Intel Kernel Guard Technology (iKGT) has been around for a while, but has not supported UEFI. Until now. The initial checkin has appeared in the GitHub project!
Tag: iKGT
Intel Kernel Guard Tech: multiple projects
Earlier I briefly mentioned Intel Kernel Guard Technologies (iKGT).
https://firmwaresecurity.com/tag/ikgt/
I don’t see any checkins yet in the UEFI project; it is still empty.
But I just noticed that this project contains multiple other projects, which I didn’t notice earlier, and a few of them aren’t empty:
https://github.com/01org?utf8=%E2%9C%93&query=iKGT
https://github.com/01org/ikgt-uefi-loader
https://github.com/01org/ikgt-loader
https://github.com/01org/ikgt-manifest
https://github.com/01org/ikgt-api
https://github.com/01org/ikgt-core
https://github.com/01org/ikgt-plugin
https://github.com/01org/ikgt-usage
Intel porting KGT to UEFI
The other day I learned about Intel KGT:
Then I noticed Matthew Garrett’s Twitter feed, saying that it didn’t work with UEFI… But today I note that Vincent Zimmer of Intel has a new Twitter post, saying that Intel is working on porting KGT to work with UEFI:
Looking forward to UEFI-enabled iKGT!
Intel KGT
Wow, I wasn’t aware of Intel’s Kernel-Guard Technology (KGT) for Linux, until today. 😦
As found on the Twitter feed of Alex Bazhaniuk (@ABazhaniuk):
Intel Kernel-Guard Technology (Intel KGT) is a policy specification and enforcement framework for ensuring runtime integrity of kernel and platform assets. The Intel® KGT framework allows policy writers to specify:
* Which OS/platform resources to monitor
* Actions to take when the monitored resource is accessed
* A policy
A policy can be specified at build-time (embedded in the code), boot-time (such as through grub module), or at runtime (via configfs and script), and is enforced by an outside-OS component. The Intel KGT framework, along with an appropriate policy, can be used to achieve immutability and runtime integrity of critical resources such as kernel code pages, kernel page table mappings, kernel interrupt descriptor table (IDT), control registers (CRs), MSRs, and MMIO regions. The Intel KGT is based on xmon, which is a thin VT-x component. Xmon runs in vmx-root (ring -1), de-privileges the OS, and uses VT-x controls to trap access to specified resources and enforce policy specified actions. Xmon is not limited to using VT-x and, in the future, is expected to incorporate other CPU and platform features in addition to VT-x to enforce policy.
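To make the three parts of that description concrete (which resources are monitored, what happens when one is touched, and the policy as data that an outside-OS monitor enforces), here is a small Python model I added for this post. It is not Intel’s code and not iKGT’s real manifest or configfs syntax: the policy text format, the resource names, the action names and the guest accesses replayed in run_demo() are all constructed for illustration. Only the bit positions and the MSR number in the comments are architectural facts.

```python
# Toy model of a KGT-style resource-integrity policy. Added illustration:
# the policy text format, resource names and action names are assumptions
# made for this example and are NOT iKGT's real manifest or configfs syntax.
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    ALLOW = "allow"  # not monitored, or only unprotected bits changed
    LOG = "log"      # let the write through, but record it for later review
    SKIP = "skip"    # drop the write; the resource keeps its old value


@dataclass(frozen=True)
class Rule:
    resource: str          # "CR0", "CR4", "MSR:<hex>", "IDTR", ...
    action: Action
    mask: int = -1         # -1 (all bits set) means the whole value is protected


@dataclass
class Policy:
    rules: dict = field(default_factory=dict)   # resource -> Rule
    audit: list = field(default_factory=list)   # (resource, old, new) for LOG hits


@dataclass(frozen=True)
class AccessEvent:
    resource: str
    old: int   # value before the guest's write
    new: int   # value the guest is trying to install


# Constructed policy text. Bit numbers are the architectural ones:
# CR0.PE=0, CR0.WP=16, CR0.PG=31, CR4.SMEP=20; MSR 0xC0000082 is IA32_LSTAR.
POLICY_TEXT = """
# resource        action  [mask]
CR0               skip    0x80010001   # PE, WP, PG must never change
CR4               skip    0x00100000   # SMEP must stay as booted
MSR:0xC0000082    log                  # syscall entry point: record rewrites
IDTR              skip                 # IDT base is immutable
"""


def load_policy(text: str) -> Policy:
    """Parse the constructed policy format into a Policy (build/boot-time style)."""
    policy = Policy()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # strip comments and blanks
        if not line:
            continue
        parts = line.split()
        resource, action = parts[0], Action(parts[1])
        mask = int(parts[2], 0) if len(parts) > 2 else -1
        policy.rules[resource] = Rule(resource, action, mask)
    return policy


def enforce(policy: Policy, event: AccessEvent):
    """Decide what the monitor does with a trapped access.

    Returns (action taken, value the resource holds afterwards).
    """
    rule = policy.rules.get(event.resource)
    if rule is None:
        return Action.ALLOW, event.new          # resource not in the policy
    if ((event.old ^ event.new) & rule.mask) == 0:
        return Action.ALLOW, event.new          # only unprotected bits changed
    if rule.action is Action.LOG:
        policy.audit.append((event.resource, event.old, event.new))
        return Action.LOG, event.new
    if rule.action is Action.SKIP:
        return Action.SKIP, event.old           # write dropped, old value kept
    return Action.ALLOW, event.new


def run_demo(policy=None):
    """Replay constructed guest accesses against the policy."""
    policy = policy if policy is not None else load_policy(POLICY_TEXT)
    events = [
        AccessEvent("CR0", 0x80050033, 0x80040033),   # clear WP (bit 16): protected
        AccessEvent("CR0", 0x80050033, 0x8005003B),   # set TS (bit 3): unprotected
        AccessEvent("CR4", 0x003706F0, 0x002706F0),   # clear SMEP (bit 20)
        AccessEvent("MSR:0xC0000082", 0xFFFFFFFF81000000, 0xFFFFFFFFC0001000),  # LSTAR moved
        AccessEvent("MSR:0x10", 0, 1234),             # TSC write: not monitored
        AccessEvent("IDTR", 0xFFFFFE0000000000, 0xFFFFFFFFC0002000),            # IDT moved
    ]
    return [enforce(policy, ev) for ev in events]


if __name__ == "__main__":
    pol = load_policy(POLICY_TEXT)
    for action, value in run_demo(pol):
        print(f"{action.value:5s} -> {value:#x}")
    print("audit:", pol.audit)
```

The point the model makes is that the monitor never sees unmonitored resources at all, that a rule on a register can be narrowed to the bits that matter (so a routine CR0.TS toggle passes while a CR0.WP clear is dropped), and that "skip" and "log" are different defensive choices: one preserves the invariant, the other preserves evidence.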
Their Overview page gives a good introduction.
https://01.org/intel-kgt/overview
It looks like the last release was August 7th, with Intel TXT/tboot support:
https://lists.01.org/pipermail/intel-kgt/2015-August/000012.html
More Information:
https://github.com/01org/ikgt-manifest
https://01.org/intel-kgt/
