You can enable vSGX on a virtual machine when you deploy a new virtual machine, or when you edit or clone an existing one.

Hosts with a single CPU socket do not need to be registered with the Intel Registration Server for the virtual machines running on them to use remote attestation of SGX enclaves.

With vSphere 8.0, enabling SGX host registration allows remote attestation for VMs running on multi-socket hosts.

Prerequisites

To use vSGX, your vSphere Client environment must meet the following requirements:
  • Virtual machine requirements:
  • Component requirements:
    • vCenter Server 7.0 and later
    • ESXi 7.0 or later
    • The ESXi host must be installed on an SGX-capable CPU and SGX must be enabled in the BIOS of the ESXi host. For information about the supported CPUs, see the VMware KB article at https://kb.vmware.com/s/article/71367.
    • To enable remote attestation for the host, register the host with the Intel Registration Server. This way, the virtual machines running on the host can use remote attestation. For more information on how to register a multi-socket ESXi host, see the vCenter Server and Host Management documentation.
  • Guest OS support:
    • Linux
    • Windows Server 2016 (64-bit) and later
    • Windows 10 (64-bit) and later
Note: Some operations and features are not supported for a virtual machine when vSGX is enabled.
  • Migration with vMotion
  • Migration with Storage vMotion
  • Suspending or resuming the virtual machine
  • Taking a snapshot of the virtual machine, especially a snapshot that includes the virtual machine memory
  • Fault Tolerance
  • Enabling Guest Integrity (GI, the platform foundation for VMware AppDefense™ 1.0)

Procedure

  1. You can enable SGX when you deploy a virtual machine, or when you edit or clone an existing virtual machine.
    Deploy a virtual machine:
    1. Right-click any inventory object that is a valid parent object of a virtual machine and select New Virtual Machine.
    2. On the Select a creation type page, select Create a new virtual machine, and click Next.
    3. Navigate through the pages of the wizard.
    4. On the Customize hardware page, click the Virtual Hardware tab.
    Edit a virtual machine:
    1. Right-click a virtual machine in the inventory and select Edit Settings.
    2. Click the Virtual Hardware tab.
    Clone an existing virtual machine:
    1. Right-click a virtual machine in the inventory and select Clone > Clone to Virtual Machine.
    2. Navigate through the pages of the wizard.
    3. On the Select clone options page, select Customize this virtual machine's hardware and click Next.
    4. Click the Virtual Hardware tab.
  2. On the Virtual Hardware tab, expand Security Devices.
  3. To enable SGX, select the Enable check box.
  4. In the Enclave page cache size (MB) text box, enter the enclave page cache size in MB.
    Note: The enclave page cache size must be a multiple of 2 MB.
  5. To prevent the VM from powering on when it is placed on a host that does not support SGX remote attestation, such as an unregistered multi-socket SGX host, select the Remote attestation check box.
  6. From the Launch control configuration drop-down menu, select the appropriate mode.
    Unlocked: Leaves the launch enclave configuration to the guest operating system.
    Locked: Lets you configure the launch enclave by specifying its public key hash.
    1. Select the Launch enclave public key hash option.
    2. To use one of the public key hashes configured on the host, select Use from host and select a public key hash from the drop-down menu.
    3. To enter the public key hash manually, select Enter manually and enter a valid 64-character SHA-256 hash.
  7. Click OK.
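As an added example that is not part of the VMware documentation, the following Python pre-flight check encodes the rules the wizard above enforces so that they can be applied before a vSGX configuration is pushed from an automation script: a positive enclave page cache size that is a multiple of 2 MB, a 64-character SHA-256 launch enclave public key hash whenever launch control is locked, and the Use from host choice limited to hashes the host advertises. The spec key names epcSize, flcMode, lePubKeyHash and requireAttestation are assumed to match the vSphere API and must be checked against the API reference; the host hash list is constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example, not VMware code. The spec keys epcSize, flcMode, lePubKeyHash
# and requireAttestation are ASSUMED to match the vSphere API (VirtualMachineSgxInfo);
# check them against the API reference for your vCenter version before use.
SHA256_HEX = re.compile(r"[0-9a-fA-F]{64}")

# Constructed placeholders standing in for the launch enclave public key hashes
# the ESXi host offers under "Use from host"; they are not real key hashes.
HOST_LE_HASHES = ["a" * 64, "0123456789abcdef" * 4]


@dataclass
class VsgxSettings:
    epc_size_mb: int                      # Enclave page cache size (MB)
    remote_attestation: bool = False      # "Remote attestation" check box
    launch_control: str = "unlocked"      # "unlocked" or "locked"
    le_pubkey_hash: Optional[str] = None  # needed when launch_control == "locked"
    use_from_host: bool = False           # hash must be one the host advertises


def validate_vsgx(s: VsgxSettings, host_hashes=HOST_LE_HASHES) -> dict:
    """Enforce the wizard's rules; return the spec fields or raise ValueError."""
    if s.epc_size_mb <= 0 or s.epc_size_mb % 2:
        raise ValueError("enclave page cache size must be a positive multiple of 2 MB")
    if s.launch_control not in ("unlocked", "locked"):
        raise ValueError("launch control must be 'unlocked' or 'locked'")
    spec = {"epcSize": s.epc_size_mb, "flcMode": s.launch_control,
            "requireAttestation": s.remote_attestation}
    if s.launch_control == "locked":
        h = (s.le_pubkey_hash or "").strip().lower()
        if not SHA256_HEX.fullmatch(h):
            raise ValueError("locked mode needs a 64-character SHA-256 launch enclave key hash")
        if s.use_from_host and h not in (x.lower() for x in host_hashes):
            raise ValueError("hash is not one of the public key hashes configured on the host")
        spec["lePubKeyHash"] = h
    return spec


def is_rejected(s: VsgxSettings) -> bool:
    """True when validate_vsgx() refuses the settings."""
    try:
        validate_vsgx(s)
    except ValueError:
        return True
    return False
```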