Intel® Software Guard Extensions (Intel® SGX) is a hardware-based security solution that allows you to isolate specific application code and data in private memory regions, called enclaves. Use the vSphere Client to register your SGX-capable hosts with multiple CPU sockets with the Intel Registration Server and use remote attestation for applications running inside your vSGX-enabled virtual machines.
Starting with vSphere 7.0, you can enable the Virtual Intel® Software Guard Extensions (vSGX) on virtual machines and provide additional security to your workloads. See Securing Virtual Machines with Intel Software Guard Extensions in the vSphere Virtual Machine Administration documentation. Furthermore, you can use remote attestation for the vSGX-enabled virtual machines. Intel SGX remote attestation is a security mechanism that allows you to establish an authenticated and secure communication channel with a trusted remote entity. To use remote attestation for virtual machines using SGX enclaves, hosts with a single CPU socket do not require Intel registration.
Starting with vSphere 8.0, to enable the remote attestation on a virtual machine running on a host with multiple CPU sockets, you must first register the host with the Intel Registration Server. If an SGX-capable host with multiple CPU sockets is not registered with the Intel Registration Server, you can only power on vSGX-enabled virtual machines that do not require remote attestation.
When you add a host with SGX-capable CPUs, vCenter Server accesses the Unified Extensible Firmware Interface (UEFI) variables provided by the BIOS and reads the current registration status of the host. To enable vCenter Server to retrieve information about the SGX status of a host, you must set the firmware boot mode of the host to UEFI mode. See How to View the SGX Registration Status of Your ESXi Host.
You can change the current SGX registration status of the host by using the registration options in vSphere Client or by rebooting the ESXi host after microcode updates and adding or replacing a CPU package. After each host reboot, you can view the updated registration status of the host by using the vSphere Client.
SGX Registration Statuses of a Host
You can view the current status of an SGX-capable hosts using the vSphere Client and perform the necessary steps to register the hosts with the Intel Registration Server.
SGX Registration Status |
Description |
---|---|
Not Applicable |
SGX-capable hosts with a single CPU socket do not require registration with the Intel Registration Server to enable remote attestation. |
Incomplete |
The registration status is incomplete in one of the following use cases:
|
Complete |
The host is successfully registered with the Intel Registration Server. |
How to View the SGX Registration Status of Your ESXi Host
You can view the current SGX registration status of an ESXi host by using the vSphere Client.
Prerequisites
Make sure that the host is installed on an Intel CPU with SGX capabilities and SGX is enabled.
Set the firmware boot mode of the host to UEFI.
Procedure
What to do next
To use the remote attestation feature for vSGX-enabled virtual machines, you must register the host with the Intel Registration Server if the host registration is incomplete and the host has multiple CPU sockets. See How to Register Your Multi-Socket ESXi Host with the Intel SGX Registration Server.
How to Register Your Multi-Socket ESXi Host with the Intel SGX Registration Server
To use the SGX remote attestation feature for a multi-socket host, register the ESXi host with the Intel Registration Server using the vSphere Client.
The Intel SGX attestation mechanism ensures the trust between the vSGX enclave and an external entity. To use this feature on a multi-socket host with enabled SGX capabilities, you must register the host with the Intel SGX Registration Server.
Prerequisites
Make sure that the host is installed on an Intel CPU with SGX capabilities and SGX is enabled.
Set the firmware boot mode of the host to UEFI.
Procedure
- In the vSphere Client home page, navigate to .
- Select an SGX-capable host from the inventory and click the Configure tab.
- Under Hardware, select SGX and click Register.
Results
Upon successful completion of the registration operation, the registration status of the host changes to Completed.
What to do next
Enable remote attestation for a vSGX-enabled virtual machine. See Securing Virtual Machines with Intel Software Guard Extensions in the vSphere Virtual Machine Administration documentation.