VMware vSphere

TPS – Security Risk

In future releases and patches, TPS is disabled for security reasons. It is possible to use Transparent Page Sharing to gain unauthorized access to data, but this was tested under highly controlled conditions.

If you have a high overcommitment rate and would like to use TPS on future versions, you can enable TPS manually. You must configure a “salt”. The vmkernel can control which VMs participate in TPS. In earlier releases it was enough that the memory page content was the same, but now the VMs must have the same “salt” value.
To set the salt, go to the Advanced options and set Mem.ShareForceSalting to 1 (0 = disabled, 1 = enabled).

Each VM that should share RAM with another one should have the same salt value. You can configure this value in the VMX file of each VM:
sched.mem.pshare.salt. If the option is not set in the VMX file, vmkernel uses the vc.uuid value, but this value is unique for each VM, so no TPS takes place. 😉
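
As an added example (not from the original post), the following Python check reads VMX text and reports which VMs end up in the same sharing group under the rule described above: an explicit sched.mem.pshare.salt if present, otherwise the per-VM vc.uuid. The VM names, salt strings and UUIDs are constructed sample data, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample VMX contents (not taken from a real environment).
SAMPLE_VMX = {
    "web01": 'displayName = "web01"\nvc.uuid = "50 1a 00 01"\nsched.mem.pshare.salt = "tier-web"\n',
    "web02": '# cloned from web01\nvc.uuid = "50 1a 00 02"\nsched.mem.pshare.salt = "tier-web"\n',
    "db01": 'vc.uuid = "50 1a 00 03"\n',
    "db02": 'vc.uuid = "50 1a 00 04"\n',
}

# key = "value"; lines starting with '#' do not match and are skipped.
_LINE = re.compile(r'^\s*([^\s=#]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Return the key/value pairs found in VMX text."""
    return dict(m.groups() for m in map(_LINE.match, text.splitlines()) if m)

def effective_salt(cfg):
    """Explicit salt if configured, else vc.uuid, else None (unknown)."""
    if "sched.mem.pshare.salt" in cfg:
        return ("salt", cfg["sched.mem.pshare.salt"])
    if "vc.uuid" in cfg:
        return ("vc.uuid", cfg["vc.uuid"])
    return None

def sharing_groups(vmx_by_vm, force_salting=1):
    """Group VMs that may share identical pages with each other.

    force_salting mirrors Mem.ShareForceSalting as the post describes it:
    0 = page content alone decides, 1 = VMs must have the same salt.
    """
    if force_salting == 0:
        return [sorted(vmx_by_vm)]
    groups = defaultdict(list)
    for name, text in vmx_by_vm.items():
        # A VM with neither key gets its own group rather than a guessed one.
        key = effective_salt(parse_vmx(text)) or ("unknown", name)
        groups[key].append(name)
    return sorted(sorted(g) for g in groups.values())

def unintended_sharing(groups, allowed):
    """Multi-VM groups that are not fully inside one approved set of VMs."""
    return [g for g in groups
            if len(g) > 1 and not any(set(g) <= set(a) for a in allowed)]

if __name__ == "__main__":
    for group in sharing_groups(SAMPLE_VMX):
        print(group)
```

Running `unintended_sharing` against a list of approved groupings flags a VM that was given another tier's salt, for example after cloning a VMX file.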

If you have an older release or patch but would like to disable TPS:

1. Go to the Advanced Settings of the ESXi host
2. Click Mem
3. Search for Mem.ShareScanGHz and set this value to 0 (disable)
For the change to take effect, the host needs a restart.

If you later install a new patch, remember this setting, because you must then set the value back to the default: Mem.ShareScanGHz to 4.

KB Number kb2080735

Thanks for READING!