By default, TPS (Transparent Page Sharing) has been enabled on ESXi hosts. TPS allows virtual machines to share identical memory pages and reduces the overall host memory footprint. This is achieved by allowing the hypervisor to scan at 60-minute intervals (the default) for identical memory pages, reclaiming the redundant copies and keeping a single page in physical RAM mapped to all of the virtual machines that use it.
A recent article from VMware – Security Considerations and disallowing inter-Virtual Machine Transparent Page Sharing (KB2080735) – acknowledges recent academic research showing that, under certain controlled circumstances, it is possible to measure memory timings to try to determine an AES encryption key in use on another virtual machine running on the same physical CPU. Whilst the probability of this occurring in the real world is low, VMware have taken the decision to disable TPS by default from future ESXi update releases as a security measure. However, administrators can turn it back on manually for the whole host, or even for individual virtual machines, as needed.
TPS is no longer enabled by default starting with the following releases:
- ESXi 5.5 Update release – Q1 2015
- ESXi 5.1 Update release – Q4 2014
- ESXi 5.0 Update release – Q1 2015
- The next major version of ESXi
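The post only says the setting can be changed per host or per VM; the settings VMware later shipped for this are the host advanced option Mem.ShareForceSalting and the per-VM option sched.mem.pshare.salt. The PowerCLI audit below is an added example, not part of the original post or of VMware's KB; it assumes PowerCLI is installed and an existing Connect-VIServer session, and the value meanings in the switch follow VMware's later documentation of that setting.

```powershell
# Added example (not from the original post): report where inter-VM page sharing
# is still possible across every host in the connected vCenter.
# Assumes: PowerCLI loaded and Connect-VIServer already run.
$report = foreach ($vmhost in Get-VMHost) {
    $setting = Get-AdvancedSetting -Entity $vmhost -Name 'Mem.ShareForceSalting' -ErrorAction SilentlyContinue
    # Builds that predate the change have no such setting, which means legacy inter-VM TPS.
    $value = if ($setting) { [int]$setting.Value } else { 0 }
    $mode = switch ($value) {
        0 { 'inter-VM sharing for all VMs (legacy TPS behaviour)' }
        1 { 'VMs with an explicit salt share only with matching salts; unsalted VMs still share with each other' }
        2 { 'intra-VM sharing only, unless VMs carry an identical explicit salt (new default)' }
        default { "unrecognised value $value" }
    }
    # VMs that have opted back in to sharing by setting an explicit salt.
    $salted = foreach ($vm in Get-VM -Location $vmhost) {
        $salt = Get-AdvancedSetting -Entity $vm -Name 'sched.mem.pshare.salt' -ErrorAction SilentlyContinue
        if ($salt) { "$($vm.Name)=$($salt.Value)" }
    }
    [pscustomobject]@{
        Host              = $vmhost.Name
        Build             = $vmhost.Build
        ShareForceSalting = $value
        Mode              = $mode
        VMsWithSalt       = ($salted -join ', ')
    }
}
# Hosts at the top of the list (value 0) are the ones still exposed to the cross-VM research scenario.
$report | Sort-Object ShareForceSalting | Format-Table -AutoSize
```

Hosts reporting 0, and any VM listed under VMsWithSalt, are the places where sharing has been left on or deliberately re-enabled and should be recorded as accepted exceptions.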