EPT (Hardware second-level memory address translation)

EPT (Extended Page Tables) is a hardware virtualization extension that eliminates the need for software emulation of page tables. In short, the technology allows a guest virtual machine to manage its own memory directly while the hypervisor retains full control over the server's physical memory, offloading work from the central processor.

This technology is widely used in modern enterprise hypervisors such as KVM, VMware ESXi, Microsoft Hyper-V and Xen. EPT is critical for cloud computing and high-density virtual machine environments where near-native performance is required. Support for EPT is built into Intel processors starting with the Nehalem microarchitecture; AMD processors offer the analogous Rapid Virtualization Indexing.

Using EPT introduces several challenges. Maintaining two translation levels significantly increases the number of translation lookaside buffer misses, especially during intensive data migration. Poor task scheduling can cause frequent and expensive virtual machine exits due to interrupts, negating the benefits of hardware acceleration. Additionally, managing nested page faults remains a nontrivial task for low level virtual machine monitor developers.

How EPT works

The working principle of EPT is two-stage address translation. In traditional virtualization without hardware support, the hypervisor must intercept every attempt by the guest operating system to modify its page tables and substitute the guest's physical addresses with real machine addresses by maintaining shadow structures. Hardware support eliminates this shadow layer. When EPT mode is enabled, the guest system works freely with its own virtual address space, using its own page tables to translate a process's virtual address into a so-called guest physical address. The processor's memory management unit does not stop at this result but launches a second, independent translation stage. A special register points to the root of the EPT tables, which belong exclusively to the hypervisor.

The processor hardware walks this nested structure, translating the guest physical address into the true host physical address in RAM. If an error occurs at any stage of this two-dimensional walk, the processor generates a special event, allowing the hypervisor to swap in the page or perform other necessary handling. This achieves isolation and full control over real resources without interfering with the normal operation of the guest operating system's memory scheduler.
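The following toy simulator, added here as an illustration and not taken from any hypervisor, walks 4-level guest tables nested inside 4-level EPT exactly as described above: every guest table reference is itself a guest physical address that must first go through EPT. All table layouts and addresses (GVA, CR3, the GPA-to-HPA offset of 32 pages) are constructed for the example; counting the reads also reproduces the 24 sequential memory accesses mentioned under Limitations.

```c
#include <stdint.h>
#include <string.h>
/* Toy model of the two-dimensional walk: 4-level guest tables plus 4-level EPT.
 * Entries hold a page-aligned address with the present bit in bit 0. */
#define LEVELS 4
#define NPAGES 64
static uint64_t mem[NPAGES * 512];   /* host physical memory as 8-byte words */
static int accesses;                 /* memory reads made by the current walk */
static uint64_t read_word(uint64_t hpa) { accesses++; return mem[hpa / 8]; }
static void write_word(uint64_t hpa, uint64_t v) { mem[hpa / 8] = v; }
static uint64_t idx(uint64_t a, int lvl) { return (a >> (12 + 9 * (lvl - 1))) & 0x1ff; }

/* Second stage: GPA -> HPA through the hypervisor's EPT rooted at ept_root (an HPA). */
static int ept_walk(uint64_t ept_root, uint64_t gpa, uint64_t *hpa) {
    uint64_t table = ept_root;
    for (int lvl = LEVELS; lvl >= 1; lvl--) {
        uint64_t e = read_word(table + 8 * idx(gpa, lvl));
        if (!(e & 1)) return -1;                 /* missing entry: EPT violation, VM exit */
        table = e & ~0xfffULL;
    }
    *hpa = table | (gpa & 0xfff);
    return 0;
}

/* Nested walk: each guest table lives at a GPA, so every level costs one EPT
 * walk plus one guest-entry read, then the data GPA is translated once more:
 * 4 * (4 + 1) + 4 = 24 memory reads for a 4-level guest and 4-level EPT. */
static int nested_walk(uint64_t guest_cr3, uint64_t ept_root, uint64_t gva, uint64_t *hpa) {
    uint64_t table_gpa = guest_cr3, table_hpa;
    accesses = 0;
    for (int lvl = LEVELS; lvl >= 1; lvl--) {
        if (ept_walk(ept_root, table_gpa, &table_hpa)) return -1;
        uint64_t e = read_word(table_hpa + 8 * idx(gva, lvl));
        if (!(e & 1)) return -2;                 /* guest page fault, handled by the guest */
        table_gpa = e & ~0xfffULL;
    }
    return ept_walk(ept_root, table_gpa | (gva & 0xfff), hpa);
}

/* Constructed layout: EPT maps GPA page g (0..7) to HPA page g+32 via HPA pages
 * 0..3; the guest maps GVA through GPA pages 1..4 to data in GPA page 5. */
static const uint64_t GVA = 0x7f0000001234ULL, CR3 = 0x1000;
uint64_t build_and_translate(void) {
    uint64_t hpa = 0;
    memset(mem, 0, sizeof mem);
    for (uint64_t p = 0; p < 3; p++) write_word(p << 12, ((p + 1) << 12) | 1);
    for (uint64_t g = 0; g < 8; g++) write_word((3ULL << 12) + 8 * g, ((g + 32) << 12) | 1);
    for (uint64_t lvl = LEVELS, g = 1; lvl >= 1; lvl--, g++)
        write_word(((g + 32) << 12) + 8 * idx(GVA, (int)lvl), ((g + 1) << 12) | 1);
    return nested_walk(CR3, 0, GVA, &hpa) ? 0 : hpa;   /* returns 0x25234 after 24 reads */
}
```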

EPT features

  1. Extended page table structure. EPT implements a second-level address translation that isolates guest physical memory from the host's real physical memory. The guest operating system manages its own tables while the hypervisor builds an EPT map that translates guest physical addresses into the machine address space.
  2. EPT violation exit. When guest execution encounters a missing entry in the EPT hierarchy, the processor initiates a VM exit with an EPT violation qualification. The hypervisor analyzes the guest physical address and the violation type, then emulates the instruction or swaps in the entry if necessary.
  3. EPT violation qualification field. This VMCS element details the exit reason through flag bits: read or write bits, the instruction fetch bit, and an indicator of the guest linear address state. This information is critical for accurate exception handling without accessing guest structures.
  4. Access right separation. EPT introduces its own read, write and execute permission bits, independent of the guest tables. If the guest allows a write but EPT disallows it, the processor generates a violation. This layering allows the hypervisor to intercept writes to specific memory pages transparently to the guest.
  5. EPT context identifier. The processor uses the EPTP field in the VMCS, which points to the root of the EPT hierarchy and contains a context identifier. This mechanism allows TLB entries to be tagged, preventing expensive flushes when switching between different virtual machines and thereby improving overall platform performance.
  6. Guest real mode execution. Unlike shadow pages, EPT allows unmodified guest operating systems to run directly without analyzing guest PTEs. Real mode or large page mode translation is handled in hardware via a separate EPT walk, simplifying hypervisor logic.
  7. Large page handling. The EPT hierarchy supports PML4, PDPTE and PDE entries with the page size bit set. Mapping a 2 MB or 1 GB region with a single entry reduces walk depth and lowers overhead for memory-intensive workloads.
  8. Sub page permission support. The Sub Page Permission feature allows applying a permission mask to parts of a standard 4 KB page. The hypervisor gains a tool for isolating small blocks of data within a single guest page without breaking it into smaller mappings.
  9. Page modification logging. The hardware EPT based Page Modification Logging technology uses the accessed and dirty bits in EPT structures. The processor atomically updates these fields, allowing the hypervisor to efficiently track modified guest pages during live virtual machine migration.
  10. Input output virtualization acceleration. Intel VT-d uses structures conceptually similar to EPT to translate addresses for DMA requests. The combined operation of EPT and VT-d blocks attempts by devices to access memory belonging to the hypervisor or to other virtual machines.
  11. VPID mechanism and TLB tagging. The combined use of EPT and the Virtual Processor Identifier eliminates full TLB flushes on task switches. Entries are cached with a VPID tag and an EPT context, ensuring memory domain isolation without performance loss when frequently switching guests.
  12. Memory attribute configuration. The PAT field in EPT entries controls the memory caching type. The hypervisor can force Write Combining for a guest frame buffer or Uncacheable for input output areas, overriding the policy requested by the guest operating system.
  13. Instruction fetch bypass. The execution mode field in EPTP controls EPT settings for code. Enabling Execute Only for data pages prevents malicious code execution while code remains available for fetching, implementing a hardware W^X policy at the hypervisor level.
  14. Integration with APICv. Interrupt virtualization relies on EPT to access local APIC registers. When the Virtual APIC page is used, acceleration is achieved by configuring EPT permissions so that the guest interacts directly with shadow copies of the registers without an exit.
  15. Fast EPT violation mechanism. Some modern processors optimize handling of frequent exits by providing extended information without analysis delays. The hypervisor receives the ready physical and linear address of the instruction directly in VMCS fields, bypassing costly walks.
  16. MMIO access interception scenario. Virtual devices often require emulation of accesses to ports and memory mapped registers. The hypervisor removes the mapping for MMIO pages from EPT; the resulting EPT violation traps control to the hypervisor for precise emulation of the required device register.
  17. Integration with Hyper-V enlightenments. To reduce exit overhead, the guest operating system uses enlightened calls. The hypervisor, by managing EPT access bits, instantly enables or disables lazy mapping of stack pages without needing to traverse guest tables via INVLPG.
  18. Execute disable enforcement. The Execute Disable bit in an EPT entry operates independently of the guest NX bit. The hypervisor gains unconditional control over preventing return oriented programming attacks by forcibly removing the execute flag from virtual machine heap and stack areas.
  19. Multi core access coherence. Atomicity of operations on EPT structures is ensured by bus locks. The hypervisor must follow an invalidation protocol: after modifying an entry, it performs a single INVEPT operation with the correct context type to guarantee that the change becomes visible.
  20. EPTP structure. This 64 bit field combines the physical address of the PML4 table, the length of the change logging pool and the invalidation type. Setting the accessed and dirty bits within EPTP itself activates hardware support for access tracking without constantly intercepting guest PTEs.
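The interplay of the permission bits, the exit qualification and the hypervisor's handling of an EPT violation (items on access right separation, the qualification field, MMIO interception and execute disable) can be shown with the following added example; it is constructed for this page and is not code from any hypervisor. The bit positions of the qualification follow the Intel SDM table for EPT violations; the guest memory map is invented, and the page kinds and action names are hypothetical.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
/* EPT entry permission bits, and the exit qualification bits reported on an
 * EPT violation (Intel SDM, "Exit Qualification for EPT Violations"). */
#define EPT_R 0x1ULL
#define EPT_W 0x2ULL
#define EPT_X 0x4ULL
#define EQ_READ      (1u << 0)   /* access was a data read */
#define EQ_WRITE     (1u << 1)   /* access was a data write */
#define EQ_FETCH     (1u << 2)   /* access was an instruction fetch */
#define EQ_GPA_R     (1u << 3)   /* the GPA's translation was readable */
#define EQ_GPA_W     (1u << 4)   /* ... writable */
#define EQ_GPA_X     (1u << 5)   /* ... executable */
#define EQ_GLA_VALID (1u << 7)   /* guest linear address field is valid */
enum access { ACC_READ, ACC_WRITE, ACC_FETCH };

/* CPU side: the guest's own tables already permitted the access; EPT is checked
 * independently. Returns 0 (no exit) or the exit qualification of the violation. */
uint32_t ept_check(uint64_t epte, enum access a, bool has_gla) {
    uint32_t q = (epte & EPT_R ? EQ_GPA_R : 0) | (epte & EPT_W ? EQ_GPA_W : 0) |
                 (epte & EPT_X ? EQ_GPA_X : 0);
    uint64_t need = a == ACC_READ ? EPT_R : a == ACC_WRITE ? EPT_W : EPT_X;
    if (epte & need) return 0;
    q |= a == ACC_READ ? EQ_READ : a == ACC_WRITE ? EQ_WRITE : EQ_FETCH;
    return q | (has_gla ? EQ_GLA_VALID : 0);
}

/* Hypothetical hypervisor bookkeeping: what each guest page is for. */
enum kind { KIND_RAM, KIND_MMIO, KIND_TRACKED, KIND_DATA_NX };
enum action { ACT_NONE, ACT_MAP_PAGE, ACT_EMULATE_MMIO, ACT_TRAP_WRITE, ACT_BLOCK_EXEC };
struct region { uint64_t gpa_page; enum kind kind; };
/* Constructed map; 0xfee00000 is the local APIC's default MMIO base. */
static const struct region regions[] = {
    { 0xfee00, KIND_MMIO }, { 0x20, KIND_TRACKED }, { 0x30, KIND_DATA_NX } };
static enum kind lookup(uint64_t gpa) {
    for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++)
        if (regions[i].gpa_page == gpa >> 12) return regions[i].kind;
    return KIND_RAM;
}

/* Hypervisor side: decide from the qualification and its own map alone,
 * without reading the guest's paging structures. */
enum action handle_ept_violation(uint64_t gpa, uint32_t q) {
    bool mapped = q & (EQ_GPA_R | EQ_GPA_W | EQ_GPA_X);
    switch (lookup(gpa)) {
    case KIND_MMIO:    return ACT_EMULATE_MMIO;                          /* left unmapped on purpose */
    case KIND_TRACKED: return (q & EQ_WRITE) ? ACT_TRAP_WRITE : ACT_NONE; /* W cleared in EPT only */
    case KIND_DATA_NX: return (q & EQ_FETCH) ? ACT_BLOCK_EXEC : ACT_NONE; /* X cleared in EPT only */
    default:           return mapped ? ACT_NONE : ACT_MAP_PAGE;          /* lazily populate RAM */
    }
}
```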

Comparisons with EPT

  • EPT vs shadow page tables. EPT provides hardware two-level translation (GVA to GPA to HPA) without hypervisor intervention, whereas shadow tables require intercepting every guest page table modification to keep the maps synchronized. This dramatically reduces overhead under intensive memory workloads, increasing performance by up to 600 percent in certain MMU tests by eliminating the stalls caused by hypervisor exits.
  • EPT vs NPT or RVI. As conceptual analogs, Intel EPT and AMD NPT perform straightforward address translation but differ in microarchitectural details. Unlike EPT, which uses a standard walker, AMD NPT or RVI employs a rapid indexing mechanism to accelerate lookups and also more fully supports A and D bits in its structure, bringing it closer to native x86 tables.
  • EPT vs TPT. Unlike conventional EPT, the TPT architecture returns control of the translation structures directly to the guest OS. Whereas any TLB miss with EPT leads to an expensive 24-step hypervisor walk, TPT minimizes such delays and completely eliminates the cycle stealing characteristic of EPT when running applications with random memory access, guaranteeing native-level performance.
  • EPT vs large pages. EPT and huge pages both aim to reduce TLB misses but act differently. Even when using 1 GB pages, EPT does not eliminate the overhead of a nested walk of all levels, retaining a slowdown of about 4 percent. Software large page optimization reduces walk depth but cannot fully negate the hardware complexity of nested translation inherent to EPT.
  • EPT vs paravirtualized MMU. EPT relies on hardware support and requires synchronization through mmu notifiers when host memory is swapped. Paravirtualization, in contrast, requires modifying the guest OS to interact directly with the hypervisor via hypercalls, which reduces the number of VM exits without being tied to a processor version. The choice is between performance on unmodified guests (EPT) and the ability to run on older hardware without hardware extensions (PV).

OS and driver support

EPT support is implemented at the hypervisor level, not within the guest operating system, so the guest OS does not require any code changes to work with second-level address translation (SLAT). The hypervisor (VMM) is responsible for creating and managing the EPT structures and configuring the hardware EPTP register to activate translation from GPA to HPA. Virtual device drivers in the guest OS benefit implicitly from the performance gains because the processor performs the two-level address translation (GVA to GPA to HPA) in hardware on each memory access, without hypervisor calls. Operating systems such as Windows (starting with version 8 for Hyper-V) and Linux (with the KVM module) use EPT as a mandatory extension for running nested virtual machines and improving overall input output performance.

Security

EPT based security is implemented by setting access rights (read, write, execute) in EPT table entries, allowing the hypervisor to isolate the memory of virtual machines from one another at the hardware level. In trusted execution environments such as Intel TDX, security is enhanced by using separate EPTs for each protected domain, preventing data access from one virtual machine to another even if the guest OS is compromised. Additionally, the #VE mechanism, activated via EPT settings, allows access violation events to be redirected directly to a guest handler, avoiding resource-heavy VM exits and minimizing the attack surface on the VMM.

Logging

Logging using EPT is implemented through the hardware Page Modification Logging feature, which tracks changes in guest OS memory pages. The processor automatically writes guest physical addresses of modified pages into a dedicated 4 kilobyte PML buffer when the dirty bit in the EPT entry changes from 0 to 1, avoiding forced interception of every write operation. When the buffer fills (after 512 entries), a PML Full VM Exit event is generated, causing the hypervisor to flush the accumulated addresses to a log and empty the buffer, thereby tracking changed memory regions for live virtual machine migration or snapshot creation.
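The buffer mechanics described above (logging only on the 0 to 1 dirty-bit transition, a 512-entry buffer, a PML-full exit that drains it) are modelled in the following added example, which is a simplification written for this page and not KVM or hardware code. The dirty bit position (bit 9) and the index starting at 511 follow the Intel SDM; the 600-page workload, the vcpu structure and the dirty list are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Simplified PML model: the CPU logs a GPA only when the EPT dirty bit (bit 9)
 * goes 0 -> 1; the buffer fills from index 511 downward and a PML-full VM exit
 * fires when the next log would underflow the index. */
#define PML_ENTRIES 512
#define EPT_DIRTY   (1ULL << 9)
#define MAX_LOG     4096
struct vcpu {
    uint64_t pml[PML_ENTRIES];   /* 4 KiB PML buffer (PML address in the VMCS) */
    uint16_t pml_index;          /* PML index in the VMCS, starts at 511 */
    uint64_t log[MAX_LOG];       /* hypervisor's accumulated dirty list */
    size_t   log_len;
    int      full_exits;         /* PML-full VM exits taken so far */
};
void pml_init(struct vcpu *v) { memset(v, 0, sizeof *v); v->pml_index = PML_ENTRIES - 1; }

/* Hypervisor: drain the valid entries (pml_index+1 .. 511) and rearm the index. */
void pml_flush(struct vcpu *v) {
    int first = v->pml_index == 0xffff ? 0 : v->pml_index + 1;
    for (int i = first; i < PML_ENTRIES; i++)
        if (v->log_len < MAX_LOG) v->log[v->log_len++] = v->pml[i];
    v->pml_index = PML_ENTRIES - 1;
}

/* CPU: a guest write hits the page mapped by *epte at guest physical address gpa. */
void guest_write(struct vcpu *v, uint64_t *epte, uint64_t gpa) {
    if (*epte & EPT_DIRTY) return;               /* already dirty: nothing is logged */
    if (v->pml_index > PML_ENTRIES - 1) {        /* index underflowed: PML-full exit */
        v->full_exits++;
        pml_flush(v);                            /* exit handler drains and rearms */
    }
    *epte |= EPT_DIRTY;
    v->pml[v->pml_index--] = gpa & ~0xfffULL;    /* the 0 -> 1 transition is logged */
}

/* Hypervisor: end of a migration round. Drain the buffer, then clear the D bits
 * so the next round logs only pages written again. Returns pages logged so far. */
size_t pml_round_end(struct vcpu *v, uint64_t *ept, size_t n) {
    pml_flush(v);
    for (size_t i = 0; i < n; i++) ept[i] &= ~EPT_DIRTY;
    return v->log_len;
}

/* Constructed workload: 600 distinct pages written once, then page 0 written again. */
#define NPAGES 600
static uint64_t ept[NPAGES];                     /* one EPT entry per guest page */
static struct vcpu cpu0;
size_t demo(void) {
    pml_init(&cpu0);
    for (size_t i = 0; i < NPAGES; i++) guest_write(&cpu0, &ept[i], i << 12);
    guest_write(&cpu0, &ept[0], 0);              /* already dirty: not logged again */
    return pml_round_end(&cpu0, ept, NPAGES);    /* 600 pages logged after 1 full exit */
}
```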

Limitations

EPT limitations are related to increased latencies on TLB misses, because when a translation is not present in the cache, the processor must perform a multi level walk of both page tables (guest and EPT) involving up to 24 sequential memory accesses. Hardware limits on EPT entry size (for example, 48 bit addressing in early Intel versions) restricted the maximum host physical memory, though modern Skylake and newer processors support 5 level EPT, removing this limitation and extending the address space to 57 bits. Additionally, using PML for logging does not work selectively for individual memory ranges but operates on the entire EPT table, requiring software filtering of logged addresses for partial tracking.

History and development

EPT development began with the introduction of hardware memory virtualization in Intel Nehalem architecture processors (2008) as a response to the high overhead of software shadow page table techniques. A key evolutionary step was the introduction in Haswell architecture of optimized EPT Violation handling, which reduced latencies during context switches, along with the addition of PML for efficient logging. Further development is associated with the emergence of Intel TDX technology, where the concept of Secure EPT allows the hypervisor to manage memory allocation for isolated environments while the processor hardware itself controls the integrity of EPT structures, ensuring that malicious code cannot reassign physical pages.