29-6 Vol. 3C

APIC VIRTUALIZATION AND VIRTUAL INTERRUPTS

all the virtual processors) while giving each virtual processor its own virtual APIC (the VMCS of each 
virtual processor will have a unique virtual-APIC address).

Section 29.4.2 discusses when and how the processor may virtualize read accesses from the APIC-access page. 
Section 29.4.3 does the same for write accesses. When virtualizing a write to the APIC-access page, the processor 
typically takes actions in addition to passing the write through to the virtual-APIC page.
The discussion in those sections uses the concept of an operation within which these memory accesses may occur. 
For those discussions, an “operation” can be an iteration of a REP-prefixed string instruction, an execution of any 
other instruction, or delivery of an event through the IDT.
The 1-setting of the “virtualize APIC accesses” VM-execution control may also affect accesses to the APIC-access 
page that do not result directly from linear addresses. This is discussed in Section 29.4.6.
Special treatment may apply to Intel SGX instructions or if the logical processor is in enclave mode. See Section 
42.5.3 for details.

29.4.1 

Priority of APIC-Access VM Exits

The following items specify the priority of APIC-access VM exits relative to other events.

•

The priority of an APIC-access VM exit due to a memory access is below that of any page fault or EPT violation 
that that access may incur. That is, an access does not cause an APIC-access VM exit if it would cause a page 
fault or an EPT violation.

•

A memory access does not cause an APIC-access VM exit until after the accessed flags are set in the paging 
structures (including EPT paging structures, if enabled).

•

A write access does not cause an APIC-access VM exit until after the dirty flags are set in the appropriate paging 
structure and EPT paging structure (if enabled).

•

With respect to all other events, any APIC-access VM exit due to a memory access has the same priority as any 
page fault or EPT violation that the access could cause. (This item applies to other events that the access may 
generate as well as events that may be generated by other accesses by the same operation.)

These principles imply, among other things, that an APIC-access VM exit may occur during the execution of a 
repeated string instruction (including INS and OUTS). Suppose, for example, that the first n iterations (n may be 
0) of such an instruction do not access the APIC-access page and that the next iteration does access that page. As 
a result, the first n iterations may complete and be followed by an APIC-access VM exit. The instruction pointer 
saved in the VMCS references the repeated string instruction and the values of the general-purpose registers 
reflect the completion of n iterations.

29.4.2 

Virtualizing Reads from the APIC-Access Page

A read access from the APIC-access page causes an APIC-access VM exit if any of the following are true:

•

The “use TPR shadow” VM-execution control is 0.

•

The access is for an instruction fetch.

•

The access is more than 32 bits in size.

•

The access is part of an operation for which the processor has already virtualized a write to the APIC-access 
page.

•

The access is not entirely contained within the low 4 bytes of a naturally aligned 16-byte region. That is, bits 
3:2 of the access’s address are 0, and the same is true of the address of the highest byte accessed.

If none of the above are true, whether a read access is virtualized depends on the setting of the “APIC-register 
virtualization” VM-execution control:

•

If “APIC-register virtualization” is 0, a read access is virtualized if its page offset is 080H (task priority); 
otherwise, the access causes an APIC-access VM exit.

•

If “APIC-register virtualization is 1, a read access is virtualized if it is entirely within one the following ranges of 
offsets: