Intel® Kernel Guard Technology (Intel® KGT) is a policy specification and enforcement framework for ensuring runtime integrity of kernel and platform assets. The Intel® KGT framework allows policy writers to specify:
- Which OS/platform resources to monitor
- What actions to take when the monitored resource is accessed
A policy can be specified at build-time (embedded in the code), boot-time (such as through grub module), or at runtime (via configfs and script), and is enforced by an outside-OS component.
The Intel® KGT framework, along with an appropriate policy, can be used to achieve immutability and runtime integrity of critical resources such as kernel code pages, kernel pagetable mappings, kernel interrupt descriptor table (IDT), control registers (CRs), Model Specific Registers (MSR), and Memory Mapped I/O (MMIO) regions.
The Intel® KGT is based on xmon, which is a thin VT-x component. Xmon runs in vmx-root (ring -1), de-privileges the OS (which is in ring-0), and uses VT-x controls to trap access to specified resources and enforce policy specified actions.
Xmon currently uses VT-x features to enforce policy. However, its design is not limited to using VT-x and in the future, it is expected to incorporate additional CPU and platform features.
Some policy examples:
|
Asset to Monitor |
Action |
Result |
|
CR4:SMEP |
Skip instruction, Log |
SMEP bit cannot be modified by kernel or any kernel-mode component - Platform hardening |
|
Kernel code pages in memory |
On write access, skip instruction |
Kernel code pages cannot be modified - Kernel immutability |
|
Kernel code page mapping |
On write access, skip instruction |
Kernel code page mappings cannot be modified - Kernel page mapping immutability |
Please refer to the overview page for additional details.
