New with VMware vSphere 7.0 Update 2, a feature called Confidential vSphere Pods allows customers to secure CPU registers and memory of the guest operating system from the hypervisor. How does it work?

VMware vSphere 7.0 Update 2 contains many great new features. These include enhancements around lifecycle management, performance, and others. However, VMware is also keen on improving security with the vSphere 7.0 Update 2 release. One of the new security features found in vSphere 7.0 Update 2 is called Confidential vSphere Pods. What are Confidential vSphere Pods? What are the requirements for Confidential vSphere Pods? How can vSphere admins take advantage of them in the new vSphere 7.0 Update 2 environment?

Secure Encrypted Virtualization-Encrypted State (SEV-ES) ^

To understand the requirements and architecture that makes Confidential vSphere Pods possible, let's review a new feature found in vSphere 7.0 Update 1. If you recall, vSphere 7.0 Update 1 introduced support for AMD's Secure Encrypted Virtualization-Encrypted State (SEV-ES) technology. What is SEV-ES?

SEV-ES is a hardware technology found in AMD CPUs. In general terms, it allows the guest operating system's memory and register state to be encrypted. It protects against access from the hypervisor, in this case, ESXi.

AMD's SEV-ES architecture is made possible by the following solution components:

  • A CPU, specifically AMD CPU, featuring a Platform Security Processor (PSP). The CPU with PSP manages encryption keys and encryption.
  • An operating system that is "enlightened." An enlightened OS is an operating system that uses guest-initiated calls to the hypervisor.
  • Virtual Machine Monitor (VMM) and Virtual Machine Executable (VMX) – These initialize an encrypted virtual machine state during virtual machine power-on. These components also handle calls from the guest operating system.
  • VMkernel driver that communicates the unencrypted data between the hypervisor and the guest operating system.

Is this an AMD-only technology? Currently, AMD SEV features are available with their entire line of AMD EYPC processors. Intel does have an equivalent technology called Intel Software Guard Extensions (SGX). However, this new equivalent feature is not yet available in most Xeon processors. This means that AMD currently has the upper hand in implementing SEV features for virtualized environments such as VMware vSphere.

The security industry, in general, is noting the importance of hardware-level security features. The importance of hardware-implemented security is contrasted by the havoc wreaked by hardware-level security vulnerabilities, such as in Meltdown and Spectre.

Keep in mind that Secure Encrypted Virtualization-Encrypted State needs to be enabled in the system's BIOS settings. Each vendor may implement this differently, so be sure to refer to the manufacturer's documentation for this information. After this is enabled in the BIOS, you can add the SEV-ES instructions to a virtual machine. To turn on this feature while creating a new virtual machine using PowerCLI, you can use the following cmdlet:

$vmhost = Get-VMHost -Name
New-VM -Name VM1 $vmhost -NumCPU 4 -MemoryMB 4 -DiskMB 4 -SEVEnabled $true

What about containers?

VMware vSphere 7.0 Update 2 – Confidential vSphere Pods ^

With vSphere 7.0 Update 2, VMware has extended the SEV-ES capabilities to include containers, specifically Confidential vSphere Pods. The new vSphere Confidential Pods use the AMD SEV-ES technology to provide the same security capabilities for containers that is available with virtual machines in vSphere 7.0 Update 1. On a Supervisor Cluster in vSphere with Tanzu, they allow keeping guest operating system memory encrypted and protected against the hypervisor accessing protected memory space.

The world of cybersecurity is all about security "layers." The new SEV-ES feature provided by Confidential vSphere Pods provides an extra layer of protection for modern workloads running on top of vSphere with Tanzu. SEV-ES security prevents leaking information in registers to components of your infrastructure, such as the vSphere hypervisor. In addition to protecting this space, it can also detect malicious modifications to a CPU register state.

Deploying Confidential vSphere Pods ^

So, how is this new feature deployed with vSphere with Tanzu? There are a few prerequisites to note before deploying the new Confidential vSphere Pods. These include the following:

  • SEV-ES must be enabled in the BIOS of the ESXi host. You will need to refer to the particular OEM manufacturer for your system to enable this feature.
  • You must enter a value for the Minimum SEV non-ES ASID setting equal to the number of SEV-ES VMs and confidential vSphere Pods on the host plus one. For example, if you plan to run 200 SEV-ES VMs and 128 vSphere Pods, enter at least 329. You can configure this setting as high as 500.
  • Your vSphere ESXi host must be running ESXi 7.0 Update 2 or higher.

Creating the Confidential vSphere Pods YAML file

Using VMware's official documentation, you can enable the Confidential vSphere Pods feature using the example YAML file provided. The following YAML file can be customized. However, note the sections in bold. The first section under the annotations configuration allows "turning on" the Confidential vSphere Pods feature. VMware notes that the memory requests and memory limits must be set to the same value.

apiVersion: v1
kind: Pod
  name: photon-pod
  namespace: my-podvm-ns
    vmware/confidential-pod: enabled
spec:  # specification of the pod's contents
  restartPolicy: Never
  - name: photon
    command: ["/bin/sh"]
    args:    ["-c", "while true; do echo hello, world!; sleep 1; done"]
        memory: "768Mi"
        memory: "768Mi"     

After creating the Confidential vSphere Pods YAML file, there are three more steps involved for deployment. These steps include:

  1. Log in to the Supervisor Cluster.
  2. Change to the vSphere with Tanzu application namespace.
  3. Use the YAML file to create the Confidential vSphere Pod.

Log in to the Supervisor Cluster

The next step is to log in to your vSphere with Tanzu Supervisor Cluster. To do this, use the following command:

kubectl vsphere login --server=https://<your server address FQDN or IP> --vsphere-username <your username>

Change to the vSphere with Tanzu application namespace

Next, you will change to the vSphere with Tanzu namespace where you want to deploy the application. To do this, use the command:

kubectl config use-context <your namespace>

Use the YAML file to create the Confidential vSphere Pod

Using the YAML file created earlier, you can now deploy the file to provision the Confidential vSphere Pod.

kubectl apply -f <your YAML file name>.yaml

Verifying the state of your vSphere Confidential Pod

To verify the state of the vSphere with Tanzu Pod and that it is configured as a Confidential vSphere Pod, you can view the pod metadata in the vSphere client. You should see the following in the encryption mode for the Pod.

Subscribe to 4sysops newsletter!

Verifying the encryption mode for the vSphere Confidential Pod

Verifying the encryption mode for the vSphere Confidential Pod

Concluding thoughts ^

VMware has made great strides with vSphere 7.0 Update 2 in the realm of security. They are using the available technologies from a hardware perspective, which will enable customers to provide additional layers of protection for mission-critical and sensitive workloads. With the new Confidential vSphere Pods feature, VMware is bringing the capabilities of the SEV-ES technology to containers. Now, VMware customers running vSphere with Tanzu workloads can have the same benefits for Kubernetes pods as was extended to virtual machines in vSphere 7.0 Update 1 using SEV-ES.


Leave a reply

Please enclose code in pre tags

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2021


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account