Security has always been and continues to be of paramount importance for NComputing. Please find below the detailed information pertaining to the Meltdown and Spectre vulnerabilities.
We believe that there is very little chance that VERDE VDI is directly vulnerable to the Meltdown and Spectre security issues. However, the underlying operating system, drivers and CPU firmware will most likely require that you patch your hardware systems per the recommendations posted in the Meltdown and Spectre blog post found here: https://spectreattack.com/#faq-fix. According to this blog post: "Right now, there are no public patches to KVM that expose the new CPUID bits and MSRs to the virtual machines, therefore there is no urgent need to update QEMU; remember that updating the host kernel is enough to protect the host from malicious guests."
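To confirm that a VERDE host's kernel carries the fixes the quoted guidance relies on, you can check the status the kernel itself reports. This is an added example, not NComputing or QEMU code; it assumes a Linux host whose kernel exposes /sys/devices/system/cpu/vulnerabilities, and the function names classify_status and check_host are illustrative.

```shell
#!/bin/sh
# Added example: classify the Meltdown/Spectre status reported by a Linux KVM host kernel.
# Assumption: the kernel exposes one status file per issue in the sysfs directory below.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status LINE -> prints ok | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo ok ;;
        "Vulnerable"*)                  echo vulnerable ;;
        *)                              echo unknown ;;
    esac
}

# check_host [DIR] -> prints "issue: verdict: kernel status line" for each issue.
# Returns 0 if every issue is ok, 1 if any is vulnerable or unknown,
# 2 if the kernel does not expose the status directory at all.
check_host() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    if [ ! -d "$dir" ]; then
        echo "no status directory: treat the host kernel as unpatched until verified"
        return 2
    fi
    for issue in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$issue" ]; then
            line=$(head -n 1 "$dir/$issue")
            verdict=$(classify_status "$line")
        else
            line="(file missing)"
            verdict=unknown
        fi
        echo "$issue: $verdict: $line"
        [ "$verdict" = ok ] || rc=1
    done
    return $rc
}
```

Run `check_host` with no argument on the KVM host. It covers the host kernel only, so guest operating systems and CPU firmware still need their own verification.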
As VERDE takes advantage of the Linux kernel KVM and QEMU packages to create and manage the VERDE virtual desktops, it is also important to monitor and follow the recommendations provided by the QEMU-KVM community in regard to these bugs. The blog post is located here: https://www.qemu.org/2018/01/04/spectre. In addition to VERDE, it is also important to understand any possible performance impact on the guest OS.
A snippet taken from a recent Microsoft blog post on the subject indicates minimal to more significant performance impact depending on the operating system used and the host CPU.
Take some comfort in the fact that, because you are using VERDE, you can analyze the impact on any given end user workload and, if necessary, update your session settings to provide additional virtual memory or virtual CPU for those user workloads. Once you have updated the session settings, your users will be able to immediately take advantage of the increased capacity to maintain your baseline performance.
Here is the description of the currently available performance analysis from Microsoft.
- With Windows 10 on newer silicon (2016-era PCs with Skylake, Kabylake or newer CPU), benchmarks show single-digit slowdowns, but we don’t expect most users to notice a change because these percentages are reflected in milliseconds.
- With Windows 10 on older silicon (2015-era PCs with Haswell or older CPU), some benchmarks show more significant slowdowns, and we expect that some users will notice a decrease in system performance.
- With Windows 8 and Windows 7 on older silicon (2015-era PCs with Haswell or older CPU), we expect most users to notice a decrease in system performance.
- Windows Server on any silicon, especially in any IO-intensive application, shows a more significant performance impact when you enable the mitigations to isolate untrusted code within a Windows Server instance. This is why you want to be careful to evaluate the risk of untrusted code for each Windows Server instance and balance the security versus performance tradeoff for your environment.
For context, on newer CPUs such as on Skylake and beyond, Intel has refined the instructions used to disable branch speculation to be more specific to indirect branches, reducing the overall performance penalty of the Spectre mitigation. Older versions of Windows have a larger performance impact because Windows 7 and Windows 8 have more user-kernel transitions because of legacy design decisions, such as all font rendering taking place in the kernel.
It is always our recommendation, however, that customers maintain a schedule of regular upgrades to our latest release for the best performance, bug fixes, and new features. Please contact us if you need assistance in planning and implementing your VERDE upgrade.