Re: [PATCH 11/15] KVM: x86: Add CONFIG_KVM_IOAPIC to allow disabling in-kernel I/O APIC

[Sean Christopherson <seanjc@google.com>]

On Thu, May 29, 2025, Kai Huang wrote:
> On Thu, 2025-05-29 at 07:31 -0700, Sean Christopherson wrote:
> > On Thu, May 29, 2025, Kai Huang wrote:
> > > On Thu, 2025-05-29 at 23:55 +1200, Kai Huang wrote:
> > > > On Mon, 2025-05-19 at 16:28 -0700, Sean Christopherson wrote:
> > > > > Add a Kconfig to allowing building KVM without support for emulating an
> > > > 		   ^
> > > > 		   allow
> > > > 
> > > > > I/O APIC, PIC, and PIT, which is desirable for deployments that effectively
> > > > > don't support a fully in-kernel IRQ chip, i.e. never expect any VMM to
> > > > > create an in-kernel I/O APIC.  
> > > > 
> > > > Do you happen to know what developments don't support a full in-kernel IRQ chip?
> > 
> > Google Cloud, for one.  I suspect/assume many/most CSPs don't utilize an in-kernel
> > I/O APIC.
> > 
> > > > Do they only support userspace IRQ chip, or not support any IRQ chip at all?
> > 
> > The former, only userspace I/O APIC (and associated devices), though some VM
> > shapes, e.g. TDX, don't provide an I/O APIC or PIC.
> 
> Thanks for the info.
> 
> Just wondering what's the benefit of using userspace IRQCHIP instead of
> emulating in the kernel?

Reduced kernel attack surface (this was especially true years ago, before KVM's
I/O APIC emulation was well-tested) and more flexibility (e.g. shipping userspace
changes is typically easier than shipping new kernels.  I'm pretty sure there's
one more big one that I'm blanking on at the moment.

> I thought one should either use in-kernel IRQCHIP or doesn't use any.
> 
> > 
> > > Forgot to ask:
> > > 
> > > Since this new Kconfig option is not only for IOAPIC but also includes PIC and
> > > PIT, is CONFIG_KVM_IRQCHIP a better name?
> > 
> > I much prefer IOAPIC, because IRQCHIP is far too ambiguous and confusing, e.g.
> > just look at KVM's internal APIs, where these:
> > 
> >   irqchip_in_kernel()
> >   irqchip_kernel()
> > 
> > are not equivalent.  In practice, no modern guest kernel is going to utilize the
> > PIC, and the PIT isn't an IRQ chip, i.e. isn't strictly covered by IRQCHIP either.
> 
> Right.
> 
> Maybe it is worth to further have dedicated Kconfig for PIC, PIT and IOAPIC?

Nah.  PIC and I/O APIC can't be split (without new uAPI and non-trivial complexity),
and I highly doubt there is any use case that would want an in-kernel I/O APIC
with a userspace PIT.  I.e. in practice, the threealmost always come as a group;
either a setup wants all, or a setup wants none.

> But hmm, I am not sure whether emulating IOAPIC has more value than PIC.

AIUI, it's not really an either or, since most software expects both an I/O APIC
and PIC.  Any remotely modern kernel will definitely prefer the I/O APIC, but I
don't think it's something that can be guaranteed.

> For modern guests all emulated/assigned devices should just use MSI/MSI-X?

Not all emulated devices, since some legacy hang off the I/O APIC, i.e. aren't
capable of generating MISs.

> > So I think/hope the vast majority of users/readers will be able to intuit that
> > CONFIG_KVM_IOAPIC also covers the PIC and PIT.
> 
> Sure.
> 
> Btw, I also find irqchip_in_kernel() and irqchip_kernel() confusing.  I am not
> sure the value of having irqchip_in_kernel() in fact.  The guest should always
> have an in-kernel APIC for modern guests.  I am wondering whether we can get rid
> of it completely (the logic will be it is always be true), or we can have a
> Kconfig to only build it when user truly wants it.

For better or worse, an in-kernel local APIC is still optional.  I do hope/want
to make it mandatory, but that's not a small ABI change.