Security and the Virtualization Layer (ESXi)
VMware designed the virtualization layer, or VMkernel, to
run virtual machines. It controls the hardware that hosts use and schedules the
allocation of hardware resources among the virtual machines. Because the VMkernel
is fully dedicated to supporting virtual machines and is not used for other
purposes, the interface to the VMkernel is strictly limited to the API required
to manage virtual machines.
ESXi provides additional VMkernel protection with the
following features:
Memory Hardening
The ESXi kernel, user-mode applications, and executable
components such as drivers and libraries are loaded at random, non-predictable
memory addresses. Combined with the non-executable memory protections provided
by the microprocessor, this makes it difficult for malicious code to exploit
memory-corruption vulnerabilities.
Kernel Module Integrity
Digital signing ensures the integrity and authenticity of
modules, drivers and applications as they are loaded by the VMkernel. Module
signing allows ESXi to identify the providers of modules, drivers, or
applications and whether they are VMware-certified.
Trusted Platform Module (TPM)
Each time ESXi boots, it measures the VMkernel and a subset
of the loaded modules (VIBs) and stores the measurements into Platform
Configuration Register (PCR) 20 of the TPM. This behaviour is enabled by
default and cannot be disabled. Hardware support for this feature is fully
tested and supported by VMware and its OEM partners.
NOTE:- Not all VIBs are measured as part of this
process.
The VMware TPM/TXT feature, which relies on this fully tested
hardware support, is suitable for a proof-of-concept that monitors
certain TPM PCR values and alerts when any value changes from
one boot to the next. Third-party solutions could use this feature to detect
changes to the VIB measurements stored in these PCRs in the following cases:
- Corruption of the measured images
- Unexpected or unauthorized updates, or other types of changes to the measured images
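As an added illustration (not VMware's code or the page's own), the following Python simulates how boot-time measurements chain into a TPM 1.2 PCR through the standard SHA-1 extend operation, and then compares PCR 20 readings between boots the way the third-party monitor described above would. The module images, host names and the per-image hashing step are constructed assumptions; the page does not describe ESXi's exact measurement format.

```python
import hashlib

PCR_INDEX = 20  # the PCR the page says ESXi extends with VMkernel/VIB measurements


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 1.2 PCR extend: PCR_new = SHA-1(PCR_old || measurement)."""
    return hashlib.sha1(pcr + measurement).digest()


def simulate_pcr20(module_images: list[bytes]) -> str:
    """Replay a boot's measurement chain into a zeroed PCR and return it as hex.

    Assumption (not from the page): each measured image is hashed with SHA-1
    before being extended, and images are measured in load order. Because
    every extend folds the previous value in, a change to any one image, or
    to the order, changes the final PCR value.
    """
    pcr = b"\x00" * 20
    for image in module_images:
        pcr = extend(pcr, hashlib.sha1(image).digest())
    return pcr.hex()


def detect_pcr_changes(baseline: dict[str, str], current: dict[str, str]) -> list[tuple[str, str]]:
    """Compare per-host PCR 20 readings against the previous boot.

    Returns (host, status) pairs for hosts whose PCR 20 differs from the
    baseline or that produced no reading this boot; the monitor cannot tell
    a legitimate update from corruption, so both surface as the same alert.
    """
    findings = []
    for host, expected in baseline.items():
        observed = current.get(host)
        if observed is None:
            findings.append((host, "no PCR 20 reading this boot"))
        elif observed != expected:
            findings.append((host, "PCR 20 changed since last boot"))
    return findings


# Constructed sample data: two hosts, one of which boots a modified driver VIB.
GOOD_BOOT = [b"vmkernel-build-1", b"vib-net-driver-1.0", b"vib-storage-1.0"]
TAMPERED_BOOT = [b"vmkernel-build-1", b"vib-net-driver-1.0-modified", b"vib-storage-1.0"]
BASELINE = {"esx01": simulate_pcr20(GOOD_BOOT), "esx02": simulate_pcr20(GOOD_BOOT)}
CURRENT = {"esx01": simulate_pcr20(GOOD_BOOT), "esx02": simulate_pcr20(TAMPERED_BOOT)}

if __name__ == "__main__":
    for host, status in detect_pcr_changes(BASELINE, CURRENT):
        print(f"ALERT {host}: {status}")
```

After a planned VIB update the baseline must be re-captured, otherwise every subsequent boot of that host keeps alerting.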
For more details you can see:-