public inbox for kvm@vger.kernel.org
From: Sean Christopherson <seanjc@google.com>
To: "Melody (Huibo) Wang" <huibo.wang@amd.com>
Cc: "kvm@vger.kernel.org" <kvm@vger.kernel.org>,
	"pbonzini@redhat.com" <pbonzini@redhat.com>,
	 "svsm-devel@coconut-svsm.dev" <svsm-devel@coconut-svsm.dev>,
	Jon Lange <jlange@microsoft.com>,
	 Thomas Lendacky <Thomas.Lendacky@amd.com>,
	David Kaplan <David.Kaplan@amd.com>,
	 Joerg Roedel <jroedel@suse.de>
Subject: Re: RESEND: SEV-SNP Alternate Injection
Date: Thu, 27 Mar 2025 07:20:58 -0700
Message-ID: <Z-Veys6h0OSx4L_e@google.com>
In-Reply-To: <4732241e-b706-481b-a73a-01ef77622d8a@amd.com>

On Wed, Mar 26, 2025, Melody (Huibo) Wang wrote:
> Hi,
> 
> I am currently enabling Alternate Injection for SEV-SNP guests and have
> encountered a design issue.
> 
> The Alternate Injection specification, which is a preliminary spec, supports
> only the SVSM APIC protocol through a subset of X2APIC MSRs. Timer support is
> configurable. If timer functionality is not supported, the guest must rely on
> the hypervisor to emulate timer support through use of the #HV Timer GHCB
> protocol.
> 
> When the OVMF firmware starts, it is in XAPIC mode by default and then, later
> during the init phase it switches the guest to X2APIC. However, with
> Alternate Injection enabled, the OVMF in its very first phase - SEC - does
> XAPIC accesses. The SVSM uses a so-called SVSM APIC protocol which uses a
> subset of the X2APIC MSRs.
> 
> The OVMF, however, thinks it starts off in XAPIC memory-mapped mode. There's
> a protocol mismatch of sorts. With Alternate Injection enabled in the SEC
> phase, it requires X2APIC. The registers (timer registers) not handled by
> SVSM will get routed to KVM, which at that point is operating the guest in
> XAPIC mode until the PEI phase switches to X2APIC.
> 
> One potential solution is to have KVM enable X2APIC as soon as Alternate
> Injection is activated. While we could start X2APIC during the creation of
> the vCPU, APM Volume 2, Figure 16-32 states that we must transition from
> XAPIC mode to X2APIC mode first.
> 
> More specifically:
> 
> “If the feature is present, the local APIC is placed into x2APIC mode by
> setting bit 10 in the Local APIC Base register (MSR 01Bh). Before entering
> x2APIC mode, the local APIC must first be enabled (AE=1, EXTD=0).”
> 
> Therefore, I am uncertain if enabling X2APIC directly during vCPU creation is
> permissible.
> 
> Do you have any suggestions for a better solution?

Fix OVMF.  Or change the AMD architectural specs.  Don't hack KVM.

> 
> Please feel free to ask questions if some concepts are unclear and I'll
> gladly expand on them.
> 
> Thanks,
> Melody
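
The APM ordering rule quoted in the thread (enable the local APIC with AE=1, EXTD=0 before setting EXTD) can be modelled as a small transition check over APIC Base register values. This is an added example, not code from KVM, OVMF or the SVSM; the function names and the two sample write sequences are hypothetical, AE at bit 11 is the architectural enable bit (the message itself only names bit 10), and the rejected x2APIC-to-xAPIC step comes from the architectural mode state machine rather than from the thread.

```c
#include <stdint.h>
#include <stdio.h>

/* APIC Base register (MSR 01Bh) mode bits. EXTD (bit 10) is named in the
 * quoted APM text; AE (bit 11) is the architectural enable bit. */
#define APIC_EXTD (1ull << 10)
#define APIC_AE   (1ull << 11)

enum apic_mode { APIC_DISABLED, APIC_XAPIC, APIC_X2APIC, APIC_INVALID };

/* Decode the (AE, EXTD) pair; AE=0 with EXTD=1 is not a legal encoding. */
enum apic_mode apic_mode_of(uint64_t base)
{
    int ae = !!(base & APIC_AE), extd = !!(base & APIC_EXTD);
    if (!ae)
        return extd ? APIC_INVALID : APIC_DISABLED;
    return extd ? APIC_X2APIC : APIC_XAPIC;
}

/* Return 1 if replacing old_base with new_base is a legal mode change. */
int apic_transition_ok(uint64_t old_base, uint64_t new_base)
{
    enum apic_mode from = apic_mode_of(old_base), to = apic_mode_of(new_base);
    if (from == APIC_INVALID || to == APIC_INVALID)
        return 0;
    if (from == APIC_DISABLED && to == APIC_X2APIC)
        return 0;   /* must be enabled in xAPIC mode (AE=1, EXTD=0) first */
    if (from == APIC_X2APIC && to == APIC_XAPIC)
        return 0;   /* leaving x2APIC requires disabling the APIC first */
    return 1;
}

/* Walk a sequence of APIC Base writes; return the index of the first
 * illegal one, or -1 if the whole sequence is legal. */
int first_illegal_write(uint64_t start, const uint64_t *writes, int n)
{
    for (int i = 0; i < n; i++) {
        if (!apic_transition_ok(start, writes[i]))
            return i;
        start = writes[i];
    }
    return -1;
}

/* Constructed sequences: straight to x2APIC vs. staged through xAPIC. */
static const uint64_t SEQ_DIRECT[] = { APIC_AE | APIC_EXTD };
static const uint64_t SEQ_STAGED[] = { APIC_AE, APIC_AE | APIC_EXTD };

int main(void)
{
    printf("direct: %d\n", first_illegal_write(0, SEQ_DIRECT, 1));
    printf("staged: %d\n", first_illegal_write(0, SEQ_STAGED, 2));
    return 0;
}
```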
