Sunday, 19 October 2014

Additional Transparent Page Sharing management capabilities in ESXi 5.5 patch October 16, 2014 and ESXi 5.1 and 5.0 patches in Q4, 2014 (2091682)

Details

This article documents the additional Transparent Page Sharing (TPS) management capabilities that are introduced in the following releases:
  • ESXi 5.5 patch released October 16, 2014 (see KB2087359 for patch details)
  • ESXi 5.1 patch planned for Q4, 2014
  • ESXi 5.0 patch planned for Q4, 2014

The article explains the concept of salting and the corresponding configuration options.

Please refer to KB2080735 for changes to the default TPS setting that are planned for upcoming ESXi Update releases. These changes are related to recent academic research that leverages Transparent Page Sharing (TPS) to gain unauthorized access to data under certain highly controlled conditions.

Solution

Prompted by the security concern explained in KB2080735, the concept of salting has been introduced; it can be used to control which virtual machines participate in TPS with each other. Previously, for two virtual machines to share a page, only the contents of the pages had to be identical. With salting, the salt values of the two virtual machines must also be identical in addition to the page contents.

A new host config option Mem.ShareForceSalting is introduced to enable or disable salting.

By default salting is disabled (Mem.ShareForceSalting=0). This means TPS behaves as it did before this patch, that is, all the virtual machines on an ESXi host participate in TPS with each other.

When salting is enabled (Mem.ShareForceSalting=1), two VMs can share a page only if both their salt values and the content of the page are the same. The salt value is a configurable VMX option for each virtual machine and can be specified manually in the virtual machine's vmx file with the new VMX option sched.mem.pshare.salt. If this option is not present in the virtual machine's vmx file, the value of the vc.uuid VMX option is used as the default. Since vc.uuid is unique to each virtual machine, by default TPS then happens only among pages belonging to one particular virtual machine (intra-VM).

If a group of virtual machines is trusted to share pages among themselves, a common salt value can be configured for all of them, which makes them participate in TPS with each other (inter-VM).

The behavior of the new config option is as follows:
  • Mem.ShareForceSalting = 0 [Default]: Inter-VM TPS behavior is retained. The VMX option sched.mem.pshare.salt, even if present, is ignored.
  • Mem.ShareForceSalting = 1: By default the salt value is generated from vc.uuid for each virtual machine; vc.uuid is a unique, randomly generated string assigned to a virtual machine by vCenter. If the VMX option sched.mem.pshare.salt is configured manually, it overrides the default value derived from vc.uuid.

To address the security concern explained in KB2080735, inter-VM TPS can be disabled by setting Mem.ShareForceSalting to 1. The VMX config option sched.mem.pshare.salt can then be used to selectively enable TPS among trustworthy virtual machines as explained above.

Frequently Asked Questions

Where can I find more information on Transparent Page Sharing?

For more information on page sharing, see Transparent Page Sharing (TPS) in hardware MMU systems (KB1021095).

What is the default behavior of Transparent Page Sharing in the above-mentioned patch releases?

By default, Mem.ShareForceSalting is set to 0, which means inter-VM page sharing is enabled. This is the same as the TPS behavior in all older releases.

How can I disallow inter-VM TPS?

This is done by enabling salting.

How can I enable/disable salting?

Set the advanced memory config option Mem.ShareForceSalting to 1 (enable) or 0 (disable):
  1. Log in to ESXi or vCenter with the VI Client.
  2. Select the relevant ESXi host.
  3. In the Configuration tab, click the Advanced Settings link under the Software section.
  4. In the Advanced Settings window, click Mem.
  5. Look for Mem.ShareForceSalting and set the value to 1 (enable salting) or 0 (disable salting).
  6. Click OK.
  7. The new setting applies to VMs as they are powered on or migrated onto the host. To make it take effect on running VMs immediately, do one of the following:

    • Migrate all the VMs to another host in the cluster and back to the original host, or
    • Gracefully shut down and power on the VMs.

How can I allow inter-VM TPS between two or more virtual machines?

Inter-VM TPS is enabled for two or more VMs by enabling salting on the host and giving those VMs the same salt value.

How can I specify the salt value of a virtual machine?

Steps to specify the salt value for a VM:
  1. Log in to ESXi or vCenter with the VI Client.
  2. Select the relevant ESXi host.
  3. In the Configuration tab, click the Advanced Settings link under the Software section.
  4. In the Advanced Settings window, click Mem.
  5. Look for Mem.ShareForceSalting and set the value to 1.
  6. Click OK.
  7. Power off the VM for which you want to set the salt value.
  8. Right-click the VM and click Edit Settings.
  9. Select the Options tab and click General under the Advanced section.
  10. Click Configuration Parameters…
  11. Click Add Row; a new row is added.
  12. In the left-hand column enter sched.mem.pshare.salt and in the right-hand column enter the chosen string.
  13. Power on the VM for the salt to take effect.
  14. Repeat steps 7 to 13 to set the salt value for each individual VM.
  15. Giving several VMs the same salt value allows page sharing across those VMs.

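The per-VM steps above can be scripted for a whole group of trusted VMs. The following PowerCLI script is an added example and is not part of the KB or the script it mentions; it assumes VMware PowerCLI is loaded, a session already opened with Connect-VIServer, and the VM names, host name and salt string at the bottom are placeholders. It refuses to edit a running VM (the KB sets the option on a powered-off VM, and the value only takes effect at the next power-on) and then reports which VMs on a host carry an explicit salt and which fall back to vc.uuid.

```powershell
# Added example, not part of the KB: give a group of trusted VMs one common
# sched.mem.pshare.salt so they can share pages with each other while
# Mem.ShareForceSalting=1 leaves every other VM sharing only within itself.
# Assumes VMware PowerCLI is loaded and Connect-VIServer has been run.

function Set-PshareSalt {
    param(
        [Parameter(Mandatory)][string[]]$VMName,
        [Parameter(Mandatory)][string]$Salt
    )
    foreach ($name in $VMName) {
        $vm = Get-VM -Name $name
        # The KB edits the option on a powered-off VM; the new value takes
        # effect at the next power-on, so do not touch a running VM.
        if ($vm.PowerState -ne 'PoweredOff') {
            Write-Warning "$name is $($vm.PowerState); power it off first. Skipping."
            continue
        }
        $existing = Get-AdvancedSetting -Entity $vm -Name 'sched.mem.pshare.salt' -ErrorAction SilentlyContinue
        if ($existing) {
            Set-AdvancedSetting -AdvancedSetting $existing -Value $Salt -Confirm:$false | Out-Null
        } else {
            New-AdvancedSetting -Entity $vm -Name 'sched.mem.pshare.salt' -Value $Salt -Confirm:$false | Out-Null
        }
        Write-Host "$name : sched.mem.pshare.salt set; takes effect at next power-on"
    }
}

# Report, for every VM on one host, whether it carries an explicit salt (and so
# can share with other VMs that have the same salt) or falls back to vc.uuid
# (intra-VM sharing only once the host has Mem.ShareForceSalting=1).
function Get-PshareSaltReport {
    param([Parameter(Mandatory)][string]$VMHostName)
    $vmhost = Get-VMHost -Name $VMHostName
    $forceSalting = (Get-AdvancedSetting -Entity $vmhost -Name 'Mem.ShareForceSalting').Value
    foreach ($vm in Get-VM -Location $vmhost | Sort-Object Name) {
        $salt = (Get-AdvancedSetting -Entity $vm -Name 'sched.mem.pshare.salt' -ErrorAction SilentlyContinue).Value
        [pscustomobject]@{
            VM               = $vm.Name
            PowerState       = $vm.PowerState
            HostForceSalting = $forceSalting   # 0: salts ignored, inter-VM TPS for all
            Salt             = if ($salt) { $salt } else { '(default: vc.uuid, intra-VM only)' }
        }
    }
}

# Placeholder usage: three app-tier VMs may share pages only with each other.
# Set-PshareSalt -VMName 'app01','app02','app03' -Salt 'app-tier-shared-salt'
# Get-PshareSaltReport -VMHostName 'esxi01.example.com' | Format-Table -AutoSize
```

The report column HostForceSalting is there because a salt on the VM does nothing while the host still has Mem.ShareForceSalting=0; checking both values together avoids assuming isolation that the host has not actually enforced.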
How can I prepare for the ESXi Update releases that no longer allow inter-VM TPS by default?

VMware recommends monitoring the free memory available on the host, along with the total ballooned and total swapped memory, before disallowing inter-VM TPS. Once inter-VM TPS is disabled, available free memory might drop, which can in turn lead to increased ballooning and swapping. If increased ballooning and swapping activity is observed along with noticeable performance issues, more physical memory can be added to the host or the memory load on the host can be reduced.

To monitor these statistics, run esxtop(1):
  1. Run esxtop on the host and switch to memory mode by pressing m.
  2. free in the ‘PMEM /MB’ row gives the free memory available on the host.
  3. curr in the ‘MEMCTL/MB’ row gives the total ballooned memory.
  4. curr in the ‘SWAP/MB’ row gives the total swapped memory.

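Reading esxtop by hand on every host does not scale, and the KB's advice depends on comparing the figures before and after inter-VM TPS is turned off. The following PowerCLI functions are an added example, not part of the KB; they assume PowerCLI is loaded with an open Connect-VIServer session, use the standard vSphere performance counters mem.vmmemctl.average (ballooned) and mem.swapused.average (swapped), both reported in KB, and take free memory from the host's total minus used memory as PowerCLI reports it. The CSV path is a placeholder.

```powershell
# Added example, not part of the KB: capture per host the three numbers the
# esxtop steps above read by hand (free, ballooned, swapped) plus the current
# Mem.ShareForceSalting value, so a baseline taken before disabling inter-VM
# TPS can be compared with a sample taken afterwards.
# Assumes PowerCLI and an existing Connect-VIServer session.

function Get-TpsMemorySnapshot {
    foreach ($vmhost in Get-VMHost | Sort-Object Name) {
        # One real-time sample per counter; Instance '' is the host-wide value.
        $stats = Get-Stat -Entity $vmhost -Stat 'mem.vmmemctl.average','mem.swapused.average' `
                          -Realtime -MaxSamples 1 | Where-Object { $_.Instance -eq '' }
        $ballooned = ($stats | Where-Object { $_.MetricId -eq 'mem.vmmemctl.average' } | Select-Object -First 1).Value
        $swapped   = ($stats | Where-Object { $_.MetricId -eq 'mem.swapused.average' } | Select-Object -First 1).Value
        [pscustomobject]@{
            Timestamp         = Get-Date
            Host              = $vmhost.Name
            ShareForceSalting = (Get-AdvancedSetting -Entity $vmhost -Name 'Mem.ShareForceSalting').Value
            FreeMB            = [math]::Round($vmhost.MemoryTotalMB - $vmhost.MemoryUsageMB)
            BalloonedMB       = [math]::Round([double]$ballooned / 1024)   # counter is in KB
            SwappedMB         = [math]::Round([double]$swapped / 1024)     # counter is in KB
        }
    }
}

# Compare two snapshots and flag hosts where ballooning or swapping grew
# after the change; these are the hosts the KB says may need more physical
# memory or a lighter VM load.
function Compare-TpsMemorySnapshot {
    param(
        [Parameter(Mandatory)]$Before,
        [Parameter(Mandatory)]$After
    )
    foreach ($b in $Before) {
        $a = $After | Where-Object { $_.Host -eq $b.Host } | Select-Object -First 1
        if (-not $a) { continue }
        [pscustomobject]@{
            Host            = $b.Host
            FreeDeltaMB     = $a.FreeMB - $b.FreeMB
            BalloonDeltaMB  = $a.BalloonedMB - $b.BalloonedMB
            SwapDeltaMB     = $a.SwappedMB - $b.SwappedMB
            NeedsAttention  = ($a.BalloonedMB -gt $b.BalloonedMB) -or ($a.SwappedMB -gt $b.SwappedMB)
        }
    }
}

# Placeholder usage:
# $before = Get-TpsMemorySnapshot; $before | Export-Csv 'C:\tps\before.csv' -NoTypeInformation
# ... set Mem.ShareForceSalting=1 and cycle/migrate the VMs, then wait for load to settle ...
# $after  = Get-TpsMemorySnapshot
# Compare-TpsMemorySnapshot -Before $before -After $after | Format-Table -AutoSize
```

Take the "after" sample only once the VMs have been power-cycled or migrated back, because until then the host is still sharing pages under the old setting and the comparison tells you nothing.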
If I followed KB2080735 to disable TPS, do I need to take any additional measures?

Yes. If you followed KB2080735, you need to re-enable TPS by setting Mem.ShareScanGHz back to its default (4). The PowerCLI script below takes care of restoring the default.

How can I enable/disable salting for multiple ESXi hosts?

The PowerCLI script attached to the original KB (pshare-salting.ps1) toggles pshare salting on hosts that carry the October/November patches.

Usage

.\pshare-salting.ps1 <vcenter IP/hostname> -s -> Enables pshare salting

.\pshare-salting.ps1 <vcenter IP/hostname> -o -> Turns off pshare salting and falls back to the default TPS behavior.
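The attached pshare-salting.ps1 is not reproduced on this page. The script below is an added example of the same idea written for this article; it is not VMware's script and makes no claim about how that script works. It performs, across every host (or a named subset) in a vCenter, the Advanced Settings steps from "How can I enable/disable salting?" and the Mem.ShareScanGHz reset from the previous answer. It assumes VMware PowerCLI is installed, that the hosts already carry the patch that introduces Mem.ShareForceSalting (the script stops on a host where the option is absent), and the vCenter name on the command line is a placeholder.

```powershell
# Added example, not the KB's attached pshare-salting.ps1: toggle
# Mem.ShareForceSalting on many ESXi hosts from one vCenter connection and
# restore Mem.ShareScanGHz to its default of 4 on hosts where KB2080735
# had been used to switch TPS off.
# Assumes VMware PowerCLI is installed; <vcenter> below is a placeholder.
#
#   .\tps-salting-example.ps1 -VIServer vcenter.example.com -Salting Enable
#   .\tps-salting-example.ps1 -VIServer vcenter.example.com -Salting Disable -HostName esxi01,esxi02

param(
    [Parameter(Mandatory)][string]$VIServer,
    [Parameter(Mandatory)][ValidateSet('Enable','Disable')][string]$Salting,
    [string[]]$HostName          # optional: limit to these hosts, default is every host
)

# Set one host-level advanced option only if it differs, and report the change.
function Set-HostAdvancedValue {
    param($VMHost, [string]$Name, $Value)
    $setting = Get-AdvancedSetting -Entity $VMHost -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $setting) {
        throw "$($VMHost.Name): option $Name not found; the host may not have the TPS salting patch"
    }
    if ("$($setting.Value)" -ne "$Value") {
        Set-AdvancedSetting -AdvancedSetting $setting -Value $Value -Confirm:$false | Out-Null
        "$($VMHost.Name): $Name $($setting.Value) -> $Value"
    } else {
        "$($VMHost.Name): $Name already $Value"
    }
}

Connect-VIServer -Server $VIServer | Out-Null
try {
    $targets = if ($HostName) { Get-VMHost -Name $HostName } else { Get-VMHost }
    $forceSalting = if ($Salting -eq 'Enable') { 1 } else { 0 }

    foreach ($vmhost in $targets | Sort-Object Name) {
        Set-HostAdvancedValue -VMHost $vmhost -Name 'Mem.ShareForceSalting' -Value $forceSalting
        # Hosts where TPS scanning had been disabled per KB2080735 need the
        # default scan rate back, otherwise no sharing happens either way.
        Set-HostAdvancedValue -VMHost $vmhost -Name 'Mem.ShareScanGHz' -Value 4
    }

    Write-Host 'Done. The setting applies to VMs as they power on or migrate onto the host;'
    Write-Host 'vMotion the running VMs away and back, or power-cycle them, for immediate effect.'
} finally {
    Disconnect-VIServer -Server $VIServer -Confirm:$false
}
```

Because the host option alone does not affect VMs that are already running, the script only changes the configuration and leaves the migration or power cycle to the operator, exactly as step 7 of the manual procedure does.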
Source KB:-
http://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=2091682&src=vmw_so_vex_ragga_1012
