From: Sean Christopherson <seanjc@google.com>
To: "Melody (Huibo) Wang" <huibo.wang@amd.com>
Cc: "kvm@vger.kernel.org" <kvm@vger.kernel.org>,
"pbonzini@redhat.com" <pbonzini@redhat.com>,
"svsm-devel@coconut-svsm.dev" <svsm-devel@coconut-svsm.dev>,
Jon Lange <jlange@microsoft.com>,
Thomas Lendacky <Thomas.Lendacky@amd.com>,
David Kaplan <David.Kaplan@amd.com>,
Joerg Roedel <jroedel@suse.de>
Subject: Re: RESEND: SEV-SNP Alternate Injection
Date: Thu, 27 Mar 2025 07:20:58 -0700
Message-ID: <Z-Veys6h0OSx4L_e@google.com>
In-Reply-To: <4732241e-b706-481b-a73a-01ef77622d8a@amd.com>

On Wed, Mar 26, 2025, Melody (Huibo) Wang wrote:
> Hi,
>
> I am currently enabling Alternate Injection for SEV-SNP guests and have
> encountered a design issue.
>
> The Alternate Injection specification, which is a preliminary spec, supports
> only the SVSM APIC protocol through a subset of X2APIC MSRs. Timer support is
> configurable. If timer functionality is not supported, the guest must rely on
> the hypervisor to emulate timer support through use of the #HV Timer GHCB
> protocol.
>
> When the OVMF firmware starts, it is in XAPIC mode by default and then, later
> during the init phase it switches the guest to X2APIC. However, with
> Alternate Injection enabled, the OVMF in its very first phase - SEC - does
> XAPIC accesses. The SVSM uses a so-called SVSM APIC protocol which uses a
> subset of the X2APIC MSRs.
>
> The OVMF, however, thinks it starts off in XAPIC memory-mapped mode. There's
> a protocol mismatch of sorts. With Alternate Injection enabled in the SEC
> phase, it requires X2APIC. The registers (timer registers) not handled by
> SVSM will get routed to KVM, which at that point is operating the guest in
> XAPIC mode until the PEI phase switches to X2APIC.
>
> One potential solution is to have KVM enable X2APIC as soon as Alternate
> Injection is activated. While we could start X2APIC during the creation of
> the vCPU, APM Volume 2, Figure 16-32 states that we must transition from
> XAPIC mode to X2APIC mode first.
>
> More specifically:
>
> “If the feature is present, the local APIC is placed into x2APIC mode by
> setting bit 10 in the Local APIC Base register (MSR 01Bh). Before entering
> x2APIC mode, the local APIC must first be enabled (AE=1, EXTD=0).”
>
> Therefore, I am uncertain if enabling X2APIC directly during vCPU creation is
> permissible.
>
> Do you have any suggestions for a better solution?

Fix OVMF.  Or change the AMD architectural specs.  Don't hack KVM.

>
> Please feel free to ask questions if some concepts are unclear and I'll
> gladly expand on them.
>
> Thanks,
> Melody
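
The ordering constraint quoted from the APM above, as an added example that is not part of either message and is not KVM, OVMF or SVSM code: a check of whether a write to the APIC Base register (MSR 01Bh) is a valid mode change. The function and enum names are hypothetical. Only the "enable xAPIC before x2APIC" rule comes from the quoted text; the reserved AE=0/EXTD=1 encoding and the x2APIC-to-xAPIC restriction are assumptions taken from the general x86 APIC mode state machine.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Mode bits of the APIC Base register (MSR 01Bh). */
#define APIC_BASE_EXTD (1ULL << 10) /* x2APIC mode enable */
#define APIC_BASE_AE   (1ULL << 11) /* APIC enable */

enum apic_mode { APIC_DISABLED, APIC_XAPIC, APIC_X2APIC, APIC_INVALID };

/* Decode the mode selected by the AE and EXTD bits. */
enum apic_mode apic_mode_of(uint64_t apic_base)
{
    bool ae = (apic_base & APIC_BASE_AE) != 0;
    bool extd = (apic_base & APIC_BASE_EXTD) != 0;

    if (!ae)
        return extd ? APIC_INVALID : APIC_DISABLED; /* AE=0, EXTD=1: reserved (assumption) */
    return extd ? APIC_X2APIC : APIC_XAPIC;
}

/* True if changing the register from old_base to new_base is a valid step. */
bool apic_base_write_ok(uint64_t old_base, uint64_t new_base)
{
    enum apic_mode from = apic_mode_of(old_base);
    enum apic_mode to = apic_mode_of(new_base);

    if (to == APIC_INVALID)
        return false;
    if (from == APIC_DISABLED && to == APIC_X2APIC)
        return false; /* quoted rule: must be AE=1, EXTD=0 first */
    if (from == APIC_X2APIC && to == APIC_XAPIC)
        return false; /* assumption: x2APIC can only be left by disabling */
    return true;
}

int main(void)
{
    uint64_t base = 0xFEE00000ULL; /* constructed sample: default APIC base address */

    printf("disabled -> x2APIC: %d\n",
           apic_base_write_ok(base, base | APIC_BASE_AE | APIC_BASE_EXTD));
    printf("xAPIC    -> x2APIC: %d\n",
           apic_base_write_ok(base | APIC_BASE_AE, base | APIC_BASE_AE | APIC_BASE_EXTD));
    return 0;
}
```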