On 05/24/2018 08:26 AM, speck for Andi Kleen wrote:
> A sets the GPA 1 PA 2 PTE to PROT_NONE to bypass the EPT remapping
> and gets read access to the underlying physical page. Which
> in this case points to PA 2, so it can read process B's data,
> if it happened to be in L1.

So this is entirely about a 32-bit PAE guest being able to provide guest-process->guest-process isolation? This is the part I don't understand. Shouldn't the PROT_NONE mitigations have already been applied to the PTEs? That mitigation should keep them from being exploited to read other guest processes' data.