Re: [PATCH v2] KVM: SVM: Inhibit AVIC on SNP-enabled system without HvInUseWrAllowed feature

[Sean Christopherson <seanjc@google.com>]

On Fri, Oct 18, 2024, Suravee Suthikulpanit wrote:
> On 10/18/2024 4:57 PM, Joao Martins wrote:
> > On 18/10/2024 09:50, Suravee Suthikulpanit wrote:
> > > On SNP-enabled system, VMRUN marks AVIC Backing Page as in-use while
> > > the guest is running for both secure and non-secure guest. Any hypervisor
> > > write to the in-use vCPU's AVIC backing page (e.g. to inject an interrupt)
> > > will generate unexpected #PF in the host.
> > > 
> > > Currently, attempt to run AVIC guest would result in the following error:
> > > 
> > >      BUG: unable to handle page fault for address: ff3a442e549cc270
> > >      #PF: supervisor write access in kernel mode
> > >      #PF: error_code(0x80000003) - RMP violation
> > >      PGD b6ee01067 P4D b6ee02067 PUD 10096d063 PMD 11c540063 PTE 80000001149cc163
> > >      SEV-SNP: PFN 0x1149cc unassigned, dumping non-zero entries in 2M PFN region: [0x114800 - 0x114a00]
> > >      ...
> > > 
> > > Newer AMD system is enhanced to allow hypervisor to modify the backing page
> > > for non-secure guest on SNP-enabled system. This enhancement is available
> > > when the CPUID Fn8000_001F_EAX bit 30 is set (HvInUseWrAllowed).
> > > 
> > > This table describes AVIC support matrix w.r.t. SNP enablement:
> > > 
> > >                 | Non-SNP system |     SNP system
> > > -----------------------------------------------------
> > >   Non-SNP guest |  AVIC Activate | AVIC Activate iff
> > >                 |                | HvInuseWrAllowed=1
> > > -----------------------------------------------------
> > >       SNP guest |      N/A       |    Secure AVIC
> > >                 |                |    x2APIC only
> > > 
> > > Introduce APICV_INHIBIT_REASON_HVINUSEWR_NOT_ALLOWED to deactivate AVIC

Please use human/reader friendly terms, that's a very convoluted way of saying:

	APICV_INHIBIT_REASON_IN_USE_AVIC_PAGE_READ_ONLY

> > > when the feature is not available on SNP-enabled system.
> > > 
> > I misread your first sentence in v1 wrt to non-secure guests -- but it's a lot
> > more obvious now. If this was sort of a dynamic condition at runtime (like the
> > other inhibits triggered by guest behavior or something that can change at
> > runtime post-boot, or modparam) then the inhibit system would be best acquainted
> > for preventing enabling AVIC on a per-vm basis. But it appears this is
> > global-defined-at-boot that blocks any non-secure guest from using AVIC if we
> > boot as an SNP-enabled host i.e. based on testing BSP-defined feature bits solely.
> > 
> > Your original proposal perhaps is better where you disable AVIC globally in
> > avic_hardware_setup(). Apologies for (mistankenly) misleading you and wasting
> > your time :/
> 
> Repost from v1 thread:
> 
> I was considering the APICV inhibit as well, and decided to go with
> disabling AVIC since it does not require additional APICV_INHIBIT_REASON_XXX
> flag, and we can simply disable AVIC support during kvm-amd driver
> initialization.
> 
> After rethink this, it is better to use per-VM APICv inhibition instead
> since certain AVIC data structures will be needed for secure AVIC support in
> the future.

I don't follow.  I agree with Joao, this seems like an all-or-nothing situation.
There's no point in an inhibit unless Secure AVIC CPUs will exist WITHOUT
HvInuseWrAllowed, but even then, to keep things simple(r), I'm tempted to make
SNP+AVIC require HvInuseWrAllowed