On Mon, Aug 11, 2025 at 03:14:43PM +0530, Neeraj Upadhyay wrote: > The SECURE_AVIC_CONTROL MSR holds the GPA of the guest APIC backing > page and bitfields to control enablement of Secure AVIC and NMI by > guest vCPUs. This MSR is populated by the guest and the hypervisor > should not intercept it. A #VC exception will be generated otherwise. > If this occurs and Secure AVIC is enabled, terminate guest execution. > > Reviewed-by: Tianyu Lan <tiala@xxxxxxxxxxxxx> > Signed-off-by: Neeraj Upadhyay <Neeraj.Upadhyay@xxxxxxx> > --- > Changes since v8: > - No change. > > arch/x86/coco/sev/vc-handle.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/arch/x86/coco/sev/vc-handle.c b/arch/x86/coco/sev/vc-handle.c > index fc770cc9117d..e856a5e18670 100644 > --- a/arch/x86/coco/sev/vc-handle.c > +++ b/arch/x86/coco/sev/vc-handle.c > @@ -414,6 +414,15 @@ enum es_result sev_es_ghcb_handle_msr(struct ghcb *ghcb, struct es_em_ctxt *ctxt > if (sev_status & MSR_AMD64_SNP_SECURE_TSC) > return __vc_handle_secure_tsc_msrs(regs, write); > break; > + case MSR_AMD64_SECURE_AVIC_CONTROL: > + /* > + * AMD64_SECURE_AVIC_CONTROL should not be intercepted when > + * Secure AVIC is enabled. Terminate the Secure AVIC guest > + * if the interception is enabled. > + */ > + if (cc_platform_has(CC_ATTR_SNP_SECURE_AVIC)) > + return ES_VMM_ERROR; > + break; In light of the recent secure TSC MSR discussions, let's see if Sean really wants to do two different things for reads and writes here too... -- Regards/Gruss, Boris. https://people.kernel.org/tglx/notes-about-netiquette
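Review bot: The comment in the new MSR_AMD64_SECURE_AVIC_CONTROL case does not match the code around it in two places. It names the register AMD64_SECURE_AVIC_CONTROL, without the MSR_ prefix used by the case label, and it says the guest is terminated while the code only returns ES_VMM_ERROR. Suggest using the full macro name and stating that the ES_VMM_ERROR return is what leads to termination. The case also ignores the direction of the access, whereas the secure TSC case just above passes `write` to __vc_handle_secure_tsc_msrs(regs, write). If reads and writes are deliberately treated the same here, the comment should say so. The `break` taken when cc_platform_has(CC_ATTR_SNP_SECURE_AVIC) is false is not covered by the comment either. One line on what happens to an intercepted access in a guest without Secure AVIC would help.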