Root-trusted guest memory page management is described. A root-trusted guest is loaded by a hardware platform and authenticated. The root-trusted guest is configured to manage memory operations of different guests via special privileges that permit the root-trusted guest to execute memory operations using a guest's private memory page. To do so, a guest page table includes a novel “T-bit” in each entry, which indicates whether the root-trusted guest or a different guest owns the associated memory page. Each entry in the guest page table for the root-trusted guest additionally includes a “C-bit” that indicates whether the corresponding memory page is a protected page. Combined C-bit and T-bit values for a page table entry dictate whether operations performed as part of handling a guest's memory request are offloaded from the hardware platform to the root-trusted guest.