
Vol. 3C 28-7

VMX SUPPORT FOR ADDRESS TRANSLATION

28.2.3 EPT-Induced VM Exits

Accesses using guest-physical addresses may cause VM exits due to EPT misconfigurations, EPT violations, and page-modification log-full events. An EPT misconfiguration occurs when, in the course of translating a guest-physical address, the logical processor encounters an EPT paging-structure entry that contains an unsupported value (see Section 28.2.3.1). An EPT violation occurs when there is no EPT misconfiguration but the EPT paging-structure entries disallow an access using the guest-physical address (see Section 28.2.3.2). A page-modification log-full event occurs when the logical processor determines a need to create a page-modification log entry and the current log is full (see Section 28.2.5).

These events occur only due to an attempt to access memory with a guest-physical address. Loading CR3 with a guest-physical address with the MOV to CR3 instruction can cause neither an EPT misconfiguration nor an EPT violation until that address is used to access a paging structure.¹

If the “EPT-violation #VE” VM-execution control is 1, certain EPT violations may cause virtualization exceptions 
instead of VM exits. See Section 25.5.6.1.

28.2.3.1   EPT Misconfigurations

An EPT misconfiguration occurs if any of the following is identified while translating a guest-physical address:

• The value of bits 2:0 of an EPT paging-structure entry is either 010b (write-only) or 110b (write/execute).

• The value of bits 2:0 of an EPT paging-structure entry is 100b (execute-only) and this value is not supported by the logical processor. Software should read the VMX capability MSR IA32_VMX_EPT_VPID_CAP to determine whether this value is supported (see Appendix A.10).

• The value of bits 2:0 of an EPT paging-structure entry is not 000b (the entry is present) and one of the following holds:

Table 28-5.  Format of an EPT Page-Directory Entry (PDE) that References an EPT Page Table

| Bit Position(s) | Contents |
|---|---|
| 0 | Read access; indicates whether reads are allowed from the 2-MByte region controlled by this entry |
| 1 | Write access; indicates whether writes are allowed to the 2-MByte region controlled by this entry |
| 2 | Execute access; indicates whether instruction fetches are allowed from the 2-MByte region controlled by this entry |
| 6:3 | Reserved (must be 0) |
| 7 | Must be 0 (otherwise, this entry maps a 2-MByte page) |
| 8 | If bit 6 of EPTP is 1, accessed flag for EPT; indicates whether software has accessed the 2-MByte region controlled by this entry (see Section 28.2.4). Ignored if bit 6 of EPTP is 0 |
| 11:9 | Ignored |
| (N–1):12 | Physical address of 4-KByte aligned EPT page table referenced by this entry¹ |
| 51:N | Reserved (must be 0) |
| 63:52 | Ignored |

NOTES:

1. N is the physical-address width supported by the logical processor.
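As an added example (not code from the manual), the following C routine classifies a 64-bit value against Table 28-5 and the two bits-2:0 misconfiguration conditions listed above, the kind of check a hypervisor can run before installing an entry. All identifiers are hypothetical; the caller is assumed to supply the physical-address width N and whether execute-only is supported, as read from IA32_VMX_EPT_VPID_CAP.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example: all identifiers here are hypothetical, not from the SDM. */
enum ept_pde_status {
    EPT_PDE_OK,            /* valid reference to an EPT page table        */
    EPT_PDE_NOT_PRESENT,   /* bits 2:0 are 000b                           */
    EPT_PDE_MISCONFIG,     /* 010b, 110b, or unsupported 100b in bits 2:0 */
    EPT_PDE_MAPS_2M_PAGE,  /* bit 7 is 1, so Table 28-5 does not apply    */
    EPT_PDE_RESERVED_SET   /* a "must be 0" field of Table 28-5 is set    */
};

/* Mask covering bits hi..lo inclusive; yields 0 when lo > hi (N == 52). */
static uint64_t bit_range(unsigned hi, unsigned lo)
{
    return (~0ULL >> (63 - hi)) & ~((1ULL << lo) - 1);
}

/* n is the physical-address width; exec_only_ok is what the caller derived
 * from IA32_VMX_EPT_VPID_CAP. On EPT_PDE_OK, *pt_addr gets bits (N-1):12. */
enum ept_pde_status ept_pde_check(uint64_t pde, unsigned n, bool exec_only_ok,
                                  uint64_t *pt_addr)
{
    unsigned rwx = (unsigned)(pde & 0x7);
    if (rwx == 0x0)
        return EPT_PDE_NOT_PRESENT;
    if (rwx == 0x2 || rwx == 0x6)          /* write-only, write/execute */
        return EPT_PDE_MISCONFIG;
    if (rwx == 0x4 && !exec_only_ok)       /* execute-only unsupported  */
        return EPT_PDE_MISCONFIG;
    if (pde & (1ULL << 7))
        return EPT_PDE_MAPS_2M_PAGE;
    if (pde & (bit_range(6, 3) | bit_range(51, n)))
        return EPT_PDE_RESERVED_SET;
    if (pt_addr)
        *pt_addr = pde & bit_range(n - 1, 12);
    return EPT_PDE_OK;
}

int main(void)
{
    /* Constructed sample entries, checked with N = 46. */
    uint64_t samples[] = { 0x123456007ULL, 0x1002ULL, 0x1087ULL, 0x100FULL };
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%#llx -> %d\n", (unsigned long long)samples[i],
               ept_pde_check(samples[i], 46, false, NULL));
    return 0;
}
```

The ignored fields (bits 8 when EPTP bit 6 is 0, 11:9 and 63:52) are deliberately not inspected, so software-defined values stored there do not change the result.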

1. If the logical processor is using PAE paging—because CR0.PG = CR4.PAE = 1 and IA32_EFER.LMA = 0—the MOV to CR3 instruction loads the PDPTEs from memory using the guest-physical address being loaded into CR3. In this case, therefore, the MOV to CR3 instruction may cause an EPT misconfiguration, an EPT violation, or a page-modification log-full event.