[RFC PATCH v2 16/17] KVM: x86/cpuid: Disable paravirt APIC features for protected APIC

Neeraj Upadhyay posted 17 patches 1 week, 1 day ago
Posted by Neeraj Upadhyay 1 week, 1 day ago
The paravirtualized APIC features, PV_EOI and PV_SEND_IPI, are
predicated on KVM having full visibility and control over the guest's
vAPIC state. This assumption is invalid for guests with a protected APIC
(e.g., AMD SEV-SNP with Secure AVIC, Intel TDX), where the APIC state is
opaque to the hypervisor and managed by the hardware.

- PV_EOI: KVM cannot service a PV_EOI MSR write because it has no
  access to the guest's true In-Service Register (ISR). For these
  guests, EOIs are either accelerated by hardware or virtualized via
  a different, technology-specific VM-Exit, not the PV MSR.

- PV_SEND_IPI: Protected guest models have their own specific IPI
  virtualization flows (e.g., VMGEXIT on ICR write for Secure AVIC).
  Exposing the generic PV_SEND_IPI hypercall would provide a
  conflicting, incorrect path that bypasses the required secure flow.

To prevent the guest from using these incompatible interfaces, clear
the KVM_FEATURE_PV_EOI and KVM_FEATURE_PV_SEND_IPI PV feature CPUID
bits for guests with a protected APIC.

Signed-off-by: Neeraj Upadhyay <Neeraj.Upadhyay@amd.com>
---
 arch/x86/kvm/cpuid.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
index e2836a255b16..01b3c4e88282 100644
--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -245,6 +245,10 @@ static u32 kvm_apply_cpuid_pv_features_quirk(struct kvm_vcpu *vcpu)
 	if (kvm_hlt_in_guest(vcpu->kvm))
 		best->eax &= ~(1 << KVM_FEATURE_PV_UNHALT);
 
+	if (vcpu->arch.apic->guest_apic_protected)
+		best->eax &= ~((1 << KVM_FEATURE_PV_EOI) |
+			       (1 << KVM_FEATURE_PV_SEND_IPI));
+
 	return best->eax;
 }
 
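Review bot: the new check dereferences `vcpu->arch.apic->guest_apic_protected` without first confirming that an in-kernel LAPIC exists, whereas `vcpu->arch.apic` is NULL for VMs whose APIC is emulated in userspace (no in-kernel irqchip), so this path can fault for such guests. Guard the dereference, e.g. `if (lapic_in_kernel(vcpu) && vcpu->arch.apic->guest_apic_protected)`, or wrap it in a small helper alongside the existing `kvm_hlt_in_guest()` style check so the NULL handling lives in one place. The `guest_apic_protected` field itself is not introduced in this hunk, so the commit message should say which earlier patch in the series adds it and under what conditions it is set.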
-- 
2.34.1