gazjay2093103
Contributor

VM Hardware version support


Is there any increased security risk in running vmx7 VMs on ESXi 6.0 compared to running version 11?

Need to understand if I am just missing speed improvements or there are actual risks. I've read the VMware Knowledge Base but it doesn't mention if you stop getting any patches to the VM Hardware version of VMs.


Accepted Solutions
bluefirestorm
Virtuoso

There are differences in the maximums between hardware version 7 and 11 and more advanced hardware features.

https://kb.vmware.com/s/article/2051652

Apart from that, the hardware version can act as a natural mask of CPU features. For example, Haswell CPU instructions are available in version 11 (assuming the host CPU is Haswell or later and no EVC mask is applied), while they get masked out if the VM hardware compatibility is version 10 or earlier, even if there is no EVC mask.

The ESXi Spectre patch requires the VM to be set to version 9 or higher for the IBRS, STIBP, IBPB CPU patches to be available.

Performance mitigation against potential higher CPU usage due to Meltdown patch in the guest requires the INVPCID instruction (available in Haswell or newer).

So there is some risk in running a lower hardware version (Spectre being one of them) and missing potential benefits in performance from newer CPU instructions.

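As an added example (not part of the thread), a guest-side check of the point made above: run inside a Linux VM, it reports which of the Spectre control features (IBRS, STIBP, IBPB) and the INVPCID instruction are actually visible to the guest, so a masked feature from a too-low hardware version shows up as missing. The /proc/cpuinfo flag spellings are assumed from the Linux kernel's naming, and both cpuinfo samples are constructed, not captured from a real host.

```python
"""Guest-side check of CPU features the VM hardware version may mask.

Assumes Linux /proc/cpuinfo flag names (ibrs/spec_ctrl, stibp/intel_stibp,
ibpb, invpcid). The two sample cpuinfo texts below are constructed examples.
"""
import re
from pathlib import Path

# Feature groups tied to the hardware version in the answer above.
# Each feature may appear under more than one flag spelling (assumed names).
FEATURE_GROUPS = {
    "spectre_v2_controls": {
        "ibrs": {"ibrs", "spec_ctrl"},
        "stibp": {"stibp", "intel_stibp"},
        "ibpb": {"ibpb"},
    },
    "meltdown_pti_perf": {"invpcid": {"invpcid"}},
}


def parse_flags(cpuinfo_text):
    """Return the flag set from the first 'flags' line of /proc/cpuinfo text."""
    m = re.search(r"^flags\s*:\s*(.*)$", cpuinfo_text, re.MULTILINE)
    return set(m.group(1).split()) if m else set()


def check_cpuinfo(cpuinfo_text):
    """Map each expected feature to True/False: is any of its spellings exposed?"""
    flags = parse_flags(cpuinfo_text)
    return {group: {name: bool(spellings & flags) for name, spellings in feats.items()}
            for group, feats in FEATURE_GROUPS.items()}


def missing_features(cpuinfo_text):
    """Sorted list of features the guest cannot see (e.g. masked by the HW version)."""
    report = check_cpuinfo(cpuinfo_text)
    return sorted(n for feats in report.values() for n, ok in feats.items() if not ok)


# Constructed samples: an older-hardware-version guest vs. a version 11 guest
# on a Haswell-or-newer host with the Spectre patches applied.
OLD_HW_SAMPLE = "processor : 0\nmodel name : Intel(R) Xeon(R) CPU\n" \
                "flags : fpu vme sse sse2 ssse3 sse4_1 sse4_2 avx\n"
NEW_HW_SAMPLE = "processor : 0\nmodel name : Intel(R) Xeon(R) CPU\n" \
                "flags : fpu vme sse sse2 avx avx2 invpcid spec_ctrl intel_stibp ibrs ibpb stibp\n"

if __name__ == "__main__":
    path = Path("/proc/cpuinfo")  # fall back to the constructed sample off-Linux
    text = path.read_text() if path.exists() else NEW_HW_SAMPLE
    print("missing features:", missing_features(text) or "none")
```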

2 Replies

gazjay2093103
Contributor

Thanks!
