Starting with vSphere 7.0 Update 1, you can enable Secure Encrypted Virtualization-Encrypted State (SEV-ES) on supported AMD CPUs and guest operating systems.

SEV-ES is currently supported only on AMD EPYC 7xx2 CPUs (code named "Rome") and later CPUs, and only with Linux kernel versions that include specific guest support for SEV-ES.

SEV-ES Components and Architecture

The SEV-ES architecture consists of the following components.

  • AMD CPU, specifically, the Platform Security Processor (PSP) that manages encryption keys and handles encryption.
  • Enlightened operating system, that is, an operating system that uses guest-initiated calls to the hypervisor.
  • Virtual Machine Monitor (VMM) and Virtual Machine Executable (VMX), to initialize an encrypted virtual machine state during virtual machine power-on, and also to handle calls from the guest operating system.
  • VMkernel driver, to communicate unencrypted data between the hypervisor and the guest operating system.

Implementing and Managing SEV-ES on ESXi

You must first enable SEV-ES in a system's BIOS configuration. See your system's documentation for more information about accessing the BIOS configuration. After you have enabled SEV-ES in the system's BIOS, you can then add SEV-ES to a virtual machine.

You use PowerCLI commands to enable and disable SEV-ES on virtual machines. You can create new virtual machines with SEV-ES, or enable SEV-ES on existing virtual machines. Privileges to manage virtual machines enabled with SEV-ES are the same as for managing regular virtual machines.
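The PowerCLI workflow described above, as an added example (not code from the VMware documentation): it checks that the host advertises SEV-ES support, enables SEV-ES on an existing powered-off virtual machine, verifies the setting, and then takes the kind of snapshot that remains supported. It assumes PowerCLI 12.1 or later with an open vCenter session; the host and VM names are placeholders, the `SevSupported` and `SevEnabled` property paths are taken from the vSphere API as I know it, and the requirement that the VM be powered off is an assumption.

```powershell
# Added example, not from the VMware page. Assumes Connect-VIServer has already been run.
param(
    [string]$VMName   = "sev-test-vm",              # placeholder
    [string]$HostName = "esxi-01.example.test"      # placeholder
)

# 1. The host must report SEV-ES support, which requires the BIOS setting and a Rome-or-later CPU.
#    Assumption: HostCapability.sevSupported is exposed under ExtensionData.Capability.
$vmHost = Get-VMHost -Name $HostName
if (-not $vmHost.ExtensionData.Capability.SevSupported) {
    throw "Host $HostName does not report SEV-ES support; check the BIOS setting and CPU generation."
}

# 2. Assumption: SEV-ES can only be toggled while the VM is powered off.
$vm = Get-VM -Name $VMName
if ($vm.PowerState -ne "PoweredOff") {
    throw "$VMName must be powered off before SEV-ES can be enabled."
}

# 3. Enable SEV-ES. -SEVEnabled is the Set-VM / New-VM parameter added in PowerCLI 12.1.
#    For a new VM the equivalent is:  New-VM -Name $VMName -VMHost $vmHost -SEVEnabled $true
Set-VM -VM $vm -SEVEnabled $true -Confirm:$false | Out-Null

# 4. Verify from the VM configuration (assumption: VirtualMachineConfigInfo.sevEnabled).
$vm = Get-VM -Name $VMName
if (-not $vm.ExtensionData.Config.SevEnabled) {
    throw "SEV-ES was not enabled on $VMName."
}
Write-Host "SEV-ES enabled on $VMName"

# 5. Powered-on (memory) snapshots are unsupported with SEV-ES, so snapshot without memory.
Start-VM -VM $vm -Confirm:$false | Out-Null
New-Snapshot -VM $vm -Name "sev-es-baseline" -Memory:$false -Quiesce:$false -Confirm:$false | Out-Null
```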

Unsupported VMware Features on SEV-ES

The following features are not supported when SEV-ES is enabled.

  • System Management Mode
  • vMotion
  • Powered-on snapshots (however, no-memory snapshots are supported)
  • Hot add or remove of CPU or memory
  • Suspend/resume
  • VMware Fault Tolerance
  • Clones and instant clones
  • Guest Integrity