[svsm-devel] RESEND: SEV-SNP Alternate Injection

Sean Christopherson seanjc at google.com
Thu Mar 27 15:20:58 CET 2025 

On Wed, Mar 26, 2025, Melody (Huibo) Wang wrote:
> Hi,
> 
> I am currently enabling Alternate Injection for SEV-SNP guests and have
> encountered a design issue.
> 
> The Alternate Injection specification which is a preliminary spec supports
> only the SVSM APIC protocol through a subset of X2APIC MSRs, Timer support is
> configurable, If timer functionality is not supported, the guest must rely on
> the hypervisor to emulate timer support through use of the #HV Timer GHCB
> protocol.
> 
> When the OVMF firmware starts, it is in XAPIC mode by default and then, later
> during the init phase it switches the guest to X2APIC. However, with
> Alternate Injection enabled, the OVMF in its very first phase - SEC - does
> XAPIC accesses. The SVSM uses a so-called SVSM APIC protocol which uses a
> subset of the X2APIC MSRs.
> 
> The OVMF, however, thinks it starts off in XAPIC memory-mapped mode. There's
> a protocol mismatch of sorts. With Alternate Injection enabled in the SEC
> phase, it requires X2APIC. The registers (timer registers) - not handled by
> SVSM will get routed to KVM, which at that point is operating the guest in
> XAPIC mode until the PEI phase switches to X2APIC.
> 
> One potential solution is to have KVM enable X2APIC as soon as Alternate
> Injection is activated. While we could start X2APIC during the creation of
> the vCPU, APM Volume 2, Figure 16-32 states that we must transition from
> XAPIC mode to X2APIC mode first.
> 
> More specifically:
> 
> “If the feature is present, the local APIC is placed into x2APIC mode by
> setting bit 10 in the Local APIC Base register (MSR 01Bh). Before entering
> x2APIC mode, the local APIC must first be enabled (AE=1, EXTD=0).”
> 
> Therefore, I am uncertain if enabling X2APIC directly during vCPU creation is
> permissible.
> 
> Do you have any suggestions for a better solution?

Fix OVMF.  Or change the AMD architectural specs.  Don't hack KVM.

> 
> Please feel free to ask questions if some concepts are unclear and I'll
> gladly expand on them.
> 
> Thanks,
> Melody

More information about the Svsm-devel mailing list