
December 27, 2023

Enable the ESXi Side-Channel-Aware Scheduler (SCAv1) or the ESXi Side-Channel-Aware Scheduler v2 (SCAv2) in ESXi 6.7u2 (13006603) or later

 

Implementing Hypervisor-Specific Mitigations for Microarchitectural Data Sampling (MDS) Vulnerabilities


Before applying SCAv1 or SCAv2 to an ESXi hypervisor, let's look at what MDS is and what the goal of this article is.

Purpose:

This post explains the hypervisor-specific mitigation enablement process required to address the Microarchitectural Data Sampling (MDS) vulnerabilities identified by CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091 in vSphere.

The release of vSphere 6.7 Update 2 brought with it a new vSphere CPU scheduler option, the Side-Channel Aware Scheduler version 2 (SCAv2) or "Sibling Scheduler." This new scheduler can help restore some of the performance lost to CPU vulnerability mitigations, but it also carries some risk with it.

CPU vulnerabilities are security problems that exist in processors delivered by major CPU vendors. They’re particularly serious because these problems may allow attackers to bypass all of the other security controls we’ve built up in our environments.

To mitigate vulnerabilities like Spectre, Meltdown, L1TF, and MDS, the CPU vendors provide a few new instruction sets through microcode updates, which ship either as part of ESXi or in vendor firmware updates.

So what are the L1TF and MDS vulnerabilities?

L1TF: The L1TF vulnerability exposed a problem where a processor can leak information between the two threads on a core of an Intel CPU.

MDS: The MDS vulnerabilities can also leak information between processes. Intel disclosed details of a new wave of speculative-execution vulnerabilities, known collectively as "Microarchitectural Data Sampling (MDS)", that affect Intel microarchitectures prior to 2nd Generation Intel® Xeon® Scalable Processors (formerly known as Cascade Lake). These issues may allow a malicious user who can execute code locally on a system to infer the values of data otherwise protected by architectural mechanisms.

There are three schedulers to choose from in ESXi 6.7 Update 2: the default, SCAv1, and SCAv2.

1. Default Scheduler: With the default scheduler it should be assumed that all workloads running on the host can see each other's data.

2. SCAv1: Implements per-process protections, which help with L1TF and MDS. It is the most secure option but can be the slowest.

Availability:
- ESXi 5.5, 6.0, 6.5 and 6.7 release lines
- Does not require a hardware refresh.

Security:
- Prevents VM-to-VM concurrent-context attack vector information leakage.
- Prevents VM-to-hypervisor concurrent-context attack vector information leakage.
- Prevents intra-VM concurrent-context attack vector information leakage.

Performance:
- Retains up to 100% performance for a low to moderately loaded system.
- Retains up to 70% performance for a heavily loaded system.
- Does not utilize Hyper-Threading.


3. SCAv2: Implements per-VM protections, but the risk involved in using it needs to be considered.

Availability:
- ESXi 6.7u2.
- Does not require a hardware refresh.

Security:
- Prevents VM-to-VM concurrent-context attack vector information leakage.
- Prevents VM-to-hypervisor concurrent-context attack vector information leakage.
- Does NOT prevent intra-VM concurrent-context attack vector information leakage.

Performance:
- Retains up to 100% performance for a low to moderately loaded system.
- Retains up to 90% performance for a heavily loaded system.
- Utilizes Hyper-Threading.


Resolution:

Enabling the ESXi Side-Channel-Aware Scheduler (SCAv1) using the vSphere Web Client or vSphere Client

1. Connect to the vCenter Server using either the vSphere Web Client or the vSphere Client.
2. Select an ESXi host in the inventory.
3. Click the Configure tab.
4. Under the System heading, click Advanced System Settings.
5. Click Edit.
6. Click in the Filter box and search for VMkernel.Boot.hyperthreadingMitigation.
7. Select the setting by name.
8. Change the configuration option to true (default: false).
9. Click in the Filter box and search for VMkernel.Boot.hyperthreadingMitigationIntraVM.
10. Change the configuration option to true (default: true).
11. Click OK.
12. Reboot the ESXi host for the configuration change to take effect.

Please refer to the screenshot below for reference:

Go to ESXi > Configure > Advanced > filter > Mitigation, and change the value as shown for SCAv1





Note: You can also apply this configuration using the ESXi Embedded Host Client or ESXCLI; for that, follow the referenced KB:


Enabling the ESXi Side-Channel-Aware Scheduler Version 2 (SCAv2) using the vSphere Web Client or vSphere Client

1. Connect to the vCenter Server using either the vSphere Web Client or the vSphere Client.
2. Select an ESXi host in the inventory.
3. Click the Configure tab.
4. Under the System heading, click Advanced System Settings.
5. Click Edit.
6. Click in the Filter box and search for VMkernel.Boot.hyperthreadingMitigation.
7. Select the setting by name.
8. Change the configuration option to true (default: false).
9. Click in the Filter box and search for VMkernel.Boot.hyperthreadingMitigationIntraVM.
10. Change the configuration option to false (default: true).
11. Click OK.
12. Reboot the ESXi host for the configuration change to take effect.

Go to ESXi > Configure > Advanced > filter > Mitigation, and change the value as shown for SCAv2
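The two click-through procedures above (SCAv1 and SCAv2) differ only in the values of the same two advanced settings, so they can be audited and applied from PowerCLI. This is an added example, not code from the original post; it assumes the VMware.PowerCLI module is installed and Connect-VIServer has already been run against the vCenter, and the function names Get-SchedulerMode and Set-SchedulerMode are my own.

```powershell
# Added example (not from the original post): audit and optionally set the ESXi
# CPU scheduler mode (Default / SCAv1 / SCAv2) across hosts with PowerCLI.
# Assumes VMware.PowerCLI is installed and Connect-VIServer has already been run.

$HtmName     = 'VMkernel.Boot.hyperthreadingMitigation'
$IntraVmName = 'VMkernel.Boot.hyperthreadingMitigationIntraVM'

# Scheduler mode -> required values of the two advanced settings (as in the post)
$Modes = @{
    'Default' = @{ Mitigation = $false; IntraVM = $true  }
    'SCAv1'   = @{ Mitigation = $true;  IntraVM = $true  }
    'SCAv2'   = @{ Mitigation = $true;  IntraVM = $false }
}

function Get-SchedulerMode {
    param([Parameter(Mandatory)] $VMHost)
    # Values may come back as Boolean or as the strings "True"/"False"; normalise both
    $htm   = [System.Convert]::ToBoolean("$((Get-AdvancedSetting -Entity $VMHost -Name $HtmName).Value)")
    $intra = [System.Convert]::ToBoolean("$((Get-AdvancedSetting -Entity $VMHost -Name $IntraVmName).Value)")
    $mode  = if (-not $htm) { 'Default' } elseif ($intra) { 'SCAv1' } else { 'SCAv2' }
    [pscustomobject]@{ Host = $VMHost.Name; Build = $VMHost.Build; Mitigation = $htm; IntraVM = $intra; Mode = $mode }
}

function Set-SchedulerMode {
    param(
        [Parameter(Mandatory)] $VMHost,
        [Parameter(Mandatory)][ValidateSet('Default', 'SCAv1', 'SCAv2')] [string] $Mode
    )
    # SCAv2 exists only from ESXi 6.7u2 (build 13006603); refuse rather than misconfigure
    if ($Mode -eq 'SCAv2' -and [int]$VMHost.Build -lt 13006603) {
        throw "$($VMHost.Name): build $($VMHost.Build) is older than 6.7u2; SCAv2 is not available"
    }
    $want = $Modes[$Mode]
    Get-AdvancedSetting -Entity $VMHost -Name $HtmName |
        Set-AdvancedSetting -Value $want.Mitigation -Confirm:$false | Out-Null
    Get-AdvancedSetting -Entity $VMHost -Name $IntraVmName |
        Set-AdvancedSetting -Value $want.IntraVM -Confirm:$false | Out-Null
    # The new scheduler only becomes active after the host is rebooted (put it in maintenance mode first)
    Get-SchedulerMode -VMHost $VMHost
}

# Usage: report the current mode of every host; anything still reporting 'Default' is unmitigated
Get-VMHost | ForEach-Object { Get-SchedulerMode -VMHost $_ } |
    Sort-Object Mode | Format-Table -AutoSize
```

Run the audit first and keep its output as the change record; only then call Set-SchedulerMode per host and schedule the reboot.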



Note: You can also apply this configuration using the ESXi Embedded Host Client or ESXCLI; for that, follow the referenced KB:

Finally, below is the scheduler configuration that needs to be applied for ESXi 6.7u2 (and later):

Thank you. I hope this article helps you decide which vSphere CPU scheduler to configure in your production environment according to your requirements.


February 28, 2023

 

Step by Step vCenter Deployment 7.x.


Prerequisites for deploying vCenter:

1. Fully Qualified Domain Name (FQDN) resolution should be in place, with forward and reverse DNS records added.

2. vCenter Server 7.0 can only be deployed to, and manage, ESXi hosts v6.5 or later. There is no direct upgrade path for hosts running ESXi v5.5 or 6.0 to v7.0.

3. The ESXi host and all vSphere components should be configured to use Network Time Protocol (NTP).

4. Check the VMware Product Interoperability Matrices.

5. The vCenter Server Appliance requires the following compute specifications; this includes vSphere Lifecycle Manager running as a service on the appliance.

6. Firewall ports should be opened as per the Required Ports for vCenter Server.
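A missing or mismatched reverse record (prerequisite 1) is the most common cause of a Stage 1 failure, and it is cheap to check from the Windows machine that will run the installer before mounting the ISO. This is an added example, not code from the original post; it assumes the built-in Resolve-DnsName cmdlet (DnsClient module) and a reachable DNS server, and the function name Test-VcsaDns and the sample FQDN/IP are constructed values.

```powershell
# Added example (not from the original post): pre-flight check for the DNS
# prerequisite, run on the Windows machine that will run the VCSA installer.
# Assumes the DnsClient module (Resolve-DnsName) and a reachable DNS server.
function Test-VcsaDns {
    param(
        [Parameter(Mandatory)] [string] $Fqdn,   # planned vCenter FQDN
        [Parameter(Mandatory)] [string] $Ip      # planned static IPv4 address of the appliance
    )
    $result = [ordered]@{ Fqdn = $Fqdn; Ip = $Ip; Forward = $false; Reverse = $false }

    # Forward lookup: the FQDN must resolve to exactly the planned IP
    $a = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction SilentlyContinue |
         Where-Object { $_.QueryType -eq 'A' }
    $result['Forward'] = ($null -ne $a) -and ($a.IPAddress -contains $Ip)

    # Reverse lookup: the PTR for the IP must point back to the same FQDN
    $ptr = Resolve-DnsName -Name $Ip -Type PTR -ErrorAction SilentlyContinue |
           Where-Object { $_.QueryType -eq 'PTR' }
    $result['Reverse'] = ($null -ne $ptr) -and
                         (@($ptr.NameHost | ForEach-Object { $_.TrimEnd('.') }) -contains $Fqdn.TrimEnd('.'))

    # Both directions must agree before starting Stage 1
    $result['Ok'] = $result['Forward'] -and $result['Reverse']
    [pscustomobject]$result
}

# Usage with constructed sample values; expect Forward, Reverse and Ok all True
Test-VcsaDns -Fqdn 'vcsa01.lab.example' -Ip '192.0.2.10'
```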


Procedure for the installation:

Download and mount the ISO on your computer, then browse to the corresponding directory for your operating system and open the installer file. In my case \vcsa-ui-installer\win32.

1. Run installer.exe.

2. Once you run installer.exe you will get 4 options.

►Install: Choose this option when you are going to install a new vCenter.

►Upgrade: Choose the upgrade option when you are going to upgrade from a previous version to the latest version. Before that, follow the upgrade path as per the VMware Product Interoperability Matrices.

►Migrate: This option applies when you are going to migrate from a Windows vCenter to the appliance.

►Restore: Choose this option when you want to restore from a previous version of vCenter.

3. As we are going to install a new vCenter, choose the Install option.

4. From version 7.0, an external PSC with vCenter is deprecated.

5. To deploy vCenter Server, click Next on the screen.

6. Accept the license agreement and click Next.

7. On the next screen, provide the ESXi host on which the vCenter Server will be deployed, along with the username (root) and password: ######

8. You will get a certificate warning; click Yes to continue.

9. Provide the vCenter name and a root password, which needs to be at least 8 characters, with a number, uppercase and lowercase letters, and a special character. Click Next to continue.

10. Select the deployment size of the vCenter Server as per your workload requirement. Click Next.

11. Provide the datastore where the vCenter Server is going to be deployed. If you have an existing datastore you can choose that datastore.

12. Enter the network settings to be applied to the appliance, including IPv4, DNS, and network adapter settings, then click Next.

13. Once you have provided all the IP details, click Next and your vCenter deployment will start.

14. It will take 20-25 minutes to complete the Stage 1 deployment process. Once it completes, click Continue and proceed with Stage 2.



Stage 2 Installation


1. Stage 2 will allow you to set up the VCSA and SSO configuration.

2. Click Next to begin the vCenter appliance setup. Click Next on the Introduction page and provide the NTP server details. Make sure the NTP server is configured correctly as part of the prerequisites.

3. On the next page, configure SSO and the password for vsphere.local.
Note: If you want to join the current vCenter to an existing vCenter, choose the existing SSO domain and provide the details of that SSO domain.

4. Click Next and check the box to join the VMware Customer Experience Improvement Program.

5. Finally, review all the details provided for the VCSA setup and click Finish.

6. Once you click Finish, the vCenter setup process will start.

7. Once the VCSA setup process completes, you will be able to access vCenter from a browser at https://<FQDN_vCenter-Name>.