Unexpected EPT Violations

We're currently working on a project that involves extending the KVM hypervisor. While running the VM, we sometimes get EPT violations that shouldn't be possible from our understanding of the Intel documents.

The scenario is as follows (we use Intel VT with EPT enabled):
All guest paging structures (i.e., the paging structures _inside_ the VM) are set to non-writable on the last EPT level. In other words, whenever the guest OS writes to a guest paging structure (e.g. to map/free a page), this triggers an EPT violation.

Now, "occasionally" the following happens:
The VM performs a normal read operation somewhere in memory (doesn't seem to matter where). This then yields an EPT violation, and bit 0, bit 1, and bit 7 are set in the exit qualification field; bit 8 is cleared. According to the Intel specification (Table 27-7), this means that the EPT violation was caused by the MMU setting the dirty or accessed bit in the guest paging structures. At first, this makes sense since these are set to non-writable on the EPT. However, this specific behavior can be disabled according to the Intel docs if bit 6 of the EPTP is cleared (see Section 28.2.4). Then, writes to the accessed or dirty bits in the PTEs are not considered memory writes and no EPT violation should happen (to our understanding).

In fact, for almost all memory operations, we never see any EPT violations as explained in the previous paragraph. They only happen "rarely", but they do.

Thus my question is whether anybody knows under which circumstances writes to accessed/dirty bits can actually cause an EPT violation although bit 6 of the EPTP is cleared. Or are we just missing something in the documentation?


I think you are confusing EPT accessed/dirty bit updates, which are controlled by bit 6 in the EPTP, and the guest page table accessed/dirty bit updates, which are not controlled by bit 6 in the EPTP. Bit 6 in the EPTP AFAICT only controls whether the EPT structures themselves are updated with accessed/dirty bits. I don't believe this has any bearing on whether you will get an EPT violation exit due to the CPU updating the guest's paging structures with accessed/dirty bits.
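To make the two points in this thread concrete (the exit-qualification pattern the question reports, and the answer's distinction between EPTP bit 6 and the guest's own A/D updates), here is an added example that is not from the original posts or from KVM. It decodes an EPT-violation exit qualification using the bit positions from the Intel SDM (bits 0-5, 7 and 8) and builds an EPTP with or without bit 6. The sample qualification value is constructed to match the post's description (bits 0, 1 and 7 set, bit 8 clear); the EPT-permission bits 3-5 in that sample, the `0x1000` PML4 address, and all function and macro names are assumptions for illustration, not values the post reported.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* EPT-violation exit qualification bits (Intel SDM, VM-exit qualification
 * for EPT violations; the post cites it as Table 27-7). */
#define EPTV_READ               (1ULL << 0) /* access was a data read */
#define EPTV_WRITE              (1ULL << 1) /* access was a data write */
#define EPTV_FETCH              (1ULL << 2) /* access was an instruction fetch */
#define EPTV_EPT_READABLE       (1ULL << 3) /* EPT entries permitted read */
#define EPTV_EPT_WRITABLE       (1ULL << 4) /* EPT entries permitted write */
#define EPTV_EPT_EXECUTABLE     (1ULL << 5) /* EPT entries permitted execute */
#define EPTV_GLA_VALID          (1ULL << 7) /* guest linear address field is valid */
#define EPTV_FINAL_TRANSLATION  (1ULL << 8) /* 1: access to the final GPA of a linear
                                             * address; 0: access to a guest paging-
                                             * structure entry (page walk or A/D update) */

/* EPTP fields (Intel SDM, EPTP format). */
#define EPTP_MEMTYPE_MASK       0x7ULL          /* bits 2:0, 0 = UC, 6 = WB */
#define EPTP_MEMTYPE_WB         0x6ULL
#define EPTP_WALK_LEN_SHIFT     3               /* bits 5:3 = page-walk length minus 1 */
#define EPTP_WALK_LEN_MASK      (0x7ULL << EPTP_WALK_LEN_SHIFT)
#define EPTP_AD_ENABLE          (1ULL << 6)     /* enable accessed/dirty flags for EPT */
#define EPTP_PML4_MASK          (~0xFFFULL)     /* physical address of the EPT PML4 table */

struct ept_violation {
    bool read, write, fetch;            /* what the guest access was */
    bool ept_r, ept_w, ept_x;           /* what the EPT entries allowed */
    bool gla_valid;                     /* a guest linear address was involved */
    bool to_paging_structure;           /* access hit a guest paging-structure entry */
};

enum ept_violation_kind {
    EPTV_KIND_NO_GLA,           /* no linear address (e.g. guest paging disabled) */
    EPTV_KIND_DATA_ACCESS,      /* ordinary access to the final guest-physical address */
    EPTV_KIND_GUEST_PT_ACCESS,  /* CPU touched a guest page-table entry: walk or A/D update */
};

struct ept_violation decode_ept_violation(uint64_t qual)
{
    struct ept_violation v;
    v.read  = (qual & EPTV_READ) != 0;
    v.write = (qual & EPTV_WRITE) != 0;
    v.fetch = (qual & EPTV_FETCH) != 0;
    v.ept_r = (qual & EPTV_EPT_READABLE) != 0;
    v.ept_w = (qual & EPTV_EPT_WRITABLE) != 0;
    v.ept_x = (qual & EPTV_EPT_EXECUTABLE) != 0;
    v.gla_valid = (qual & EPTV_GLA_VALID) != 0;
    /* Bit 8 is only meaningful when bit 7 is set. */
    v.to_paging_structure = v.gla_valid && !(qual & EPTV_FINAL_TRANSLATION);
    return v;
}

enum ept_violation_kind classify_ept_violation(uint64_t qual)
{
    struct ept_violation v = decode_ept_violation(qual);
    if (!v.gla_valid)
        return EPTV_KIND_NO_GLA;
    return v.to_paging_structure ? EPTV_KIND_GUEST_PT_ACCESS : EPTV_KIND_DATA_ACCESS;
}

/* Build an EPTP for a 4-level EPT hierarchy with write-back memory type.
 * `enable_ad` sets bit 6, which only turns on A/D flags in the EPT entries
 * themselves; it does not change how guest page-table A/D updates are handled. */
uint64_t make_eptp(uint64_t pml4_pa, bool enable_ad)
{
    uint64_t eptp = (pml4_pa & EPTP_PML4_MASK) | EPTP_MEMTYPE_WB
                  | ((uint64_t)(4 - 1) << EPTP_WALK_LEN_SHIFT);
    if (enable_ad)
        eptp |= EPTP_AD_ENABLE;
    return eptp;
}

bool eptp_ept_ad_enabled(uint64_t eptp)
{
    return (eptp & EPTP_AD_ENABLE) != 0;
}

int main(void)
{
    /* Constructed to match the post: bits 0, 1, 7 set, bit 8 clear. Bit 3 set
     * and bit 4 clear reflect an EPT leaf that is readable but not writable,
     * which is how the post says the guest page tables were mapped (assumed). */
    uint64_t qual = EPTV_READ | EPTV_WRITE | EPTV_GLA_VALID | EPTV_EPT_READABLE;
    struct ept_violation v = decode_ept_violation(qual);
    printf("read=%d write=%d fetch=%d ept_rwx=%d%d%d gla_valid=%d paging_structure=%d\n",
           v.read, v.write, v.fetch, v.ept_r, v.ept_w, v.ept_x, v.gla_valid,
           v.to_paging_structure);
    printf("kind=%d (2 = guest page-table entry access)\n", classify_ept_violation(qual));

    /* EPTP with and without bit 6: the violation above is classified the same. */
    uint64_t eptp_no_ad = make_eptp(0x1000, false);
    uint64_t eptp_ad    = make_eptp(0x1000, true);
    printf("eptp bit6 clear: %#llx (EPT A/D=%d)\n", (unsigned long long)eptp_no_ad,
           eptp_ept_ad_enabled(eptp_no_ad));
    printf("eptp bit6 set:   %#llx (EPT A/D=%d)\n", (unsigned long long)eptp_ad,
           eptp_ept_ad_enabled(eptp_ad));
    return 0;
}
```

A read and a write flag together with bit 7 set and bit 8 clear is what a read-modify-write of a guest paging-structure entry looks like from the hypervisor side; the decoder treats bit 8 as meaningful only when bit 7 is set, as the SDM defines it. The EPTP helper makes the answer's point visible: bit 6 lives in the EPTP and describes the EPT entries, so flipping it changes nothing about how the qualification is classified.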
