Re: [RFC PATCH v7 7/7] hvf: do not merge: enable private ISA

[Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>]

On 2026/03/25 20:21, Mohamed Mediouni wrote:
> 
>> On 25. Mar 2026, at 12:07, Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp> wrote:
>>
>> On 2026/03/25 5:48, Mohamed Mediouni wrote:
>>> Booting macOS Tahoe.
>>> There in the series to show that's all it takes, but not
>>> mergable as is. Testing this requires SIP to be disabled
>>> and AMFI to be bypassed to be able to launch the executable.
>>
>>
>> This is interesting. Do you have any idea what is the private ISA?
>>
>> Regards,
>> Akihiko Odaki
> 
> Hello,
> 
> For the macOS vmapple target:
> 
> Apple PAC is paravirtualised and not trappable by the VMM without
> patching the “hvc #0” to something else.
> 
> That’s the only private ISA bit being used there needed for boot.
> 
> The documentation for those HVCs:
> https://github.com/matteyeux/darwin-xnu/blob/master/doc/vmapple_pac.md
> 
> Apple briefly pushed that there, and open-source XNU has that code present.
> 
> When private ISA is disabled, instead of the VMM being able to process those
> HVCs, they return an error code and the guest dutifully goes into a infinite
> loop.
> 
> For the vresearch1 target used for PCC VRE and iOS:
> 
> Bunch of private ISA used there, including GXF. Private ISA level 3 isn’t
> enough to boot those, it wants private ISA level 4.

It’s fascinating to learn about these Apple-specifics. The insight 
regarding the GXF requirement for PCC VRE and iOS is also very 
intriguing. Thanks for sharing the information.

Regards,
Akihiko Odaki