Alternative protection for Windows Server 2016 Hyper-V Hosts against the speculative execution side-channel vulnerabilities

The mitigations recommended in Windows Server guidance to protect against speculative execution side-channel vulnerabilities include applying updated system firmware in order to achieve the full benefit of all known protections. This topic explains an alternative protection mechanism against CVE-2017-5715 (branch target injection) for Windows Server 2016 Hyper-V hosts that do not yet have updated firmware.

These hosts may be configured to provide isolation between the virtual processors (VPs) used for the Hyper-V host’s root partition and guest virtual machines. There are two features in Windows Server 2016 Hyper-V that allow for such a configuration:

  • The minimum root, or “Minroot” capability allows the host administrator to constrain the Hyper-V host partition to run its virtual processors on a subset of the system’s total logical processors (LPs). The remaining LPs are still available to the hypervisor to run virtual machines.

  • The CPU Groups feature may be employed to constrain guest VM virtual processors to specific LPs.

By combining these two features, a Hyper-V host administrator can fully isolate the host Hyper-V activity to a separate set of processors, and isolate all guest activity to the remaining processors.

For example, on a system with 32 logical processors, the Hyper-V host can be configured to utilize only eight processors, with the remaining 24 processors dedicated to a CPU group which contains all guest virtual machines on that host. In this manner, full segregation is achieved between the host partition and guest virtual machines.

On systems with simultaneous multi-threading (SMT) enabled, make sure that a core containing two SMT threads is not shared between the host partition and the CPU group. That is, each core's LPs should be assigned exclusively either to the host partition or to guest VMs (via the CPU group's configuration); if the host partition takes only one thread of a core, the other thread must not be given to a guest VM.
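As an added example (not from the original article or the Hyper-V tooling), the PowerShell function below plans the host/guest LP split described above and enforces the SMT rule before anything is changed: it reads the core and LP counts, rejects a host LP count that would split a core, and emits the Minroot BCD settings named in the linked Hyper-V Host CPU Resource Management article together with the affinity list for the guest CPU group. It assumes that root VPs occupy the lowest-numbered LPs and that the threads of one core are enumerated adjacently (0,1 | 2,3 | ...), which should be verified on the host.

```powershell
# Added example: plan a Minroot / CPU-group split that keeps every SMT core
# entirely on one side. Assumptions: root VPs use the lowest-numbered LPs and
# sibling threads are adjacent LP numbers; verify both on the actual host.
function Get-HostGuestLpSplit {
    param(
        [int]$TotalLogicalProcessors,   # e.g. 32
        [int]$ThreadsPerCore,           # 1 without SMT, 2 with SMT
        [int]$HostLogicalProcessors     # LPs reserved for the root partition, e.g. 8
    )
    if ($TotalLogicalProcessors % $ThreadsPerCore -ne 0) {
        throw "LP count $TotalLogicalProcessors is not a multiple of $ThreadsPerCore threads per core"
    }
    # SMT rule from the article: the host must own whole cores, never a lone thread.
    if ($HostLogicalProcessors % $ThreadsPerCore -ne 0) {
        throw "Host LP count $HostLogicalProcessors would split an SMT core; use a multiple of $ThreadsPerCore"
    }
    if ($HostLogicalProcessors -le 0 -or $HostLogicalProcessors -ge $TotalLogicalProcessors) {
        throw "Host LP count must leave at least one core for guest VMs"
    }
    $hostLps  = 0..($HostLogicalProcessors - 1)
    $guestLps = $HostLogicalProcessors..($TotalLogicalProcessors - 1)
    [pscustomobject]@{
        HostLPs    = $hostLps
        GuestLPs   = $guestLps
        HostCores  = $HostLogicalProcessors / $ThreadsPerCore
        GuestCores = ($TotalLogicalProcessors - $HostLogicalProcessors) / $ThreadsPerCore
        # Minroot BCD settings (see the linked Hyper-V Host CPU Resource Management
        # article); rootprocpercore = ThreadsPerCore makes the root take whole cores.
        # A reboot is required for them to take effect.
        MinrootCommands = @(
            "bcdedit /set hypervisorrootprocpercore $ThreadsPerCore",
            "bcdedit /set hypervisorrootproc $HostLogicalProcessors"
        )
        # LP list to give the guest CPU group; the group/VM assignment syntax is
        # described in the linked Virtual Machine Resource Controls article.
        GuestGroupAffinity = ($guestLps -join ',')
    }
}

# Read the topology from the host rather than hard-coding it.
$cpu   = Get-CimInstance Win32_Processor
$cores = ($cpu | Measure-Object -Property NumberOfCores -Sum).Sum
$lps   = ($cpu | Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum
$plan  = Get-HostGuestLpSplit -TotalLogicalProcessors $lps -ThreadsPerCore ([int]($lps / $cores)) -HostLogicalProcessors 8
$plan | Format-List
```

On the 32-LP SMT host from the article's example this yields host LPs 0-7 (4 cores) and guest LPs 8-31 (12 cores); requesting 7 host LPs is rejected because it would leave one thread of a core on each side.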

For more information about the Minroot capability, see Hyper-V Host CPU Resource Management.

For more information about CPU Groups, see Virtual Machine Resource Controls.