>>> Have you tested the case when the target kernel doesn't support SAVIC and >>> tries to use a new interrupt vector on the boot CPU? I think it will >>> break. >>> >> >> For a VM launched with VMSA feature containing Secure AVIC, the target >> kernel also is required to support Secure AVIC. Otherwise, guest bootup >> would fail. I will capture this information in the documentation. >> So, as far as I understand, SAVIC kernel kexecing into a non-SAVIC kernel >> is not a valid use case. > > Hm. I thought if SAVIC is not enabled by the guest the guest would boot > without the secure feature, no? > Actually no. The guest VM which is launched by VMM with Secure AVIC enabled would have SecureAVIC reported in sev_status MSR. Secure AVIC is part of SNP_FEATURES_IMPL_REQ and guest boot would terminate due to snp_get_unsupported_features() check in arch/x86/boot/compressed/sev.c if secure avic is not enabled (having said that, I need to update config rules to select CONFIG_AMD_SECURE_AVIC if CONFIG_AMD_MEM_ENCRYPT is enabled). - Neeraj
