Which two features secure the VMkernel?

Which two features secure the VMkernel? (Choose two)

Memory hardening

Binary translation

Kernel module integrity

Service console firewall


Page 10 from vsphere-esxi-vcenter-server-50-security-guide.pdf

ESXi provides additional VMkernel protection with the following features:
Memory Hardening The ESXi kernel, user-mode applications, and executable components such as drivers and libraries are located at random, non-predictable memory addresses. Combined with the non-executable memory protections made available by microprocessors, this provides protection that makes it difficult for malicious code to use memory exploits to take advantage of vulnerabilities.
Kernel Module Integrity Digital signing ensures the integrity and authenticity of modules, drivers and applications as they are loaded by the VMkernel. Module signing allows ESXi to identify the providers of modules, drivers, or applications and whether they are VMware-certified.
Trusted Platform Module (TPM) Each time ESXi boots, it measures the VMkernel and a subset of the loaded modules (VIBs) and stores the measurements into Platform Configuration Register (PCR) 20 of the TPM. This behavior is enabled by default and cannot be disabled. Hardware support for this feature is fully tested and supported by VMware and its OEM partners.
NOTE Not all VIBs are measured as part of this process.
The VMware TPM/TXT feature that leverages the fully tested hardware support is suitable for a proof-of-concept that demonstrates monitoring of certain TPM PCR values, by alerting when any values change from one boot to the next. Third-party solutions could use this feature to detect changes to VIB measurements stored in these PCRs for the following cases:
* Corruption of the measured images
* Unexpected or unauthorized updates, or other types of changes to the measured images

Leave a Reply

Your email address will not be published. Required fields are marked *