What’s New in vSphere 7.0 : Virtual SGX

Intel Software Guard Extensions (SGX) technology meets the needs of the trusted computing industry. With Intel SGX, software programs can create private memory regions called enclaves.

  • Data in enclaves can be accessed only by the intended program.
  • The enclave region is isolated from other programs, operating systems, hypervisors, and so on.
  • Enclaves are used by the software program to secure data.

vSGX is implemented as part of the vSphere core virtualization stack. vSGX allows applications running on VMs to create their enclaves.

Intel SGX Architecture


Applications frequently work with private information such as passwords, encryption keys, bank account numbers, and so on. This private data should be accessed only by the designated recipient. The job of the operating system is to protect such private data from other applications and users.

Operating systems and applications often employ safeguards to protect this private data. Despite these protections, most computer systems are still vulnerable. Malware with administrative privileges can access all operating system resources, including all applications running on that system, and can target an application's protected data to extract encryption keys and secrets directly from memory. With Intel SGX, applications can create enclaves, which protect the confidentiality and integrity of application data even from privileged malware. Privileged malware is malware that gains its privileges by manipulating the underlying system.

Enclave Page Cache (EPC) is a static portion of physical RAM, allocated at boot time by the BIOS, in which running enclaves are stored. EPC is a limited resource, typically not more than 93 MB. Launch control configuration is the architectural component through which the platform controls which enclaves may be launched.

Virtual SGX is implemented as part of the vSphere core virtualization stack. The vSGX implementation spans the VMkernel, the VMM, and the management layer (VPX/hostd/VMX).

The VMkernel is responsible for initializing SGX support on the ESXi host and performs the initial hardware compatibility checks. Host-level EPC allocation and management is also done by the VMkernel. The VMM handles the core virtualization of Intel's SGX instructions, EPC memory, and launch control configuration.

VPX/hostd/VMX perform VM compatibility checks for power-on and initial DRS placement. They also implement feature restrictions and perform basic life cycle management of the vSGX features when a VM is powered on, reset, or powered off.

vSGX Requirements

To use vSGX, you must meet the following requirements:

  • The ESXi host must have Intel Coffee Lake CPUs or better.
  • SGX must be enabled on the ESXi host.
  • Hyper-threading must be disabled on certain Coffee Lake SKUs.
  • Virtual hardware version 17 or later is required.
  • VMs must be powered off to enable this feature.
  • Supported guest operating systems:
    • Windows 10
    • Windows Server 2016 or above
    • Linux

vSGX Restrictions

vSGX has the following restrictions:

  • For VMs configured with vSGX, the following operations are not supported:
    • vMotion (cold migration is supported)
    • Suspend and resume
    • Snapshots
    • Fault tolerance
  • For vSGX enabled VMs, the following VM configuration attributes are fixed:
    • Guest firmware type: EFI.
    • Standby response: Put the guest OS in standby mode and leave the VM powered on.

vSGX Configuration Parameters


vSGX has the following configuration parameters:

  • VM’s EPC:
    • EPC size must be in multiples of 2 MB.
    • EPC is fully reserved at VM power-on time.
    • The ESXi host must have enough EPC to support the powering on of the VM.
  • You can use the SHA256 key from the host. This option is auto-populated.
  • You can manually enter the SHA256 key.
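The rules listed under vSGX Requirements, vSGX Restrictions and vSGX Configuration Parameters, modelled as an enable-time and power-on admission check. This is an added example, not VMware's code or the post's own: the Host and VM records and their field names are constructed for illustration, and in vSphere the real checks are performed by VPX/hostd/VMX as described above. It shows why the EPC rules matter operationally: EPC is reserved in full at power-on, so a host with the typical 93 MB of EPC admits two 32 MB VMs and refuses a third until one of them is powered off.

```python
"""Model of the vSGX enable / power-on checks described in the post.

Constructed example, not VMware code: the Host and VM records are plain
dataclasses built inline, and the field names (epc_total, vsgx_epc_size, ...)
are assumptions for illustration. In vSphere these checks are performed by
VPX/hostd/VMX; this model only mirrors the rules the post lists.
"""
from dataclasses import dataclass

MIB = 1024 * 1024
EPC_GRANULE = 2 * MIB            # VM EPC size must be a multiple of 2 MB
MIN_HW_VERSION = 17              # virtual hardware version 17 or later
# Constructed guest-family identifiers standing in for the supported guest list.
SUPPORTED_GUESTS = {"windows10", "windowsServer2016", "linux"}


@dataclass
class Host:
    sgx_enabled: bool
    epc_total: int          # bytes of EPC the BIOS reserved for enclaves
    epc_reserved: int = 0   # bytes already reserved by powered-on vSGX VMs


@dataclass
class VM:
    name: str
    hw_version: int
    power_state: str        # "poweredOff" or "poweredOn"
    firmware: str           # "efi" or "bios"; vSGX fixes this to EFI
    guest_family: str
    vsgx_epc_size: int = 0  # requested EPC in bytes; 0 means vSGX disabled
    snapshots: int = 0
    fault_tolerance: bool = False


def enable_vsgx(vm: VM, epc_size: int) -> None:
    """Enable vSGX on a VM: only while powered off, EPC in 2 MB multiples."""
    if vm.power_state != "poweredOff":
        raise ValueError(f"{vm.name}: VM must be powered off to enable vSGX")
    if epc_size <= 0 or epc_size % EPC_GRANULE:
        raise ValueError(f"{vm.name}: EPC size must be a positive multiple of 2 MB")
    vm.vsgx_epc_size = epc_size
    vm.firmware = "efi"     # fixed attribute for vSGX-enabled VMs


def power_on_problems(vm: VM, host: Host) -> list[str]:
    """Reasons a vSGX VM cannot power on here; an empty list means admit."""
    problems = []
    if vm.vsgx_epc_size == 0:
        return problems     # vSGX disabled: none of the rules apply
    if not host.sgx_enabled:
        problems.append("SGX is not enabled on the ESXi host")
    if vm.hw_version < MIN_HW_VERSION:
        problems.append(f"hardware version {vm.hw_version} is below {MIN_HW_VERSION}")
    if vm.firmware != "efi":
        problems.append("guest firmware must be EFI")
    if vm.guest_family not in SUPPORTED_GUESTS:
        problems.append(f"guest family {vm.guest_family!r} is not supported")
    if vm.snapshots:
        problems.append("snapshots are not supported with vSGX")
    if vm.fault_tolerance:
        problems.append("fault tolerance is not supported with vSGX")
    if vm.vsgx_epc_size % EPC_GRANULE:
        problems.append("EPC size is not a multiple of 2 MB")
    free = host.epc_total - host.epc_reserved
    if vm.vsgx_epc_size > free:
        problems.append(
            f"host has {free // MIB} MB EPC free, VM needs {vm.vsgx_epc_size // MIB} MB")
    return problems


def power_on(vm: VM, host: Host) -> bool:
    """Admit the VM and reserve its whole EPC up front, or refuse it."""
    if power_on_problems(vm, host):
        return False
    host.epc_reserved += vm.vsgx_epc_size   # EPC is fully reserved at power-on
    vm.power_state = "poweredOn"
    return True


def power_off(vm: VM, host: Host) -> None:
    """Release the reservation so the EPC is available to other VMs again."""
    if vm.power_state == "poweredOn":
        host.epc_reserved -= vm.vsgx_epc_size
        vm.power_state = "poweredOff"


if __name__ == "__main__":
    # Constructed host: SGX on, 93 MB EPC (the typical ceiling the post mentions).
    host = Host(sgx_enabled=True, epc_total=93 * MIB)
    vms = [VM(f"vm{i}", 17, "poweredOff", "bios", "linux") for i in range(3)]
    for vm in vms:
        enable_vsgx(vm, 32 * MIB)
    for vm in vms:
        print(vm.name, "admitted" if power_on(vm, host) else power_on_problems(vm, host))
```

Running the module shows the third VM refused with the free-EPC message while the first two are admitted; `power_on_problems` returns every violated rule at once rather than stopping at the first, which is the behaviour an operator wants when a power-on fails for several reasons.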

Troubleshooting

Information about the ESXi host's SGX support can be displayed by running the following command in the ESXi Shell:

vsish -e cat /hardware/cpu/sgxInfo

For more information on what's new in vSphere 7.0, visit: https://knowitlikepro.com/category/vmware/whats-new-in-vsphere-7-0/


Ashutosh Dixit

I am currently working as a Senior Technical Support Engineer with VMware Premier Services for Telco. Before this, I worked as a Technical Lead with Microsoft Enterprise Platform Support for Production and Premier Support. I am an expert in High-Availability, Deployments, and VMware Core technology along with Tanzu and Horizon.
