You can add SEV-ES to a virtual machine to provide enhanced security to the guest operating system.
You can add SEV-ES to virtual machines running on ESXi 7.0 Update 1 or later.
- The system must be installed with an AMD EPYC 7xx2 (code named "Rome") or later CPU and supporting BIOS.
- SEV-ES must be enabled in the BIOS.
When enabling SEV-ES in the BIOS, enter a value for the Minimum SEV non-ES ASID setting equal to the number of SEV-ES virtual machines plus one. For example, if you have 12 virtual machines that you want to run concurrently, enter 13.
- The ESXi host running in your environment must be at ESXi 7.0 Update 1 or later.
- The guest operating system must support SEV-ES.
Currently, only Linux kernels with specific support for SEV-ES are supported.
- The virtual machine must be enabled for UEFI secure boot.
- The virtual machine must be at hardware version 18 or later.
- The virtual machine must reserve its memory fully, otherwise power-on fails.
- PowerCLI 12.1.0 or later must be installed on a system with access to your environment.
- In a PowerCLI session, run the Connect-VIServer cmdlet to connect as an administrator to the vCenter Server that manages the ESXi host on which you want to add a virtual machine with SEV-ES.
Connect-VIServer -server vCenter_Server_ip_address -User admin_user -Password 'password'
- Create the virtual machine with the New-VM cmdlet, specifying -SEVEnabled $true.
For example, first assign the host information to a variable, then create the virtual machine.
$vmhost = Get-VMHost -Name 10.193.25.83 New-VM -Name MyVM1 $vmhost -NumCPU 2 -MemoryMB 4 -DiskMB 4 -SEVEnabled $trueIf you must specify the virtual hardware version, run the New-VM cmdlet with the -HardwareVersion vmx-18 parameter. For example:
New-VM -Name MyVM1 $vmhost -NumCPU 2 -MemoryMB 4 -DiskMB 4 -SEVEnabled $true -HardwareVersion vmx-18
The virtual machine is created with SEV-ES.