Intel® Kernel Guard Technology

Overview

Use this policy specification and enforcement framework for ensuring the runtime integrity of kernel and platform assets. The Intel® KGT framework allows policy writers to specify:

  • Which operating system or platform resources to monitor
  • What actions to take when the monitored resource is accessed

 

Resources

Intel KGT Architecture

Use Curl Scripts to Download and Install Intel KGT

Run CoreOS* with Intel KGT

Downloads


Binary Installation Package for Red Hat* Package Manager
Version 1.2.2-0
Version 1.2.1-0
The fix for this package completes the installation by updating the grub.cfg.


Binary Installation Package For Debian*
Version 1.2.1
This release merges patches from open source to support a cross build using a standard configfs path for Debian*. Reproducible builds are also fixed.

iKGT Source Package
Version 1.2.1
This release merges patches from open source to support a cross build using a standard configfs path for Red Hat Package Manager. Reproducible builds are also fixed.

Runtime Integrity of Critical Resources

A policy can be specified at:

  • Build time (embedded in the code)
  • Startup time (such as through a Grand Unified Bootloader [GRUB] module)
  • Runtime (via configfs and script)

It is enforced by a component that's outside the operating system.

The Intel KGT framework, along with an appropriate policy, can be used to achieve immutability and runtime integrity of critical resources such as:

  • Kernel code pages
  • Kernel page table mappings
  • Kernel interrupt descriptor table (IDT)
  • Control registers (CR)
  • Model-specific registers (MSR)
  • Memory-mapped I/O (MMIO) regions

 

XMON

Intel KGT is based on XMON, which is a thin Intel® Virtualization Technology (Intel® VT) for IA-32, Intel® 64 and Intel® Architecture (Intel® VT-x) component. XMON runs in vmx-root (ring -1), deprivileges the operating system (which is in ring-0), and uses Intel VT-x controls to trap access to specified resources and enforce policy-specified actions.

XMON uses Intel VT-x features to enforce policy. However, its design is not limited to using Intel VT-x and over time will incorporate additional CPU and platform features.

 

Policy Examples

| Asset to Monitor | Action | Result |
| --- | --- | --- |
| Control register 4, SMEP flag (CR4:SMEP) | Skip instruction, and then log information | SMEP bit cannot be modified by kernel or any kernel-mode component (platform hardening). |
| Kernel code pages in memory | On write access, skip instruction | Kernel code pages cannot be modified (kernel immutability). |
| Kernel code page mapping | On write access, skip the write instruction to the memory | Kernel code page mappings cannot be modified (kernel page-mapping immutability). |
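The CR4:SMEP row above, modeled as a small user-space C program. This is an added example, not Intel KGT or XMON code: the types, the function `handle_cr4_write` and the action names are hypothetical, and the guest state is a constructed stand-in. Only the SMEP bit position (CR4 bit 20) is architectural.

```c
#include <stdint.h>
#include <stdio.h>

#define CR4_SMEP (1ULL << 20)  /* architectural position of the SMEP flag in CR4 */

/* Hypothetical names for this sketch; not Intel KGT or XMON identifiers. */
enum action { ACT_ALLOW, ACT_SKIP, ACT_SKIP_AND_LOG };

struct cr_policy {
    uint64_t monitored_bits;   /* bits whose modification is trapped */
    enum action on_modify;     /* action when a monitored bit would change */
};

struct vcpu {                  /* minimal stand-in for guest state */
    uint64_t cr4;
    unsigned log_count;
};

/* Models the monitor's handling of a trapped guest write to CR4.
 * Guest CR4 is updated only when the write is allowed; on a skip the
 * instruction has no effect and the guest continues after it. */
enum action handle_cr4_write(struct vcpu *v, const struct cr_policy *p,
                             uint64_t new_val)
{
    uint64_t changed = (v->cr4 ^ new_val) & p->monitored_bits;

    if (changed == 0 || p->on_modify == ACT_ALLOW) {
        v->cr4 = new_val;
        return ACT_ALLOW;
    }
    if (p->on_modify == ACT_SKIP_AND_LOG) {
        v->log_count++;
        fprintf(stderr, "policy: skipped CR4 write %#llx, protected bits %#llx\n",
                (unsigned long long)new_val, (unsigned long long)changed);
    }
    return p->on_modify;
}

int main(void)
{
    struct vcpu v = { .cr4 = CR4_SMEP | (1ULL << 5), .log_count = 0 };  /* constructed state */
    const struct cr_policy p = { CR4_SMEP, ACT_SKIP_AND_LOG };

    handle_cr4_write(&v, &p, v.cr4 & ~CR4_SMEP);   /* tries to clear SMEP: skipped */
    handle_cr4_write(&v, &p, v.cr4 | (1ULL << 7)); /* unrelated bit: allowed */
    printf("cr4=%#llx smep=%d logged=%u\n", (unsigned long long)v.cr4,
           (v.cr4 & CR4_SMEP) != 0, v.log_count);
    return 0;
}
```

Writes that leave the monitored bit unchanged pass through, so the guest kernel can still manage the rest of CR4 while SMEP stays fixed.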
