Re: [PATCH 4/4] KVM: x86: lapic: don't allow to set non default apic id when not using x2apic api

From: Sean Christopherson
Date: Thu Mar 03 2022 - 11:51:21 EST


On Wed, Mar 02, 2022, Maxim Levitsky wrote:
> When APIC state is being loaded while the APIC is in *x2apic* mode, it does enforce that
> the value at offset 0x20 is the initial apic id if KVM_CAP_X2APIC_API.
>
> I think that it is fair to also enforce this when KVM_CAP_X2APIC_API is not used,
> especially if we make apic id read-only.

I don't disagree in principle. But, (a) this loophole has existed for nearly 6
years, (b) closing the loophole could break userspace, (c) false positives are
possible due to truncation, and (d) KVM gains nothing meaningful by closing the
loophole.

(d) changes when we add a knob to make xAPIC ID read-only, but we can simply
require userspace to enable KVM_CAP_X2APIC_API (or force it). That approach
avoids (c) by eliminating truncation, and avoids (b) by virtue of being opt-in.