VMware designed the virtualization layer, or VMkernel, to run virtual machines. It controls the hardware that hosts use and schedules the allocation of hardware resources among the virtual machines. Because the VMkernel is fully dedicated to supporting virtual machines and is not used for other purposes, the interface to the VMkernel is strictly limited to the API required to manage virtual machines.

ESXi provides additional VMkernel protection with the following features:

Memory Hardening

The ESXi kernel, user-mode applications, and executable components such as drivers and libraries are loaded at random, non-predictable memory addresses. Combined with the non-executable memory protections provided by the microprocessor, this makes it difficult for malicious code to exploit memory-corruption vulnerabilities.

Kernel Module Integrity

Digital signing ensures the integrity and authenticity of modules, drivers, and applications as they are loaded by the VMkernel. Module signing allows ESXi to identify the provider of a module, driver, or application and to determine whether it is VMware-certified.

Trusted Platform Module (TPM)

Each time ESXi boots, it measures the VMkernel and a subset of the loaded modules (VIBs) and stores the measurements into Platform Configuration Register (PCR) 20 of the TPM. This behavior is enabled by default and cannot be disabled. Hardware support for this feature is fully tested and supported by VMware and its OEM partners.

Note

Not all VIBs are measured as part of this process.

The VMware TPM/TXT feature, which builds on this fully tested hardware support, is suitable for a proof of concept that monitors selected TPM PCR values and alerts when any value changes from one boot to the next. Third-party solutions could use this feature to detect changes to the VIB measurements stored in these PCRs in the following cases:

Corruption of the measured images

Unexpected or unauthorized updates, or other types of changes to the measured images
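The boot-to-boot PCR monitoring described above, as an added example that is not part of the VMware documentation or any VMware tool: it models the TPM extend chain that produces PCR 20 (SHA-1 chaining with 20-byte registers is assumed, as in a TPM 1.2), baselines the value per host on the first observed boot, and alerts on drift; image bytes and host names are constructed placeholders.

```python
import hashlib

PCR_INDEX = 20  # the register ESXi extends with VMkernel and VIB measurements


def measure(image: bytes) -> bytes:
    """Digest of a loaded image (SHA-1, 20 bytes: the TPM 1.2 PCR width; assumed model)."""
    return hashlib.sha1(image).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: PCR_new = H(PCR_old || digest). Extends chain, so load order matters."""
    return hashlib.sha1(pcr + digest).digest()


def boot_pcr20(images: list[tuple[str, bytes]]) -> bytes:
    """Simulate one boot: PCR 20 starts at zeros and is extended with each image in load order."""
    pcr = bytes(20)
    for _name, image in images:
        pcr = extend(pcr, measure(image))
    return pcr


class PcrMonitor:
    """Baseline PCR 20 per host on its first observed boot; flag any later change."""

    def __init__(self) -> None:
        self.baseline: dict[str, bytes] = {}

    def record_boot(self, host: str, pcr20: bytes) -> bool:
        """Return True when this boot's PCR 20 differs from the host's baseline."""
        if host not in self.baseline:
            self.baseline[host] = pcr20
            return False
        return self.baseline[host] != pcr20


def changed_images(baseline: list[tuple[str, bytes]], current: list[tuple[str, bytes]]) -> list[str]:
    """If per-image digests are also logged, name what changed (the PCR alone only says something did)."""
    base = {name: measure(img) for name, img in baseline}
    cur = {name: measure(img) for name, img in current}
    return sorted(name for name in base.keys() | cur.keys() if base.get(name) != cur.get(name))


# Constructed sample data: placeholder bytes standing in for the VMkernel and measured VIB images.
BOOT_A = [("vmkernel", b"vmkernel-build-1"), ("esx-base", b"esx-base-vib-1"), ("net-driver", b"net-driver-vib-1")]
BOOT_B = [("vmkernel", b"vmkernel-build-1"), ("esx-base", b"esx-base-vib-1"), ("net-driver", b"net-driver-vib-2")]

if __name__ == "__main__":
    mon = PcrMonitor()
    mon.record_boot("esx01", boot_pcr20(BOOT_A))  # first boot sets the baseline
    if mon.record_boot("esx01", boot_pcr20(BOOT_B)):  # one VIB changed: alert
        print("ALERT esx01: PCR", PCR_INDEX, "changed; images:", changed_images(BOOT_A, BOOT_B))
```

A real monitor would read PCR 20 from the host's TPM after each boot rather than recomputing it; the point of the model is that any change to a measured image, or to its load order, changes the register.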