How to determine instruction fetches are allowed or not by page table and EPT in x86-64?


[Table from the SDM: Format of a Page-Table Entry that Maps a 4-KByte Page (image not reproduced)]

[Table from the SDM: Format of an EPT Page-Table Entry that Maps a 4-KByte Page (image not reproduced)]

It seems EPT.bit2 and EPT.bit10 are used to determine whether instruction fetches are allowed or not in supervisor mode / user mode.

But how do I know whether an IPA is a supervisor-mode linear address or a user-mode linear address? By the U/S bit in the page table?

If my understanding is correct, it means we must combine page table and EPT to judge whether instruction fetches are allowed or not, right?

In Intel Manual Volume 3C, Chapter 27, 2.3.2 EPT Violations, the manual describes several situations where fetches are not allowed. I only care about the situations when the VM-execution control = 1.


  • The access is an instruction fetch and the EPT paging structures prevent execute access to any of the bytes being fetched. Whether this occurs depends upon the setting of the "mode-based execute control for EPT" VM-execution control:

    • If the control is 0, an instruction fetch from a byte is prevented if bit 2 (execute access) was clear in any of the EPT paging-structure entries used to translate the guest-physical address of the byte.
    • If the control is 1, an instruction fetch from a byte is prevented in either of the following cases:
      • Paging maps the linear address of the byte as a supervisor-mode address and bit 2 (EPT.bit2) (execute access for supervisor-mode linear addresses) was clear in any of the EPT paging-structure entries used to translate the guest-physical address of the byte.

        Paging maps a linear address as a supervisor-mode address if the U/S flag (of the page table) (bit 2) is 0 in at least one of the paging-structure entries controlling the translation of the linear address.

      • Paging maps the linear address of the byte as a user-mode address and bit 10 (EPT.bit10) (execute access for user-mode linear addresses) was clear in any of the EPT paging-structure entries used to translate the guest-physical address of the byte.

        Paging maps a linear address as a user-mode address if the U/S flag (of the page table) is 1 in all of the paging-structure entries controlling the translation of the linear address. If paging is disabled (CR0.PG = 0), every linear address is a user-mode address.


How can I tell whether an address is a supervisor-mode address or a user-mode address here? By the high bits of the address (0xffff... is a supervisor-mode address, 0x0000... is a user-mode address)?

In terms of page-table entries, EPT entries and EPT violations, can we say this:

  1. if page table's U/S = 0 in all levels, then EPT.bit2 = 1 in all levels, fetches are allowed.
  2. if page table's U/S = 1 in all levels, then EPT.bit10 = 1 in all levels, fetches are allowed.
  3. Not allowed under other circumstances
1 answer

prl

Using addresses with the high bit set for supervisor mode is a convention, but it doesn't affect anything about how address translation or protection is done. The CPL (bits 1:0 of the CS register) controls whether accesses are supervisor-mode or user-mode. If CPL < 3, accesses are supervisor-mode accesses; if CPL = 3, accesses are user-mode accesses.

If "mode-based execute control for EPT" is 1:

  1. If paging is disabled or U/S = 1 in all page table levels, and EPT bit 10 = 1 in all EPT levels, fetches are allowed.
  2. If CPL < 3, U/S = 0 in any page table level, and EPT bit 2 = 1 in all EPT levels, fetches are allowed.

If "mode-based execute control for EPT" is 0:

  1. If paging is disabled or CPL < 3 or U/S = 1 in all page table levels, and EPT bit 2 = 1 in all EPT levels, fetches are allowed.

In addition, bit 63 (XD) must be 0 in all page table levels if CR4.PAE is 1.
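The following is an added example, written for this page and not taken from the question or from prl's answer: a small C model of the rule quoted from the SDM above, so the two checks can be run against constructed page-table and EPT entries. The `guest_walk` and `ept_walk` types, the function names and the sample entries are assumptions made for the example; the entries carry only flag bits, not real frame numbers, and the guest-side check models only U/S versus CPL and XD (which the SDM makes conditional on IA32_EFER.NXE = 1), not the present bit, SMEP or reserved-bit checks. Note that the classification into supervisor-mode and user-mode addresses used for EPT bit 2 versus bit 10 comes from the guest U/S flags only; CPL matters for the guest's own page-fault check but not for which EPT bit is consulted.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Flag bits from the two entry formats discussed above (SDM Vol. 3). */
#define PTE_US  (1ULL << 2)    /* guest paging-structure entry: U/S */
#define PTE_XD  (1ULL << 63)   /* guest paging-structure entry: XD (PAE and IA-32e paging only) */
#define EPT_X   (1ULL << 2)    /* EPT entry: execute access (supervisor-mode execute when MBEC = 1) */
#define EPT_XU  (1ULL << 10)   /* EPT entry: execute access for user-mode linear addresses (MBEC = 1) */

/* Hypothetical type: the guest paging-structure entries used to translate one linear
 * address (PML4E, PDPTE, PDE, PTE for a 4-KByte page), plus CR0.PG. */
struct guest_walk {
    bool paging_enabled;
    const uint64_t *entries;
    size_t n;
};

/* Hypothetical type: the EPT entries used to translate the resulting guest-physical address. */
struct ept_walk {
    const uint64_t *entries;
    size_t n;
};

static bool all_have(const uint64_t *entries, size_t n, uint64_t bit)
{
    for (size_t i = 0; i < n; i++)
        if (!(entries[i] & bit))
            return false;
    return true;
}

static bool any_has(const uint64_t *entries, size_t n, uint64_t bit)
{
    for (size_t i = 0; i < n; i++)
        if (entries[i] & bit)
            return true;
    return false;
}

/* SDM wording: user-mode address if U/S = 1 in every entry (or CR0.PG = 0);
 * supervisor-mode address if U/S = 0 in at least one entry. CPL is not involved. */
bool is_user_mode_address(const struct guest_walk *g)
{
    return !g->paging_enabled || all_have(g->entries, g->n, PTE_US);
}

/* Guest paging check for an instruction fetch at the given CPL; false means a #PF in the guest.
 * XD only takes effect when IA32_EFER.NXE = 1. Present bit, SMEP and reserved bits are not modelled. */
bool guest_fetch_allowed(const struct guest_walk *g, unsigned cpl, bool efer_nxe)
{
    if (!g->paging_enabled)
        return true;
    if (cpl == 3 && !is_user_mode_address(g))
        return false;                                 /* user-mode fetch from a supervisor-mode address */
    if (efer_nxe && any_has(g->entries, g->n, PTE_XD))
        return false;                                 /* execute-disable set in some level */
    return true;
}

/* EPT check for the same fetch; false means an EPT violation (VM exit).
 * With MBEC = 0 only bit 2 matters. With MBEC = 1 the guest U/S flags select bit 2 or bit 10. */
bool ept_fetch_allowed(const struct guest_walk *g, const struct ept_walk *e, bool mbec)
{
    if (!mbec)
        return all_have(e->entries, e->n, EPT_X);
    return all_have(e->entries, e->n, is_user_mode_address(g) ? EPT_XU : EPT_X);
}

/* Both checks must pass for the fetch to complete. */
bool fetch_allowed(const struct guest_walk *g, const struct ept_walk *e,
                   unsigned cpl, bool efer_nxe, bool mbec)
{
    return guest_fetch_allowed(g, cpl, efer_nxe) && ept_fetch_allowed(g, e, mbec);
}

/* Constructed sample walks (flag bits only). 0x7 = P|R/W|U/S, 0x3 = P|R/W, 0x403 = R|W|XU. */
static const uint64_t kernel_text[4] = { 0x3, 0x3, 0x3, 0x1 };              /* U/S = 0 at every level */
static const uint64_t user_text[4]   = { 0x7, 0x7, 0x7, 0x5 };              /* U/S = 1 at every level */
static const uint64_t mixed_text[4]  = { 0x7, 0x7, 0x3, 0x5 };              /* U/S = 0 in the PDE only */
static const uint64_t user_xd[4]     = { 0x7, 0x7, 0x7, 0x5 | PTE_XD };     /* user page with XD in the PTE */
static const uint64_t ept_rwx[4]     = { 0x7, 0x7, 0x7, 0x7 };              /* R|W|X, bit 10 clear */
static const uint64_t ept_rw_xu[4]   = { 0x403, 0x403, 0x403, 0x403 };      /* R|W|XU, bit 2 clear */

static const struct guest_walk G_KERNEL  = { true,  kernel_text, 4 };
static const struct guest_walk G_USER    = { true,  user_text,   4 };
static const struct guest_walk G_MIXED   = { true,  mixed_text,  4 };
static const struct guest_walk G_USER_XD = { true,  user_xd,     4 };
static const struct guest_walk G_NOPG    = { false, NULL,        0 };
static const struct ept_walk   E_RWX     = { ept_rwx,   4 };
static const struct ept_walk   E_RW_XU   = { ept_rw_xu, 4 };

int main(void)
{
    /* CPL 0 executing from a user page: the guest allows it (no SMEP modelled), but with
     * MBEC = 1 the EPT consults bit 10, which E_RWX leaves clear, so it is an EPT violation. */
    printf("CPL0, user page,  EPT R|W|X,  MBEC=1: %s\n", fetch_allowed(&G_USER, &E_RWX, 0, true, true) ? "allowed" : "denied");
    printf("CPL3, user page,  EPT R|W|XU, MBEC=1: %s\n", fetch_allowed(&G_USER, &E_RW_XU, 3, true, true) ? "allowed" : "denied");
    printf("CPL3, user page,  EPT R|W|XU, MBEC=0: %s\n", fetch_allowed(&G_USER, &E_RW_XU, 3, true, false) ? "allowed" : "denied");
    printf("CPL0, mixed walk, EPT R|W|XU, MBEC=1: %s\n", fetch_allowed(&G_MIXED, &E_RW_XU, 0, true, true) ? "allowed" : "denied");
    return 0;
}
```

The `mixed_text` walk is the case the question's item 1 and 2 leave out: one level with U/S = 0 makes the whole linear address supervisor-mode, so with MBEC = 1 the EPT must grant bit 2, and an EPT that only sets bit 10 causes a violation even though the leaf PTE is a user page.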