Using AMD Secure Encrypted Virtualization-Encrypted State (SEV-ES) in VMware vSphere on ThinkSystem Servers

AMD Secure Encrypted Virtualization (SEV) integrates memory encryption capabilities with the existing AMD-V virtualization architecture to support encrypted virtual machines (VMs). Encrypted VMs can help protect not only from physical threats but also from other virtual machines or even the hypervisor itself. SEV provides additional assurances to help protect the guest VM code and data from the attacker.

SEV uses one key per virtual machine to isolate guests and the hypervisor from one another. The keys are managed by the AMD Secure Processor and are hardware isolated.

The following figure shows the brief overview workflow of AMD SEV.

Figure 1. Workflow of AMD SEV

AMD Secure Encrypted Virtualization-Encrypted State (SEV-ES) builds upon AMD SEV to provide an even smaller attack surface and additional protection for a guest operating system (guest OS) from the hypervisor. The AMD SEV-ES feature provides additional hardware-enforced security for isolating guest VMs from the hypervisor. The AMD SEV-ES technology encrypts all CPU register contents when a VM stops running. This prevents the leakage of information in CPU registers to components like the hypervisor and can even detect malicious modifications to a CPU register state.

The AMD SEV-ES architecture is designed to protect guest VM register state by default, and only allow the guest VM itself to grant selective access as required. This additional security protection functionality is accomplished in two ways:

• First, all VM register state is saved and encrypted when a VM exit event occurs. This state is decrypted and restored on a VMRUN only.
• Second, certain types of VM exit events cause a new exception to be taken within the guest VM. This new Communication Exception (#VC) indicates that the guest VM performed some action which requires hypervisor involvement, an example of which would be an IO access by the VM.

The guest #VC handler is responsible for determining what register state is necessary to expose to the hypervisor for the purpose of emulating this operation. The #VC handler also inspects the returned values from the hypervisor and updates the guest state if the output is deemed acceptable.

The following figure shows the overview workflow of SEV-ES.

Figure 2. Workflow of AMD SEV-ES

AMD SEV-ES supports AMD EPYC 7xx2 (“Rome”) and later processors. The following lists the Lenovo ThinkSystem servers which support AMD SEV-ES and the minimum version of UEFI firmware that supports the AMD SEV-ES.

In vSphere 7.0 Update 1 and later, we can enable AMD SEV-ES on supported AMD EPYC CPUs and guest operating system. SEV-ES requires a supported guest operating system. A virtual machine with SEV-ES enabled won’t work if the guest OS does not support SEV-ES.

The supported VMware host versions that support AMD SEV-ES are as follows:

• VMware vSphere 7.0 Update 1 and later
• VMware vSphere 8.0 and later

The supported Guest OS versions that support AMD SEV-ES are as follows:

• RHEL 8.5 or later
• RHEL 9.0 or later
• SLES 15.3 or later
• Ubuntu 20.04.3 HWE kernel (v5.11)
• Ubuntu 22.04.0 or later
• Photon OS version 3 and later

There are some VM operations unavailable when AMD SEV-ES is enabled. You cannot suspend, migrate with vMotion, or take or restore memory snapshots of such VMs.

The following features are not supported when SEV-ES is enabled:

• UEFI Secure Boot
• Suspend/Resume
• vMotion
• Hot add or remove of CPU or memory
• Powered-on snapshots (however, no-memory snapshots are supported)
• System Management Mode
• VMware Fault Tolerance
• Clones and instant clones
• Guest Integrity

Starting with vSphere 7.0 U1, PowerCLI can be used to enable and disable SEV-ES on virtual machines. Starting in vSphere 7.0 U2, either the vSphere Client or PowerCLI can be used to enable and disable SEV-ES on virtual machines. New virtual machines can be created with SEV-ES or SEV-ES can be enabled on existing virtual machines.

This section describes how to configure and use AMD SEV-ES in vSphere 7.0 Update 1 and later on Lenovo ThinkSystem servers with detailed steps.

Prerequisites

In order to use AMD SEV-ES, the system must meet the following requirements:

1. The system must be installed with an AMD EPYC 7xx2 or later processor.
2. Secure Memory Encryption (SME) and SEV-ES must be enabled in UEFI as described in Enabling SEV-ES in UEFI.
3. The number of SEV-ES virtual machines per ESXi host is controlled by UEFI. When enabling SEV-ES in the UEFI settings, enter a value for SEV-ES ASID Space Limit.
4. The ESXi host running in your host must be at ESXi 7.0 Update 1 or later.
5. The vCenter Server must be at vSphere 7.0 Update 2 or later.
6. The guest operating system must support SEV-ES. Currently only Linux kernels with specific support for SEV-ES are supported.
7. The virtual machine must be at hardware version 18 or later.
8. The virtual machine must have the Reserve all guest memory option enabled, otherwise power-on fails.

There are three ways to enable Secure Memory Encryption (SME) and SEV-ES in UEFI:

• Configure AMD SEV-ES in System Setup
• Configure AMD SEV-ES using Redfish REST API
• Configure AMD SEV-ES using OneCLI

Configure AMD SEV-ES in System Setup

The following steps describe the process to configure SME and SEV-ES via System Setup on a ThinkSystem server.

1. In System Setup, navigate to the System Configuration and Boot Management page.
2. Enable SME by going to System Settings > Memory and set SMEE to Enabled as shown in the following figure.

   
   Figure 3. Enable SME via UEFI settings on SR665 V3

3. Enable AMD SEV-ES and configure SEV-ES ASID Space Limit Control via UEFI settings. Select System Settings > Memory > SEV Control, enable “SEV Control” and configure “SEV-ES ASID Space Limit” as shown in the following figure:

   
   Figure 4. Enable SEV and configure SEV-ES ASID Space Limit via UEFI Settings on SR665 V3

4. Press F4 to Save & Exit.
5. Reboot host to make configuration take effect.

Configure AMD SEV-ES using Redfish REST API

Redfish is a next-generation systems management interface standard, which enables scalable, secure, and open server management. It is a new interface that uses RESTful interface semantics to access data that is defined in model format to perform out-of-band systems management. We can use Redfish REST API to configure AMD SEV-ES on Lenovo ThinkSystem servers.

Lenovo provides some Python and PowerShell sample scripts to use Redfish. These are available as open source code on Lenovo’s Github page, https://github.com/lenovo/.

• Lenovo Python Redfish Scripts: https://github.com/lenovo/python-redfish-lenovo
• Lenovo PowerShell Redfish Scripts: https://github.com/lenovo/powershell-redfish-lenovo

Since Redfish is a REST API, standard REST clients can be used to interact with the service. Postman is an easy-to-use HTTP REST client tool. The tool is available from https://www.getpostman.com/.

The following steps describe the process to configure AMD SEV-ES via Redfish REST API with Postman tool on ThinkSystem servers with AMD EPYC processors:

1. Use the GET method to retrieve properties in BIOS resource for Redfish service with Postman as shown in the following figure.

   https://<BMC_IPADDR>/redfish/v1/Systems/1/Bios
   

   The following figure shows the result on the SR655 V3:

   
   Figure 5. Get BIOS properties via Redfish on SR655 V3

2. Use the PATCH method to update AMD SEV-ES properties in BIOS resource for Redfish service with Postman as shown in the following figure.

   https://<BMC_IPADDR>/redfish/v1/Systems/1/Bios/Pending
   

   The following figure shows the result on the SR655 V3:

   
   Figure 6. Configure AMD SEV-ES via Redfish on SR655 V3

3. Reboot host to make SEV-ES configuration take effect.

Configure AMD SEV-ES using OneCLI

Lenovo XClarity Essentials OneCLI is a collection of several command-line applications, which can be used to configure the server, collect service data for the server, update firmware and device drivers, and perform power-management functions on the server. We can use OneCLI to configure AMD SEV-ES on Lenovo ThinkSystem servers.

OneCLI can be downloaded from the following page on the the Lenovo support site:
https://datacentersupport.lenovo.com/us/en/solutions/ht116433

The following steps describe the process to configure AMD SEV-ES via OneCLI on ThinkSystem servers with AMD EPYC processors:

1. Run the following OneCLI command to check the status of SME as shown in the following figure:

   onecli config show Memory.SMEE --imm <USERID>:<PASSWORD>@<IP>
   

   
   Figure 7. Check SME via OneCLI command on SR655 V3

2. Run the following OneCLI command to enable the SMEE as shown in the following figure:

   onecli config set Memory.SMEE Enabled --imm <USERID>:<PASSWORD>@<IP>
   

   
   Figure 8. Enable SMEE via OneCLI command on SR655 V3

3. Reboot host to make SMEE configuration take effect.
4. Run the following OneCLI command to check the SEV Control as shown in the following figure:

   onecli config show Memory.SEVControl --imm <USERID>:<PASSWORD>@<IP>
   

   
   Figure 9. Check SEV Control via OneCLI command on SR655 V3

5. Run the following OneCLI command to enable the SEV Control as shown in the following figure:

   onecli config set Memory.SEVControl Enabled --imm <USERID>:<PASSWORD>@<IP>
   

   
   Figure 10. Enable SEV Control via OneCLI command on SR655 V3

6. Reboot host to make SEV Control configuration take effect.
7. Run the following OneCLI command to check the SEV-ES ASID Space Limit as shown in the following figure:

   onecli config show Memory.SEV-ESASIDSpaceLimit –imm <USERID>:<PASSWORD>@<IP>
   

   
   Figure 11. Check SEV-ES ASID Space Limit via OneCLI command on SR655 V3

8. Run the following OneCLI command to configure the SEV-ES ASID Space Limit as shown in the following figure:

   onecli config set Memory.SEV-ESASIDSpaceLimit number –imm <USERID>:<PASSWORD>@<IP>
   

   
   Figure 12. Configure SEV-ES ASID Space Limit via OneCLI command on SR655 V3

9. Reboot host to make SEV Control configuration take effect.

There are three ways to enable Secure Memory Encryption (SME) and SEV-ES in UEFI on the SR635 and SR655:

• Configure AMD SEV-ES in System Setup (SR655 and SR635)
• Configure AMD SEV-ES via Redfish REST API (SR655 and SR635)
• Configure AMD SEV-ES via OneCLI (SR655 and SR635)

Configure AMD SEV-ES in System Setup (SR655 and SR635)

The following steps describe the process to configure SMEE and SEV-ES via System Setup on a ThinkSystem server.

1. In System Setup, navigate to the System Configuration and Boot Management page.
2. Enable SME by going to System Settings > Memory and set SMEE to Enabled as shown in the following figure.

   
   Figure 13. Enable SMEE via UEFI Settings on SR655

3. Enable AMD SEV-ES and configure SEV-ES ASID Space Limit Control via UEFI settings. Select Advanced > CPU Configuration > AMD SEV-ES, enable “AMD SEV-ES” and configure “SEV-ES ASID Space Limit” as shown in the following figure:

   
   Figure 14. Configure SEV-ES ASID Space Limit via UEFI Settings on SR655

4. Press F4 to Save & Exit.
5. Reboot host to make configuration take effect.

Configure AMD SEV-ES via Redfish REST API (SR655 and SR635)

Redfish is a next-generation systems management interface standard, which enables scalable, secure, and open server management. It is a new interface that uses RESTful interface semantics to access data that is defined in model format to perform out-of-band systems management. We can use Redfish REST API to configure AMD SEV-ES on Lenovo ThinkSystem servers.

Lenovo provides some Python and PowerShell sample scripts to use Redfish. These are available as open source code on Lenovo’s Github page, https://github.com/lenovo/.

• Lenovo Python Redfish Scripts: https://github.com/lenovo/python-redfish-lenovo
• Lenovo PowerShell Redfish Scripts: https://github.com/lenovo/powershell-redfish-lenovo

Since Redfish is a REST API, standard REST clients can be used to interact with the service. Postman is an easy-to-use HTTP REST client tool. The tool is available from https://www.getpostman.com/.

The following steps describe the process to configure AMD SEV-ES via Redfish REST API with Postman tool on ThinkSystem servers with AMD EPYC processors:

1. Use the GET method to retrieve properties in BIOS resource for Redfish service with Postman as shown in the following figure.

   https://<BMC_IPADDR>/redfish/v1/Systems/Self/Bios
   

   The following figure shows the result on the SR655:

   
   Figure 15. Get BIOS properties via Redfish on SR655

2. Use the PATCH method to update AMD SEV-ES properties in BIOS resource for Redfish service with Postman as shown in the following figure.

   https://<BMC_IPADDR>/redfish/v1/Systems/Self/Bios/SD
   

   The following figure shows the result on the SR655:

   
   Figure 16. Configure AMD SEV-ES via Redfish on SR655

3. Reboot host to make SEV-ES configuration take effect.

Configure AMD SEV-ES via OneCLI (SR655 and SR635)

Lenovo XClarity Essentials OneCLI is a collection of several command-line applications, which can be used to configure the server, collect service data for the server, update firmware and device drivers, and perform power-management functions on the server. We can use OneCLI to configure AMD SEV-ES on Lenovo ThinkSystem servers.

OneCLI can be downloaded from the following page on the the Lenovo support site:
https://datacentersupport.lenovo.com/us/en/solutions/ht116433

The following steps describe the process to configure AMD SEV-ES via OneCLI on ThinkSystem servers with AMD EPYC processors:

1. Run the following OneCLI command to check the status of SME as shown in the following figure:

   onecli config show Bios.Q00094_SMEE --bmc <USERID>:<PASSWORD>@<IP>
   

   
   Figure 17. Check SME via OneCLI command on SR655

2. Run the following OneCLI command to enable the SMEE as shown in the following figure:

   onecli config set Bios.Q00094_SMEE Enabled --bmc <USERID>:<PASSWORD>@<IP>
   

   
   Figure 18. Enable SMEE via OneCLI command on SR655

3. Reboot host to make SMEE configuration take effect.
4. Run the following OneCLI command to check the SEV Control as shown in the following figure:

   onecli config show Bios.Q00071_AMD_SEV_ES --bmc <USERID>:<PASSWORD>@<IP>
   

   
   Figure 19. Check SEV Control via OneCLI command on SR655

5. Run the following OneCLI command to enable the SEV Control as shown in the following figure:

   onecli config set Q00071_AMD_SEV_ES Enabled --bmc <USERID>:<PASSWORD>@<IP>
   

   
   Figure 20. Enable SEV Control via OneCLI command on SR655

6. Reboot host to make SEV Control configuration take effect.

For additional information, see these resources:

• AMD Secure Encrypted Virtualization developer page:
  https://developer.amd.com/sev/

• Protecting VM Register State with SEV-ES:
  https://www.amd.com/system/files/TechDocs/Protecting%20VM%20Register%20State%20with%20SEV-ES.pdf

• AMD64 Architecture Programmer’s Manual Volume 2:
  https://www.amd.com/system/files/TechDocs/24593.pdf

• VMware vSphere documentation, Securing Virtual Machines with AMD Secure Encrypted Virtualization-Encrypted State:
  https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vm_admin.doc/GUID-F1F913CB-05F9-4D4F-B8A7-970A43532003.html

Chengcheng Peng is a VMware Engineer in the Lenovo Infrastructure Solutions Group in Beijing, China. As a VMware engineer with 6 years’ experience, she mainly focuses on vSphere security and storage.

Thanks to the following people for their contributions to this project:

• Boyong Li, Lenovo OS Technical Leader
• Alpus Chen, Lenovo VMware Engineer
• David Hsia, Lenovo VMware Engineer
• Chia-Yu Chu, Lenovo Advisory Engineer
• Gary Cudak, OS Architect and WW Technical Lead
• David Watts, Lenovo Press