VMware Cloud Community
tateconcepts
Contributor

Apple Mac Pro 6,1 no longer compatible with vSphere 6.5u1 (or previous releases) due to Security Updates

VMware Community and Team,

It appears that Apple has bricked the Mac Pro 6,1 recently, in that VMware vSphere 6.5u1 will no longer install properly (yes, I know of @lamw; no reply from him on whether anyone was recently successful). Upon installation, it seems that the usual nfs41client failure message appears, but as it completes, one is presented with a message that there are no network adapters present.

Oddly enough, I then went into the shell and ran dmesg and lspci; it appears that the BCM577xx series is indeed being presented to the hypervisor (including the same vendor and hardware ID for the Thunderbolt to Gigabit Ethernet adapter), but the driver for them is not. I did check the HCL, and what I found was a specific EFI or Boot ROM version that is much older than what is currently available today. After reading Duo Security's white paper "Apple of my EFI", it seems they have been unwilling or, more likely, less concerned with providing VMware as a partner any updates to your HCL regarding changes made at ring 2 that affect you at ring 1. I can only speculate that the amount of PR from that incident in September 2017 is the result of this. This update seems to be applied only if one has applied or does apply macOS 10.13 High Sierra, which permits this EFI to be presented as a security update. If it has been applied (as it has for the majority of the supply that exists today) by any previous owner or by the OEM (Apple, of course), then you will most certainly encounter a failure of installation.

I also tested this in the Apple Store on a display model which had 10.13, no less. It failed, of course, in the same manner. Please see here for my details to William Lam (Apple Communities have them too, but they are either too ignorant or, more likely, unconcerned with this issue): https://www.virtuallyghetto.com/2017/01/esxi-6-5-support-for-apple-mac-pro-61.html (I am the last of those comments, with the Boot ROM version).

Does anyone here have a Mac Pro 6,1 on which they can confirm this issue and provide the Boot ROM version listed (boot off macOS installed to an external disk to test, unless you just have one with High Sierra for giggles)?

*** IMPORTANT PRODUCT SECURITY NOTE ***

It is in Apple's best interest to perform this EFI firmware update, because if it is not present, I can pwn you permanently with a Thunderkit rootkit and you will be unable to get me out of your host. Apple no longer provides a known means to downgrade your EFI; however, I am aware that only productsecurity@apple.com can reapply the EFI if you become compromised. This is, and should be, a major concern for anyone running current versions or planning on running any type 1 and especially a type 2 hypervisor, because if I have ring 2 access, I have access to ESXi at ring 1 and all guests at ring 0. VMware team, please get in contact with the Apple product security and SE teams to obtain updated HCL information.

For all existing vSphere or ESXi customers running any version of VMware vSphere: it is likely you are vulnerable and therefore have risk. Therefore you either update your EFI and brick your system, or accept the risk and do nothing. Without proper auditing (logging) and accounting (reviewing the logs regularly), you would not notice that the exploit is present, nor would you even be able to remove it, except by running macOS 10.13, permitting the update and thereby bricking your system for vSphere/ESXi; obviously you will still be able to run macOS and a type 2 hypervisor.

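The symptom tateconcepts describes (the NIC is visible in lspci, but no driver claims it) is worth checking mechanically rather than by eye. Below is an added example, not code from the original post, VMware or Apple, that scans `lspci -nn -k` style output and prints every Ethernet-class device with no "Kernel driver in use" line. The sample output is constructed for illustration; the 14e4:1682 (BCM57762) ID is the one commonly reported for the Mac Pro 6,1 and the Thunderbolt adapter, but nothing here was captured from a real machine.

```shell
#!/bin/sh
# Added example: find PCI network devices the host can see but that no
# kernel driver has bound to. Input is assumed to be Linux `lspci -nn -k`
# output (ESXi's lspci prints a different layout; see the note below).

# Constructed sample, not captured from a real Mac Pro 6,1.
SAMPLE='00:1c.0 PCI bridge [0604]: Intel Corporation PCI Express Root Port [8086:8c10]
	Kernel driver in use: pcieport
0a:00.0 Ethernet controller [0200]: Broadcom Inc. and subsidiaries NetXtreme BCM57762 Gigabit Ethernet PCIe [14e4:1682]
	Subsystem: Apple Inc. Device [106b:00f6]
0b:00.0 Ethernet controller [0200]: Broadcom Inc. and subsidiaries NetXtreme BCM57762 Gigabit Ethernet PCIe [14e4:1682]
	Subsystem: Apple Inc. Device [106b:00f6]
0c:00.0 Ethernet controller [0200]: Intel Corporation 82574L Gigabit Network Connection [8086:10d3]
	Subsystem: Intel Corporation Gigabit CT Desktop Adapter [8086:a01f]
	Kernel driver in use: e1000e'

# Print "<slot> <vendor:device>" for every class-0200 (Ethernet controller)
# device whose block carries no "Kernel driver in use" line.
# Reads lspci output on stdin.
driverless_nics() {
    awk '
    function flush() {
        if (slot != "" && class == "0200" && driver == "")
            print slot " " ids
    }
    # A device header starts with the bus:dev.fn slot, e.g. "0a:00.0 ..."
    /^[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]\.[0-9a-f]/ {
        flush()
        slot = $1
        class = ""; driver = ""; ids = ""
        # Class code is the first bracketed 4-hex-digit token followed by ":"
        if (match($0, /\[[0-9a-f][0-9a-f][0-9a-f][0-9a-f]\]:/))
            class = substr($0, RSTART + 1, 4)
        # vendor:device is the last bracketed token on the header line
        n = split($0, parts, "[")
        ids = parts[n]
        sub(/\].*/, "", ids)
        next
    }
    /Kernel driver in use:/ { driver = $NF }
    END { flush() }
    '
}

# Run against the constructed sample; on a live Linux host use:
#   lspci -nn -k | driverless_nics
printf '%s\n' "$SAMPLE" | driverless_nics
# Expected: the two Broadcom slots, 0a:00.0 14e4:1682 and 0b:00.0 14e4:1682
```

The function assumes Linux lspci formatting. On ESXi the equivalent check is `esxcli hardware pci list` (each device shows a Module Name field, empty when nothing claimed it) cross-referenced with `esxcli network nic list`; on macOS, `system_profiler SPHardwareDataType` prints the Boot ROM Version to compare against the HCL entry tateconcepts mentions.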
1 Reply
vaxman
Contributor

> also tested this in the Apple Store on a display model which had 10.13 no less.

You tried what in a where?

Erm, Thunderstrike is really old (2015) and reportedly patched at 10.10.2 (2015). I think what you are referring to is Spectre/Meltdown (2017), which requires a microcode update to the Intel processor that is reportedly present in recent versions of the Mac OS X installer/updater (2017). It's definitely possible that microcode is destabilizing the ESXi 6.5U1 hypervisor. That would totally qualify as an edge case, given how the big-time operators at VMware disregard Apple (even after it became the most valuable company and brand in history), even firing Fusion staff (instead of increasing it). Combined with reported issues pertaining to the D300/500/700 pass-thru under ESXi, it's probably better to boot the Mac Pro 6,1 into Mac OS X and run VMware Fusion, the scriptable variant of it, or even jump ship to the (at this point) apparently better-supported Parallels (unless you use the higher-end features of vSphere).
