster automatically upgrades its capabilities to expose the new features, and unpatched ESXi hosts are no longer admitted into the EVC cluster.

Confirmation of Correct Operation

To confirm a host has both the patched VMware hypervisor and updated microcode, use the following steps:

  1. Power on a virtual machine configured to use Virtual Hardware Version 9 or later.
  2. Examine the vmware.log file for that VM and look for one of the following entries:
    • "Capability Found: cpuid.IBRS"
    • "Capability Found: cpuid.IBPB"
    • "Capability Found: cpuid.STIBP"
  3. Any of the above log entries indicates that both the CPU microcode and the hypervisor are properly updated.

To confirm end to end operation including guest OS enablement of hardware support for branch target mitigation, check with your OS vendor.

ESXi Microcode Update Information

For the known Spectre vulnerabilities, Intel and AMD have supplied CPU microcode updates for many affected processors to add the new speculative-execution control mechanisms.

Most server vendors will soon include these CPU microcode updates in their next BIOS/firmware update. It is strongly recommended that customers apply these BIOS/firmware updates to their servers.

The ESXi patches listed above will also automatically apply these critical CPU microcode updates if the server's BIOS/firmware has not already applied them. The loading mechanism defined by AMD and Intel ensures that the latest microcode revision is the one active, regardless of the order in which the BIOS and the OS apply them. As a result, ESXi will never override a newer microcode revision loaded by the BIOS, and a BIOS carrying an older revision will not prevent ESXi from applying the newer one.
 
To confirm that the CPU has updated microcode for these features, power-on a VM on the host and then examine the vmware.log file.
 
An Intel CPU with updated microcode will have a non-zero value in host CPUID[7].EDX bits 26 (IBRS/IBPB) and 27 (STIBP), i.e. in the second-highest nibble of the EDX value on the "hostCPUID level 00000007, 0:" line:

hostCPUID level 00000007, 0: 0x00000000 0xd39ffffb 0x00000008 0x0c000000
                                                                 ^ EDX bits 27:24; [4-9a-f] in this nibble means bit 26 or 27 is set

An AMD CPU with updated microcode will have a non-zero value in host CPUID[0x80000008].EBX bit 12, i.e. an odd digit in the fourth nibble from the right of the EBX value on the "hostCPUID level 80000008, 0:" line:

hostCPUID level 80000008, 0: 0x00003030 0x00001007 0x0000603f 0x00000000
                                              ^ EBX bits 15:12; [13579bdf] in this nibble means bit 12 is set
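The two checks above (the "Capability Found" lines and the raw hostCPUID register dump) are easy to get wrong by eye, especially the nibble arithmetic. The following Python script is an added example, not part of this KB and not VMware tooling: it parses a vmware.log, decodes CPUID[7].EDX bits 26/27 (Intel) and CPUID[0x80000008].EBX bit 12 (AMD), and reports separately whether the microcode alone is updated and whether the hypervisor framework is also present. The sample log excerpts are constructed; the timestamp and "vmx| I125:" prefixes on each line are assumptions, and only the substrings quoted in this KB are matched. The register values are the ones shown above.

```python
"""Check a VM's vmware.log for the CVE-2017-5715 speculation-control signals.

Added example for this KB, not VMware code. Two independent checks:
  1. "Capability Found: cpuid.{IBRS,IBPB,STIBP}" lines: per the KB these prove
     that BOTH the hypervisor patch and the microcode update are in place.
  2. The raw hostCPUID dump: Intel CPUID[7].EDX[26]/[27], AMD
     CPUID[0x80000008].EBX[12]. These prove the microcode only; a host with new
     microcode but an unpatched hypervisor still fails check 1.
"""
import re
import sys

CAP_RE = re.compile(r"Capability Found: cpuid\.(IBRS|IBPB|STIBP)\b")
CPUID_RE = re.compile(
    r"hostCPUID level ([0-9a-fA-F]{8}), (\d+): "
    r"0x([0-9a-fA-F]{8}) 0x([0-9a-fA-F]{8}) 0x([0-9a-fA-F]{8}) 0x([0-9a-fA-F]{8})"
)

# Constructed sample excerpts (not real logs). Line prefixes are assumed;
# the register values are the ones the KB shows.
INTEL_PATCHED_LOG = """\
2018-03-21T09:14:02.101Z| vmx| I125: hostCPUID level 00000007, 0: 0x00000000 0xd39ffffb 0x00000008 0x0c000000
2018-03-21T09:14:02.233Z| vmx| I125: Capability Found: cpuid.IBRS
2018-03-21T09:14:02.233Z| vmx| I125: Capability Found: cpuid.IBPB
2018-03-21T09:14:02.233Z| vmx| I125: Capability Found: cpuid.STIBP
"""
INTEL_UNPATCHED_LOG = """\
2018-01-03T17:40:11.507Z| vmx| I125: hostCPUID level 00000007, 0: 0x00000000 0xd39ffffb 0x00000008 0x00000000
"""
AMD_PATCHED_LOG = """\
2018-03-21T09:20:45.880Z| vmx| I125: hostCPUID level 80000008, 0: 0x00003030 0x00001007 0x0000603f 0x00000000
2018-03-21T09:20:45.902Z| vmx| I125: Capability Found: cpuid.IBPB
"""


def parse_host_cpuid(text):
    """Return {(leaf, subleaf): (eax, ebx, ecx, edx)} from hostCPUID dump lines."""
    leaves = {}
    for m in CPUID_RE.finditer(text):
        key = (int(m.group(1), 16), int(m.group(2)))
        leaves[key] = tuple(int(m.group(i), 16) for i in range(3, 7))
    return leaves


def microcode_status(leaves):
    """Decode the speculation-control CPUID bits the KB points at."""
    status = {}
    if (0x7, 0) in leaves:
        edx = leaves[(0x7, 0)][3]
        status["intel_ibrs_ibpb"] = bool((edx >> 26) & 1)  # CPUID[7].EDX[26]
        status["intel_stibp"] = bool((edx >> 27) & 1)      # CPUID[7].EDX[27]
    if (0x80000008, 0) in leaves:
        ebx = leaves[(0x80000008, 0)][1]
        status["amd_ibpb"] = bool((ebx >> 12) & 1)         # CPUID[0x80000008].EBX[12]
    return status


def check_vmware_log(text):
    """Apply both KB checks to the contents of one vmware.log."""
    caps = sorted(set(CAP_RE.findall(text)))
    status = microcode_status(parse_host_cpuid(text))
    return {
        "capabilities": caps,
        "cpuid": status,
        # Any Capability Found line: hypervisor framework AND microcode present.
        "hypervisor_and_microcode_ok": bool(caps),
        # CPUID bits alone: microcode present, hypervisor patch not proven.
        "microcode_ok": any(status.get(k) for k in ("intel_ibrs_ibpb", "intel_stibp", "amd_ibpb")),
    }


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:  # no files given: run against the constructed samples
        for name, sample in (("intel-patched", INTEL_PATCHED_LOG),
                             ("intel-unpatched", INTEL_UNPATCHED_LOG),
                             ("amd-patched", AMD_PATCHED_LOG)):
            print(name, check_vmware_log(sample))
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            print(path, check_vmware_log(fh.read()))
```

Run it with one or more vmware.log paths (for example the log of a freshly power-cycled Hardware Version 9+ VM on each host); a result with microcode_ok true but hypervisor_and_microcode_ok false points at a host whose BIOS or the -402 patch delivered microcode while the -401 framework patch is still missing.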


Changelog:

01/09/18: Initial publication
03/20/18: Updated KB with patch and procedure information in conjunction with VMSA-2018-0004.3.

04/09/19: Updated KB with information that the Hypervisor-Assisted Guest Mitigation process described in KB55111 is cumulative.