Asking on behalf of a friend

"I've done a lot of reading around Spectre, specifically looking at how we protect Hyper-V hosts where the manufacturer is not providing a BIOS update at all - i.e. HP Gen7 servers (of which our clients have a number).
MS have advocated here <https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/CVE-2017-5715-and-hyper-v-hosts> that we can use Minproc on the host on a 2016 Hyper-V machine to isolate the guests from the host, therefore preventing compromise of the host.  Ok - I've configured that and can see I've allocated 4 CPUs to my host.
Then the next step is CPUGroups.  Again - I've configured that and the VM is working fine.
Naturally I want to PROVE that the protection is in place, and the current scripts from Microsoft do nothing to help with that as they look for other specific markers to prove a machine is protected.  So - a few questions for you if you might.
CPUGroups is a very underdocumented feature in Hyper-V - so this is where my concerns are...
  1.  CPUGroups - do I need to create a CPUGroup per VM to provide isolation, or can I create a single group for all VMs and that will provide isolation between each VM?
  2.  How does CPUGroups work across clusters?  Do I need to create the group with the same GUID on each cluster node in order for the VM to stay isolated when it moves from node to node?
  3.  How can I prove that this is working aside from printing a list showing it's configured?"