TPS

TPS (Transparent Page Sharing) has been around for a long time, and its purpose is to save memory at the host level. It is similar to storage deduplication, but applied to memory instead of disk.

When multiple VMs run on the same ESXi hypervisor and contain identical memory pages, those pages are stored only once. With TPS, the hypervisor eliminates the redundant copies by mapping all of the identical content to a single page in physical memory.

The TPS mechanism runs in the background and calculates a hash of each memory page. The hashes are stored in a hash table and compared by the ESXi kernel. If the kernel finds two matching hashes, it then compares the actual content of the two pages, since a hash match alone is not proof. Only if the content is exactly the same is a single copy kept in physical memory, with the other page pointed to the same location.

Two types of memory sharing techniques are available:

  • Intra-VM: Memory pages within the same VM are deduplicated by TPS, but TPS does not share memory pages between different VMs.
  • Inter-VM: Memory pages within the same VM are deduplicated by TPS, and TPS also shares memory pages between different VMs.

There was a major change with vSphere 6.0 and Inter-VM TPS is now disabled by default.

There is no real-world example of exploiting Inter-VM memory sharing to inject malicious code as far as we know, but as a security hardening best practice the default behavior was changed anyway.

If you are running a Service Provider environment, you should probably keep the setting at its default to prevent any malicious misuse of the feature. However, if you need to, you can change the default behavior.

There are three possible values of Mem.ShareForceSalting:

  • 2: Default value. No Inter-VM TPS.
  • 1: Inter-VM TPS is used only between VMs that have the same sched.mem.pshare.salt advanced configuration option.
  • 0: Inter-VM TPS works as it did before vSphere 6.0.

For more information about Inter-VM TPS and salting, see the following KB: https://kb.vmware.com/s/article/2097593.

For Enterprise companies, I would suggest switching to the old behavior and enabling Inter-VM TPS, since the benefits of TPS will—from my perspective—outweigh the possible security concerns. For service providers—from my perspective—I would use the same salt for all VMs belonging to the same customer, so the result will be that VMs from a single tenant can share memory pages between each other, but they can't share memory pages between different tenants.

Please note that Mem.ShareForceSalting is a per-host setting and sched.mem.pshare.salt is a per-VM setting.

You can change the Mem.ShareForceSalting setting from the vSphere client by following these steps:

  1. Select your ESXi hypervisor
  2. Switch to the Configure tab
  3. Locate Advanced System Settings under System
  4. Click Edit
  5. Locate the Mem.ShareForceSalting configuration parameter and change it to the desired value, as shown in the following screenshot:
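The per-tenant salting scheme recommended above, scripted with PowerCLI as an added example that is not part of the book. It assumes an existing Connect-VIServer session and a hypothetical custom attribute named "Tenant" on each VM that identifies its customer; the host is left at the default Mem.ShareForceSalting value of 2, which per the linked KB still honors an explicitly set sched.mem.pshare.salt, so VMs without a tenant salt stay isolated.

```powershell
# Added example (not from the book). Assumes PowerCLI is loaded and connected.
# The custom attribute name below is hypothetical; adjust it to your environment.
param(
    [Parameter(Mandatory)] [string] $Cluster,
    [string] $TenantAttribute = 'Tenant'   # assumed custom attribute holding the tenant id
)

$vmHosts = Get-Cluster -Name $Cluster | Get-VMHost

# 1. Host side (per-host setting): audit only, warn if someone re-enabled
#    unrestricted Inter-VM TPS (0) or left it at 1. ESXi shell equivalent:
#    esxcli system settings advanced set -o /Mem/ShareForceSalting -i 2
foreach ($h in $vmHosts) {
    $salting = Get-AdvancedSetting -Entity $h -Name 'Mem.ShareForceSalting'
    if ($salting.Value -ne 2) {
        Write-Warning "$($h.Name): Mem.ShareForceSalting is $($salting.Value), expected 2"
    }
}

# 2. VM side (per-VM setting): every VM of one tenant gets the same salt, so pages
#    are shared inside a tenant but never across tenants. VMs with no tenant
#    attribute are skipped and therefore keep the default (no Inter-VM sharing).
foreach ($vm in ($vmHosts | Get-VM)) {
    $tenant = ($vm | Get-Annotation -CustomAttribute $TenantAttribute -ErrorAction SilentlyContinue).Value
    if ([string]::IsNullOrWhiteSpace($tenant)) {
        Write-Warning "$($vm.Name): no '$TenantAttribute' attribute, leaving sched.mem.pshare.salt unset"
        continue
    }
    $current = Get-AdvancedSetting -Entity $vm -Name 'sched.mem.pshare.salt' -ErrorAction SilentlyContinue
    if ($null -eq $current) {
        # Setting does not exist yet on this VM: create it.
        New-AdvancedSetting -Entity $vm -Name 'sched.mem.pshare.salt' -Value $tenant -Confirm:$false -Force | Out-Null
        Write-Host "$($vm.Name): salt set to '$tenant'"
    } elseif ($current.Value -ne $tenant) {
        # Setting exists but points at the wrong tenant: correct it.
        Set-AdvancedSetting -AdvancedSetting $current -Value $tenant -Confirm:$false | Out-Null
        Write-Host "$($vm.Name): salt changed from '$($current.Value)' to '$tenant'"
    }
}
```

Changes to sched.mem.pshare.salt take effect on the next power cycle of the VM, so schedule the script before a maintenance window rather than expecting immediate sharing behavior.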
