Intel HLAT (Hypervisor-managed Linear Address Translation)

转载自：[Intel VT-rp - Part 1. remapping attack and HLAT

Satoshi’s notes](https://tandasat.github.io/blog/2023/07/05/intel-vt-rp-part-1.html)

Hypervisor-managed linear address translation.

Intel VT-rp (Redirect Protection) was introduced with the 12th generation and consists of three features:

HLAT: Hypervisor-managed linear address translation
PW: Paging-write
GPV: Guest-paging verification

In short, when HLAT is enabled, LA -> GPA translation may be done based on the hypervisor-managed paging structures as depicted below.

Normally, when LA -> GPA translation is needed, the processor reads CR3 and walks through the paging structures managed by the guest OS.
On the other hand, when HLAT is enabled, the processor reads the HLATP (HLAT pointer) VMCS field and walks through another set of the paging structures managed by the hypervisor.

The below is a pseudo-code of how a processor translates LA -> GPA -> PA with and without HLAT.

# Translate LA to PA with EPT
def translate_la_during_vmx_non_root(la):
    gpa = translate_la(la)
    return translate_gpa(gpa)

# Translate LA to GPA
def translate_la(la):
    # (1) Determine if HLAT paging should occur
    if should_do_hlat_paging(la):
        # (2) If so, use paging structures through HLATP VMCS
        pml4 = hlatp_vmcs()
    else:
        pml4 = guest_cr3_vmcs()
    # (3) Walk paging structures as usual
    # ...

# Determine if HLAT paging should occur
def should_do_hlat_paging(la):
    return (
        hlat_enabled and
        is_in_range(la, hlat_prefix_size_vmcs())
    )

The layout of the hypervisor-managed paging structures and the process of HLAT paging is almost identical to the traditional paging structure and paging.

This makes the remapping attack no-op, because even if the guest-managed paging structures (or the guest CR3) is modified, those will not be used.