My initial understanding was that with LRENPIE set, any EOI coming from the guest on IRQs that are not in any LRs will result in a maintenance interrupt and the hypervisor can check which IRQ was deactivated.
Upon taking a closer look though, I can't understand how this can be done. Since such an event will cause an asynchronous exception and not a data abort (like a regular trap), you cannot use the ESR to get the register number that the guest used for the EOI/DIR. The manual only mentions EOIcount, but that's just a counter of how many EOIs occurred without a relevant LR.
So my question is, how can you tell which IRQ the guest EOIed, by using the LRENPIE maintenance interrupt and without trapping all EOI guest accesses?
Fair enough about the IAR/EOIR ordering, although I think in some targets at least, EOIR without IAR first works (but I guess it doesn't matter, spec says unpredictable so it cannot be relied upon anyway).
I still think though that I am missing something regarding EOIcount, because the same example can happen with a normal IRQ life cycle.
So 32 IRQs of the same priority trigger at the same time, we put 16 into LRs, the rest pending in memory. Guest sees and ACKs all 16 of them (no EOIs yet), now IRQs are in active state and we can unlist them from the LRs (NPIE maintenance IRQ) and store them as active in memory. Next we load the other 16 IRQs (pending) into the LRs where the guest can ACK all of them. According to the rules above the guest now has to start ending the interrupts in the opposite order. With the underflow maintenance IRQ we know when all these IRQs are finalized and can load into LRs the previous batch that remained active in memory.
In the above example, when does EOIcount come into play at all? Do you have a simple example for LRENPIE/EOIcount (as far as I know this maintenance interrupt is not used at all in KVM)? What if the guest EOIs in a different order, do we just ignore the wrong ordered EOIs? Does that mean that the hypervisor is expected to track not only the state of virtual IRQs but also the order that they were injected (and I am not talking about priorities here, let's just assume that all IRQs have the same priority)?
Thank you again for the detailed responses, and sorry for my many questions. I am going back and forth through the spec, yet I still feel that I have some crucial misunderstanding about EOIcount and how it can hint to the hypervisor which unlisted IRQ was EOIed.