Re: [PATCH 12/16] KVM: TDX: Inhibit APICv for TDX guest

From: Sean Christopherson
Date: Tue Jan 14 2025 - 11:59:14 EST


On Tue, Jan 14, 2025, Binbin Wu wrote:
> On 1/14/2025 1:16 AM, Sean Christopherson wrote:
> > On Mon, Jan 13, 2025, Binbin Wu wrote:
> > > Summary about APICv inhibit reasons:
> > > APICv could still be disabled at runtime in some corner cases, e.g.,
> > > APICV_INHIBIT_REASON_PHYSICAL_ID_ALIASED due to memory allocation failure.
> > > After checking enable_apicv in tdx_bringup(), apic->apicv_active is
> > > initialized as true in kvm_create_lapic().  If APICv is inhibited due to any
> > > reason runtime, the refresh_apicv_exec_ctrl() callback could be used to check
> > > if APICv is disabled for TDX, if APICv is disabled, bug the VM.
> > I _think_ this is a non-issue, and that KVM could do KVM_BUG_ON() if APICv is
> > inhibited by kvm_recalculate_apic_map() for a TDX VM. x2APIC is mandatory
> > (KVM_APIC_MODE_MAP_DISABLED and "APIC_ID modified" impossible), KVM emulates
> > APIC_ID as read-only for x2APIC mode (physical aliasing impossible), and LDR is
> > read-only for x2APIC (logical aliasing impossible).
>
> For logical aliasing, according to the KVM code, it's only relevant to
> AMD's AVIC. It's not set in VMX_REQUIRED_APICV_INHIBITS.

Ah, right.

> Is the reason AVIC using logical-id-addressing while APICv using
> physical-id-addressing for IPI virtualization?

Ya, more or less. AVIC supports virtualizing both physical and logical IPIs,
APICv only supports physical.

> > To ensure no physical aliasing, KVM would need to require KVM_CAP_X2APIC_API be
> > enabled, but that should probably be required for TDX no matter what.
> There is no physical aliasing when APIC is in x2apic mode, vcpu_id is used
> anyway.

Yeah, ignore this, I misremembered the effects of KVM_CAP_X2APIC_API.