VMware Cloud Community
BenjaminK82
Enthusiast

ESX 6.7 Spectre and Meltdown

Hi,

I just installed ESX 6.7 in my homelab.

I have an E3-1230V2 and a Supermicro X9SCM-F (SM doesn't provide a new BIOS with updated microcodes).

I verified that I have the microcode version listed in KB 52085:

[root@xxxx:/vsish -e cat /hardware/cpu/cpuList/0 | grep "Current Revision:"

Current Revision:0x0000001f


I manually verified in vmware.log of some VMs that the new CPU features are NOT listed.


Inside a Windows VM I ran Get-SpeculationControlSettings and it showed the VM to be vulnerable.

VM hardware version is upgraded to 14 and I restarted the Host and VMs multiple times.

What am I missing?



4 Replies
a_p_
Leadership

Please attach the vmware.log for one of the affected VMs to a reply post.

In addition to this, post the guest operating system's "Get-SpeculationControlSettings" output.

Add details about the guest OS, i.e. version, edition, patch level.

You may also want to read https://support.microsoft.com/en-hk/help/4072698/windows-server-guidance-to-protect-against-the-spec... for how to enable protection on a server.

André

BenjaminK82
Enthusiast

Hello Andre,

OS is 2012 R2 with all patches including the recent patchday from Windows Update.

The ESX host was once member of a cluster with EVC enabled but is now a standalone host with free license (I don't know if that matters because of CPU Capabilities masking from EVC).

The host was updated from 6.5 to 6.7. Unfortunately I didn't check if it worked under 6.5.

Here is the log and the output of Get-SpeculationControlSettings:

PS C:\Users\XXX\Desktop> Get-SpeculationControlSettings

Speculation control settings for CVE-2017-5715 [branch target injection]

For more information about the output below, please refer to https://support.microsoft.com/en-in/help/4074629

Hardware support for branch target injection mitigation is present: False

Windows OS support for branch target injection mitigation is present: True

Windows OS support for branch target injection mitigation is enabled: False

Windows OS support for branch target injection mitigation is disabled by system policy: False

Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: True

Windows OS support for kernel VA shadow is present: True

Windows OS support for kernel VA shadow is enabled: True

Windows OS support for PCID performance optimization is enabled: False [not required for security]

Suggested actions

* Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.

BTIHardwarePresent             : False

BTIWindowsSupportPresent       : True

BTIWindowsSupportEnabled       : False

BTIDisabledBySystemPolicy      : False

BTIDisabledByNoHardwareSupport : True

KVAShadowRequired              : True

KVAShadowWindowsSupportPresent : True

KVAShadowWindowsSupportEnabled : True

KVAShadowPcidEnabled           : False

bluefirestorm
Champion

The Spectre microcode is present

2018-05-10T14:01:11.634Z| vmx| I125: hostCPUID level 00000007, 0: 0x00000000 0x00000281 0x00000000 0x0c000000

You could remove the masks from /etc/vmware/config since it is already a standalone. So remove the featureCompat.evc.* and featMask.evc.* lines.

2018-05-10T14:01:11.668Z| vmx| I125: DICT featureCompat.evc.completeMasks = "TRUE"

2018-05-10T14:01:11.668Z| vmx| I125: DICT  featMask.evc.cpuid.Intel = "Val:1"

2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.FAMILY = "Val:6"

2018-05-10T14:01:11.668Z| vmx| I125: DICT  featMask.evc.cpuid.MODEL = "Val:0x3a"

2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.STEPPING = "Val:0"

2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.NUMLEVELS = "Val:0xd"

2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.NUM_EXT_LEVELS = "Val:0x80000008"

2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.CMPXCHG16B = "Val:1"

2018-05-10T14:01:11.668Z| vmx| I125: DICT     featMask.evc.cpuid.DS = "Val:1"

2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.LAHF64 = "Val:1"

2018-05-10T14:01:11.668Z| vmx| I125: DICT     featMask.evc.cpuid.LM = "Val:1"

2018-05-10T14:01:11.668Z| vmx| I125: DICT  featMask.evc.cpuid.MWAIT = "Val:1"

2018-05-10T14:01:11.668Z| vmx| I125: DICT     featMask.evc.cpuid.NX = "Val:1"

2018-05-10T14:01:11.668Z| vmx| I125: DICT     featMask.evc.cpuid.SS = "Val:1"

2018-05-10T14:01:11.668Z| vmx| I125: DICT   featMask.evc.cpuid.SSE3 = "Val:1"

2018-05-10T14:01:11.668Z| vmx| I125: DICT  featMask.evc.cpuid.SSSE3 = "Val:1"

2018-05-10T14:01:11.668Z| vmx| I125: DICT  featMask.evc.cpuid.SSE41 = "Val:1"

2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.POPCNT = "Val:1"

2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.RDTSCP = "Val:1"

2018-05-10T14:01:11.668Z| vmx| I125: DICT  featMask.evc.cpuid.SSE42 = "Val:1"

2018-05-10T14:01:11.668Z| vmx| I125: DICT    featMask.evc.cpuid.VMX = "Val:1"

2018-05-10T14:01:11.668Z| vmx| I125: DICT   featMask.evc.hv.capable = "Val:1"

2018-05-10T14:01:11.668Z| vmx| I125: DICT    featMask.evc.cpuid.AES = "Val:1"

2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.PCLMULQDQ = "Val:1"

2018-05-10T14:01:11.668Z| vmx| I125: DICT  featMask.evc.vt.realmode = "Val:1"

2018-05-10T14:01:11.668Z| vmx| I125: DICT    featMask.evc.cpuid.AVX = "Val:1"

2018-05-10T14:01:11.668Z| vmx| I125: DICT   featMask.evc.cpuid.PCID = "Val:1"

2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.XCR0_MASTER_SSE = "Val:1"

2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.XCR0_MASTER_YMM_H = "Val:1"

2018-05-10T14:01:11.668Z| vmx| I125: DICT  featMask.evc.cpuid.XSAVE = "Val:1"

2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.ENFSTRG = "Val:1"

2018-05-10T14:01:11.668Z| vmx| I125: DICT   featMask.evc.cpuid.F16C = "Val:1"

2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.FSGSBASE = "Val:1"

2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.cpuid.RDRAND = "Val:1"

2018-05-10T14:01:11.668Z| vmx| I125: DICT   featMask.evc.cpuid.SMEP = "Val:1"

2018-05-10T14:01:11.668Z| vmx| I125: DICT featMask.evc.misc.cpuidFaulting = "Val:1"
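As an added illustration (not code from this thread or from VMware), a small Python checker that pulls the two facts the answer above relies on out of a vmware.log: the host's CPUID leaf 7 sub-leaf 0 EDX bits (bit 26 IBRS/IBPB and bit 27 STIBP, which is what 0x0c000000 sets) and any host-wide featMask.evc.* / featureCompat.evc.* entries that EVC left behind in /etc/vmware/config. The sample log lines are constructed from the ones quoted in the thread, and the bit names are taken from Intel's CPUID documentation; whether the guest actually sees the bits still has to be confirmed inside the VM.

```python
import re

# Constructed sample of the two kinds of vmware.log lines quoted in the thread
# (one hostCPUID line and a few of the EVC DICT lines).
SAMPLE_LOG = """\
2018-05-10T14:01:11.634Z| vmx| I125: hostCPUID level 00000007, 0: 0x00000000 0x00000281 0x00000000 0x0c000000
2018-05-10T14:01:11.668Z| vmx| I125: DICT featureCompat.evc.completeMasks = "TRUE"
2018-05-10T14:01:11.668Z| vmx| I125: DICT  featMask.evc.cpuid.MODEL = "Val:0x3a"
2018-05-10T14:01:11.668Z| vmx| I125: DICT   featMask.evc.cpuid.SMEP = "Val:1"
"""

# CPUID leaf 7 sub-leaf 0, EDX: the bits Intel's Spectre microcode adds.
LEAF7_EDX_BITS = {26: "IBRS/IBPB", 27: "STIBP", 28: "L1D_FLUSH",
                  29: "IA32_ARCH_CAPABILITIES", 31: "SSBD"}

CPUID_RE = re.compile(r"hostCPUID level ([0-9a-fA-F]+), (\d+): "
                      r"0x([0-9a-fA-F]+) 0x([0-9a-fA-F]+) 0x([0-9a-fA-F]+) 0x([0-9a-fA-F]+)")
# Host-wide EVC masks are read from /etc/vmware/config and echoed as DICT lines.
MASK_RE = re.compile(r'DICT\s+((?:featMask|featureCompat)\.evc\.\S+)\s*=\s*"([^"]*)"')

def decode_leaf7_edx(edx):
    """Names of the Spectre-related leaf-7 EDX bits set in the given register value."""
    return [name for bit, name in sorted(LEAF7_EDX_BITS.items()) if (edx >> bit) & 1]

def analyze_vmware_log(text):
    """Collect the host's leaf-7 EDX features and any EVC mask entries from a log."""
    result = {"host_features": None, "evc_masks": {}}
    for line in text.splitlines():
        m = CPUID_RE.search(line)
        if m and int(m.group(1), 16) == 7 and int(m.group(2)) == 0:
            edx = int(m.group(6), 16)   # register order in the log: EAX EBX ECX EDX
            result["host_features"] = decode_leaf7_edx(edx)
            continue
        m = MASK_RE.search(line)
        if m:
            result["evc_masks"][m.group(1)] = m.group(2)
    return result

def verdict(result):
    """One-line diagnosis; the guest's own view must still be checked inside the VM."""
    feats = result["host_features"]
    if not feats:
        return "host CPUID leaf 7 shows no Spectre bits: BIOS or ESXi microcode update needed"
    if result["evc_masks"]:
        return ("EVC masks still applied (%d entries) although the host offers %s: "
                "on a standalone host remove them from /etc/vmware/config"
                % (len(result["evc_masks"]), ", ".join(feats)))
    return "host offers %s and no host-wide EVC masks are applied" % ", ".join(feats)

if __name__ == "__main__":
    print(verdict(analyze_vmware_log(SAMPLE_LOG)))
```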

BenjaminK82
Enthusiast

Hi bluefirestorm,

As suggested, I removed the lines from /etc/vmware/config and now it's working.

Thank you!
