How to mitigate L1TF vulnerability warning for a stateless auto-deploy host


Problem definition:

For a stateless Auto Deploy host, the setting VMkernel.Boot.hyperthreadingMitigation rolls back to its default on every reboot. This causes a warning to appear in vCenter Server for the host.

The warning is raised because the host has all the fixes needed to mitigate L1 Terminal Fault installed, but the patched code requires manual activation. Until the setting is activated, the warning remains.

Note!

To apply the mitigation on ESXi hosts other than Auto Deploy hosts, follow VMware KB55806.

Enabling the mitigation has capacity and performance implications. For more detail, see the article below:

KB52337: VMware Performance Impact for CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 (aka Spectre and Meltdown)

Pre-requisites:

One non auto-deployed ESXi host with all required configuration as per the environment. This host will be used to extract the host profile.

Procedure:

Step1: Enable VMkernel.Boot.hyperthreadingMitigation on the non auto-deployed ESXi host:
  1. Connect to the vCenter Server using either the vSphere Web or vSphere Client.
  2. Select the non auto-deployed ESXi host in the inventory.
  3. Click the Manage (5.5/6.0) or Configure (6.5/6.7) tab.
  4. Click the Settings sub-tab.
  5. Under the System heading, click Advanced System Settings.
  6. Click in the Filter box and search for VMkernel.Boot.hyperthreadingMitigation.
  7. Select the setting by name and click the Edit pencil icon.
  8. Change the configuration option to true (default: false).
  9. Click OK.
  10. Reboot the ESXi host for the configuration change to go into effect.
Step2: Extract the host profile:
  1. Connect to the vCenter Server using either the vSphere Web or vSphere Client.
  2. Select the non auto-deployed ESXi host in the inventory.
  3. Right-click the host, go to Host Profiles and select Extract Host Profile.
Step3: Make necessary changes to the extracted host profile and reconfirm the settings:
  1. Go to Home.
  2. Select Host Profiles.
  3. Right-click your extracted host profile and select Edit Host Profile.
  4. Make sure VMkernel.Boot.hyperthreadingMitigation is enabled (Figure 1).
  5. Make sure the stateless caching setting under System Image Cache Configuration matches your environment (Figure 2).
Figure 1
Figure 2
Step4: Apply the host profile to the “Deploy Rules” of Auto Deploy:
  1. Connect to the vCenter Server using either the vSphere Web or vSphere Client.
  2. Go to Home.
  3. Click the Auto Deploy icon.
  4. Click the Deploy Rules tab.
  5. Under the Deploy Rules tab, select your preferred rule and clone it, or create a new deploy rule.
  6. Select the newly cloned rule, right-click it and choose Edit.
  7. Give the rule an appropriate name.
  8. Go to the Select host profile tab on the left side and select the host profile with VMkernel.Boot.hyperthreadingMitigation enabled.
  9. Click OK. (If a new rule was created, the other details, such as the image profile and host location, must be entered as per your requirement.)
  10. Activate this new rule.
  11. Boot your ESXi host with this deploy rule.
Step5: After the ESXi host boots, verify the value of VMkernel.Boot.hyperthreadingMitigation; it must be true:
  1. Connect to the vCenter Server using either the vSphere Web or vSphere Client.
  2. Select an ESXi host in the inventory.
  3. Click the Manage (5.5/6.0) or Configure (6.5/6.7) tab.
  4. Click the Settings sub-tab.
  5. Under the System heading, click Advanced System Settings (Figure 3).
  6. Click in the Filter box and search for VMkernel.Boot.hyperthreadingMitigation; the value must be true.
Figure 3
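The Step5 check can also be run across every host in the vCenter inventory at once, which is useful after a deploy-rule change when many stateless hosts reboot. The PowerCLI function below is an added example, not part of the original post; it assumes an existing Connect-VIServer session, and the function name and its parameter are this example's own.

```powershell
# Added example (not part of the original post): report the runtime value of
# VMkernel.Boot.hyperthreadingMitigation for every host and flag the ones where
# it has rolled back to the default after a reboot.
# Assumes Connect-VIServer has already been run against the vCenter Server.
function Test-L1TFMitigation {
    [CmdletBinding()]
    param(
        # Hypothetical parameter: restrict the check to hosts matching this name pattern.
        [string]$HostName = '*'
    )
    $settingName = 'VMkernel.Boot.hyperthreadingMitigation'
    foreach ($vmhost in (Get-VMHost -Name $HostName | Sort-Object Name)) {
        $setting = Get-AdvancedSetting -Entity $vmhost -Name $settingName
        # Compare as text: the value may be returned as a Boolean or as the
        # string "true"/"false", and [bool]"false" would wrongly evaluate to True.
        $enabled = ("$($setting.Value)" -eq 'true')
        if ($enabled) {
            $status = 'OK'
        } else {
            # On a stateless host this is the symptom described above: the
            # host profile attached to the active deploy rule lacks the setting.
            $status = 'NOT MITIGATED - check host profile and deploy rule'
        }
        [pscustomobject]@{
            Host       = $vmhost.Name
            # Last boot time shows whether the host has rebooted since the
            # deploy rule was changed.
            BootTime   = $vmhost.ExtensionData.Runtime.BootTime
            Mitigation = $enabled
            Status     = $status
        }
    }
}

# Show only the hosts that still need attention.
Test-L1TFMitigation | Where-Object { -not $_.Mitigation } | Format-Table -AutoSize
```

An empty result means every host reports the setting as true; a host listed here with a BootTime older than the deploy-rule change simply has not been rebooted yet.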