Oh I didn't know that - so when we apply latest BIOS patches (Dell R7xx servers) to take care of Meltdown/Spectre issue I know that we need to restart the hypervisors to perform the BIOS update.

But in addition to that, we also need to power cycle the VMs running in the cluster? We couldn't just migrate them off the host being firmware patched and then migrate them back?

Appreciate the detailed response, and noted to make sure VM hardware is version 11 - i suspect this goes without saying that VMware Tools should also be up to date? I'll give CPU-Z a shot; would be good to have a relatively easy method to check pre/post CPU features exposed to ensure VM by VM they are seeing latest changes.

I don't think VMware Tools have any direct relation to EVC levels but updating it should not hurt as there have been security fixes to the SVGA driver and fixes to the vmxnet3 driver made last year. You might want to go through the release notes of the VMware Tools that are newer than the version that you have so that you have clearer picture as to what fix(es) you are getting.

https://docs.vmware.com/en/VMware-Tools/10.2/rn/vmware-tools-1025-release-notes.html

It will be better to see the before and after EVC change by saving the vmware.log files of the VMs that you are interested in. For the Linux VMs, you could also use the /proc/cpuinfo as basis for comparison for the before and after EVC change. While CPU-Z utility is good at what it does and provide, once you see what is inside the vmware.log, you will see how little it presents in the "Instruction" section. If I am not mistaken, the "Instruction" section of CPU-Z is a small subset interpretation of CPUID leaf 1 and leaf 7 of Intel CPUs.

| vmx| I125: hostCPUID level 00000001, 0: 0x00040661 0x02100800 0x7ffafbbf 0xbfebfbff

| vmx| I125: hostCPUID level 00000007, 0: 0x00000000 0x000027ab 0x00000000 0x0c000000

For ESXi vmware.log there should also be guestCPUID section. For Fusion/Workstation vmware.log there is a guest vs. host CPUID (comparing the virtual CPU versus the host CPU) which is a line by line comparison.

This is an output of the Instruction of CPU-Z from a Windows 10 VM on a Crystal Well (Haswell) MacBook Pro laptop running on Fusion 8.5.10.

MMX, SSE, SSE2, SSE3, SSSE3, SSE4.1, SSE4.2, EM64T, AES, AVX, AVX2, FMA3

While this is the flags section of /proc/cpuinfo from a Linux VM on the same macOS Fusion host. The ones in bold blue are the same ones reported by CPU-Z. The EM64T just means it has support for 64-bit.

flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts nopl xtopology tsc_reliable nonstop_tsc aperfmperf eagerfpu pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm ida arat epb invpcid_single pln pts dtherm spec_ctrl stibp retpoline kaiser fsgsbase tsc_adjust bmi1 avx2 smep bmi2 invpcid xsaveopt

Almost all the flags in /proc/cpuinfo has a one-to-one equivalent in the Capability Found in the vmware.log. For the Spectre microcode, I think the spec_ctrl in the Linux VM cpuinfo flag is for ibpb and ibrs while stibp has its own flag.

We couldn't just migrate them off the host being firmware patched and then migrate them back?

Unfortunately not. A VM power cycle is required so that the new CPU features are presented to the VM. It's basically the same as with raising the EVC level.

See e.g. Step 3 "For each virtual machine, enable Hypervisor-Assisted Guest mitigation via the following steps:" at https://kb.vmware.com/s/article/52085​

André