Hi VMware Community,
I have opened a VMware Support request, but have got no qualified answer in a week, so perhaps someone here in the community can help me.
We have a fully patched environment to mitigate the Meltdown & Spectre vulnerabilities, but all testing tools say that the systems are attackable, and VMware Support told me that they are not responsible for the Windows VMs. But from the Microsoft side all things are done, patches are installed and the needed registry values for Windows Servers are there.
The Technical Details of the Environment:
- The customer has a 2-node VMware ESXi 5.5 Cluster
- Host-Patchlevel is ESXi 5.5 U3h (Build 7618464)
- Server-Hardware = Fujitsu Primergy RX 200 S8
- Bios Updates are installed V4.6.5.4 - R1.18.0
Bios-Changelog:
BIOS V4.6.5.4 R1.18.0 for D3302-A1x (12.02.2018)
Update CPU Microcode to ID=0000042C
Fixed side-channel analysis security flaws - known as Spectre & Meltdown
- Windows VMs patched (Microsoft Updates installed)
- VMs (Windows Server 2008 R2) rebooted (Full Powercycle)
Issue:
The Microsoft PowerShell query "Get-SpeculationControlSettings" shows inside the VMs that hardware support is not present.
https://support.microsoft.com/de-de/help/4074629/understanding-the-output-of-get-speculationcontrols...
Output of PowerShell Script: "Hardware support for branch target injection mitigation is present: False"
BTIHardwarePresent : False
BTIWindowsSupportPresent : True
BTIWindowsSupportEnabled : False
BTIDisabledBySystemPolicy : False
BTIDisabledByNoHardwareSupport : True
KVAShadowRequired : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : True
KVAShadowPcidEnabled : False
Question:
How can I check that the Meltdown & Spectre mitigation is correctly configured on the VMware side?
The PowerCLI Script from:
https://www.virtuallyghetto.com/2018/01/verify-hypervisor-assisted-guest-mitigation-spectre-patches-...
shows that Meltdown/Spectre mitigation is not working but I know that this is not an official VMware script, so is there an official solution to query the mitigation status?
Output of Script for all VMs = HypervisorAssistedGuestAffected = True
I further checked the VMware KB article KB52085
Confirmation of Correct Operation
To confirm a host has both patched microcode and patched VMware hypervisor, use the following steps:
- Power on a Virtual Machine which is configured to use Virtual Hardware Version 9 or later.
- Examine the vmware.log file for that VM and look for one of the following entries:
- “Capability Found: cpuid.IBRS”
- “Capability Found: cpuid.IBPB”
- “Capability Found: cpuid.STIBP”
- Any of the above log entries indicates that both the CPU microcode and hypervisor are properly updated.
1. VM Hardware Version is 10
2. vmware.log checked: there are no entries like that.
I would really appreciate any help.
Regards Philipp
Output from "InSpectre" Release #7 on a VM (WIN 2008 R2) from the Cluster:
Spectre & Meltdown Vulnerability and Performance Status
System is Meltdown protected: YES
System is Spectre protected: NO!
Performance: SLOWER
CPUID: 306E4
This 64-bit OS on Intel Processor:
OS is Meltdown aware: Yes
OS is Spectre aware: Yes
OS Meltdown data: 0x0033
OS Spectre data: 0x0004
PCID/INVPCID support: Yes / No
CPU microcode updated: No
CPU is meltdown vulnerable: Yes
This system's processor identification:
Intel Xeon CPU E5-2630 v2 @ 2.60GHz
Full Output of the Microsoft PowerShell Test Module from the same VM:
Speculation control settings for CVE-2017-5715 [branch target injection]
For more information about the output below, please refer to https://support.microsoft.com/en-in/help/4074629
Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: False
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID performance optimization is enabled: False [not required for security]
Suggested actions
* Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.
BTIHardwarePresent : False
BTIWindowsSupportPresent : True
BTIWindowsSupportEnabled : False
BTIDisabledBySystemPolicy : False
BTIDisabledByNoHardwareSupport : True
KVAShadowRequired : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : True
KVAShadowPcidEnabled : False
In case you had forgotten to remove "Intel Sightings" KB52345 CPUID leaf 7 EDX register mask from the /etc/vmware/config when the patches were recalled; it has to be REMOVED. It masks out IBRS, IBPB, and STIBP from the VM.
The Get-SpeculationControlSettings KVAShadowPcidEnabled is "FALSE" because the CPU is Ivy Bridge. Haswell and later have the INVPCID instruction. Only certain versions of Windows make use of INVPCID instruction.
https://kb.vmware.com/s/article/52345
cpuid.7.edx = "----:00--:----:----:----:----:----:----"
Hi bluefirestorm,
thx for your fast response, but the only entries in the config file on both hosts are:
HOST1 /etc/VMware/config
libdir = "/usr/lib/vmware"
authd.proxy.nfc = "vmware-hostd:ha-nfc"
authd.proxy.nfcssl = "vmware-hostd:ha-nfcssl"
authd.proxy.vpxa-nfcssl = "vmware-vpxa:vpxa-nfcssl"
authd.proxy.vpxa-nfc = "vmware-vpxa:vpxa-nfc"
authd.fullpath = "/sbin/authd"
HOST2 /etc/VMware/config
libdir = "/usr/lib/vmware"
authd.proxy.nfc = "vmware-hostd:ha-nfc"
authd.proxy.nfcssl = "vmware-hostd:ha-nfcssl"
authd.proxy.vpxa-nfcssl = "vmware-vpxa:vpxa-nfcssl"
authd.proxy.vpxa-nfc = "vmware-vpxa:vpxa-nfc"
authd.fullpath = "/sbin/authd"
btw: I didn't set the entry (cpuid.7.edx = "----:00--:----:----:----:----:----:----") manually, because we didn't patch the system in January with the faulty microcode updates.
Regards Philipp
One more thing to check is the hostCPUID entry in the vmware.log of the VM, leaf 7, EDX register.
vmx| I125: hostCPUID level 00000007, 0: 0x00000000 0x000027ab 0x00000000 0x00000000
It should show as 0x0C000000 if the CPU has the microcode patches, instead of all hexadecimal zeroes for bits 26-27 for the 3 Spectre microcode updates. I am not 100% sure, but I think the hostCPUID dump is unfiltered (i.e. it just dumps whatever the CPUID instruction returns), whereas the "Capability Found" entries are an indicator that the hypervisor is looking for those features based on the CPUID instruction queries. So if it is indeed unfiltered, this can confirm whether the firmware update on the ESXi host itself is successful.
I haven't seen any official announcement from VMware with regards to ESXi Spectre patches now that Intel has issued new working microcode for many different generations of CPUs starting from February. It might be the case that the ESXi version 5.5 update H is not exposing those 3 microcode features. So you might have to wait for an official VMware announcement with regards to ESXi patches for Spectre.
Just an FYI: On a consumer laptop of mine, I used the microcode downloaded from the Microsoft catalog (not a firmware update from the laptop manufacturer; the manufacturer did not list the laptop model I have as pending firmware updates for Spectre) for a Skylake CPU, and I get "all green" with the Get-SpeculationControlSettings PowerShell with Workstation Pro 12.5.9 on a Windows 10 host with a Windows 10 VM.
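The two log checks discussed in this thread, the hostCPUID leaf 7 EDX dump described in the post above and the KB52085 "Capability Found" entries quoted in the opening post, plus the KB52345 mask line, can be run over a vmware.log file by a small script. The script below is an added example written for this thread; it is not code from VMware or from any poster. The sample log lines are constructed from the values quoted earlier in the thread, the leaf 7 EDX bit meanings follow Intel's CPUID definition, and the mask decoder assumes VMware's cpuid.N.reg mask string lists bit 31 first in colon-separated groups of four.

```python
import re

# Constructed sample: vmware.log lines modelled on the ones quoted in this
# thread (Ivy Bridge EP host, ESXi 5.5 build 7618464). Not a real file.
SAMPLE_LOG = """\
2018-03-15T13:41:22.697Z| vmx| I120: FeatureCompat: No EVC masks.
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000001, 0: 0x000306e4 0x00200800 0x77bee3ff 0xbfebfbff
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000007, 0: 0x00000000 0x00000281 0x00000000 0x0c000000
2018-03-15T13:41:22.699Z| vmx| I120: CPUID differences from hostCPUID.
"""

# The KB52345 "Intel Sightings" mask quoted in the thread:
# '0' forces a bit to 0, '-' passes the host value through.
KB52345_MASK = "----:00--:----:----:----:----:----:----"

# CPUID leaf 7, subleaf 0, EDX: Intel-defined speculation-control feature bits.
LEAF7_EDX_BITS = {26: "IBRS/IBPB", 27: "STIBP", 29: "ARCH_CAPABILITIES", 31: "SSBD"}

HOSTCPUID_RE = re.compile(
    r"hostCPUID level ([0-9a-f]{8}), ([0-9a-f]+): "
    r"(0x[0-9a-f]{8}) (0x[0-9a-f]{8}) (0x[0-9a-f]{8}) (0x[0-9a-f]{8})"
)
CAPABILITY_RE = re.compile(r"Capability Found: cpuid\.(\w+)")


def parse_hostcpuid(log_text):
    """Map (leaf, subleaf) -> (eax, ebx, ecx, edx) from the hostCPUID dump lines."""
    table = {}
    for m in HOSTCPUID_RE.finditer(log_text):
        leaf, sub = int(m.group(1), 16), int(m.group(2), 16)
        table[(leaf, sub)] = tuple(int(v, 16) for v in m.groups()[2:])
    return table


def host_spectre_features(log_text):
    """Feature names whose leaf 7 EDX bit is set in the host CPUID dump.
    Updated microcode shows IBRS/IBPB and STIBP (EDX = 0x0c000000 on this host)."""
    regs = parse_hostcpuid(log_text).get((7, 0))
    if regs is None:
        return []
    edx = regs[3]
    return [name for bit, name in sorted(LEAF7_EDX_BITS.items()) if (edx >> bit) & 1]


def guest_capabilities(log_text):
    """The KB52085 check: the names after 'Capability Found: cpuid.' are what
    the hypervisor actually exposes to the VM."""
    return CAPABILITY_RE.findall(log_text)


def masked_bits(mask):
    """Bit numbers a cpuid.N.reg mask string forces to 0.
    Assumed format: 32 characters, bit 31 first, colon-separated groups of four."""
    chars = mask.replace(":", "")
    if len(chars) != 32:
        raise ValueError("mask must describe exactly 32 bits")
    return {31 - i for i, ch in enumerate(chars) if ch == "0"}


def assess(log_text, cpuid7_edx_mask=None):
    """Combine the three checks discussed in this thread into one result."""
    masked = masked_bits(cpuid7_edx_mask) if cpuid7_edx_mask else set()
    return {
        "host_microcode_features": host_spectre_features(log_text),
        "evc_masks_present": "No EVC masks." not in log_text,
        "guest_capabilities": guest_capabilities(log_text),
        "config_mask_hides": sorted(LEAF7_EDX_BITS[b] for b in masked if b in LEAF7_EDX_BITS),
    }


if __name__ == "__main__":
    # Host microcode reports the features, but no Capability Found lines: the
    # hypervisor is not passing them to the guest (the state in this thread).
    print(assess(SAMPLE_LOG))
    # With the KB52345 mask still in /etc/vmware/config, IBRS/IBPB and STIBP
    # would be hidden from the VM even on a patched hypervisor.
    print(assess(SAMPLE_LOG, KB52345_MASK))
```

Run it against a real log with `assess(open(path).read(), mask)`, where `mask` is the value of any `cpuid.7.edx` line in /etc/vmware/config (or `None` when there is none). A host whose microcode is current lists IBRS/IBPB and STIBP under `host_microcode_features`; if `guest_capabilities` is still empty in that situation and no mask or EVC setting explains it, the hypervisor build itself is not exposing the features, which is the combination the log pasted later in this thread shows.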
Hi bluefirestorm,
I thought the new ESXi update VMware ESXi 5.5, Patch Release ESXi550-201801301-BG - Updates esx-base VIB (52406) includes the Spectre mitigations, or do I misunderstand the following two quotes?
This ESXi patch provides hypervisor-specific mitigations for CVE-2017-5753 and CVE-2017-5715. For more details, see VMware Security Advisory VMSA-2018-0002
*ESXi550-201801301-BG does NOT include the unstable microcode mentioned in KB52345 and mitigates both CVE-2017-5753 and CVE-2017-5715.
VMware.log from a VM of the Cluster.
2018-03-15T13:41:22.663Z| vmx| I120: Log for VMware ESX pid=308852 version=5.5.0 build=build-7618464 option=Release
2018-03-15T13:41:22.663Z| vmx| I120: The process is 64-bit.
2018-03-15T13:41:22.663Z| vmx| I120: Host codepage=UTF-8 encoding=UTF-8
2018-03-15T13:41:22.663Z| vmx| I120: Host is VMkernel 5.5.0
2018-03-15T13:41:22.655Z| vmx| I120: VTHREAD initialize main thread 0 "vmx" pid 308852
2018-03-15T13:41:22.655Z| vmx| I120: Msg_SetLocaleEx: HostLocale=UTF-8 UserLocale=NULL
2018-03-15T13:41:22.656Z| vmx| I120: ConfigDB: Failed to load /usr/lib/vmware/config
2018-03-15T13:41:22.656Z| vmx| I120: ConfigDB: Failed to load ~/.vmware/config
2018-03-15T13:41:22.656Z| vmx| I120: OBJLIB-LIB: Objlib initialized.
2018-03-15T13:41:22.657Z| vmx| I120: PREF Optional preferences file not found at /usr/lib/vmware/config. Using default values.
2018-03-15T13:41:22.657Z| vmx| I120: PREF Optional preferences file not found at //.vmware/config. Using default values.
2018-03-15T13:41:22.657Z| vmx| I120: PREF Failed to load user preferences.
2018-03-15T13:41:22.663Z| vmx| I120: Hostname=esxi01.company.intra
2018-03-15T13:41:22.663Z| vmx| I120: IP=127.0.0.1 (lo0)
2018-03-15T13:41:22.663Z| vmx| I120: IP=10.1.11.10 (vmk0)
2018-03-15T13:41:22.663Z| vmx| I120: IP=192.168.1.10 (vmk1)
2018-03-15T13:41:22.663Z| vmx| I120: IP=192.168.1.11 (vmk2)
2018-03-15T13:41:22.663Z| vmx| I120: vmkernel build type: release
2018-03-15T13:41:22.663Z| vmx| I120: System uptime 100022516293 us
2018-03-15T13:41:22.663Z| vmx| I120: Command line: "/bin/vmx" "-s" "sched.group=host/user" "-#" "product=2;name=VMware ESX;version=5.5.0;buildnumber=7618464;licensename=VMware ESX Server;licenseversion=5.0;" "-@" "duplex=3;msgs=ui" "/vmfs/volumes/55098883-94a1f357-8c64-a0369f642eec/S002/S002.vmx"
2018-03-15T13:41:22.663Z| vmx| I120: Environment: "USER=root" "HOME=/" "SHELL=/bin/sh" "LANG=C"
2018-03-15T13:41:22.663Z| vmx| I120: Msg_SetLocaleEx: HostLocale=UTF-8 UserLocale=NULL
2018-03-15T13:41:22.663Z| vmx| I120: Duplex socket: 3
2018-03-15T13:41:22.663Z| vmx| W110: CnxNeedScrub: Time to scrub dir /var/run/vmware
2018-03-15T13:41:22.691Z| vmx| I120: Connecting 'ui' to fd '3' with user '(null)'
2018-03-15T13:41:22.692Z| vmx| I120: VmdbAddConnection: cnxPath=/db/connection/#1/, cnxIx=1
2018-03-15T13:41:22.692Z| vmx| I120: /vmfs/volumes/55098883-94a1f357-8c64-a0369f642eec/S002/S002.vmx: Setup symlink /var/run/vmware/841361a48ddd381b3474398e2ca00c61 -> /var/run/vmware/root_0/1521121282663586_308852
2018-03-15T13:41:22.692Z| vmx| I120: Vix: [308852 mainDispatch.c:463]: VMAutomation: Initializing VMAutomation.
2018-03-15T13:41:22.692Z| vmx| I120: Vix: [308852 mainDispatch.c:760]: VMAutomationOpenListenerSocket() listening
2018-03-15T13:41:22.696Z| vmx| I120: Vix: [308852 mainDispatch.c:3964]: VMAutomation_ReportPowerOpFinished: statevar=0, newAppState=1870, success=1 additionalError=0
2018-03-15T13:41:22.696Z| vmx| I120: Transitioned vmx/execState/val to poweredOff
2018-03-15T13:41:22.696Z| vmx| I120: Vix: [308852 mainDispatch.c:3964]: VMAutomation_ReportPowerOpFinished: statevar=1, newAppState=1873, success=1 additionalError=0
2018-03-15T13:41:22.696Z| vmx| I120: Vix: [308852 mainDispatch.c:3964]: VMAutomation_ReportPowerOpFinished: statevar=2, newAppState=1877, success=1 additionalError=0
2018-03-15T13:41:22.696Z| vmx| I120: Vix: [308852 mainDispatch.c:3964]: VMAutomation_ReportPowerOpFinished: statevar=3, newAppState=1881, success=1 additionalError=0
2018-03-15T13:41:22.697Z| vmx| I120: FeatureCompat: No EVC masks.
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID vendor: GenuineIntel
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID family: 0x6 model: 0x3e stepping: 0x4
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID codename: Ivy Bridge EP/EN/EX
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID name: Intel(R) Xeon(R) CPU E5-2630 v2 @ 2.60GHz
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000000, 0: 0x0000000d 0x756e6547 0x6c65746e 0x49656e69
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000001, 0: 0x000306e4 0x00200800 0x77bee3ff 0xbfebfbff
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000002, 0: 0x76036301 0x00f0b2ff 0x00000000 0x00ca0000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000003, 0: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000004, 0: 0x3c004121 0x01c0003f 0x0000003f 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000004, 1: 0x3c004122 0x01c0003f 0x0000003f 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000004, 2: 0x3c004143 0x01c0003f 0x000001ff 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000004, 3: 0x3c07c163 0x04c0003f 0x00002fff 0x00000006
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000004, 4: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000005, 0: 0x00000040 0x00000040 0x00000003 0x00001120
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000006, 0: 0x00000077 0x00000002 0x00000009 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000007, 0: 0x00000000 0x00000281 0x00000000 0x0c000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000008, 0: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000009, 0: 0x00000001 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000a, 0: 0x07300403 0x00000000 0x00000000 0x00000603
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000b, 0: 0x00000001 0x00000002 0x00000100 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000b, 1: 0x00000005 0x0000000c 0x00000201 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000b, 2: 0x00000000 0x00000000 0x00000002 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000c, 0: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 0: 0x00000007 0x00000240 0x00000340 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 1: 0x00000001 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 2: 0x00000100 0x00000240 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 3: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 4: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 5: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 6: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 7: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 8: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 9: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, a: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, b: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, c: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, d: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, e: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, f: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 10: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 11: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 12: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 13: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 14: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 15: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 16: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 17: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 18: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 19: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 1a: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 1b: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 1c: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 1d: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 1e: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 1f: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 20: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 21: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 22: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 23: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 24: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 25: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 26: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 27: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 28: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 29: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 2a: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 2b: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 2c: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 2d: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 2e: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 2f: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 30: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 31: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 32: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 33: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 34: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 35: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 36: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 37: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 38: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 39: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 3a: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 3b: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 3c: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 3d: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 3e: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 3f: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 80000000, 0: 0x80000008 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 80000001, 0: 0x00000000 0x00000000 0x00000001 0x2c100800
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 80000002, 0: 0x20202020 0x6e492020 0x286c6574 0x58202952
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 80000003, 0: 0x286e6f65 0x43202952 0x45205550 0x36322d35
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 80000004, 0: 0x76203033 0x20402032 0x30362e32 0x007a4847
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 80000005, 0: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 80000006, 0: 0x00000000 0x00000000 0x01006040 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 80000007, 0: 0x00000000 0x00000000 0x00000000 0x00000100
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 80000008, 0: 0x0000302e 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.699Z| vmx| I120: CPUID differences from hostCPUID.
Regards Philipp
From the log you pasted it looks like the CPU has the microcode updates for mitigation against Spectre, as the EDX register output value is 0x0c000000 (which means bits 26-27 are 1) and there are no EVC masks that would mask them out.
CPUID leaf (EAX in) | ECX in | EAX out | EBX out | ECX out | EDX out |
---|---|---|---|---|---|
00000007 | 0 | 0x00000000 | 0x00000281 | 0x00000000 | 0x0c000000 |
So it is a matter of the hypervisor (in your case ESXi 5.5) exposing the IBRS, IBPB, STIBP to the VM. Maybe U3h has the patches from U3g removed. It is unclear from the KB whether that was the case. You may have to ask VMware for a definitive answer.
Hi bluefirestorm,
thank you for your support, it's greatly appreciated.
Maybe U3h has the patches from U3g removed. It is unclear from the KB whether that was the case.
Perhaps I am wrong, but the VMware statement in the article, in my understanding, is that the Spectre mitigations should be included.
But I had the same discussion with a German community colleague yesterday. (CVE-2017-5753 and CVE-2017-5715 = https://meltdownattack.com/#faq-cve-spectre)
ESXi550-201801301-BG does NOT include the unstable microcode mentioned in KB52345 and mitigates both CVE-2017-5753 and CVE-2017-5715
@VMware:
I really hate this situation, we need clear and transparent communication, and we need an official PowerCLI script or an alternative to test the mitigation status.
Our customers trust us and we trust in you, so please do your job and inform us in a proper way!
Regards Philipp
Hi, I also have the same issue. The answer from Support is that the 5.5u3h patch does not include the hypervisor-assisted guest OS mitigation.
It was included in the 5.5u3g patch, which was pulled due to the unstable microcode stuff. I asked when the patch will be re-released with the hypervisor-assisted guest OS mitigation and the answer is: no ETA yet. Very dissatisfying.
Hi marvinp,
thank you for your response, ok, that sounds plausible, but then I don't understand the "3h" patch notes or even why this patch was released...
If the Spectre mitigations are not included then the notes are misleading or, in other words, totally wrong.
This ESXi patch provides hypervisor-specific mitigations for CVE-2017-5753 and CVE-2017-5715. For more details, see VMware Security Advisory VMSA-2018-0002.
Regards Philipp
I agree, the documentation is kind of confusing.
Anyway, new patches have been released today, see VMSA-2018-0004.3
André
Hi a.p.,
thx for your answer, I will try out this patch asap.
Regards Philipp
Hi André,
I installed the patches, and the Spectre mitigation checks are all green inside the VMs.
Thx for your Support.
Regards Philipp