
Meltdown and Spectre remediations can imply not only performance degradation, but also some management issues, for example in how EVC works, as described in VMware KB 52085 (Hypervisor-Assisted Guest Mitigation for Branch Target Injection).

An ESXi host that is running a patched vSphere hypervisor with updated microcode will see new CPU features that were not previously available. These new features will be exposed to all Virtual Hardware Version 9+ VMs that are powered-on by that host. Because these virtual machines now see additional CPU features, vMotion to an ESXi host lacking the microcode or hypervisor patches applied will be prevented.

The vCenter patches enable vMotion compatibility to be retained within an EVC cluster. In order to maintain this compatibility, the new features are hidden from guests within the cluster until all hosts in the cluster are properly updated. At that time, the cluster will automatically upgrade its capabilities to expose the new features. Unpatched ESXi hosts will no longer be admitted into the EVC cluster.

What does it mean? That you may run into problems adding hosts to an EVC-enabled cluster that contains a mix of hosts patched and not patched for the Meltdown and Spectre bugs.

VMware KB 1034926 (vMotion/EVC incompatibility issues due to AES/PCLMULQDQ) explains one of these possible cases.

For EVC, when you attempt to add hosts of the same CPU model to a cluster configured with the highest EVC mode possible for that microarchitecture, the following error message appears:

Host CPU is incompatible with the virtual machine’s requirements at CPUID level 0x1 register ‘ecx’.
Host bits: 0000:0010:1001:1000:0010:0010:0000:0011
Required: x000:0x0x:10x1:1xx0:xxx0:xx1x:xxxx:xx01
Mismatch detected for these features:

The host’s CPU hardware should support the cluster’s current Enhanced vMotion Compatibility mode, but some of the necessary CPU features are missing from the host. Check the host’s BIOS configuration to ensure that no necessary features are disabled (such as XD, VT, AES, or PCLMULQDQ for Intel, or NX for AMD). For more information, see KB article 1003212.

Problematic BIOS software includes, but might not be limited to, Dell BIOS versions 2.1.9 and 2.1.15 and Cisco UCSM prior to version 1.4(3q).

  1. Check your BIOS settings for an option to enable the features (look for “AES” or “Advanced Encryption Standard”). Note: In some cases, you may need to enable the feature.
  2. Ask your system vendor for a new BIOS to enable the features.
  3. If you are unable to enable the features, use a Nehalem or earlier EVC cluster for these CPUs if you need to vMotion between them.
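The error message above is easier to act on once you know which bit positions actually differ. The following script is an added example, not code from the page or from VMware: it parses the "Host bits" and "Required" lines of the message (the register is printed MSB first, bit 31 on the left, and "x" is treated as don't-care), reports the positions where the host value differs from the required value, and names them using the Intel CPUID definitions for level 1 ECX and, for the Spectre-related features that updated microcode adds, level 7 EDX. The sample message is a copy of the one quoted above; the function and table names are this example's own.

```python
import re

# Feature names from the Intel CPUID definitions: level 0x1 register ECX, and
# level 0x7 (sub-leaf 0) register EDX, where the branch-target-injection
# mitigation bits exposed by updated microcode live. Table is this example's own.
FEATURE_NAMES = {
    (0x1, "ecx"): {
        0: "SSE3", 1: "PCLMULQDQ", 9: "SSSE3", 12: "FMA", 13: "CMPXCHG16B",
        19: "SSE4.1", 20: "SSE4.2", 22: "MOVBE", 23: "POPCNT", 25: "AES",
        26: "XSAVE", 27: "OSXSAVE", 28: "AVX", 29: "F16C", 30: "RDRAND",
    },
    (0x7, "edx"): {
        26: "IBRS/IBPB", 27: "STIBP", 28: "L1D_FLUSH",
        29: "IA32_ARCH_CAPABILITIES", 31: "SSBD",
    },
}

# Accept both straight and typographic quotes around the register name.
HEADER_RE = re.compile(r"CPUID level (0x[0-9a-fA-F]+) register ['\u2018](\w+)['\u2019]")

# Constructed sample: the message quoted in the post, with straight quotes.
SAMPLE_MESSAGE = """\
Host CPU is incompatible with the virtual machine's requirements at CPUID level 0x1 register 'ecx'.
Host bits: 0000:0010:1001:1000:0010:0010:0000:0011
Required: x000:0x0x:10x1:1xx0:xxx0:xx1x:xxxx:xx01
Mismatch detected for these features:
"""


def parse_bitstring(s):
    """Turn '0000:0010:...' into a 32-character string, bit 31 first."""
    bits = s.replace(":", "").strip().lower()
    if len(bits) != 32 or any(c not in "01x" for c in bits):
        raise ValueError("expected 32 bits of 0/1/x, got %r" % s)
    return bits


def find_mismatches(message):
    """Return (level, register, [(bit, host_value, required_value, name), ...])."""
    m = HEADER_RE.search(message)
    if not m:
        raise ValueError("no 'CPUID level ... register ...' header in message")
    level, reg = int(m.group(1), 16), m.group(2).lower()

    host = required = None
    for line in message.splitlines():
        line = line.strip()
        if line.startswith("Host bits:"):
            host = parse_bitstring(line.split(":", 1)[1])
        elif line.startswith("Required:"):
            required = parse_bitstring(line.split(":", 1)[1])
    if host is None or required is None:
        raise ValueError("message lacks 'Host bits:' or 'Required:' line")

    names = FEATURE_NAMES.get((level, reg), {})
    mismatches = []
    for i, (h, r) in enumerate(zip(host, required)):
        bit = 31 - i  # strings are printed MSB first
        if r != "x" and h != r:  # 'x' in the required mask is don't-care
            mismatches.append((bit, h, r, names.get(bit, "bit %d" % bit)))
    return level, reg, mismatches


if __name__ == "__main__":
    level, reg, mm = find_mismatches(SAMPLE_MESSAGE)
    print("CPUID level 0x%x register %s" % (level, reg))
    for bit, h, r, name in mm:
        print("  bit %2d %-24s host=%s required=%s" % (bit, name, h, r))
```

For the quoted message the differing positions are bit 25 (AES) and bit 1 (PCLMULQDQ), which is exactly the pair named in the KB title. When a patched and an unpatched host disagree on the Spectre-related features instead, the same parser applied to a message for level 0x7 register edx names IBRS/IBPB and STIBP.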

But another possible cause is that the Meltdown and Spectre patches (hypervisor and microcode) have not been applied to all hosts: once the EVC cluster has upgraded its capabilities to expose the new features, an unpatched host lacks them and is no longer admitted.

See also the EVC and CPU Compatibility FAQ (VMware KB 1005764).