About two years ago, IBM PureApplication System 2.2.6.0 and IBM Cloud Pak System 2.3.0.0 provided mitigation against CVE-2018-3646 and CVE-2018-3620 in the built-in VMware 6.5 stack (see Impact of HyperThreadingMitigation introduced in IBM PureApplication System 2.2.6.0 or IBM Cloud Pak System 2.3.0.0). The mitigation IBM provided was to enable the Side-Channel-Aware Scheduler (SCA) v1 by default in the VMware ESX hypervisor. For those clients who insisted on it and accepted the security risk, IBM also provided an option to leave SCAv1 disabled (allowing for higher performance).
IBM Cloud Pak System 2.3.3.0 and higher are running on VMware 6.7, which provides support for Side-Channel-Aware Scheduler v2. So I was curious whether IBM Cloud Pak System would provide an option to enable SCAv2, as it provides a compromise between security and performance that could be attractive to some clients.
I had a look at the IBM Support document Considerations on impact of HyperThreadingMitigation security introduced on Intel systems in IBM PureApplication System V2.2.6.0 and IBM Cloud Pak System V2.3.x.x, and noticed that from 2.3.3.0 onwards IBM Cloud Pak System provides an option to enable SCAv2. Note that the default in IBM Cloud Pak System remains SCAv1 (the most secure option).
| IBM Cloud Pak System version | Default SCA configuration | Alternative SCA configuration |
|---|---|---|
| < 2.2.6 | Disabled | N/A |
| 2.2.6 | SCAv1 | Disabled |
| 2.3.0 | SCAv1 | Disabled |
| 2.3.1 | SCAv1 | Disabled |
| 2.3.2 | SCAv1 | Disabled |
| 2.3.3 and higher | SCAv1 | SCAv2 |
VMware has a lot of material to help clients understand the security and performance implications of SCAv1 vs SCAv2. I would recommend reviewing the VMware document Implementing Hypervisor-Specific Mitigations for Microarchitectural Data Sampling (MDS) Vulnerabilities (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091) in vSphere (67577) to learn more about that. The diagram below provides a nice visual summary of the trade-offs between the two.
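As an added example (not code from this post, from IBM or from VMware), here is a small shell audit helper that classifies which SCA mode an ESXi host is actually running from the two VMkernel boot options that control it, using a constructed `esxcli system settings kernel list` output. It assumes the documented mapping (hyperthreadingMitigation TRUE plus hyperthreadingMitigationIntraVM TRUE is SCAv1, TRUE plus FALSE is SCAv2, hyperthreadingMitigation FALSE is disabled) and that the Runtime value is the fourth whitespace-separated column of that output.

```shell
#!/bin/sh
# Added example, not from the original post. Classifies an ESXi host's
# Side-Channel-Aware Scheduler mode from its VMkernel boot options.
# On a real host the inputs come from:
#   esxcli system settings kernel list -o hyperthreadingMitigation
#   esxcli system settings kernel list -o hyperthreadingMitigationIntraVM

# Map the two runtime values to a mode name (mapping per VMware KB 55806/67577).
sca_mode() {
  mitigation="$1"; intra_vm="$2"
  case "$mitigation" in
    TRUE|true)
      case "$intra_vm" in
        FALSE|false) echo "SCAv2" ;;   # cross-VM isolation only
        *)           echo "SCAv1" ;;   # no HT sibling sharing at all
      esac ;;
    *) echo "disabled" ;;              # hyperthreading mitigation off
  esac
}

# Extract the Runtime column for one option from esxcli list output.
# Assumed column order: Name Type Configured Runtime Default Description.
runtime_value() {
  awk -v name="$1" '$1 == name { print $4 }'
}

# Read full esxcli output on stdin and print the resulting mode.
mode_from_esxcli() {
  input=$(cat)
  m=$(printf '%s\n' "$input" | runtime_value hyperthreadingMitigation)
  i=$(printf '%s\n' "$input" | runtime_value hyperthreadingMitigationIntraVM)
  sca_mode "$m" "$i"
}

# Constructed sample output, as a host switched to SCAv2 would report it.
SAMPLE_SCAV2='Name                              Type  Configured  Runtime  Default  Description
hyperthreadingMitigation          Bool  TRUE        TRUE     FALSE    Mitigate HT
hyperthreadingMitigationIntraVM   Bool  FALSE       FALSE    TRUE     Intra-VM HT'

# Stand-alone run: report the mode for the constructed sample.
printf '%s\n' "$SAMPLE_SCAV2" | mode_from_esxcli   # prints SCAv2
```

Because the options are boot-time settings, compare the Configured and Runtime columns too: a host whose values differ has been reconfigured but not yet rebooted into the new mode.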
