Tag Archives: Spectre vulnerability

pyVmomi script: How to confirm whether EVC cluster is patched or not ? Spectre vulnerability

As per latest update from VMware, new vCenter and ESXi patches are released. These patches primarily will help enable “Hypervisor-Assisted Guest mitigation”. With these patches, one of the important aspects is to make sure whether entire EVC cluster is patched/upgraded or not. In this blog post, we will take a look at the pyVmomi script, which will confirm whether EVC cluster is patched with both hypervisor & microcode patch or not. Before we take a look at the script, let me quote statement from VMware KB on EVC cluster behavior.

“The vCenter patches enable vMotion compatibility to be retained within an EVC cluster.
In order to maintain this compatibility the new features are hidden from guests within the cluster until all hosts in the cluster are properly updated. At that time, the cluster will automatically upgrade its capabilities to expose the new features.”

As per above quote, new features should be available on EVC cluster once all the hosts inside the cluster are patched. Now lets take a look at the script.

This script i.e. is_evc_cluster_patched.py is available on my git-hub repo.

[python]

from pyVim.connect import SmartConnect, Disconnect
from pyVmomi import vim
import atexit
import ssl
import sys
import argparse
import getpass

# Script to confirm whether EVC cluster is patched or not for Spectre vulenerability.

def get_args():
""" Get arguments from CLI """
parser = argparse.ArgumentParser(
description=’Arguments for talking to vCenter’)

parser.add_argument(‘-s’, ‘–host’,
required=True,
action=’store’,
help=’vSpehre service to connect to’)

parser.add_argument(‘-o’, ‘–port’,
type=int,
default=443,
action=’store’,
help=’Port to connect on’)

parser.add_argument(‘-u’, ‘–user’,
required=True,
action=’store’,
help=’Username to use’)

parser.add_argument(‘-p’, ‘–password’,
required=False,
action=’store’,
help=’Password to use’)

parser.add_argument(‘-c’, ‘–cluster’,
required=True,
action=’store’,
default=None,
help=’Name of the cluster you wish to check’)

args = parser.parse_args()

if not args.password:
args.password = getpass.getpass(
prompt=’Enter vCenter password:’)

return args

# Below method helps us to get MOR of the object (vim type) that we passed.
def get_obj(content, vimtype, name):
obj = None
container = content.viewManager.CreateContainerView(content.rootFolder, vimtype, True)
for c in container.view:
if name and c.name == name:
obj = c
break
container.Destroy()
return obj

args = get_args()
s=ssl.SSLContext(ssl.PROTOCOL_TLSv1)
s.verify_mode=ssl.CERT_NONE
si= SmartConnect(host=args.host, user=args.user, pwd=args.password,sslContext=s)
content=si.content
cluster_name=args.cluster

#Cluster object
cluster = get_obj(content,[vim.ClusterComputeResource],cluster_name)
if(not cluster):
print ("Cluster not found, please enter correct EVC cluster name")
quit()

print ("Cluster Name:"+cluster.name)
evc_cluster_manager=cluster.EvcManager()

evc_state=evc_cluster_manager.evcState
current_evcmode_key= evc_state.currentEVCModeKey

if(current_evcmode_key):
print ("Current EVC Mode::"+current_evcmode_key)
else:
print ("EVC is NOT enabled on the cluster, please enable it first")
quit()

feature_capabilities = evc_state.featureCapability

flag=False
for capability in feature_capabilities:

if(capability.key in ["cpuid.STIBP", "cpuid.IBPB","cpuid.IBRS"] and capability.value=="1"):
print ("Found::"+capability.key)
flag=True

if(not flag):
print ("No new cpubit found on EVC cluster,hence cluster is NOT fully patched/upgraded")
else:
print ("EVC cluster is patched, enjoy!, this also confirms all the hosts inside this EVC cluster are patched as well")

atexit.register(Disconnect, si)

[/python]

If you take a look at line 81-85, these are exact same EVC vSphere API properties that we discussed in my tutorial here. Same properties I have used to confirm whether EVC cluster is patched/upgraded or not. This script takes VCIP, username, password and EVC cluster name as parameter. Let us take a look at the output.

Output:

From output, it is clear that EVC cluster is patched successfully. It does mean that all the hosts inside the clusters are patched with both microcode and hypervisor patch. If at-least one of the hosts inside this EVC cluster is NOT patched, EVC cluster is NOT going to expose new cpuids on cluster and will be called as NOT patched.

Please note that since EVC APIs got introduced from vSphere 6.0, above script will be applicable for vSphere 6.0 and 6.5. Also, microcode/BIOS support is available for few Intel/AMD CPU models, please check out VMware KB for more details on it.

Some useful resources on EVC

1. If you want to confirm each host inside the cluster (with or without EVC) is patched or not, please take a look at my latest blog post
2. Empty EVC cluster issue discussed here is fixed with latest vCenter Patches
3. Part-1: Managing EVC using pyVmomi
4. Part 2: Managing EVC using pyVmomi
5. Tutorial on getting started pyVmomi

I hope you enjoyed this post, let me know if you have any questions/doubts.