2 Replies Latest reply on Jan 24, 2019 9:50 AM by gazjay2093103

    VM Hardware version support

    gazjay2093103 Lurker

      Is there any increased security risk in running vmx7 VMs on ESXi 6.0 than running version 11?

       

      Need to understand if I am just missing speed improvements or there are actual risks. I've read VMware Knowledge Base but it doesn't mention if you stop getting any patches to the VM Hardware version of VMs.

        • 1. Re: VM Hardware version support
          bluefirestorm Master

          There are differences in the maximums between hardware version 7 and 11 and more advanced hardware features.

          https://kb.vmware.com/s/article/2051652

           

          Apart from that, hardware version can act as a natural mask of CPU features. For example, Haswell CPU instructions are available in version 11 (assuming the host CPU is Haswell or later and no EVC mask is applied) while they get masked out if the VM hardware compatibility is version 10 or earlier even if there is no EVC mask.

           

          The ESXi Spectre patch requires the VM to be set to version 9 or higher for the IBRS, STIBP, IBPB CPU patches to be available.

           

          Performance mitigation against potential higher CPU usage due to Meltdown patch in the guest requires the INVPCID instruction (available in Haswell or newer).

           

          So there is some risk in running a lower hardware version (Spectre being one of them) and missing potential benefits in performance from newer CPU instructions.
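
The thresholds in the reply above can be checked per VM by reading `virtualHW.version` from each `.vmx` file; the following is an added example, not part of the original thread or VMware's own tooling. The function names and sample `.vmx` contents are constructed for illustration, and the check covers only the hardware version, not the host CPU or EVC mask that the reply also mentions.

```python
import re

# Thresholds as stated in the reply above.
SPECTRE_MIN_HW = 9    # IBRS, STIBP, IBPB available to the guest at version 9 or higher
HASWELL_MIN_HW = 11   # Haswell instructions (INVPCID among them) masked at version 10 or earlier

# Matches an active (not commented-out) virtualHW.version line in .vmx text.
_HW_RE = re.compile(r'^\s*virtualHW\.version\s*=\s*"(\d+)"\s*$',
                    re.IGNORECASE | re.MULTILINE)

def hardware_version(vmx_text):
    """Return the virtual hardware version from .vmx text, or None if absent."""
    match = _HW_RE.search(vmx_text)
    return int(match.group(1)) if match else None

def audit(vmx_text):
    """Return a list of findings for one VM; an empty list means neither threshold is missed."""
    hw = hardware_version(vmx_text)
    if hw is None:
        return ["virtualHW.version not found; cannot assess"]
    findings = []
    if hw < SPECTRE_MIN_HW:
        findings.append(f"version {hw} < {SPECTRE_MIN_HW}: "
                        "IBRS/STIBP/IBPB not available to the guest")
    if hw < HASWELL_MIN_HW:
        findings.append(f"version {hw} < {HASWELL_MIN_HW}: "
                        "Haswell instructions such as INVPCID are masked")
    return findings

# Constructed sample .vmx contents (hypothetical VM names).
SAMPLES = {
    "legacy-app": 'config.version = "8"\nvirtualHW.version = "7"\nguestOS = "winnetenterprise"\n',
    "web01": '#virtualHW.version = "11"\nvirtualHW.version = "10"\n',
    "db01": 'virtualHW.version = "11"\nnumvcpus = "4"\n',
    "broken": 'displayName = "broken"\n',
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        results = audit(text)
        print(name, "->", results if results else "OK")
```
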