Can speculative execution cause an Extended Page Table (EPT) violation on x86 processors?
Assume I want to access a structure that has different Guest Physical Address (GPA) to Host Physical Address (HPA) mappings in two different EPTs. This structure is supposed to be accessible only if, let's say, EPT #2 is active in the VMM. The guest OS is paravirtualized, and we utilize the vmfunc instruction for the EPT switch.

    # Switch to EPT #2
    mov $0x2, %rcx
    mov $0x0, %rax
    vmfunc
    # Access structure (read)
    mov (%rdx), %rbx
    # Do something with %rbx
    # ...
    # Switch back to EPT #1
    mov $0x1, %rcx
    mov $0x0, %rax
    vmfunc

Could speculative execution cause an EPT violation if the mov instruction is executed before the first vmfunc instruction? Or does vmfunc act as a "fence" and prohibit any speculative execution or out-of-order execution in general?