Thanks for your comment.
To solve the security problem about the URET instruction, we further add a field, called HUR, in hstatus to control the behavior of URET instruction. When the hstatus.HUR=1, the privilege mode can switch back to VS-mode/VU-mode by executing the URET instruction. Otherwise, the execution of URET instruction causes an illegal instruction trap. The idea is similar to the field hstatus.HU.
The hstatus.HUR is set by the hypervisor only when the vCPU is loaded, and it is cleared only when the vCPU is put. In this case, the vCPU is regarded as a trusted task. So, untrusted user-level tasks can not switch to VS-mode/VU-mode by the URET instruction.