>Palo, Sean, Any update? > >After thinking more about this, I actualy think I will do something >different, something that actually was proposed here, and I was against it: > > >1. I will add new inhibit APICV_INHIBIT_REASON_RO_SETTINGS, which will be set >first time any vCPU touches apic id and/or apic base because why not... > >That will take care of non nested case cleanly, and will take care of IPIv >for now (as long as it does't support nesting). Yes. This works well with intel IPIv. > >2. For my nested AVIC, I will do 2 things: > > a. My code never reads L1 apic ids, and always uses vcpu_id, thus > in theory, if I just ignore the problem, and the guest changes apic ids, > the nested AVIC will just keep on using initial apic ids, thus there is no danger > of CVE like issue if the guest tries to change theses ids in the 'right' time. > > b. on each nested vm entry I'll just check that apic id is not changed from the default, > if AVIC is enabled for the nested guest. > > if so the nested entry will fail (best with kvm_vm_bugged) to get attention of > the user, but I can just fail it with standard vm exit reason of 0xFFFFFFFF. For sake of simplicity, I prefer to make APIC ID read-only for VMs that supports (nested) AVIC or IPIv (KVM can check guest CPUID/MSR to know this). When guest attempts to change read-only APIC ID, KVM can raise an internal error, saying KVM cannot emulate this action. To get rid of such an error, users should launch the VM with nested AVIC/IPIv disabled or upgrade VM kernel to not change APIC ID.
