In vSphere 7.0 Update 1 and later, you can activate Secure Encrypted Virtualization-Encrypted State (SEV-ES) on supported AMD CPUs and guest operating systems.

Currently, SEV-ES requires AMD EPYC 7xx2 CPUs (code named "Rome") or later, and a guest Linux kernel version that includes specific SEV-ES support.

SEV-ES Components and Architecture

The SEV-ES architecture consists of the following components.

  • AMD CPU, specifically its Platform Security Processor (PSP), which manages the encryption keys and performs the encryption.
  • Enlightened operating system, that is, a guest operating system that uses guest-initiated calls to the hypervisor.
  • Virtual Machine Monitor (VMM) and Virtual Machine Executable (VMX), which initialize the encrypted virtual machine state during virtual machine power-on and handle the calls from the guest operating system.
  • VMkernel driver, which carries the unencrypted data exchanged between the hypervisor and the guest operating system.

Implementing and Managing SEV-ES on ESXi

You must first activate SEV-ES in the system's BIOS configuration; see the documentation for your system for information about accessing the BIOS settings. After SEV-ES is activated in the BIOS, you can add SEV-ES to a virtual machine.

You use either the vSphere Client (in vSphere 7.0 Update 2 and later) or PowerCLI commands to activate and deactivate SEV-ES on virtual machines. You can create new virtual machines with SEV-ES, or activate SEV-ES on existing virtual machines. Privileges to manage virtual machines activated with SEV-ES are the same as for managing regular virtual machines.
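As an added example (not VMware's own code), the following PowerCLI script performs the host and virtual machine checks implied by the text and then activates SEV-ES on an existing virtual machine. It assumes an active Connect-VIServer session, PowerCLI 12.1 or later with the Set-VM -SEVEnabled parameter, that the vSphere API exposes the result as the Config.SevEnabled property of the virtual machine, and that hardware version 18 is required (taken from the vSphere documentation rather than this page); it cannot verify the BIOS setting itself.

```powershell
# Activate SEV-ES on an existing VM after checking prerequisites.
# Assumes: Connect-VIServer already run; PowerCLI 12.1+ (Set-VM -SEVEnabled);
# SEV-ES already activated in the host BIOS (not verifiable from here).
param(
    [Parameter(Mandatory)][string]$VMName
)

$vm     = Get-VM -Name $VMName -ErrorAction Stop
$vmHost = $vm | Get-VMHost

# SEV-ES needs an AMD EPYC "Rome" (7xx2) or later CPU; the host's processor
# string is the cheapest available check.
if ($vmHost.ProcessorType -notmatch 'AMD EPYC') {
    throw "Host $($vmHost.Name) CPU '$($vmHost.ProcessorType)' is not AMD EPYC; SEV-ES is unsupported."
}

# The encrypted VM state is initialized at power-on, so the VM must be
# powered off before the setting is changed.
if ($vm.PowerState -ne 'PoweredOff') {
    throw "VM $VMName must be powered off (current state: $($vm.PowerState))."
}

# Assumed requirement from the vSphere docs: hardware version 18 (vSphere 7.0 U1) or later.
$hwVersion = [int]($vm.HardwareVersion -replace '^vmx-', '')
if ($hwVersion -lt 18) {
    throw "VM $VMName is hardware version $hwVersion; upgrade to vmx-18 or later first."
}

# Activate SEV-ES with the documented PowerCLI parameter.
Set-VM -VM $vm -SEVEnabled $true -Confirm:$false | Out-Null

# Re-read the VM and confirm the API-level flag (assumed property name: SevEnabled).
$vm = Get-VM -Name $VMName
if (-not $vm.ExtensionData.Config.SevEnabled) {
    throw "SEV-ES did not activate on $VMName; check the BIOS setting and that ESXi is 7.0 U1 or later."
}

Write-Host "SEV-ES is active on $VMName."
Write-Host "Note: vMotion, Fault Tolerance, powered-on snapshots, hot add/remove, suspend/resume, clones and UEFI Secure Boot are unavailable for this VM."
```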

Unsupported VMware Features on SEV-ES

The following features are not supported when SEV-ES is activated.

  • System Management Mode
  • vMotion
  • Snapshots of a powered-on virtual machine (snapshots without memory are supported)
  • Hot add or remove of CPU or memory
  • Suspend/resume
  • VMware Fault Tolerance
  • Clones and instant clones
  • Guest Integrity
  • UEFI Secure Boot