Additional capabilities to manage Transparent Page Sharing
Transparent Page Sharing (TPS) is the ability for virtual machines to share identical memory pages. This lets hosts use memory more efficiently, particularly when they run many nearly identical virtual machines. The net benefit is better memory usage, potentially leading to greater consolidation ratios. TPS is one of the memory management techniques that have given VMware an advantage over the competition for years.
Today VMware introduced additional capabilities to manage Transparent Page Sharing (TPS). This addition was prompted by recent academic research that leveraged TPS to gain unauthorized access to data under certain highly controlled conditions.
VMware also announced that starting in December with the next ESXi Update release, TPS among virtual machines will no longer be enabled by default. Even though VMware believes the security risk associated with enabling TPS is very low, it strives to be “secure by default” wherever possible.
Customers are advised to review the usage of TPS in their environment and plan for the upcoming ESXi Update releases, which no longer have TPS between virtual machines enabled by default. Note also that many systems use the hardware-assisted memory virtualization features of modern processors, which means guest memory is backed by large pages. Because large pages are not shared, TPS is unlikely to be in use except in situations where memory is overcommitted.
So, what’s the problem?
Prompted by the security concern explained in KB2080735, the concept of salting has been introduced to control and manage which virtual machines participate in TPS. Previously, for two virtual machines to share a page, the contents of the pages had to be identical. With salting, the salt values of the two virtual machines must also match, in addition to the page contents.
A new host configuration option, Mem.ShareForceSalting, has been introduced to enable or disable salting.
By default, salting is disabled (Mem.ShareForceSalting=0). This means TPS behaves as it did before this patch: all virtual machines on an ESXi host participate in TPS.
When salting is enabled (Mem.ShareForceSalting=1), two VMs can share a page only if both their salt values and the page contents are the same. The salt value is a configurable per-virtual-machine option: it can be specified manually in the virtual machine’s .vmx file with the new VMX option sched.mem.pshare.salt. If this option is not present in the virtual machine’s .vmx file, the value of the vc.uuid vmx option is used as the default. Since vc.uuid is unique to each virtual machine, by default TPS happens only among pages belonging to the same virtual machine (intra-VM).
If a group of virtual machines is trusted to share pages among themselves, a common salt value can be configured for all of them, which makes them participate in TPS with each other (inter-VM).
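The sharing rule described above, as an added illustration that is not VMware's code: pages are candidates for sharing only when their contents match, and, once Mem.ShareForceSalting is enabled, only when the owning VMs' salts match as well, where the salt is sched.mem.pshare.salt if present and vc.uuid otherwise. The inventory of three VMs, their page contents and their UUIDs are constructed sample data; SHA-256 stands in for ESXi's own page hashing and byte-for-byte confirmation.

```python
import hashlib
from dataclasses import dataclass, field
from itertools import combinations

PAGE_SIZE = 4096  # TPS only considers small (4 KB) pages


@dataclass
class VirtualMachine:
    name: str
    vc_uuid: str                             # unique per VM; the default salt
    pages: dict                              # page number -> page content (bytes)
    vmx: dict = field(default_factory=dict)  # advanced options from the .vmx file

    def salt(self) -> str:
        """sched.mem.pshare.salt if set in the .vmx, else vc.uuid (the documented default)."""
        return self.vmx.get("sched.mem.pshare.salt", self.vc_uuid)


def share_key(vm: VirtualMachine, content: bytes, share_force_salting: int) -> tuple:
    """Key under which a page is a sharing candidate.

    ESXi hashes page contents and confirms a full byte-for-byte match before
    collapsing pages; SHA-256 stands in for that here. With salting enabled the
    VM's salt becomes part of the key, so identical content alone is not enough.
    """
    digest = hashlib.sha256(content).hexdigest()
    if share_force_salting:
        return (vm.salt(), digest)
    return (None, digest)


def sharing_groups(vms, share_force_salting: int):
    """Groups of (vm name, page number) that could be backed by one physical page."""
    groups = {}
    for vm in vms:
        for page_no, content in vm.pages.items():
            key = share_key(vm, content, share_force_salting)
            groups.setdefault(key, []).append((vm.name, page_no))
    return [members for members in groups.values() if len(members) > 1]


def vm_pairs_sharing(vms, share_force_salting: int) -> set:
    """Pairs of distinct VMs that share at least one page (inter-VM sharing)."""
    pairs = set()
    for members in sharing_groups(vms, share_force_salting):
        names = sorted({name for name, _ in members})
        pairs.update(frozenset(p) for p in combinations(names, 2))
    return pairs


def vms_with_intra_sharing(vms, share_force_salting: int) -> set:
    """VMs that have two or more of their own pages collapsed (intra-VM sharing)."""
    result = set()
    for members in sharing_groups(vms, share_force_salting):
        per_vm = {}
        for name, _ in members:
            per_vm[name] = per_vm.get(name, 0) + 1
        result.update(name for name, count in per_vm.items() if count >= 2)
    return result


# Constructed sample inventory: two web VMs of one tenant given a common salt,
# one database VM left with the default (vc.uuid) salt. UUIDs are placeholders.
ZERO_PAGE = b"\x00" * PAGE_SIZE
OS_PAGE = b"\x90" * PAGE_SIZE          # stand-in for identical guest OS code pages
PRIVATE_PAGE = b"\x11" * PAGE_SIZE     # content present in one VM only


def build_sample_vms():
    tenant_salt = {"sched.mem.pshare.salt": "tenant-blue"}
    return [
        VirtualMachine("web-01", "uuid-web-01", {0: ZERO_PAGE, 1: ZERO_PAGE, 2: OS_PAGE}, dict(tenant_salt)),
        VirtualMachine("web-02", "uuid-web-02", {0: ZERO_PAGE, 1: OS_PAGE}, dict(tenant_salt)),
        VirtualMachine("db-01", "uuid-db-01", {0: ZERO_PAGE, 1: OS_PAGE, 2: PRIVATE_PAGE}),
    ]


if __name__ == "__main__":
    inventory = build_sample_vms()
    for setting in (0, 1):
        print(f"Mem.ShareForceSalting={setting}")
        print("  inter-VM pairs:", sorted(sorted(p) for p in vm_pairs_sharing(inventory, setting)))
        print("  intra-VM:      ", sorted(vms_with_intra_sharing(inventory, setting)))
```

With salting disabled, all three VMs share the zero page and the OS page with each other. With salting enabled, only web-01 and web-02 (same sched.mem.pshare.salt) still share across VMs; db-01, whose salt defaults to its vc.uuid, drops out of inter-VM sharing entirely while web-01's two identical pages of its own are still collapsed intra-VM in both modes.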
The additional Transparent Page Sharing (TPS) management capabilities are introduced in the following releases:
- ESXi 5.5 patch released October 16, 2014 (see KB2087359 for patch details)
- ESXi 5.1 patch planned for Q4, 2014
- ESXi 5.0 patch planned for Q4, 2014
Please refer to KB2080735 for changes to the default TPS setting that are planned for upcoming ESXi Update releases. These changes are related to recent academic research that leverages Transparent Page Sharing (TPS) to gain unauthorized access to data under certain highly controlled conditions.
For more information visit:
- VMware Security & Compliance Blog.