VMware EVC now exposes Spectre mitigation MSRs with latest patches

Edit: speak of the devil… new vCenter and vSphere patches just released: https://www.vmware.com/security/advisories/VMSA-2018-0004.html Headline revised to reflect update.

Edit 2: As this update requires shutting down and starting VMs (full power cycle, simply restart does not work), use this PowerCLI command to find VMs that don’t yet have new features exposed

Get-VM |? {$_.extensiondata.runtime.featurerequirement.key -notcontains 'cpuid.IBRS'  -or $_.extensiondata.runtime.featurerequirement.key -notcontains 'cpuid.IBPB'}

While you can apply VMware patches and BIOS microcode updates, guests will not see any mitigation options if EVC is enabled (as these options were not in original CPU specification). It’s the same for KVM/QEMU CPU masking, however Hyper-V allows exposing new flags (probably because it doesn’t have anything like EVC besides “compatibility” flag).

I haven’t yet tested without EVC but with all things patched up, clients with Broadwell EVC don’t see required MSRs with ESXi 6.5.

2 thoughts on “VMware EVC now exposes Spectre mitigation MSRs with latest patches”

  1. Hi,

    do you have any updates on this?

    I have a patched vCenter 5.5 EVC enabled (Westmere CPU) cluster, vCenter and ESXi are patched, installed BIOS updates on all ESXi hosts, but i do not see the new features now…

    vmGuest Version is 10 and i did a cold boot (Power Off,Power On)

    Thanks

    1. Sorry, I haven’t checked my blog for a while.
      It’s hard speculate here but if you’ve updated with microcode released in late march, it should work. Ask VMware support?

Leave a Reply to DZ Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.