-
Notifications
You must be signed in to change notification settings - Fork 45
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Interrupt support for confidential VMs #328
Comments
As discussed in the SVSM call on April 24th, we are starting an effort to get IRQ infrastructure into the SVSM code-base.
I don't see a need for vIOAPIC emulation, are there reasons this is absolutely needed? |
Before the detail implementation discussion, can we clarify the usage of APIC in L2 ? I see we may support 2 cases: 1) Enlightened APIC driver in L2 (which can probably fully remove IOAPIC usage, 2) unmodified L2 OSes such as Linux today: should we support unmodified OS kernel on top of coconut? If YES, the unmodified L2 kernel may use both IOAPIC/LAPIC --- Of course, we can emulate IOAPIC in host VMM or in L1 coconut. Personally, I think coconut should support broad usage of L2 OSes including both enlightened kernel and unmodified kernel. Can Joerg calrify? |
I agree that the target is to support enlightened and unenlightened OSes. For now the plan has been to keep the IOAPIC in the host hypervisor, as there will be no separate IOAPIC per partition and the accesses from the L2 to the IOAPIC will be passed through to the host. If there is a good reason to have an emulation in COCONUT, then we can discuss it. |
Thanks @joergroedel for the clarifications on X2APIC driver and the vIOAPIC. Also, I assume for the vLAPIC implementation we are looking at full vLAPIC emulation as we want to support both unenlightened as well as enlightened guests. Is my understanding correct? |
Hi @vijaydhanraj, yes, a full emulation for vX2APIC is deserved. Not sure if we need to support vLAPIC as a fall-back. The specification is currently being worked on, we will share it when it is ready. |
To emulate full vX2APIC, the L1 SVSM and L2 VM interface is naturally following X2APIC spec. But we need to define a hardware neutral interface between L0 and L1. Is this the specification being worked on? If yes, I suggest we build on top of industry standard virtio interface? Any thoughts? |
When you say vLAPIC, I think you are referring to vXAPIC mode right? If so, we may need to enable vXAPIC for the unenlightened guest as default LAPIC mode is XAPIC after reset (please see SDM 11.12.5.1). We can then switch to X2APIC by setting |
Okay, that makes sense. so a vXAPIC emulation is also needed (which in turn needs MMIO emulation). |
Yes correct. I think we are mostly aligned on the requirements. Only open is the hardware neutral interface between L0 and L1. As we wait for the interface, is it fine if can I start with initial LAPIC driver PR? |
Hi @msft-jlange we were planning to add a generic LAPIC driver supporting x2APIC mode in SVSM for IPIs, timer. Is this something you are currently working on as part of restricted injection support? If not, would it be ok for us to send a PR for this feature or should we wait? |
In order to support confidential VMs like a TD partitioned guest the following missing features maybe needed in SVSM. Idea is to try keep the implementation platform agnostic.
Are there any plans to implement these features? If so, happy to collaborate and validate on x86 platform.
If not, is this something that I can help with?
The text was updated successfully, but these errors were encountered: