Re: [PATCH v2 3/5] KVM: SVM: Only disable x2AVIC WRMSR interception for MSRs that are accelerated

[Naveen N Rao]

On Wed, May 06, 2026 at 11:47:44AM -0700, Sean Christopherson wrote:
> When x2AVIC is enabled, disable WRMSR interception only for MSRs that are
> actually accelerated by hardware.  Disabling interception for MSRs that
> aren't accelerated is functionally "fine", and in some cases a weird "win"
> for performance, but only for cases that should never be triggered by a
> well-behaved VM (writes to read-only registers; the #GP will typically
> occur in the guest without taking a #VMEXIT, even for fault-like exits).
> 
> But overall, disabling interception for MSRs that aren't accelerated is at
> best confusing and unintuitive, and at worst introduces avoidable risk, as
> the effective guest-visible behavior depends on the whims of the CPU (the
> behavior of x2APIC MSR writes on at least Zen4 doesn't match the behavior
> documented in the table in "15.29.3.1 Virtual APIC Register Accesses" of
> the APM).

Revisiting this:
- As far as I can tell, the guest-visible behavior looks to be the same 
  with/without MSR interception? Did you see different behavior for 
  specific APIC MSRs or across Zen processor families?
- The main difference with x2AVIC looks to be about invalid APIC MSR 
  accesses generating #GP directly in the guest (but that wouldn't be 
  guest-visible). I was pointed to this statement in the APM Section 
  15.29.10 x2AVIC:
	x2APIC MSR intercept checks and access checks have higher 
	priority than AVIC access permission checks.

Note the "access checks" qualifier, which covers the #GP seen for 
invalid MSR accesses.

- Naveen