This article documents the Hypervisor-Assisted Guest Mitigations enablement process required to address Microarchitectural Data Sampling (MDS) Vulnerabilities identified by CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091 in vSphere.
In addition to the Hypervisor-Assisted Guest Mitigations described in this article, Hypervisor-Specific Mitigations and Operating System-Specific Mitigations are also required. These additional mitigations are documented VMSA-2019-0008.
To enable hardware support for MD_CLEAR in vCenter Server and ESXi, the following steps should be followed:
Note: Ensure vCenter Server is updated first, for more information, see the vMotion and EVC Information section.
To enable hardware support for MD_CLEAR in Workstation/Fusion, the following steps should be followed:
After enabling hardware support for MD_CLEAR, for each virtual machine enable MDS mitigation via the following steps:
vMotion and EVC Information
An ESXi host that is running a patched vSphere hypervisor with updated microcode will see new CPU features that were not previously available.
These new features will be exposed to all Virtual Hardware Version 9+ VMs that are powered-on by that host. Because these virtual machines now see additional CPU features, vMotion to an ESXi host lacking the microcode or hypervisor patches applied will be prevented.
The vCenter patches enable vMotion compatibility to be retained within an EVC cluster.
In order to maintain this compatibility the new features are hidden from guests within the cluster until all hosts in the cluster are properly updated. At that time, the cluster will automatically upgrade its capabilities to expose the new features. Unpatched ESXi hosts will no longer be admitted into the EVC cluster.
After vSphere has been patched for MDS, customers utilizing the per-VM EVC feature, introduced in Hardware Version 14 and newer, will also need to refresh the EVC mode of the VM. This refresh will allow the per-VM EVC mode of the VM to recognize the new CPU features introduced from the patches. Not performing this step may result in the VM running less securely than desired.
From the UI: to refresh the per-VM EVC feature of the VM, navigate to the virtual machine. Under the Configure tab, select VMware EVC. Click Edit to bring up the current EVC selection, then click OK.
Confirmation of Correct Operation
To confirm a host has both VMware hypervisor and updated microcode, use the following steps:
To confirm end to end operation including guest OS enablement of hardware support for MDS mitigation, check with your OS vendor.