VMware designed the virtualization layer, or VMkernel, to run virtual machines. It controls the hardware that hosts use and schedules the allocation of hardware resources among the virtual machines. Because the VMkernel is fully dedicated to supporting virtual machines and is not used for other purposes, the interface to the VMkernel is strictly limited to the API required to manage virtual machines.

ESXi provides additional VMkernel protection with the following features:

Memory Hardening

The ESXi kernel, user-mode applications, and executable components such as drivers and libraries are located at random, non-predictable memory addresses. Combined with the non-executable memory protections made available by microprocessors, this provides protection that makes it difficult for malicious code to use memory exploits to take advantage of vulnerabilities.

Kernel Module Integrity

Digital signing ensures the integrity and authenticity of modules, drivers, and applications as they are loaded by the VMkernel. Module signing allows ESXi to identify the providers of modules, drivers, or applications and to determine whether they are VMware-certified.

Trusted Platform Module (TPM)

This module is a hardware element that represents the core of trust for a hardware platform and enables attestation of the boot process, as well as cryptographic key storage and protection. Each time ESXi boots, TPM measures the VMkernel with which ESXi booted in one of its Platform Configuration Registers (PCRs). TPM measurements are propagated to vCenter Server when the host is added to the vCenter Server system.

You can use TPM with third-party solutions to provide policy-based protection against the following threats against the ESXi image:

Corruption of the stored image

Certain kinds of tampering

Unexpected or unauthorized updates or other types of changes

Enable the dynamic launch of the VMkernel using TPM with the advanced configuration option enableTboot in the vSphere Client. This is referred to as Dynamic Root of Trust for Measurement (DRTM). By default, DRTM measurement of the VMkernel is disabled.
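The following is an added illustration, not VMware code, of the mechanism the TPM paragraphs describe: each boot component is hashed and folded into a Platform Configuration Register by an extend operation (PCR_new = H(PCR_old || digest)), so a PCR can only be extended, never set directly, and a verifier that holds a known-good ("golden") PCR value can detect a corrupted or replaced VMkernel image. The boot components, the SHA-256 bank, the three-stage chain, and the golden value are all constructed for the example; the PCR index ESXi actually uses and the exact events it measures are not taken from this page.

```python
import hashlib
from typing import Dict, List, Sequence, Tuple

PCR_SIZE = 32                  # one PCR in a SHA-256 bank
INITIAL_PCR = bytes(PCR_SIZE)  # PCRs reset to all-zero bytes at power-on


def measure(component: bytes) -> bytes:
    """Digest of a boot component; this is what firmware or the bootloader hands to the TPM."""
    return hashlib.sha256(component).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: PCR_new = H(PCR_old || digest).

    Because the old value is an input to the new one, order matters and no
    software can rewind a PCR to an earlier state without resetting the TPM.
    """
    if len(pcr) != PCR_SIZE or len(digest) != PCR_SIZE:
        raise ValueError("PCR and digest must both be SHA-256 sized")
    return hashlib.sha256(pcr + digest).digest()


def measured_boot(components: Sequence[bytes]) -> Tuple[bytes, List[bytes]]:
    """Measure each component in boot order into one PCR.

    Returns the final PCR value and the event log (the per-component digests),
    which is what a host would later present to a verifier such as vCenter Server.
    """
    pcr = INITIAL_PCR
    event_log: List[bytes] = []
    for component in components:
        digest = measure(component)
        event_log.append(digest)
        pcr = pcr_extend(pcr, digest)
    return pcr, event_log


def replay_event_log(event_log: Sequence[bytes]) -> bytes:
    """Recompute the PCR a verifier expects from a claimed event log."""
    pcr = INITIAL_PCR
    for digest in event_log:
        pcr = pcr_extend(pcr, digest)
    return pcr


def attest(reported_pcr: bytes, event_log: Sequence[bytes], golden_pcr: bytes) -> Dict[str, bool]:
    """Two checks a verifier makes on a host's attestation.

    log_consistent: the event log actually reproduces the reported PCR, so the
                    log was not edited independently of the TPM.
    matches_golden: the PCR equals the value recorded from a known-good boot,
                    so no component was corrupted, tampered with, or replaced.
    """
    log_consistent = replay_event_log(event_log) == reported_pcr
    matches_golden = reported_pcr == golden_pcr
    return {
        "log_consistent": log_consistent,
        "matches_golden": matches_golden,
        "trusted": log_consistent and matches_golden,
    }


# Constructed sample boot chains; these are not real ESXi images or measurements.
GOOD_BOOT = [
    b"bootloader v1 (constructed)",
    b"VMkernel build 12345 (constructed)",
    b"nvme driver, signed (constructed)",
]
TAMPERED_BOOT = [
    GOOD_BOOT[0],
    b"VMkernel build 12345 (constructed) + injected code",  # image modified on disk
    GOOD_BOOT[2],
]

# Golden value recorded once from a known-good host (constructed here).
GOLDEN_PCR, _ = measured_boot(GOOD_BOOT)


def check_boot(components: Sequence[bytes]) -> Dict[str, bool]:
    """Boot the given chain, then attest it against the golden PCR."""
    pcr, event_log = measured_boot(components)
    return attest(pcr, event_log, GOLDEN_PCR)


if __name__ == "__main__":
    print("known-good boot:   ", check_boot(GOOD_BOOT))
    print("tampered VMkernel: ", check_boot(TAMPERED_BOOT))
    # A host that booted the tampered image cannot hide it by presenting the
    # good event log, because the log no longer replays to the PCR it holds.
    tampered_pcr, _ = measured_boot(TAMPERED_BOOT)
    _, good_log = measured_boot(GOOD_BOOT)
    print("forged log, real PCR:", attest(tampered_pcr, good_log, GOLDEN_PCR))
```

The last case is the one that makes the TPM valuable over a software-only hash: the event log lives in host memory and can be edited, but the PCR it must replay to lives in the TPM and can only be extended, so a modified image is caught either by a golden-value mismatch or by a log that no longer reproduces the register.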

Note

If TPM is present on a system, but disabled in the BIOS, the following error message might appear: Error loading TPM. This is the expected behavior and the error message can be safely ignored.