How to secure data with VMware Virtual Software Guard Extensions (vSGX)

Home Blog How to secure data with VMware Virtual Software Guard Extensions (vSGX)

4sysops - The online community for SysAdmins and DevOps

    0
Intel SGX is a processor-specific technology for application developers who seek to protect select code and data from disclosure or modification, so it is not a protection for a VM but rather protection at the CPU level. With VMware Virtual Software Guard Extensions (vSGX), your applications are able to define private areas of memory (enclaves) that store protected data.
Contents
  1. What are the requirements for vSGX?
  2. Guest OS support
  3. What are the restrictions for vSGX?
  4. BIOS settings—Three options to choose from
  5. Where do I enable vSGX within vSphere Client?
  6. Final thoughts
Avatar
Latest posts by Vladan Seget (see all)

vSGX is implemented via software programs that can create private memory regions that are called enclaves. The enclaves can store cryptographic keys, HR records, or any other kind of secret. In order to use vSGX, the ESXi host has to have an SGX-capable CPU, and the BIOS of the system must support SGX. The enclave is encrypted or decrypted via CPU on-the-fly.

vSGX allows the VMs to see Intel SGX technology only if the hardware supports it. The option can be switched on or off within the web browser. The official definition:

Intel Software Guard eXtensions (SGX) is a modern Intel processor security feature that enables apps to run within protected software containers known as enclaves, providing hardware-based memory encryption that isolates the applications' code and data in memory.

Virtual SGX (vSGX) is implemented as part of the vSphere. The vSGX creation/implementation happens between the VMkernel, the Virtual Machine Manager (VMM), and the management layer, where you can find the principal services (VPX/hostd/VMX). It is the VMkernel that is basically in charge of initializing SGX support on the ESXi host, after validation that the hardware and BIOS support it.

What are the requirements for vSGX?

Well, as said, the underlying hardware, the motherboard with a BIOS, and the CPU must support it. If not, you simply won't be able to proceed with the activation, which happens at the VM level. Intel Coffee Lake CPUs and higher are supported.

Open the virtual hardware edit options via the vSphere web client to view the security devices.

  • EFI firmware
  • Virtual hardware version 17 and above
  • vCenter Server 7.0
  • ESXi 7.0

Guest OS support

Not all OSs are supported, so you must pick a supported guest OS if you want to use this feature. Supported guest OSs are:

  • Linux
  • Windows Server 2016 (x64) and higher
  • Windows 10 (x64) and later

What are the restrictions for vSGX?

As you can see in the image, there are some restrictions to our vSphere infrastructure. We won't be able to use vMotion or DRS, or activate fault tolerance (FT) on a VM that has been enabled for vSGX.

Also, some operations simply won't work, such as suspending a VM, taking snapshots of a VM, or enabling guest integrity.

Note that virtual machine snapshots are supported if you do not snapshot the virtual machine's memory (there is a checkbox to deactivate).

You'll have to back up the data inside those VMs via some software that uses an agent, so the agent installed in the VM does an image level backup that is sent to a remote backup server.

Lastly, you'll need one of the latest versions of vSphere 7.

VMware vSGX restrictions

VMware vSGX restrictions

BIOS settings—Three options to choose from

  • Enabled—You simply enable, so Intel Software Guard Extensions (Intel SGX) is enabled and available for use in applications.
  • Software Controlled—In this case, the Intel SGX can be enabled by software applications, but it is not available until it is triggered. Note that in this case, when the app enables the feature, the guest OS might need to reboot.
  • Disabled—In this case, the feature is disabled. Intel SGX is disabled, and it cannot be enabled through software applications or via the Virtual Hardware assistant. This setting can only be changed again in the BIOS setup screen.

Where do I enable vSGX within vSphere Client?

Open the vSphere client. Then navigate to and select one of your VMs. Under Security devices, select the Enable checkbox for SGX.

Unfortunately, my virtual lab does not have the hardware support.

VMware vSGX not available

VMware vSGX not available

Under VM Options > Boot Options > Firmware, verify that EFI is selected. Also, you can enter the enclave page cache (EPC) size and select Flexible Launch Control (FLC) mode accordingly.

Note: If the VM is not set up with EFI firmware, you may need to reinstall the OS.

This screenshot is from VMware. You can see that you can allocate a certain amount of memory to the feature and also an enclave page cache size.

VMware vSGX activation

VMware vSGX activation

Final thoughts

The hardware-assisted secured enclaves are interesting, as the guest OS or the hypervisor cannot know the secret. But as with any good thing, there are some drawbacks. You need supported hardware, CPU, a motherboard with BIOS support, and a supported guest OS. In addition, there is a small performance penalty where Intel SGX reserves up to 128 MB of system RAM.

Subscribe to 4sysops newsletter!

vSGX is really interesting when you want to eliminate risk and are looking for securing data stored on a VM. If you do not mind some operational restrictions, such as vMotion/DRS, you can benefit from more security for sensitive data. Note that you'll also need applications that can leverage this technology.

Related Articles
0 Comments

Leave a reply

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2023

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account