Page faults... the hypervisor encrypts/decrypts on demand. Much the same as virtual memory works (just that the plain-text data is only ever in the internal cache).
My point is that it is impossible to know where the next code chunk is if it is properly encrypted. How does the page fault handler know which block to decrypt next without first decrypting the whole code module, where a module is a closed piece of code without jumps outside?
In my opinion every scheme to enable that will cripple the encryption.
The code is decrypted into internal SRAM. Executed normally. Then an entirely normal page fault happens, at which point the hypervisor catches the trap, decrypts the data again into internal SRAM, maps it appropriately, and then allows the access to continue.
In my opinion every scheme to enable that will cripple the encryption.
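The demand-decryption flow discussed in this thread, as an added Python example that is not code from any poster: each page is encrypted independently with the page number as a tweak, so the fault handler needs only the faulting address to pick the page to decrypt. The SHA-256 counter keystream is a stand-in for a real address-tweaked cipher, and `EncryptedModule`, the key, the 4 KiB page size and the two-page SRAM are all assumptions made for illustration.

```python
import hashlib

PAGE = 4096  # assumed page size in bytes

def keystream(key: bytes, page_no: int, length: int) -> bytes:
    """Stand-in cipher: SHA-256 in counter mode, tweaked by the page number."""
    out, ctr = bytearray(), 0
    while len(out) < length:
        block = key + page_no.to_bytes(8, "little") + ctr.to_bytes(4, "little")
        out += hashlib.sha256(block).digest()
        ctr += 1
    return bytes(out[:length])

def crypt_page(key: bytes, page_no: int, data: bytes) -> bytes:
    """XOR with the per-page keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, page_no, len(data))))

class EncryptedModule:
    """Hypothetical model: ciphertext in external memory, plaintext only in SRAM."""

    def __init__(self, key: bytes, plaintext: bytes, sram_pages: int = 2):
        self.key = key
        n_pages = (len(plaintext) + PAGE - 1) // PAGE
        self.backing = [crypt_page(key, n, plaintext[n * PAGE:(n + 1) * PAGE])
                        for n in range(n_pages)]
        self.sram = {}            # page_no -> plaintext page (internal SRAM)
        self.sram_pages = sram_pages
        self.faults = []          # page numbers decrypted, in order

    def _page_fault(self, page_no: int) -> None:
        # The trap carries the faulting address; nothing else is needed.
        if len(self.sram) >= self.sram_pages:
            self.sram.pop(next(iter(self.sram)))   # evict the oldest mapping
        self.sram[page_no] = crypt_page(self.key, page_no, self.backing[page_no])
        self.faults.append(page_no)

    def read(self, addr: int) -> int:
        page_no, offset = divmod(addr, PAGE)
        if page_no not in self.sram:
            self._page_fault(page_no)
        return self.sram[page_no][offset]

def demo():
    code = bytes((i * 7 + 3) % 256 for i in range(4 * PAGE))  # constructed image
    mod = EncryptedModule(b"constructed-demo-key", code)
    addrs = (3 * PAGE + 5, 10, 3 * PAGE + 6, 2 * PAGE)         # non-sequential jumps
    return mod, code, addrs, [mod.read(a) for a in addrs]
```

Page 1 is never touched by the access pattern in `demo()`, so it is never decrypted; only the ciphertext of that page exists outside the key holder.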