Limitations of Virtual Software Guard Extensions (SGX) in vSphere

Article ID: 311903

Products

VMware vSphere ESXi

Issue/Introduction

This article documents limitations and issues that may arise when using Virtual Software Guard Extensions (SGX) in vSphere. For a full list of supported processors, refer to the vSphere Compatibility Guide.

VMware vSphere 7.0 and later releases support exposing Intel Software Guard Extensions (SGX) to virtual machines on selected Intel processors when the VM uses virtual Hardware Version 17 or greater.

Environment

VMware vSphere ESXi 7.0.0

Resolution

  1. Limitations on Hyper-Threading for Intel® Xeon® E-2100 and E-2200 Series

    There are support limitations for the Intel Xeon E-2100 Series and the Intel Xeon E-2200 (4 or 6-core) Series. Due to security mitigations, Intel SGX is not available to virtual machines if Hyper-Threading is enabled on these hosts. Attempting to enable SGX on such processors while Hyper-Threading is enabled can result in a message on the host summary page similar to:
  • Configuring SGX support for virtual machines fails.
The affected processors are:
  • Intel Xeon E-2100 Series
  • Intel Xeon E-2200 (4 or 6-core) Series, including:
    • Intel® Xeon® E-2286G
    • Intel® Xeon® E-2276G
    • Intel® Xeon® E-2274G
    • Intel® Xeon® E-2246G
    • Intel® Xeon® E-2244G
    • Intel® Xeon® E-2236
    • Intel® Xeon® E-2234
    • Intel® Xeon® E-2226G
    • Intel® Xeon® E-2224
    • Intel® Xeon® E-2224G

Solution:

Customers that require Intel SGX can disable Hyper-Threading on an ESXi host (at a possible performance loss) using either of these methods:
  1. Disable Hyper-Threading in the ESXi host's BIOS configuration. Some manufacturers label this option Enable HyperThreading, others Logical Processors.
  2. Set the advanced configuration option VMkernel.Boot.hyperthreading to "false" in the ESXi host settings. Restart the ESXi host for the setting to take effect.
Customers that do not require Intel SGX, or cannot afford to disable Hyper-Threading, can suppress the warning on a per-host basis:
  • Set the advanced configuration option SuppressSgxDisabledWarning to 1 in the ESXi host settings. Restart the ESXi host for the setting to take effect.
Note: For more information on the Intel erratum CFW101, see the Intel® Xeon® E-2100 and E-2200 Processor Family Specification Update.

Disclaimer: VMware is not responsible for the reliability of any data, opinions, advice, or statements made on third-party websites. The inclusion of such links does not imply that VMware endorses, recommends, or accepts any responsibility for the content of such sites.
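As an added example, not part of this VMware article, the following POSIX shell script automates the Hyper-Threading check described above: it reads the CPU brand and the Hyper-Threading state from esxcli output, decides whether the host is one of the affected E-2100/E-2200 parts, and prints the remediation commands from the article. It assumes that `esxcli hardware cpu global get` reports a "Hyperthreading Active:" line and that `esxcli hardware cpu list` reports a "Brand:" line; the advanced-option path /UserVars/SuppressSgxDisabledWarning is an assumption to confirm against the host's advanced settings. When esxcli is not present (for example when run off-host), it evaluates a constructed sample instead.

```shell
#!/bin/sh
# Added example; not part of the VMware KB article.
# Checks whether an ESXi host hits the SGX/Hyper-Threading limitation for
# Intel Xeon E-2100 and the listed E-2200 (4 or 6-core) parts.
# Assumptions: esxcli field names "Hyperthreading Active:" and "Brand:";
# the SuppressSgxDisabledWarning option path is a placeholder to confirm.

# Affected E-2200 models exactly as listed in the article; every E-21xx is affected.
AFFECTED_E2200='E-2286G E-2276G E-2274G E-2246G E-2244G E-2236 E-2234 E-2226G E-2224 E-2224G'

# affected_cpu BRAND -> prints "yes" if BRAND is an affected part, else "no"
affected_cpu() {
    brand=$1
    case "$brand" in
        *E-21[0-9][0-9]*) echo yes; return 0 ;;
    esac
    for m in $AFFECTED_E2200; do
        # Match the model as a whole token so E-2224 does not match E-2224G.
        case "$brand" in
            *"$m "*|*"$m") echo yes; return 0 ;;
        esac
    done
    echo no
}

# ht_active GLOBAL_OUTPUT -> value of the "Hyperthreading Active:" line (true/false)
ht_active() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Hyperthreading Active:[[:space:]]*//p' | head -n 1
}

# cpu_brand LIST_OUTPUT -> first "Brand:" value from `esxcli hardware cpu list`
cpu_brand() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Brand:[[:space:]]*//p' | head -n 1
}

# sgx_ht_action BRAND HT_ACTIVE -> one of: not-affected, ok, disable-ht
sgx_ht_action() {
    if [ "$(affected_cpu "$1")" = no ]; then
        echo not-affected
    elif [ "$2" = true ]; then
        echo disable-ht
    else
        echo ok
    fi
}

# Remediation commands from the article (option B path is an assumption).
remediation() {
    cat <<'EOF'
# Option A: disable Hyper-Threading (VMkernel.Boot.hyperthreading), then reboot the host
esxcli system settings kernel set -s hyperthreading -v FALSE
# Option B: keep Hyper-Threading, suppress the SGX warning (path assumed; verify on the host)
esxcli system settings advanced set -o /UserVars/SuppressSgxDisabledWarning -i 1
EOF
}

# Constructed sample output, used when esxcli is not available.
SAMPLE_GLOBAL='   CPU Packages: 1
   CPU Cores: 6
   CPU Threads: 12
   Hyperthreading Active: true
   Hyperthreading Supported: true
   Hyperthreading Enabled: true'
SAMPLE_LIST='CPU:0
   Id: 0
   Package Id: 0
   Brand: Intel(R) Xeon(R) E-2236 CPU @ 3.40GHz'

main() {
    if command -v esxcli >/dev/null 2>&1; then
        g=$(esxcli hardware cpu global get)
        l=$(esxcli hardware cpu list)
    else
        g=$SAMPLE_GLOBAL   # constructed sample
        l=$SAMPLE_LIST
    fi
    brand=$(cpu_brand "$l")
    ht=$(ht_active "$g")
    action=$(sgx_ht_action "$brand" "$ht")
    echo "cpu=$brand ht_active=$ht action=$action"
    if [ "$action" = disable-ht ]; then
        remediation
    fi
    return 0
}
main "$@"
```

The model match is deliberately a whole-token comparison, so an 8-core part such as a brand string containing E-2288G is reported as not-affected, matching the article's 4 or 6-core scope.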

  2. Limitations on SGX Remote Attestation for 3rd Gen or Later Intel® Xeon® Scalable Processors

On 3rd Gen or later Intel Xeon Scalable Processor platforms, enabling support for remote attestation of SGX enclaves requires the host to register its SGX cryptographic identity with a public Intel service. Starting from vSphere 8.0, vSphere has built-in functionality to perform SGX registration. Older releases of vSphere cannot perform this registration step.

Solution:

To enable SGX remote attestation, register the host in vSphere if running vSphere 8.0 or later. If running an older version of vSphere, it may be possible for third-party software to register the host during the provisioning stage. Note that this workaround is not officially verified or supported by vSphere. For more details, see Remote Attestation for Multi-Package Platforms using Intel® SGX Datacenter Attestation Primitives (DCAP).

  3. Limitations on Adding or Replacing a CPU Package in a CPU Socket for 3rd Gen or Later Intel® Xeon® Scalable Processors

On 3rd Gen or later Intel Xeon Scalable Processor platforms, when a CPU package is added or replaced in a CPU socket, SGX will automatically be disabled on the next host power-on.

Solution:

On the first boot following the addition or replacement of a CPU package in a CPU socket, customers should manually initiate an SGX Reset in the host's BIOS configuration. Optionally, customers can disable the SGX APB Support BIOS configuration option so that this reset happens automatically in the future.

Note: This process resets the encryption keys used by SGX, making any previously sealed data inaccessible. SGX remote attestation is disabled following this process, and SGX host registration is required again to re-enable it.