I patched my host ESXi 6.5 to 9298722.
Now getting this warning. I already updated vCenter to 9451637.
Any idea?
This is a warning regarding Intel's L1 Terminal Fault (L1TF) vulnerability.
Please read the mentioned KB article as well as https://kb.vmware.com/s/article/56931, which contains a script for "HTAware Mitigation Load Analysis Usage" as well as "HTAware Mitigation Remediation".
André
The same thing has been mentioned in the blog post - Warning “esx.problem.hyperthreading.unmitigated” after installing ESXi patches. | Kalle's playground
For the fix, you have to refer to the KB - VMware Knowledge Base
Please consider marking this answer as "correct" or "helpful" if you think your questions have been answered.
Cheers,
Supreet
OK, looks like I applied the patches in the right order:
1) vCenter patches
2) ESXi patches
3) Evaluate and set “VMkernel.Boot.hyperthreadingMitigation” to “true” if you want to enable the patch.
My problem is now with step 3.
If I don't do anything, what will happen? How do I evaluate VMkernel.Boot.hyperthreadingMitigation?
If you don't follow the mitigation plan detailed in the KB VMware Knowledge Base, hosts will remain susceptible to the risk explained in the advisory CVE-2018-3646.
Please consider marking this answer as "correct" or "helpful" if you think your questions have been answered.
Cheers,
Supreet
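Added example for the step 3 question above (how to evaluate VMkernel.Boot.hyperthreadingMitigation before enabling it). This is not the KB's HTAwareMitigation script or anything from this thread; it is a PowerCLI audit that assumes the VMware.PowerCLI module is installed and uses placeholder vCenter and cluster names you would replace. It also projects how many threads per host would remain schedulable for vCPUs once the side-channel-aware scheduler is on, so capacity can be checked before the option is flipped.

```powershell
# Added example, not code from the thread or from VMware's HTAwareMitigation
# script: audit "step 3" (VMkernel.Boot.hyperthreadingMitigation) across a
# cluster with PowerCLI. $VCenter and $ClusterName are placeholders.
param(
    [string]$VCenter     = 'vcenter.example.local',   # placeholder
    [string]$ClusterName = 'Prod-Cluster'             # placeholder
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $VCenter | Out-Null

$report = foreach ($h in (Get-Cluster -Name $ClusterName | Get-VMHost)) {
    # The advanced option is absent on hosts that never got the esx-base patch.
    $opt = Get-AdvancedSetting -Entity $h -Name 'VMkernel.Boot.hyperthreadingMitigation' `
               -ErrorAction SilentlyContinue
    $enabled = if ($opt) { [System.Convert]::ToBoolean($opt.Value) } else { $false }

    $cpu = $h.ExtensionData.Hardware.CpuInfo
    # With the side-channel-aware scheduler on, vCPUs only run on one thread
    # per core, which is the "half the logical processors" effect.
    $schedulable = if ($enabled -and $h.HyperthreadingActive) { $cpu.NumCpuCores } else { $cpu.NumCpuThreads }

    [pscustomobject]@{
        Host          = $h.Name
        Build         = $h.Build
        HTActive      = $h.HyperthreadingActive
        OptionFound   = [bool]$opt
        Mitigated     = $enabled
        Cores         = $cpu.NumCpuCores
        Threads       = $cpu.NumCpuThreads
        SchedThreads  = $schedulable
        # A VM with more vCPUs than schedulable threads cannot be placed at all;
        # surface the largest VM so capacity is reviewed before enabling.
        LargestVMvCPU = ($h | Get-VM | Measure-Object -Property NumCpu -Maximum).Maximum
    }
}

$report | Format-Table -AutoSize

# Patched hosts with HT active and the option still false are the ones that
# raise the esx.problem.hyperthreading.unmitigated warning from this thread.
$report | Where-Object { $_.OptionFound -and $_.HTActive -and -not $_.Mitigated } |
    ForEach-Object { "$($_.Host): unmitigated; enabling would leave $($_.Cores) of $($_.Threads) threads for vCPUs" }

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

The script only reads; enabling the option (Set-AdvancedSetting followed by a host reboot) is deliberately left as a separate, planned change once the capacity numbers are acceptable.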
I don't understand. Then what was the patch update to 9298722 for?
I was vulnerable at 8935087.
What does going to 9298722 get me?
Should I stay at 8935087 instead?
ESXi650-201808401-BG (esx-base): https://kb.vmware.com/kb/56547
ESXi650-201808402-BG (microcode): https://kb.vmware.com/kb/56563
ESXi650-201808403-BG (esx-ui): https://kb.vmware.com/kb/56896
You have applied the first patch, which is for esx-base, and it seems you haven't applied the other two yet, whereas the CPU microcode is in the 2nd patch.
Updating to this patch is step 1 of the mitigation plan. The other two steps are dependent on this one. Below are the three mitigation steps from the KB shared above (VMware Knowledge Base):
Update Phase: Apply vSphere Updates and Patches
Planning Phase: Assess Your Environment
Scheduler-Enablement Phase: Enable the ESXi Side-Channel-Aware Scheduler
The host is susceptible to the L1TF (CVE-2018-3646) issue even on build 8935087.
Please consider marking this answer as "correct" or "helpful" if you think your questions have been answered.
Cheers,
Supreet
Looks like I have all the patches.
Did you see my previous reply?
André
Yes. Another question: after patching the host to the latest build and enabling the
ESXi Side-Channel-Aware Scheduler,
will my hosts really take a 30% hit in performance?
It actually depends on the current resource usage, which is why the KB article contains a script to analyze the current usage. Based on the results, you may consider what to do next.
André
Can you tell me where this PowerShell script download link is?
I am not seeing it.
It's on the right in the "Attachments" box (HTAwareMitigation-1.0.0.9.zip).
André
Yes, got it. Thanks André.
Seeing this as a report on one of my clusters.
Someone, let me ask for HTAwareMitigation-1.0.0.16.zip; I can't download it from: https://kb.vmware.com/s/article/56931
I recently turned on the side channel aware scheduler to be "security compliant". But the obvious change is that my total number of logical processors on the ESXi host is cut IN HALF.
I don't know how this is an acceptable solution or a workaround. Basically, if you buy a server for ESXi with an Intel chip, turning on the side channel aware scheduler disables hyperthreading. So that's where you lose half your logical processors.
Let me show you the math.
A 12-core Intel CPU server with ESXi installed would have 24 logical processors available for your VMs on that host.
INSTEAD, with the side channel aware scheduler turned on, the same example would mean you have 12 logical processors available on your host.
This directly affects your capacity and deployment, and obviously if you have a VM that uses more than the number of logical processors, you get a performance hit.
This directly affects shops that purchase Intel CPUs with lower core counts.
All the sales people don't explain this part; all they do is generalize the problem and say it depends on your workload.
That's BS, you lose HALF of your LOGICAL PROCESSORS, how about that.