Update: The Hypervisor-Assisted Guest Mitigation process described in Hypervisor-Assisted Guest Mitigation for CVE-2018-3639 is cumulative and will also mitigate the issues described in this article.
Recent microcode updates by Intel and AMD provide hardware support for branch target injection mitigation (Spectre v2). In order to use this new hardware feature within virtual machines, Hypervisor-Assisted Guest Mitigation must be enabled.
This document focuses on Hypervisor-Assisted Guest Mitigation as it pertains to vSphere. Please review VMware Response to Speculative Execution security issues, CVE-2017-5753, CVE-2017-5715, CVE-2017-5754, and CVE-2018-3693 (aka Spectre and Meltdown) for a complete view of VMware's response to these issues.
See VMware Security Advisory VMSA-2018-0004 for the VMware provided patches related to this KB.
VMware Workstation Pro
VMware Fusion Pro
VMware vCenter Server
VMware vSphere ESXi
Patching the VMware vSphere hypervisor and updating the CPU microcode (which the vSphere patches do for the processors listed in the table below) allows guest operating systems to use hardware support for branch target mitigation.
To enable hardware support for branch target mitigation in vSphere, apply these steps, in the order shown:
Note: Ensure vCenter Server is updated first. For more information, see the vMotion and EVC Information section.
* These ESXi patches provide the framework to allow guest OSes to utilize the new speculative-execution control mechanisms. These patches do not contain microcode.
** These ESXi patches apply the microcode updates listed in Table 1 below. These patches do not contain the aforementioned framework.
Table 1. Lists the Intel and AMD processors for which microcode updates were included in ESXi patches ESXi650-201803402-BG, ESXi600-201803402-BG, and ESXi550-201803402-BG. Please contact your hardware vendor to determine if BIOS/firmware updates are recommended as there may be additional improvements included with those updates. Microcode updates are necessary for ESXi to provide the new speculative-execution control mechanisms for guest VMs to mitigate CVE-2017-5715. VMware has included microcode updates in the aforementioned ESXi patches to simplify deployment processes and minimize downtime.
Vendor | Code Name | FMS | Plt ID | MCU Rev | VMware VCG Name |
---|---|---|---|---|---|
Intel | Sandy Bridge DT | 0x206a7 | 12 | 0x2d | Intel Xeon E3-1100 Series; Intel Xeon E3-1200 Series; Intel i7-2655-LE Series; Intel i3-2100 Series |
Intel | Sandy Bridge EP | 0x206d7 | 6d | 0x713 | Intel Xeon E5-1400 Series; Intel Xeon E5-1600 Series; Intel Xeon E5-2400 Series; Intel Xeon E5-2600 Series; Intel Xeon E5-4600 Series; Intel Pentium 1400 Series |
Intel | Ivy Bridge DT | 0x306a9 | 12 | 0x1f | Intel Xeon E3-1100-C-v2 Series; Intel Xeon E3-1200-v2 Series; Intel i3-3200 Series; Intel i7-3500-LE/UE; Intel i7-3600-QE; Intel Pentium B925C |
Intel | Ivy Bridge EP | 0x306e4 | ed | 0x42c | Intel Xeon E5-4600-v2 Series; Intel Xeon E5-2400-v2 Series; Intel Xeon E5-2600-v2 Series; Intel Xeon E5-1400-v2 Series; Intel Xeon E5-2600-v2 Series |
Intel | Ivy Bridge EX | 0x306e7 | ed | 0x713 | Intel Xeon E7-8800/4800/2800-v2 Series |
Intel | Haswell DT | 0x306c3 | 32 | 0x24 | Intel Xeon E3-1200-v3 Series; Intel i7-4700 EQ Series; Intel i3-4300 Series; Intel i5-4500-TE Series |
Intel | Haswell EP | 0x306f2 | 6f | 0x3c | Intel Xeon E5-2400-v3 Series; Intel Xeon E5-1400-v3 Series; Intel Xeon E5-1600-v3 Series; Intel Xeon E5-2600-v3 Series; Intel Xeon E5-4600-v3 Series |
Intel | Haswell EX | 0x306f4 | 80 | 0x11 | Intel Xeon E7-8800/4800-v3 Series |
Intel | Broadwell H | 0x40671 | 22 | 0x1d | Intel Xeon E3-1200-v4 Series; Intel Core i7-5700EQ |
Intel | Broadwell EP/EX | 0x406f1 | ef | 0xb00002a | Intel Xeon E7-8800/4800-v4 Series; Intel Xeon E5-4600-v4 Series; Intel Xeon E5-2600-v4 Series; Intel Xeon E5-1600-v4 Series |
Intel | Broadwell DE | 0x50662 | 10 | 0x15 | Intel Xeon D-1500 Series |
Intel | Broadwell DE | 0x50663 | 10 | 0x7000012 | Intel Xeon D-1500 Series |
Intel | Broadwell DE | 0x50664 | 10 | 0xf000011 | Intel Xeon D-1500 Series |
Intel | Broadwell NS | 0x50665 | 10 | 0xe000009 | Intel Xeon D-1500 Series |
Intel | Skylake H/S | 0x506e3 | 36 | 0xc2 | Intel Xeon E3-1500-v5 Series; Intel Xeon E3-1200-v5 Series |
Intel | Skylake SP | 0x50654 | b7 | 0x2000043 | Intel Xeon Platinum 8100 (Skylake-SP) Series; Intel Xeon Gold 6100/5100, Silver 4100, Bronze 3100 (Skylake-SP) Series |
Intel | Kaby Lake H/S/X | 0x906e9 | 2a | 0x84 | Intel Xeon E3-1200-v6 |
AMD | Zen EPYC | 0x800f12 | n/a | 0x8001227 | AMD EPYC 7xx1 Series |
To enable hardware support for branch target mitigation in Workstation/Fusion, follow these steps:
For each virtual machine, enable Hypervisor-Assisted Guest mitigation via the following steps:
An ESXi host that is running a patched vSphere hypervisor with updated microcode will see new CPU features that were not previously available.
These new features are exposed to all Virtual Hardware Version 9+ VMs that are powered on by that host. Because these virtual machines now see additional CPU features, vMotion to an ESXi host that lacks the microcode or hypervisor patches will be prevented.
The vCenter patches enable vMotion compatibility to be retained within an EVC cluster.
In order to maintain this compatibility the new features are hidden from guests within the cluster until all hosts in the cluster are properly updated. At that time, the cluster will automatically upgrade its capabilities to expose the new features. Unpatched ESXi hosts will no longer be admitted into the EVC cluster.
To confirm a host has both the patched VMware hypervisor and updated microcode, use the following steps:
To confirm end to end operation including guest OS enablement of hardware support for branch target mitigation, check with your OS vendor.
For the known Spectre vulnerabilities, Intel and AMD have supplied CPU microcode updates for many affected processors to add the new speculative-execution control mechanism.
Most server vendors will soon be including these CPU microcode updates in their next BIOS/firmware update. It is strongly recommended that customers apply these BIOS/firmware updates for their servers.
The ESXi patches listed above will also automatically apply these critical CPU microcode updates if the server's BIOS/Firmware has not already applied them. The mechanism defined by AMD and Intel always ensures that the latest microcode update is active regardless of the order in which the BIOS and OS apply them. As a result, ESXi will never override a newer version of the microcode update provided by BIOS nor will the BIOS with an older version prevent ESXi from applying the newer version.
To confirm that the CPU has updated microcode for these features, power on a VM on the host and then examine the vmware.log file. The hostCPUID lines list the EAX, EBX, ECX and EDX register values, in that order, for each leaf and subleaf.
An Intel CPU with updated microcode will have a non-zero value in host CPUID[7].EDX[26:27], that is, the marked nibble of the EDX (fourth) value will be in the range [4-9a-f]:

```
hostCPUID level 00000007, 0: 0x00000000 0xd39ffffb 0x00000008 0x0c000000
                                                                 ^ [4-9a-f] in nibble
```

An AMD CPU with updated microcode will have a non-zero value in host CPUID[0x80000008].EBX[12], that is, the marked nibble of the EBX (second) value will be odd, [13579bdf]:

```
hostCPUID level 80000008, 0: 0x00003030 0x00001007 0x0000603f 0x00000000
                                              ^ [13579bdf] in nibble
```
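The nibble check above is easy to misread by eye, so here is an added example (not part of the VMware KB) that parses hostCPUID lines from a vmware.log and tests the exact bits the KB names: CPUID[7].EDX bits 26 and 27 for Intel and CPUID[0x80000008].EBX bit 12 for AMD. The sample log lines are constructed from the two quoted in the KB plus a pre-update Intel line.

```python
import re

# vmware.log format assumed from the KB's quoted lines:
#   hostCPUID level 00000007, 0: 0x00000000 0xd39ffffb 0x00000008 0x0c000000
# Groups: leaf, subleaf, then EAX EBX ECX EDX in that order.
CPUID_LINE = re.compile(
    r"hostCPUID level ([0-9a-f]{8}), (\d+): "
    r"0x([0-9a-f]{8}) 0x([0-9a-f]{8}) 0x([0-9a-f]{8}) 0x([0-9a-f]{8})",
    re.IGNORECASE,
)

def parse_host_cpuid(log_text):
    """Return {(leaf, subleaf): (eax, ebx, ecx, edx)} from hostCPUID lines."""
    leaves = {}
    for m in CPUID_LINE.finditer(log_text):
        leaf, sub = int(m.group(1), 16), int(m.group(2))
        leaves[(leaf, sub)] = tuple(int(g, 16) for g in m.groups()[2:])
    return leaves

def branch_target_controls(leaves):
    """Evaluate the indicators the KB describes.
    Intel: CPUID[7].EDX bit 26 (IBRS/IBPB) and bit 27 (STIBP).
    AMD:   CPUID[0x80000008].EBX bit 12 (IBPB).
    """
    result = {"intel_ibrs_ibpb": False, "intel_stibp": False, "amd_ibpb": False}
    if (7, 0) in leaves:
        edx = leaves[(7, 0)][3]
        result["intel_ibrs_ibpb"] = bool(edx & (1 << 26))
        result["intel_stibp"] = bool(edx & (1 << 27))
    if (0x80000008, 0) in leaves:
        ebx = leaves[(0x80000008, 0)][1]
        result["amd_ibpb"] = bool(ebx & (1 << 12))
    # Any of the three set means the host exposes the new control mechanism.
    result["updated_microcode"] = any(
        result[k] for k in ("intel_ibrs_ibpb", "intel_stibp", "amd_ibpb"))
    return result

def check_log(log_text):
    return branch_target_controls(parse_host_cpuid(log_text))

# Constructed samples: the KB's two lines plus an Intel line with EDX[26:27] clear.
INTEL_UPDATED = "hostCPUID level 00000007, 0: 0x00000000 0xd39ffffb 0x00000008 0x0c000000\n"
INTEL_STALE = "hostCPUID level 00000007, 0: 0x00000000 0xd39ffffb 0x00000008 0x00000000\n"
AMD_UPDATED = "hostCPUID level 80000008, 0: 0x00003030 0x00001007 0x0000603f 0x00000000\n"

if __name__ == "__main__":
    for name, text in (("intel updated", INTEL_UPDATED),
                       ("intel stale", INTEL_STALE), ("amd updated", AMD_UPDATED)):
        print(name, check_log(text))
```

Run it against a real vmware.log by passing the file contents to check_log; a host whose hostCPUID lines yield updated_microcode False has not picked up the microcode update from either the BIOS or the ESXi patch.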
Changelog:
01/09/18: Initial publication
03/20/18: Updated KB with patch and procedure information in conjunction with VMSA-2018-0004.3.
04/09/19: Updated KB with information that the Hypervisor-Assisted Guest Mitigation process described in KB55111 is cumulative.