In vSphere 7.0 Update 2 and later, you can use the vSphere Client to add SEV-ES to an existing virtual machine to provide enhanced security to the guest operating system.

You can add SEV-ES to virtual machines running on ESXi 7.0 Update 1 or later.

Prerequisites

  • The system must be installed with an AMD EPYC 7xx2 (code named "Rome") or later CPU and supporting BIOS.
  • SEV-ES must be activated in the BIOS.
  • The number of SEV-ES virtual machines per ESXi host is controlled by the BIOS. When activating SEV-ES in the BIOS, enter a value for the Minimum SEV non-ES ASID setting equal to the number of SEV-ES virtual machines plus one. For example, if you have 12 virtual machines that you want to run concurrently, enter 13.
    Note: vSphere 7.0 Update 1 and later supports 16 SEV-ES activated virtual machines per ESXi host. Using a higher setting in the BIOS does not prevent SEV-ES from working, however, the limit of 16 still applies. vSphere 7.0 Update 2 and later supports 480 SEV-ES activated virtual machines per ESXi host.
  • The ESXi host running in your environment must be at ESXi 7.0 Update 1 or later.
  • The vCenter Server must be at vSphere 7.0 Update 2 or later.
  • The guest operating system must support SEV-ES.

    Currently, only Linux kernels with specific support for SEV-ES are supported.

  • The virtual machine must be at hardware version 18 or later.
  • The virtual machine must have the Reserve all guest memory option checked, otherwise power-on fails.
  • Ensure that the virtual machine is powered off.

Procedure

  1. Connect to vCenter Server by using the vSphere Client.
  2. Right-click the virtual machine in the inventory that you want to modify and select Edit Settings.
  3. Under VM Options > Boot Options > Firmware, ensure that EFI is selected.
  4. In the Edit Settings dialog box, under VM Options > Encryption, select the Enable check box for AMD SEV-ES.
  5. Click OK.

Results

SEV-ES is added to the virtual machine.