Alternative protection for Windows Server 2016 Hyper-V hosts against the speculative execution side-channel vulnerabilities

The mitigations recommended in the Windows Server guidance for protecting against speculative execution side-channel vulnerabilities include applying updated system firmware in order to achieve the full benefit of all known protections. This topic explains an alternative protection mechanism against CVE-2017-5715 (branch target injection) for Windows Server 2016 Hyper-V hosts that do not yet have updated firmware.

These hosts may be configured to provide isolation between the virtual processors (VPs) used for the Hyper-V host's root partition and those used for guest virtual machines. Two features in Windows Server 2016 Hyper-V allow for such a configuration:

  • The minimum root, or "Minroot", capability allows the host administrator to constrain the Hyper-V host partition to run its virtual processors on a subset of the system's total logical processors (LPs). The remaining LPs are still available to the hypervisor to run virtual machines.

  • The CPU Groups feature may be employed to constrain guest VM virtual processors to specific LPs.

By combining these two features, a Hyper-V host administrator can fully isolate the host's Hyper-V activity to a separate set of processors, and isolate all guest activity to the remaining processors.

For example, on a system with 32 logical processors, the Hyper-V host can be configured to use only eight processors, with the remaining 24 processors dedicated to a CPU group that contains all guest virtual machines on that host. In this manner, full segregation is achieved between the host partition and the guest virtual machines.

On systems with simultaneous multi-threading (SMT) enabled, make sure that a core containing two SMT threads is not shared between the host partition and the CPU group. That is, each core's LPs should be assigned exclusively either to the host partition or to guest VMs (via the CPU group's configuration).
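The following PowerShell script is an added example and is not part of the Microsoft page or its linked documentation. It plans the 32-LP / 8-host-LP split described above, checks that the host/guest boundary does not cut through an SMT core, and emits the Minroot and CPU Groups commands for it. Several things are assumptions: the `bcdedit` option `hypervisorrootproccount` and the `CpuGroups.exe` verbs `CreateGroup` and `SetVmGroup` are taken from Microsoft's separate Minroot and CPU Groups documentation rather than from this page, LP numbering is assumed to place SMT siblings on adjacent indices (0/1, 2/3, ...), and the VM names are constructed for the example.

```powershell
# Added example (not Microsoft's code): plan, and optionally apply, a Minroot + CPU
# Groups split that keeps root-partition VPs and guest VPs on disjoint SMT cores.
# Assumptions: 'bcdedit /set hypervisorrootproccount' and the CpuGroups.exe verbs
# CreateGroup / SetVmGroup are as documented by Microsoft elsewhere; SMT siblings
# occupy adjacent LP indices, so a host LP count that is a multiple of the
# threads-per-core value never splits a core.

# $true when the host/guest boundary falls on a core boundary, i.e. no physical
# core would have one SMT thread in the root partition and one in the guest group.
function Test-SmtSafeSplit {
    param([int]$HostLPs, [int]$ThreadsPerCore)
    if ($ThreadsPerCore -lt 1 -or $HostLPs -lt 1) { return $false }
    return (($HostLPs % $ThreadsPerCore) -eq 0)
}

# Affinity bitmask for the guest CPU group: one bit per LP, with bits
# HostLPs .. TotalLPs-1 set. For 32 LPs and 8 host LPs this is 0xFFFFFF00.
function Get-GuestAffinityMask {
    param([int]$TotalLPs, [int]$HostLPs)
    if ($TotalLPs -gt 64) { throw 'This example handles a single 64-bit mask only' }
    if ($HostLPs -ge $TotalLPs) { throw 'No LPs would remain for guests' }
    [uint64]$mask = 0
    for ($lp = $HostLPs; $lp -lt $TotalLPs; $lp++) {
        $mask = $mask -bor ([uint64]1 -shl $lp)
    }
    return ('0x{0:X}' -f $mask)
}

# Reads the real LP and core counts from the running host (Win32_Processor is a
# standard WMI/CIM class) so the threads-per-core value is not guessed.
function Get-HostTopology {
    $cpus  = Get-CimInstance -ClassName Win32_Processor
    $lps   = ($cpus | Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum
    $cores = ($cpus | Measure-Object -Property NumberOfCores -Sum).Sum
    [pscustomobject]@{
        TotalLPs       = $lps
        Cores          = $cores
        ThreadsPerCore = [int]($lps / $cores)
    }
}

# Builds the command list for the split. Without -Apply it only returns the
# commands, so an administrator can review them first; Minroot takes effect
# after a reboot, CPU group assignment applies to the named VMs.
function New-HostGuestIsolation {
    param(
        [int]$TotalLPs,
        [int]$HostLPs,
        [int]$ThreadsPerCore,
        [string[]]$GuestVmNames,
        [switch]$Apply
    )
    if (-not (Test-SmtSafeSplit -HostLPs $HostLPs -ThreadsPerCore $ThreadsPerCore)) {
        throw "HostLPs=$HostLPs would split an SMT core (threads per core: $ThreadsPerCore)"
    }
    $groupId = [guid]::NewGuid().ToString().ToUpper()
    $mask    = Get-GuestAffinityMask -TotalLPs $TotalLPs -HostLPs $HostLPs

    $commands = @(
        # Minroot: root-partition VPs limited to the first $HostLPs LPs.
        "bcdedit /set hypervisorrootproccount $HostLPs"
        # CPU group covering only the remaining LPs.
        "CpuGroups.exe CreateGroup /GroupId:$groupId /GroupAffinity:$mask"
    )
    foreach ($vm in $GuestVmNames) {
        $commands += "CpuGroups.exe SetVmGroup /VmName:`"$vm`" /GroupId:$groupId"
    }
    if ($Apply) {
        foreach ($cmd in $commands) { Invoke-Expression $cmd }
    }
    return $commands
}

# Dry run of the page's 32-LP example with two constructed VM names.
$plan = New-HostGuestIsolation -TotalLPs 32 -HostLPs 8 -ThreadsPerCore 2 `
            -GuestVmNames @('Guest-A', 'Guest-B')
$plan
```

Run the dry run first and compare the emitted mask against the host's real topology from `Get-HostTopology`; a host LP count of 7 on a 2-threads-per-core system is rejected because LP 7's sibling (LP 6) would stay with the root partition while LP 7 went to guests, which is exactly the shared core the paragraph above warns against.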

For more information about the Minroot capability, see Hyper-V Host CPU Resource Management.

For more information about CPU Groups, see Virtual Machine Resource Controls.