AMD Posts Linux Patches For New Secure AVIC Guest Feature
[AMD] 3 Hours Ago
AMD Secure AVIC Guests
- Reference: 0001491448
- News link: https://www.phoronix.com/news/AMD-Secure-AVIC-Guest-Support
AMD engineers today posted the first "request for comments" (RFC) patches enabling support for Secure AVIC guest handling, a new hardware feature of upcoming processors.
Secure AVIC guest support is a new capability for virtual machines (VMs) using Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP) on upcoming processors. Given the SEV-SNP mention, it is aimed at EPYC-class server processors. Today's patches do not indicate which generation of AMD processors will first offer this capability.
The RFC Linux kernel patches describe Secure AVIC guest support as follows:
"Secure AVIC is a new hardware feature in the AMD64 architecture to allow SEV-SNP guests to prevent the hypervisor from generating unexpected interrupts to a vCPU or otherwise violating architectural assumptions around APIC behavior.
One of the significant differences from AVIC or emulated x2APIC is that Secure AVIC uses a guest-owned and managed APIC backing page. It also introduces additional fields in both the VMCB and the Secure AVIC backing page to aid the guest in limiting which interrupt vectors can be injected into the guest.
...
The Secure AVIC feature provides SEV-SNP guests hardware acceleration for performance-sensitive APIC accesses while securely managing the guest-owned APIC state through the use of a private APIC backing page. This helps prevent a malicious hypervisor from generating unexpected interrupts for a vCPU or otherwise violating architectural assumptions around APIC behavior.
Add a new x2APIC driver that will serve as the base of the Secure AVIC support."
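The security-relevant idea in the quoted description is that the APIC state, including the decision about which interrupt vectors may be injected, lives in a page the guest owns rather than one the hypervisor controls. The following C program is an added illustration of that idea and is not code from the AMD patches or from the kernel's x2APIC driver: it models a guest-owned page holding a 256-bit allow-list of vectors (the hypothetical `allowed` bitmap) beside the pending-interrupt register, and shows injection attempts for vectors the guest never opted into being dropped and counted. The struct layout, function names and sample vector numbers are all constructed for the example; the real Secure AVIC backing page and VMCB fields are defined by AMD and are not reproduced here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 256 interrupt vectors, one bit each, kept in 8 x 32-bit words, mirroring
 * the 32-bit register banks (IRR/ISR/TMR) of the x2APIC register space. */
#define NR_VECTORS 256
#define VEC_WORDS  (NR_VECTORS / 32)

/* Hypothetical model of a guest-owned APIC backing page. The real Secure
 * AVIC page layout and VMCB fields are defined by AMD and are not reproduced. */
struct guest_apic_page {
    uint32_t allowed[VEC_WORDS];  /* vectors the guest permits the hypervisor to inject */
    uint32_t irr[VEC_WORDS];      /* interrupt request register: pending vectors */
    unsigned long rejected;       /* injections refused; worth logging in a guest */
};

static inline uint32_t vec_mask(uint8_t vec) { return 1u << (vec % 32); }
static inline unsigned vec_word(uint8_t vec) { return vec / 32; }

static void apic_page_init(struct guest_apic_page *p)
{
    memset(p, 0, sizeof(*p));
}

/* Only the guest writes the allow-list; in the model the hypervisor never can. */
static void allow_vector(struct guest_apic_page *p, uint8_t vec)
{
    p->allowed[vec_word(vec)] |= vec_mask(vec);
}

static void deny_vector(struct guest_apic_page *p, uint8_t vec)
{
    p->allowed[vec_word(vec)] &= ~vec_mask(vec);
}

static bool vector_allowed(const struct guest_apic_page *p, uint8_t vec)
{
    return (p->allowed[vec_word(vec)] & vec_mask(vec)) != 0;
}

static bool vector_pending(const struct guest_apic_page *p, uint8_t vec)
{
    return (p->irr[vec_word(vec)] & vec_mask(vec)) != 0;
}

/* Models a hypervisor attempt to inject `vec`. With the guest-owned allow-list
 * the attempt is dropped (and counted) unless the guest opted in beforehand. */
static bool hv_inject(struct guest_apic_page *p, uint8_t vec)
{
    if (!vector_allowed(p, vec)) {
        p->rejected++;
        return false;
    }
    p->irr[vec_word(vec)] |= vec_mask(vec);
    return true;
}

/* Scripted scenario with constructed sample vectors: the guest opens two
 * device vectors, the hypervisor tries four injections (two of them
 * unexpected), then the guest closes one vector and the hypervisor retries.
 * Returns the number of rejected injections (3 for this script). */
static unsigned long scenario_rejected(void)
{
    struct guest_apic_page p;
    apic_page_init(&p);
    allow_vector(&p, 0x31);   /* constructed: a NIC queue vector */
    allow_vector(&p, 0x42);   /* constructed: a virtio-blk vector */

    hv_inject(&p, 0x31);   /* allowed */
    hv_inject(&p, 0x42);   /* allowed */
    hv_inject(&p, 0x0d);   /* rejected: exception vector, never opted in */
    hv_inject(&p, 0xf0);   /* rejected: guest never opted in */

    deny_vector(&p, 0x42);
    hv_inject(&p, 0x42);   /* rejected: guest withdrew permission */

    return p.rejected;
}

/* Same idea, checking that exactly the opted-in vector became pending. */
static bool scenario_pending_ok(void)
{
    struct guest_apic_page p;
    apic_page_init(&p);
    allow_vector(&p, 0x31);
    hv_inject(&p, 0x31);
    hv_inject(&p, 0xf0);
    return vector_pending(&p, 0x31) && !vector_pending(&p, 0xf0);
}

int main(void)
{
    printf("rejected injections: %lu\n", scenario_rejected());
    printf("pending state correct: %s\n", scenario_pending_ok() ? "yes" : "no");
    return 0;
}
```

The point of the model is the ownership boundary: because the allow-list sits in memory only the guest writes, a hypervisor cannot widen it, and a rejected-injection counter gives the guest a cheap signal that something outside it is trying to drive vectors it never registered. In real hardware the filtering is done by the processor against AMD's defined page and VMCB fields, not by guest software as modelled here.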
This Secure AVIC guest support depends upon Secure AVIC host support, with those kernel patches currently available via [1] this AMD GitHub tree.
Those interested can now find this AMD Secure AVIC guest support under review on [2] the Linux kernel mailing list. As it was only posted today and under an RFC flag, it is far too late for the upcoming Linux 6.12 kernel, so it will likely appear in a release at some point in 2025, depending on how long the review and revision process takes. Core VM/security features like this have sometimes taken a long time to mature: SEV-SNP, for example, only reached good shape on the mainline kernel with Linux 6.11 [3].
[1] https://github.com/AMDESE/linux-kvm/tree/savic-host
[2] https://lore.kernel.org/lkml/20240913113705.419146-1-Neeraj.Upadhyay@amd.com/
[3] https://www.phoronix.com/news/AMD-SEV-SNP-SVSM-Linux-6.11