Wednesday 30 November 2011

VMware CPUID masks for AES-NI and PCLMULQDQ

Today I have been messing with with CPUID masks in ESXi/vSphere. Most people in my position wouldn't normally have to worry about this, but I work for a small company so the budget especially these days is necessarily lean so we chose go for vSphere 5 Essentials PLUS which does not include Enhanced vMotion Compatibility (EVC)

The problem I had was there were two servers that were brought at different times and as is often the case had slightly different specification based on the deals the vendors were offering at the time. Basically the Intel processors had slightly different capabilities Xeon E5530 and E5620 The problem came up when I tried to vMotion VMs from one box to the other, Virtual Center complained that the older server lacked the PCLMULQDQ and AES-NI CPU features:
Host CPU is incompatible with the virtual machine's requirments at CPUID level 0x1 register 'ecx'
So working my way through the KB articles on the VMware website I realised that we were not licensed for EVC so KB 1993 applied. It took me a while to get my head around what was going on but you need to tell the VM when it starts up to ignore the flags for those 2 CPU features so that it isn't using them, so it can happily be moved between host servers that do and don't support those CPU instructions. 

So down to the nitty gritty, how do you actually disable these features. Connect the vSphere client, to either your vCenter server or the ESX server itself. Right click the VM you wish to make more mobile and choose "Settings", then on the "Options" tab select CPUID Mask then click on the "Advanced..." tab. Scroll down to the "Level 1" section and for "ecx" the mask you need is (presented here for your copy and paste delight):

---- --0- ---- ---- ---- ---- ---- --0-

This was explained in the KB 1993 article but they refer to the "Level" as "a"  which is not mentioned in the ESXi 5.0/vSphere 5 configuration screens.
After I changed this setting all the VMs were happy to v|Motion back and forth between the servers.


  1. Confused the hell out of me as well, and I do think they need to correct their documentation - There is no "A" flag - It is as you've expressed Level 1

  2. Hi, I have this issue with suspended machines (VMs) - any idea how I can change this, as the "advanced" button is greyed out.
    I did a BIOS update and put all VMs to suspended (which worked fine with 4 other servers ...).

    Cheers Stephen

    1. Hi Stephen,
      Unfortunately you are going to have to migrate those VMs to a host that does support those CPU features before you can resume them, then shut the VMs down to change the settings so you are not hit with the same problem next time.
      I hope that helps.



  3. Thank a lot, I've just spent half a day to update bios on R710 and R610 and I had still the same problem. Your solution seems to work perfectly

    Best Regards


  4. People tired to find a relevant place where they can know real facts and myths about the topic mentioned by author of this blog. I want to help a lot of needy people through this blog to come up at my blog to know the real facts and myths regarding this topic. Dell PowerEdge T630