It can shoot not only its foot, but anything the monitor's uid has access to. Host files, the host network, other guests belonging to the user, etc.
Yes, that's what I meant. It's obviously nicer if the guest can't do that,
but it's a tradeoff of the potential security impact against how hard
it is to implement hiding the addresses you don't want your guest to see.
To put it into other words, do you want the optimal performance, or the
optimal security?
It's worse than I thought: TLB entries generated by guest accesses are tagged with the guest virtual address, so if you remove a guest physical/host virtual page you need to invalidate the entire guest TLB.
Ok, so it's the HW's fault. They either copied badly or decided doing the
s390 approach was too expensive.