On 8/22/2025 10:58 PM, Borislav Petkov wrote:
On Mon, Aug 11, 2025 at 03:14:35PM +0530, Neeraj Upadhyay wrote:
Subject: Re: [PATCH v9 09/18] x86/sev: Initialize VGIF for secondary VCPUs for Secure AVIC
"vCPU"
Ok
From: Kishon Vijay Abraham I <kvijayab@xxxxxxx>
Secure AVIC requires VGIF to be configured in VMSA. Configure
Please explain in one sentence here for the unenlightened among us what VGIF
is.
Ok. Below is the updated description:
Virtual GIF (VGIF) providing masking capability for when virtual
interrupts (virtual maskable interrupts, virtual NMIs) can be taken by
the guest vCPU. Secure AVIC hardware reads VGIF state from the vCPU's
VMSA. So, set VGIF for secondary CPUs (the configuration for boot CPU is
done by the hypervisor), to unmask delivery of virtual interrupts to
the vCPU.
Also, I can't find anyhwere in the APM the requirement that SAVIC requires
VGIF. Do we need to document it?
I also don't see an explicit mention. I will check on documenting it in
the APM. However, there are references to virtual interrupts (V_NMI,
V_INTR) (which requires VGIF support) and VGIF in terms of functional
usage in below sections of volume 2. In addition, as event injection is
not supported (EventInjCtlr field in the VMCB is ignored), virtual NMI
is required for NMI injection from host to guest.
"15.36.21.2 VMRUN and #VMEXIT
...
The interrupt control information loaded from the VMCB and VMSA for
Secure AVIC mode operation is the same as the information loaded in
Alternate Injection mode. "
Alternate injection section talks about the interrupt controls:
"15.36.16 Interrupt Injection Restrictions
When Alternate Injection is enabled, the EventInjCtlr field in the VMCB
(offset A8h) is ignored on VMRUN. The VIntrCtrl field in the VMCB
(offset 60h) is processed, but only the V_INTR_MASKING, Virtual GIF
Mode, and AVIC Enable bits are used.
...
The remaining fields of VIntrCtrl (V_TPR, V_IRQ, VGIF, V_INTR_PRIO,
V_IGN_TPR, V_INTR_VECTOR, V_NMI, V_NMI_MASK, V_NMI_EN) are read from the
VMSA."
- Neeraj
