ESXi 6.*, Meltdown and Spectre patches

VMware released patch ESXi600-201801402-BG etc. earlier.
We have already applied the BIOS update but have not applied the OS patches yet, since we have E5-2699 v4 CPUs.
After reading these KB articles, https://kb.vmware.com/s/article/52345
https://www.virtuallyghetto.com/2018/01/automating-intel-sighting-remediation-using-powercli-ssh-not-required.html
I have a couple of questions for experts who have applied the patches already.
1. Do we have to add the line cpuid.7.edx = "----:00--:----:----:----:----:----:----" to /etc/vmware/config?
2. Do we have to power-cycle the VMs after/before applying the OS patch?
I would appreciate your help.
sara2000 asked:
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
Have you applied ESXi600-201801402-BG?

Are your hosts affected by the issue? If so, yes, you need to make those changes.

e.g. your CPUs have the incorrect microcode.

Have you run the script that William Lam created?

sara2000 (author) commented:
Have you applied ESXi600-201801402-BG?
Yes.
Are your hosts affected by the issue?
This is where I am confused: if William's script reports "IntelSighting" as true, do I need the CPU line in the config?

Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
Okay, so you've applied the patch... your CPU is a Broadwell... its microcode is affected...

so from that VMware KB...

On each affected ESXi host, add the following line in the /etc/vmware/config file:
cpuid.7.edx = "----:00--:----:----:----:----:----:----"
This will hide the speculative-execution control mechanism for virtual machines which are power-cycled afterwards on the ESXi host.
This line will need to be removed after applying a future fixed microcode from Intel in order to enable the full guest OS mitigations for CVE-2017-5715.
When convenient, power-cycle virtual machines on the affected ESXi hosts; rebooting of the ESXi host is not required.
For stateless vSphere ESXi hosts using ESXi 5.5 or 6.0, this line must be re-applied every time the ESXi host reboots. VMware is investigating other options at this time.
For information on how to use a text editor, see Editing files on an ESX host using vi or nano (1020302).
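As an added example (not from the thread, not VMware's or William Lam's code), the KB 52345 steps Andrew quotes above can be scripted so the edit is idempotent and reversible: re-running it on a stateless host after each reboot, or on a host where someone already pasted the line, never leaves a duplicate `cpuid.7.edx` entry, and the same script removes the line once fixed microcode arrives. It assumes the standard `/etc/vmware/config` path (overridable for testing on a copy) and only the busybox tools present in the ESXi shell (`grep`, `mv`, `printf`). The mask string zeroes bits 27 (STIBP) and 26 (IBRS/IBPB) of CPUID leaf 7 EDX, which is what hides the speculative-execution controls from guests that are power-cycled afterwards.

```shell
#!/bin/sh
# Added example, not from the thread or from VMware: idempotently apply,
# check or remove the KB 52345 mask line in /etc/vmware/config on an
# ESXi 5.5/6.x host. The mask zeroes CPUID leaf 7 EDX bits 27 (STIBP)
# and 26 (IBRS/IBPB), so guests power-cycled afterwards no longer see
# the speculative-execution controls the affected microcode exposes.

MASK_KEY='cpuid.7.edx'
MASK_LINE='cpuid.7.edx = "----:00--:----:----:----:----:----:----"'

# 0 if the exact KB mask line is present in config file $1, 1 otherwise.
mask_present() {
    grep -Fxq -- "$MASK_LINE" "$1"
}

# Number of cpuid.7.edx assignments in $1 (should be 0 or 1, never more).
mask_count() {
    grep -c "^${MASK_KEY}[[:space:]]*=" "$1" || true
}

# Rewrite $1 without any cpuid.7.edx assignment, keeping every other line.
# Goes through a temp file in the same directory so a failed write can
# never truncate the live config. grep terminates its last output line
# with a newline, so the later append always starts on a fresh line.
strip_mask() {
    cfg="$1"
    tmp="${cfg}.tmp.$$"
    grep -v "^${MASK_KEY}[[:space:]]*=" "$cfg" > "$tmp" || true
    mv "$tmp" "$cfg"
}

# Ensure exactly one copy of the mask line is present (KB step 1).
# Safe to run on every boot of a stateless host.
apply_mask() {
    cfg="$1"
    mask_present "$cfg" && [ "$(mask_count "$cfg")" -eq 1 ] && return 0
    strip_mask "$cfg"
    printf '%s\n' "$MASK_LINE" >> "$cfg"
}

# Remove the mask once fixed Intel microcode is installed (KB follow-up
# step), re-exposing the CVE-2017-5715 mitigations to power-cycled guests.
remove_mask() {
    strip_mask "$1"
}

# CLI: sh intel-sighting-mask.sh apply|check|remove [config-path]
# With no action argument nothing is touched, so sourcing the file is safe.
case "${1:-}" in
    apply)  apply_mask  "${2:-/etc/vmware/config}" ;;
    remove) remove_mask "${2:-/etc/vmware/config}" ;;
    check)  if mask_present "${2:-/etc/vmware/config}"; then
                echo "mask present"
            else
                echo "mask absent"; exit 1
            fi ;;
    '')     : ;;
    *)      echo "usage: $0 apply|check|remove [config-path]" >&2; exit 2 ;;
esac
```

Run `sh intel-sighting-mask.sh apply` on each affected host, then `check` to confirm, and power-cycle the VMs at your convenience as the KB says; the host itself does not need a reboot. `check` exits non-zero when the line is absent, so it drops straight into a monitoring job that catches the stateless-host case where the line vanished on reboot.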
sara2000 (author) commented:
Thank you, Andrew, excellent explanation. One last question about the VMs: is it necessary to power-cycle them?

Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
Yes, but not the hosts.

sara2000 (author) commented:
I have added that line for the masked CPU to the /etc/vmware/config file.
I ran William's script again with Verify-ESXiMicrocodePatch -VMHost myhost, but the result is the same as before.
Is that OK, or did I do something wrong?

Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
I know William's script is not perfect.

If you've patched and have a CPU which is affected, you have done all you can at this time.

Restart VMs, at your convenience.

And patch the VMs!

sara2000 (author) commented:
Thanks, Andrew.