The user guide 3.1 described how to mitigate the CVE-2018-3646 on page 104, which is setting up the ESXi host parameter "VMkernel.Boot.hyperthreadingMitigation" to "true".
I'm wondering, if I utilize vSphere 6.7U3 with VMmark 3.1 and wanna mitigate the CVE-2018-3646 correctly, should I also set the ESXi host parameter "VMkernel.Boot.hyperthreadingMitigationIntraVM" to "false"?
These two parameters are described in the VMware Knowledge Base, in which the ESXi Side-Channel-Aware Scheduler Version 2 (SCAv2) must be enabled to deal with the "Concurrent-context attack vector".
The user guide 3.1 p.104 only mentioned the configuration of "VMkernel.Boot.hyperthreadingMitigation". Does the config of "VMkernel.Boot.hyperthreadingMitigationIntraVM" impact the VMmark test's compliance?
thx
SCAv1 and SCAv2 both mitigate CVE-2018-3646; however, SCAv2 does not mitigate Intra-VM Concurrent-context attack vector process information leakage.
The User's Guide was published before SCAv2 was available, thus it does not contain any information about this new feature. At this time we accept submissions which use either solution for mitigation.
I suggest reviewing the whitepaper we published for a detailed analysis of the performance impact of both schedulers: Performance of vSphere 6.7 Scheduling Options
jamesz08, thanks for the professional answer and data!
So I think configuring the parameter "VMkernel.Boot.hyperthreadingMitigationIntraVM" to false is still required to enable the SCAv2.
By the way, does setting up this parameter involve editing the "Security Mitigations Section of Disclosure Report" (for publication)?
thanks in advance~!
Correct, to use SCAv2 you would set the following
HyperthreadingMitigation = TRUE
HyperthreadingMitigationIntraVM = FALSE
The Security Mitigations table in the disclosure report only needs to indicate the vulnerability is mitigated; it does not require an indication of how it was mitigated.
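
The settings discussed in this thread, as an added audit sketch (not posted by any participant and not VMware code): it maps the two parameter values to a scheduler mode and flags hosts where the configured value is not yet the running one. Only the TRUE/FALSE = SCAv2 row comes from the thread; the SCAv1 row (both TRUE), treating mitigation FALSE as the default scheduler, the reboot requirement for boot options, and the host names and values are assumptions or constructed sample data.

```sh
#!/bin/sh
# Added example (not from the thread). Host names and values below are
# constructed sample data; on a real host they would come from the two
# VMkernel.Boot.* advanced settings (configured value vs. running value).

# scheduler_mode MITIGATION INTRAVM -> SCAv1 | SCAv2 | default | unknown
# TRUE/FALSE = SCAv2 is stated in the thread; the other rows are assumed.
scheduler_mode() {
    pair=$(printf '%s/%s' "$1" "$2" | tr '[:lower:]' '[:upper:]')
    case "$pair" in
        TRUE/TRUE)   echo SCAv1 ;;
        TRUE/FALSE)  echo SCAv2 ;;
        FALSE/TRUE|FALSE/FALSE) echo default ;;
        *)           echo unknown ;;
    esac
}

# audit_host NAME CFG_MIT CFG_INTRA RUN_MIT RUN_INTRA
# Prints: NAME <running mode> <status>
audit_host() {
    cfg=$(scheduler_mode "$2" "$3")
    run=$(scheduler_mode "$4" "$5")
    if [ "$cfg" = unknown ] || [ "$run" = unknown ]; then
        status=invalid-value
    elif [ "$cfg" != "$run" ]; then
        status="reboot-pending:$cfg"      # boot option set but not yet active
    elif [ "$run" = default ]; then
        status=CVE-2018-3646-unmitigated
    elif [ "$run" = SCAv2 ]; then
        status=mitigated-intra-VM-uncovered   # per the reply above
    else
        status=mitigated
    fi
    echo "$1 $run $status"
}

# audit_inventory: reads "name cfg_mit cfg_intra run_mit run_intra" lines
audit_inventory() {
    while read -r name cmit cintra rmit rintra; do
        [ -n "$name" ] && audit_host "$name" "$cmit" "$cintra" "$rmit" "$rintra"
    done
    return 0
}

audit_inventory <<'EOF'
esx-a TRUE FALSE TRUE FALSE
esx-b TRUE TRUE TRUE TRUE
esx-c TRUE FALSE FALSE TRUE
esx-d false true false true
EOF
```
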