On Wed, Mar 26, 2025, Melody (Huibo) Wang wrote:
> Hi,
>
> I am currently enabling Alternate Injection for SEV-SNP guests and have
> encountered a design issue.
>
> The Alternate Injection specification, which is a preliminary spec, supports
> only the SVSM APIC protocol through a subset of X2APIC MSRs. Timer support is
> configurable. If timer functionality is not supported, the guest must rely on
> the hypervisor to emulate timer support through use of the #HV Timer GHCB
> protocol.
>
> When the OVMF firmware starts, it is in XAPIC mode by default and then, later
> during the init phase, it switches the guest to X2APIC. However, with
> Alternate Injection enabled, the OVMF in its very first phase - SEC - does
> XAPIC accesses. The SVSM uses a so-called SVSM APIC protocol which uses a
> subset of the X2APIC MSRs.
>
> The OVMF, however, thinks it starts off in XAPIC memory-mapped mode. There's
> a protocol mismatch of sorts. With Alternate Injection enabled in the SEC
> phase, it requires X2APIC. The registers (timer registers) not handled by
> SVSM will get routed to KVM, which at that point is operating the guest in
> XAPIC mode until the PEI phase switches to X2APIC.
>
> One potential solution is to have KVM enable X2APIC as soon as Alternate
> Injection is activated. While we could start X2APIC during the creation of
> the vCPU, APM Volume 2, Figure 16-32 states that we must transition from
> XAPIC mode to X2APIC mode first.
>
> More specifically:
>
> “If the feature is present, the local APIC is placed into x2APIC mode by
> setting bit 10 in the Local APIC Base register (MSR 01Bh). Before entering
> x2APIC mode, the local APIC must first be enabled (AE=1, EXTD=0).”
>
> Therefore, I am uncertain if enabling X2APIC directly during vCPU creation is
> permissible.
>
> Do you have any suggestions for a better solution?

Fix OVMF. Or change the AMD architectural specs. Don't hack KVM.

> Please feel free to ask questions if some concepts are unclear and I'll
> gladly expand on them.
>
> Thanks,
> Melody
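
The ordering constraint in the APM sentence quoted above, written out as a small C check. This is an added example, not code from KVM, OVMF, the SVSM or either poster. Only MSR 01Bh and bit 10 come from the quoted text; the AE bit position (bit 11), the helper names and the sample base address used to exercise it are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define MSR_APIC_BASE   0x1Bu          /* Local APIC Base register (MSR 01Bh) */
#define APIC_BASE_EXTD  (1ULL << 10)   /* x2APIC mode enable, per the quoted APM text */
#define APIC_BASE_AE    (1ULL << 11)   /* APIC enable; bit position is an assumption here */

enum apic_mode { APIC_DISABLED, APIC_XAPIC, APIC_X2APIC, APIC_INVALID };

/* Decode the mode encoded by the AE/EXTD bits of an APIC base value. */
enum apic_mode apic_mode_of(uint64_t base)
{
    bool ae = (base & APIC_BASE_AE) != 0;
    bool extd = (base & APIC_BASE_EXTD) != 0;

    if (!ae)
        return extd ? APIC_INVALID : APIC_DISABLED;
    return extd ? APIC_X2APIC : APIC_XAPIC;
}

/* True if a single write may move the APIC base from old_base to new_base. */
bool apic_base_write_ok(uint64_t old_base, uint64_t new_base)
{
    enum apic_mode from = apic_mode_of(old_base);
    enum apic_mode to = apic_mode_of(new_base);

    if (to == APIC_INVALID)
        return false;
    /* x2APIC may only be entered once the APIC is enabled (AE=1, EXTD=0). */
    if (to == APIC_X2APIC && from != APIC_XAPIC && from != APIC_X2APIC)
        return false;
    return true;
}

/*
 * Fill seq[] with the values to write to MSR_APIC_BASE, in order, to reach
 * x2APIC mode from cur. Returns the number of writes (0 if already there).
 */
size_t apic_x2apic_enable_sequence(uint64_t cur, uint64_t seq[2])
{
    size_t n = 0;

    if (apic_mode_of(cur) == APIC_X2APIC)
        return 0;
    cur &= ~APIC_BASE_EXTD;              /* drop a stray EXTD bit */
    if (!(cur & APIC_BASE_AE)) {
        cur |= APIC_BASE_AE;             /* step 1: enable, still xAPIC */
        seq[n++] = cur;
    }
    seq[n++] = cur | APIC_BASE_EXTD;     /* step 2: switch to x2APIC */
    return n;
}
```

From a disabled APIC the helper returns two writes, which is the intermediate XAPIC step the quoted APM text requires before x2APIC can be set.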