Is there any increased security risk in running vmx7 VMs on ESXi6.0 than running version11?
Need to understand if I am just missing speed improvements or there are actual risks. I've read the VMware Knowledge Base but it doesn't mention whether you stop getting any patches to the VM hardware version of VMs.
There are differences in the maximums between hardware version 7 and 11 and more advanced hardware features.
https://kb.vmware.com/s/article/2051652
Apart from that, hardware version can act as a natural mask of CPU feature. For example, Haswell CPU instructions are available in version 11 (assuming the host CPU is Haswell or later and no EVC mask is applied) while they get masked out if the VM hardware compatibility is version 10 or earlier even if there is no EVC mask.
The ESXi Spectre patches require the VM to be set to version 9 or higher for the IBRS, STIBP, IBPB CPU patches to be available.
Performance mitigation against potential higher CPU usage due to Meltdown patch in the guest requires the INVPCID instruction (available in Haswell or newer).
So there is some risk in running lower hardware version (Spectre being one of them) and missing potential benefits in performance from newer CPU instructions.
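A quick way to confirm what the answer describes from inside a Linux guest is to look at the CPU flags the hypervisor actually exposes. The script below is an added example (not from the original answer or from VMware): it checks the `flags` line of `/proc/cpuinfo` for the Spectre controls (IBRS, IBPB, STIBP) and for INVPCID, and reports which are missing. The flag names are the ones mainline Linux prints (`ibrs`, `ibpb`, `stibp`, `invpcid`; some distro kernels print `spec_ctrl` instead of `ibrs`), and the two sample flag lines are constructed to stand in for a hardware-version-11 guest and an older one.

```shell
#!/bin/sh
# Constructed sample "flags" lines (not captured from real VMs):
# one resembling a hardware version 11 guest on a Haswell-or-newer host,
# one resembling an older hardware version where the newer bits are masked.
SAMPLE_HV11_FLAGS="fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat clflush mmx fxsr sse sse2 syscall nx lm pcid sse4_1 sse4_2 popcnt aes xsave avx hypervisor fsgsbase bmi1 avx2 smep bmi2 invpcid ibrs ibpb stibp"
SAMPLE_HV7_FLAGS="fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat clflush mmx fxsr sse sse2 syscall nx lm sse4_1 sse4_2 popcnt aes xsave avx hypervisor"

# Print the space-separated names of the required features that are NOT present
# in the given flags string (prints nothing when everything is there).
missing_spectre_flags() {
    flags=" $1 "
    missing=""
    # Each entry is LABEL:flag|alternative-flag; any alternative satisfies it.
    for need in "IBRS:ibrs|spec_ctrl" "IBPB:ibpb" "STIBP:stibp" "INVPCID:invpcid"; do
        label=${need%%:*}
        alts=$(printf '%s' "${need#*:}" | tr '|' ' ')
        found=0
        for f in $alts; do
            case "$flags" in *" $f "*) found=1 ;; esac
        done
        [ "$found" -eq 1 ] || missing="$missing $label"
    done
    printf '%s' "${missing# }"
}

# Return 0 when all required features are exposed, 1 otherwise, with a summary.
check_spectre_flags() {
    missing=$(missing_spectre_flags "$1")
    if [ -n "$missing" ]; then
        echo "guest is missing: $missing (raise the VM hardware version / check EVC)"
        return 1
    fi
    echo "guest sees IBRS, IBPB, STIBP and INVPCID"
    return 0
}

# Demonstrate on the constructed samples. On a real guest, feed the live line:
#   check_spectre_flags "$(grep -m1 '^flags' /proc/cpuinfo | cut -d: -f2)"
check_spectre_flags "$SAMPLE_HV11_FLAGS"
check_spectre_flags "$SAMPLE_HV7_FLAGS"
```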
Thanks!