Intel Side Channel Vulnerability “L1TF”
Mid of August Intel released - and of course the whole industry - the information about the L1 Terminal Fault aka L1TF - a speculative execution side channel cache timing vulnerability which could potentially allow unauthorized access to the Level 1 cache of a processor core. Intel defines “L1TF is a highly sophisticated attack method, and today, Intel is not aware of any reported real-world exploits”. But in some cases, or per company policy the mitigation is necessary.
After the mitigation provided by VMware and enabled “Side-Channel Aware Scheduler” for vSphere, the scheduler will not anymore schedule an additional thread to the same processor core. The reason is, that one of the threads of the processor core goes into deep sleep after the mitigation.
But how does this affect SAP and SAP HANA workload on VMware vSphere?
This affects virtual machines with more vCPUs configured as physical cores are available in the server. Therefore, a resizing of the virtual machines is needed, depending on your Intel CPU architecture like Haswell, Broadcom or Skylake CPUs.
The following list shows the maximum number of cores of the last three Intel CPUs certified for SAP HANA.
- Haswell: 72 cores (18 per CPU) on 4-socket servers
- Broadwell: 96 cores (24 per CPU) on 4-socket servers
- Skylake: 112 cores (28 per CPU) on 4-socket servers
Disclaimer: Picture by vmware.com
This resizing of a virtual machine could be a performance capacity issue, therefore it is highly recommended to check your SAP HANA sizing - like “Quicksizer” by SAP - before you resize the virtual machine(s) because the mitigation will cause performance degradation for larger virtual machines, as described above.
The recommendation is to download and apply patches provided by VMware, do any necessary virtual machine(s) capacity or resizing adjustment and enable the full mitigation for the hypervisor. The full mitigation ensures that the hypervisor uses one hyper-thread per core.
Note: Turning off Hyper-Threading at the server level alone will not mitigate the issue.
Visit the VMware Security Advisory VMSA-2018-0021 for more details:
The “central VMware Knowledge Base article about the “L1 Terminal Fault’ (L1TF)” is VMware KB 55636 - VMware Overview of ‘L1 Terminal Fault’ (L1TF) Speculative-Execution vulnerabilities in Intel processors: CVE-2018-3646, CVE-2018-3620, and CVE-2018-3615 (55636).
The following VMware KB articles provide more details about “Side-Channel-Aware Schedule”, “HTaware Mitigation Tool” and “VMware Performance Impact Statement”. 55806, 56931, 55767.
Tags: SAP, SAP HANA, VMware, Intel, Security