Hi I believe the change [1] vmm(4): wire faulted in pages, might have been a bit heavy handed a broken the use of VMM_IOC_MPROTECT_EPT ioctl.
[1] https://marc.info/?l=openbsd-cvs&m=161144130825752 please see the patch below which restores this functionality Cheers Adam diff 917cc7a95e2615798ffadc2455c3a44858a11e95 /home/adams/devl/openbsd/src blob - d2b4c387464638441fc98898e77dd01cb9bc3250 file + sys/arch/amd64/amd64/vmm.c --- sys/arch/amd64/amd64/vmm.c +++ sys/arch/amd64/amd64/vmm.c @@ -5509,8 +5509,19 @@ svm_handle_np_fault(struct vcpu *vcpu) int vmx_fault_page(struct vcpu *vcpu, paddr_t gpa) { - int ret; + int fault_type, ret; + fault_type = vmx_get_guest_faulttype(); + if (fault_type == -1) { + printf("%s: invalid fault type\n", __func__); + return (EINVAL); + } + + if (fault_type == VM_FAULT_PROTECT) { + vcpu->vc_exit.vee.vee_fault_type = VEE_FAULT_PROTECT; + return (EAGAIN); + } + ret = uvm_fault(vcpu->vc_parent->vm_map, gpa, VM_FAULT_WIRE, PROT_READ | PROT_WRITE | PROT_EXEC);
