Re: [PATCH 1/2] KVM: SEV: Don't set CR8 write intercept when disabling AVIC for SEV-ES guests
From: Aithal, Srikanth
Date: Wed Mar 11 2026 - 00:54:39 EST
On 3/11/2026 2:48 AM, Sean Christopherson wrote:

Don't set the CR8 write intercept when disabling AVIC for SEV-ES vCPUs, as
attempting to intercept CR8 will generate a #VC and in all likelihood kill
the VM.

Note! At first glance, one might think KVM's handling of CR8 write traps
for SEV-ES is flawed, as KVM traps CR8 writes even when AVIC is enabled,
despite the fact that hardware updates the AVIC backing page as well. But
KVM unconditionally inhibits AVIC for SEV-ES guests as current hardware
apparently can't support it (see c538dc792ff7 ("KVM: SVM: Do not activate
AVIC for SEV-enabled guest")).

However, KVM's overall handling of CR8 _is_ broken, as sync_cr8_to_lapic()
will clobber with stale information from the unencrypted VMCB. That issue
will be fixed separately.

Reported-by: Srikanth Aithal <sraithal@xxxxxxx>
Closes: https://lore.kernel.org/all/19935696-36cf-411b-af90-aabe6a98d7e7@xxxxxxx
Fixes: e992bf67bcba ("KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated")
Cc: stable@xxxxxxxxxxxxxxx
Acked-by: Naveen N Rao (AMD) <naveen@xxxxxxxxxx>
Signed-off-by: Sean Christopherson <seanjc@xxxxxxxxxx>
---
arch/x86/kvm/svm/avic.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kvm/svm/avic.c b/arch/x86/kvm/svm/avic.c
index 13a4a8949aba..f7ec7914e3c4 100644
--- a/arch/x86/kvm/svm/avic.c
+++ b/arch/x86/kvm/svm/avic.c
@@ -226,7 +226,8 @@ static void avic_deactivate_vmcb(struct vcpu_svm *svm)
vmcb->control.int_ctl &= ~(AVIC_ENABLE_MASK | X2APIC_MODE_MASK);
vmcb->control.avic_physical_id &= ~AVIC_PHYSICAL_MAX_INDEX_MASK;
- svm_set_intercept(svm, INTERCEPT_CR8_WRITE);
+ if (!sev_es_guest(svm->vcpu.kvm))
+ svm_set_intercept(svm, INTERCEPT_CR8_WRITE);
/*
* If running nested and the guest uses its own MSR bitmap, there
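
Review bot: the new `if (!sev_es_guest(svm->vcpu.kvm))` guard in avic_deactivate_vmcb() carries no comment, so the reason SEV-ES is excluded (intercepting CR8 generates a #VC and will likely kill the VM) exists only in the commit message. A short comment directly above the check, saying that SEV-ES guests must not have INTERCEPT_CR8_WRITE set, would keep a later cleanup from removing the condition as apparently redundant. The commit named in Fixes: both sets and clears this intercept on AVIC (de)activation; only the set side is visible here, so it is worth stating in the changelog or the comment that the clear side needs no matching guard because KVM always inhibits AVIC for SEV-ES guests.
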
This fixes the SEV-ES boot issue. Thank you.
Tested-by: Srikanth Aithal <sraithal@xxxxxxx>