The Spectre and Meltdown vulnerabilities have admins scrambling for safety, and virtualization presents a particular challenge -- one that requires host and VM protection in order to maintain Hyper-V security.
These vulnerabilities stem from speculative execution in the CPU hardware itself, so there is no single fix: mitigation is a combination of new CPU microcode, delivered through vendor firmware updates, and OS software patches that use it. Microsoft Hyper-V admins can start the process by using the following steps to protect their hosts and VMs.
Install the patches
You can find patches for the Spectre and Meltdown vulnerabilities for Microsoft OSes in the Microsoft Update Catalog or from Windows Update and Windows Server Update Services. Microsoft has revised many of these patches, so watch for future revisions, as you might have to reinstall them to keep VM and Hyper-V security current.
Installing the update alone does not turn the mitigations on in Windows Server; the two registry values below enable them (FeatureSettingsOverrideMask 3 selects both the Spectre variant 2 and the Meltdown mitigation, and FeatureSettingsOverride 0 leaves both enabled). Add them to your Windows VMs via deployment software -- such as System Center Configuration Manager -- a script or a group policy, and remember that they only take effect after a restart.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
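The same two values applied and read back with PowerShell, for admins who script this step instead of pushing the reg commands through Configuration Manager. This is an added example and not code from the original article; the VM names and the use of PowerShell remoting (Invoke-Command against the guests) are assumptions.

```powershell
# Added example: apply and verify the Meltdown/Spectre mitigation switches on Windows VMs.
# Assumes PowerShell remoting is enabled in the guests and that $VMNames resolves to them.
$VMNames = @('vm-web01', 'vm-sql01')   # assumed names, replace with your own

$MemMgmt = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

# Mask 3 selects bits 0 (Spectre variant 2, CVE-2017-5715) and 1 (Meltdown, CVE-2017-5754);
# Override 0 leaves both bits clear, which means both mitigations are enabled.
$Expected = @{ FeatureSettingsOverride = 0; FeatureSettingsOverrideMask = 3 }

$Result = Invoke-Command -ComputerName $VMNames -ScriptBlock {
    param($Path, $Values)
    foreach ($name in $Values.Keys) {
        # Set-ItemProperty creates the value if it is missing and overwrites it if present,
        # the same effect as "reg add ... /f"
        Set-ItemProperty -Path $Path -Name $name -Value $Values[$name] -Type DWord
    }
    # Read the values back so the report reflects what is actually in the registry
    $actual = Get-ItemProperty -Path $Path
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Override = $actual.FeatureSettingsOverride
        Mask     = $actual.FeatureSettingsOverrideMask
        OK       = ($actual.FeatureSettingsOverride -eq $Values.FeatureSettingsOverride) -and
                   ($actual.FeatureSettingsOverrideMask -eq $Values.FeatureSettingsOverrideMask)
    }
} -ArgumentList $MemMgmt, $Expected

$Result | Format-Table Computer, Override, Mask, OK

# The new values only take effect once each VM has been fully powered off and started again.
```

Any guest reporting OK = False still needs attention before you move on; a VM that was never restarted after the values were written will also report the mitigations as not enabled when you run the check later. On the Hyper-V host itself, Microsoft's KB4072698 guidance for Windows Server additionally sets the REG_SZ value MinVmVersionForCpuBasedMitigations to "1.0" under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization so that the host exposes the mitigations to its VMs; that host-side value is part of Microsoft's guidance rather than of this article.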
Install the new host BIOS
The firmware update from your hardware vendor carries the new CPU microcode. Without it on the host, the OS patches cannot enable the hardware-assisted mitigations, your VMs won't be completely protected, and Hyper-V security remains exposed to the variants that need microcode support, notably Spectre variant 2 (branch target injection). Go to your vendor's site for your host hardware.
At the time of writing, Dell and HP have recalled initial BIOS updates because of instability, so monitor your vendors to see when the next stable release becomes available.
Shut down and restart your VMs
Perform a full power-off and power-on, not just a reboot inside the guest OS, so the Hyper-V VMs pick up the CPU features exposed by the newly installed BIOS. You can use a simple PowerShell command to shut down and restart VMs sequentially, or you can do this manually, depending on your scale and your customers' tolerance for brief service interruptions.
To do this with a PowerShell script, use the following:
# Record which VMs are running first, so exactly that set is started again afterwards
$VM = Get-VM | Where-Object State -eq "Running"
# Stop-VM performs a guest shutdown and powers the VM off; a VM has to be powered off, not merely rebooted, to see the new CPU features
Stop-VM -VM $VM
Start-VM -VM $VM
Check that the VM is protected
From within the Windows VM, follow these steps to check your protection against the Meltdown and Spectre security flaws.
- Download these test scripts -- SpeculationControl.psd1, SpeculationControl.psm1 and SpeculationControl-runme.ps1 -- and place them in a folder on the Hyper-V Windows VM called c:\Spectre_Meltdown. Make sure to adjust for the correct path when working from the command line.
- Open PowerShell and change your directory to the location of your scripts, CD C:\Spectre_Meltdown.
- Run Import-Module .\SpeculationControl.psd1.
- Run Get-SpeculationControlSettings.
- If patched correctly, your results should look like those shown in Figure A below.
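Reading the output by eye works for one VM; across a fleet you want the check to turn the module's output into a verdict that says which step is missing. The script below is an added example, not part of the original article or of Microsoft's module. It assumes the module is importable from the C:\Spectre_Meltdown folder described above (Microsoft also publishes it to the PowerShell Gallery as SpeculationControl), and it assumes the property names the module returned in its early-2018 releases (BTIHardwarePresent, BTIWindowsSupportPresent, BTIWindowsSupportEnabled, KVAShadowRequired, KVAShadowWindowsSupportPresent, KVAShadowWindowsSupportEnabled) and the -Quiet switch; drop -Quiet if your copy does not have it.

```powershell
# Added example: turn Get-SpeculationControlSettings output into a pass/fail verdict
# with a pointer to the step that is still missing. Run inside the Windows VM.
Import-Module C:\Spectre_Meltdown\SpeculationControl.psd1   # assumed path, see the steps above

function Test-SpectreMeltdownMitigation {
    # -Quiet suppresses the descriptive text; the object with the settings is still returned (assumption)
    $s = Get-SpeculationControlSettings -Quiet

    $findings = @()

    # Spectre variant 2 (branch target injection, BTI) needs three things in order:
    # the OS patch, the CPU microcode from the host firmware, and the registry switch.
    if (-not $s.BTIWindowsSupportPresent) {
        $findings += 'Spectre v2: OS update not installed (BTIWindowsSupportPresent = False)'
    }
    elseif (-not $s.BTIHardwarePresent) {
        # Microcode reaches the guest only via the host BIOS plus a full VM power-off and start
        $findings += 'Spectre v2: no microcode support visible; install host BIOS and cold-restart the VM (BTIHardwarePresent = False)'
    }
    elseif (-not $s.BTIWindowsSupportEnabled) {
        $findings += 'Spectre v2: mitigation present but disabled; set FeatureSettingsOverride/Mask and restart (BTIWindowsSupportEnabled = False)'
    }

    # Meltdown (kernel VA shadowing) only applies to CPUs the module flags as requiring it
    if ($s.KVAShadowRequired) {
        if (-not $s.KVAShadowWindowsSupportPresent) {
            $findings += 'Meltdown: OS update not installed (KVAShadowWindowsSupportPresent = False)'
        }
        elseif (-not $s.KVAShadowWindowsSupportEnabled) {
            $findings += 'Meltdown: mitigation present but disabled; set FeatureSettingsOverride/Mask and restart (KVAShadowWindowsSupportEnabled = False)'
        }
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Protected = ($findings.Count -eq 0)
        Findings  = $findings
        Raw       = $s
    }
}

$verdict = Test-SpectreMeltdownMitigation
$verdict | Select-Object Computer, Protected | Format-Table
$verdict.Findings | ForEach-Object { Write-Warning $_ }
```

The order of the checks matters: BTIHardwarePresent being False on a VM whose host already has the new BIOS almost always means the VM was rebooted from inside the guest rather than powered off, so the verdict points at the restart step rather than at the firmware. To run this against many guests, copy the module into each VM and wrap the function call in Invoke-Command, as the registry example earlier does.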
The PostgreSQL and Riak projects have reported performance hits of roughly 23% and 50% respectively on some workloads. The effect won't always be that severe, but there will certainly be a cost, so use your monitoring tools to make the appropriate adjustments.
Vendor adjustments over the coming weeks and months will most likely refine the fixes and claw back some of the performance loss, but plan on having fewer processing resources going forward.
Watch out for potential roadblocks
Keep an eye on host and VM instability, which will most likely show up as hosts or VMs blue-screening. Some BIOS and firmware releases have already been recalled, so don't assume you have the latest version without double-checking.
There's no failback without a shutdown. Processor Compatibility Mode won't save you if you want to go back to an unpatched host: a live migration from a patched host to an unpatched one will crash the VM. If you need to go back, shut the VM down and start it again on the unpatched host.
In other words, you can't live-migrate VMs that were started on a patched host to an unpatched host. Going from unpatched to patched hosts isn't a problem, but the VM won't gain the new protection until it is shut down and started again.
This patching process effectively changes what Processor Compatibility Mode hides: the new processor instruction settings remain visible to the VM even in that mode. So if you rely on this setting, every host the VM can move to must carry all the patches and adjustments associated with the Meltdown and Spectre fix, although the hosts can still be from different processor families.
If you choose not to patch your hosts and VMs for the Spectre and Meltdown vulnerabilities, a public exploit will eventually catch up with you. Patching shouldn't be a question, so patch your hosts and your Hyper-V VMs.
The state of Hyper-V security in your virtual host environment isn't something you should neglect. Assess your current resources to ensure stable performance levels and decide when the best time to patch the vulnerabilities is for both your hosts and VMs. A balance among security, performance and stability needs to be maintained, but don't forego patching indefinitely.