Changeset
default-configs/ppc-softmmu.mak |   2 +
hw/input/adb-kbd.c              |  29 +-
hw/input/adb-mouse.c            |  41 +-
hw/input/adb.c                  |   7 +
hw/misc/macio/Makefile.objs     |   2 +
hw/misc/macio/gpio.c            | 231 +++++++++++
hw/misc/macio/macio.c           |  89 +++-
hw/misc/macio/pmu.c             | 871 ++++++++++++++++++++++++++++++++++++++++
hw/misc/macio/trace-events      |  28 ++
hw/ppc/mac.h                    |  20 +
hw/ppc/mac_newworld.c           |  84 +++-
include/hw/input/adb.h          |   1 +
include/hw/misc/macio/gpio.h    |  47 +++
include/hw/misc/macio/macio.h   |   7 +
include/hw/misc/macio/pmu.h     | 237 +++++++++++
include/hw/ppc/ppc.h            |   1 +
16 files changed, 1639 insertions(+), 58 deletions(-)
create mode 100644 hw/misc/macio/gpio.c
create mode 100644 hw/misc/macio/pmu.c
create mode 100644 include/hw/misc/macio/gpio.h
create mode 100644 include/hw/misc/macio/pmu.h
Git apply log
Switched to a new branch '20180612164402.28680-1-mark.cave-ayland@ilande.co.uk'
Applying: ppc: introduce Core99MachinesState for the mac99 machine
Applying: mac_newworld: add via machine option to control mac99 VIA/ADB configuration
Applying: mac_newworld: add gpios to macio devices with PMU enabled
Applying: mac_newworld: wire up programmer switch to NMI handler
Applying: adb: fix read reg 3 byte ordering
Applying: adb: add property to disable direct reg 3 writes
Applying: mac_newworld: add PMU device
To https://github.com/patchew-project/qemu
 * [new tag]         patchew/20180612164402.28680-1-mark.cave-ayland@ilande.co.uk -> patchew/20180612164402.28680-1-mark.cave-ayland@ilande.co.uk
Test passed: checkpatch


Test passed: docker-mingw@fedora


Test passed: s390x


Test passed: docker-quick@centos7


[Qemu-devel] [PATCH 0/7] mac99: add via-pmu support
Posted by Mark Cave-Ayland, 1 week ago
This patchset is based upon Ben H's experimental branch which adds PMU
support to the QEMU mac99 machine. Currently mac99 uses the via-cuda
device which works in a lot of cases, but many OSs such as MacOS 10.5
only support via-pmu.

A lot of the work I've been doing on the Mac machines over the past
year or so has been to enable me to remove all the hacks from the PMU
work to enable it to be submitted upstream, and here we are.

The choice of via is controlled with a new "via" machine option which
has 3 values:

  via=cuda
  - Use via-cuda as per the current mac99 machine but largely unsupported

  via=pmu-adb
  - Use via-pmu but attach the mouse and keyboard to the PMU ADB bus
    rather than USB (useful for esoteric OS X images)
    
  via=pmu
  - Use via-pmu with USB mouse and keyboards, as per a real PowerMac3,1
    machine
  
Eventually the aim is to switch the mac99 default option to via=pmu but
there are some minor issues with older OS X related to timer calibration
and USB that means I'm not ready to do that just yet.

Note that the via-pmu device also requires an updated OpenBIOS containing
a suitable PMU driver, which has been posted to the OpenBIOS mailing
list at https://mail.coreboot.org/pipermail/openbios/2018-June/010384.html.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>


Mark Cave-Ayland (7):
  ppc: introduce Core99MachinesState for the mac99 machine
  mac_newworld: add via machine option to control mac99 VIA/ADB
    configuration
  mac_newworld: add gpios to macio devices with PMU enabled
  mac_newworld: wire up programmer switch to NMI handler
  adb: fix read reg 3 byte ordering
  adb: add property to disable direct reg 3 writes
  mac_newworld: add PMU device

 default-configs/ppc-softmmu.mak |   2 +
 hw/input/adb-kbd.c              |  29 +-
 hw/input/adb-mouse.c            |  41 +-
 hw/input/adb.c                  |   7 +
 hw/misc/macio/Makefile.objs     |   2 +
 hw/misc/macio/gpio.c            | 231 +++++++++++
 hw/misc/macio/macio.c           |  89 +++-
 hw/misc/macio/pmu.c             | 871 ++++++++++++++++++++++++++++++++++++++++
 hw/misc/macio/trace-events      |  28 ++
 hw/ppc/mac.h                    |  20 +
 hw/ppc/mac_newworld.c           |  84 +++-
 include/hw/input/adb.h          |   1 +
 include/hw/misc/macio/gpio.h    |  47 +++
 include/hw/misc/macio/macio.h   |   7 +
 include/hw/misc/macio/pmu.h     | 237 +++++++++++
 include/hw/ppc/ppc.h            |   1 +
 16 files changed, 1639 insertions(+), 58 deletions(-)
 create mode 100644 hw/misc/macio/gpio.c
 create mode 100644 hw/misc/macio/pmu.c
 create mode 100644 include/hw/misc/macio/gpio.h
 create mode 100644 include/hw/misc/macio/pmu.h

-- 
2.11.0


Re: [Qemu-devel] [PATCH 0/7] mac99: add via-pmu support
Posted by David Gibson, 1 week ago
On Tue, Jun 12, 2018 at 05:43:55PM +0100, Mark Cave-Ayland wrote:
> This patchset is based upon Ben H's experimental branch which adds PMU
> support to the QEMU mac99 machine. Currently mac99 uses the via-cuda
> device which works in a lot of cases, but many OSs such as MacOS 10.5
> only support via-pmu.
> 
> A lot of the work I've been doing on the Mac machines over the past
> year or so has been to enable me to remove all the hacks from the PMU
> work to enable it to be submitted upstream, and here we are.
> 
> The choice of via is controlled with a new "via" machine option which
> has 3 values:
> 
>   via=cuda
>   - Use via-cuda as per the current mac99 machine but largely unsupported
> 
>   via=pmu-adb
>   - Use via-pmu but attach the mouse and keyboard to the PMU ADB bus
>     rather than USB (useful for esoteric OS X images)
>     
>   via=pmu
>   - Use via-pmu with USB mouse and keyboards, as per a real PowerMac3,1
>     machine
>   
> Eventually the aim is to switch the mac99 default option to via=pmu but
> there are some minor issues with older OS X related to timer calibration
> and USB that means I'm not ready to do that just yet.
> 
> Note that the via-pmu device also requires an updated OpenBIOS containing
> a suitable PMU driver which have been posted over to the OpenBIOS mailing
> list at https://mail.coreboot.org/pipermail/openbios/2018-June/010384.html.
> 
> Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>

Applied to ppc-for-3.0, thanks.

> 
> 
> Mark Cave-Ayland (7):
>   ppc: introduce Core99MachinesState for the mac99 machine
>   mac_newworld: add via machine option to control mac99 VIA/ADB
>     configuration
>   mac_newworld: add gpios to macio devices with PMU enabled
>   mac_newworld: wire up programmer switch to NMI handler
>   adb: fix read reg 3 byte ordering
>   adb: add property to disable direct reg 3 writes
>   mac_newworld: add PMU device
> 
>  default-configs/ppc-softmmu.mak |   2 +
>  hw/input/adb-kbd.c              |  29 +-
>  hw/input/adb-mouse.c            |  41 +-
>  hw/input/adb.c                  |   7 +
>  hw/misc/macio/Makefile.objs     |   2 +
>  hw/misc/macio/gpio.c            | 231 +++++++++++
>  hw/misc/macio/macio.c           |  89 +++-
>  hw/misc/macio/pmu.c             | 871 ++++++++++++++++++++++++++++++++++++++++
>  hw/misc/macio/trace-events      |  28 ++
>  hw/ppc/mac.h                    |  20 +
>  hw/ppc/mac_newworld.c           |  84 +++-
>  include/hw/input/adb.h          |   1 +
>  include/hw/misc/macio/gpio.h    |  47 +++
>  include/hw/misc/macio/macio.h   |   7 +
>  include/hw/misc/macio/pmu.h     | 237 +++++++++++
>  include/hw/ppc/ppc.h            |   1 +
>  16 files changed, 1639 insertions(+), 58 deletions(-)
>  create mode 100644 hw/misc/macio/gpio.c
>  create mode 100644 hw/misc/macio/pmu.c
>  create mode 100644 include/hw/misc/macio/gpio.h
>  create mode 100644 include/hw/misc/macio/pmu.h
> 

-- 
David Gibson			| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
				| _way_ _around_!
http://www.ozlabs.org/~dgibson
[Qemu-devel] [PATCH 1/7] ppc: introduce Core99MachinesState for the mac99 machine
Posted by Mark Cave-Ayland, 1 week ago
This is in preparation for adding configuration controlled via machine
options.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
---
 hw/ppc/mac.h          | 11 +++++++++++
 hw/ppc/mac_newworld.c |  7 +++++++
 2 files changed, 18 insertions(+)

diff --git a/hw/ppc/mac.h b/hw/ppc/mac.h
index 89fa8bbed7..8046cd8a2f 100644
--- a/hw/ppc/mac.h
+++ b/hw/ppc/mac.h
@@ -27,6 +27,7 @@
 #define PPC_MAC_H
 
 #include "exec/memory.h"
+#include "hw/boards.h"
 #include "hw/sysbus.h"
 #include "hw/ide/internal.h"
 #include "hw/input/adb.h"
@@ -65,6 +66,16 @@
 #define NEWWORLD_IDE1_IRQ      0xe
 #define NEWWORLD_IDE1_DMA_IRQ  0x3
 
+/* Core99 machine */
+#define TYPE_CORE99_MACHINE MACHINE_TYPE_NAME("mac99")
+#define CORE99_MACHINE(obj) OBJECT_CHECK(Core99MachineState, (obj), \
+                                         TYPE_CORE99_MACHINE)
+
+typedef struct Core99MachineState {
+    /*< private >*/
+    MachineState parent;
+} Core99MachineState;
+
 /* MacIO */
 #define TYPE_MACIO_IDE "macio-ide"
 #define MACIO_IDE(obj) OBJECT_CHECK(MACIOIDEState, (obj), TYPE_MACIO_IDE)
diff --git a/hw/ppc/mac_newworld.c b/hw/ppc/mac_newworld.c
index 744acdfd2e..5331aa002c 100644
--- a/hw/ppc/mac_newworld.c
+++ b/hw/ppc/mac_newworld.c
@@ -515,10 +515,17 @@ static void core99_machine_class_init(ObjectClass *oc, void *data)
 #endif
 }
 
+static void core99_instance_init(Object *obj)
+{
+    return;
+}
+
 static const TypeInfo core99_machine_info = {
     .name          = MACHINE_TYPE_NAME("mac99"),
     .parent        = TYPE_MACHINE,
     .class_init    = core99_machine_class_init,
+    .instance_init = core99_instance_init,
+    .instance_size = sizeof(Core99MachineState)
 };
 
 static void mac_machine_register_types(void)
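Review bot: `core99_machine_info` still spells the type name as `MACHINE_TYPE_NAME("mac99")`, although this patch adds `TYPE_CORE99_MACHINE` to hw/ppc/mac.h for exactly that string. Writing `.name = TYPE_CORE99_MACHINE,` keeps the registration and the `CORE99_MACHINE()` cast from drifting apart. The bare `return;` in the empty `core99_instance_init()` is redundant, and the new `.instance_size` line lacks the trailing comma the other initializers carry.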
-- 
2.11.0


[Qemu-devel] [PATCH 2/7] mac_newworld: add via machine option to control mac99 VIA/ADB configuration
Posted by Mark Cave-Ayland, 1 week ago
This option allows the VIA configuration to be controlled between 3
different possible setups: cuda, pmu-adb and pmu with USB rather than ADB
keyboard/mouse.

For the moment we don't do anything with the configuration except to pass
it to the macio device (the via-cuda parent) and also to the firmware via
the fw_cfg interface so that it can present the correct device tree.

The default is cuda which is the current default and so will have no
change in behaviour.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
---
 hw/misc/macio/macio.c         |  7 +++++
 hw/ppc/mac.h                  |  6 ++++
 hw/ppc/mac_newworld.c         | 69 ++++++++++++++++++++++++++++++++++++++-----
 include/hw/misc/macio/macio.h |  2 ++
 include/hw/ppc/ppc.h          |  1 +
 5 files changed, 78 insertions(+), 7 deletions(-)

diff --git a/hw/misc/macio/macio.c b/hw/misc/macio/macio.c
index f9a40eea81..dddf743bcb 100644
--- a/hw/misc/macio/macio.c
+++ b/hw/misc/macio/macio.c
@@ -399,6 +399,12 @@ static const VMStateDescription vmstate_macio_newworld = {
     }
 };
 
+static Property macio_newworld_properties[] = {
+    DEFINE_PROP_BOOL("has-pmu", NewWorldMacIOState, has_pmu, false),
+    DEFINE_PROP_BOOL("has-adb", NewWorldMacIOState, has_adb, false),
+    DEFINE_PROP_END_OF_LIST()
+};
+
 static void macio_newworld_class_init(ObjectClass *oc, void *data)
 {
     PCIDeviceClass *pdc = PCI_DEVICE_CLASS(oc);
@@ -407,6 +413,7 @@ static void macio_newworld_class_init(ObjectClass *oc, void *data)
     pdc->realize = macio_newworld_realize;
     pdc->device_id = PCI_DEVICE_ID_APPLE_UNI_N_KEYL;
     dc->vmsd = &vmstate_macio_newworld;
+    dc->props = macio_newworld_properties;
 }
 
 static Property macio_properties[] = {
diff --git a/hw/ppc/mac.h b/hw/ppc/mac.h
index 8046cd8a2f..4c08f52b87 100644
--- a/hw/ppc/mac.h
+++ b/hw/ppc/mac.h
@@ -71,9 +71,15 @@
 #define CORE99_MACHINE(obj) OBJECT_CHECK(Core99MachineState, (obj), \
                                          TYPE_CORE99_MACHINE)
 
+#define CORE99_VIA_CONFIG_CUDA     0x0
+#define CORE99_VIA_CONFIG_PMU      0x1
+#define CORE99_VIA_CONFIG_PMU_ADB  0x2
+
 typedef struct Core99MachineState {
     /*< private >*/
     MachineState parent;
+
+    uint8_t via_config;
 } Core99MachineState;
 
 /* MacIO */
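Review bot: The `CORE99_VIA_CONFIG_*` values are handed unchanged to the firmware by the `fw_cfg_add_i32(fw_cfg, FW_CFG_PPC_VIACONFIG, ...)` call this patch adds to mac_newworld.c, so they are effectively guest-visible ABI, yet nothing next to the defines says so. A comment such as `/* Passed to the firmware via FW_CFG_PPC_VIACONFIG; do not renumber */` above them would stop a later cleanup from silently changing what the firmware sees. Declaring them as an enum with the same explicit values would also let the compiler check the `switch` in `core99_get_via_config()`, which currently maps any unknown value to "cuda" through `default:`.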
diff --git a/hw/ppc/mac_newworld.c b/hw/ppc/mac_newworld.c
index 5331aa002c..ca21d47234 100644
--- a/hw/ppc/mac_newworld.c
+++ b/hw/ppc/mac_newworld.c
@@ -111,6 +111,7 @@ static void ppc_core99_init(MachineState *machine)
     const char *kernel_cmdline = machine->kernel_cmdline;
     const char *initrd_filename = machine->initrd_filename;
     const char *boot_device = machine->boot_order;
+    Core99MachineState *core99_machine = CORE99_MACHINE(machine);
     PowerPCCPU *cpu = NULL;
     CPUPPCState *env = NULL;
     char *filename;
@@ -122,6 +123,7 @@ static void ppc_core99_init(MachineState *machine)
     UNINHostState *uninorth_pci;
     PCIBus *pci_bus;
     NewWorldMacIOState *macio;
+    bool has_pmu, has_adb;
     MACIOIDEState *macio_ide;
     BusState *adb_bus;
     MacIONVRAMState *nvr;
@@ -361,6 +363,9 @@ static void ppc_core99_init(MachineState *machine)
     }
 
     machine->usb |= defaults_enabled() && !machine->usb_disabled;
+    has_pmu = (core99_machine->via_config != CORE99_VIA_CONFIG_CUDA);
+    has_adb = (core99_machine->via_config == CORE99_VIA_CONFIG_CUDA ||
+               core99_machine->via_config == CORE99_VIA_CONFIG_PMU_ADB);
 
     /* Timebase Frequency */
     if (kvm_enabled()) {
@@ -376,6 +381,8 @@ static void ppc_core99_init(MachineState *machine)
     macio = NEWWORLD_MACIO(pci_create(pci_bus, -1, TYPE_NEWWORLD_MACIO));
     dev = DEVICE(macio);
     qdev_prop_set_uint64(dev, "frequency", tbfreq);
+    qdev_prop_set_bit(dev, "has-pmu", has_pmu);
+    qdev_prop_set_bit(dev, "has-adb", has_adb);
     object_property_set_link(OBJECT(macio), OBJECT(pic_dev), "pic",
                              &error_abort);
     qdev_init_nofail(dev);
@@ -391,19 +398,21 @@ static void ppc_core99_init(MachineState *machine)
                                                         "ide[1]"));
     macio_ide_init_drives(macio_ide, &hd[MAX_IDE_DEVS]);
 
-    dev = DEVICE(object_resolve_path_component(OBJECT(macio), "cuda"));
-    adb_bus = qdev_get_child_bus(dev, "adb.0");
-    dev = qdev_create(adb_bus, TYPE_ADB_KEYBOARD);
-    qdev_init_nofail(dev);
-    dev = qdev_create(adb_bus, TYPE_ADB_MOUSE);
-    qdev_init_nofail(dev);
+    if (has_adb) {
+        dev = DEVICE(object_resolve_path_component(OBJECT(macio), "cuda"));
+        adb_bus = qdev_get_child_bus(dev, "adb.0");
+        dev = qdev_create(adb_bus, TYPE_ADB_KEYBOARD);
+        qdev_init_nofail(dev);
+        dev = qdev_create(adb_bus, TYPE_ADB_MOUSE);
+        qdev_init_nofail(dev);
+    }
 
     if (machine->usb) {
         pci_create_simple(pci_bus, -1, "pci-ohci");
 
         /* U3 needs to use USB for input because Linux doesn't support via-cuda
         on PPC64 */
-        if (machine_arch == ARCH_MAC99_U3) {
+        if (!has_adb || machine_arch == ARCH_MAC99_U3) {
             USBBus *usb_bus = usb_bus_find(-1);
 
             usb_create_simple(usb_bus, "usb-kbd");
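Review bot: With `via=pmu` (`has_adb` false) the only keyboard and mouse are the USB ones created inside `if (machine->usb)`, so a machine started with USB disabled gets no input devices at all and nothing reports it. That may be acceptable for headless use, but it looks unintended; a check such as `if (!has_adb && !machine->usb) { warn_report("via=pmu without USB leaves the machine with no input devices"); }` would make it visible. The comment above the changed condition still explains only the U3 case and should mention `!has_adb` as well. ppc_core99_init() starts and ends outside this hunk.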
@@ -459,6 +468,8 @@ static void ppc_core99_init(MachineState *machine)
     fw_cfg_add_i16(fw_cfg, FW_CFG_PPC_HEIGHT, graphic_height);
     fw_cfg_add_i16(fw_cfg, FW_CFG_PPC_DEPTH, graphic_depth);
 
+    fw_cfg_add_i32(fw_cfg, FW_CFG_PPC_VIACONFIG, core99_machine->via_config);
+
     fw_cfg_add_i32(fw_cfg, FW_CFG_PPC_IS_KVM, kvm_enabled());
     if (kvm_enabled()) {
 #ifdef CONFIG_KVM
@@ -515,8 +526,52 @@ static void core99_machine_class_init(ObjectClass *oc, void *data)
 #endif
 }
 
+static char *core99_get_via_config(Object *obj, Error **errp)
+{
+    Core99MachineState *cms = CORE99_MACHINE(obj);
+
+    switch (cms->via_config) {
+    default:
+    case CORE99_VIA_CONFIG_CUDA:
+        return g_strdup("cuda");
+
+    case CORE99_VIA_CONFIG_PMU:
+        return g_strdup("pmu");
+
+    case CORE99_VIA_CONFIG_PMU_ADB:
+        return g_strdup("pmu-adb");
+    }
+}
+
+static void core99_set_via_config(Object *obj, const char *value, Error **errp)
+{
+    Core99MachineState *cms = CORE99_MACHINE(obj);
+
+    if (!strcmp(value, "cuda")) {
+        cms->via_config = CORE99_VIA_CONFIG_CUDA;
+    } else if (!strcmp(value, "pmu")) {
+        cms->via_config = CORE99_VIA_CONFIG_PMU;
+    } else if (!strcmp(value, "pmu-adb")) {
+        cms->via_config = CORE99_VIA_CONFIG_PMU_ADB;
+    } else {
+        error_setg(errp, "Invalid via value");
+        error_append_hint(errp, "Valid values are cuda, pmu, pmu-adb.\n");
+    }
+}
+
 static void core99_instance_init(Object *obj)
 {
+    Core99MachineState *cms = CORE99_MACHINE(obj);
+
+    /* Default via_config is CORE99_VIA_CONFIG_CUDA */
+    cms->via_config = CORE99_VIA_CONFIG_CUDA;
+    object_property_add_str(obj, "via", core99_get_via_config,
+                            core99_set_via_config, NULL);
+    object_property_set_description(obj, "via",
+                                    "Set VIA configuration. "
+                                    "Valid values are cuda, pmu and pmu-adb",
+                                    NULL);
+
     return;
 }
 
diff --git a/include/hw/misc/macio/macio.h b/include/hw/misc/macio/macio.h
index 838eaf1db0..9529073ba8 100644
--- a/include/hw/misc/macio/macio.h
+++ b/include/hw/misc/macio/macio.h
@@ -70,6 +70,8 @@ typedef struct NewWorldMacIOState {
     MacIOState parent_obj;
     /*< public >*/
 
+    bool has_pmu;
+    bool has_adb;
     OpenPICState *pic;
     MACIOIDEState ide[2];
 } NewWorldMacIOState;
diff --git a/include/hw/ppc/ppc.h b/include/hw/ppc/ppc.h
index b18ef3eefb..298ec354a8 100644
--- a/include/hw/ppc/ppc.h
+++ b/include/hw/ppc/ppc.h
@@ -101,6 +101,7 @@ enum {
 #define FW_CFG_PPC_NVRAM_ADDR   (FW_CFG_ARCH_LOCAL + 0x08)
 #define FW_CFG_PPC_BUSFREQ      (FW_CFG_ARCH_LOCAL + 0x09)
 #define FW_CFG_PPC_NVRAM_FLAT   (FW_CFG_ARCH_LOCAL + 0x0a)
+#define FW_CFG_PPC_VIACONFIG    (FW_CFG_ARCH_LOCAL + 0x0b)
 
 #define PPC_SERIAL_MM_BAUDBASE 399193
 
-- 
2.11.0


[Qemu-devel] [PATCH 3/7] mac_newworld: add gpios to macio devices with PMU enabled
Posted by Mark Cave-Ayland, 1 week ago
PMU-enabled New World Macs expose their GPIOs via a separate memory region
within the macio device.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
---
 default-configs/ppc-softmmu.mak |   1 +
 hw/misc/macio/Makefile.objs     |   1 +
 hw/misc/macio/gpio.c            | 218 ++++++++++++++++++++++++++++++++++++++++
 hw/misc/macio/macio.c           |  13 +++
 hw/misc/macio/trace-events      |   7 ++
 hw/ppc/mac.h                    |   2 +
 include/hw/misc/macio/gpio.h    |  47 +++++++++
 include/hw/misc/macio/macio.h   |   3 +
 8 files changed, 292 insertions(+)
 create mode 100644 hw/misc/macio/gpio.c
 create mode 100644 include/hw/misc/macio/gpio.h

diff --git a/default-configs/ppc-softmmu.mak b/default-configs/ppc-softmmu.mak
index 4d7be45ac5..38197e39eb 100644
--- a/default-configs/ppc-softmmu.mak
+++ b/default-configs/ppc-softmmu.mak
@@ -31,6 +31,7 @@ CONFIG_I2C=y
 CONFIG_MAC=y
 CONFIG_ESCC=y
 CONFIG_MACIO=y
+CONFIG_MACIO_GPIO=y
 CONFIG_SUNGEM=y
 CONFIG_MOS6522=y
 CONFIG_CUDA=y
diff --git a/hw/misc/macio/Makefile.objs b/hw/misc/macio/Makefile.objs
index ef7ac249ec..fb9dbf91b5 100644
--- a/hw/misc/macio/Makefile.objs
+++ b/hw/misc/macio/Makefile.objs
@@ -1,3 +1,4 @@
 common-obj-y += macio.o
 common-obj-$(CONFIG_CUDA) += cuda.o
 common-obj-$(CONFIG_MAC_DBDMA) += mac_dbdma.o
+common-obj-$(CONFIG_MACIO_GPIO) += gpio.o
diff --git a/hw/misc/macio/gpio.c b/hw/misc/macio/gpio.c
new file mode 100644
index 0000000000..5630afdf18
--- /dev/null
+++ b/hw/misc/macio/gpio.c
@@ -0,0 +1,218 @@
+/*
+ * PowerMac NewWorld MacIO GPIO emulation
+ *
+ * Copyright (c) 2016 Benjamin Herrenschmidt
+ * Copyright (c) 2018 Mark Cave-Ayland
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "qemu/osdep.h"
+#include "hw/hw.h"
+#include "hw/ppc/mac.h"
+#include "hw/misc/macio/macio.h"
+#include "hw/misc/macio/gpio.h"
+#include "qemu/log.h"
+#include "trace.h"
+
+
+void macio_set_gpio(MacIOGPIOState *s, uint32_t gpio, bool state)
+{
+    uint8_t new_reg;
+
+    trace_macio_set_gpio(gpio, state);
+
+    if (s->gpio_regs[gpio] & 4) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "GPIO: Setting GPIO %d while it's an output\n", gpio);
+    }
+
+    new_reg = s->gpio_regs[gpio] & ~2;
+    if (state) {
+        new_reg |= 2;
+    }
+
+    if (new_reg == s->gpio_regs[gpio]) {
+        return;
+    }
+
+    s->gpio_regs[gpio] = new_reg;
+
+    /* This is will work until we fix the binding between MacIO and
+     * the MPIC properly so we can route all GPIOs and avoid going
+     * via the top level platform code.
+     *
+     * Note that we probably need to get access to the MPIC config to
+     * decode polarity since qemu always use "raise" regardless.
+     *
+     * For now, we hard wire known GPIOs
+     */
+
+    switch (gpio) {
+    case 1:
+        /* Level low */
+        if (!state) {
+            trace_macio_gpio_irq_assert(gpio);
+            qemu_irq_raise(s->gpio_extirqs[gpio]);
+        } else {
+            trace_macio_gpio_irq_deassert(gpio);
+            qemu_irq_lower(s->gpio_extirqs[gpio]);
+        }
+        break;
+
+    case 9:
+        /* Edge, triggered by NMI below */
+        if (state) {
+            trace_macio_gpio_irq_assert(gpio);
+            qemu_irq_raise(s->gpio_extirqs[gpio]);
+        } else {
+            trace_macio_gpio_irq_deassert(gpio);
+            qemu_irq_lower(s->gpio_extirqs[gpio]);
+        }
+        break;
+
+    default:
+        qemu_log_mask(LOG_UNIMP, "GPIO: setting unimplemented GPIO %d", gpio);
+    }
+}
+
+static void macio_gpio_write(void *opaque, hwaddr addr, uint64_t value,
+                             unsigned size)
+{
+    MacIOGPIOState *s = opaque;
+    uint8_t ibit;
+
+    trace_macio_gpio_write(addr, value);
+
+    /* Levels regs are read-only */
+    if (addr < 8) {
+        return;
+    }
+
+    addr -= 8;
+    if (addr < 36) {
+        value &= ~2;
+
+        if (value & 4) {
+            ibit = (value & 1) << 1;
+        } else {
+            ibit = s->gpio_regs[addr] & 2;
+        }
+
+        s->gpio_regs[addr] = value | ibit;
+    }
+}
+
+static uint64_t macio_gpio_read(void *opaque, hwaddr addr, unsigned size)
+{
+    MacIOGPIOState *s = opaque;
+    uint64_t val = 0;
+
+    /* Levels regs */
+    if (addr < 8) {
+        val = s->gpio_levels[addr];
+    } else {
+        addr -= 8;
+
+        if (addr < 36) {
+            val = s->gpio_regs[addr];
+        }
+    }
+
+    trace_macio_gpio_write(addr, val);
+    return val;
+}
+
+static const MemoryRegionOps macio_gpio_ops = {
+    .read = macio_gpio_read,
+    .write = macio_gpio_write,
+    .endianness = DEVICE_LITTLE_ENDIAN,
+    .impl = {
+        .min_access_size = 1,
+        .max_access_size = 1,
+    },
+};
+
+static void macio_gpio_realize(DeviceState *dev, Error **errp)
+{
+    MacIOGPIOState *s = MACIO_GPIO(dev);
+
+    s->gpio_extirqs[1] = qdev_get_gpio_in(DEVICE(s->pic),
+                                          NEWWORLD_EXTING_GPIO1);
+    s->gpio_extirqs[9] = qdev_get_gpio_in(DEVICE(s->pic),
+                                          NEWWORLD_EXTING_GPIO9);
+}
+
+static void macio_gpio_init(Object *obj)
+{
+    SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
+    MacIOGPIOState *s = MACIO_GPIO(obj);
+
+    object_property_add_link(obj, "pic", TYPE_OPENPIC,
+                             (Object **) &s->pic,
+                             qdev_prop_allow_set_link_before_realize,
+                             0, NULL);
+
+    memory_region_init_io(&s->gpiomem, OBJECT(s), &macio_gpio_ops, obj,
+                          "gpio", 0x30);
+    sysbus_init_mmio(sbd, &s->gpiomem);
+}
+
+static const VMStateDescription vmstate_macio_gpio = {
+    .name = "macio_gpio",
+    .version_id = 0,
+    .minimum_version_id = 0,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT8_ARRAY(gpio_levels, MacIOGPIOState, 8),
+        VMSTATE_UINT8_ARRAY(gpio_regs, MacIOGPIOState, 36),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static void macio_gpio_reset(DeviceState *dev)
+{
+    MacIOGPIOState *s = MACIO_GPIO(dev);
+
+    /* GPIO 1 is up by default */
+    macio_set_gpio(s, 1, true);
+}
+
+static void macio_gpio_class_init(ObjectClass *oc, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(oc);
+
+    dc->realize = macio_gpio_realize;
+    dc->reset = macio_gpio_reset;
+    dc->vmsd = &vmstate_macio_gpio;
+}
+
+static const TypeInfo macio_gpio_init_info = {
+    .name          = TYPE_MACIO_GPIO,
+    .parent        = TYPE_SYS_BUS_DEVICE,
+    .instance_size = sizeof(MacIOGPIOState),
+    .instance_init = macio_gpio_init,
+    .class_init    = macio_gpio_class_init,
+};
+
+static void macio_gpio_register_types(void)
+{
+    type_register_static(&macio_gpio_init_info);
+}
+
+type_init(macio_gpio_register_types)
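Review bot: macio_gpio_read() ends with `trace_macio_gpio_write(addr, val)`, so reads are logged under the write tracepoint and the `macio_gpio_read` event this patch adds to trace-events is never emitted. For the non-level registers `addr` has also been reduced by 8 by then, so the logged offset no longer matches the guest access. Calling `trace_macio_gpio_read(addr, val);` with the original offset (trace before `addr -= 8`, or keep the offset in a local) fixes both. Separately, macio_set_gpio() is exported through gpio.h and indexes `s->gpio_regs[gpio]` and `s->gpio_extirqs[gpio]` with no range check. The MMIO handlers do bound `addr`, but a `g_assert(gpio < ARRAY_SIZE(s->gpio_regs));` at the top would stop a future caller from writing past the arrays.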
diff --git a/hw/misc/macio/macio.c b/hw/misc/macio/macio.c
index dddf743bcb..8dfcbc3d9b 100644
--- a/hw/misc/macio/macio.c
+++ b/hw/misc/macio/macio.c
@@ -332,6 +332,16 @@ static void macio_newworld_realize(PCIDevice *d, Error **errp)
     memory_region_init_io(timer_memory, OBJECT(s), &timer_ops, NULL, "timer",
                           0x1000);
     memory_region_add_subregion(&s->bar, 0x15000, timer_memory);
+
+    if (ns->has_pmu) {
+        /* GPIOs */
+        sysbus_dev = SYS_BUS_DEVICE(&ns->gpio);
+        object_property_set_link(OBJECT(&ns->gpio), OBJECT(pic_dev), "pic",
+                                 &error_abort);
+        memory_region_add_subregion(&s->bar, 0x50,
+                                    sysbus_mmio_get_region(sysbus_dev, 0));
+        object_property_set_bool(OBJECT(&ns->gpio), true, "realized", &err);
+    }
 }
 
 static void macio_newworld_init(Object *obj)
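Review bot: The result of realizing the GPIO device is dropped: `object_property_set_bool(OBJECT(&ns->gpio), true, "realized", &err)` is the last statement before the closing brace, so a failure stored in `err` never reaches `errp`. Follow the call with `if (err) { error_propagate(errp, err); return; }`. It would also be safer to realize the device before `memory_region_add_subregion()` maps its region into the BAR, so that a failed realize does not leave the region mapped. macio_newworld_realize() starts outside this hunk, so the declaration of `err` and any earlier handling are not visible here.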
@@ -345,6 +355,9 @@ static void macio_newworld_init(Object *obj)
                              qdev_prop_allow_set_link_before_realize,
                              0, NULL);
 
+    object_initialize(&ns->gpio, sizeof(ns->gpio), TYPE_MACIO_GPIO);
+    qdev_set_parent_bus(DEVICE(&ns->gpio), sysbus_get_default());
+
     for (i = 0; i < 2; i++) {
         macio_init_ide(s, &ns->ide[i], sizeof(ns->ide[i]), i);
     }
diff --git a/hw/misc/macio/trace-events b/hw/misc/macio/trace-events
index d499d78c99..71c47520eb 100644
--- a/hw/misc/macio/trace-events
+++ b/hw/misc/macio/trace-events
@@ -13,3 +13,10 @@ cuda_packet_send_data(int i, const uint8_t data) "[%d] 0x%02x"
 # hw/misc/macio/macio.c
 macio_timer_write(uint64_t addr, unsigned len, uint64_t val) "write addr 0x%"PRIx64 " len %d val 0x%"PRIx64
 macio_timer_read(uint64_t addr, unsigned len, uint32_t val) "read addr 0x%"PRIx64 " len %d val 0x%"PRIx32
+
+# hw/misc/macio/gpio.c
+macio_set_gpio(int gpio, bool state) "setting GPIO %d to %d"
+macio_gpio_irq_assert(int gpio) "asserting GPIO %d"
+macio_gpio_irq_deassert(int gpio) "deasserting GPIO %d"
+macio_gpio_write(uint64_t addr, uint64_t val) "addr: 0x%"PRIx64" value: 0x%"PRIx64
+macio_gpio_read(uint64_t addr, uint64_t val) "addr: 0x%"PRIx64" value: 0x%"PRIx64
diff --git a/hw/ppc/mac.h b/hw/ppc/mac.h
index 4c08f52b87..b3b7f9d8ae 100644
--- a/hw/ppc/mac.h
+++ b/hw/ppc/mac.h
@@ -65,6 +65,8 @@
 #define NEWWORLD_IDE0_DMA_IRQ  0x2
 #define NEWWORLD_IDE1_IRQ      0xe
 #define NEWWORLD_IDE1_DMA_IRQ  0x3
+#define NEWWORLD_EXTING_GPIO1  0x2f
+#define NEWWORLD_EXTING_GPIO9  0x37
 
 /* Core99 machine */
 #define TYPE_CORE99_MACHINE MACHINE_TYPE_NAME("mac99")
diff --git a/include/hw/misc/macio/gpio.h b/include/hw/misc/macio/gpio.h
new file mode 100644
index 0000000000..2838ae5fde
--- /dev/null
+++ b/include/hw/misc/macio/gpio.h
@@ -0,0 +1,47 @@
+/*
+ * PowerMac NewWorld MacIO GPIO emulation
+ *
+ * Copyright (c) 2016 Benjamin Herrenschmidt
+ * Copyright (c) 2018 Mark Cave-Ayland
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#ifndef MACIO_GPIO_H
+#define MACIO_GPIO_H
+
+#define TYPE_MACIO_GPIO "macio-gpio"
+#define MACIO_GPIO(obj) OBJECT_CHECK(MacIOGPIOState, (obj), TYPE_MACIO_GPIO)
+
+typedef struct MacIOGPIOState {
+    /*< private >*/
+    SysBusDevice parent;
+    /*< public >*/
+
+    OpenPICState *pic;
+
+    MemoryRegion gpiomem;
+    qemu_irq gpio_extirqs[10];
+    uint8_t gpio_levels[8];
+    uint8_t gpio_regs[36]; /* XXX Check count */
+} MacIOGPIOState;
+
+void macio_set_gpio(MacIOGPIOState *s, uint32_t gpio, bool state);
+
+#endif
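Review bot: The array sizes in MacIOGPIOState are bare literals (`gpio_extirqs[10]`, `gpio_levels[8]`, and `gpio_regs[36]`, the last still marked `XXX Check count`). The same 8 and 36 are repeated in gpio.c for the MMIO bounds checks and the VMState arrays. Those checks are what keep guest accesses inside the arrays, so define each count once, e.g. `#define MACIO_GPIO_NUM_REGS 36`, and use the names in both files so that a corrected count cannot leave a stale bound behind. The header also uses SysBusDevice, OpenPICState, MemoryRegion and qemu_irq without including anything itself, so it only compiles when the includer has already pulled those in.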
diff --git a/include/hw/misc/macio/macio.h b/include/hw/misc/macio/macio.h
index 9529073ba8..d43883a893 100644
--- a/include/hw/misc/macio/macio.h
+++ b/include/hw/misc/macio/macio.h
@@ -26,8 +26,10 @@
 #ifndef MACIO_H
 #define MACIO_H
 
+#include "hw/char/escc.h"
 #include "hw/intc/heathrow_pic.h"
 #include "hw/misc/macio/cuda.h"
+#include "hw/misc/macio/gpio.h"
 #include "hw/ppc/mac_dbdma.h"
 #include "hw/ppc/openpic.h"
 
@@ -74,6 +76,7 @@ typedef struct NewWorldMacIOState {
     bool has_adb;
     OpenPICState *pic;
     MACIOIDEState ide[2];
+    MacIOGPIOState gpio;
 } NewWorldMacIOState;
 
 #endif /* MACIO_H */
-- 
2.11.0


[Qemu-devel] [PATCH 4/7] mac_newworld: wire up programmer switch to NMI handler
Posted by Mark Cave-Ayland, 1 week ago
The programmer switch is wired up via an external GPIO pin and can be used
to aid debugging Mac guests.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
---
 hw/misc/macio/gpio.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/hw/misc/macio/gpio.c b/hw/misc/macio/gpio.c
index 5630afdf18..9317df759c 100644
--- a/hw/misc/macio/gpio.c
+++ b/hw/misc/macio/gpio.c
@@ -28,6 +28,7 @@
 #include "hw/ppc/mac.h"
 #include "hw/misc/macio/macio.h"
 #include "hw/misc/macio/gpio.h"
+#include "hw/nmi.h"
 #include "qemu/log.h"
 #include "trace.h"
 
@@ -193,13 +194,21 @@ static void macio_gpio_reset(DeviceState *dev)
     macio_set_gpio(s, 1, true);
 }
 
+static void macio_gpio_nmi(NMIState *n, int cpu_index, Error **errp)
+{
+    macio_set_gpio(MACIO_GPIO(n), 9, true);
+    macio_set_gpio(MACIO_GPIO(n), 9, false);
+}
+
 static void macio_gpio_class_init(ObjectClass *oc, void *data)
 {
     DeviceClass *dc = DEVICE_CLASS(oc);
+    NMIClass *nc = NMI_CLASS(oc);
 
     dc->realize = macio_gpio_realize;
     dc->reset = macio_gpio_reset;
     dc->vmsd = &vmstate_macio_gpio;
+    nc->nmi_monitor_handler = macio_gpio_nmi;
 }
 
 static const TypeInfo macio_gpio_init_info = {
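Review bot: The GPIO number `9` in macio_gpio_nmi is an unexplained literal, and the handler ignores both `cpu_index` and `errp` without saying so. A comment above the function would cover both, for example `/* Pulse GPIO 9 (programmer switch) to signal an NMI to the guest; cpu_index is unused */`. macio_set_gpio's body is not in this hunk, and the header declares `gpio_levels[8]` next to `gpio_extirqs[10]`, so it is worth confirming that index 9 is never used against the 8-entry array.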
@@ -208,6 +217,10 @@ static const TypeInfo macio_gpio_init_info = {
     .instance_size = sizeof(MacIOGPIOState),
     .instance_init = macio_gpio_init,
     .class_init    = macio_gpio_class_init,
+    .interfaces = (InterfaceInfo[]) {
+        { TYPE_NMI },
+        { }
+    },
 };
 
 static void macio_gpio_register_types(void)
-- 
2.11.0


[Qemu-devel] [PATCH 5/7] adb: fix read reg 3 byte ordering
Posted by Mark Cave-Ayland, 1 week ago
According to the Apple ADB documentation, register 3 is a 2-byte register
with the device address in the first byte, and the handler ID in the second
byte.

This is currently the opposite of the order in which QEMU returns them, so
switch the order around.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
---
 hw/input/adb-kbd.c   | 4 ++--
 hw/input/adb-mouse.c | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/hw/input/adb-kbd.c b/hw/input/adb-kbd.c
index 50b62712c8..0ad384dc89 100644
--- a/hw/input/adb-kbd.c
+++ b/hw/input/adb-kbd.c
@@ -290,8 +290,8 @@ static int adb_kbd_request(ADBDevice *d, uint8_t *obuf,
             olen = 2;
             break;
         case 3:
-            obuf[0] = d->handler;
-            obuf[1] = d->devaddr;
+            obuf[0] = d->devaddr;
+            obuf[1] = d->handler;
             olen = 2;
             break;
         }
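Review bot: Nothing in the `case 3:` branch records the register 3 byte layout, so the next reader has to go back to the ADB documentation to see why the order matters. A one-line comment above the two assignments would do, such as `/* reg 3: byte 0 = device address, byte 1 = handler ID */`, and the same applies to the matching hunk in hw/input/adb-mouse.c. `d->devaddr` and `d->handler` are `int` fields stored into `uint8_t` slots, which presumably relies on them already being in range. adb_kbd_request starts and ends outside this hunk, so that cannot be confirmed here.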
diff --git a/hw/input/adb-mouse.c b/hw/input/adb-mouse.c
index 3ba6027d33..473045fbac 100644
--- a/hw/input/adb-mouse.c
+++ b/hw/input/adb-mouse.c
@@ -172,8 +172,8 @@ static int adb_mouse_request(ADBDevice *d, uint8_t *obuf,
         case 1:
             break;
         case 3:
-            obuf[0] = d->handler;
-            obuf[1] = d->devaddr;
+            obuf[0] = d->devaddr;
+            obuf[1] = d->handler;
             olen = 2;
             break;
         }
-- 
2.11.0


[Qemu-devel] [PATCH 6/7] adb: add property to disable direct reg 3 writes
Posted by Mark Cave-Ayland, 1 week ago
MacOS 9 has a bug in its PMU driver whereby after configuring the ADB bus
devices it sends another write to reg 3 on both devices resetting them
both back to the same address.

Add a new disable_direct_reg3_writes property to ADBDevice to disable these
direct writes, which can be enabled just for the upcoming pmu-adb support.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
---
 hw/input/adb-kbd.c     | 25 ++++++++++++++-----------
 hw/input/adb-mouse.c   | 37 ++++++++++++++++++++-----------------
 hw/input/adb.c         |  7 +++++++
 include/hw/input/adb.h |  1 +
 4 files changed, 42 insertions(+), 28 deletions(-)

diff --git a/hw/input/adb-kbd.c b/hw/input/adb-kbd.c
index 0ad384dc89..b026e9d49f 100644
--- a/hw/input/adb-kbd.c
+++ b/hw/input/adb-kbd.c
@@ -261,18 +261,21 @@ static int adb_kbd_request(ADBDevice *d, uint8_t *obuf,
                 trace_adb_kbd_request_change_addr(d->devaddr);
                 break;
             default:
-                d->devaddr = buf[1] & 0xf;
-                /* we support handlers:
-                 * 1: Apple Standard Keyboard
-                 * 2: Apple Extended Keyboard (LShift = RShift)
-                 * 3: Apple Extended Keyboard (LShift != RShift)
-                 */
-                if (buf[2] == 1 || buf[2] == 2 || buf[2] == 3) {
-                    d->handler = buf[2];
+                if (!d->disable_direct_reg3_writes) {
+                    d->devaddr = buf[1] & 0xf;
+
+                    /* we support handlers:
+                     * 1: Apple Standard Keyboard
+                     * 2: Apple Extended Keyboard (LShift = RShift)
+                     * 3: Apple Extended Keyboard (LShift != RShift)
+                     */
+                    if (buf[2] == 1 || buf[2] == 2 || buf[2] == 3) {
+                        d->handler = buf[2];
+                    }
+
+                    trace_adb_kbd_request_change_addr_and_handler(d->devaddr,
+                                                                  d->handler);
                 }
-
-                trace_adb_kbd_request_change_addr_and_handler(d->devaddr,
-                                                              d->handler);
                 break;
             }
         }
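Review bot: With `disable_direct_reg3_writes` set, the `default:` branch drops the guest's register 3 write with no trace output and no comment, so a guest that fails to re-address its devices will be hard to diagnose. Only this branch is gated; the preceding case that ends in `trace_adb_kbd_request_change_addr(d->devaddr)` appears to still change the address. A comment should therefore say exactly what the property disables, for example `/* direct address/handler writes are ignored when disable_direct_reg3_writes is set (MacOS 9 PMU driver workaround) */`. The same applies to the matching hunk in hw/input/adb-mouse.c. adb_kbd_request starts and ends outside this hunk, so whether `buf[1]` and `buf[2]` are length-checked before this point cannot be seen here.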
diff --git a/hw/input/adb-mouse.c b/hw/input/adb-mouse.c
index 473045fbac..83833b0035 100644
--- a/hw/input/adb-mouse.c
+++ b/hw/input/adb-mouse.c
@@ -142,24 +142,27 @@ static int adb_mouse_request(ADBDevice *d, uint8_t *obuf,
                 trace_adb_mouse_request_change_addr(d->devaddr);
                 break;
             default:
-                d->devaddr = buf[1] & 0xf;
-                /* we support handlers:
-                 * 0x01: Classic Apple Mouse Protocol / 100 cpi operations
-                 * 0x02: Classic Apple Mouse Protocol / 200 cpi operations
-                 * we don't support handlers (at least):
-                 * 0x03: Mouse systems A3 trackball
-                 * 0x04: Extended Apple Mouse Protocol
-                 * 0x2f: Microspeed mouse
-                 * 0x42: Macally
-                 * 0x5f: Microspeed mouse
-                 * 0x66: Microspeed mouse
-                 */
-                if (buf[2] == 1 || buf[2] == 2) {
-                    d->handler = buf[2];
+                if (!d->disable_direct_reg3_writes) {
+                    d->devaddr = buf[1] & 0xf;
+
+                    /* we support handlers:
+                     * 0x01: Classic Apple Mouse Protocol / 100 cpi operations
+                     * 0x02: Classic Apple Mouse Protocol / 200 cpi operations
+                     * we don't support handlers (at least):
+                     * 0x03: Mouse systems A3 trackball
+                     * 0x04: Extended Apple Mouse Protocol
+                     * 0x2f: Microspeed mouse
+                     * 0x42: Macally
+                     * 0x5f: Microspeed mouse
+                     * 0x66: Microspeed mouse
+                     */
+                    if (buf[2] == 1 || buf[2] == 2) {
+                        d->handler = buf[2];
+                    }
+
+                    trace_adb_mouse_request_change_addr_and_handler(
+                        d->devaddr, d->handler);
                 }
-
-                trace_adb_mouse_request_change_addr_and_handler(d->devaddr,
-                                                                d->handler);
                 break;
             }
         }
diff --git a/hw/input/adb.c b/hw/input/adb.c
index 23ae6f0d75..bbb40aeef1 100644
--- a/hw/input/adb.c
+++ b/hw/input/adb.c
@@ -113,11 +113,18 @@ static void adb_device_realizefn(DeviceState *dev, Error **errp)
     bus->devices[bus->nb_devices++] = d;
 }
 
+static Property adb_device_properties[] = {
+    DEFINE_PROP_BOOL("disable-direct-reg3-writes", ADBDevice,
+                     disable_direct_reg3_writes, false),
+    DEFINE_PROP_END_OF_LIST(),
+};
+
 static void adb_device_class_init(ObjectClass *oc, void *data)
 {
     DeviceClass *dc = DEVICE_CLASS(oc);
 
     dc->realize = adb_device_realizefn;
+    dc->props = adb_device_properties;
     dc->bus_type = TYPE_ADB_BUS;
 }
 
diff --git a/include/hw/input/adb.h b/include/hw/input/adb.h
index 3ae8445e95..f99d478252 100644
--- a/include/hw/input/adb.h
+++ b/include/hw/input/adb.h
@@ -49,6 +49,7 @@ struct ADBDevice {
 
     int devaddr;
     int handler;
+    bool disable_direct_reg3_writes;
 };
 
 #define ADB_DEVICE_CLASS(cls) \
-- 
2.11.0


[Qemu-devel] [PATCH 7/7] mac_newworld: add PMU device
Posted by Mark Cave-Ayland, 1 week ago
The PMU device supersedes the CUDA device found on older New World Macs and
is supported by a larger number of guest OSs from OS 9 to OS X 10.5.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
---
 default-configs/ppc-softmmu.mak |   1 +
 hw/misc/macio/Makefile.objs     |   1 +
 hw/misc/macio/macio.c           |  69 +++-
 hw/misc/macio/pmu.c             | 871 ++++++++++++++++++++++++++++++++++++++++
 hw/misc/macio/trace-events      |  21 +
 hw/ppc/mac.h                    |   1 +
 hw/ppc/mac_newworld.c           |  10 +-
 include/hw/misc/macio/macio.h   |   2 +
 include/hw/misc/macio/pmu.h     | 237 +++++++++++
 9 files changed, 1193 insertions(+), 20 deletions(-)
 create mode 100644 hw/misc/macio/pmu.c
 create mode 100644 include/hw/misc/macio/pmu.h

diff --git a/default-configs/ppc-softmmu.mak b/default-configs/ppc-softmmu.mak
index 38197e39eb..abeeb0418a 100644
--- a/default-configs/ppc-softmmu.mak
+++ b/default-configs/ppc-softmmu.mak
@@ -38,6 +38,7 @@ CONFIG_CUDA=y
 CONFIG_ADB=y
 CONFIG_MAC_NVRAM=y
 CONFIG_MAC_DBDMA=y
+CONFIG_MAC_PMU=y
 CONFIG_HEATHROW_PIC=y
 CONFIG_GRACKLE_PCI=y
 CONFIG_UNIN_PCI=y
diff --git a/hw/misc/macio/Makefile.objs b/hw/misc/macio/Makefile.objs
index fb9dbf91b5..07fdb320d4 100644
--- a/hw/misc/macio/Makefile.objs
+++ b/hw/misc/macio/Makefile.objs
@@ -1,4 +1,5 @@
 common-obj-y += macio.o
 common-obj-$(CONFIG_CUDA) += cuda.o
+common-obj-$(CONFIG_MAC_PMU) += pmu.o
 common-obj-$(CONFIG_MAC_DBDMA) += mac_dbdma.o
 common-obj-$(CONFIG_MACIO_GPIO) += gpio.o
diff --git a/hw/misc/macio/macio.c b/hw/misc/macio/macio.c
index 8dfcbc3d9b..d135e3bc2b 100644
--- a/hw/misc/macio/macio.c
+++ b/hw/misc/macio/macio.c
@@ -105,17 +105,6 @@ static void macio_common_realize(PCIDevice *d, Error **errp)
     memory_region_add_subregion(&s->bar, 0x08000,
                                 sysbus_mmio_get_region(sysbus_dev, 0));
 
-    qdev_prop_set_uint64(DEVICE(&s->cuda), "timebase-frequency",
-                         s->frequency);
-    object_property_set_bool(OBJECT(&s->cuda), true, "realized", &err);
-    if (err) {
-        error_propagate(errp, err);
-        return;
-    }
-    sysbus_dev = SYS_BUS_DEVICE(&s->cuda);
-    memory_region_add_subregion(&s->bar, 0x16000,
-                                sysbus_mmio_get_region(sysbus_dev, 0));
-
     qdev_prop_set_uint32(DEVICE(&s->escc), "disabled", 0);
     qdev_prop_set_uint32(DEVICE(&s->escc), "frequency", ESCC_CLOCK);
     qdev_prop_set_uint32(DEVICE(&s->escc), "it_shift", 4);
@@ -163,7 +152,16 @@ static void macio_oldworld_realize(PCIDevice *d, Error **errp)
         return;
     }
 
+    qdev_prop_set_uint64(DEVICE(&s->cuda), "timebase-frequency",
+                         s->frequency);
+    object_property_set_bool(OBJECT(&s->cuda), true, "realized", &err);
+    if (err) {
+        error_propagate(errp, err);
+        return;
+    }
     sysbus_dev = SYS_BUS_DEVICE(&s->cuda);
+    memory_region_add_subregion(&s->bar, 0x16000,
+                                sysbus_mmio_get_region(sysbus_dev, 0));
     sysbus_connect_irq(sysbus_dev, 0, qdev_get_gpio_in(pic_dev,
                                                        OLDWORLD_CUDA_IRQ));
 
@@ -234,6 +232,10 @@ static void macio_oldworld_init(Object *obj)
                              qdev_prop_allow_set_link_before_realize,
                              0, NULL);
 
+    object_initialize(&s->cuda, sizeof(s->cuda), TYPE_CUDA);
+    qdev_set_parent_bus(DEVICE(&s->cuda), sysbus_get_default());
+    object_property_add_child(obj, "cuda", OBJECT(&s->cuda), NULL);
+
     object_initialize(&os->nvram, sizeof(os->nvram), TYPE_MACIO_NVRAM);
     dev = DEVICE(&os->nvram);
     qdev_prop_set_uint32(dev, "size", 0x2000);
@@ -293,10 +295,6 @@ static void macio_newworld_realize(PCIDevice *d, Error **errp)
         return;
     }
 
-    sysbus_dev = SYS_BUS_DEVICE(&s->cuda);
-    sysbus_connect_irq(sysbus_dev, 0, qdev_get_gpio_in(pic_dev,
-                                                       NEWWORLD_CUDA_IRQ));
-
     sysbus_dev = SYS_BUS_DEVICE(&s->escc);
     sysbus_connect_irq(sysbus_dev, 0, qdev_get_gpio_in(pic_dev,
                                                        NEWWORLD_ESCCB_IRQ));
@@ -341,6 +339,43 @@ static void macio_newworld_realize(PCIDevice *d, Error **errp)
         memory_region_add_subregion(&s->bar, 0x50,
                                     sysbus_mmio_get_region(sysbus_dev, 0));
         object_property_set_bool(OBJECT(&ns->gpio), true, "realized", &err);
+
+        /* PMU */
+        object_initialize(&s->pmu, sizeof(s->pmu), TYPE_VIA_PMU);
+        object_property_set_link(OBJECT(&s->pmu), OBJECT(sysbus_dev), "gpio",
+                                 &error_abort);
+        qdev_prop_set_bit(DEVICE(&s->pmu), "has-adb", ns->has_adb);
+        qdev_set_parent_bus(DEVICE(&s->pmu), sysbus_get_default());
+        object_property_add_child(OBJECT(s), "pmu", OBJECT(&s->pmu), NULL);
+
+        object_property_set_bool(OBJECT(&s->pmu), true, "realized", &err);
+        if (err) {
+            error_propagate(errp, err);
+            return;
+        }
+        sysbus_dev = SYS_BUS_DEVICE(&s->pmu);
+        sysbus_connect_irq(sysbus_dev, 0, qdev_get_gpio_in(pic_dev,
+                                                           NEWWORLD_PMU_IRQ));
+        memory_region_add_subregion(&s->bar, 0x16000,
+                                    sysbus_mmio_get_region(sysbus_dev, 0));
+    } else {
+        /* CUDA */
+        object_initialize(&s->cuda, sizeof(s->cuda), TYPE_CUDA);
+        qdev_set_parent_bus(DEVICE(&s->cuda), sysbus_get_default());
+        object_property_add_child(OBJECT(s), "cuda", OBJECT(&s->cuda), NULL);
+        qdev_prop_set_uint64(DEVICE(&s->cuda), "timebase-frequency",
+                             s->frequency);
+
+        object_property_set_bool(OBJECT(&s->cuda), true, "realized", &err);
+        if (err) {
+            error_propagate(errp, err);
+            return;
+        }
+        sysbus_dev = SYS_BUS_DEVICE(&s->cuda);
+        sysbus_connect_irq(sysbus_dev, 0, qdev_get_gpio_in(pic_dev,
+                                                           NEWWORLD_CUDA_IRQ));
+        memory_region_add_subregion(&s->bar, 0x16000,
+                                    sysbus_mmio_get_region(sysbus_dev, 0));
     }
 }
 
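Review bot: The `err` filled in by realizing `ns->gpio`, on the context line directly above the added PMU block, is never checked, and the new code then passes the same `&err` to the PMU realize. If the GPIO realize failed, the PMU would be linked to a device that did not realize and the pending error would be reused instead of reported. Adding `if (err) { error_propagate(errp, err); return; }` right after the GPIO realize, matching what the new code does after the PMU and CUDA realizes, closes that. Separately, the PMU and CUDA children are now created with `object_initialize` inside realize, presumably because the choice between them is only known at that point; a short comment saying so would help. macio_newworld_realize starts outside this hunk.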
@@ -369,10 +404,6 @@ static void macio_instance_init(Object *obj)
 
     memory_region_init(&s->bar, obj, "macio", 0x80000);
 
-    object_initialize(&s->cuda, sizeof(s->cuda), TYPE_CUDA);
-    qdev_set_parent_bus(DEVICE(&s->cuda), sysbus_get_default());
-    object_property_add_child(obj, "cuda", OBJECT(&s->cuda), NULL);
-
     object_initialize(&s->dbdma, sizeof(s->dbdma), TYPE_MAC_DBDMA);
     qdev_set_parent_bus(DEVICE(&s->dbdma), sysbus_get_default());
     object_property_add_child(obj, "dbdma", OBJECT(&s->dbdma), NULL);
diff --git a/hw/misc/macio/pmu.c b/hw/misc/macio/pmu.c
new file mode 100644
index 0000000000..e246b0fd41
--- /dev/null
+++ b/hw/misc/macio/pmu.c
@@ -0,0 +1,871 @@
+/*
+ * QEMU PowerMac PMU device support
+ *
+ * Copyright (c) 2016 Benjamin Herrenschmidt, IBM Corp.
+ * Copyright (c) 2018 Mark Cave-Ayland
+ *
+ * Based on the CUDA device by:
+ *
+ * Copyright (c) 2004-2007 Fabrice Bellard
+ * Copyright (c) 2007 Jocelyn Mayer
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "qemu/osdep.h"
+#include "hw/hw.h"
+#include "hw/ppc/mac.h"
+#include "hw/input/adb.h"
+#include "hw/misc/mos6522.h"
+#include "hw/misc/macio/gpio.h"
+#include "hw/misc/macio/pmu.h"
+#include "qemu/timer.h"
+#include "sysemu/sysemu.h"
+#include "qemu/cutils.h"
+#include "qemu/log.h"
+#include "trace.h"
+
+
+/* Bits in B data register: all active low */
+#define TACK    0x08    /* Transfer request (input) */
+#define TREQ    0x10    /* Transfer acknowledge (output) */
+
+/* PMU returns time_t's offset from Jan 1, 1904, not 1970 */
+#define RTC_OFFSET                      2082844800
+
+#define VIA_TIMER_FREQ (4700000 / 6)
+
+static void via_update_irq(PMUState *s)
+{
+    MOS6522PMUState *mps = MOS6522_PMU(&s->mos6522_pmu);
+    MOS6522State *ms = MOS6522(mps);
+
+    bool new_state = !!(ms->ifr & ms->ier & (SR_INT | T1_INT | T2_INT));
+
+    if (new_state != s->via_irq_state) {
+        s->via_irq_state = new_state;
+        qemu_set_irq(s->via_irq, new_state);
+    }
+}
+
+static void via_set_sr_int(void *opaque)
+{
+    PMUState *s = opaque;
+    MOS6522PMUState *mps = MOS6522_PMU(&s->mos6522_pmu);
+    MOS6522State *ms = MOS6522(mps);
+    MOS6522DeviceClass *mdc = MOS6522_DEVICE_GET_CLASS(ms);
+
+    mdc->set_sr_int(ms);
+}
+
+static void pmu_update_extirq(PMUState *s)
+{
+    if ((s->intbits & s->intmask) != 0) {
+        macio_set_gpio(s->gpio, 1, false);
+    } else {
+        macio_set_gpio(s->gpio, 1, true);
+    }
+}
+
+static void pmu_adb_poll(void *opaque)
+{
+    PMUState *s = opaque;
+    int olen;
+
+    if (!(s->intbits & PMU_INT_ADB)) {
+        olen = adb_poll(&s->adb_bus, s->adb_reply, s->adb_poll_mask);
+        trace_pmu_adb_poll(olen);
+
+        if (olen > 0) {
+            s->adb_reply_size = olen;
+            s->intbits |= PMU_INT_ADB | PMU_INT_ADB_AUTO;
+            pmu_update_extirq(s);
+        }
+    }
+
+    timer_mod(s->adb_poll_timer,
+              qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL) + 30);
+}
+
+static void pmu_one_sec_timer(void *opaque)
+{
+    PMUState *s = opaque;
+
+    trace_pmu_one_sec_timer();
+
+    s->intbits |= PMU_INT_TICK;
+    pmu_update_extirq(s);
+    s->one_sec_target += 1000;
+
+    timer_mod(s->one_sec_timer, s->one_sec_target);
+}
+
+static void pmu_cmd_int_ack(PMUState *s,
+                            const uint8_t *in_data, uint8_t in_len,
+                            uint8_t *out_data, uint8_t *out_len)
+{
+    if (in_len != 0) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "PMU: INT_ACK command, invalid len: %d want: 0\n",
+                      in_len);
+        return;
+    }
+
+    /* Make appropriate reply packet */
+    if (s->intbits & PMU_INT_ADB) {
+        if (!s->adb_reply_size) {
+            qemu_log_mask(LOG_GUEST_ERROR,
+                          "Odd, PMU_INT_ADB set with no reply in buffer\n");
+        }
+
+        memcpy(out_data + 1, s->adb_reply, s->adb_reply_size);
+        out_data[0] = s->intbits & (PMU_INT_ADB | PMU_INT_ADB_AUTO);
+        *out_len = s->adb_reply_size + 1;
+        s->intbits &= ~(PMU_INT_ADB | PMU_INT_ADB_AUTO);
+        s->adb_reply_size = 0;
+    } else {
+        out_data[0] = s->intbits;
+        s->intbits = 0;
+        *out_len = 1;
+    }
+
+    pmu_update_extirq(s);
+}
+
+static void pmu_cmd_set_int_mask(PMUState *s,
+                                 const uint8_t *in_data, uint8_t in_len,
+                                 uint8_t *out_data, uint8_t *out_len)
+{
+    if (in_len != 1) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "PMU: SET_INT_MASK command, invalid len: %d want: 1\n",
+                      in_len);
+        return;
+    }
+
+    trace_pmu_cmd_set_int_mask(s->intmask);
+    s->intmask = in_data[0];
+
+    pmu_update_extirq(s);
+}
+
+static void pmu_cmd_set_adb_autopoll(PMUState *s, uint16_t mask)
+{
+    trace_pmu_cmd_set_adb_autopoll(mask);
+
+    if (s->autopoll_mask == mask) {
+        return;
+    }
+
+    s->autopoll_mask = mask;
+    if (mask) {
+        timer_mod(s->adb_poll_timer,
+                  qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL) + 30);
+    } else {
+        timer_del(s->adb_poll_timer);
+    }
+}
+
+static void pmu_cmd_adb(PMUState *s,
+                        const uint8_t *in_data, uint8_t in_len,
+                        uint8_t *out_data, uint8_t *out_len)
+{
+    int len, adblen;
+    uint8_t adb_cmd[255];
+
+    if (in_len < 2) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "PMU: ADB PACKET, invalid len: %d want at least 2\n",
+                      in_len);
+        return;
+    }
+
+    *out_len = 0;
+
+    if (!s->has_adb) {
+        trace_pmu_cmd_adb_nobus();
+        return;
+    }
+
+    /* Set autopoll is a special form of the command */
+    if (in_data[0] == 0 && in_data[1] == 0x86) {
+        uint16_t mask = in_data[2];
+        mask = (mask << 8) | in_data[3];
+        if (in_len != 4) {
+            qemu_log_mask(LOG_GUEST_ERROR,
+                          "PMU: ADB Autopoll requires 4 bytes, got %d\n",
+                          in_len);
+            return;
+        }
+
+        pmu_cmd_set_adb_autopoll(s, mask);
+        return;
+    }
+
+    trace_pmu_cmd_adb_request(in_len, in_data[0], in_data[1], in_data[2],
+                              in_data[3], in_data[4]);
+
+    *out_len = 0;
+
+    /* Check ADB len */
+    adblen = in_data[2];
+    if (adblen > (in_len - 3)) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "PMU: ADB len is %d > %d (in_len -3)...erroring\n",
+                      adblen, in_len - 3);
+        len = -1;
+    } else if (adblen > 252) {
+        qemu_log_mask(LOG_GUEST_ERROR, "PMU: ADB command too big!\n");
+        len = -1;
+    } else {
+        /* Format command */
+        adb_cmd[0] = in_data[0];
+        memcpy(&adb_cmd[1], &in_data[3], in_len - 3);
+        len = adb_request(&s->adb_bus, s->adb_reply + 2, adb_cmd, in_len - 2);
+
+        trace_pmu_cmd_adb_reply(len);
+    }
+
+    if (len > 0) {
+        /* XXX Check this */
+        s->adb_reply_size = len + 2;
+        s->adb_reply[0] = 0x01;
+        s->adb_reply[1] = len;
+    } else {
+        /* XXX Check this */
+        s->adb_reply_size = 1;
+        s->adb_reply[0] = 0x00;
+    }
+
+    s->intbits |= PMU_INT_ADB;
+    pmu_update_extirq(s);
+}
+
+static void pmu_cmd_adb_poll_off(PMUState *s,
+                                 const uint8_t *in_data, uint8_t in_len,
+                                 uint8_t *out_data, uint8_t *out_len)
+{
+    if (in_len != 0) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "PMU: ADB POLL OFF command, invalid len: %d want: 0\n",
+                      in_len);
+        return;
+    }
+
+    if (s->has_adb && s->autopoll_mask) {
+        timer_del(s->adb_poll_timer);
+        s->autopoll_mask = false;
+    }
+}
+
+static void pmu_cmd_shutdown(PMUState *s,
+                             const uint8_t *in_data, uint8_t in_len,
+                             uint8_t *out_data, uint8_t *out_len)
+{
+    if (in_len != 4) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "PMU: SHUTDOWN command, invalid len: %d want: 4\n",
+                      in_len);
+        return;
+    }
+
+    *out_len = 1;
+    out_data[0] = 0;
+
+    if (in_data[0] != 'M' || in_data[1] != 'A' || in_data[2] != 'T' ||
+        in_data[3] != 'T') {
+
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "PMU: SHUTDOWN command, Bad MATT signature\n");
+        return;
+    }
+
+    qemu_system_shutdown_request(SHUTDOWN_CAUSE_GUEST_SHUTDOWN);
+}
+
+static void pmu_cmd_reset(PMUState *s,
+                          const uint8_t *in_data, uint8_t in_len,
+                          uint8_t *out_data, uint8_t *out_len)
+{
+    if (in_len != 0) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "PMU: RESET command, invalid len: %d want: 0\n",
+                      in_len);
+        return;
+    }
+
+    qemu_system_reset_request(SHUTDOWN_CAUSE_GUEST_RESET);
+}
+
+static void pmu_cmd_get_rtc(PMUState *s,
+                            const uint8_t *in_data, uint8_t in_len,
+                            uint8_t *out_data, uint8_t *out_len)
+{
+    uint32_t ti;
+
+    if (in_len != 0) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "PMU: GET_RTC command, invalid len: %d want: 0\n",
+                      in_len);
+        return;
+    }
+
+    ti = s->tick_offset + (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
+                           / NANOSECONDS_PER_SECOND);
+    out_data[0] = ti >> 24;
+    out_data[1] = ti >> 16;
+    out_data[2] = ti >> 8;
+    out_data[3] = ti;
+    *out_len = 4;
+}
+
+static void pmu_cmd_set_rtc(PMUState *s,
+                            const uint8_t *in_data, uint8_t in_len,
+                            uint8_t *out_data, uint8_t *out_len)
+{
+    uint32_t ti;
+
+    if (in_len != 4) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "PMU: SET_RTC command, invalid len: %d want: 4\n",
+                      in_len);
+        return;
+    }
+
+    ti = (((uint32_t)in_data[0]) << 24) + (((uint32_t)in_data[1]) << 16)
+         + (((uint32_t)in_data[2]) << 8) + in_data[3];
+
+    s->tick_offset = ti - (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
+                           / NANOSECONDS_PER_SECOND);
+}
+
+static void pmu_cmd_system_ready(PMUState *s,
+                                 const uint8_t *in_data, uint8_t in_len,
+                                 uint8_t *out_data, uint8_t *out_len)
+{
+    /* Do nothing */
+}
+
+static void pmu_cmd_get_version(PMUState *s,
+                                const uint8_t *in_data, uint8_t in_len,
+                                uint8_t *out_data, uint8_t *out_len)
+{
+    *out_len = 1;
+    *out_data = 1; /* ??? Check what Apple does */
+}
+
+static void pmu_cmd_power_events(PMUState *s,
+                                 const uint8_t *in_data, uint8_t in_len,
+                                 uint8_t *out_data, uint8_t *out_len)
+{
+    if (in_len < 1) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "PMU: POWER EVENTS command, invalid len %d, want at least 1\n",
+                      in_len);
+        return;
+    }
+
+    switch (in_data[0]) {
+    /* Dummies for now */
+    case PMU_PWR_GET_POWERUP_EVENTS:
+        *out_len = 2;
+        out_data[0] = 0;
+        out_data[1] = 0;
+        break;
+    case PMU_PWR_SET_POWERUP_EVENTS:
+    case PMU_PWR_CLR_POWERUP_EVENTS:
+        break;
+    case PMU_PWR_GET_WAKEUP_EVENTS:
+        *out_len = 2;
+        out_data[0] = 0;
+        out_data[1] = 0;
+        break;
+    case PMU_PWR_SET_WAKEUP_EVENTS:
+    case PMU_PWR_CLR_WAKEUP_EVENTS:
+        break;
+    default:
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "PMU: POWER EVENTS unknown subcommand 0x%02x\n",
+                      in_data[0]);
+    }
+}
+
+static void pmu_cmd_get_cover(PMUState *s,
+                              const uint8_t *in_data, uint8_t in_len,
+                              uint8_t *out_data, uint8_t *out_len)
+{
+    /* Not 100% sure here, will have to check what a real Mac
+     * returns other than byte 0 bit 0 is LID closed on laptops
+     */
+    *out_len = 1;
+    *out_data = 0x00;
+}
+
+static void pmu_cmd_download_status(PMUState *s,
+                                    const uint8_t *in_data, uint8_t in_len,
+                                    uint8_t *out_data, uint8_t *out_len)
+{
+    /* This has to do with PMU firmware updates as far as I can tell.
+     *
+     * We return 0x62 which is what OpenPMU expects
+     */
+    *out_len = 1;
+    *out_data = 0x62;
+}
+
+static void pmu_cmd_read_pmu_ram(PMUState *s,
+                                 const uint8_t *in_data, uint8_t in_len,
+                                 uint8_t *out_data, uint8_t *out_len)
+{
+    if (in_len < 3) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "PMU: READ_PMU_RAM command, invalid len %d, expected 3\n",
+                      in_len);
+        return;
+    }
+
+    qemu_log_mask(LOG_GUEST_ERROR,
+                  "PMU: Unsupported READ_PMU_RAM, args: %02x %02x %02x\n",
+                  in_data[0], in_data[1], in_data[2]);
+
+    *out_len = 0;
+}
+
+/* description of commands */
+typedef struct PMUCmdHandler {
+    uint8_t command;
+    const char *name;
+    void (*handler)(PMUState *s,
+                    const uint8_t *in_args, uint8_t in_len,
+                    uint8_t *out_args, uint8_t *out_len);
+} PMUCmdHandler;
+
+static const PMUCmdHandler PMUCmdHandlers[] = {
+    { PMU_INT_ACK, "INT ACK", pmu_cmd_int_ack },
+    { PMU_SET_INTR_MASK, "SET INT MASK", pmu_cmd_set_int_mask },
+    { PMU_ADB_CMD, "ADB COMMAND", pmu_cmd_adb },
+    { PMU_ADB_POLL_OFF, "ADB POLL OFF", pmu_cmd_adb_poll_off },
+    { PMU_RESET, "REBOOT", pmu_cmd_reset },
+    { PMU_SHUTDOWN, "SHUTDOWN", pmu_cmd_shutdown },
+    { PMU_READ_RTC, "GET RTC", pmu_cmd_get_rtc },
+    { PMU_SET_RTC, "SET RTC", pmu_cmd_set_rtc },
+    { PMU_SYSTEM_READY, "SYSTEM READY", pmu_cmd_system_ready },
+    { PMU_GET_VERSION, "GET VERSION", pmu_cmd_get_version },
+    { PMU_POWER_EVENTS, "POWER EVENTS", pmu_cmd_power_events },
+    { PMU_GET_COVER, "GET_COVER", pmu_cmd_get_cover },
+    { PMU_DOWNLOAD_STATUS, "DOWNLOAD STATUS", pmu_cmd_download_status },
+    { PMU_READ_PMU_RAM, "READ PMGR RAM", pmu_cmd_read_pmu_ram },
+};
+
+static void pmu_dispatch_cmd(PMUState *s)
+{
+    unsigned int i;
+
+    /* No response by default */
+    s->cmd_rsp_sz = 0;
+
+    for (i = 0; i < ARRAY_SIZE(PMUCmdHandlers); i++) {
+        const PMUCmdHandler *desc = &PMUCmdHandlers[i];
+
+        if (desc->command != s->cmd) {
+            continue;
+        }
+
+        trace_pmu_dispatch_cmd(desc->name);
+        desc->handler(s, s->cmd_buf, s->cmd_buf_pos,
+                      s->cmd_rsp, &s->cmd_rsp_sz);
+
+        if (s->rsplen != -1 && s->rsplen != s->cmd_rsp_sz) {
+            trace_pmu_debug_protocol_string("QEMU internal cmd resp mismatch!");
+        } else {
+            trace_pmu_debug_protocol_resp_size(s->cmd_rsp_sz);
+        }
+
+        return;
+    }
+
+    trace_pmu_dispatch_unknown_cmd(s->cmd);
+
+    /* Manufacture fake response with 0's */
+    if (s->rsplen == -1) {
+        s->cmd_rsp_sz = 0;
+    } else {
+        s->cmd_rsp_sz = s->rsplen;
+        memset(s->cmd_rsp, 0, s->rsplen);
+    }
+}
+
+static void pmu_update(PMUState *s)
+{
+    MOS6522PMUState *mps = &s->mos6522_pmu;
+    MOS6522State *ms = MOS6522(mps);
+
+    /* Only react to changes in reg B */
+    if (ms->b == s->last_b) {
+        return;
+    }
+    s->last_b = ms->b;
+
+    /* Check the TREQ / TACK state */
+    switch (ms->b & (TREQ | TACK)) {
+    case TREQ:
+        /* This is an ack release, handle it and bail out */
+        ms->b |= TACK;
+        s->last_b = ms->b;
+
+        trace_pmu_debug_protocol_string("handshake: TREQ high, setting TACK");
+        return;
+    case TACK:
+        /* This is a valid request, handle below */
+        break;
+    case TREQ | TACK:
+        /* This is an idle state */
+        return;
+    default:
+        /* Invalid state, log and ignore */
+        trace_pmu_debug_protocol_error(ms->b);
+        return;
+    }
+
+    /* If we wanted to handle commands asynchronously, this is where
+     * we would delay the clearing of TACK until we are ready to send
+     * the response
+     */
+
+    /* We have a request, handshake TACK so we don't stay in
+     * an invalid state. If we were concurrent with the OS we
+     * should only do this after we grabbed the SR but that isn't
+     * a problem here.
+     */
+
+    trace_pmu_debug_protocol_clear_treq(s->cmd_state);
+
+    ms->b &= ~TACK;
+    s->last_b = ms->b;
+
+    /* Act according to state */
+    switch (s->cmd_state) {
+    case pmu_state_idle:
+        if (!(ms->acr & SR_OUT)) {
+            trace_pmu_debug_protocol_string("protocol error! "
+                                            "state idle, ACR reading");
+            break;
+        }
+
+        s->cmd = ms->sr;
+        via_set_sr_int(s);
+        s->cmdlen = pmu_data_len[s->cmd][0];
+        s->rsplen = pmu_data_len[s->cmd][1];
+        s->cmd_buf_pos = 0;
+        s->cmd_rsp_pos = 0;
+        s->cmd_state = pmu_state_cmd;
+
+        trace_pmu_debug_protocol_cmd(s->cmd, s->cmdlen, s->rsplen);
+        break;
+
+    case pmu_state_cmd:
+        if (!(ms->acr & SR_OUT)) {
+            trace_pmu_debug_protocol_string("protocol error! "
+                                            "state cmd, ACR reading");
+            break;
+        }
+
+        if (s->cmdlen == -1) {
+            trace_pmu_debug_protocol_cmdlen(ms->sr);
+
+            s->cmdlen = ms->sr;
+            if (s->cmdlen > sizeof(s->cmd_buf)) {
+                trace_pmu_debug_protocol_cmd_toobig(s->cmdlen);
+            }
+        } else if (s->cmd_buf_pos < sizeof(s->cmd_buf)) {
+            s->cmd_buf[s->cmd_buf_pos++] = ms->sr;
+        }
+
+        via_set_sr_int(s);
+        break;
+
+    case pmu_state_rsp:
+        if (ms->acr & SR_OUT) {
+            trace_pmu_debug_protocol_string("protocol error! "
+                                            "state resp, ACR writing");
+            break;
+        }
+
+        if (s->rsplen == -1) {
+            trace_pmu_debug_protocol_cmd_send_resp_size(s->cmd_rsp_sz);
+
+            ms->sr = s->cmd_rsp_sz;
+            s->rsplen = s->cmd_rsp_sz;
+        } else if (s->cmd_rsp_pos < s->cmd_rsp_sz) {
+            trace_pmu_debug_protocol_cmd_send_resp(s->cmd_rsp_pos, s->rsplen);
+
+            ms->sr = s->cmd_rsp[s->cmd_rsp_pos++];
+        }
+
+        via_set_sr_int(s);
+        break;
+    }
+
+    /* Check for state completion */
+    if (s->cmd_state == pmu_state_cmd && s->cmdlen == s->cmd_buf_pos) {
+        trace_pmu_debug_protocol_string("Command reception complete, "
+                                        "dispatching...");
+
+        pmu_dispatch_cmd(s);
+        s->cmd_state = pmu_state_rsp;
+    }
+
+    if (s->cmd_state == pmu_state_rsp && s->rsplen == s->cmd_rsp_pos) {
+        trace_pmu_debug_protocol_cmd_resp_complete(ms->ier);
+
+        s->cmd_state = pmu_state_idle;
+    }
+}
+
+static uint64_t mos6522_pmu_read(void *opaque, hwaddr addr, unsigned size)
+{
+    PMUState *s = opaque;
+    MOS6522PMUState *mps = &s->mos6522_pmu;
+    MOS6522State *ms = MOS6522(mps);
+
+    addr = (addr >> 9) & 0xf;
+    return mos6522_read(ms, addr, size);
+}
+
+static void mos6522_pmu_write(void *opaque, hwaddr addr, uint64_t val,
+                              unsigned size)
+{
+    PMUState *s = opaque;
+    MOS6522PMUState *mps = &s->mos6522_pmu;
+    MOS6522State *ms = MOS6522(mps);
+
+    addr = (addr >> 9) & 0xf;
+    mos6522_write(ms, addr, val, size);
+}
+
+static const MemoryRegionOps mos6522_pmu_ops = {
+    .read = mos6522_pmu_read,
+    .write = mos6522_pmu_write,
+    .endianness = DEVICE_BIG_ENDIAN,
+    .impl = {
+        .min_access_size = 1,
+        .max_access_size = 1,
+    },
+};
+
+static bool pmu_adb_state_needed(void *opaque)
+{
+    PMUState *s = opaque;
+
+    return s->has_adb;
+}
+
+static const VMStateDescription vmstate_pmu_adb = {
+    .name = "pmu/adb",
+    .version_id = 0,
+    .minimum_version_id = 0,
+    .needed = pmu_adb_state_needed,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT16(adb_poll_mask, PMUState),
+        VMSTATE_TIMER_PTR(adb_poll_timer, PMUState),
+        VMSTATE_UINT8(adb_reply_size, PMUState),
+        VMSTATE_BUFFER(adb_reply, PMUState),
+    }
+};
+
+static const VMStateDescription vmstate_pmu = {
+    .name = "pmu",
+    .version_id = 0,
+    .minimum_version_id = 0,
+    .fields = (VMStateField[]) {
+        VMSTATE_STRUCT(mos6522_pmu.parent_obj, PMUState, 0, vmstate_mos6522,
+                       MOS6522State),
+        VMSTATE_UINT8(last_b, PMUState),
+        VMSTATE_UINT8(cmd, PMUState),
+        VMSTATE_UINT32(cmdlen, PMUState),
+        VMSTATE_UINT32(rsplen, PMUState),
+        VMSTATE_UINT8(cmd_buf_pos, PMUState),
+        VMSTATE_BUFFER(cmd_buf, PMUState),
+        VMSTATE_UINT8(cmd_rsp_pos, PMUState),
+        VMSTATE_UINT8(cmd_rsp_sz, PMUState),
+        VMSTATE_BUFFER(cmd_rsp, PMUState),
+        VMSTATE_UINT8(intbits, PMUState),
+        VMSTATE_UINT8(intmask, PMUState),
+        VMSTATE_UINT8(autopoll_rate_ms, PMUState),
+        VMSTATE_UINT8(autopoll_mask, PMUState),
+        VMSTATE_UINT32(tick_offset, PMUState),
+        VMSTATE_TIMER_PTR(one_sec_timer, PMUState),
+        VMSTATE_INT64(one_sec_target, PMUState),
+        VMSTATE_END_OF_LIST()
+    },
+    .subsections = (const VMStateDescription * []) {
+        &vmstate_pmu_adb,
+    }
+};
+
+static void pmu_reset(DeviceState *dev)
+{
+    PMUState *s = VIA_PMU(dev);
+
+    /* OpenBIOS needs to do this? MacOS 9 needs it */
+    s->intmask = PMU_INT_ADB | PMU_INT_TICK;
+    s->intbits = 0;
+
+    s->cmd_state = pmu_state_idle;
+    s->autopoll_mask = 0;
+}
+
+static void pmu_realize(DeviceState *dev, Error **errp)
+{
+    PMUState *s = VIA_PMU(dev);
+    SysBusDevice *sbd;
+    MOS6522State *ms;
+    DeviceState *d;
+    struct tm tm;
+
+    /* Pass IRQ from 6522 */
+    d = DEVICE(&s->mos6522_pmu);
+    ms = MOS6522(d);
+    sbd = SYS_BUS_DEVICE(s);
+    sysbus_pass_irq(sbd, SYS_BUS_DEVICE(ms));
+
+    qemu_get_timedate(&tm, 0);
+    s->tick_offset = (uint32_t)mktimegm(&tm) + RTC_OFFSET;
+    s->one_sec_timer = timer_new_ms(QEMU_CLOCK_VIRTUAL, pmu_one_sec_timer, s);
+    s->one_sec_target = qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL) + 1000;
+    timer_mod(s->one_sec_timer, s->one_sec_target);
+
+    if (s->has_adb) {
+        qbus_create_inplace(&s->adb_bus, sizeof(s->adb_bus), TYPE_ADB_BUS,
+                            DEVICE(dev), "adb.0");
+        s->adb_poll_timer = timer_new_ms(QEMU_CLOCK_VIRTUAL, pmu_adb_poll, s);
+        s->adb_poll_mask = 0xffff;
+        s->autopoll_rate_ms = 20;
+    }
+}
+
+static void pmu_init(Object *obj)
+{
+    SysBusDevice *d = SYS_BUS_DEVICE(obj);
+    PMUState *s = VIA_PMU(obj);
+
+    object_property_add_link(obj, "gpio", TYPE_MACIO_GPIO,
+                             (Object **) &s->gpio,
+                             qdev_prop_allow_set_link_before_realize,
+                             0, NULL);
+
+    object_initialize(&s->mos6522_pmu, sizeof(s->mos6522_pmu),
+                      TYPE_MOS6522_PMU);
+    qdev_set_parent_bus(DEVICE(&s->mos6522_pmu), sysbus_get_default());
+
+    memory_region_init_io(&s->mem, obj, &mos6522_pmu_ops, s, "via-pmu",
+                          0x2000);
+    sysbus_init_mmio(d, &s->mem);
+}
+
+static Property pmu_properties[] = {
+    DEFINE_PROP_BOOL("has-adb", PMUState, has_adb, true),
+    DEFINE_PROP_END_OF_LIST()
+};
+
+static void pmu_class_init(ObjectClass *oc, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(oc);
+
+    dc->realize = pmu_realize;
+    dc->reset = pmu_reset;
+    dc->vmsd = &vmstate_pmu;
+    dc->props = pmu_properties;
+    set_bit(DEVICE_CATEGORY_BRIDGE, dc->categories);
+}
+
+static const TypeInfo pmu_type_info = {
+    .name = TYPE_VIA_PMU,
+    .parent = TYPE_SYS_BUS_DEVICE,
+    .instance_size = sizeof(PMUState),
+    .instance_init = pmu_init,
+    .class_init = pmu_class_init,
+};
+
+static void mos6522_pmu_portB_write(MOS6522State *s)
+{
+    MOS6522PMUState *mps = container_of(s, MOS6522PMUState, parent_obj);
+    PMUState *ps = container_of(mps, PMUState, mos6522_pmu);
+
+    if ((s->pcr & 0xe0) == 0x20 || (s->pcr & 0xe0) == 0x60) {
+        s->ifr &= ~CB2_INT;
+    }
+    s->ifr &= ~CB1_INT;
+
+    via_update_irq(ps);
+    pmu_update(ps);
+}
+
+static void mos6522_pmu_portA_write(MOS6522State *s)
+{
+    MOS6522PMUState *mps = container_of(s, MOS6522PMUState, parent_obj);
+    PMUState *ps = container_of(mps, PMUState, mos6522_pmu);
+
+    if ((s->pcr & 0x0e) == 0x02 || (s->pcr & 0x0e) == 0x06) {
+        s->ifr &= ~CA2_INT;
+    }
+    s->ifr &= ~CA1_INT;
+
+    via_update_irq(ps);
+}
+
+static void mos6522_pmu_reset(DeviceState *dev)
+{
+    MOS6522State *ms = MOS6522(dev);
+    MOS6522PMUState *mps = container_of(ms, MOS6522PMUState, parent_obj);
+    PMUState *s = container_of(mps, PMUState, mos6522_pmu);
+    MOS6522DeviceClass *mdc = MOS6522_DEVICE_GET_CLASS(ms);
+
+    mdc->parent_reset(dev);
+
+    ms->timers[0].frequency = VIA_TIMER_FREQ;
+    ms->timers[1].frequency = (SCALE_US * 6000) / 4700;
+
+    s->last_b = ms->b = TACK | TREQ;
+}
+
+static void mos6522_pmu_class_init(ObjectClass *oc, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(oc);
+    MOS6522DeviceClass *mdc = MOS6522_DEVICE_CLASS(oc);
+
+    dc->reset = mos6522_pmu_reset;
+    mdc->portB_write = mos6522_pmu_portB_write;
+    mdc->portA_write = mos6522_pmu_portA_write;
+}
+
+static const TypeInfo mos6522_pmu_type_info = {
+    .name = TYPE_MOS6522_PMU,
+    .parent = TYPE_MOS6522,
+    .instance_size = sizeof(MOS6522PMUState),
+    .class_init = mos6522_pmu_class_init,
+};
+
+static void pmu_register_types(void)
+{
+    type_register_static(&pmu_type_info);
+    type_register_static(&mos6522_pmu_type_info);
+}
+
+type_init(pmu_register_types)
diff --git a/hw/misc/macio/trace-events b/hw/misc/macio/trace-events
index 71c47520eb..05019262fa 100644
--- a/hw/misc/macio/trace-events
+++ b/hw/misc/macio/trace-events
@@ -20,3 +20,24 @@ macio_gpio_irq_assert(int gpio) "asserting GPIO %d"
 macio_gpio_irq_deassert(int gpio) "deasserting GPIO %d"
 macio_gpio_write(uint64_t addr, uint64_t val) "addr: 0x%"PRIx64" value: 0x%"PRIx64
 macio_gpio_read(uint64_t addr, uint64_t val) "addr: 0x%"PRIx64" value: 0x%"PRIx64
+
+# hw/misc/macio/pmu.c
+pmu_adb_poll(int olen) "ADB autopoll, olen=%d"
+pmu_one_sec_timer(void) "PMU one sec..."
+pmu_cmd_set_int_mask(int intmask) "Setting PMU int mask to 0x%02x"
+pmu_cmd_set_adb_autopoll(int mask) "ADB set autopoll, mask=0x%04x"
+pmu_cmd_adb_nobus(void) "ADB PACKET with no ADB bus!"
+pmu_cmd_adb_request(int inlen, int indata0, int indata1, int indata2, int indata3, int indata4) "ADB request: len=%d, cmd=0x%02x, pflags=0x%02x, adblen=%d: 0x%02x 0x%02x..."
+pmu_cmd_adb_reply(int len) "ADB reply is %d bytes"
+pmu_dispatch_cmd(const char *name) "handling command %s"
+pmu_dispatch_unknown_cmd(int cmd) "Unknown PMU command 0x%02x"
+pmu_debug_protocol_string(const char *str) "%s"
+pmu_debug_protocol_resp_size(int size) "sending %d resp bytes"
+pmu_debug_protocol_error(int portB) "protocol error! portB=0x%02x"
+pmu_debug_protocol_clear_treq(int state) "TREQ cleared, clearing TACK, state: %d"
+pmu_debug_protocol_cmd(int cmd, int cmdlen, int rsplen) "Got command byte 0x%02x, clen=%d, rlen=%d"
+pmu_debug_protocol_cmdlen(int len) "got cmd length byte: %d"
+pmu_debug_protocol_cmd_toobig(int len) "command too big (%d bytes)"
+pmu_debug_protocol_cmd_send_resp_size(int len) "sending length byte: %d"
+pmu_debug_protocol_cmd_send_resp(int pos, int len) "sending byte: %d/%d"
+pmu_debug_protocol_cmd_resp_complete(int ier) "Response send complete. IER=0x%02x"
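Review bot: `pmu_debug_protocol_string(const char *str) "%s"` is a catch-all event, and pmu.c uses it both for routine handshake messages and for anomaly reports ("protocol error! ..." and "QEMU internal cmd resp mismatch!"), so the anomalies cannot be enabled or filtered on their own. Dedicated events for the error cases, in the style of the existing `pmu_debug_protocol_error(int portB)`, would let someone trace only a misbehaving guest, for example `pmu_debug_protocol_acr_error(int state, int acr) "protocol error! state=%d acr=0x%02x"`. That form also records the register value, which the fixed strings drop.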
diff --git a/hw/ppc/mac.h b/hw/ppc/mac.h
index b3b7f9d8ae..c0217e66f2 100644
--- a/hw/ppc/mac.h
+++ b/hw/ppc/mac.h
@@ -59,6 +59,7 @@
 
 /* New World IRQs */
 #define NEWWORLD_CUDA_IRQ      0x19
+#define NEWWORLD_PMU_IRQ       0x19
 #define NEWWORLD_ESCCB_IRQ     0x24
 #define NEWWORLD_ESCCA_IRQ     0x25
 #define NEWWORLD_IDE0_IRQ      0xd
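Review bot: `NEWWORLD_PMU_IRQ` gets the same value (0x19) as `NEWWORLD_CUDA_IRQ` on the line above with no explanation, which reads like a copy-paste slip to anyone auditing the interrupt map. If the sharing is intentional, presumably because a machine instantiates either the CUDA or the PMU and never both, a comment such as `/* same line as CUDA: only one of the two is ever present */` would record that. Writing it as `#define NEWWORLD_PMU_IRQ NEWWORLD_CUDA_IRQ` would make the dependency explicit.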
diff --git a/hw/ppc/mac_newworld.c b/hw/ppc/mac_newworld.c
index ca21d47234..ff715ffffd 100644
--- a/hw/ppc/mac_newworld.c
+++ b/hw/ppc/mac_newworld.c
@@ -399,11 +399,19 @@ static void ppc_core99_init(MachineState *machine)
     macio_ide_init_drives(macio_ide, &hd[MAX_IDE_DEVS]);
 
     if (has_adb) {
-        dev = DEVICE(object_resolve_path_component(OBJECT(macio), "cuda"));
+        if (has_pmu) {
+            dev = DEVICE(object_resolve_path_component(OBJECT(macio), "pmu"));
+        } else {
+            dev = DEVICE(object_resolve_path_component(OBJECT(macio), "cuda"));
+        }
+
         adb_bus = qdev_get_child_bus(dev, "adb.0");
         dev = qdev_create(adb_bus, TYPE_ADB_KEYBOARD);
+        qdev_prop_set_bit(dev, "disable-direct-reg3-writes", has_pmu);
         qdev_init_nofail(dev);
+
         dev = qdev_create(adb_bus, TYPE_ADB_MOUSE);
+        qdev_prop_set_bit(dev, "disable-direct-reg3-writes", has_pmu);
         qdev_init_nofail(dev);
     }
 
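Review bot: `adb_bus` is used unchecked after `qdev_get_child_bus(dev, "adb.0")`, and on the new PMU path that bus only exists once pmu_realize() has run with `has-adb` set (this patch creates it there, not in pmu_init()). If the machine-level `has_adb`/`has_pmu` flags and the device property ever disagree, the lookup returns NULL and that NULL is handed straight to `qdev_create()`. An `assert(adb_bus);` right after the lookup would make such a mismatch fail loudly at the point of cause, and the two branches could collapse to `object_resolve_path_component(OBJECT(macio), has_pmu ? "pmu" : "cuda")`. ppc_core99_init() starts and ends outside this hunk, so how the flags are derived is not visible here.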
diff --git a/include/hw/misc/macio/macio.h b/include/hw/misc/macio/macio.h
index d43883a893..cfaa145500 100644
--- a/include/hw/misc/macio/macio.h
+++ b/include/hw/misc/macio/macio.h
@@ -30,6 +30,7 @@
 #include "hw/intc/heathrow_pic.h"
 #include "hw/misc/macio/cuda.h"
 #include "hw/misc/macio/gpio.h"
+#include "hw/misc/macio/pmu.h"
 #include "hw/ppc/mac_dbdma.h"
 #include "hw/ppc/openpic.h"
 
@@ -43,6 +44,7 @@ typedef struct MacIOState {
 
     MemoryRegion bar;
     CUDAState cuda;
+    PMUState pmu;
     DBDMAState dbdma;
     ESCCState escc;
     uint64_t frequency;
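Review bot: Embedding `PMUState pmu` by value is what forces macio.h to include pmu.h, and that header defines `static const int8_t pmu_data_len[256][2]`, so every translation unit that includes macio.h gets its own private copy of the table. The table is only indexed from pmu_update() in this patch, so it could live in hw/misc/macio/pmu.c, or be declared in the header as `extern const int8_t pmu_data_len[256][2];`. The new pmu.h also has no `#include` lines of its own although it uses `SysBusDevice`, `MOS6522State`, `ADBBusState` and `MacIOGPIOState`, so it appears to compile only because of the include order here.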
diff --git a/include/hw/misc/macio/pmu.h b/include/hw/misc/macio/pmu.h
new file mode 100644
index 0000000000..d10895ba5f
--- /dev/null
+++ b/include/hw/misc/macio/pmu.h
@@ -0,0 +1,237 @@
+/*
+ * Definitions for talking to the PMU.  The PMU is a microcontroller
+ * which controls battery charging and system power on PowerBook 3400
+ * and 2400 models as well as the RTC and various other things.
+ *
+ * Copyright (C) 1998 Paul Mackerras.
+ * Copyright (C) 2016 Ben Herrenschmidt
+ */
+
+#ifndef PMU_H
+#define PMU_H
+
+/*
+ * PMU commands
+ */
+
+#define PMU_POWER_CTRL0            0x10  /* control power of some devices */
+#define PMU_POWER_CTRL             0x11  /* control power of some devices */
+#define PMU_ADB_CMD                0x20  /* send ADB packet */
+#define PMU_ADB_POLL_OFF           0x21  /* disable ADB auto-poll */
+#define PMU_WRITE_NVRAM            0x33  /* write non-volatile RAM */
+#define PMU_READ_NVRAM             0x3b  /* read non-volatile RAM */
+#define PMU_SET_RTC                0x30  /* set real-time clock */
+#define PMU_READ_RTC               0x38  /* read real-time clock */
+#define PMU_SET_VOLBUTTON          0x40  /* set volume up/down position */
+#define PMU_BACKLIGHT_BRIGHT       0x41  /* set backlight brightness */
+#define PMU_GET_VOLBUTTON          0x48  /* get volume up/down position */
+#define PMU_PCEJECT                0x4c  /* eject PC-card from slot */
+#define PMU_BATTERY_STATE          0x6b  /* report battery state etc. */
+#define PMU_SMART_BATTERY_STATE    0x6f  /* report battery state (new way) */
+#define PMU_SET_INTR_MASK          0x70  /* set PMU interrupt mask */
+#define PMU_INT_ACK                0x78  /* read interrupt bits */
+#define PMU_SHUTDOWN               0x7e  /* turn power off */
+#define PMU_CPU_SPEED              0x7d  /* control CPU speed on some models */
+#define PMU_SLEEP                  0x7f  /* put CPU to sleep */
+#define PMU_POWER_EVENTS           0x8f  /* Send power-event commands to PMU */
+#define PMU_I2C_CMD                0x9a  /* I2C operations */
+#define PMU_RESET                  0xd0  /* reset CPU */
+#define PMU_GET_BRIGHTBUTTON       0xd9  /* report brightness up/down pos */
+#define PMU_GET_COVER              0xdc  /* report cover open/closed */
+#define PMU_SYSTEM_READY           0xdf  /* tell PMU we are awake */
+#define PMU_DOWNLOAD_STATUS        0xe2  /* Called by MacOS during boot... */
+#define PMU_READ_PMU_RAM           0xe8  /* read the PMU RAM... ??? */
+#define PMU_GET_VERSION            0xea  /* read the PMU version */
+
+/* Bits to use with the PMU_POWER_CTRL0 command */
+#define PMU_POW0_ON            0x80    /* OR this to power ON the device */
+#define PMU_POW0_OFF           0x00    /* leave bit 7 to 0 to power it OFF */
+#define PMU_POW0_HARD_DRIVE    0x04    /* Hard drive power
+                                        * (on wallstreet/lombard ?) */
+
+/* Bits to use with the PMU_POWER_CTRL command */
+#define PMU_POW_ON             0x80    /* OR this to power ON the device */
+#define PMU_POW_OFF            0x00    /* leave bit 7 to 0 to power it OFF */
+#define PMU_POW_BACKLIGHT      0x01    /* backlight power */
+#define PMU_POW_CHARGER        0x02    /* battery charger power */
+#define PMU_POW_IRLED          0x04    /* IR led power (on wallstreet) */
+#define PMU_POW_MEDIABAY       0x08    /* media bay power
+                                        * (wallstreet/lombard ?) */
+
+/* Bits in PMU interrupt and interrupt mask bytes */
+#define PMU_INT_PCEJECT        0x04    /* PC-card eject buttons */
+#define PMU_INT_SNDBRT         0x08    /* sound/brightness up/down buttons */
+#define PMU_INT_ADB            0x10    /* ADB autopoll or reply data */
+#define PMU_INT_BATTERY        0x20    /* Battery state change */
+#define PMU_INT_ENVIRONMENT    0x40    /* Environment interrupts */
+#define PMU_INT_TICK           0x80    /* 1-second tick interrupt */
+
+/* Other bits in PMU interrupt valid when PMU_INT_ADB is set */
+#define PMU_INT_ADB_AUTO           0x04    /* ADB autopoll, when PMU_INT_ADB */
+#define PMU_INT_WAITING_CHARGER    0x01    /* ??? */
+#define PMU_INT_AUTO_SRQ_POLL      0x02    /* ??? */
+
+/* Bits in the environement message (either obtained via PMU_GET_COVER,
+ * or via PMU_INT_ENVIRONMENT on core99 */
+#define PMU_ENV_LID_CLOSED     0x01    /* The lid is closed */
+
+/* I2C related definitions */
+#define PMU_I2C_MODE_SIMPLE    0
+#define PMU_I2C_MODE_STDSUB    1
+#define PMU_I2C_MODE_COMBINED  2
+
+#define PMU_I2C_BUS_STATUS     0
+#define PMU_I2C_BUS_SYSCLK     1
+#define PMU_I2C_BUS_POWER      2
+
+#define PMU_I2C_STATUS_OK          0
+#define PMU_I2C_STATUS_DATAREAD    1
+#define PMU_I2C_STATUS_BUSY        0xfe
+
+/* Kind of PMU (model) */
+enum {
+    PMU_UNKNOWN,
+    PMU_OHARE_BASED,        /* 2400, 3400, 3500 (old G3 powerbook) */
+    PMU_HEATHROW_BASED,     /* PowerBook G3 series */
+    PMU_PADDINGTON_BASED,   /* 1999 PowerBook G3 */
+    PMU_KEYLARGO_BASED,     /* Core99 motherboard (PMU99) */
+    PMU_68K_V1,             /* 68K PMU, version 1 */
+    PMU_68K_V2,             /* 68K PMU, version 2 */
+};
+
+/* PMU PMU_POWER_EVENTS commands */
+enum {
+    PMU_PWR_GET_POWERUP_EVENTS = 0x00,
+    PMU_PWR_SET_POWERUP_EVENTS = 0x01,
+    PMU_PWR_CLR_POWERUP_EVENTS = 0x02,
+    PMU_PWR_GET_WAKEUP_EVENTS = 0x03,
+    PMU_PWR_SET_WAKEUP_EVENTS = 0x04,
+    PMU_PWR_CLR_WAKEUP_EVENTS = 0x05,
+};
+
+/* Power events wakeup bits */
+enum {
+    PMU_PWR_WAKEUP_KEY = 0x01,           /* Wake on key press */
+    PMU_PWR_WAKEUP_AC_INSERT = 0x02,     /* Wake on AC adapter plug */
+    PMU_PWR_WAKEUP_AC_CHANGE = 0x04,
+    PMU_PWR_WAKEUP_LID_OPEN = 0x08,
+    PMU_PWR_WAKEUP_RING = 0x10,
+};
+
+/*
+ * This table indicates for each PMU opcode:
+ * - the number of data bytes to be sent with the command, or -1
+ *   if a length byte should be sent,
+ * - the number of response bytes which the PMU will return, or
+ *   -1 if it will send a length byte.
+ */
+
+static const int8_t pmu_data_len[256][2] = {
+/*  0        1        2        3        4        5        6        7  */
+    {-1,  0},{-1,  0},{-1,  0},{-1,  0},{-1,  0},{-1,  0},{-1,  0},{-1,  0},
+    {-1, -1},{-1, -1},{-1, -1},{-1, -1},{-1, -1},{-1, -1},{-1, -1},{-1, -1},
+    { 1,  0},{ 1,  0},{-1,  0},{-1,  0},{-1,  0},{-1,  0},{-1,  0},{-1,  0},
+    { 0,  1},{ 0,  1},{-1, -1},{-1, -1},{-1, -1},{-1, -1},{-1, -1},{ 0,  0},
+    {-1,  0},{ 0,  0},{ 2,  0},{ 1,  0},{ 1,  0},{-1,  0},{-1,  0},{-1,  0},
+    { 0, -1},{ 0, -1},{-1, -1},{-1, -1},{-1, -1},{-1, -1},{-1, -1},{ 0, -1},
+    { 4,  0},{20,  0},{-1,  0},{ 3,  0},{-1,  0},{-1,  0},{-1,  0},{-1,  0},
+    { 0,  4},{ 0, 20},{ 2, -1},{ 2,  1},{ 3, -1},{-1, -1},{-1, -1},{ 4,  0},
+    { 1,  0},{ 1,  0},{-1,  0},{-1,  0},{-1,  0},{-1,  0},{-1,  0},{-1,  0},
+    { 0,  1},{ 0,  1},{-1, -1},{ 1,  0},{ 1,  0},{-1, -1},{-1, -1},{-1, -1},
+    { 1,  0},{ 0,  0},{ 2,  0},{ 2,  0},{-1,  0},{ 1,  0},{ 3,  0},{ 1,  0},
+    { 0,  1},{ 1,  0},{ 0,  2},{ 0,  2},{ 0, -1},{-1, -1},{-1, -1},{-1, -1},
+    { 2,  0},{-1,  0},{-1,  0},{-1,  0},{-1,  0},{-1,  0},{-1,  0},{-1,  0},
+    { 0,  3},{ 0,  3},{ 0,  2},{ 0,  8},{ 0, -1},{ 0, -1},{-1, -1},{-1, -1},
+    { 1,  0},{ 1,  0},{ 1,  0},{-1,  0},{-1,  0},{-1,  0},{-1,  0},{-1,  0},
+    { 0, -1},{ 0, -1},{-1, -1},{-1, -1},{-1, -1},{ 5,  1},{ 4,  1},{ 4,  1},
+    { 4,  0},{-1,  0},{ 0,  0},{-1,  0},{-1,  0},{-1,  0},{-1,  0},{-1,  0},
+    { 0,  5},{-1, -1},{-1, -1},{-1, -1},{-1, -1},{-1, -1},{-1, -1},{-1, -1},
+    { 1,  0},{ 2,  0},{-1,  0},{-1,  0},{-1,  0},{-1,  0},{-1,  0},{-1,  0},
+    { 0,  1},{ 0,  1},{-1, -1},{-1, -1},{-1, -1},{-1, -1},{-1, -1},{-1, -1},
+    { 2,  0},{ 2,  0},{ 2,  0},{ 4,  0},{-1,  0},{ 0,  0},{-1,  0},{-1,  0},
+    { 1,  1},{ 1,  0},{ 3,  0},{ 2,  0},{-1, -1},{-1, -1},{-1, -1},{-1, -1},
+    {-1,  0},{-1,  0},{-1,  0},{-1,  0},{-1,  0},{-1,  0},{-1,  0},{-1,  0},
+    {-1, -1},{-1, -1},{-1, -1},{-1, -1},{-1, -1},{-1, -1},{-1, -1},{-1, -1},
+    {-1,  0},{-1,  0},{-1,  0},{-1,  0},{-1,  0},{-1,  0},{-1,  0},{-1,  0},
+    {-1, -1},{-1, -1},{-1, -1},{-1, -1},{-1, -1},{-1, -1},{-1, -1},{-1, -1},
+    { 0,  0},{-1,  0},{-1,  0},{-1,  0},{-1,  0},{-1,  0},{-1,  0},{-1,  0},
+    { 1,  1},{ 1,  1},{-1, -1},{-1, -1},{ 0,  1},{ 0, -1},{-1, -1},{-1, -1},
+    {-1,  0},{ 4,  0},{ 0,  1},{-1,  0},{-1,  0},{ 4,  0},{-1,  0},{-1,  0},
+    { 3, -1},{-1, -1},{ 0,  1},{-1, -1},{ 0, -1},{-1, -1},{-1, -1},{ 0,  0},
+    {-1,  0},{-1,  0},{-1,  0},{-1,  0},{-1,  0},{-1,  0},{-1,  0},{-1,  0},
+    {-1, -1},{-1, -1},{-1, -1},{-1, -1},{-1, -1},{-1, -1},{-1, -1},{-1, -1},
+};
+
+/* Command protocol state machine */
+typedef enum {
+    pmu_state_idle, /* Waiting for command */
+    pmu_state_cmd,  /* Receiving command */
+    pmu_state_rsp,  /* Responding to command */
+} PMUCmdState;
+
+/* MOS6522 PMU */
+typedef struct MOS6522PMUState {
+    /*< private >*/
+    MOS6522State parent_obj;
+} MOS6522PMUState;
+
+#define TYPE_MOS6522_PMU "mos6522-pmu"
+#define MOS6522_PMU(obj) OBJECT_CHECK(MOS6522PMUState, (obj), \
+                                      TYPE_MOS6522_PMU)
+/**
+ * PMUState:
+ * @last_b: last value of B register
+ */
+
+typedef struct PMUState {
+    /*< private >*/
+    SysBusDevice parent_obj;
+    /*< public >*/
+
+    MemoryRegion mem;
+    uint64_t frequency;
+    qemu_irq via_irq;
+    bool via_irq_state;
+
+    /* PMU state */
+    MOS6522PMUState mos6522_pmu;
+
+    /* PMU low level protocol state */
+    PMUCmdState cmd_state;
+    uint8_t last_b;
+    uint8_t cmd;
+    uint32_t cmdlen;
+    uint32_t rsplen;
+    uint8_t cmd_buf_pos;
+    uint8_t cmd_buf[128];
+    uint8_t cmd_rsp_pos;
+    uint8_t cmd_rsp_sz;
+    uint8_t cmd_rsp[128];
+
+    /* PMU events/interrupts */
+    uint8_t intbits;
+    uint8_t intmask;
+
+    /* ADB */
+    bool has_adb;
+    ADBBusState adb_bus;
+    uint16_t adb_poll_mask;
+    uint8_t autopoll_rate_ms;
+    uint8_t autopoll_mask;
+    QEMUTimer *adb_poll_timer;
+    uint8_t adb_reply_size;
+    uint8_t adb_reply[ADB_MAX_OUT_LEN];
+
+    /* RTC */
+    uint32_t tick_offset;
+    QEMUTimer *one_sec_timer;
+    int64_t one_sec_target;
+
+    /* GPIO */
+    MacIOGPIOState *gpio;
+} PMUState;
+
+#define TYPE_VIA_PMU "via-pmu"
+#define VIA_PMU(obj) OBJECT_CHECK(PMUState, (obj), TYPE_VIA_PMU)
+
+#endif /* PMU_H */
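Review bot: `cmd_rsp_sz` and `cmd_rsp_pos` are `uint8_t` while `cmd_rsp` holds 128 bytes, so both can hold values past the end of the array and nothing in the struct records the invariant that they must not. In this same patch pmu_update() guards the command side with `s->cmd_buf_pos < sizeof(s->cmd_buf)` but reads the response under `s->cmd_rsp_pos < s->cmd_rsp_sz` alone, and vmstate_pmu restores `cmd_rsp_sz` from the migration stream without a range check. I would bound the read as `s->cmd_rsp_pos < MIN(s->cmd_rsp_sz, sizeof(s->cmd_rsp))` and add a `post_load` hook that rejects out-of-range positions and sizes. Giving the 128 a name shared by both buffers would help as well. Whether a command handler can itself store a size above 128 is not visible from this part of the patch.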
-- 
2.11.0