To protect the enclave contents from disclosure and modifications, you can enable vSGX on a virtual machine in the VMware Host Client.
Some operations and features are not compatible with SGX.
- Migration with Storage vMotion
- Suspending or resuming the virtual machine
- Taking a snapshot of the virtual machine
- Fault Tolerance
- Enabling Guest Integrity (GI, platform foundation for VMware AppDefense 1.0)
- Power off the virtual machine.
- Verify that the virtual machine uses EFI firmware.
- Verify that the ESXi host is version 7.0 or later.
- Verify that the guest operating system in the virtual machine is Linux, Windows 10 (64-bit) or later, or Windows Server 2016 (64-bit) or later.
- Verify that you have the privilege on the virtual machine.
- Verify that the ESXi host is installed on an SGX-capable CPU, and SGX is enabled in the BIOS of the ESXi host. For information about the supported CPUs, see https://kb.vmware.com/s/article/71367.
- In the VMware Host Client inventory, click Virtual Machines.
- Right-click a virtual machine in the list and select Edit settings from the pop-up menu.
- On the Virtual Hardware tab, expand Security devices.
- Select the Enable check box.
- Under Enclave page cache size, enter a new value in the text box and select the size in MB or GB from the drop-down menu.
Note: The enclave page cache size must be a multiple of 2.
- From the Launch control configuration drop-down menu, select the appropriate mode.
| Option | Action |
| --- | --- |
| Locked | Enables the launch enclave configuration. Under Launch enclave public key hash, enter a valid SHA256 hash. The SHA256 hash key must contain 64 characters. |
| Unlocked | Enables the launch enclave configuration of the guest operating system. |
- Click Save.
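As an added example (not VMware code or part of the original page), the following Python checks the values entered in the steps above before they are saved, and derives a launch enclave public key hash for a signer key. The function names are hypothetical; the derivation assumes the hash is the MRSIGNER-style value Intel's tooling computes, SHA-256 over the 384-byte RSA-3072 modulus in little-endian byte order, which should be confirmed against the vSGX documentation for the byte order the field expects.

```python
import hashlib
import re
from typing import List, Optional


def launch_enclave_pubkey_hash(modulus_be: bytes) -> str:
    """Return a 64-hex-char launch enclave public key hash for an RSA-3072 signer.

    Assumption: MRSIGNER-style hash, i.e. SHA-256 over the 384-byte modulus
    with the bytes reversed into little-endian order (hypothetical helper).
    """
    if len(modulus_be) != 384:
        raise ValueError("expected a 384-byte (RSA-3072) modulus in big-endian order")
    return hashlib.sha256(modulus_be[::-1]).hexdigest()


def validate_vsgx_settings(epc_size: int, epc_unit: str, launch_mode: str,
                           pubkey_hash: Optional[str] = None) -> List[str]:
    """Return the list of problems with the settings (empty when they are acceptable)."""
    problems = []
    if epc_unit not in ("MB", "GB"):
        problems.append(f"EPC size unit must be MB or GB, got {epc_unit!r}")
    # The enclave page cache size must be a multiple of 2.
    if epc_size <= 0 or epc_size % 2 != 0:
        problems.append(f"EPC size must be a positive multiple of 2, got {epc_size}")
    if launch_mode not in ("Locked", "Unlocked"):
        problems.append(f"launch control mode must be Locked or Unlocked, got {launch_mode!r}")
    # Locked mode requires a valid 64-character SHA256 hash of the launch enclave public key.
    if launch_mode == "Locked":
        if pubkey_hash is None:
            problems.append("Locked mode requires a launch enclave public key hash")
        elif not re.fullmatch(r"[0-9a-fA-F]{64}", pubkey_hash):
            problems.append("launch enclave public key hash must be exactly 64 hex characters")
    return problems


if __name__ == "__main__":
    # Constructed sample modulus (not a real key): 384 bytes of a simple byte pattern.
    sample_modulus = bytes(range(256)) + bytes(range(128))
    digest = launch_enclave_pubkey_hash(sample_modulus)
    print("Locked-mode settings:", validate_vsgx_settings(64, "MB", "Locked", digest) or "OK")
    print("Odd EPC size:", validate_vsgx_settings(3, "MB", "Unlocked"))
```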