[PATCH 1/2] KVM: SEV: Don't set CR8 write intercept when disabling AVIC for SEV-ES guests

Sean Christopherson posted 2 patches 4 weeks ago
[PATCH 1/2] KVM: SEV: Don't set CR8 write intercept when disabling AVIC for SEV-ES guests
Posted by Sean Christopherson 4 weeks ago
Don't set the CR8 write intercept when disabling AVIC for SEV-ES vCPUs, as
attempting to intercept CR8 will generate a #VC and in all likelihood kill
the VM.

Note!  At first glance, one might think KVM's handling of CR8 write traps
for SEV-ES is flawed, as KVM traps CR8 writes even when AVIC is enabled,
despite the fact that hardware updates the AVIC backing page as well.  But
KVM unconditionally inhibits AVIC for SEV-ES guests as current hardware
apparently can't support it (see c538dc792ff7 ("KVM: SVM: Do not activate
AVIC for SEV-enabled guest")).

However, KVM's overall handling of CR8 _is_ broken, as sync_cr8_to_lapic()
will clobber with stale information from the unencrypted VMCB.  That issue
will be fixed separately.

Reported-by: Srikanth Aithal <sraithal@amd.com>
Closes: https://lore.kernel.org/all/19935696-36cf-411b-af90-aabe6a98d7e7@amd.com
Fixes: e992bf67bcba ("KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated")
Cc: stable@vger.kernel.org
Acked-by: Naveen N Rao (AMD) <naveen@kernel.org>
Signed-off-by: Sean Christopherson <seanjc@google.com>
---
 arch/x86/kvm/svm/avic.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kvm/svm/avic.c b/arch/x86/kvm/svm/avic.c
index 13a4a8949aba..f7ec7914e3c4 100644
--- a/arch/x86/kvm/svm/avic.c
+++ b/arch/x86/kvm/svm/avic.c
@@ -226,7 +226,8 @@ static void avic_deactivate_vmcb(struct vcpu_svm *svm)
 	vmcb->control.int_ctl &= ~(AVIC_ENABLE_MASK | X2APIC_MODE_MASK);
 	vmcb->control.avic_physical_id &= ~AVIC_PHYSICAL_MAX_INDEX_MASK;
 
-	svm_set_intercept(svm, INTERCEPT_CR8_WRITE);
+	if (!sev_es_guest(svm->vcpu.kvm))
+		svm_set_intercept(svm, INTERCEPT_CR8_WRITE);
 
 	/*
 	 * If running nested and the guest uses its own MSR bitmap, there
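Review bot: the condition at `if (!sev_es_guest(svm->vcpu.kvm))` carries no explanation in the code itself; the reason (setting the CR8 write intercept on an SEV-ES vCPU raises a #VC, and KVM already traps CR8 writes for SEV-ES so no visibility is lost) lives only in the commit message, and avic_deactivate_vmcb() is the path every SEV-ES vCPU takes since AVIC is always inhibited for them. Suggest a short comment above the check, e.g. "/* Intercepting CR8 writes triggers #VC on SEV-ES; CR8 writes are already trapped for SEV-ES guests. */", so the next person touching this function does not "simplify" it back to the unconditional svm_set_intercept().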
-- 
2.53.0.473.g4a7958ca14-goog
Re: [PATCH 1/2] KVM: SEV: Don't set CR8 write intercept when disabling AVIC for SEV-ES guests
Posted by Aithal, Srikanth 3 weeks, 6 days ago
On 3/11/2026 2:48 AM, Sean Christopherson wrote:
> Don't set the CR8 write intercept when disabling AVIC for SEV-ES vCPUs, as
> attempting to intercept CR8 will generate a #VC and in all likelihood kill
> the VM.
> 
> Note!  At first glance, one might think KVM's handling of CR8 write traps
> for SEV-ES is flawed, as KVM traps CR8 writes even when AVIC is enabled,
> despite the fact that hardware updates the AVIC backing page as well.  But
> KVM unconditionally inhibits AVIC for SEV-ES guests as current hardware
> apparently can't support it (see c538dc792ff7 ("KVM: SVM: Do not activate
> AVIC for SEV-enabled guest")).
> 
> However, KVM's overall handling of CR8 _is_ broken, as sync_cr8_to_lapic()
> will clobber with stale information from the unencrypted VMCB.  That issue
> will be fixed separately.
> 
> Reported-by: Srikanth Aithal <sraithal@amd.com>
> Closes: https://lore.kernel.org/all/19935696-36cf-411b-af90-aabe6a98d7e7@amd.com
> Fixes: e992bf67bcba ("KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated")
> Cc: stable@vger.kernel.org
> Acked-by: Naveen N Rao (AMD) <naveen@kernel.org>
> Signed-off-by: Sean Christopherson <seanjc@google.com>
> ---
>   arch/x86/kvm/svm/avic.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/x86/kvm/svm/avic.c b/arch/x86/kvm/svm/avic.c
> index 13a4a8949aba..f7ec7914e3c4 100644
> --- a/arch/x86/kvm/svm/avic.c
> +++ b/arch/x86/kvm/svm/avic.c
> @@ -226,7 +226,8 @@ static void avic_deactivate_vmcb(struct vcpu_svm *svm)
>   	vmcb->control.int_ctl &= ~(AVIC_ENABLE_MASK | X2APIC_MODE_MASK);
>   	vmcb->control.avic_physical_id &= ~AVIC_PHYSICAL_MAX_INDEX_MASK;
>   
> -	svm_set_intercept(svm, INTERCEPT_CR8_WRITE);
> +	if (!sev_es_guest(svm->vcpu.kvm))
> +		svm_set_intercept(svm, INTERCEPT_CR8_WRITE);
>   
>   	/*
>   	 * If running nested and the guest uses its own MSR bitmap, there

This fixes the SEV-ES boot issue. Thank you.
Tested-by: Srikanth Aithal <sraithal@amd.com>