Hi,
I just installed ESX 6.7 in my homelab.
I have an E3-1230V2 and a Supermicro X9SCM-F (SM doesn't provide a new BIOS with updated microcodes).
I verified that I have the microcode version listed in KB 52085:
[root@xxxx:/vsish -e cat /hardware/cpu/cpuList/0 | grep "Current Revision:"
Current Revision:0x0000001f
I manually verified in vmware.log of some VMs that the new CPU features are NOT listed.
Inside a Windows VM I ran Get-SpeculationControlSettings and it showed the VM to be vulnerable.
VM hardware version is upgraded to 14 and I restarted the Host and VMs multiple times.
What am I missing?
Please attach the vmware.log for one of the affected VM's to a reply post.
In addition to this post the guest operating system's "Get-SpeculationControlSettings" output.
Add details about the guest OS, i.e. version, edition, patch level.
You may also want to read https://support.microsoft.com/en-hk/help/4072698/windows-server-guidance-to-protect-against-the-spec... for how to enable protection on a server.
André
Hello Andre,
OS is 2012 R2 with all patches including the recent patchday from Windows Update.
The ESX host was once member of a cluster with EVC enabled but is now a standalone host with free license (I don't know if that matters because of CPU Capabilities masking from EVC).
The host was updated from 6.5 to 6.7. Unfortunately I didn't check if it worked under 6.5.
Here is the log and the output of Get-SpeculationControlSettings:
PS C:\Users\XXX\Desktop> Get-SpeculationControlSettings
Speculation control settings for CVE-2017-5715 [branch target injection]
For more information about the output below, please refer to https://support.microsoft.com/en-in/help/4074629
Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: False
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID performance optimization is enabled: False [not required for security]
Suggested actions
* Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.
BTIHardwarePresent : False
BTIWindowsSupportPresent : True
BTIWindowsSupportEnabled : False
BTIDisabledBySystemPolicy : False
BTIDisabledByNoHardwareSupport : True
KVAShadowRequired : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : True
KVAShadowPcidEnabled : False
The Spectre microcode is present
2018-05-10T14:01:11.634Z| vmx| I125: hostCPUID level 00000007, 0: 0x00000000 0x00000281 0x00000000 0x0c000000
You could remove the masks from /etc/vmware/config since it is already a standalone. So remove the featureCompat.evc.* and featMask.evc.* lines.
2018-05-10T14:01:11.668Z| vmx| I125: DICT featureCompat.evc.completeMasks = "TRUE"
2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.Intel = "Val:1"
2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.FAMILY = "Val:6"
2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.MODEL = "Val:0x3a"
2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.STEPPING = "Val:0"
2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.NUMLEVELS = "Val:0xd"
2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.NUM_EXT_LEVELS = "Val:0x80000008"
2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.CMPXCHG16B = "Val:1"
2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.DS = "Val:1"
2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.LAHF64 = "Val:1"
2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.LM = "Val:1"
2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.MWAIT = "Val:1"
2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.NX = "Val:1"
2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.SS = "Val:1"
2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.SSE3 = "Val:1"
2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.SSSE3 = "Val:1"
2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.SSE41 = "Val:1"
2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.POPCNT = "Val:1"
2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.RDTSCP = "Val:1"
2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.SSE42 = "Val:1"
2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.VMX = "Val:1"
2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.hv.capable = "Val:1"
2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.AES = "Val:1"
2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.PCLMULQDQ = "Val:1"
2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.vt.realmode = "Val:1"
2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.AVX = "Val:1"
2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.PCID = "Val:1"
2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.XCR0_MASTER_SSE = "Val:1"
2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.XCR0_MASTER_YMM_H = "Val:1"
2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.XSAVE = "Val:1"
2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.ENFSTRG = "Val:1"
2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.F16C = "Val:1"
2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.FSGSBASE = "Val:1"
2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.RDRAND = "Val:1"
2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.SMEP = "Val:1"
2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.misc.cpuidFaulting = "Val:1"
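The diagnosis above rests on two facts in vmware.log: the `hostCPUID level 00000007` line shows the host CPU advertising the microcode-added mitigation bits in EDX (0x0c000000 sets bit 26, IBRS/IBPB, and bit 27, STIBP), while the `featMask.evc.*` lines describe a leftover EVC baseline (Ivy Bridge, model 0x3a) that predates those bits, so the guest's CPUID never shows them and Windows reports BTIHardwarePresent False. The script below is an added example, not code from the thread or from VMware; it decodes the leaf 7 EDX bits from a host CPUID line and checks whether a complete EVC mask that lacks the mitigation features is in effect. The CPUID bit positions are from Intel's documentation; the mask key names `featMask.evc.cpuid.IBRS`, `.IBPB` and `.STIBP` are an assumption about how a newer EVC baseline would name them and do not appear on the page. The sample log lines are constructed from the ones posted above.

```python
"""Decode Spectre mitigation CPUID bits from ESXi vmware.log lines and flag
an EVC mask baseline that would hide them from the guest."""
import re

# CPUID.(EAX=7,ECX=0):EDX bits added by the Spectre/Meltdown microcode updates.
LEAF7_EDX_BITS = {
    26: "IBRS/IBPB",
    27: "STIBP",
    28: "L1D_FLUSH",
    29: "IA32_ARCH_CAPABILITIES",
    31: "SSBD",
}

# Assumed VMware feature-mask keys for the same features (not taken from the page).
SPECTRE_MASK_KEYS = (
    "featMask.evc.cpuid.IBRS",
    "featMask.evc.cpuid.IBPB",
    "featMask.evc.cpuid.STIBP",
)

# vmware.log prints host CPUID as: hostCPUID level <leaf>, <subleaf>: EAX EBX ECX EDX
HOST_CPUID_RE = re.compile(
    r"hostCPUID level ([0-9a-fA-F]{8}), (\d+): "
    r"0x([0-9a-fA-F]{8}) 0x([0-9a-fA-F]{8}) 0x([0-9a-fA-F]{8}) 0x([0-9a-fA-F]{8})"
)
EVC_RE = re.compile(r'DICT ((?:featMask|featureCompat)\.evc\.\S+) = "([^"]*)"')


def host_leaf7_edx_features(lines):
    """Return the set of mitigation features the host advertises in leaf 7, subleaf 0, EDX."""
    for line in lines:
        m = HOST_CPUID_RE.search(line)
        if m and int(m.group(1), 16) == 7 and int(m.group(2)) == 0:
            edx = int(m.group(6), 16)
            return {name for bit, name in LEAF7_EDX_BITS.items() if (edx >> bit) & 1}
    return set()


def evc_masks(lines):
    """Return every EVC mask key/value pair recorded in the log."""
    masks = {}
    for line in lines:
        m = EVC_RE.search(line)
        if m:
            masks[m.group(1)] = m.group(2)
    return masks


def diagnose(lines):
    """Combine host CPUID and EVC mask evidence into a verdict a defender can act on."""
    host = host_leaf7_edx_features(lines)
    masks = evc_masks(lines)
    complete = masks.get("featureCompat.evc.completeMasks", "").upper() == "TRUE"
    host_has_spectre = {"IBRS/IBPB", "STIBP"} <= host
    baseline_has_spectre = any(k in masks for k in SPECTRE_MASK_KEYS)
    masked = host_has_spectre and complete and not baseline_has_spectre
    if not host_has_spectre:
        verdict = "host CPU does not expose IBRS/IBPB/STIBP: BIOS or microcode update still missing"
    elif masked:
        verdict = ("host exposes the bits, but a complete EVC mask without them is applied: "
                   "the guest will not see them until the masks are removed or the EVC baseline is raised")
    else:
        verdict = "host exposes the bits and no EVC mask hides them"
    return {
        "host_features": sorted(host),
        "evc_complete_masks": complete,
        "masked_by_evc": masked,
        "verdict": verdict,
    }


# Constructed sample, modelled on the lines posted in this thread.
SAMPLE_LOG = [
    "2018-05-10T14:01:11.634Z| vmx| I125: hostCPUID level 00000007, 0: 0x00000000 0x00000281 0x00000000 0x0c000000",
    '2018-05-10T14:01:11.668Z| vmx| I125: DICT featureCompat.evc.completeMasks = "TRUE"',
    '2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.Intel = "Val:1"',
    '2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.FAMILY = "Val:6"',
    '2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.MODEL = "Val:0x3a"',
    '2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.SMEP = "Val:1"',
]

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real vmware.log with `diagnose(open(path).read().splitlines())`. The same check explains the Get-SpeculationControlSettings output in the thread: "Hardware support for branch target injection mitigation is present: False" is the guest's view of exactly the CPUID bits that the EVC mask strips, so the fix lives on the host (remove the stale masks, or set an EVC mode that includes the features), not in the guest.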
Hi bluefirestorm,
as suggested I removed the lines from /etc/vmware/config and now it's working.
Thank you!