Message-ID: <a91b5470-33a0-4a23-ac1a-a7f1d4559cc1@amd.com>
Date: Mon, 25 Aug 2025 11:55:44 +0530
From: "Upadhyay, Neeraj" <neeraj.upadhyay@....com>
To: Borislav Petkov <bp@...en8.de>
Cc: linux-kernel@...r.kernel.org, tglx@...utronix.de, mingo@...hat.com,
 dave.hansen@...ux.intel.com, Thomas.Lendacky@....com, nikunj@....com,
 Santosh.Shukla@....com, Vasant.Hegde@....com, Suravee.Suthikulpanit@....com,
 David.Kaplan@....com, x86@...nel.org, hpa@...or.com, peterz@...radead.org,
 seanjc@...gle.com, pbonzini@...hat.com, kvm@...r.kernel.org,
 kirill.shutemov@...ux.intel.com, huibo.wang@....com, naveen.rao@....com,
 francescolavra.fl@...il.com, tiala@...rosoft.com
Subject: Re: [PATCH v9 09/18] x86/sev: Initialize VGIF for secondary VCPUs for
 Secure AVIC



On 8/22/2025 10:58 PM, Borislav Petkov wrote:
> On Mon, Aug 11, 2025 at 03:14:35PM +0530, Neeraj Upadhyay wrote:
>> Subject: Re: [PATCH v9 09/18] x86/sev: Initialize VGIF for secondary VCPUs for Secure AVIC
> 
> "vCPU"
> 

Ok

>> From: Kishon Vijay Abraham I <kvijayab@....com>
>>
>> Secure AVIC requires VGIF to be configured in VMSA. Configure
> 
> Please explain in one sentence here for the unenlightened among us what VGIF
> is.
> 

Ok. Below is the updated description:

Virtual GIF (VGIF) provides masking capability for when virtual 
interrupts (virtual maskable interrupts, virtual NMIs) can be taken by 
the guest vCPU. Secure AVIC hardware reads VGIF state from the vCPU's 
VMSA. So, set VGIF for secondary CPUs (the configuration for boot CPU is 
done by the hypervisor), to unmask delivery of virtual interrupts to 
the vCPU.

> Also, I can't find anywhere in the APM the requirement that SAVIC requires
> VGIF. Do we need to document it?
> 

I also don't see an explicit mention. I will check on documenting it in 
the APM. However, there are references to virtual interrupts (V_NMI, 
V_INTR) (which require VGIF support) and VGIF in terms of functional 
usage in the below sections of volume 2. In addition, as event injection is 
not supported (EventInjCtlr field in the VMCB is ignored), virtual NMI 
is required for NMI injection from host to guest.

"15.36.21.2 VMRUN and #VMEXIT

...

The interrupt control information loaded from the VMCB and VMSA for 
Secure AVIC mode operation is the same as the information loaded in 
Alternate Injection mode. "

Alternate injection section talks about the interrupt controls:

"15.36.16 Interrupt Injection Restrictions

When Alternate Injection is enabled, the EventInjCtlr field in the VMCB 
(offset A8h) is ignored on VMRUN. The VIntrCtrl field in the VMCB 
(offset 60h) is processed, but only the V_INTR_MASKING, Virtual GIF 
Mode, and AVIC Enable bits are used.

...

The remaining fields of VIntrCtrl (V_TPR, V_IRQ, VGIF, V_INTR_PRIO, 
V_IGN_TPR, V_INTR_VECTOR, V_NMI, V_NMI_MASK, V_NMI_EN) are read from the 
VMSA."


- Neeraj
