Protecting against vulnerabilities using HyperClear & Core Scheduler


In recent years, attackers have discovered sophisticated techniques which can exploit vulnerabilities in CPU hardware.

Remember the “Meltdown” and “Spectre” bugs in January 2018? In very basic terms, these bugs exploited Hyper-Threading technology to allow a virtual machine running on a processor core to observe data in the CPU cache for other virtual machines running on the same hardware.

To address these issues, Microsoft developed the “HyperClear” mitigation.
HyperClear implements multiple mitigation strategies which mostly work behind the scenes and require no configuration.

However, HyperClear also includes a “core scheduler”, which may require a system administrator to take action.

The traditional Hyper-V scheduler operates at the level of individual SMT threads (Simultaneous Multi-Threading). When making scheduling decisions, the Hyper-V scheduler would schedule a virtual processor onto an SMT thread without regard to what the sibling SMT threads of the same core were doing. Thus, a single physical core could be running virtual processors from different Virtual Machines (VMs) simultaneously (see below).

[Figure: CPU_Core_bug]

Starting in Windows Server 2016, Hyper-V introduced a new scheduler implementation for SMT systems known as the “Core Scheduler”, which addresses the issue by giving a virtual machine exclusive access to a physical core, so that the core is never shared with another VM simultaneously.

[Figure: CPU_HyperClear]

For Windows and Hyper-V Server 2019, you do not need to do anything at the hypervisor level, but you still need to enable the virtual machines to use core scheduling. For Windows and Hyper-V Server 2016, you must manually switch the scheduler type on the hypervisor.
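The checks and changes described above, as an added PowerShell example that is not part of the original post. The `bcdedit hypervisorschedulertype` setting, the Hyper-V-Hypervisor event ID 2 scheduler report and the `Set-VMProcessor -HwThreadCountPerCore` parameter are assumed from Microsoft's Hyper-V documentation rather than taken from this page; run it in an elevated PowerShell session on the Hyper-V host.

```powershell
# Added example (not from the original post): inspect and set the Hyper-V scheduler
# type and the per-VM SMT setting. Command names and event semantics are assumed
# from Microsoft's Hyper-V documentation.

# 1. Which scheduler is the hypervisor running right now?
#    Assumed: the hypervisor logs its scheduler type at boot as event ID 2 of the
#    Microsoft-Windows-Hyper-V-Hypervisor provider (1 = classic, 2 = core, 3 = root).
function Get-HvSchedulerType {
    $evt = Get-WinEvent -FilterHashtable @{
        ProviderName = 'Microsoft-Windows-Hyper-V-Hypervisor'; Id = 2
    } -MaxEvents 1 -ErrorAction Stop
    $types = @{ 1 = 'Classic'; 2 = 'Core'; 3 = 'Root' }
    $code  = [int]$evt.Properties[0].Value   # assumed: first property carries the type
    if ($types.ContainsKey($code)) { $types[$code] } else { "Unknown ($code)" }
}

# 2. Windows Server 2016: switch the hypervisor to the core scheduler (host reboot needed).
#    On Windows Server 2019 the core scheduler is already the default, so skip this step.
function Enable-HvCoreScheduler {
    bcdedit /set hypervisorschedulertype core | Out-Null
    Write-Warning 'The scheduler type change takes effect after the host is rebooted.'
}

# 3. Per-VM step: set how many hardware threads per core the VM is allowed to use.
#    Assumed semantics: 0 = inherit the host SMT setting, 1 = one thread per core
#    (the guest sees no SMT). The VM must be powered off to change this value.
function Set-VMCoreScheduling {
    param([string[]]$VMName = (Get-VM).Name, [int]$ThreadsPerCore = 1)
    foreach ($name in $VMName) {
        if ((Get-VM -Name $name).State -ne 'Off') {
            Write-Warning "$name is not powered off; skipping HwThreadCountPerCore change."
            continue
        }
        Set-VMProcessor -VMName $name -HwThreadCountPerCore $ThreadsPerCore
    }
}

# 4. Audit: show each VM's current setting so VMs still inheriting (0) stand out.
function Get-VMSmtSetting {
    Get-VMProcessor -VMName (Get-VM).Name |
        Select-Object VMName, HwThreadCountPerCore |
        Sort-Object HwThreadCountPerCore
}

"Hypervisor scheduler: $(Get-HvSchedulerType)"
Get-VMSmtSetting | Format-Table -AutoSize
```

Run `Enable-HvCoreScheduler` only on a 2016 host and reboot before relying on `Get-HvSchedulerType`, since the event is written at hypervisor start.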
