[PATCH v9 09/18] x86/sev: Initialize VGIF for secondary VCPUs for Secure AVIC

Neeraj Upadhyay posted 18 patches 1 month, 3 weeks ago
There is a newer version of this series
[PATCH v9 09/18] x86/sev: Initialize VGIF for secondary VCPUs for Secure AVIC
Posted by Neeraj Upadhyay 1 month, 3 weeks ago
From: Kishon Vijay Abraham I <kvijayab@amd.com>

Secure AVIC requires VGIF to be configured in VMSA. Configure
for secondary CPUs (the configuration for boot CPU is done by
the hypervisor).

Signed-off-by: Kishon Vijay Abraham I <kvijayab@amd.com>
Reviewed-by: Tianyu Lan <tiala@microsoft.com>
Signed-off-by: Neeraj Upadhyay <Neeraj.Upadhyay@amd.com>
---
Changes since v8:
 - Added Tianyu's Reviewed-by.

 arch/x86/coco/sev/core.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/arch/x86/coco/sev/core.c b/arch/x86/coco/sev/core.c
index 3f64ed6bd1e6..e341d6239326 100644
--- a/arch/x86/coco/sev/core.c
+++ b/arch/x86/coco/sev/core.c
@@ -951,6 +951,9 @@ static int wakeup_cpu_via_vmgexit(u32 apic_id, unsigned long start_ip, unsigned
 	vmsa->x87_ftw		= AP_INIT_X87_FTW_DEFAULT;
 	vmsa->x87_fcw		= AP_INIT_X87_FCW_DEFAULT;
 
+	if (cc_platform_has(CC_ATTR_SNP_SECURE_AVIC))
+		vmsa->vintr_ctrl	|= V_GIF_MASK;
+
 	/* SVME must be set. */
 	vmsa->efer		= EFER_SVME;
 
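Review bot: the added V_GIF_MASK assignment under cc_platform_has(CC_ATTR_SNP_SECURE_AVIC) has no comment, while the EFER assignment directly below it is annotated with "SVME must be set."; a short comment above the if, stating that Secure AVIC requires VGIF to be configured in the VMSA and that this path covers secondary CPUs only (the boot CPU's VMSA being set up by the hypervisor, per the commit message), would make the reason visible in core.c itself. The commit message would also benefit from one sentence saying what VGIF is and what setting the bit does for the AP, since "Configure for secondary CPUs" leaves the object of the sentence implicit.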
-- 
2.34.1
Re: [PATCH v9 09/18] x86/sev: Initialize VGIF for secondary VCPUs for Secure AVIC
Posted by Borislav Petkov 1 month, 1 week ago
On Mon, Aug 11, 2025 at 03:14:35PM +0530, Neeraj Upadhyay wrote:
> Subject: Re: [PATCH v9 09/18] x86/sev: Initialize VGIF for secondary VCPUs for Secure AVIC

"vCPU"

> From: Kishon Vijay Abraham I <kvijayab@amd.com>
> 
> Secure AVIC requires VGIF to be configured in VMSA. Configure

Please explain in one sentence here for the unenlightened among us what VGIF
is.

Also, I can't find anywhere in the APM the requirement that SAVIC requires
VGIF. Do we need to document it?

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette
Re: [PATCH v9 09/18] x86/sev: Initialize VGIF for secondary VCPUs for Secure AVIC
Posted by Upadhyay, Neeraj 1 month, 1 week ago

On 8/22/2025 10:58 PM, Borislav Petkov wrote:
> On Mon, Aug 11, 2025 at 03:14:35PM +0530, Neeraj Upadhyay wrote:
>> Subject: Re: [PATCH v9 09/18] x86/sev: Initialize VGIF for secondary VCPUs for Secure AVIC
> 
> "vCPU"
> 

Ok

>> From: Kishon Vijay Abraham I <kvijayab@amd.com>
>>
>> Secure AVIC requires VGIF to be configured in VMSA. Configure
> 
> Please explain in one sentence here for the unenlightened among us what VGIF
> is.
> 

Ok. Below is the updated description:

Virtual GIF (VGIF) provides masking capability for when virtual 
interrupts (virtual maskable interrupts, virtual NMIs) can be taken by 
the guest vCPU. Secure AVIC hardware reads VGIF state from the vCPU's 
VMSA. So, set VGIF for secondary CPUs (the configuration for boot CPU is 
done by the hypervisor), to unmask delivery of virtual interrupts to 
the vCPU.

> Also, I can't find anywhere in the APM the requirement that SAVIC requires
> VGIF. Do we need to document it?
> 

I also don't see an explicit mention. I will check on documenting it in 
the APM. However, there are references to virtual interrupts (V_NMI, 
V_INTR) (which require VGIF support) and VGIF in terms of functional 
usage in the below sections of volume 2. In addition, as event injection is 
not supported (EventInjCtlr field in the VMCB is ignored), virtual NMI 
is required for NMI injection from host to guest.

"15.36.21.2 VMRUN and #VMEXIT

...

The interrupt control information loaded from the VMCB and VMSA for 
Secure AVIC mode operation is the same as the information loaded in 
Alternate Injection mode. "

Alternate injection section talks about the interrupt controls:

"15.36.16 Interrupt Injection Restrictions

When Alternate Injection is enabled, the EventInjCtlr field in the VMCB 
(offset A8h) is ignored on VMRUN. The VIntrCtrl field in the VMCB 
(offset 60h) is processed, but only the V_INTR_MASKING, Virtual GIF 
Mode, and AVIC Enable bits are used.

...

The remaining fields of VIntrCtrl (V_TPR, V_IRQ, VGIF, V_INTR_PRIO, 
V_IGN_TPR, V_INTR_VECTOR, V_NMI, V_NMI_MASK, V_NMI_EN) are read from the 
VMSA."


- Neeraj
Re: [PATCH v9 09/18] x86/sev: Initialize VGIF for secondary VCPUs for Secure AVIC
Posted by Borislav Petkov 1 month, 1 week ago
On Mon, Aug 25, 2025 at 11:55:44AM +0530, Upadhyay, Neeraj wrote:
> Ok. Below is the updated description:
> 
> Virtual GIF (VGIF) provides masking capability for when virtual interrupts
> (virtual maskable interrupts, virtual NMIs) can be taken by the guest vCPU.
> Secure AVIC hardware reads VGIF state from the vCPU's VMSA. So, set VGIF for
> secondary CPUs (the configuration for boot CPU is done by the hypervisor),
> to unmask delivery of virtual interrupts to the vCPU.

Yap.

> I also don't see an explicit mention. I will check on documenting it in the
> APM. However, there are references to virtual interrupts (V_NMI, V_INTR)
> (which require VGIF support)

Oh, I don't doubt that SAVIC requires VGIF - I just spotted a documentation
hole here so let's start the process of documenting this internally.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette