To protect the enclave contents from disclosure and modifications, you can enable vSGX on a virtual machine in the VMware Host Client.

Some operations and features are not compatible with SGX.

  • Migration with Storage vMotion
  • Suspending or resuming the virtual machine
  • Taking a snapshot of the virtual machine
  • Fault Tolerance
  • Enabling Guest Integrity (GI, platform foundation for VMware AppDefense 1.0)

Prerequisites

  • Power off the virtual machine.
  • Verify that the virtual machine uses EFI firmware.
  • Verify that the ESXi host is version 7.0 or later.
  • Verify that the guest operating system in the virtual machine is Linux, Windows 10 (64-bit) or later, or Windows Server 2016 (64-bit) or later.
  • Verify that you have the Virtual machine.Configuration.Modify device settings privilege on the virtual machine.
  • Verify that the ESXi host is installed on an SGX-capable CPU, and SGX is enabled in the BIOS of the ESXi host. For information about the supported CPUs, see https://kb.vmware.com/s/article/71367.

Procedure

  1. In the VMware Host Client inventory, click Virtual Machines.
  2. Right-click a virtual machine in the list and select Edit settings from the pop-up menu.
  3. On the Virtual Hardware tab, expand Security devices.
  4. Select the Enable check box.
  5. Under Enclave page cache size, enter a new value in the text box and select the size in MB or GB from the drop-down menu.
    Note: The enclave page cache size must be a multiple of 2.
  6. From the Launch control configuration drop-down menu, select the appropriate mode.
    Option    Action
    Locked    Enables the launch enclave configuration. Under Launch enclave public key hash, enter a valid SHA256 hash. The SHA256 hash key must contain 64 characters.
    Unlocked  Enables the launch enclave configuration of the guest operating system.
  7. Click Save.
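A pre-flight check for the values entered in steps 5 and 6, written here as an added example rather than anything from the VMware documentation or product: it applies the two constraints the page states (an enclave page cache size that is a multiple of 2, and a 64-character SHA256 hash when launch control is Locked) and, for use after power-on, parses a Linux guest's /proc/cpuinfo to confirm the SGX feature flags are exposed to the guest. The VsgxSettings field names and the cpuinfo excerpt are ours; the flag names sgx and sgx_lc are the ones the Linux kernel reports.

```python
import re
from dataclasses import dataclass

# A SHA-256 digest is 256 bits; written in hex that is exactly the
# 64 characters the Host Client expects under "Launch enclave public key hash".
SHA256_HEX = re.compile(r"[0-9a-fA-F]{64}")

# Sizes selectable from the drop-down in step 5, normalised to MB.
MB_PER_UNIT = {"MB": 1, "GB": 1024}


@dataclass
class VsgxSettings:
    """Values entered under Security devices (field names are ours, not VMware's)."""
    epc_size: int            # number typed in the Enclave page cache size box
    epc_unit: str            # "MB" or "GB" from the drop-down
    launch_control: str      # "Locked" or "Unlocked"
    le_pubkey_hash: str = "" # only consulted in Locked mode


def epc_size_mb(settings: VsgxSettings) -> int:
    """Normalise the EPC size to MB so the multiple-of-2 rule is checked once."""
    return settings.epc_size * MB_PER_UNIT[settings.epc_unit]


def validate_vsgx_settings(settings: VsgxSettings) -> list[str]:
    """Return the list of problems found; an empty list means the settings pass."""
    problems: list[str] = []

    if settings.epc_unit not in MB_PER_UNIT:
        problems.append(f"unknown EPC size unit {settings.epc_unit!r}")
    elif settings.epc_size <= 0 or epc_size_mb(settings) % 2 != 0:
        problems.append(
            f"EPC size {settings.epc_size} {settings.epc_unit} "
            "is not a positive multiple of 2"
        )

    if settings.launch_control == "Locked":
        # Locked mode pins the launch enclave the VM will trust, so the hash
        # must be present and well-formed before the setting is saved.
        if not SHA256_HEX.fullmatch(settings.le_pubkey_hash.strip()):
            problems.append(
                "Locked mode requires a 64-character hexadecimal SHA256 "
                "launch enclave public key hash"
            )
    elif settings.launch_control != "Unlocked":
        problems.append(
            f"launch control must be Locked or Unlocked, got {settings.launch_control!r}"
        )

    return problems


# Constructed /proc/cpuinfo excerpt, as a Linux guest might report it once
# vSGX is enabled; the flag list is abbreviated.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
flags\t\t: fpu vme de pse tsc msr pae mce sgx sgx_lc
"""


def guest_sgx_flags(cpuinfo_text: str) -> set[str]:
    """Collect the sgx* CPU flags from /proc/cpuinfo text (Linux names them sgx and sgx_lc)."""
    flags: set[str] = set()
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            _, _, rest = line.partition(":")
            flags.update(f for f in rest.split() if f.startswith("sgx"))
    return flags


if __name__ == "__main__":
    # Constructed placeholder hash: 64 hex characters, not a real launch enclave key.
    planned = VsgxSettings(epc_size=64, epc_unit="MB",
                           launch_control="Locked", le_pubkey_hash="ab" * 32)
    print("problems:", validate_vsgx_settings(planned))
    print("guest flags:", sorted(guest_sgx_flags(SAMPLE_CPUINFO)))
```

Run it before step 7 with the values you intend to enter; on the running guest, feed the real file with `guest_sgx_flags(open("/proc/cpuinfo").read())` to confirm the sgx flag is present, since an empty set means the VM was not given a working vSGX device despite the settings being accepted.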