You can add SEV-ES to an existing virtual machine to provide enhanced security to the guest operating system.
You can add SEV-ES to virtual machines running on ESXi 7.0 Update 1 or later.
- The system must be installed with an AMD EPYC 7xx2 (code named "Rome") or later CPU and supporting BIOS.
- SEV-ES must be enabled in the BIOS.
- The number of SEV-ES virtual machines per ESXi host is controlled by the BIOS. When enabling SEV-ES in the BIOS, enter a value for the Minimum SEV non-ES ASID setting equal to the number of SEV-ES virtual machines plus one. For example, if you have 12 virtual machines that you want to run concurrently, enter 13. Settings as high as 500 are supported by ESXi.
Note: vSphere 7.0 Update 1 supports 16 SEV-ES enabled virtual machines per ESXi host. Using a higher setting in the BIOS does not prevent SEV-ES from working; however, the limit of 16 still applies.
- The ESXi host running in your environment must be ESXi 7.0 Update 1 or later.
- The guest operating system must support SEV-ES.
Currently, only Linux kernels with specific support for SEV-ES are supported.
- The virtual machine must be enabled for UEFI secure boot.
- The virtual machine must be at hardware version 18 or later.
- The virtual machine must have the Reserve all guest memory option enabled, otherwise power-on fails.
- PowerCLI 12.1.0 or later must be installed on a system with access to your environment.
- Ensure that the virtual machine is powered off.
- In a PowerCLI session, run the Connect-VIServer cmdlet to connect as an administrator to the vCenter Server that manages the ESXi host with the virtual machine to which you want to add SEV-ES.
Connect-VIServer -server vCenter_Server_ip_address -User admin_user -Password 'password'
- Add SEV-ES to the virtual machine with the Set-VM cmdlet, specifying -SEVEnabled $true.
$vmhost = Get-VMHost -Name 10.193.25.83
# Set-VM takes the virtual machine through -VM; its -Name parameter renames the VM.
Set-VM -VM (Get-VM -Name MyVM2 -Location $vmhost) -SEVEnabled $true
If you must specify the virtual hardware version, run the Set-VM cmdlet with the -HardwareVersion vmx-18 parameter. For example:
Set-VM -VM (Get-VM -Name MyVM2 -Location $vmhost) -SEVEnabled $true -HardwareVersion vmx-18
SEV-ES is added to the virtual machine.
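The following PowerCLI script is an added example, not part of the original documentation: it reads the prerequisites listed above from the virtual machine's configuration before calling Set-VM, then confirms the result. The vCenter address is a placeholder, the VM and host names are the ones used in the steps above, and the ExtensionData properties are read from the vSphere API configuration object.

```powershell
# Added example (not from the original page). 'vcenter.example.test' is a
# placeholder; MyVM2 and 10.193.25.83 are the names used in the steps above.
$ErrorActionPreference = 'Stop'

# Prompt for credentials instead of putting the password on the command line.
Connect-VIServer -Server 'vcenter.example.test' -Credential (Get-Credential) | Out-Null

$vmhost = Get-VMHost -Name 10.193.25.83
$vm     = Get-VM -Name MyVM2 -Location $vmhost
$cfg    = $vm.ExtensionData.Config                   # vSphere API VirtualMachineConfigInfo
$hwVer  = [int]($cfg.Version -replace '^vmx-', '')   # "vmx-18" -> 18

# Prerequisites from the list above that can be read from the inventory.
# BIOS settings and guest kernel support for SEV-ES are not checked here.
$checks = [ordered]@{
    'ESXi host is 7.0 Update 1 (7.0.1) or later' = ([version]$vmhost.Version -ge [version]'7.0.1')
    'Virtual machine is powered off'             = ($vm.PowerState -eq 'PoweredOff')
    'UEFI firmware with secure boot enabled'     = ($cfg.Firmware -eq 'efi' -and $cfg.BootOptions.EfiSecureBootEnabled -eq $true)
    'Reserve all guest memory is enabled'        = ($cfg.MemoryReservationLockedToMax -eq $true)
}

$failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value })
foreach ($c in $checks.GetEnumerator()) {
    '{0,-6} {1}' -f $(if ($c.Value) { 'OK' } else { 'FAIL' }), $c.Key
}
if ($failed.Count -gt 0) {
    throw "SEV-ES not enabled: $($failed.Count) prerequisite(s) not met."
}

# Raise the hardware version in the same call only when it is below 18.
$params = @{ VM = $vm; SEVEnabled = $true; Confirm = $false }
if ($hwVer -lt 18) { $params['HardwareVersion'] = 'vmx-18' }
Set-VM @params | Out-Null

# Re-read the VM and confirm the setting was applied.
$sev = (Get-VM -Name MyVM2 -Location $vmhost).ExtensionData.Config.SevEnabled
"SEV-ES enabled on MyVM2: $sev"
```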