NPT (Second-level address translation for virtualization)

NPT (Nested Page Tables) is a hardware mechanism that eliminates the need for software address translation by the hypervisor. It allows the guest operating system to directly manage its own memory, while the processor independently translates the guest virtual address first to the guest physical address and then immediately to the actual machine address without resource-intensive exits to the hypervisor.

This technology is used in hardware virtualization platforms such as Intel VT-x with EPT and AMD-V with RVI. It is critically important for modern cloud environments where many virtual machines share a physical server. NPT is used in enterprise-class hypervisors, including VMware ESXi, Microsoft Hyper-V, and KVM, providing isolation of guest environments while maintaining performance close to that of physical hardware.

Intel VT-x (Hardware Virtualization of the CPU)AMD-V (Hardware virtualization using the processor)EPT (Hardware second-level memory address translation)KVM (Turns the Linux kernel into a hypervisor)

The main problem is the lengthening of the address translation chain, as the processor must traverse two page table hierarchies. On a TLB miss, this causes multiple accesses to RAM, increasing latency. Managing stale entries in the shadow structure cache may also require cache flushing during virtual machine context switches, and complex page placement strategies can sometimes provoke conflicts at the level of the third-level cache, destroying performance.

How NPT works

The working principle is based on two-stage addressing, fully implemented by the processor memory management unit. The hypervisor configures the root pointer of its own page table in the virtual machine control structure, creating the guests physical address space. The guest operating system works with familiar virtual addresses and maintains its own page tables, unaware of the second translation level. When the guest tries to access memory, the MMU first uses the guest CR3 value to walk the guest tables, obtaining the intermediate guest physical address. This address is not the final machine address but serves as a virtual index for the second walk through the NPT tables set up by the hypervisor. The processor hardware traverses up to four levels of the guest hierarchy and then up to four levels of the nested EPT or RVI hierarchy. Each level is a 512-entry array of entries, where access rights bits from both structures are combined by logical AND, ensuring compliance with restrictions set by both the operating system and the hypervisor. To accelerate this complex walk, a specialized virtualization cache is used, tagging entries with the virtual machine identifier and address space tag, which avoids a full walk of both tables on repeated accesses to the same memory regions.

NPT functionality

  1. Two-dimensional address translation. NPT implements a second level of virtual-to-physical address translation, controlled exclusively by the hypervisor. The guest OS translates the guest virtual address (gVA) to the guest physical address (gPA) using standard means. Then the hardware MMU performs an additional walk through the NPT tables, converting the gPA to the actual host physical address (hPA).
  2. Separation of responsibilities. The hypervisor gains full control over the real physical memory, while the guest OS manipulates an isolated, continuous gPA address space. This architecture eliminates the need for an expensive binary translator of shadow page tables, offloading all nested translation computational work to the processors hardware memory management unit.
  3. Shadow Page Tables (Isolation of guest OS page tables)
  4. Shadow structure format. From the MMU perspective, NPT and guest page tables have an identical multi-level format (usually 4 or 5 levels) and use the same permission bits. The key difference is in the base address field: in NPT, it points directly to an hPA, while in guest tables, it points to a gPA requiring further translation. NPT entries contain access rights bits that act as a mask over the guest permissions.
  5. Hardware structure walk. On each memory access, the hardware sequentially walks the guest page tables, producing a gPA. This address is interpreted as an index into the root NPT table, starting a second identical depth walk. Thus, the full translation process requires up to 24 (12+12) sequential memory accesses in the worst case, if result caching mechanisms are not used.
  6. Effective access permissions. The resulting page access permissions are determined by the logical AND of the attributes set in the guest PTE and the host NPTE. If the guest marks a page as writable, but the hypervisor clears the read/write flag in the NPTE, any write attempt will cause a VMExit. This allows operation interception without modifying the guest tables.
  7. VMExit (Hypervisor interception of VM control)
  8. Page fault correction. Page fault handling becomes two-level. An exception arising from a missing entry in the guest tables is injected directly into the guest OS. If the fault occurs due to a missing mapping in the NPT, the processor generates a forced exit to the hypervisor. The hypervisor then emulates the instruction or modifies its table, after which it restarts guest execution.
  9. Tagged TLBs. To minimize the latency of two-dimensional translation, modern processors use tagged Translation Lookaside Buffers. Each TLB entry caches the full path from gVA to hPA and is tagged with the guest address space identifier (VPID). When the guest context switches, TLB flush is not required if the VPID is unique, which significantly reduces overhead when switching between virtual machines.
  10. Hyper-V memory management. In the Microsoft Hyper-V architecture, the Vid component (Virtualization Infrastructure Driver) uses NPT to implement Second Level Address Translation. This allows pages to be dynamically redistributed between partitions using hot memory addition, without violating the integrity of guest physical maps. Manipulations are reduced to changing pointers in the NPTE without stopping the virtual machine.
  11. Intel EPT mechanism. Hardware support for NPT in Intel processors is marketed as Extended Page Tables. EPT is activated by the enable EPT bit in the VMCS control structure. The Intel architecture requires the implementation of an EPT pointer that stores the physical address of the hierarchy root and completely separates the guest physical space from the system bus through an additional address remapping level.
  12. VMCS (Virtual Machine control structure)
  13. AMD RVI implementation. In AMD processors, NPT technology is implemented through Rapid Virtualization Indexing. A feature of AMD is tight integration with the tagged TLB and support for large pages (1GB) directly in NPT structures. This allows the hypervisor to map large contiguous blocks of guest memory, such as device video memory, bypassing translation levels and saving TLB resources.
  14. Large Pages (Memory Page enlargement)
  15. Lazy mapping strategy. Hypervisors actively use lazy resource allocation through NPT. When a guest starts, the hypervisor creates empty NPT entries. The first time the guest accesses an unmapped area, an EPT violation is generated. The hypervisor handler allocates a real physical hPA page, linking it to the gPA, which saves host memory until the guest module is actually loaded.
  16. Page splitting for monitoring. To monitor guest security modules, the hypervisor maps the same physical page (hPA) into different gPAs with different rights. For example, kernel code is mapped as executable and readable, but through a separate alias, the same memory is exported as non-executable for a scanner process, preventing W^X attacks at the physical data placement level.
  17. DMA redirection. Direct memory access devices work with gPAs, knowing nothing about the real physical memory. The IOMMU controller (Intel VT-d or AMD-Vi) receives a copy of the NPT from the hypervisor. During a DMA transaction from a passed-through device, the IOMMU independently walks the NPT, translating the gPA from the DMA descriptor into a valid hPA, providing isolation and protection from incorrect device transactions.
  18. Intel VT-d (Hardware isolation of direct device access)AMD-Vi (Hardware I/O virtualization)IOMMU (Isolation of direct memory access addresses)
  19. TLB pressure reduction. Two-dimensional translation catastrophically increases TLB misses due to the exponential growth of walk depth. To compensate, processors increase the associativity of the translation cache and introduce separate microarchitectural caches for intermediate NPT results. Using large pages (2MB/1GB) in NPT drastically reduces the number of entries needed to cover the guests working set.
  20. Copy-on-write migration. When creating snapshots, the hypervisor marks all NPT entries as write-protected. When the guest attempts to modify data, an EPT violation occurs. The handler copies the original page to a new hPA, updates the NPTE with write permission on the copy, leaving the original unchanged for other virtual machines using the same memory image.
  21. Compression and deduplication. The Transparent Page Sharing technique scans real pages, identifying identical content. If duplicate hPAs are found, the hypervisor modifies the corresponding NPTEs of several guests, directing their gPAs to a single reference page with read-only rights. The freed physical memory is returned to the hypervisor pool without the guest operating systems knowledge.
  22. INVLPG instruction handling. When the guest OS flushes a TLB entry, the processor selectively invalidates translation caches for the specified gVA. However, the hardware does not touch the NPT structures. If the hypervisor modifies an NPTE, it must execute its own INVEPT (Intel) or INVLPGA (AMD) to forcibly flush entries based on outdated host physical memory translations from the TLB.
  23. Interaction with the PG cache. Processor cores store intermediate values of guest table walks in a special descriptor cache. The validity of these entries directly depends on the static nature of the NPT. Any modification of an NPTE requires not just a TLB flush, but also full state coordination between logical threads, using interprocessor interrupts to avoid speculative access through stale mappings.
  24. Shadow code paging. In untrusted guest scenarios, the hypervisor uses NPT to create a shadow representation of executable code. Instruction pages are mapped with execute permission but read disabled. An attempt by the guest to read executable memory as data causes a violation, allowing code introspection to be intercepted, since the processor cannot physically fetch an instruction if it cannot read it through the first-level cache.

Comparisons

  • NPT vs Shadow Page Tables. NPT implements two-dimensional address translation in hardware, eliminating VM-exit overhead when modifying shadow structures. Shadow tables required synchronization of every guest page modification, whereas NPT allows the hypervisor to lazily intercept only truly necessary events, drastically reducing CPU load.
  • NPT vs EPT. These are essentially identical implementations of hardware secondary translation from AMD and Intel respectively. The difference lies only in the name and microarchitectural nuances of TLB miss handling. Both mechanisms use an identical gVA -> gPA -> hPA translation layer, freeing the hypervisor from maintaining complex shadow structures for guest memory.
  • NPT vs Paravirtualized Paging. In paravirtualization, the guest OS is aware of running under a hypervisor and directly passes table modification requests through hypercalls. NPT wins in versatility, requiring no guest OS kernel modifications, but the PV approach can provide speed gains during intensive MMU operations due to the absence of double TLB misses.
  • PV (Virtual machine I/O acceleration)
  • NPT vs Software MMU Virtualization. Software MMU emulation tracks each guest instruction manually through shadow tables, generating an avalanche of exits to the hypervisor. NPT offloads all access rights checking and translation logic to the processors hardware memory unit, providing near-native speed for workloads sensitive to paging and context switches.
  • NPT vs Stage-2 ARM Translation. Conceptually, this is the same nested page walk model implemented in x86 and ARM architectures. ARM Stage-2 operates with a descriptor format tied to the load/store architecture, whereas NPT is based on classic 64-bit x86 entries. The fundamental difference is only in access rights handling and caching of intermediate results in specialized translation lookaside buffers.

OS and driver support

Implementing NPT support requires deep modification of the hypervisor kernel and does not affect the guest OS, as address translation occurs in hardware at the processor level. In the KVM kernel, a separate page table type (EPT/NPT) is created to support NPT, for which an enumeration pmap_type (PT_X86, PT_EPT, PT_RVI) is introduced into the pmap memory management subsystem, allowing runtime switching of PTE bit macros, such as the dirty bit (PG_M), between offset 0x040 for x86_64 and 0x200 for EPT. Handling of NPT hardware exceptions is implemented by modifying kvm_x86_ops and hooks like private_max_mapping_level, which, for example for SEV-SNP, limit the mapping level to 4K if the RMP table does not allow page coalescing, and VFIO drivers for device passthrough require correct handling of MMIO holes, where guest accesses to PCI device physical addresses are intercepted by the absence of NPT entries and generate a VMEXIT.

VFIO (Direct device Input-Output virtualization)

Security

NPT-based security is built on creating hardware-isolated memory views, where for each guest process (or group of processes) the hypervisor creates a unique NPT hierarchy that isolates critical kernel regions from malicious code. The mechanism is implemented by intercepting writes to the guest CR3 (process context switch) using a monitoring flag in the VMCS, where the VMM monitor checks the identifier of the new process against a protection profile-linked reference to the desired NPT hierarchy, and if it does not match, the micro-hypervisor atomically replaces the EPTP pointer with the required set of tables. To prevent DMA attacks, an IOMMU is used, excluding protected pages from the space accessible to devices, and to counter real-mode attacks (such as SeaBIOS modification), the address translation code in QEMU/KVM is modified so that even when guest paging is disabled, the second NPT translation stage is always forced, eliminating direct access to host memory (GPA == HPA).

SeaBIOS (Hardware initialization and system boot)QEMU (Emulator and hardware virtualizer of a computer)VMM (Hardware resource isolation and emulation)

Logging

NPT operation logging is implemented by analyzing accessed/dirty bits in EPT PTEs, where bit 8 signals a read and bit 9 signals a page modification, allowing the bhyve hypervisor when swapping guest memory to detect rarely used pages without tracing guest tables. Anomaly detection is performed using an execution trapping mechanism, where the hypervisor, having configured filters for writes to CR3 and execution of privileged instructions, receives signals for each task switch and can log suspicious memory map changes to a guest monitor log buffer for subsequent analysis by security tools (for example, by comparing the address written to CR3 with a reference base). When using SEV-SNP, the translation error log is maintained by checking RMP entries with the snp_lookup_rmpentry function during NPF (Nested Page Fault) processing, where in case of a page assignment failure (assigned == false), the event is logged as an attempted unauthorized access to private memory.

Limitations

A key limitation of NPT is the catastrophic increase in TLB miss cost: if a native system miss requires 4 memory accesses, then with hardware virtualization enabled, the GVA -> GPA -> HPA translation requires up to 24 sequential DRAM accesses for a full walk through all table levels, forcing processor architectures to increase TLB sizes and introduce ASID tags to prevent complete cache flushes when switching between virtual machines. The technology does not fully isolate guest context switches without CR3 target-list support, as intercepting each task switch causes a heavyweight VMEXIT, and to minimize losses, bhyve implements heuristics for preloading target values into VMCS hardware registers to allow frequent switches without exiting to the hypervisor. Furthermore, NPT has no built-in protection against remapping: a malicious guest can reassign its GPT to bypass NPT DEP restrictions by changing code physical addresses to writable and executable, so security practitioners must combine the technology with shadow paging and delegation (SecPod).

DRAM (Storage and Byte-addressing of Data)

History and development

The evolution began with the realization that shadow paging consumed up to 75% of hypervisor resources, leading AMD and Intel in the second generation of hardware extensions (AMD Barcelona, Intel Nehalem) to add support for two-dimensional NPT/EPT translation, presenting it as a direct way to eliminate VMM traps on guest table updates. In 2015-2016, researchers developed paging delegation-based isolation methods (SecPod, micro-VM), where guest memory operations are delegated to a protected space, and NPT evolved from a mere accelerator into a foundation for security systems with the creation of separate NPT hierarchies for each process (memory views), which is implemented in commercial hypervisors through proprietary protection profile control mechanisms. By 2024, development focused on supporting confidential computing: the introduction of private_max_mapping_level hooks for SEV-SNP solved the page size mismatch problem (2MB vs 4K mapping), Linux drivers gained full support for 5-level paging in NPT for guests running on processors with 57-bit virtual address space support, and QEMU acquired correct NPT emulation for guests in real mode.

Latest publications