Are my VERDE VDI sessions impacted by Meltdown and Spectre?


            Security has always been and continues to be of paramount importance for NComputing. Please find below detailed information pertaining to the Meltdown and Spectre vulnerabilities.


            We believe that there is very little chance that VERDE VDI is directly vulnerable to the Meltdown and Spectre security issues. However, the underlying operating system, drivers and CPU firmware will most likely require that you patch your hardware systems per the recommendations posted in the Meltdown and Spectre blog post found here: https://spectreattack.com/#faq-fix. According to this blog post:

            "Right now, there are no public patches to KVM that expose the new CPUID bits and MSRs to the virtual machines, therefore there is no urgent need to update QEMU; remember that updating the host kernel is enough to protect the host from malicious guests."


            As VERDE takes advantage of the Linux kernel KVM and QEMU packages to create and manage the VERDE virtual desktops, it is also important to monitor and follow the recommendations provided by the QEMU-KVM community in regard to these bugs. The blog post is located here: https://www.qemu.org/2018/01/04/spectre. In addition to VERDE, it is also important to understand any possible performance impact on the guest OS.
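One way to confirm that a Linux KVM host has picked up the kernel-side fixes is to read the status files the kernel itself publishes. This is an added example, not code from NComputing or the QEMU project; it assumes a host kernel new enough to expose `/sys/devices/system/cpu/vulnerabilities`, and the function names `classify_status` and `check_host` are illustrative.

```shell
#!/bin/sh
# Added example: report the kernel's own view of Meltdown/Spectre
# mitigation on a KVM host. VULN_DIR can be overridden to run the
# check against a copy of the directory taken from another host.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status <text> -> prints OK, VULNERABLE or UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo OK ;;
        "Vulnerable"*)                  echo VULNERABLE ;;
        *)                              echo UNKNOWN ;;
    esac
}

# check_host [dir] -> one line per issue; returns 0 only if all are OK
check_host() {
    dir="${1:-$VULN_DIR}"
    rc=0
    for issue in meltdown spectre_v1 spectre_v2; do
        file="$dir/$issue"
        if [ -r "$file" ]; then
            text=$(head -n 1 "$file")
            verdict=$(classify_status "$text")
        else
            # Kernels that predate this sysfs interface have no such
            # file, which usually means the host kernel is not updated.
            text="(no entry; kernel does not report this issue)"
            verdict=UNKNOWN
        fi
        printf '%-11s %-10s %s\n' "$issue" "$verdict" "$text"
        [ "$verdict" = OK ] || rc=1
    done
    return "$rc"
}
```

Source the file on the host and run `check_host`; a non-zero exit status means at least one issue is reported as vulnerable or is not reported at all.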


            A snippet taken from a recent Microsoft blog post on the subject indicates minimal to more significant performance impact depending on the operating system used and the host CPU.


            Take some comfort in the fact that, because you are using VERDE, you can analyze the impact on any given end user workload and, if necessary, update your session settings to provide additional virtual memory or virtual CPU for those user workloads. Once you have updated the session settings, your users will be able to immediately take advantage of the increased capacity to maintain your baseline performance.


            Here is the description of the currently available performance analysis from Microsoft.

            • With Windows 10 on newer silicon (2016-era PCs with Skylake, Kabylake or newer CPU), benchmarks show single-digit slowdowns, but we don’t expect most users to notice a change because these percentages are reflected in milliseconds.
            • With Windows 10 on older silicon (2015-era PCs with Haswell or older CPU), some benchmarks show more significant slowdowns, and we expect that some users will notice a decrease in system performance.
            • With Windows 8 and Windows 7 on older silicon (2015-era PCs with Haswell or older CPU), we expect most users to notice a decrease in system performance.
            • Windows Server on any silicon, especially in any IO-intensive application, shows a more significant performance impact when you enable the mitigations to isolate untrusted code within a Windows Server instance. This is why you want to be careful to evaluate the risk of untrusted code for each Windows Server instance and balance the security versus performance tradeoff for your environment.


            For context, on newer CPUs such as on Skylake and beyond, Intel has refined the instructions used to disable branch speculation to be more specific to indirect branches, reducing the overall performance penalty of the Spectre mitigation. Older versions of Windows have a larger performance impact because Windows 7 and Windows 8 have more user-kernel transitions because of legacy design decisions, such as all font rendering taking place in the kernel.


            It is always our recommendation, however, that customers maintain a schedule of regular upgrades to our latest release for the best performance, bug fixes, and new features. Please contact us if you need assistance in planning and implementing your VERDE upgrade.
            Updated: 22 Jan 2018 03:36 PM