Some time back, VMware has updated one of KBs on “Hypervisor-Assisted Guest Mitigation for branch target injection”. Please take a look at this KB here. In this KB, there is one important section on “how to confirm a host has both patched microcode and patched VMware hypervisor?” In fact, there are multiple ways to confirm it and one of the ways is specified in the KB itself i.e. scanning VM vmware.log file for new cpuids. Last time, I had automated exactly the same way using PowerCLI. Since there is a very handy host level vSphere API property available to confirm these patches, I thought to write a quick pyVmomi script. This will be very handy for people who prefer pyVmomi. Also as it uses native vSphere APIs, it will be faster than its PowerCLI equivalent.
This script i.e. hosts_patched.py available on my git repo as well.
from pyVim.connect import SmartConnect, Disconnect from pyVmomi import vim import atexit import ssl import sys import argparse import getpass # Script to confirm whether EVC cluster is patched or not for Spectre vulenerability. def get_args(): """ Get arguments from CLI """ parser = argparse.ArgumentParser( description='Arguments for talking to vCenter') parser.add_argument('-s', '--host', required=True, action='store', help='vSpehre service to connect to') parser.add_argument('-o', '--port', type=int, default=443, action='store', help='Port to connect on') parser.add_argument('-u', '--user', required=True, action='store', help='Username to use') parser.add_argument('-p', '--password', required=False, action='store', help='Password to use') parser.add_argument('-c', '--cluster', required=True, action='store', default=None, help='Name of the cluster you wish to check') args = parser.parse_args() if not args.password: args.password = getpass.getpass( prompt='Enter vCenter password:') return args # Below method helps us to get MOR of the object (vim type) that we passed. def get_obj(content, vimtype, name): obj = None container = content.viewManager.CreateContainerView(content.rootFolder, vimtype, True) for c in container.view: if name and c.name == name: obj = c break container.Destroy() return obj args = get_args() s=ssl.SSLContext(ssl.PROTOCOL_TLSv1) s.verify_mode=ssl.CERT_NONE si= SmartConnect(host=args.host, user=args.user, pwd=args.password,sslContext=s) content=si.content cluster_name=args.cluster #Cluster object cluster = get_obj(content,[vim.ClusterComputeResource],cluster_name) if(not cluster): print ("Cluster not found, please enter correct EVC cluster name") quit() print ("Cluster Name:"+cluster.name) # Get all the hosts available inside cluster hosts = cluster.host #Iterate through each host to get MaxEVC mode supported on the host for host in hosts: print ("----------------------------------") print ("Host:"+host.name) feature_capabilities = host.config.featureCapability flag=False for capability in feature_capabilities: if(capability.key in ["cpuid.STIBP", "cpuid.IBPB","cpuid.IBRS"] and capability.value=="1"): print ("Found::"+capability.key) flag=True if(not flag): print ("No new cpubit found, hence "+host.name+" is NOT patched") else: print ("New CPU bit is found, hence "+host.name+" is patched") atexit.register(Disconnect, si)
This script takes VCIP, username, password and cluster-name (with or without EVC) as parameter. Let us take a look at below output.
vmware@localhost:~$ python hosts_patched.py -s 10.192.30.40 -u Administrator@vsphere.local -c EVCCluster
Enter vCenter password:
New CPU bit is found, hence 10.20.43.35 is patched
No new cpubit found, hence 10.20.43.36 is NOT patched
Based on above script, it is clear that there are 2 hosts inside the cluster and only one of them has exposed new cpuids, that confirms it is patched with both ESXi hypervisor & microcode.
1. I highly recommend you take a look at last post on EVC cluster.
2. Empty EVC cluster issue discussed here is fixed with latest vCenter Patches
3. My PowerCLI script to achieve the same
4. Tutorial on getting started pyVmomi
I hope you enjoyed this post, let me know if you have any questions/doubts.