Are my VERDE VDI sessions impacted by Meltdown and Spectre

Are my VERDE VDI sessions impacted by Meltdown and Spectre


Security has always been and continues to be of paramount importance for NComputing. Please find below the detailed information pertaining to Meltdown and Spectre vulnerabilities.


We believe that there is very little chance that VERDE VDI is directly vulnerable to the Meltdown and Spectre security issues. However, the underlying operating system, drivers  and
CPU firmware will most likely require that you patch your hardware systems per the recommendations posted in the Meltdown and Spectre blog post found here: https://spectreattack.com/#faq-fix.  According to this blog post

"Right now, there are no public patches to KVM that expose the new CPUID bits and MSRs to the virtual machines, therefore there is no urgent need to update QEMU; remember that updating the host kernel is enough to protect the host from malicious guests."


As VERDE takes advantage of the Linux kernel KVM and QEMU packages to create and manage the VERDE virtual desktops it is also important to monitor and take the recommendations provided by the QEMU-KVM community in regard to these bugs.  The blog post is located here: https://www.qemu.org/2018/01/04/spectre. In addition to VERDE, it is also important to understand any possible performance impact on the guest OS.


A snippet taken from a recent Microsoft blog post on the subject indicates minimal to more significant performance impact depending on the operating system used and the host CPU.


Take some comfort in the fact that because you are using VERDE you can analyze the impact on any given end user workload and if necessary update your session settings to provide additional virtual memory or virtual CPU for those user workloads.  Once you have updated the session settings your users will be able to immediately take advantage of the increased capacity to maintain your baseline performance.


Here is the description of the currently available performance analysis from Microsoft.

  • With Windows 10 on newer silicon (2016-era PCs with Skylake, Kabylake or newer CPU), benchmarks show single-digit slowdowns, but we don’t expect most users to notice a change because these percentages are reflected in milliseconds.
  • With Windows 10 on older silicon (2015-era PCs with Haswell or older CPU), some benchmarks show more significant slowdowns, and we expect that some users will notice a decrease in system performance.
  • With Windows 8 and Windows 7 on older silicon (2015-era PCs with Haswell or older CPU), we expect most users to notice a decrease in system performance.
  • Windows Server on any silicon, especially in any IO-intensive application, shows a more significant performance impact when you enable the mitigations to isolate untrusted code within a Windows Server instance. This is why you want to be careful to evaluate the risk of untrusted code for each Windows Server instance and balance the security versus performance tradeoff for your environment.


For context, on newer CPUs such as on Skylake and beyond, Intel has refined the instructions used to disable branch speculation to be more specific to indirect branches, reducing the overall performance penalty of the Spectre mitigation. Older versions of Windows have a larger performance impact because Windows 7 and Windows 8 have more user-kernel transitions because of legacy design decisions, such as all font rendering taking place in the kernel.


It is our always recommendation however that customers maintain a schedule of regular upgrades to our latest release for the best performance, bug fixes, and new features. Please contact us if you need assistance in planning and implementing your VERDE upgrade.
    • Related Articles

    • Meltdown and Spectre, are NComputing thin client devices vulnerable?

      Security has always been and continues to be of paramount importance for NComputing. Please find the detailed information pertaining to each hardware product family as it relates to these vulnerabilities: • RX-Series: Not affected • L Series, M ...
    • Running VERDE (CM/MC/VDI) on a vSphere - VMWARE ESX server

      Product Line:  VERDE The ESX server is capable of doing nested virtualization, so it's possible to run VERDE servers that run VDI sessions on this ESX host. You must enable the "vhv.enable=TRUE" flag in the .vmx file to take advantage of this ...
    • VERDE VDI Optimization for Windows 10

      Product Line:  VERDE   Introduction   A basic Windows 10 ISO is not configured by default for VDI implementation.  If not configured correctly, a Windows 10 guest will consume a a large amount of CPU, Memory and network resources per desktop. The ...
    • VERDE VDI Session WorkFlow

      Product Line:  VERDE The following diagram displays the VDI Session Workflow:
    • Secure VERDE Isolated Gateway install and configuration Instructions

      Product Line:  VERDE  Often customers request an Isolated Gateway.  A more secure method of accessing the Guest Images. Here's a little explanation about the Gateway's function, followed by instructions for its implementation. OVERVIEW: The Verde ...