• CI rules are still enforced even if a vulnerability
allows unauthorized kernel mode memory access • Memory pages are only marked executable if CI validation succeeds • Kernel memory cannot be marked both writable and executable • BUT impacts – Driver compatibility – UEFI Runtime services compatibility