On Tue, Dec 1, 2020 at 1:41 AM Sean Christopherson <seanjc@xxxxxxxxxx> wrote:
>
> Hmm, yes, KVM would incorrectly handle this scenario. But, the proposed patch
> would not address the issue as KVM always maps non-leaf shadow pages with full
> access permissions.
>

Is it possible to exactly copy the access permissions from the guest for
non-leaf shadow pages? Any protection from the hypervisor (such as dirty
tracking, rmap_write_protect) can only play on the leaf shadow ptes.

> Can we have a testcase in kvm-unit-tests? It's okay of course if it
> only fails with ept=0.

Yes, it may have a flaw with ept=0. I don't get what "It's okay of course"
means. Is it related to kvm-unit-tests? Or no cloud provider uses ept=0?