On Tue, Mar 15, 2022 at 05:30:32PM +0200, Maxim Levitsky wrote: >Yep, I have a patch for this ( which I hope to be accepted really soon >(KVM: x86: SVM: allow AVIC to co-exist with a nested guest running) > >I also implemented working support for nested AVIC, which includes support for IPI without vm exits >between L2's vCPUs. I had sent an RFC for that. > >With all patches applied both L1 and L2 switch hands on AVIC, L1's avic is inhibited >(only locally) on the vCPU which runs nested, and while it runs nested, L2 uses AVIC >to target other vCPUs which also run nested. > >I and Paolo talked about this, and we reached a very promising conclusion. > >I will add new KVM cap, say KVM_CAP_READ_ONLY_APIC, which userspace will set >prior to creating a vCPU, and which will make APIC ID fully readonly when set. Will KVM report violations to QEMU? then, QEMU can know the VM attempted to change APIC ID and report an error to admin. Then admin can relaunch the VM without setting this new cap. > >As a bonus, if you don't object, I will also make this cap, make APIC base read-only, >since this feature is also broken in kvm, optional in x86 spec, and not really >used by guests just like writable apic id. > >I hope to have patches in day or two for this. Great. And no objection to making APIC base read-only.