Hypervisor-Assisted Guest Mitigation for CVE-2018-3639 (Speculative Store Bypass)
Article ID: 317619
Updated On:
Products
VMware vCenter Server
Issue/Introduction
Mitigation of CVE-2018-3639 within a VM or native OS is greatly assisted by a new speculative-execution control bit known as Speculative-Store-Bypass-Disable (SSBD). In order to use this hardware feature within virtual machines, new Hypervisor-Assisted Guest Mitigations must be enabled to pass this control bit to the Guest OSes.
Because there will be multiple documents necessary to explain the mitigation process for CVE-2018-3639, KB54951 was created to provide an overview of VMware’s response - review it prior to continuing.
This document will focus on the technical implementation and requirements of the Hypervisor-Assisted Guest Mitigations for CVE-2018-3639
Because there will be multiple documents necessary to explain the mitigation process for CVE-2018-3639, KB54951 was created to provide an overview of VMware’s response - review it prior to continuing.
This document will focus on the technical implementation and requirements of the Hypervisor-Assisted Guest Mitigations for CVE-2018-3639
Resolution
To enable hardware support for SSBD in vCenter Server and ESXi, the following steps should be followed:
Note: Ensure vCenter Server is updated first, for more information, see the vMotion and EVC Information section.
These new features will be exposed to all Virtual Hardware Version 9+ VMs that are powered-on by that host. Because these virtual machines now see additional CPU features, vMotion to an ESXi host lacking the microcode or hypervisor patches applied will be prevented.
The vCenter patches enable vMotion compatibility to be retained within an EVC cluster.
In order to maintain this compatibility the new features are hidden from guests within the cluster until all hosts in the cluster are properly updated. At that time, the cluster will automatically upgrade its capabilities to expose the new features. Unpatched ESXi hosts will no longer be admitted into the EVC cluster.
After vSphere has been patched for CVE-2018-3639, customers utilizing the per-VM EVC feature, introduced in Hardware Version 14 and newer, will also need to refresh the EVC mode of the VM. This refresh will allow the per-VM EVC mode of the VM to recognize the new CPU features introduced from the patches. Not performing this step may result in the VM running less securely than desired.
Note: for additional advice on managing the per-VM EVC feature, see the vCenter Server 6.7.0b Release Notes.
From the UI: to refresh the per-VM EVC feature of the VM, navigate to the virtual machine. Under the Configure tab, select VMware EVC. Click Edit to bring up the current EVC selection, then click OK.
From the API: Call applyEvcModeVMTask with the list of masks that would be updated post-Spectre patch. A sample code snippet can be found here.
Note: Ensure vCenter Server is updated first, for more information, see the vMotion and EVC Information section.
- Upgrade to the versions of vCenter Server listed in VMSA-2018-0012.1.
- Apply the ESXi patches listed in VMSA-2018-0012.1. Note that per ESXi version two patches are listed and that both of them are required. These patches can both be applied at once so that only one reboot of the host is required.
- Deploy and/or update Workstation/Fusion to the versions listed in VMSA-2018-0012.
- Apply the Microcode/BIOS updates for CVE-2018-3639 from your platform vendor.
- Apply the applicable SSBD security patches for your Guest OS which have been made available from the OS vendor.
Note: Most OS vendors leave the SSBD mitigation off by default. Consult your OS vendor’s documentation on how to switch on the SSBD mitigation after applying the vendor’s security patches for your Guest OS.
- Ensure that your VMs are using Virtual Hardware Version 9 or higher. See KB1010675 for details on Virtual Hardware versions and requirements. For best performance, Virtual Hardware Version 11 or higher is recommended. Virtual Hardware Version 11 enables PCID/INVPCID.
- Power Off and then Power On the virtual machine (Restart is insufficient).
vMotion and EVC Information
An ESXi host that is running a patched vSphere hypervisor with updated microcode will see new CPU features that were not previously available.These new features will be exposed to all Virtual Hardware Version 9+ VMs that are powered-on by that host. Because these virtual machines now see additional CPU features, vMotion to an ESXi host lacking the microcode or hypervisor patches applied will be prevented.
The vCenter patches enable vMotion compatibility to be retained within an EVC cluster.
In order to maintain this compatibility the new features are hidden from guests within the cluster until all hosts in the cluster are properly updated. At that time, the cluster will automatically upgrade its capabilities to expose the new features. Unpatched ESXi hosts will no longer be admitted into the EVC cluster.
After vSphere has been patched for CVE-2018-3639, customers utilizing the per-VM EVC feature, introduced in Hardware Version 14 and newer, will also need to refresh the EVC mode of the VM. This refresh will allow the per-VM EVC mode of the VM to recognize the new CPU features introduced from the patches. Not performing this step may result in the VM running less securely than desired.
Note: for additional advice on managing the per-VM EVC feature, see the vCenter Server 6.7.0b Release Notes.
From the UI: to refresh the per-VM EVC feature of the VM, navigate to the virtual machine. Under the Configure tab, select VMware EVC. Click Edit to bring up the current EVC selection, then click OK.
From the API: Call applyEvcModeVMTask with the list of masks that would be updated post-Spectre patch. A sample code snippet can be found here.
Confirmation of Correct Operation
To confirm a host has both VMware hypervisor and updated microcode, use the following steps:- Power on a Virtual Machine which is configured to use Virtual Hardware Version 9 or later.
- Examine the vmware.log file for that VM and look for the following entry:
“Capability Found: cpuid.SSBD”
- Any of the above log entries indicate that both the CPU microcode and hypervisor are properly updated.
Feedback
Yes
No
Powered by
