
Hypervisor-Assisted Guest Mitigation for Branch Target injection (52085)

Update: The Hypervisor-Assisted Guest Mitigation process described in KB 55111 is cumulative and will also mitigate the issues described in this article.

Recent microcode updates by Intel and AMD provide hardware support for branch target injection mitigation (Spectre v2). In order to use this new hardware feature within virtual machines, Hypervisor-Assisted Guest Mitigation must be enabled.

This document will focus on Hypervisor-Assisted Guest Mitigation as it pertains to vSphere. Please review KB52245: VMware Response to Speculative Execution security issues, CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 (aka Spectre and Meltdown) for a complete view on VMware’s response to these issues.

See VMware Security Advisory VMSA-2018-0004.3 for the VMware provided patches related to this KB.

Patching the VMware vSphere hypervisor and updating the CPU microcode (which the vSphere patches will do for the processors described in the table below) will allow guest operating systems to use hardware support for branch target mitigation.
 
To enable hardware support for branch target mitigation in vSphere, apply these steps, in the order shown:

Note: Ensure vCenter Server is updated first; for more information, see the vMotion and EVC Information section.

  1. Upgrade to one of the following versions of vCenter 5.5 – 6.5:
Important: Please review the release notes for vCenter as there are new items listed in the ‘known issues’ section.
  2. Apply both of the following ESXi patches. Note: these can both be applied at once so that only one reboot of the host is required:
  • ESXi 6.5: ESXi650-201803401-BG* and ESXi650-201803402-BG**
  • ESXi 6.0: ESXi600-201803401-BG* and ESXi600-201803402-BG**
  • ESXi 5.5: ESXi550-201803401-BG* and ESXi550-201803402-BG**
* These ESXi patches provide the framework to allow guest OSes to utilize the new speculative-execution control mechanisms. These patches do not contain microcode.

** These ESXi patches apply the microcode updates listed in the Table below. These patches do not contain the aforementioned framework.

Table 1 lists the Intel and AMD processors for which microcode updates were included in the ESXi patches ESXi650-201803402-BG, ESXi600-201803402-BG, and ESXi550-201803402-BG. Please contact your hardware vendor to determine if BIOS/firmware updates are recommended, as there may be additional improvements included with those updates. Microcode updates are necessary for ESXi to provide the new speculative-execution control mechanisms for guest VMs to mitigate CVE-2017-5715. VMware has included microcode updates in the aforementioned ESXi patches to simplify deployment processes and minimize downtime.


Table 1. Processors with microcode updates included in the ESXi patches

Vendor | Code Name        | FMS      | Plt ID | MCU Rev   | VMware VCG Name
------ | ---------------- | -------- | ------ | --------- | ---------------
Intel  | Sandy Bridge DT  | 0x206a7  | 12     | 0x2d      | Intel Xeon E3-1100 Series; Intel Xeon E3-1200 Series; Intel i7-2655-LE Series; Intel i3-2100 Series
Intel  | Sandy Bridge EP  | 0x206d7  | 6d     | 0x713     | Intel Xeon E5-1400 Series; Intel Xeon E5-1600 Series; Intel Xeon E5-2400 Series; Intel Xeon E5-2600 Series; Intel Xeon E5-4600 Series; Intel Pentium 1400 Series
Intel  | Ivy Bridge DT    | 0x306a9  | 12     | 0x1f      | Intel Xeon E3-1100-C-v2 Series; Intel Xeon E3-1200-v2 Series; Intel i3-3200 Series; Intel i7-3500-LE/UE; Intel i7-3600-QE; Intel Pentium B925C
Intel  | Ivy Bridge EP    | 0x306e4  | ed     | 0x42c     | Intel Xeon E5-4600-v2 Series; Intel Xeon E5-2400-v2 Series; Intel Xeon E5-2600-v2 Series; Intel Xeon E5-1400-v2 Series; Intel Xeon E5-2600-v2 Series
Intel  | Ivy Bridge EX    | 0x306e7  | ed     | 0x713     | Intel Xeon E7-8800/4800/2800-v2 Series
Intel  | Haswell DT       | 0x306c3  | 32     | 0x24      | Intel Xeon E3-1200-v3 Series; Intel i7-4700 EQ Series; Intel i3-4300 Series; Intel i5-4500-TE Series
Intel  | Haswell EP       | 0x306f2  | 6f     | 0x3c      | Intel Xeon E5-2400-v3 Series; Intel Xeon E5-1400-v3 Series; Intel Xeon E5-1600-v3 Series; Intel Xeon E5-2600-v3 Series; Intel Xeon E5-4600-v3 Series
Intel  | Haswell EX       | 0x306f4  | 80     | 0x11      | Intel Xeon E7-8800/4800-v3 Series
Intel  | Broadwell H      | 0x40671  | 22     | 0x1d      | Intel Xeon E3-1200-v4 Series; Intel Core i7-5700EQ
Intel  | Broadwell EP/EX  | 0x406f1  | ef     | 0xb00002a | Intel Xeon E7-8800/4800-v4 Series; Intel Xeon E5-4600-v4 Series; Intel Xeon E5-2600-v4 Series; Intel Xeon E5-1600-v4 Series
Intel  | Broadwell DE     | 0x50662  | 10     | 0x15      | Intel Xeon D-1500 Series
Intel  | Broadwell DE     | 0x50663  | 10     | 0x7000012 | Intel Xeon D-1500 Series
Intel  | Broadwell DE     | 0x50664  | 10     | 0xf000011 | Intel Xeon D-1500 Series
Intel  | Broadwell NS     | 0x50665  | 10     | 0xe000009 | Intel Xeon D-1500 Series
Intel  | Skylake H/S      | 0x506e3  | 36     | 0xc2      | Intel Xeon E3-1500-v5 Series; Intel Xeon E3-1200-v5 Series
Intel  | Skylake SP       | 0x50654  | b7     | 0x2000043 | Intel Xeon Platinum 8100 (Skylake-SP) Series; Intel Xeon Gold 6100/5100, Silver 4100, Bronze 3100 (Skylake-SP) Series
Intel  | Kaby Lake H/S/X  | 0x906e9  | 2a     | 0x84      | Intel Xeon E3-1200-v6
AMD    | Zen EPYC         | 0x800f12 | n/a    | 0x8001227 | AMD EPYC 7xx1 Series

To enable hardware support for branch target mitigation in Workstation/Fusion, the following steps should be followed:
  1. Deploy one of the following versions of Workstation/Fusion:
    • Workstation 14.1.1
    • Workstation 12.5.9
    • Fusion 10.1.1
    • Fusion 8.5.10
  2. Apply the Microcode/BIOS updates for CVE-2017-5715 from your platform vendor.
For each virtual machine, enable Hypervisor-Assisted Guest Mitigation via the following steps:
  1. Apply all security patches for your Guest OS which are available from the OS vendor.
  2. Ensure that your VMs are using Virtual Hardware Version 9 or higher. KB 1010675, Upgrading a virtual machine to the latest hardware version (multiple versions), discusses hardware versions.
    • Virtual Hardware Version 9 is the minimum requirement for Hypervisor-Assisted Guest Mitigation for branch target injection (CVE-2017-5715).
    • For best performance, Virtual Hardware Version 11 or higher is recommended. Virtual Hardware Version 11 enables PCID/INVPCID. These features may reduce the performance impact of CVE-2017-5754 mitigations on CPUs that support those features. For the latest information on any VMware performance impact, see KB 52337.
  3. Power Off and then Power On the virtual machine (Restart is insufficient).

vMotion and EVC Information

An ESXi host that is running a patched vSphere hypervisor with updated microcode will see new CPU features that were not previously available.
These new features will be exposed to all Virtual Hardware Version 9+ VMs that are powered on by that host. Because these virtual machines now see additional CPU features, vMotion to an ESXi host that lacks the microcode or hypervisor patches will be prevented.
The vCenter patches enable vMotion compatibility to be retained within an EVC cluster.
In order to maintain this compatibility, the new features are hidden from guests within the cluster until all hosts in the cluster are properly updated. At that time, the cluster will automatically upgrade its capabilities to expose the new features. Unpatched ESXi hosts will no longer be admitted into the EVC cluster.

Confirmation of Correct Operation

To confirm a host has both the patched VMware hypervisor and updated microcode, use the following steps:
  1. Power on a Virtual Machine which is configured to use Virtual Hardware Version 9 or later.
  2. Examine the vmware.log file for that VM and look for one of the following entries:
    • “Capability Found: cpuid.IBRS”
    • “Capability Found: cpuid.IBPB”
    • “Capability Found: cpuid.STIBP”
  3. Any of the above log entries indicates that both the CPU microcode and hypervisor are properly updated.
To confirm end to end operation including guest OS enablement of hardware support for branch target mitigation, check with your OS vendor.

ESXi Microcode Update Information

For the known Spectre vulnerabilities, Intel and AMD have supplied CPU microcode updates for many affected processors to add the new speculative-execution control mechanism.
 
Most server vendors will soon be including these CPU microcode updates in their next BIOS/firmware update. It is strongly recommended that customers apply these BIOS/firmware updates for their servers. 
 
The ESXi patches listed above will also automatically apply these critical CPU microcode updates if the server's BIOS/Firmware has not already applied them. The mechanism defined by AMD and Intel always ensures that the latest microcode update is active regardless of the order in which the BIOS and OS apply them. As a result, ESXi will never override a newer version of the microcode update provided by BIOS nor will the BIOS with an older version prevent ESXi from applying the newer version.
 
To confirm that the CPU has updated microcode for these features, power-on a VM on the host and then examine the vmware.log file.
 
An Intel CPU with updated microcode will have a non-zero value in host CPUID[7].EDX[27:26] (bit 26 or bit 27 set). The caret below marks the nibble to inspect in the fourth register value (EDX):

hostCPUID level 00000007, 0: 0x00000000 0xd39ffffb 0x00000008 0x0c000000
                                                                 ^ [4-9a-f] in nibble

An AMD CPU with updated microcode will have a non-zero value in host CPUID[0x80000008].EBX[12]. The caret below marks the nibble to inspect in the second register value (EBX):

hostCPUID level 80000008, 0: 0x00003030 0x00001007 0x0000603f 0x00000000
                                              ^ [13579bdf] in nibble
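The two vmware.log checks in this KB (the “Capability Found” entries and the hostCPUID bit tests) can be scripted so they are applied consistently across a fleet of hosts. The following Python script is an added example, not part of this KB or of any VMware tool: it parses hostCPUID lines, applies the vendor-specific bit test (Intel CPUID[7].EDX bits 26/27, AMD CPUID[0x80000008].EBX bit 12), and reports which capability lines were logged. The log excerpts are constructed; the register values are copied from the KB's example lines, while the timestamp/“vmx|” prefix on each line is only an assumption about the log format, and the CPU vendor is passed in by the caller.

```python
"""Check a vmware.log for the host-side evidence described in KB 52085:

  * "Capability Found: cpuid.IBRS" / ".IBPB" / ".STIBP" entries, and
  * hostCPUID leaf 7 EDX bits 26/27 (Intel) or leaf 0x80000008 EBX bit 12 (AMD).

Added example; the log excerpts below are constructed (register values taken
from the KB's own example lines), and the line prefix format is an assumption.
"""
import re

CPUID_LINE = re.compile(
    r"hostCPUID level ([0-9a-fA-F]{8}), (\d+): "
    r"(0x[0-9a-fA-F]{8}) (0x[0-9a-fA-F]{8}) (0x[0-9a-fA-F]{8}) (0x[0-9a-fA-F]{8})"
)
CAPABILITY_LINE = re.compile(r"Capability Found: cpuid\.(IBRS|IBPB|STIBP)\b")

# Constructed sample: a patched Intel host. EDX of leaf 7 is 0x0c000000 (bits 26
# and 27 set) and the VMX logged a capability line.
PATCHED_INTEL_LOG = """\
2018-03-20T10:00:00.000Z| vmx| I125: hostCPUID level 00000007, 0: 0x00000000 0xd39ffffb 0x00000008 0x0c000000
2018-03-20T10:00:00.001Z| vmx| I125: hostCPUID level 80000008, 0: 0x00003030 0x00000007 0x0000603f 0x00000000
2018-03-20T10:00:00.002Z| vmx| I125: Capability Found: cpuid.IBRS
"""

# Constructed sample: the same Intel host before microcode/hypervisor patches.
# EDX[27:26] is clear and no capability line was logged.
UNPATCHED_INTEL_LOG = """\
2018-03-20T09:00:00.000Z| vmx| I125: hostCPUID level 00000007, 0: 0x00000000 0xd39ffffb 0x00000008 0x00000000
"""

# Constructed sample: a patched AMD host. EBX of leaf 0x80000008 is 0x00001007
# (bit 12 set).
PATCHED_AMD_LOG = """\
2018-03-20T11:00:00.000Z| vmx| I125: hostCPUID level 80000008, 0: 0x00003030 0x00001007 0x0000603f 0x00000000
2018-03-20T11:00:00.001Z| vmx| I125: Capability Found: cpuid.IBPB
"""


def parse_host_cpuid(log_text):
    """Return {(leaf, subleaf): (eax, ebx, ecx, edx)} for every hostCPUID line."""
    leaves = {}
    for m in CPUID_LINE.finditer(log_text):
        leaf, sub = int(m.group(1), 16), int(m.group(2))
        leaves[(leaf, sub)] = tuple(int(m.group(i), 16) for i in range(3, 7))
    return leaves


def capabilities_found(log_text):
    """Set of mitigation capabilities the VMX logged ('IBRS', 'IBPB', 'STIBP')."""
    return set(CAPABILITY_LINE.findall(log_text))


def microcode_supports_mitigation(leaves, vendor):
    """Apply the vendor-specific CPUID test given in the KB.

    Intel: CPUID[7].EDX bit 26 or bit 27 set.
    AMD:   CPUID[0x80000008].EBX bit 12 set.
    Returns False when the relevant leaf was not logged at all.
    """
    if vendor == "intel":
        regs = leaves.get((0x7, 0))
        return bool(regs) and (regs[3] & ((1 << 26) | (1 << 27))) != 0
    if vendor == "amd":
        regs = leaves.get((0x80000008, 0))
        return bool(regs) and (regs[1] & (1 << 12)) != 0
    raise ValueError("vendor must be 'intel' or 'amd'")


def check_host(log_text, vendor):
    """Summarise both checks. Per the KB, any capability line means both the
    microcode and the hypervisor are updated; a passing CPUID test without a
    capability line points at the hypervisor framework patch being absent."""
    caps = capabilities_found(log_text)
    return {
        "microcode_ok": microcode_supports_mitigation(parse_host_cpuid(log_text), vendor),
        "capabilities": sorted(caps),
        "mitigated": bool(caps),
    }


if __name__ == "__main__":
    for name, log, vendor in [("patched intel", PATCHED_INTEL_LOG, "intel"),
                              ("unpatched intel", UNPATCHED_INTEL_LOG, "intel"),
                              ("patched amd", PATCHED_AMD_LOG, "amd")]:
        print(name, check_host(log, vendor))
```

Run it against a real vmware.log by reading the file into a string and calling check_host with the host's CPU vendor; the "mitigated" field follows the KB's rule that a capability line is the definitive indicator, while "microcode_ok" separates a missing microcode update from a missing hypervisor patch.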


Changelog:

01/09/18: Initial publication
03/20/18: Updated KB with patch and procedure information in conjunction with VMSA-2018-0004.3.

04/09/19: Updated KB with information that the Hypervisor-Assisted Guest Mitigation process described in KB55111 is cumulative.
Ben Paul
4/10/2019 2:55 AM
Marvin Marcos