25-14 Vol. 3C
VMX NON-ROOT OPERATION
Individual VM functions may perform additional fault checking (e.g., one might cause a general-protection exception if CPL > 0). In addition, specific VM functions may include checks that might result in a VM exit. If such a VM exit occurs, VM-exit information is saved as described in the previous paragraph. The specification of a VM function may indicate that additional VM-exit information is provided.
The specific behavior of the EPTP-switching VM function (including checks that result in VM exits) is given in Section 25.5.5.3.
25.5.5.3 EPTP Switching
EPTP switching is VM function 0. This VM function allows software in VMX non-root operation to load a new value
for the EPT pointer (EPTP), thereby establishing a different EPT paging-structure hierarchy (see Section 28.2 for
details of the operation of EPT). Software is limited to selecting from a list of potential EPTP values configured in
advance by software in VMX root operation.
Specifically, the value of ECX is used to select an entry from the EPTP list, the 4-KByte structure referenced by the EPTP-list address (see Section 24.6.14; because this structure contains 512 8-Byte entries, VMFUNC causes a VM exit if ECX ≥ 512). If the selected entry is a valid EPTP value (it would not cause VM entry to fail; see Section 26.2.1.1), it is stored in the EPTP field of the current VMCS and is used for subsequent accesses using guest-physical addresses. The following pseudocode provides details:
IF ECX ≥ 512
    THEN VM exit;
    ELSE
        tent_EPTP ← 8 bytes from EPTP-list address + 8 * ECX;
        IF tent_EPTP is not a valid EPTP value (would cause VM entry to fail if in EPTP)
            THEN VM exit;
            ELSE
                write tent_EPTP to the EPTP field in the current VMCS;
                use tent_EPTP as the new EPTP value for address translation;
                IF processor supports the 1-setting of the “EPT-violation #VE” VM-execution control
                    THEN
                        write ECX[15:0] to EPTP-index field in current VMCS;
                        use ECX[15:0] as EPTP index for subsequent EPT-violation virtualization exceptions (see Section 25.5.6.2);
                FI;
        FI;
FI;
Execution of the EPTP-switching VM function does not modify the state of any registers; no flags are modified.
As noted in Section 25.5.5.2, an execution of the EPTP-switching VM function that causes a VM exit (as specified above) uses the basic exit reason 59, indicating “VMFUNC”. The length of the VMFUNC instruction is saved into the VM-exit instruction-length field. No additional VM-exit information is provided.
An execution of VMFUNC that loads EPTP from the EPTP list (and thus does not cause a fault or VM exit) is called an EPTP-switching VMFUNC. After an EPTP-switching VMFUNC, control passes to the next instruction. The logical processor starts creating and using guest-physical and combined mappings associated with the new value of bits 51:12 of EPTP; the combined mappings created and used are associated with the current VPID and PCID (these are not changed by VMFUNC).¹ If the “enable VPID” VM-execution control is 0, an EPTP-switching VMFUNC invalidates combined mappings associated with VPID 0000H (for all PCIDs and for all EP4TA values, where EP4TA is the value of bits 51:12 of EPTP).
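The pseudocode for the EPTP-switching VM function, the VM-exit information it produces, and the combined-mapping invalidation rule in the preceding paragraph, modeled together in C as an added example (this is not Intel's text and not the code of any real hypervisor). The model assumes a processor whose EPTP validity check (Section 26.2.1.1) accepts only the UC (0) and WB (6) memory types and only a 4-level EPT walk (bits 5:3 = 3), supports accessed/dirty flags, has a 46-bit physical-address width, and supports the 1-setting of “EPT-violation #VE”; the `struct vcpu`, the tiny tagged TLB and the `exercise()` scenario are constructed for illustration and are not architectural structures.

```c
/* Constructed model of VMFUNC function 0 (EPTP switching). Assumptions are noted inline. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define EPTP_LIST_ENTRIES  512   /* 4-KByte EPTP list = 512 8-Byte entries */
#define EXIT_REASON_VMFUNC 59    /* basic exit reason used by a VMFUNC-caused VM exit */
#define MAXPHYADDR         46    /* assumed physical-address width of the modeled processor */
#define TLB_ENTRIES        8     /* toy cache of combined mappings */

enum vmfunc_result { VMFUNC_OK, VMFUNC_VM_EXIT };

/* A combined mapping is tagged by VPID, PCID and EP4TA (EPTP bits 51:12), as the text describes. */
struct combined_mapping { bool valid; uint16_t vpid; uint16_t pcid; uint64_t ep4ta; uint64_t lin, phys; };

struct vcpu {                             /* constructed, not an architectural structure */
    uint64_t rax, rcx, rflags;            /* guest registers: the VM function must not modify them */
    uint64_t eptp;                        /* EPTP field of the current VMCS */
    uint16_t eptp_index;                  /* EPTP-index field, written only if #VE is supported */
    bool     ve_supported;                /* 1-setting of "EPT-violation #VE" supported */
    bool     enable_vpid;                 /* "enable VPID" VM-execution control */
    uint16_t vpid;                        /* current VPID (0000H when enable_vpid is 0) */
    uint32_t exit_reason, exit_insn_len;  /* VM-exit information fields */
    struct combined_mapping tlb[TLB_ENTRIES];
};

static inline uint64_t ep4ta(uint64_t eptp) { return (eptp >> 12) & ((1ull << 40) - 1); }

/* EPTP validity as VM entry would check it (Section 26.2.1.1), under the stated assumptions:
   memory type UC or WB, 4-level walk, A/D flags supported, bits 11:7 and 63:MAXPHYADDR reserved. */
static bool eptp_is_valid(uint64_t eptp) {
    unsigned mt = eptp & 0x7;
    if (mt != 0 && mt != 6) return false;
    if (((eptp >> 3) & 0x7) != 3) return false;
    if (eptp & 0xF80ull) return false;
    if (eptp >> MAXPHYADDR) return false;
    return true;
}

static uint64_t make_eptp(uint64_t pml4_pa, unsigned mem_type, bool ad_flags) {
    return (pml4_pa & ~0xFFFull) | (3u << 3) | (mem_type & 7) | (ad_flags ? 1u << 6 : 0);
}

static void invalidate_combined_for_vpid(struct vcpu *v, uint16_t vpid) {
    for (size_t i = 0; i < TLB_ENTRIES; i++)
        if (v->tlb[i].valid && v->tlb[i].vpid == vpid) v->tlb[i].valid = false;
}

/* Function 0 as in the pseudocode: index check, validity check, EPTP and EPTP-index update,
   then the invalidation rule. A failed check is a VM exit with reason 59 and only the
   instruction length recorded; registers and flags are untouched on every path. */
static enum vmfunc_result vmfunc_eptp_switch(struct vcpu *v, const uint64_t *eptp_list, uint32_t insn_len) {
    uint32_t ecx = (uint32_t)v->rcx;             /* ECX is compared in full, not truncated to 9 bits */
    if (ecx >= EPTP_LIST_ENTRIES) goto vm_exit;
    uint64_t tent_eptp = eptp_list[ecx];
    if (!eptp_is_valid(tent_eptp)) goto vm_exit;
    v->eptp = tent_eptp;
    if (v->ve_supported) v->eptp_index = (uint16_t)ecx;     /* ECX[15:0] */
    if (!v->enable_vpid) invalidate_combined_for_vpid(v, 0); /* VPID 0000H, all PCIDs, all EP4TAs */
    return VMFUNC_OK;
vm_exit:
    v->exit_reason = EXIT_REASON_VMFUNC;
    v->exit_insn_len = insn_len;
    return VMFUNC_VM_EXIT;
}

/* Constructed scenario; returns a bitmask of the checks that held (31 when all five hold). */
static uint32_t exercise(void) {
    uint64_t list[EPTP_LIST_ENTRIES] = {0};
    list[0] = make_eptp(0x10000, 6, true);    /* valid, WB */
    list[1] = make_eptp(0x20000, 3, false);   /* invalid: memory type 3 is not supported */
    list[2] = make_eptp(0x30000, 0, false);   /* valid, UC */
    struct vcpu v = { .rax = 0, .rcx = 0, .rflags = 0x202, .eptp = make_eptp(0x5000, 6, true),
                      .ve_supported = true, .enable_vpid = false };
    v.tlb[0] = (struct combined_mapping){ true, 0, 0, ep4ta(v.eptp), 0x400000, 0x800000 };
    uint32_t ok = 0;
    if (vmfunc_eptp_switch(&v, list, 3) == VMFUNC_OK && v.eptp == list[0] && v.eptp_index == 0) ok |= 1;
    if (!v.tlb[0].valid && v.rcx == 0 && v.rflags == 0x202) ok |= 2;   /* no VPID: VPID 0 mappings gone; regs intact */
    v.rcx = 1;
    if (vmfunc_eptp_switch(&v, list, 3) == VMFUNC_VM_EXIT && v.exit_reason == 59
        && v.exit_insn_len == 3 && v.eptp == list[0]) ok |= 4;        /* invalid entry: exit, EPTP unchanged */
    v.rcx = 0x10002;                                                    /* ECX >= 512 even though ECX[8:0] == 2 */
    if (vmfunc_eptp_switch(&v, list, 3) == VMFUNC_VM_EXIT) ok |= 8;
    v.enable_vpid = true; v.vpid = 1; v.rcx = 2;
    v.tlb[1] = (struct combined_mapping){ true, 1, 0, ep4ta(v.eptp), 0x400000, 0x900000 };
    if (vmfunc_eptp_switch(&v, list, 3) == VMFUNC_OK && v.tlb[1].valid && v.eptp_index == 2) ok |= 16;
    return ok;                                                          /* VPID on: nothing invalidated */
}

int main(void) {
    printf("checks held: 0x%02x (0x1f means all)\n", exercise());
    return 0;
}
```

The last step of the scenario is the one a hypervisor author relying on EPTP switching for isolation should keep in mind: with VPID enabled, combined mappings created under the previous EPTP stay tagged and cached, so the hypervisor must itself issue INVEPT when it changes an EPT hierarchy, while with VPID disabled the switch discards all of VPID 0000H's combined mappings.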
Because an EPTP-switching VMFUNC may change the translation of guest-physical addresses, it may affect use of the guest-physical address in CR3. The EPTP-switching VMFUNC cannot itself cause a VM exit due to an EPT violation or an EPT misconfiguration arising from the translation of that guest-physical address through the new EPT paging structures. The following items provide details that apply if CR0.PG = 1:
• If 32-bit paging or IA-32e paging is in use (either CR4.PAE = 0 or IA32_EFER.LMA = 1), the next memory access with a linear address uses the translation of the guest-physical address in CR3 through the new EPT
1. If the “enable VPID” VM-execution control is 0, the current VPID is 0000H; if CR4.PCIDE = 0, the current PCID is 000H.