Hi everybody,
We have a cluster running 10 HPE ProLiant DL380 G9 and vCenter 6.5. The vCenter Appliance is running the latest version from VMware, and the ESXi hosts are also up to date, running VMware ESXi, 6.5.0, 8935087.
The cluster is running in EVC mode at the Intel® "Haswell" generation because 5 of our hosts have Intel(R) Xeon(R) CPU E5-2699 v3 @ 2.30GHz and the other five have Intel(R) Xeon(R) CPU E5-2699 v4 @ 2.20GHz.
All of these hosts have the latest BIOS and microcode update from HPE applied (version 2.60). According to HPE, this should fix CVE-2018-3639.
According to the VMware Knowledge Base, we should find “Capability Found: cpuid.SSBD” in the vmware.log of guest VMs after powering them down and restarting them. But we don't see this. So it looks like the patch is not correctly applied to all servers in the cluster, or something else is missing.
On a Windows guest VM, running Get-SpeculationControlSettings results in:
Speculation control settings for CVE-2017-5715 [branch target injection]
For more information about the output below, please refer to https://support.microsoft.com/en-in/help/4074629
Hardware support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: True
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: False
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: False
Speculation control settings for CVE-2018-3639 [speculative store bypass]
Hardware is vulnerable to speculative store bypass: True
Hardware support for speculative store bypass mitigation is present: False
Windows OS support for speculative store bypass mitigation is present: True
Windows OS support for speculative store bypass mitigation is enabled system-wide: False
Suggested actions
* Follow the guidance for enabling Windows Server support for speculation control mitigations described in https://support.microsoft.com/help/4072698
BTIHardwarePresent : True
BTIWindowsSupportPresent : True
BTIWindowsSupportEnabled : False
BTIDisabledBySystemPolicy : True
BTIDisabledByNoHardwareSupport : False
KVAShadowRequired : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : False
KVAShadowPcidEnabled : False
SSBDWindowsSupportPresent : True
SSBDHardwareVulnerable : True
SSBDHardwarePresent : False
SSBDWindowsSupportEnabledSystemWide : False
Another HPE ProLiant DL380 G9 running Windows natively without VMware, with HPE BIOS version 2.60, gives the following result when running Get-SpeculationControlSettings:
Speculation control settings for CVE-2017-5715 [branch target injection]
For more information about the output below, please refer to https://support.microsoft.com/en-in/help/4074629
Hardware support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: True
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: False
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: False
Speculation control settings for CVE-2018-3639 [speculative store bypass]
Hardware is vulnerable to speculative store bypass: True
Hardware support for speculative store bypass mitigation is present: True
Windows OS support for speculative store bypass mitigation is present: True
Windows OS support for speculative store bypass mitigation is enabled system-wide: False
Suggested actions
* Follow the guidance for enabling Windows Server support for speculation control mitigations described in https://support.microsoft.com/help/4072698
BTIHardwarePresent : True
BTIWindowsSupportPresent : True
BTIWindowsSupportEnabled : False
BTIDisabledBySystemPolicy : True
BTIDisabledByNoHardwareSupport : False
KVAShadowRequired : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : False
KVAShadowPcidEnabled : False
SSBDWindowsSupportPresent : True
SSBDHardwareVulnerable : True
SSBDHardwarePresent : True
SSBDWindowsSupportEnabledSystemWide : False
So according to this, the HPE BIOS has the problem fixed, but VMware has something missing.
Does somebody have such issues? What can we do to get this fixed?
Thank you for your help,
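As an added example (not from this thread, and not VMware's or HPE's code), here is a small Python checker for the two checks described in the post above: it scans a vmware.log excerpt for the "Capability Found: cpuid.SSBD" line and parses the `Name : Value` property block that Get-SpeculationControlSettings prints, so the guest-VM and bare-metal results can be compared in one place. The log lines and property blocks are constructed sample input (the values mirror the two runs quoted above), the vmware.log line layout is an assumption, and the diagnosis codes are the example's own.

```python
import re
from typing import Dict, Optional, Set

# Constructed vmware.log excerpts. The line layout is approximated around the
# "Capability Found: cpuid.SSBD" phrase quoted from the VMware KB in the thread;
# these are not real logs from the cluster discussed above.
VMWARE_LOG_WITH_SSBD = """\
2018-08-01T09:12:44.117Z| vmx| I125: Capability Found: cpuid.IBRS
2018-08-01T09:12:44.117Z| vmx| I125: Capability Found: cpuid.STIBP
2018-08-01T09:12:44.118Z| vmx| I125: Capability Found: cpuid.SSBD
"""
VMWARE_LOG_WITHOUT_SSBD = """\
2018-08-01T09:12:44.117Z| vmx| I125: Capability Found: cpuid.IBRS
2018-08-01T09:12:44.117Z| vmx| I125: Capability Found: cpuid.STIBP
"""

# Constructed property blocks in the "Name : Value" shape that
# Get-SpeculationControlSettings prints. The values mirror the two runs in the
# thread: the guest VM (SSBD hardware support absent) and the bare-metal host
# with BIOS 2.60 (SSBD hardware support present).
GUEST_VM_SETTINGS = """\
BTIHardwarePresent : True
SSBDWindowsSupportPresent : True
SSBDHardwareVulnerable : True
SSBDHardwarePresent : False
SSBDWindowsSupportEnabledSystemWide : False
"""
BARE_METAL_SETTINGS = """\
BTIHardwarePresent : True
SSBDWindowsSupportPresent : True
SSBDHardwareVulnerable : True
SSBDHardwarePresent : True
SSBDWindowsSupportEnabledSystemWide : False
"""

CAPABILITY_RE = re.compile(r"Capability Found:\s*(cpuid\.[A-Za-z0-9_]+)")
SETTING_RE = re.compile(r"^\s*([A-Za-z]+)\s*:\s*(True|False)\s*$")


def found_capabilities(log_text: str) -> Set[str]:
    """Return every cpuid.* capability the VMX reported when the VM powered on."""
    return set(CAPABILITY_RE.findall(log_text))


def ssbd_exposed_to_guest(log_text: str) -> bool:
    """True when the vmware.log shows the SSBD CPUID bit was presented to the VM."""
    return "cpuid.SSBD" in found_capabilities(log_text)


def parse_speculation_settings(text: str) -> Dict[str, bool]:
    """Parse the boolean 'Name : True/False' lines of the PowerShell output."""
    settings: Dict[str, bool] = {}
    for line in text.splitlines():
        match = SETTING_RE.match(line)
        if match:
            settings[match.group(1)] = match.group(2) == "True"
    return settings


def diagnose_ssbd(guest: Dict[str, bool],
                  bare_metal: Optional[Dict[str, bool]] = None) -> str:
    """Classify where the SSBD mitigation chain breaks (codes are this example's own)."""
    if guest.get("SSBDHardwarePresent"):
        if guest.get("SSBDWindowsSupportEnabledSystemWide"):
            return "exposed-and-enabled"
        # Hardware bit is visible; only the guest OS setting is still off (KB4072698).
        return "exposed-not-enabled"
    if bare_metal is None:
        return "not-visible-in-guest"
    if bare_metal.get("SSBDHardwarePresent"):
        # Firmware/microcode provide SSBD on bare metal, yet the VM does not see it:
        # the hypervisor layer (EVC baseline, VM CPUID not refreshed) is the gap.
        return "not-presented-by-hypervisor"
    return "no-firmware-support"


if __name__ == "__main__":
    guest = parse_speculation_settings(GUEST_VM_SETTINGS)
    host = parse_speculation_settings(BARE_METAL_SETTINGS)
    print("vmware.log (with SSBD):   ", ssbd_exposed_to_guest(VMWARE_LOG_WITH_SSBD))
    print("vmware.log (without SSBD):", ssbd_exposed_to_guest(VMWARE_LOG_WITHOUT_SSBD))
    print("diagnosis:", diagnose_ssbd(guest, host))
```

With the thread's two runs the diagnosis comes out as "not-presented-by-hypervisor": the bare-metal box reports SSBDHardwarePresent True while the VM reports False, which points at the virtualization layer rather than the BIOS. Note that a vmware.log is only rewritten on a full power cycle of the VM, so a plain guest reboot will not show a newly presented capability.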
It looks like the new CPU features are not presented to the VMs.
What you may try - unless already done - is to re-apply the EVC mode in the cluster settings, i.e. open the EVC settings and click OK.
Then power-cycle one of the VMs to see whether this did the trick.
André
Thank you, André. I already applied the EVC settings, but this did not work. Now I tried to remove EVC mode from the cluster and then reapply EVC mode again. After that, the VMs get the required CPU features when they are powered on again.
Same issue here with Dell R730 / R740.