
Intel Kernel Guard Technology - andrewaylett
https://01.org/intel-kgt
======
benjarrell
Seriously‽ https://01.org/intel-kgt/documentation/download-and-install-ikgt-curl-scripts

    To download and install iKGT for Debian systems, use the following curl command:
    $ curl https://01.org/sites/default/files/downloads/intel-kernel-guard-technolo... | bash

    To download and install iKGT for RPM systems, use the following curl command:
    $ curl https://01.org/sites/default/files/downloads/intel-kernel-guard-technolo... | bash

~~~
pmh
Amusingly enough, they grab the source tarball over http:

    servername=01.org/sites/default/files/downloads/intel-kernel-guard-technology
    ...
    wget http://${servername}/ikgt1.0-0amd64deb.tar.gz
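
The two snippets above (a `curl ... | bash` one-liner, and a fetch of the tarball over plain http inside it) are what a practitioner would replace with a download-verify-execute step. The script below is an added example and is not code from 01.org, the iKGT project, or either commenter: it refuses non-HTTPS URLs, forbids redirects that leave HTTPS, saves the installer to a file, checks its SHA-256 against a pinned digest, and only then runs it. The URL and the expected digest are placeholders that the operator would obtain out of band (the 01.org page publishes none), and the demonstration at the end uses a constructed local script so it runs offline.

```shell
#!/bin/sh
# Added example, not from 01.org or the iKGT project: fetch an installer to a
# file, pin its SHA-256, and only then run it, instead of `curl http://... | bash`.
# The digest passed to fetch_and_run is a placeholder the operator obtains
# out of band (the 01.org page publishes none); the URL is a placeholder too.

# sha256_of FILE: print the hex SHA-256 (sha256sum on Linux, shasum on macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_installer FILE EXPECTED_SHA256: succeed only if the digests match
# (the expected digest may be given in upper or lower case).
verify_installer() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$1")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# fetch_and_run URL EXPECTED_SHA256: HTTPS only, no downgrade via redirect,
# download to a temp file, verify, and execute only on a match.
fetch_and_run() {
    url=$1 expected=$2
    case $url in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $url" >&2; return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    # -f: fail on HTTP errors instead of saving an error page;
    # --proto '=https': abort if a redirect tries to leave HTTPS.
    if ! curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"; then
        rm -f "$tmp"; echo "download failed: $url" >&2; return 1
    fi
    if ! verify_installer "$tmp" "$expected"; then
        rm -f "$tmp"; echo "SHA-256 mismatch, not running installer" >&2; return 1
    fi
    sh "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Offline demonstration on a constructed script: the pinned digest accepts the
# original file and rejects the same file after a line is appended to it.
demo() {
    f=$(mktemp) || return 1
    printf '#!/bin/sh\necho installed\n' > "$f"
    pinned=$(sha256_of "$f")
    verify_installer "$f" "$pinned" && echo "pristine file: accepted"
    printf 'echo backdoor\n' >> "$f"      # simulate tampering in transit
    verify_installer "$f" "$pinned" || echo "tampered file: rejected"
    rm -f "$f"
}

demo
```

A pinned digest only helps if it comes from somewhere the attacker who can tamper with the download cannot also edit, so it belongs in a signed release note or in your own configuration management, not in the same script you are downloading.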

------
cuongpm
This is interesting.

I'm wondering by utilizing VT-x to implement the xmon module, whether this
framework can be used to protect a hardware virtualized hypervisor (e.g., KVM)
or not.

~~~
Sanddancer
Yep. This is all stuff that VT-x can already do, only it's giving a nice
little wrapper to do it to the "base" operating system. More than a bit of me
sees this as something to encourage operating system developers to actually
use the security features that virtualization allows, instead of doing the
bare minimum and obvious with it.

~~~
cuongpm
The protected OS is de-privileged though. In order to protect a hardware
virtualized hypervisor (i.e., one that also requires VT-x), they need to
implement some sort of nested virtual machine.

~~~
wtallis
_Haswell_ and later processors have extra hardware support to make nested
virtual machines faster. It's not a problem.

~~~
dman
Any details about this?

~~~
wtallis
The feature is called VMCS shadowing. Wikipedia's description cites an Intel
whitepaper (https://www-ssl.intel.com/content/dam/www/public/us/en/documents/white-papers/intel-vmcs-shadowing-paper.pdf)
which describes how it's intended to help with the case of using McAfee's Deep
Safe hypervisor (which does basically the same thing as this Kernel Guard, but
for Windows) nested inside of Xen.
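
Whether the nested-virtualization support discussed in the last few comments is actually available on a given machine can be checked on a Linux/KVM host. The script below is an added example and is not code from the thread, Intel, or the KVM project; it goes beyond the Xen case in the whitepaper by reading the two relevant kvm_intel module parameters (`nested` and `enable_shadow_vmcs`, assumed to be exposed under /sys/module) and, where msr-tools' `rdmsr` is available as root, decoding the CPU's IA32_VMX_PROCBASED_CTLS2 capability MSR. The bit layout follows the Intel SDM: that MSR (index 0x48B) holds the secondary VM-execution controls' allowed-0 settings in bits 31:0 and allowed-1 settings in bits 63:32, and "VMCS shadowing" is secondary control bit 14, so support is advertised when bit 46 of the MSR value is set. The MSR values used for checking the decoder are constructed, not readings from real hardware.

```shell
#!/bin/sh
# Added example, not from the thread, Intel or the KVM project: report whether
# this Linux/KVM host advertises VMCS shadowing and has nested VMX enabled.
# Assumptions: the kvm_intel module's `nested` and `enable_shadow_vmcs`
# parameters under /sys/module, and msr-tools' rdmsr (root) for the CPU check.
# Bit layout per the Intel SDM: IA32_VMX_PROCBASED_CTLS2 (MSR 0x48B) carries
# the secondary controls' allowed-0 settings in bits 31:0 and allowed-1
# settings in bits 63:32; "VMCS shadowing" is secondary control bit 14, so the
# CPU supports it when bit 32+14 = 46 of the MSR value is set.

# ctls2_allows_shadow_vmcs HEX: succeed if the MSR value lets bit 14 be set to 1.
ctls2_allows_shadow_vmcs() {
    v=$1
    case $v in 0x*|0X*) v=${v#??} ;; esac   # rdmsr prints no 0x prefix; accept both
    [ $(( 0x$v >> 46 & 1 )) -eq 1 ]
}

# kvm_param NAME: print the kvm_intel parameter value, or "absent" if unreadable.
kvm_param() {
    p=/sys/module/kvm_intel/parameters/$1
    if [ -r "$p" ]; then cat "$p"; else echo absent; fi
}

# nested_virt_report: one line per check; always exits 0 so it can be used
# from inventory scripts that collect rather than enforce.
nested_virt_report() {
    echo "kvm_intel nested:             $(kvm_param nested)"
    echo "kvm_intel enable_shadow_vmcs: $(kvm_param enable_shadow_vmcs)"
    if command -v rdmsr >/dev/null 2>&1 && msr=$(rdmsr 0x48b 2>/dev/null); then
        if ctls2_allows_shadow_vmcs "$msr"; then
            echo "IA32_VMX_PROCBASED_CTLS2=0x$msr: VMCS shadowing supported"
        else
            echo "IA32_VMX_PROCBASED_CTLS2=0x$msr: VMCS shadowing not supported"
        fi
    else
        echo "rdmsr unavailable (needs msr-tools and root): CPU check skipped"
    fi
    return 0
}

nested_virt_report
```

Run it as root after `modprobe msr` so `rdmsr` can open /dev/cpu/0/msr; `kvm_intel nested: N` or `enable_shadow_vmcs: N` means the host will not expose VMX to guests or will not use shadowing even if the CPU supports it.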

------
namplaa
I can hardly wait to see the presentation on how they circumvent it.

