cvm: evaluate protecting the event_inject (and TDX-equivalent) VMSA field
The concern is that we might lose events, or not correctly inject a double-fault, if code just simply overwrites the event_inject field without first evaluating what's in it. Consider adding a wrapper around the event_inject VMSA field or something similar to protect the field.
Perhaps we don't need a wrapper, but just assertions that the field is empty before we put something in it.
Previously tracked in VSO as interrupt rewind, with this context:
When VTL 1 wants to inject a pending event into VTL 0, we need to make sure that:
- If there are any interrupts that we already injected into the guest, that these get rewound. An exception takes precedence over an interrupt, which by definition can be delivered at any time.
- No further interrupts from the apic are injected.
- If an event (including any interruption) was already injected into the guest (e.g., for SNP, this would be in the EXITINTINFO field on exit from the guest/entry into VTL 2), that this gets preserved. We already have code that moves it into the EVENTINJ field for SNP, so really this means that if we then decide to inject a pending event, we need to determine if a double fault is more appropriate.
- Any halts or idles are ignored if there was a pending event injected into the guest.
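
A sketch of the kind of wrapper discussed above, added here as an example and not taken from the project's code or from the original issue. `Event`, `Outcome` and `EventInject` are hypothetical names; the double-fault decision uses the classic x86 contributory/page-fault classes in simplified form, and replacing a non-conflicting earlier exception (on the assumption that re-execution regenerates it) is a design choice of this example.

```rust
// Added example: hypothetical types, not the project's own code.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Event { Interrupt(u8), Exception(u8) }
#[derive(Debug, PartialEq, Eq)]
pub enum Outcome {
    Injected,             // slot was empty
    RewoundInterrupt(u8), // caller must hand this vector back to the APIC
    Replaced(u8),         // earlier fault dropped; assumed to recur on re-execution
    DoubleFault,          // slot now holds #DF
    TripleFault,          // slot already held #DF; caller must shut the VP down
}
#[derive(Default)]
pub struct EventInject(Option<Event>); // private field: no blind overwrite

const DF: u8 = 8;
const PF: u8 = 14;
// Simplified classic x86 contributory class: #DE, #TS, #NP, #SS, #GP.
fn contributory(v: u8) -> bool { matches!(v, 0 | 10 | 11 | 12 | 13) }

impl EventInject {
    pub fn pending(&self) -> Option<Event> { self.0 }
    /// Halts and idles must be ignored while an event is pending.
    pub fn blocks_halt(&self) -> bool { self.0.is_some() }
    /// An interrupt never displaces anything: only an empty slot accepts it.
    pub fn inject_interrupt(&mut self, vector: u8) -> bool {
        if self.0.is_some() { return false; }
        self.0 = Some(Event::Interrupt(vector));
        true
    }
    /// An exception evaluates what is already in the slot before writing.
    pub fn inject_exception(&mut self, vector: u8) -> Outcome {
        let (next, outcome) = match self.0 {
            None => (vector, Outcome::Injected),
            Some(Event::Interrupt(v)) => (vector, Outcome::RewoundInterrupt(v)),
            Some(Event::Exception(DF)) => (DF, Outcome::TripleFault),
            Some(Event::Exception(first)) => {
                let second_faulty = contributory(vector) || vector == PF;
                let df = (contributory(first) && contributory(vector)) || (first == PF && second_faulty);
                if df { (DF, Outcome::DoubleFault) } else { (vector, Outcome::Replaced(first)) }
            }
        };
        self.0 = Some(Event::Exception(next));
        outcome
    }
}
fn main() {
    let mut slot = EventInject::default();
    slot.inject_interrupt(0x30); // constructed sample vector
    println!("{:?}", slot.inject_exception(13)); // interrupt is rewound
    println!("{:?}", slot.inject_exception(13)); // #GP on #GP becomes #DF
}
```

Every outcome other than `Injected` tells the caller what was already in the slot, so nothing is lost silently.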