With vSphere with Tanzu, you can run confidential vSphere Pods on a Supervisor Cluster. A confidential vSphere Pod uses AMD Secure Encrypted Virtualization-Encrypted State (SEV-ES), a hardware technology that keeps the guest OS memory and CPU register state encrypted, so that the hypervisor cannot read them.
Prerequisites
To enable SEV-ES on an ESXi host, a vSphere administrator must follow these guidelines:
- Use hosts that support SEV-ES. Currently, SEV-ES is supported only on AMD EPYC 7xx2 CPUs (code named Rome) and later CPUs.
- Use ESXi 7.0 Update 2 or later.
- Enable SEV-ES in the ESXi host's BIOS configuration. See your system's documentation for information about accessing the BIOS configuration.
- When enabling SEV-ES in the BIOS, set the Minimum SEV non-ES ASID value equal to the number of SEV-ES VMs and confidential vSphere Pods you plan to run on the host, plus one. For example, if you plan to run 100 SEV-ES VMs and 128 confidential vSphere Pods, enter at least 229. The maximum value you can enter is 500, so plan the per-host count accordingly.
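The following PowerCLI script is an added example, not part of the VMware documentation. It computes the Minimum SEV non-ES ASID value from planned workload counts, warns when that value exceeds the 500 maximum, and lists which hosts in the connected vCenter meet the ESXi version and CPU prerequisites. It assumes PowerCLI is installed, that you have already run `Connect-VIServer`, that ESXi 7.0 Update 2 reports its version as `7.0.2`, and that the processor string of a Rome or Milan host contains a model number matching `EPYC 7xx2` or `EPYC 7xx3`; the regular expression is an assumption and must be extended for newer EPYC families. The BIOS setting itself cannot be read or changed through vSphere, so the script only tells you the value to enter.

```powershell
# Added example (not VMware's code): SEV-ES prerequisite check for the
# guidelines above. Requires PowerCLI and an existing Connect-VIServer session.
param(
    [int]$PlannedSevEsVMs = 100,          # assumed planning figures from the text
    [int]$PlannedConfidentialPods = 128
)

# Minimum SEV non-ES ASID = SEV-ES VMs + confidential vSphere Pods + 1
$minimumSevNonEsAsid = $PlannedSevEsVMs + $PlannedConfidentialPods + 1
if ($minimumSevNonEsAsid -gt 500) {
    Write-Warning ("Minimum SEV non-ES ASID {0} exceeds the BIOS maximum of 500; " +
                   "reduce the per-host workload count or spread it across hosts.") -f $minimumSevNonEsAsid
}
Write-Host "Enter Minimum SEV non-ES ASID = $minimumSevNonEsAsid in each host's BIOS"

# ESXi 7.0 Update 2 reports version 7.0.2 (assumption stated in the lead-in)
$requiredVersion = [version]'7.0.2'

# Rome (7xx2) and Milan (7xx3) model numbers only; extend for newer EPYC families
$supportedCpuPattern = 'EPYC\s+7\d{2}[23]'

Get-VMHost | ForEach-Object {
    $versionOk = ([version]$_.Version) -ge $requiredVersion
    $cpuOk     = $_.ProcessorType -match $supportedCpuPattern
    [pscustomobject]@{
        Host         = $_.Name
        ESXiVersion  = $_.Version
        CPU          = $_.ProcessorType
        MeetsPrereqs = ($versionOk -and $cpuOk)
    }
} | Format-Table -AutoSize
```

Hosts that show `MeetsPrereqs` as `False` either need an ESXi upgrade or are not Rome-or-later EPYC systems; for the remaining hosts, the printed ASID value still has to be entered manually in each host's BIOS, and SEV-ES must be enabled there before confidential vSphere Pods can be scheduled.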