Description

Intel® Kernel Guard Technology (Intel® KGT) is a policy specification and enforcement framework for ensuring runtime integrity of kernel and platform assets.  The Intel® KGT framework allows policy writers to specify:
  • Which OS/platform resources to monitor
  • What actions to take when the monitored resource is accessed

A policy can be specified at build-time (embedded in the code), at boot-time (for example through a GRUB module), or at runtime (via configfs and a script), and is enforced by a component that runs outside the OS.

The Intel® KGT framework, along with an appropriate policy, can be used to achieve immutability and runtime integrity of critical resources such as kernel code pages, kernel pagetable mappings, kernel interrupt descriptor table (IDT), control registers (CRs), Model Specific Registers (MSR), and Memory Mapped I/O (MMIO) regions.

The Intel® KGT is based on xmon, which is a thin VT-x component. Xmon runs in vmx-root (ring -1), de-privileges the OS (which runs in ring 0), and uses VT-x controls to trap access to the specified resources and enforce the policy-specified actions.

Xmon currently uses VT-x features to enforce policy. However, its design is not limited to VT-x; in the future it is expected to incorporate additional CPU and platform features.
Some policy examples:

  Asset to Monitor            | Action                            | Result
  ----------------------------|-----------------------------------|----------------------------------------------------------------------------------------
  CR4:SMEP                    | Skip instruction, Log             | SMEP bit cannot be modified by kernel or any kernel-mode component - Platform hardening
  Kernel code pages in memory | On write access, skip instruction | Kernel code pages cannot be modified - Kernel immutability
  Kernel code page mapping    | On write access, skip instruction | Kernel code page mappings cannot be modified - Kernel page mapping immutability

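To make the trap-and-enforce loop and the "skip instruction" action in the table concrete, here is an added C model (not xmon or Intel KGT code): a trapped-access record stands in for what VT-x reports on a VM exit, and the policy function encodes the CR4:SMEP and kernel-code-page rows above. The guest_state and trapped_access structures, the instruction-length field and the log format are assumptions of this model; a real vmx-root component would read the equivalent values from the VMCS.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CR4_SMEP (1ULL << 20)   /* CR4.SMEP is bit 20 on Intel 64 */

enum asset  { ASSET_CR4, ASSET_KERNEL_CODE_PAGE };
enum action { ACTION_ALLOW, ACTION_SKIP, ACTION_SKIP_AND_LOG };

/* De-privileged guest state as seen from vmx-root (constructed model). */
struct guest_state { uint64_t rip; uint64_t cr4; };

/* One trapped access: the asset, the value the guest tried to write, and the
 * faulting instruction's length, which VT-x reports on VM exit. */
struct trapped_access { enum asset asset; uint64_t new_value; uint8_t insn_len; };

/* Policy table from the page: SMEP changes -> skip+log, code-page writes -> skip,
 * anything else -> allow. */
static enum action policy_decide(const struct guest_state *g, const struct trapped_access *t)
{
    switch (t->asset) {
    case ASSET_CR4:
        if ((t->new_value ^ g->cr4) & CR4_SMEP)   /* would this write flip SMEP? */
            return ACTION_SKIP_AND_LOG;
        return ACTION_ALLOW;                      /* other CR4 bits pass through */
    case ASSET_KERNEL_CODE_PAGE:
        return ACTION_SKIP;                       /* code pages are immutable */
    }
    return ACTION_ALLOW;
}

/* Enforce the decision. "Skip instruction" means the write is never applied and
 * RIP is advanced past the instruction, so the kernel resumes as if it had run.
 * Returns true when the access was blocked. */
bool enforce(struct guest_state *g, const struct trapped_access *t)
{
    enum action a = policy_decide(g, t);
    if (a == ACTION_ALLOW && t->asset == ASSET_CR4)
        g->cr4 = t->new_value;                    /* the only asset we model writes for */
    else if (a == ACTION_SKIP_AND_LOG)
        fprintf(stderr, "kgt: blocked write to asset %d at rip=%#llx\n",
                (int)t->asset, (unsigned long long)g->rip);
    g->rip += t->insn_len;   /* in all cases, resume at the next instruction */
    return a != ACTION_ALLOW;
}
```

The instruction lengths in a test are constructed; the point is that a blocked write leaves the asset untouched while RIP still moves past the instruction, so the kernel never observes a fault.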

Please refer to the overview page for additional details.

 

CONTACT US

Please contact Zachary Zou (zachary.zou@intel.com) or Roger Feng (roger.feng@intel.com).

 

Intel® VT-x refers to Intel® Virtualization Technology (Intel® VT) for IA-32, Intel® 64 and Intel® Architecture.

 

Maintainers