You can add AMD Secure Encrypted Virtualization-Encrypted State (SEV-ES) to a virtual machine. SEV-ES encrypts the guest's memory and its saved CPU register state with a key the hypervisor cannot read, so a compromised ESXi host or another tenant's virtual machine cannot inspect the guest operating system's data.

You can add SEV-ES to virtual machines running on ESXi 7.0 Update 1 or later.

Prerequisites

  • The system must be installed with an AMD EPYC 7xx2 (code named "Rome") or later CPU and supporting BIOS.
  • SEV-ES must be enabled in the BIOS.

    When enabling SEV-ES in the BIOS, enter a value for the Minimum SEV non-ES ASID setting equal to the number of SEV-ES virtual machines you want to run concurrently plus one. The CPU reserves every address space ID (ASID) below this value for SEV-ES guests, and each powered-on SEV-ES virtual machine consumes one of them. For example, if you want 12 SEV-ES virtual machines to run concurrently, enter 13.

  • The ESXi host running in your environment must be at ESXi 7.0 Update 1 or later.
  • The guest operating system must support SEV-ES.

    Currently, only Linux guests whose kernel includes SEV-ES support are supported.

  • The virtual machine must be enabled for UEFI secure boot.
  • The virtual machine must be at hardware version 18 or later.
  • The virtual machine must reserve all of its memory, otherwise power-on fails. Encrypted guest pages cannot be swapped, ballooned, or shared by the host, so the full amount must be backed by physical memory.
  • PowerCLI 12.1.0 or later must be installed on a system with access to your environment.

Procedure

  1. In a PowerCLI session, run the Connect-VIServer cmdlet to connect as an administrator to the vCenter Server that manages the ESXi host on which you want to add a virtual machine with SEV-ES.
    Connect-VIServer -server vCenter_Server_ip_address -User admin_user -Password 'password'
    Passing -Password on the command line leaves the password in the PowerShell history and in process listings. Prefer -Credential (Get-Credential), which prompts for it instead.
  2. Create the virtual machine with the New-VM cmdlet, specifying -SEVEnabled $true.
    For example, first assign the host information to a variable, then create the virtual machine.
    $vmhost = Get-VMHost -Name 10.193.25.83
    New-VM -Name MyVM1 -VMHost $vmhost -NumCPU 2 -MemoryGB 4 -DiskGB 4 -SEVEnabled $true
    Size the virtual machine for a real guest: a Linux kernel with SEV-ES support does not boot in a few megabytes of memory, and the full amount you specify must later be reserved.
    If you must specify the virtual hardware version, run the New-VM cmdlet with the -HardwareVersion vmx-18 parameter. For example:
    New-VM -Name MyVM1 -VMHost $vmhost -NumCPU 2 -MemoryGB 4 -DiskGB 4 -SEVEnabled $true -HardwareVersion vmx-18
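    The procedure above creates the virtual machine but leaves two of the listed prerequisites, UEFI secure boot and a full memory reservation, to be configured separately. The following PowerCLI script is an added example, not part of the vSphere documentation or of PowerCLI itself: it runs the whole procedure end to end, applies those two settings through the vSphere API, and then reads the stored configuration back to confirm every prerequisite before the virtual machine is powered on. The vCenter name vcsa.example.com, the host esx01.example.com, the datastore datastore1, and the virtual machine name sev-es-vm1 are placeholders; replace them with values from your environment. The BIOS settings (SEV-ES enabled, Minimum SEV non-ES ASID) cannot be read through PowerCLI and must still be checked on the host.

```powershell
# Added example (not from the vSphere documentation): create an SEV-ES VM,
# apply the UEFI secure boot and memory reservation prerequisites, and verify.
# Placeholders: vcsa.example.com, esx01.example.com, datastore1, sev-es-vm1.
# Requires PowerCLI 12.1 or later.

# 1. Connect. Get-Credential prompts for the password instead of placing it on
#    the command line, where it would persist in the PowerShell history.
$cred = Get-Credential -Message 'vCenter administrator'
Connect-VIServer -Server 'vcsa.example.com' -Credential $cred | Out-Null

# 2. Select the host and check the host-side prerequisites that are visible
#    from vCenter: ESXi 7.0 Update 1 (version 7.0.1) or later on an AMD EPYC CPU.
$vmhost = Get-VMHost -Name 'esx01.example.com'
if ([version]$vmhost.Version -lt [version]'7.0.1') {
    throw "Host $($vmhost.Name) runs ESXi $($vmhost.Version); SEV-ES needs 7.0 Update 1 or later."
}
if ($vmhost.ProcessorType -notmatch 'AMD EPYC') {
    throw "Host $($vmhost.Name) reports '$($vmhost.ProcessorType)'; SEV-ES needs an AMD EPYC 7xx2 or later CPU."
}

# 3. Create the VM with SEV-ES at hardware version 18. Sizing is realistic for a
#    Linux guest; the memory figure is reserved in full in the next step.
$vm = New-VM -Name 'sev-es-vm1' -VMHost $vmhost -Datastore 'datastore1' `
             -NumCpu 2 -MemoryGB 4 -DiskGB 16 -GuestId 'ubuntu64Guest' `
             -HardwareVersion 'vmx-18' -SEVEnabled $true

# 4. Reconfigure through the vSphere API: EFI firmware with secure boot, and the
#    memory reservation locked to the configured size so that power-on succeeds.
$spec = New-Object VMware.Vim.VirtualMachineConfigSpec
$spec.Firmware = 'efi'
$spec.BootOptions = New-Object VMware.Vim.VirtualMachineBootOptions
$spec.BootOptions.EfiSecureBootEnabled = $true
$spec.MemoryReservationLockedToMax = $true
$vm.ExtensionData.ReconfigVM($spec)

# 5. Read the configuration back from vCenter rather than trusting the values we
#    sent, and refuse to continue if any prerequisite is not actually in place.
$cfg = (Get-VM -Name 'sev-es-vm1').ExtensionData.Config
$checks = [ordered]@{
    'SEV-ES enabled'         = ($cfg.SevEnabled -eq $true)
    'Hardware version >= 18' = ([int]($cfg.Version -replace '^vmx-', '') -ge 18)
    'EFI firmware'           = ($cfg.Firmware -eq 'efi')
    'UEFI secure boot'       = ($cfg.BootOptions.EfiSecureBootEnabled -eq $true)
    'Memory fully reserved'  = ($cfg.MemoryReservationLockedToMax -eq $true)
}
foreach ($check in $checks.GetEnumerator()) {
    '{0,-24} {1}' -f $check.Key, $(if ($check.Value) { 'OK' } else { 'MISSING' })
}
if ($checks.Values -contains $false) {
    throw 'SEV-ES prerequisites are not met; do not power on the virtual machine.'
}

Disconnect-VIServer -Server 'vcsa.example.com' -Confirm:$false
```

    The verification step reads VirtualMachineConfigInfo fields (SevEnabled, Firmware, BootOptions.EfiSecureBootEnabled, MemoryReservationLockedToMax) that vCenter stores after the reconfiguration, so a reconfiguration that silently failed or a VM that was later edited shows up as MISSING rather than as a power-on failure with a less specific error. Run the script before the first power-on; it does not power the virtual machine on.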

Results

The virtual machine is created with SEV-ES enabled. Power it on only after UEFI secure boot is enabled and its memory is fully reserved; otherwise power-on fails.