
The question I am about to ask is similar to the following question:

Do I need to patch Linux for Meltdown/Spectre if the hypervisor has been patched, and I trust the guest?

However, I would like to take the question a bit further or a bit deeper.

Consider the following environment, where a UCS virtualization layer is hosting VMware ESXi instances, which themselves will be hosting Windows, Linux and other OSes. Which layer should I protect in order to protect the underlying layers?

-> Hardware
   -> CPU
   -> RAM
   -> Mainboard
   -> Storage
      -> Operating System (UCS Management)
         -> partitioned "hardware" servers 
            -> physical CPUs
            -> physical RAM
            -> Storage
               -> OS of VMware ESXi Hosts
                  -> partitioned "virtual" servers
                     -> virtual CPUs
                     -> virtual RAM
                     -> Storage
                        -> OS of virtual Windows Server
                           -> Microsoft Hypervisor
                              -> virtual CPUs
                              -> virtual RAM
                              -> Storage
                                 -> OS of Microsoft Hypervisor Server/Client
                           -> Microsoft SQL Server
                              -> SQL Server OS (yes, SQL Server has its own OS)

Seeing as the various vendors are supplying patches for the various levels (VMware, Microsoft OS, Microsoft SQL Server), will it be sufficient for me to patch, for example, only the first (highest possible) "physical" layer (UCS operating system) to guarantee that the underlying layers will no longer be affected by the vulnerability?

The idea behind this question is to minimise the possible amount of patching that would have to be implemented to protect the underlying layers.

How far must I patch?

John K. N.
  • The problem is that we don't really know what kind of attacks are in use or will be used. Broadly speaking: at the least you will have to patch every system that executes code from unknown sources. – Tom K. Jan 10 '18 at 13:15

2 Answers

For Meltdown you need to patch guest VMs as the patch is in the kernel. So you need those guest kernels up to date.

For Spectre, the patches are in the CPU microcode, so they need to be loaded on the host system. I think VMware already has these, but the current microcode updates don't have fixes for all CPUs included yet, so there will be one more update by the end of January.

Aria

Yes, no, and maybe. There are two vulnerabilities here:

  1. Meltdown. In an unpatched system, an attacker can access any memory the kernel can access, and only that memory. For example, an attacker at the UCS layer can access everything by attacking the UCS kernel; an attacker at the SQL Server layer can only attack those pieces that SQL Server can access. Patching at a given layer only protects that layer, so a UCS-layer patch won't keep an SQL Server-layer attacker from reading SQL Server OS's memory.

    Because a Meltdown attack can't reach outside of virtualization (but can reach outside of containers, sandboxing, and paravirtualization), you've already got some protection just by having your layers.

  2. Spectre. Spectre isn't so much a vulnerability as a huge family of vulnerabilities. Because of this, there are many partial patches that fix various aspects of it; there cannot be a universal "fix everything" patch (except perhaps a performance-killing microcode update that disables the branch predictor).

    Unlike Meltdown, Spectre can reach outside of virtualization: an attacker at the SQL Server level can (with great difficulty) perform an attack on the UCS layer. Each layer you patch will protect itself, and some patches (such as Intel's IBRS/IBPB microcode update) will make attacks harder across all layers. Your setup does give you some inherent protection, though: Spectre can only reach across virtual CPUs, not physical ones.

Mark
  • Thank you for your detailed reply/answer. I didn't realise that the two vulnerabilities were on such different layers. Would it be correct if I stated: _"A vendor patching a non-OS product is protecting against the Meltdown vulnerability (e.g. SQL Server patch), whereas an OS or BIOS level patch will be protecting against the Spectre vulnerability. (Windows patch, Intel Chipset patch, UCS firmware patch, ...), "_ – John K. N. Jan 17 '18 at 07:33
  • It's not clear-cut like that. For example, there are browser-level patches to deal with using Javascript to perform Spectre attacks, and some of the recent OS-level patches have been about hiding kernel memory so Meltdown attacks can't access it. The current BIOS/microcode patches are about Spectre, but it's remotely possible that Intel could figure out how to prevent Meltdown in microcode. – Mark Jan 17 '18 at 07:53
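Both answers come down to the same operational point: patching the UCS or ESXi layer does not tell you anything about a guest, so each Linux guest kernel has to be checked (and patched) on its own. The script below is an added example, not code from the question or from either answer. It reads the per-issue status files the Linux kernel has exposed since 4.15 under /sys/devices/system/cpu/vulnerabilities/ (each file starts with "Not affected", "Mitigation:" or "Vulnerable"), flags any issue still reported as vulnerable, and shows the microcode revision the guest kernel sees. The sample directory it builds for the --demo mode is a constructed look-alike with made-up values, and the VULN_DIR override and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the question or either answer: summarise what a
# Linux guest's own kernel reports about Meltdown/Spectre mitigations. Since
# Linux 4.15 the kernel exposes one file per issue under
# /sys/devices/system/cpu/vulnerabilities/ whose text starts with
# "Not affected", "Mitigation:" or "Vulnerable"; classify_status keys on that.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status LINE -> prints not-affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) printf 'not-affected\n' ;;
        "Mitigation:"*)  printf 'mitigated\n' ;;
        "Vulnerable"*)   printf 'vulnerable\n' ;;
        *)               printf 'unknown\n' ;;
    esac
}

# count_vulnerable DIR -> prints how many issue files still read "Vulnerable"
count_vulnerable() {
    n=0
    for f in "$1"/*; do
        if [ -f "$f" ]; then
            if [ "$(classify_status "$(cat "$f")")" = vulnerable ]; then
                n=$((n + 1))
            fi
        fi
    done
    printf '%s\n' "$n"
}

# report_dir DIR -> one "issue status raw-text" line per file;
# exit status 1 if any issue is still reported as Vulnerable
report_dir() {
    for f in "$1"/*; do
        if [ -f "$f" ]; then
            raw=$(cat "$f")
            printf '%-14s %-13s %s\n' "$(basename "$f")" "$(classify_status "$raw")" "$raw"
        fi
    done
    [ "$(count_vulnerable "$1")" -eq 0 ]
}

# microcode_revision [CPUINFO] -> the "microcode" field the guest kernel sees.
# Inside a VM this is whatever the hypervisor exposes, so it confirms only what
# the host passed through, not the host's real update state.
microcode_revision() {
    awk -F': ' '/^microcode/ { print $2; exit }' "${1:-/proc/cpuinfo}"
}

# make_sample_dir -> constructed look-alike of sysfs and /proc/cpuinfo in a temp
# dir (values made up for this example, written in the kernel's output format).
make_sample_dir() {
    d=$(mktemp -d)
    mkdir "$d/vulnerabilities"
    printf 'Mitigation: PTI\n' > "$d/vulnerabilities/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/vulnerabilities/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/vulnerabilities/spectre_v2"
    printf 'processor\t: 0\nmicrocode\t: 0x1\n' > "$d/cpuinfo"
    printf '%s\n' "$d"
}

# Usage: run with --demo to see the constructed sample, or with no arguments
# on a Linux guest to report that guest's real status.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_dir)
    report_dir "$d/vulnerabilities" || echo "guest still reports an unmitigated issue"
    echo "microcode: $(microcode_revision "$d/cpuinfo")"
    rm -rf "$d"
elif [ -d "$VULN_DIR" ]; then
    report_dir "$VULN_DIR" || echo "guest still reports an unmitigated issue"
    echo "microcode: $(microcode_revision)"
else
    echo "no $VULN_DIR here (kernel older than 4.15, or not Linux)"
fi
```

Run it inside every Linux guest (and inside every nested guest, such as a Linux VM under the Microsoft hypervisor in the tree above), since the files describe only the kernel that is reading them; Windows guests need the equivalent check with their own tooling. A non-zero exit from report_dir is the signal that the guest kernel itself still needs a patch, whatever the layers beneath it report.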