Intel EPT (Extended Page Table)

[cianfa72]

Hi,

Maybe this is not the right place to ask for....

I'm using an application running in a VM implemented by VirtualBox. Now when I setup the VM I can flag the following:

VT-x/AMD-V, PAE/NX and Nested Paging (aka EPT in Intel)

How can I check if my processor (core i5) is working in EPT mode when running into the VM process context ?

thanks.

[jnc100]

I don't think its possible to reliably determine whether what your kernel thinks is a physical address actually is or is instead a translated physical address using the EPT mechanism. As far as I'm aware, the only sensible way is to detect whether you're running in a virtual machine and then asking the hypervisor whether EPT is used or not, a process which is VM-specific. If you run linux within the VM, does the output of dmesg give any clues as to whether EPT is used or not?

Regards,
John.

[cianfa72]

If you run linux within the VM, does the output of dmesg give any clues as to whether EPT is used or not?

No, dmesg does not give any information about it....anyway my question was related to understand if exist any flag (in some processor register i guess...) that when set enable EPT nested translation for each virtual memory address accessed..

[jnc100]

my question was related to understand if exist any flag (in some processor register i guess...) that when set enable EPT nested translation for each virtual memory address accessed..

Within the guest? Not as far as I am aware. Out of interest, why do you need this information?

Regards,
John.

[cianfa72]

not inside the guest but in the host...I'm just curious for it

[jnc100]

In that case there is no processor flag that I'm aware of, it is instead specified as a flag within the VMCS, which is in the address space of the hosting process. How you'd inspect this from another process is another question. I suppose there would be away to increase the verbosity of the hypervisor's logs to let it tell you when its using EPT, or perhaps use VirtualBox's debug interface, but I guess the VirtualBox guys would know more about how to do that.

Regards,
John.

[cianfa72]

In that case there is no processor flag that I'm aware of, it is instead specified as a flag within the VMCS, which is in the address space of the hosting process.

Excuse me...I'm not an expert

what does it mean "VMCS" ? How does the processor know to perform the nested translation (EPT) when executing in the context of the guest ?

[stlw]

what does it mean "VMCS" ? How does the processor know to perform the nested translation (EPT) when executing in the context of the guest ?

Sometimes you have to go RTFM by yourself:
http://download.intel.com/products/proc ... 326019.pdf

[cianfa72]

Thanks.

A doubt reading the manual: but the EPT structure (used to translate the guest physical addresses into the host physical addresses) could be different from that used by the CPU to translate the linear address space (into the host physical addresses) of the process hosting the VM instance ?

[feryno]

Hi,

Maybe this is not the right place to ask for....

I'm using an application running in a VM implemented by VirtualBox. Now when I setup the VM I can flag the following:

VT-x/AMD-V, PAE/NX and Nested Paging (aka EPT in Intel)

How can I check if my processor (core i5) is working in EPT mode when running into the VM process context ?

thanks.

you can detect whether executing the CPUID takes more cycles (e.g. 100 cycles natively, 800 or even more cycles under VT-X because it causes vm exit)
but you can't detect whether hypervisor set some bit in VMCS to activate EPT
maybe you can measure CPU cycles when accessing memory (the same as when measuring CPUID cycles) and detect some increase ?
anyway don't expect any exact method of detecting whether EPT is active, maybe you'll be able to only say: EPT is very probably active because accessing memory takes slightly more CPU cycles...

[cianfa72]

Reading the ia-32 64 manual it is not so clear to me if EPTP (EPT pointer) is a processor register (such as CR3 register) or not. If that is the case do you think it is possible to access it to view the content ?

[stlw]

Reading the ia-32 64 manual it is not so clear to me if EPTP (EPT pointer) is a processor register (such as CR3 register) or not. If that is the case do you think it is possible to access it to view the content ?

EPTP is the VMCS field and not register. Moreover EPTP is not control field i.e. it doesn't enable or disable EPT. Enable/disable EPT controlled through secondary vmexit control VMCS field. You still have to read the manual if you won't understand what VMCS is.

Stanislav