Vol. 3C 28-7
VMX SUPPORT FOR ADDRESS TRANSLATION
28.2.3 EPT-Induced VM Exits
Accesses using guest-physical addresses may cause VM exits due to EPT misconfigurations, EPT violations, and
page-modification log-full events. An EPT misconfiguration occurs when, in the course of translating a
guest-physical address, the logical processor encounters an EPT paging-structure entry that contains an unsupported
value (see Section 28.2.3.1). An EPT violation occurs when there is no EPT misconfiguration but the EPT
paging-structure entries disallow an access using the guest-physical address (see Section 28.2.3.2). A
page-modification log-full event occurs when the logical processor determines a need to create a page-modification
log entry and the current log is full (see Section 28.2.5).
These events occur only due to an attempt to access memory with a guest-physical address. Loading CR3 with a
guest-physical address with the MOV to CR3 instruction can cause neither an EPT misconfiguration nor an EPT violation
until that address is used to access a paging structure.¹
If the “EPT-violation #VE” VM-execution control is 1, certain EPT violations may cause virtualization exceptions
instead of VM exits. See Section 25.5.6.1.
28.2.3.1 EPT Misconfigurations
An EPT misconfiguration occurs if any of the following is identified while translating a guest-physical address:
• The value of bits 2:0 of an EPT paging-structure entry is either 010b (write-only) or 110b (write/execute).
• The value of bits 2:0 of an EPT paging-structure entry is 100b (execute-only) and this value is not supported
by the logical processor. Software should read the VMX capability MSR IA32_VMX_EPT_VPID_CAP to determine
whether this value is supported (see Appendix A.10).
• The value of bits 2:0 of an EPT paging-structure entry is not 000b (the entry is present) and one of the
following holds:
Table 28-5. Format of an EPT Page-Directory Entry (PDE) that References an EPT Page Table

| Bit Position(s) | Contents |
|---|---|
| 0 | Read access; indicates whether reads are allowed from the 2-MByte region controlled by this entry |
| 1 | Write access; indicates whether writes are allowed to the 2-MByte region controlled by this entry |
| 2 | Execute access; indicates whether instruction fetches are allowed from the 2-MByte region controlled by this entry |
| 6:3 | Reserved (must be 0) |
| 7 | Must be 0 (otherwise, this entry maps a 2-MByte page) |
| 8 | If bit 6 of EPTP is 1, accessed flag for EPT; indicates whether software has accessed the 2-MByte region controlled by this entry (see Section 28.2.4). Ignored if bit 6 of EPTP is 0 |
| 11:9 | Ignored |
| (N–1):12 | Physical address of 4-KByte aligned EPT page table referenced by this entry¹ |
| 51:N | Reserved (must be 0) |
| 63:52 | Ignored |

NOTES:
1. N is the physical-address width supported by the logical processor.
1. If the logical processor is using PAE paging—because CR0.PG = CR4.PAE = 1 and IA32_EFER.LMA = 0—the MOV to CR3 instruction
loads the PDPTEs from memory using the guest-physical address being loaded into CR3. In this case, therefore, the MOV to CR3
instruction may cause an EPT misconfiguration, an EPT violation, or a page-modification log-full event.
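The following C decoder is an added example, not part of the manual: it splits an EPT PDE that references a page table into the fields of Table 28-5, applies the bits 2:0 checks from the first two bullets of Section 28.2.3.1, and reports any nonzero "must be 0" field. The flag names, the function name and the sample entries are this example's own; it assumes N is between 32 and 52 and that the caller has already derived execute-only support from IA32_VMX_EPT_VPID_CAP.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Flag names are this example's own, not Intel's. */
enum {
    EPT_NOT_PRESENT    = 1 << 0, /* bits 2:0 = 000b; other bits not checked */
    EPT_BAD_PERMS      = 1 << 1, /* bits 2:0 = 010b or 110b */
    EPT_XO_UNSUPPORTED = 1 << 2, /* bits 2:0 = 100b, execute-only unsupported */
    EPT_RESERVED_SET   = 1 << 3, /* a "must be 0" field of Table 28-5 is set */
    EPT_MAPS_2M_PAGE   = 1 << 4, /* bit 7 = 1: entry does not reference a page table */
};
struct ept_pde {
    bool read, write, exec, accessed;
    uint64_t pt_addr;  /* bits (N-1):12, 4-KByte aligned */
    unsigned flags;    /* 0 = passes every check below */
};

/* n: physical-address width N (assumed 32..52); xo_ok: execute-only support as
 * reported by IA32_VMX_EPT_VPID_CAP; ad_on: bit 6 of EPTP. */
struct ept_pde ept_pde_decode(uint64_t e, unsigned n, bool xo_ok, bool ad_on)
{
    struct ept_pde d = {0};
    unsigned perms = (unsigned)(e & 7);
    uint64_t addr_mask = ((1ULL << n) - 1) & ~0xFFFULL;
    uint64_t rsvd_mask = (0xFULL << 3) | (((1ULL << 52) - 1) & ~((1ULL << n) - 1));
    if (perms == 0) { d.flags = EPT_NOT_PRESENT; return d; }
    d.read = perms & 1; d.write = perms & 2; d.exec = perms & 4;
    if (perms == 2 || perms == 6) d.flags |= EPT_BAD_PERMS;
    if (perms == 4 && !xo_ok)     d.flags |= EPT_XO_UNSUPPORTED;
    if (e & (1ULL << 7)) { d.flags |= EPT_MAPS_2M_PAGE; return d; }
    if (e & rsvd_mask)            d.flags |= EPT_RESERVED_SET;
    d.accessed = ad_on && (e & (1ULL << 8));
    d.pt_addr = e & addr_mask;
    return d;
}

int main(void)
{
    /* Constructed sample entries, N = 46, execute-only unsupported. */
    uint64_t samples[] = { 0x123456007ULL, 0x123456002ULL, 0x123456004ULL,
                           0x123456017ULL, 0x0004000000001003ULL };
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct ept_pde d = ept_pde_decode(samples[i], 46, false, true);
        printf("%#018llx flags=%#x pt=%#llx\n", (unsigned long long)samples[i],
               d.flags, (unsigned long long)d.pt_addr);
    }
    return 0;
}
```

A hypervisor can run a check of this kind on every entry before writing it into a live EPT hierarchy, so that a malformed entry is rejected in software instead of surfacing later as a VM exit.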