Correction (self-reply): Switching to 32-bit mode won't work - or could be easily prevented at any rate: you can't switch directly to real 32-bit mode ("legacy mode"), only to "compatibility mode" where the page table format stays the same, and task switching isn't supported. Switching to legacy mode requires a wrmsr, which is blocked. Even if there was a benefit to going into compatibility mode with kernel privileges, once there you're limited to the bottom 4GB of the address space, which would normally be reserved for user mode, and since SMEP is forced on you can't execute user pages in kernel mode. So the inner kernel just needs to prevent any executable kernel pages from being mapped below 4GB.
Told you I wasn't an x86 expert. But the other points stand.
...though in the current implementation the inner kernel doesn't block the relevant MSR write, so it may be possible anyway, although the manual says you're supposed to disable paging first, which is blocked. In any case, this, along with the hardware VM thing (since VMX can be disabled in cr4), would be easy to fix. I'm not so sure about the interrupt approach.
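The invariant the comment ends on (no executable kernel pages mapped below 4GB) can be checked with a page-table walk. The following is an added example, not part of the original comment and not the inner kernel's code. It assumes 4-level paging with EFER.NXE set, and `phys`, `frame`, `walk` and `kernel_exec_below_4g` are hypothetical names operating on constructed, simulated page-table frames.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PTE_P     (1ULL << 0)   /* present */
#define PTE_US    (1ULL << 2)   /* user-accessible */
#define PTE_PS    (1ULL << 7)   /* large page (PDPT/PD levels only) */
#define PTE_NX    (1ULL << 63)  /* no-execute */
#define ADDR_MASK 0x000FFFFFFFFFF000ULL

static uint64_t phys[8][512];   /* simulated memory: frame i lives at i * 4096 */
static const uint64_t *frame(uint64_t e) { return phys[(e & ADDR_MASK) >> 12]; }

/* Count supervisor-executable leaf mappings in the first n entries of tbl.
   level: 3 = PDPT, 2 = PD, 1 = PT. user/nx carry the upper levels' bits. */
static size_t walk(const uint64_t *tbl, int level, size_t n, int user, int nx)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t e = tbl[i];
        if (!(e & PTE_P)) continue;
        int u = user && (e & PTE_US) != 0;  /* user only if U/S set at every level */
        int x = nx || (e & PTE_NX) != 0;    /* non-executable if NX set at any level */
        if (level == 1 || (e & PTE_PS))
            bad += (!u && !x);              /* leaf: kernel-only and executable */
        else
            bad += walk(frame(e), level - 1, 512, u, x);
    }
    return bad;
}

/* PML4 slot 0 covers 0..512GB; its first four PDPT entries cover 0..4GB. */
size_t kernel_exec_below_4g(const uint64_t *pml4)
{
    uint64_t e = pml4[0];
    if (!(e & PTE_P)) return 0;
    return walk(frame(e), 3, 4, (e & PTE_US) != 0, (e & PTE_NX) != 0);
}

int main(void)
{
    /* Constructed sample: one supervisor, executable 2MB page at VA 0. */
    phys[0][0] = (1ULL << 12) | PTE_P;
    phys[1][0] = (2ULL << 12) | PTE_P;
    phys[2][0] = PTE_P | PTE_PS;
    printf("violations below 4GB: %zu\n", kernel_exec_below_4g(phys[0]));
    return 0;
}
```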