VMware decides to disable TPS in future ESXi releases by default

In a knowledge base article titled “Security considerations and disallowing inter-Virtual Machine Transparent Page Sharing (2080735)”, published on October 16th, VMware states that it will disable the Transparent Page Sharing functionality by default in future updates and the next version of ESXi.

The decision is based on recent academic research that leveraged TPS to gain unauthorized access to data. The outcome of the research can be found in the following document: “Additional Transparent Page Sharing management capabilities in ESXi 5.5 patch October 16, 2014 and ESXi 5.1 and 5.0 patches in Q4, 2014 (2091682)”.

Transparent page sharing is a method by which redundant copies of pages are eliminated. This helps to free memory that a virtual machine would otherwise be using. Because of the way TPS works with hardware-assisted memory virtualization systems like Intel EPT Hardware Assist and AMD RVI Hardware Assist, esxtop may show zero or few shared pages in these systems. Page sharing will show up in esxtop only when host memory is overcommitted.

Inter-Virtual Machine TPS will no longer be enabled by default starting with the following releases:

  • ESXi 5.5 Update release – Q1 2015
  • ESXi 5.1 Update release – Q4 2014
  • ESXi 5.0 Update release – Q1 2015
  • The next major version of ESXi

Patches for current releases will also be provided, introducing additional TPS management capabilities.
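
A simplified model of the page deduplication described above, added here as an illustration; it is not VMware's implementation or code from the knowledge base articles. The VM names, page contents and the `backing_pages` function are constructed for the example, which compares host memory use with inter-VM sharing allowed and with sharing restricted to pages of the same VM.

```python
import hashlib
from collections import defaultdict

PAGE_SIZE = 4096  # bytes per guest page in this model


def backing_pages(vms, inter_vm_sharing):
    """Return the number of host pages needed after deduplication.

    vms: dict mapping a VM name to a list of page contents (bytes).
    inter_vm_sharing: when False, a page may only be collapsed with an
    identical page of the same VM (the new default in the announcement).
    """
    buckets = defaultdict(list)  # (scope, digest) -> distinct contents
    for vm_name, pages in vms.items():
        # With inter-VM sharing off, the VM name becomes part of the key,
        # so identical pages in different VMs never land in one bucket.
        scope = None if inter_vm_sharing else vm_name
        for page in pages:
            key = (scope, hashlib.sha256(page).digest())
            # A hash match is only a candidate; compare the full content
            # before treating two pages as the same backing page.
            if page not in buckets[key]:
                buckets[key].append(page)
    return sum(len(contents) for contents in buckets.values())


# Constructed sample data: zero pages, one page common to both guests
# (for example identical OS code), and one private page per guest.
ZERO = bytes(PAGE_SIZE)
COMMON = b"K" * PAGE_SIZE
VMS = {
    "vm-a": [ZERO, ZERO, COMMON, b"A" * PAGE_SIZE],
    "vm-b": [ZERO, COMMON, COMMON, b"B" * PAGE_SIZE],
}

if __name__ == "__main__":
    total = sum(len(p) for p in VMS.values())
    for enabled in (True, False):
        used = backing_pages(VMS, enabled)
        print(f"inter-VM sharing={enabled}: {used} of {total} pages backed")
```

The difference between the two results is the memory saving given up in exchange for no longer backing pages of different virtual machines with the same host page.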