Minor clarification: it eliminates the chance of a #VE during the syscall gap
_if the VMM is benign_. If the VMM is malicious, it can unmap and remap the
syscall page to induce an EPT Violation #VE due to the page not being accepted.
This question?
Can the hypervisor cause an already-accepted secure-EPT page to transition to
the unaccepted state?
Yep. I wrote the above before following the link, I should have guessed which
question it was :-)
IIRC, the proposed middle ground was to add a TDCALL and/or TDPARAMS setting that
would allow the guest to opt out of EPT Violation #VE due to page not accepted,