Information
AMD EPYC platforms support SEV-ES, a technology that encrypts a virtual machine's memory and CPU register state and limits the hypervisor's visibility into them, in order to increase workload security and decrease exposure to certain types of attacks. When configured properly, vSphere supports the use of SEV-ES inside guest virtual machines and containers under vSphere and vSphere with Tanzu. Enabling SEV-ES in system firmware makes it easier to enable it later inside virtual machines, containers, and guest OSes.
Enabling AMD SEV-ES (Secure Encrypted Virtualization-Encrypted State) on host hardware enhances the security of virtual machines by encrypting their memory and CPU state, reducing the risk of unauthorized data access and tampering from compromised hypervisors or malicious actors.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Impact:
Use of SEV-ES in a particular VM requires the guest OS to support it, and it will limit some operational features such as vMotion, snapshots, and so on. Consult the documentation for more information about these tradeoffs.