Intel® Software Guard Extensions (Intel® SGX) is a hardware-based security solution that allows you to isolate specific application code and data in private memory regions, called enclaves. Use the vSphere Client to register SGX-capable hosts that have multiple CPU sockets with the Intel Registration Server and use remote attestation for applications running inside your vSGX-enabled virtual machines.

Starting with vSphere 7.0, you can enable the Virtual Intel® Software Guard Extensions (vSGX) on virtual machines and provide additional security to your workloads. See Securing Virtual Machines with Intel Software Guard Extensions in the vSphere Virtual Machine Administration documentation. Furthermore, you can use remote attestation for the vSGX-enabled virtual machines. Intel SGX remote attestation is a security mechanism that allows you to establish an authenticated and secure communication channel with a trusted remote entity. Hosts with a single CPU socket do not require Intel registration to use remote attestation for virtual machines that use SGX enclaves.

Starting with vSphere 8.0, to enable the remote attestation on a virtual machine running on a host with multiple CPU sockets, you must first register the host with the Intel Registration Server. If an SGX-capable host with multiple CPU sockets is not registered with the Intel Registration Server, you can only power on vSGX-enabled virtual machines that do not require remote attestation.

When you add a host with SGX-capable CPUs, vCenter Server accesses the Unified Extensible Firmware Interface (UEFI) variables provided by the BIOS and reads the current registration status of the host. To enable vCenter Server to retrieve information about the SGX status of a host, you must set the firmware boot mode of the host to UEFI mode. See How to View the SGX Registration Status of Your ESXi Host.

You can change the current SGX registration status of the host by using the registration options in vSphere Client or by rebooting the ESXi host after microcode updates and adding or replacing a CPU package. After each host reboot, you can view the updated registration status of the host by using the vSphere Client.

SGX Registration Statuses of a Host

You can view the current status of an SGX-capable host by using the vSphere Client and perform the necessary steps to register the host with the Intel Registration Server.

SGX Registration Status: Description

Not Applicable: SGX-capable hosts with a single CPU socket do not require registration with the Intel Registration Server to enable remote attestation.

Incomplete: The registration status is incomplete in one of the following use cases:

  • When you add a new host to a vCenter Server instance and the host is not registered yet.

  • After a host firmware update that performs an Intel SGX Trusted Computing Base (TCB) recovery.

  • For hosts that have multiple CPU packages, when a CPU package is added or replaced, you must manually perform an SGX factory reset in the BIOS setup. The host must then be registered as if it were a newly added host.

  • When you manually perform an SGX factory reset in the BIOS setup, you must register the host again.

Complete: The host is successfully registered with the Intel Registration Server.

How to View the SGX Registration Status of Your ESXi Host

You can view the current SGX registration status of an ESXi host by using the vSphere Client.

Prerequisites

  • Make sure that the host is installed on an Intel CPU with SGX capabilities and that SGX is enabled.

  • Set the firmware boot mode of the host to UEFI.

Procedure

  1. In the vSphere Client, navigate to an SGX-capable host.
  2. On the Summary tab, navigate to the Hardware card.
  3. Expand the SGX node to view the value of the Registration Status property.

    For more information about the different registration statuses, see SGX Registration Statuses of a Host.

What to do next

To use the remote attestation feature for vSGX-enabled virtual machines, you must register the host with the Intel Registration Server if the host registration is incomplete and the host has multiple CPU sockets. See How to Register Your Multi-Socket ESXi Host with the Intel SGX Registration Server.
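The registration rules above can be applied across a whole inventory as a pre-flight check. The following is an added example, not VMware code and not a vSphere API: the `Host` and `VM` records, their field names, and the sample inventory are constructed for illustration, and a host whose status cannot be read (non-UEFI boot mode) is treated as not ready by assumption.

```python
from dataclasses import dataclass

@dataclass
class Host:                      # hypothetical inventory record
    name: str
    cpu_sockets: int
    boot_mode: str               # "UEFI" or "BIOS"
    registration_status: str     # value shown in the vSphere Client, "" if unreadable

@dataclass
class VM:                        # hypothetical inventory record
    name: str
    host: str
    needs_remote_attestation: bool

def host_finding(h: Host) -> str:
    """Classify one host using the rules stated on this page."""
    if h.boot_mode.upper() != "UEFI":
        # vCenter Server reads the registration status from UEFI variables.
        return "unreadable: set the firmware boot mode to UEFI"
    if h.cpu_sockets == 1:
        return "ok: single socket, registration not required"
    if h.registration_status == "Complete":
        return "ok: registered with the Intel Registration Server"
    return "register: multi-socket host is not registered"

def blocked_vms(hosts, vms):
    """Names of VMs that need remote attestation on a host not ready for it."""
    findings = {h.name: host_finding(h) for h in hosts}
    return sorted(v.name for v in vms
                  if v.needs_remote_attestation
                  and not findings[v.host].startswith("ok"))

# Constructed sample inventory.
SAMPLE_HOSTS = [
    Host("esx-a", 1, "UEFI", "Not Applicable"),
    Host("esx-b", 2, "UEFI", "Incomplete"),
    Host("esx-c", 2, "UEFI", "Complete"),
    Host("esx-d", 2, "BIOS", ""),
]
SAMPLE_VMS = [
    VM("vm1", "esx-a", True), VM("vm2", "esx-b", True),
    VM("vm3", "esx-b", False), VM("vm4", "esx-c", True),
    VM("vm5", "esx-d", True),
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h.name}: {host_finding(h)}")
    print("VMs that cannot use remote attestation yet:",
          blocked_vms(SAMPLE_HOSTS, SAMPLE_VMS))
```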

How to Register Your Multi-Socket ESXi Host with the Intel SGX Registration Server

To use the SGX remote attestation feature for a multi-socket host, register the ESXi host with the Intel Registration Server using the vSphere Client.

The Intel SGX attestation mechanism ensures the trust between the vSGX enclave and an external entity. To use this feature on a multi-socket host with enabled SGX capabilities, you must register the host with the Intel SGX Registration Server.

Prerequisites

  • Make sure that the host is installed on an Intel CPU with SGX capabilities and that SGX is enabled.

  • Set the firmware boot mode of the host to UEFI.

Procedure

  1. In the vSphere Client home page, navigate to Home > Hosts and Clusters.
  2. Select an SGX-capable host from the inventory and click the Configure tab.
  3. Under Hardware, select SGX and click Register.

Results

Upon successful completion of the registration operation, the registration status of the host changes to Completed.

What to do next

Enable remote attestation for a vSGX-enabled virtual machine. See Securing Virtual Machines with Intel Software Guard Extensions in the vSphere Virtual Machine Administration documentation.