cisco.intersight.intersight_confidential_compute module – Confidential computing BIOS policy for Cisco Intersight

Note

This module is part of the cisco.intersight collection (version 2.18.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install cisco.intersight.

To use it in a playbook, specify: cisco.intersight.intersight_confidential_compute.

Synopsis

  • Creates BIOS policies with hardware-level confidential computing features enabled.

  • Supports AMD SEV (Secure Encrypted Virtualization), AMD SEV-SNP, and Intel SGX (Software Guard Extensions) for secure AI enclaves.

  • Combines the correct BIOS knob settings needed to enable memory encryption and trusted execution environments on Cisco UCS servers.

  • Intended for AI workloads that require protection of proprietary model data in memory.

  • For more information see Cisco Intersight.

Parameters

Parameter

Comments

api_key_id

string / required

Public API Key ID associated with the private key.

If not set, the value of the INTERSIGHT_API_KEY_ID environment variable is used.

api_private_key

path / required

Filename (absolute path) or string of PEM formatted private key data to be used for Intersight API authentication.

If a string is used, Ansible vault should be used to encrypt string data.

Ex. ansible-vault encrypt_string --vault-id tme@/Users/dsoper/Documents/vault_password_file '-----BEGIN EC PRIVATE KEY-----
<your private key data>
-----END EC PRIVATE KEY-----'

If not set, the value of the INTERSIGHT_API_PRIVATE_KEY environment variable is used.

api_uri

string

URI used to access the Intersight API.

If not set, the value of the INTERSIGHT_API_URI environment variable is used.

Default: "https://intersight.com/api/v1"

description

aliases: descr

string

The user-defined description of the BIOS policy.

enable_tme

string

Override for Intel Total Memory Encryption (TME).

TME is a prerequisite for SGX and encrypts all system memory with a platform key.

Automatically enabled by intel_sgx profiles; set explicitly only to override.

Choices:

  • "platform-default"

  • "enabled"

  • "disabled"

name

string / required

The name assigned to the BIOS policy.

The name must be between 1 and 62 alphanumeric characters, allowing special characters :-_.

numa_optimized

string

Override for NUMA optimization.

All confidential compute profiles enable NUMA optimization by default.

Choices:

  • "platform-default"

  • "enabled"

  • "disabled"

organization

string

The name of the Organization this resource is assigned to.

Profiles and Policies that are created within a Custom Organization are applicable only to devices in the same Organization.

Default: "default"

security_profile

string / required

The confidential computing security profile to apply.

amd_sev enables AMD Secure Encrypted Virtualization with memory encryption for VMs. Encrypts VM memory with per-VM keys so the hypervisor cannot read guest data. Requires AMD EPYC processors (Milan/Genoa or later).

amd_sev_snp enables AMD SEV with Secure Nested Paging for stronger isolation. Adds integrity protection on top of SEV memory encryption, preventing hypervisor tampering with guest memory mappings. Requires AMD EPYC Genoa or later.

intel_sgx enables Intel Software Guard Extensions for application-level enclaves. Creates hardware-encrypted memory enclaves that protect specific application data even from the OS and hypervisor. Requires Intel Xeon Scalable (Ice Lake or later).

intel_sgx_with_auto_reg enables Intel SGX with automatic registration agent. Includes all intel_sgx settings plus enables the SGX auto-registration agent for simplified attestation service enrollment.

Choices:

  • "amd_sev"

  • "amd_sev_snp"

  • "intel_sgx"

  • "intel_sgx_with_auto_reg"

sev_asid_count

string

Number of AMD SEV Address Space Identifiers (ASIDs) to allocate.

Higher ASID counts allow more concurrent encrypted VMs but may reduce available ASIDs for SEV-SNP.

Only applicable for amd_sev and amd_sev_snp security profiles.

Choices:

  • "platform-default"

  • "253 ASIDs"

  • "509 ASIDs"

sgx_epoch0

string

Intel SGX Epoch 0 value. Changing this invalidates all existing SGX sealed data.

Only applicable for intel_sgx and intel_sgx_with_auto_reg profiles.

Use with caution in production environments.

sgx_epoch1

string

Intel SGX Epoch 1 value. Changing this invalidates all existing SGX sealed data.

Only applicable for intel_sgx and intel_sgx_with_auto_reg profiles.

Use with caution in production environments.

state

string

If present, verifies that the resource exists and creates it if needed.

If absent, verifies that the resource does not exist and deletes it if needed.

Choices:

  • "present" ← (default)

  • "absent"

tags

list / elements=dictionary

List of tags in Key:<user-defined key> Value:<user-defined value> format.

use_proxy

boolean

If false, the module does not use a proxy, even if one is defined in an environment variable on the target hosts.

Choices:

  • false

  • true ← (default)

validate_certs

boolean

Controls whether the TLS certificate presented by api_uri is verified.

Choices:

  • false

  • true ← (default)

Examples

- name: Create AMD SEV policy for encrypted AI VMs
  cisco.intersight.intersight_confidential_compute:
    api_private_key: "{{ api_private_key }}"
    api_key_id: "{{ api_key_id }}"
    organization: AI-Factory
    name: bios-amd-sev-ai
    description: AMD SEV for secure AI inference VMs
    security_profile: amd_sev
    sev_asid_count: "509 ASIDs"

- name: Create AMD SEV-SNP policy for maximum VM isolation
  cisco.intersight.intersight_confidential_compute:
    api_private_key: "{{ api_private_key }}"
    api_key_id: "{{ api_key_id }}"
    name: bios-sev-snp-training
    description: SEV-SNP for secure model training
    security_profile: amd_sev_snp

- name: Create Intel SGX policy for enclave-based inference
  cisco.intersight.intersight_confidential_compute:
    api_private_key: "{{ api_private_key }}"
    api_key_id: "{{ api_key_id }}"
    name: bios-sgx-inference
    description: SGX enclaves for confidential inference
    security_profile: intel_sgx_with_auto_reg

- name: Delete confidential compute policy
  cisco.intersight.intersight_confidential_compute:
    api_private_key: "{{ api_private_key }}"
    api_key_id: "{{ api_key_id }}"
    name: bios-amd-sev-ai
    security_profile: amd_sev
    state: absent
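
A pre-flight check for task arguments, added here as an example (it is not part of the cisco.intersight collection): it encodes the constraints stated in the Parameters section and flags the combinations that documentation warns about before a task reaches Intersight. The helper name lint_task and the sample dictionaries are hypothetical and constructed for illustration.

```python
import re

# Constraints transcribed from the parameter documentation on this page.
AMD = {"amd_sev", "amd_sev_snp"}
SGX = {"intel_sgx", "intel_sgx_with_auto_reg"}
TRISTATE = {"platform-default", "enabled", "disabled"}
ASID_CHOICES = {"platform-default", "253 ASIDs", "509 ASIDs"}
NAME_RE = re.compile(r"[A-Za-z0-9:_.-]{1,62}")  # 1-62 alphanumerics plus : - _ .


def lint_task(args):
    """Return findings for one task's module arguments (hypothetical helper)."""
    findings = []
    profile = args.get("security_profile")
    if not NAME_RE.fullmatch(str(args.get("name", ""))):
        findings.append("name: must be 1-62 characters from alphanumerics and :-_.")
    if profile not in AMD | SGX:
        findings.append(f"security_profile: {profile!r} is not a documented choice")
    for key in ("enable_tme", "numa_optimized"):
        if key in args and args[key] not in TRISTATE:
            findings.append(f"{key}: {args[key]!r} is not a documented choice")
    if "sev_asid_count" in args:
        if args["sev_asid_count"] not in ASID_CHOICES:
            findings.append("sev_asid_count: not a documented choice")
        if profile not in AMD:
            findings.append("sev_asid_count: only applies to amd_sev and amd_sev_snp")
    for key in ("sgx_epoch0", "sgx_epoch1"):
        if key in args and profile not in SGX:
            findings.append(f"{key}: only applies to the intel_sgx profiles")
        elif key in args:
            findings.append(f"{key}: changing it invalidates existing SGX sealed data")
    if profile in SGX and args.get("enable_tme") == "disabled":
        findings.append("enable_tme: disabled, but TME is a prerequisite for SGX")
    if args.get("validate_certs") is False:
        findings.append("validate_certs: api_uri TLS certificate is not verified")
    if "PRIVATE KEY-----" in str(args.get("api_private_key", "")):
        findings.append("api_private_key: plaintext PEM; vault-encrypt it or use a path")
    return findings


# Constructed task arguments, shaped like the tasks in the Examples section.
SAMPLES = [
    {"name": "bios-amd-sev-ai", "security_profile": "amd_sev", "sev_asid_count": "509 ASIDs"},
    {"name": "bios-sgx-lab", "security_profile": "intel_sgx", "enable_tme": "disabled",
     "sgx_epoch0": "<epoch value>", "validate_certs": False},
]
if __name__ == "__main__":
    for task_args in SAMPLES:
        print(task_args["name"], lint_task(task_args))
```

The function takes the dictionary found under the module key of a parsed task, so it can run over playbooks loaded with any YAML parser in a CI step.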

Return Values

Common return values are documented here; the following are the fields unique to this module:

Key

Description

api_response

dictionary

The API response output returned by the specified resource.

Returned: always

Sample: {"api_response": {"CbsSevSnpSupport": "enabled", "Name": "bios-amd-sev-ai", "ObjectType": "bios.Policy", "Sev": "509 ASIDs"}}

applied_settings

dictionary

The BIOS settings applied by the security profile and any overrides.

Returned: when state is present

Authors

  • Steve Fulmer (@stevefulme1)