AMD Posts Linux Patches For New Secure AVIC Guest Feature

Written by Michael Larabel in AMD on 13 September 2024 at 02:46 PM EDT. 1 Comment
AMD engineers today posted the first "request for comments" (RFC) patch series enabling Linux guest support for Secure AVIC, a new hardware feature arriving with upcoming processors.

Secure AVIC guest support is a new capability for virtual machines (VMs) running under Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP) on upcoming processors. Given the SEV-SNP dependency, it is aimed at EPYC class server processors. Today's patches do not indicate which generation of AMD processors will first offer the capability.

The RFC Linux kernel patches explain this Secure AVIC guest support as:
"Secure AVIC is a new hardware feature in the AMD64 architecture to allow SEV-SNP guests to prevent the hypervisor from generating unexpected interrupts to a vCPU or otherwise violating architectural assumptions around APIC behavior.

One of the significant differences from AVIC or emulated x2APIC is that Secure AVIC uses a guest-owned and managed APIC backing page. It also introduces additional fields in both the VMCB and the Secure AVIC backing page to aid the guest in limiting which interrupt vectors can be injected into the guest.
...
The Secure AVIC feature provides SEV-SNP guests hardware acceleration for performance sensitive APIC accesses while securely managing the guest-owned APIC state through the use of a private APIC backing page. This helps prevent a malicious hypervisor from generating unexpected interrupts for a vCPU or otherwise violating architectural assumptions around APIC behavior.

Add a new x2APIC driver that will serve as the base of the Secure AVIC support."
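The security property described in that cover letter is that the guest, not the hypervisor, decides which interrupt vectors may land on a vCPU. The following is an added software model of that idea, not code from the AMD patches or from the Linux kernel: it keeps a guest-owned allowed-vector bitmap, lets an untrusted hypervisor request any vectors it likes, and delivers only the intersection, counting what was dropped so the guest can notice a misbehaving host. The structure and field names (`allowed_irr`, `requested_irr`, `filter_injection` and so on) are assumptions chosen for the model and are not the hardware's or the patches' names; the scenario inputs are constructed for illustration.

```c
/* Added illustration (not code from the AMD Secure AVIC patches): a software
 * model in which the guest owns the policy of which interrupt vectors a
 * hypervisor may inject into a vCPU. All names below are assumptions for the
 * model, not the names used by the hardware or the kernel driver. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NR_VECTORS   256
#define BITMAP_WORDS (NR_VECTORS / 64)

/* Guest-owned state (think: private APIC backing page): armed vectors. */
struct guest_vcpu_policy {
    uint64_t allowed_irr[BITMAP_WORDS];   /* hypothetical field name */
};

/* What the untrusted hypervisor asks to deliver on a VM entry. */
struct hv_injection_request {
    uint64_t requested_irr[BITMAP_WORDS]; /* hypothetical field name */
};

/* Outcome of the filtering step. */
struct injection_result {
    uint64_t delivered[BITMAP_WORDS];     /* became pending in the guest */
    uint64_t rejected[BITMAP_WORDS];      /* dropped: not armed by the guest */
    unsigned rejected_count;
};

static int  vec_test(const uint64_t *bm, unsigned v) { return (int)((bm[v / 64] >> (v % 64)) & 1); }
static void vec_set(uint64_t *bm, unsigned v)        { bm[v / 64] |=  (1ULL << (v % 64)); }
static void vec_clear(uint64_t *bm, unsigned v)      { bm[v / 64] &= ~(1ULL << (v % 64)); }

/* Guest side: arm a vector. Vectors 0-15 are architecturally reserved for
 * exceptions on x86, so the guest refuses to arm them even if asked. */
int guest_allow_vector(struct guest_vcpu_policy *p, unsigned v)
{
    if (v < 16 || v >= NR_VECTORS)
        return -1;
    vec_set(p->allowed_irr, v);
    return 0;
}

void guest_disallow_vector(struct guest_vcpu_policy *p, unsigned v)
{
    if (v < NR_VECTORS)
        vec_clear(p->allowed_irr, v);
}

/* Hypervisor side: no policy check here on purpose; the host is untrusted
 * and may request anything, including reserved vectors. */
void hv_request_vector(struct hv_injection_request *r, unsigned v)
{
    if (v < NR_VECTORS)
        vec_set(r->requested_irr, v);
}

/* The guest-controlled filter: only armed vectors become pending. Everything
 * else is dropped and counted, which a guest can treat as a signal that the
 * hypervisor is trying to inject interrupts it was never permitted to. */
void filter_injection(const struct guest_vcpu_policy *p,
                      const struct hv_injection_request *req,
                      struct injection_result *out)
{
    memset(out, 0, sizeof(*out));
    for (unsigned w = 0; w < BITMAP_WORDS; w++) {
        out->delivered[w] = req->requested_irr[w] &  p->allowed_irr[w];
        out->rejected[w]  = req->requested_irr[w] & ~p->allowed_irr[w];
        out->rejected_count += (unsigned)__builtin_popcountll(out->rejected[w]);
    }
}

/* Highest pending vector, or -1: the APIC services the highest vector first. */
int highest_pending(const uint64_t *bm)
{
    for (int v = NR_VECTORS - 1; v >= 0; v--)
        if (vec_test(bm, (unsigned)v))
            return v;
    return -1;
}

/* Constructed scenario: the guest arms 0x20 and 0x80; the hypervisor asks for
 * 0x20, 0x80, 0x90 (never armed) and vector 2 (a reserved exception vector). */
static struct injection_result run_scenario(void)
{
    struct guest_vcpu_policy p;
    struct hv_injection_request req;
    struct injection_result out;
    memset(&p, 0, sizeof(p));
    memset(&req, 0, sizeof(req));
    guest_allow_vector(&p, 0x20);
    guest_allow_vector(&p, 0x80);
    hv_request_vector(&req, 0x20);
    hv_request_vector(&req, 0x80);
    hv_request_vector(&req, 0x90);
    hv_request_vector(&req, 2);
    filter_injection(&p, &req, &out);
    return out;
}

unsigned scenario_rejected_count(void)        { struct injection_result r = run_scenario(); return r.rejected_count; }
int      scenario_highest_delivered(void)     { struct injection_result r = run_scenario(); return highest_pending(r.delivered); }
int      scenario_highest_rejected(void)      { struct injection_result r = run_scenario(); return highest_pending(r.rejected); }
int      scenario_vector_delivered(unsigned v){ struct injection_result r = run_scenario(); return vec_test(r.delivered, v); }

int main(void)
{
    printf("rejected=%u highest delivered=0x%x highest rejected=0x%x\n",
           scenario_rejected_count(), scenario_highest_delivered(), scenario_highest_rejected());
    return 0;
}
```

The point of the model is the direction of trust: the bitmap lives on the guest side, the hypervisor's request is treated as untrusted input, and the AND happens under the guest's control, which is the relationship the cover letter describes between the guest-owned backing page and the hypervisor's injection attempts. A real implementation also has to handle the ISR/IRR state machine and EOI, which this model leaves out.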

This Secure AVIC guest support depends upon Secure AVIC host support, with those kernel patches currently available from an AMD GitHub tree rather than from the mainline kernel.

Those interested can now find this AMD Secure AVIC guest support under review on the Linux kernel mailing list. As it was only posted today and carries an RFC flag, it is far too late to appear in the upcoming Linux v6.12 kernel, so it will likely land in a kernel release at some point in 2025, depending upon how long the review and revision process takes. Core VM security features of this kind have taken quite a bit of time to bake; SEV-SNP, for example, only reached good shape on the mainline kernel with Linux 6.11.