The figure is taken from here.
Q1. It seems that the EPT table keeps a whole copy of the guest page table, making it a 4-level page table. Is that correct?
Q2. Isn't it a bit of waste of space?
Q3. What exactly is an EPT violate? Does it mean this: the guest is trying to access a new guest virtual address (gVA), EPT table does not have a record for it yet, so it traps into VMM, and add the two gVA and gPA entries to the EPT table. Is that correct?
EPT maps guest physical address to host physical address.
Before EPT(hardware support for GPA<-->HPA) support was introduced Hypervisor had to manually maintain a shadow copy of the Guest Page Table mappings entries.
The PTE entries in the actual guest Page table would have lowered access permissions i.e. if it actual permission was write it would be lowered down to a read. This will result in a page fault which would be intercepted by the Hypervisor.
The Hypervisor will in turn update the corresponding shadow page table entries. This entire process was dog shit slow. Thats why EPT was introduced so that GPA to HPA translation is done by the hardware itself which is way faster.
So now answering your first question-- It does not. If you want to virtualize an OS without EPT support, you still need to maintain an additional shadow page table structures apart from the guest OS's page tables.
Q3-- The Guest Virtual Address(GVA) is translated normally by the hardware by traversing the page tables in the guest OS as it would have been done in an OS running on native hardware. Once we get the Guest Physical Address(GPA) after doing this translation EPT comes into the picture. Now Hardware translates GPA to HPA as HPA are the address real CPU knows about.
Ept violation VMExit happens when EPT does not have an existing mapping for a guest physical address(GPA) to host physical address(HPA). This results in a vmExit to VMM which will then create a new mapping. (The Ept violations is same as a page fault in normal OS, the only difference being the type of mapping being created.)
My 2 cent, please correct me if my memory went wrong.
Q1: No, EPT stores GPA to HPA mapping. With EPT, guest page table is only maintained in guest.
Q2: Without EPT, VMM should maintain shadow page table instead. So I don't think EPT wastes space.
Q3: EPT stores GPA to HPA mapping. GPA to GVA mapping is maintained in guest in this case.
My little contribution, one year late...
Q1:Yes EPT is like a mmu translation tree (4-level or less), but it translates GPA to HPA (Guest physical addresses to host physical ones).
Q2:For virtualization, translation tree (shadow or EPT) is necessary, so it's not a waste of space. Hardware translation is faster than shadow one (software) and prevents vmexit wich slows down process.
Q3: yes, an EPT violation occurs like a page fault but it occurs for access violation too. EPT allows a fine control of page access (read, write, execute).
