This consists of several components:
1) Kernel support for sending notifications on certain events.
2) qemu support for passing those notifications on to a policy agent.
3) A policy agent that builds a tree of process state and verifies that
this state is unmodified during in-kernel privilege checks.
There's also a minimal amount of code in rkt to add support for this.

Notifications are raised by writing to an I/O port, with the arguments passed in
registers. The kernel then blocks the running process until the notification
has been handled: once the policy agent has checked the event, it clears the
blocking flag and execution proceeds.

A --monitor flag is added to indicate that this mode should be enabled. If it is
not passed, qemu simply instructs the kernel to continue rather than waiting for
the policy agent.
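The following is an added illustration of the notification handshake and the policy agent's check described above, not code from the kernel, qemu or rkt patches. It assumes a hypothetical register layout (an event code plus pid, ppid, uid and a capability mask) and models the policy agent in Python; the return value stands in for clearing the blocking flag, and the --monitor flag is mirrored by the constructor argument.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict

# Hypothetical event codes carried in a register alongside the I/O port write.
EV_FORK, EV_EXIT, EV_PRIV_CHECK = 1, 2, 3


@dataclass(frozen=True)
class ProcState:
    pid: int
    ppid: int
    uid: int
    caps: int

    def digest(self) -> str:
        # Fingerprint of the fields a privilege check depends on.
        data = f"{self.pid}:{self.ppid}:{self.uid}:{self.caps:x}".encode()
        return hashlib.sha256(data).hexdigest()


class PolicyAgent:
    """Mirrors the guest process tree from fork/exit notifications and checks
    that the state reported at a privilege check still matches it."""

    def __init__(self, monitor: bool = True):
        self.monitor = monitor          # mirrors the --monitor flag
        self.tree: Dict[int, str] = {}  # pid -> digest recorded at fork

    def handle(self, regs: dict) -> bool:
        """Return True to clear the blocking flag and let the guest proceed."""
        if not self.monitor:
            return True  # monitoring disabled: qemu tells the kernel to continue
        st = ProcState(regs["pid"], regs["ppid"], regs["uid"], regs["caps"])
        ev = regs["event"]
        if ev == EV_FORK:
            # A child must hang off a parent the agent already knows (0 = root).
            if st.ppid != 0 and st.ppid not in self.tree:
                return False
            self.tree[st.pid] = st.digest()
            return True
        if ev == EV_EXIT:
            self.tree.pop(st.pid, None)
            return True
        if ev == EV_PRIV_CHECK:
            # Deny if the process is unknown or its credentials differ from the
            # recorded state; a legitimate credential change would itself need
            # a notification, which this sketch deliberately omits.
            known = self.tree.get(st.pid)
            return known is not None and known == st.digest()
        return False  # unrecognised event: keep the guest blocked
```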