VMware designed the virtualization layer, or VMkernel, to run virtual machines. It controls the hardware that hosts use and schedules the allocation of hardware resources among the virtual machines. Because the VMkernel is fully dedicated to supporting virtual machines and is not used for other purposes, the interface to the VMkernel is strictly limited to the API required to manage virtual machines.

ESXi provides additional VMkernel protection with the following features:

Memory Hardening

The ESXi kernel, user-mode applications, and executable components such as drivers and libraries are located at random, non-predictable memory addresses. Combined with the non-executable memory protections made available by microprocessors, this provides protection that makes it difficult for malicious code to use memory exploits to take advantage of vulnerabilities.

Kernel Module Integrity

Digital signing ensures the integrity and authenticity of modules, drivers and applications as they are loaded by the VMkernel. Module signing allows ESXi to identify the providers of modules, drivers, or applications and whether they are VMware-certified. VMware software and certain third-party drivers are signed by VMware.

Trusted Platform Module (TPM)

vSphere uses Intel Trusted Platform Module/Trusted Execution Technology (TPM/TXT) to provide remote attestation of the hypervisor image based on hardware root of trust. The hypervisor image consists of the following elements:

  • ESXi software (hypervisor) in VIB (package) format

  • Third-party VIBs

  • Third-party drivers

To leverage this capability, your ESXi system must have TPM and TXT enabled.

When TPM and TXT are enabled, ESXi measures the entire hypervisor stack when the system boots and stores these measurements in the Platform Configuration Registers (PCR) of the TPM. The measurements include the VMkernel, kernel modules, drivers, native management applications that run on ESXi, and any boot-time configuration options. All VIBs that are installed on the system are measured.

Third-party solutions can use this feature to build a verifier that detects tampering of the hypervisor image, by comparing the image with an image of the expected known good values. vSphere does not provide a user interface to view these measurements.

The measurements are exposed in a vSphere API. An event log is provided as part of the API, as specified by the Trusted Computing Group (TCG) standard for TXT.