
added VPICD x2APIC fix (NOPs APIC-disable WRMSRs that #GP on x2APIC-locked Intel CPUs) #44

Open
Mintsuki wants to merge 1 commit into JHRobotics:main from Mintsuki:x2apic

@Mintsuki Mintsuki commented May 5, 2026

VPICD.VXD reads IA32_APIC_BASE (MSR 0x1B), clears bit 11 (EN, the APIC global-enable bit), and writes it back. It does this on Intel CPUs whenever CPUID.01h:EDX reports APIC and MSR support, both at APIC detection and again before each legacy 8259 reinit.

On CPUs that support IA32_XAPIC_DISABLE_STATUS (architecturally enumerated by IA32_ARCH_CAPABILITIES bit 21), firmware may set LEGACY_XAPIC_DISABLED, which locks the LAPIC into x2APIC mode. In that state bit 10 (EXTD) of IA32_APIC_BASE is set, and clearing EN while EXTD is set raises #GP per the Intel SDM. Windows reports this as "While initializing device VPICD: Windows protection error. You will need to restart your computer." and stops, without identifying the actual cause.

The lock is the default firmware state on Intel Core Ultra (code-named Meteor Lake) and later, where x2APIC is the default APIC mode and xAPIC fall-back is no longer recommended. On earlier CPUs that have the MSR (Sapphire Rapids and later, plus client CPUs with the CVE-2022-21233 microcode update) the lock is typically only set when SGX or TDX is enabled in firmware.

This patch turns each of the two WRMSR opcodes in VPICD.VXD into two NOPs. The APIC is left in whatever mode firmware (or a UEFI legacy-boot wrapper such as CSMWrap) configured - typically LINT0 = ExtINT, LINT1 = NMI, which is exactly the routing the legacy 8259 needs. The detection-time flag VPICD sets is left intact so the rest of its internal state stays consistent.

This finding and fix was AI-assisted (Claude, Opus 4.7).
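
The fault condition described in this pull request, as an added example that is not part of the PR or its patch: a C program for a Linux host with the `msr` driver loaded that reads the relevant MSRs and reports whether the firmware lock is set and whether VPICD's EN-clearing write would #GP. The MSR indices 0x10A and 0xBD (Intel's documented indices for IA32_ARCH_CAPABILITIES and IA32_XAPIC_DISABLE_STATUS), the lock bit position, and all function names are not from the page.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

#define MSR_IA32_APIC_BASE            0x1B   /* index given in the PR text */
#define MSR_IA32_ARCH_CAPABILITIES    0x10A  /* assumption: not on the page */
#define MSR_IA32_XAPIC_DISABLE_STATUS 0xBD   /* assumption: not on the page */
#define APIC_BASE_EXTD         (1ULL << 10)  /* x2APIC mode enable */
#define APIC_BASE_EN           (1ULL << 11)  /* APIC global enable */
#define ARCH_CAP_XAPIC_DISABLE (1ULL << 21)  /* status MSR is enumerated */
#define LEGACY_XAPIC_DISABLED  (1ULL << 0)   /* firmware lock bit */

/* Value VPICD writes back: the MSR contents it read, with EN cleared. */
uint64_t vpicd_write_value(uint64_t apic_base) { return apic_base & ~APIC_BASE_EN; }

/* EN=0 with EXTD=1 is an invalid combination, so that WRMSR raises #GP. */
int vpicd_write_faults(uint64_t apic_base)
{
    uint64_t v = vpicd_write_value(apic_base);
    return (v & APIC_BASE_EXTD) && !(v & APIC_BASE_EN);
}

/* The lock bit only counts when ARCH_CAPABILITIES enumerates the status MSR. */
int x2apic_locked(uint64_t arch_caps, uint64_t xapic_status)
{
    return (arch_caps & ARCH_CAP_XAPIC_DISABLE) && (xapic_status & LEGACY_XAPIC_DISABLED);
}

/* Linux msr driver: the file offset selects the MSR, each read returns 8 bytes. */
static int rdmsr(int fd, uint32_t msr, uint64_t *out)
{
    if (lseek(fd, msr, SEEK_SET) < 0) return -1;
    return read(fd, out, sizeof *out) == (ssize_t)sizeof *out ? 0 : -1;
}

int main(void)
{
    uint64_t base = 0, caps = 0, status = 0;
    int fd = open("/dev/cpu/0/msr", O_RDONLY);   /* needs root and the msr module */
    if (fd < 0 || rdmsr(fd, MSR_IA32_APIC_BASE, &base)) { perror("msr"); return 1; }
    /* A CPU without ARCH_CAPABILITIES fails this read; caps then stays 0. */
    if (rdmsr(fd, MSR_IA32_ARCH_CAPABILITIES, &caps) == 0 && (caps & ARCH_CAP_XAPIC_DISABLE))
        rdmsr(fd, MSR_IA32_XAPIC_DISABLE_STATUS, &status);
    printf("APIC_BASE=%#llx locked=%d vpicd_wrmsr_faults=%d\n", (unsigned long long)base,
           x2apic_locked(caps, status), vpicd_write_faults(base));
    close(fd);
    return 0;
}
```

The lock bit is firmware state and carries over to any OS booted afterwards; the EXTD bit read here is whatever the running Linux kernel left in IA32_APIC_BASE, which may differ from the state at firmware handoff.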

@JHRobotics
Owner

Thanks, nice work! I'll do some tests and if there are not any problems (OK, not obvious ones), I'll merge it and create a new release.
