Reading Time: 3 minutes

Meltdown and Spectre remediations can imply not only performance degradation, but also some management issues. For example in how EVC works as described in VMware KB 52085 (Hypervisor-Assisted Guest Mitigation for Branch Target injection).

An ESXi host that is running a patched vSphere hypervisor with updated microcode will see new CPU features that were not previously available. These new features will be exposed to all Virtual Hardware Version 9+ VMs that are powered-on by that host. Because these virtual machines now see additional CPU features, vMotion to an ESXi host lacking the microcode or hypervisor patches applied will be prevented.

The vCenter patches enable vMotion compatibility to be retained within an EVC cluster. In order to maintain this compatibility, the new features are hidden from guests within the cluster until all hosts in the cluster are properly updated.  At that time, the cluster will automatically upgrade its capabilities to expose the new features. Unpatched ESXi hosts will no longer be admitted into the EVC cluster.

What does it mean? That you may have issues in adding hosts in an EVC enable cluster with a mixed of hosts patched and not patched for Meltdown and Spectre bugs.

And VMware KB 1034926 (vMotion/EVC incompatibility issues due to AES/PCLMULQDQ) explain one of this possible cases.

For EVC, when you attempt to add the same models to clusters configured with the highest possible EVC mode based on the micro-architecture, the following error message appears:

Host CPU is incompatible with the virtual machine’s requirements at CPUID level 0x1 register ‘ecx’.
Host bits: 0000:0010:1001:1000:0010:0010:0000:0011
Required: x000:0x0x:10×1:1xx0:xxx0:xx1x:xxxx:xx01
Mismatch detected for these features:
* AES-NI
* PCLMULQDQ

The host’s CPU hardware should support the cluster’s current Enhanced vMotion Compatibility mode, but some of the necessary CPU features are missing from the host. Check the host’s BIOS configuration to ensure that no necessary features are disabled (such as XD, VT, AES, or PCLMULQDQ for Intel, or NX for AMD). For more information, see KB article 1003212.

Problematic BIOS software includes, but might not be limited to, Dell BIOS versions 2.1.9 and 2.1.15 and Cisco UCSM prior to version 1.4(3q).

  1. Check your BIOS settings for an option to enable the features (look for “AES” or “Advanced Encryption Standard”). Note: In some cases, you may need to enable the feature.
  2. Ask your system vendor for a new BIOS to enable the features.
  3. If you are unable to enable the features, use a Nehalem or earlier EVC cluster for these CPUs if you need to vMotion between them.

But one reason could also be Meltdown and Spectre patching not applied on all hosts.

See also EVC and CPU Compatibility FAQ (1005764)

Share

Related Posts

  • Analyze performance impact of Spectre and Meltdown patches

    The mitigations for Meltdown and Spectre issues have involved a combination of different type of fixes: some software based, such as Microsoft and Linux versions of the "kernel page table isolation" protection, but also fome hardware based, like the Intel's microcode updates (part that is…

  • New Meltdown and Spectre variants

    We are still far from a solution for the Meltdown and Spectre, considering the delay of the microcode releases and the complexity of the possible Spectre fixes... And now, some security researchers from NVIDIA and Princeton have discovered new variants of the Meltdown and Spectre…

  • New patches for VMware vCloud Suite

    VMware has recently released several patches for its vCloud Suite: VMware vCenter Server 5.1.0a and modules (Release Notes) VMware vSphere Data Protection 5.1.1 (Release Notes) vSphere Storage Appliance 5.1.1 (Release Notes) VMware vCloud Networking and Security 5.1.1 vCloud Director 5.1.1 Note also that View 5.1.x…

Virtualization, Cloud and Storage Architect. Tech Field delegate. VMUG IT Co-Founder and board member. VMware VMTN Moderator and vExpert 2010-24. Dell TechCenter Rockstar 2014-15. Microsoft MVP 2014-16. Veeam Vanguard 2015-23. Nutanix NTC 2014-20. Several certifications including: VCDX-DCV, VCP-DCV/DT/Cloud, VCAP-DCA/DCD/CIA/CID/DTA/DTD, MCSA, MCSE, MCITP, CCA, NPP.