Starting in vSphere 7.0 Update 2, you can use the vSphere Client to add SEV-ES to a virtual machine to provide enhanced security to the guest operating system.

You can add SEV-ES to virtual machines running on ESXi 7.0 Update 1 or later.

Prerequisites

  • The system must be installed with an AMD EPYC 7xx2 (code named "Rome") or later CPU and supporting BIOS.
  • SEV-ES must be enabled in the BIOS.
  • The number of SEV-ES virtual machines per ESXi host is controlled by the BIOS setting Minimum SEV non-ES ASID, which divides the pool of SEV address space identifiers (ASIDs) between SEV-ES guests and plain SEV guests. When enabling SEV-ES in the BIOS, enter a value equal to the number of SEV-ES virtual machines you want to run concurrently plus one. For example, if you want 12 SEV-ES virtual machines to run concurrently, enter 13. ESXi supports settings as high as 500.
    Note: vSphere 7.0 Update 1 supports at most 16 SEV-ES enabled virtual machines per ESXi host. A higher BIOS setting does not prevent SEV-ES from working; however, the limit of 16 still applies, so the 17th SEV-ES virtual machine cannot power on.
  • The ESXi host running in your environment must be at ESXi 7.0 Update 1 or later.
  • The vCenter Server must be at vSphere 7.0 Update 2 or later.
  • The guest operating system must support SEV-ES.

    Currently, only Linux kernels with specific support for SEV-ES are supported.

  • The virtual machine must be enabled for UEFI secure boot.
  • The virtual machine must be at hardware version 18 or later.
  • The virtual machine must have the Reserve all guest memory option enabled, otherwise power-on fails.

Procedure

  1. Connect to vCenter Server by using the vSphere Client.
  2. Select an object in the inventory that is a valid parent object of a virtual machine, for example, an ESXi host or a cluster.
  3. Right-click the object, select New Virtual Machine, and follow the prompts to create a virtual machine.
    On each wizard page (Option), take the listed Action:
    Select a creation type: Create a virtual machine.
    Select a name and folder: Specify a name and target location.
    Select a compute resource: Specify an object for which you have privileges to create virtual machines.
    Select storage: In the VM storage policy, select the storage policy. Select a compatible datastore.
    Select compatibility: Ensure that ESXi 7.0 U1 and later (hardware version 18) or a later compatibility level is selected.
    Select a guest OS: Select Linux, and select a version of Linux with specific support for SEV-ES.
    Customize hardware: Under VM Options > Boot Options, ensure that Firmware is set to EFI and that Secure Boot is selected. Under VM Options > Encryption, select the Enable check box for AMD SEV-ES. Ensure that the Reserve all guest memory option is enabled for the virtual machine's memory; otherwise the virtual machine fails to power on.
    Ready to complete: Review the information and click Finish.

Results

The virtual machine is created with SEV-ES.
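The prerequisites and the Customize hardware settings above can also be audited programmatically across an inventory. The following Python script is an added example and is not VMware code; the attribute names follow the vSphere API VirtualMachineConfigInfo properties as understood here (version, firmware, bootOptions.efiSecureBootEnabled, memoryReservationLockedToMax, sevEnabled) and GuestInfo.guestFamily, and the sample inventory is constructed. It also works out how many SEV-ES virtual machines a given Minimum SEV non-ES ASID setting accommodates under the per-host limit.

```python
"""Preflight audit for the SEV-ES prerequisites and wizard settings above.

Added example, not VMware code. Attribute names mirror the vSphere API
VirtualMachineConfigInfo properties as understood here (version, firmware,
bootOptions.efiSecureBootEnabled, memoryReservationLockedToMax, sevEnabled)
and GuestInfo.guestFamily. All sample configurations are constructed.
"""
from dataclasses import dataclass
from typing import List

# Per-host cap on SEV-ES virtual machines stated on the page for vSphere 7.0 U1.
SEV_ES_HOST_LIMIT_70U1 = 16
# Largest Minimum SEV non-ES ASID value the page says ESXi supports.
MAX_MIN_SEV_NON_ES_ASID = 500


@dataclass
class VmConfig:
    name: str
    version: str                # hardware version string, e.g. "vmx-18"
    firmware: str               # "efi" or "bios"
    efi_secure_boot: bool       # bootOptions.efiSecureBootEnabled
    memory_locked_to_max: bool  # "Reserve all guest memory" in the client
    guest_family: str           # guest.guestFamily, e.g. "linuxGuest"
    sev_enabled: bool           # sevEnabled (the AMD SEV-ES check box)


def hw_version(version: str) -> int:
    """Return the numeric hardware version from a string such as 'vmx-18'."""
    prefix, _, number = version.partition("-")
    if prefix != "vmx" or not number.isdigit():
        raise ValueError(f"unrecognized hardware version: {version!r}")
    return int(number)


def sev_es_prereq_failures(vm: VmConfig) -> List[str]:
    """Return every unmet SEV-ES prerequisite for one virtual machine.

    An empty list means the VM matches the Prerequisites and the
    Customize hardware settings described on the page.
    """
    failures: List[str] = []
    if hw_version(vm.version) < 18:
        failures.append(f"{vm.name}: hardware version {vm.version} is below vmx-18")
    if vm.firmware.lower() != "efi":
        failures.append(f"{vm.name}: firmware is {vm.firmware}, SEV-ES needs EFI")
    if not vm.efi_secure_boot:
        failures.append(f"{vm.name}: UEFI secure boot is not enabled")
    if not vm.memory_locked_to_max:
        failures.append(f"{vm.name}: Reserve all guest memory is off; power-on will fail")
    if vm.guest_family != "linuxGuest":
        failures.append(f"{vm.name}: guest family {vm.guest_family} is not a Linux guest")
    if not vm.sev_enabled:
        failures.append(f"{vm.name}: AMD SEV-ES is not enabled under VM Options > Encryption")
    return failures


def sev_es_vm_capacity(min_sev_non_es_asid: int,
                       host_limit: int = SEV_ES_HOST_LIMIT_70U1) -> int:
    """Concurrent SEV-ES VMs a host can run for a given BIOS setting.

    The page says to enter (number of SEV-ES VMs + 1), so a setting of S
    accommodates S - 1 SEV-ES guests, and the per-host limit still applies
    no matter how high the BIOS value is.
    """
    if not 1 <= min_sev_non_es_asid <= MAX_MIN_SEV_NON_ES_ASID:
        raise ValueError(f"Minimum SEV non-ES ASID must be 1..{MAX_MIN_SEV_NON_ES_ASID}")
    return min(min_sev_non_es_asid - 1, host_limit)


if __name__ == "__main__":
    # Constructed sample inventory: one compliant VM and one with several gaps.
    inventory = [
        VmConfig("sev-web01", "vmx-18", "efi", True, True, "linuxGuest", True),
        VmConfig("legacy-db", "vmx-17", "bios", False, False, "windowsGuest", False),
    ]
    for vm in inventory:
        for line in sev_es_prereq_failures(vm) or [f"{vm.name}: ok"]:
            print(line)
    print("SEV-ES capacity with Minimum SEV non-ES ASID = 13:", sev_es_vm_capacity(13))
```

When run against a live vCenter, the VmConfig fields would be filled from each VM's config and guest properties; the audit logic itself does not depend on a connection, which is why the memory-reservation and secure-boot checks can be exercised offline before any VM is powered on.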