VMware EVC now exposes Spectre mitigation MSRs with latest patches

Edit: speak of the devil… new vCenter and vSphere patches have just been released: https://www.vmware.com/security/advisories/VMSA-2018-0004.html The headline has been revised to reflect this update.

Edit 2: Because this update only takes effect after a full power cycle of each VM (shut down, then power on; a simple guest restart is not enough), use this PowerCLI command to find VMs that do not yet have the new features exposed:

Get-VM | Where-Object { $_.ExtensionData.Runtime.FeatureRequirement.Key -notcontains 'cpuid.IBRS' -or $_.ExtensionData.Runtime.FeatureRequirement.Key -notcontains 'cpuid.IBPB' }
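As an added example (not the post's own command), the same check turned into a PowerCLI function that reports, per VM, which of the required feature keys is still missing and whether a full power cycle is needed. The function name `Get-SpectreFeatureStatus` and the constructed sample VM objects are assumptions; the default key list is the two keys the post names.

```powershell
# Added example, not from the original post. Reports which Spectre-related CPU feature
# keys (default: cpuid.IBRS and cpuid.IBPB, as named in the post) each VM is missing
# from its runtime feature requirements. A VM missing a key has not picked up the new
# EVC baseline and needs a full power cycle, not a guest reboot.
# Live use requires VMware PowerCLI and an existing Connect-VIServer session.
function Get-SpectreFeatureStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $VM,                                   # output of Get-VM, or a look-alike object
        [string[]]$RequiredKey = @('cpuid.IBRS', 'cpuid.IBPB')
    )
    process {
        # featureRequirement is only populated while the VM runs, so a powered-off VM
        # is reported separately rather than as "missing".
        $present = @($VM.ExtensionData.Runtime.FeatureRequirement | ForEach-Object { $_.Key })
        $missing = @($RequiredKey | Where-Object { $present -notcontains $_ })
        $state   = [string]$VM.PowerState
        $action  = if ($state -ne 'PoweredOn') { 'Not running: features are evaluated at next power-on' }
                   elseif ($missing.Count -eq 0) { 'OK' }
                   else { 'Needs full power cycle (Shutdown-VMGuest, then Start-VM)' }
        [pscustomobject]@{
            Name       = $VM.Name
            PowerState = $state
            Missing    = ($missing -join ',')
            Action     = $action
        }
    }
}

# Live use against vCenter (after Connect-VIServer):
#   Get-VM | Get-SpectreFeatureStatus | Where-Object Action -ne 'OK' | Format-Table -AutoSize

# Constructed sample objects (assumption) so the function can be exercised without vCenter.
$sample = @(
    [pscustomobject]@{ Name = 'vm-patched'; PowerState = 'PoweredOn'
        ExtensionData = @{ Runtime = @{ FeatureRequirement = @(
            @{ Key = 'cpuid.IBRS' }, @{ Key = 'cpuid.IBPB' }, @{ Key = 'cpuid.SSE3' }) } } }
    [pscustomobject]@{ Name = 'vm-stale'; PowerState = 'PoweredOn'
        ExtensionData = @{ Runtime = @{ FeatureRequirement = @(@{ Key = 'cpuid.SSE3' }) } } }
    [pscustomobject]@{ Name = 'vm-off'; PowerState = 'PoweredOff'
        ExtensionData = @{ Runtime = @{ FeatureRequirement = @() } } }
)
$sample | Get-SpectreFeatureStatus | Format-Table -AutoSize
```

In the sample run, vm-patched reports OK, vm-stale lists both keys as missing, and vm-off is flagged as not running.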

While you can apply the VMware patches and BIOS microcode updates, guests will not see any mitigation options if EVC is enabled, because these options were not part of the original CPU specification that the EVC baseline masks to. The same applies to KVM/QEMU CPU masking; Hyper-V, however, allows exposing the new flags (probably because it has nothing like EVC beyond a “compatibility” flag).

I haven’t yet tested without EVC, but with all things patched up, clients with Broadwell EVC don’t see the required MSRs on ESXi 6.5.

2 thoughts on “VMware EVC now exposes Spectre mitigation MSRs with latest patches”

  1. Hi,

    do you have any updates on this?

    I have a patched vCenter 5.5 EVC-enabled (Westmere CPU) cluster; vCenter and ESXi are patched, and I installed BIOS updates on all ESXi hosts, but I do not see the new features now…

    vmGuest Version is 10 and I did a cold boot (Power Off, Power On)

    Thanks

    1. Sorry, I haven’t checked my blog for a while.
      It’s hard to speculate here, but if you’ve updated with the microcode released in late March, it should work. Ask VMware support?
