28-2 Vol. 3C

VMX SUPPORT FOR ADDRESS TRANSLATION

The translation from guest-physical addresses to physical addresses is determined by a set of EPT paging structures. The EPT paging structures are similar to those used to translate linear addresses while the processor is in IA-32e mode. Section 28.2.2 gives the details of the EPT paging structures.

If CR0.PG = 1, linear addresses are translated through paging structures referenced through control register CR3. While the “enable EPT” VM-execution control is 1, these are called guest paging structures. There are no guest paging structures if CR0.PG = 0.¹

When the “enable EPT” VM-execution control is 1, the identity of guest-physical addresses depends on the value 
of CR0.PG:

• If CR0.PG = 0, each linear address is treated as a guest-physical address.

• If CR0.PG = 1, guest-physical addresses are those derived from the contents of control register CR3 and the guest paging structures. (This includes the values of the PDPTEs, which logical processors store in internal, non-architectural registers.) The latter includes (in page-table entries and in other paging-structure entries for which bit 7—PS—is 1) the addresses to which linear addresses are translated by the guest paging structures.

If CR0.PG = 1, the translation of a linear address to a physical address requires multiple translations of guest-physical addresses using EPT. Assume, for example, that CR4.PAE = CR4.PSE = 0. The translation of a 32-bit linear address then operates as follows:

• Bits 31:22 of the linear address select an entry in the guest page directory located at the guest-physical address in CR3. The guest-physical address of the guest page-directory entry (PDE) is translated through EPT to determine the guest PDE’s physical address.

• Bits 21:12 of the linear address select an entry in the guest page table located at the guest-physical address in the guest PDE. The guest-physical address of the guest page-table entry (PTE) is translated through EPT to determine the guest PTE’s physical address.

• Bits 11:0 of the linear address are the offset in the page frame located at the guest-physical address in the guest PTE. The guest-physical address determined by this offset is translated through EPT to determine the physical address to which the original linear address translates.
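The three-step walk above, as an added example that is not taken from the Intel manual: a toy C model showing that one linear-address translation with CR4.PAE = CR4.PSE = 0 performs three guest-physical translations. The flat `ept_map` array stands in for the EPT paging structures of Section 28.2.2, and the memory size, frame layout and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PAGE   4096u
#define NPAGES 16u                      /* constructed toy machine: 16 frames */
static uint8_t  phys[NPAGES * PAGE];    /* host-physical memory */
static uint32_t ept_map[NPAGES];        /* flat stand-in for EPT: guest frame -> host frame */
static unsigned ept_translations;       /* guest-physical translations performed */

/* Translate one guest-physical address; -1 models an unmapped address (EPT violation). */
static int ept_translate(uint32_t gpa, uint32_t *hpa) {
    if (gpa / PAGE >= NPAGES) return -1;
    ept_translations++;
    *hpa = ept_map[gpa / PAGE] * PAGE + gpa % PAGE;
    return 0;
}

/* Fetch a 4-byte guest paging-structure entry; its address is guest-physical. */
static int read_guest_entry(uint32_t gpa, uint32_t *entry) {
    uint32_t hpa;
    if (ept_translate(gpa, &hpa) != 0) return -1;
    memcpy(entry, &phys[hpa], sizeof *entry);
    return (*entry & 1u) ? 0 : -1;      /* bit 0 = present */
}

/* Linear -> physical for CR0.PG = 1, CR4.PAE = CR4.PSE = 0. Returns 0 or -1. */
int translate_linear(uint32_t cr3, uint32_t la, uint32_t *pa) {
    uint32_t pde, pte;
    if (read_guest_entry((cr3 & ~0xFFFu) + 4 * (la >> 22), &pde)) return -1;            /* 31:22 */
    if (read_guest_entry((pde & ~0xFFFu) + 4 * ((la >> 12) & 0x3FFu), &pte)) return -1; /* 21:12 */
    return ept_translate((pte & ~0xFFFu) | (la & 0xFFFu), pa);                          /* 11:0 */
}

/* Constructed sample: guest page directory in guest frame 1, page table in 2, data in 3. */
int demo(uint32_t la, uint32_t *pa) {
    uint32_t pde = 0x2000u | 1u, pte = 0x3000u | 1u;
    memset(phys, 0, sizeof phys);
    for (uint32_t g = 0; g < NPAGES; g++) ept_map[g] = NPAGES - 1 - g;  /* non-identity map */
    memcpy(&phys[ept_map[1] * PAGE + 4 * (la >> 22)], &pde, 4);
    memcpy(&phys[ept_map[2] * PAGE + 4 * ((la >> 12) & 0x3FFu)], &pte, 4);
    ept_translations = 0;
    return translate_linear(0x1000u, la, pa);
}

int main(void) {
    uint32_t pa;
    if (demo(0x00403ABCu, &pa) == 0)
        printf("pa=0x%X after %u EPT translations\n", (unsigned)pa, ept_translations);
    return 0;
}
```

The model omits EPT access-right checks and the multi-level EPT walk itself; each call to `ept_translate` corresponds to one full EPT walk on real hardware.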

In addition to translating a guest-physical address to a physical address, EPT specifies the privileges that software is allowed when accessing the address. Attempts at disallowed accesses are called EPT violations and cause VM exits. See Section 28.2.3.

A logical processor uses EPT to translate guest-physical addresses only when those addresses are used to access memory. This principle implies the following:

• The MOV to CR3 instruction loads CR3 with a guest-physical address. Whether that address is translated through EPT depends on whether PAE paging is being used.²

  — If PAE paging is not being used, the instruction does not use that address to access memory and does not cause it to be translated through EPT. (If CR0.PG = 1, the address will be translated through EPT on the next memory access using a linear address.)

  — If PAE paging is being used, the instruction loads the four (4) page-directory-pointer-table entries (PDPTEs) from that address and it does cause the address to be translated through EPT.

• Section 4.4.1 identifies executions of MOV to CR0 and MOV to CR4 that load the PDPTEs from the guest-physical address in CR3. Such executions cause that address to be translated through EPT.

• The PDPTEs contain guest-physical addresses. The instructions that load the PDPTEs (see above) do not use those addresses to access memory and do not cause them to be translated through EPT. The address in a PDPTE will be translated through EPT on the next memory access using a linear address that uses that PDPTE.

1. “Enable EPT” is a secondary processor-based VM-execution control. If bit 31 of the primary processor-based VM-execution controls is 0, the logical processor operates as if the “enable EPT” VM-execution control were 0. See Section 24.6.2.

1. If the capability MSR IA32_VMX_CR0_FIXED0 reports that CR0.PG must be 1 in VMX operation, CR0.PG can be 0 in VMX non-root operation only if the “unrestricted guest” VM-execution control and bit 31 of the primary processor-based VM-execution controls are both 1.

2. A logical processor uses PAE paging if CR0.PG = 1, CR4.PAE = 1 and IA32_EFER.LMA = 0. See Section 4.4 in the Intel® 64 and IA-32 Architectures Software Developer’s Manual, Volume 3A.