[RFC PATCH v7 7/7] hvf: do not merge: enable private ISA

Mohamed Mediouni posted 7 patches 1 week, 2 days ago
Maintainers: Roman Bolshakov <rbolshakov@ddn.com>, Phil Dennis-Jordan <phil@philjordan.eu>, Peter Maydell <peter.maydell@linaro.org>, Alexander Graf <agraf@csgraf.de>
Posted by Mohamed Mediouni 1 week, 2 days ago
Booting macOS Tahoe.

There in the series to show that's all it takes, but not
mergeable as is. Testing this requires SIP to be disabled
and AMFI to be bypassed to be able to launch the executable.

Note that macOS Tahoe uses ISV=0, and the corresponding series
is needed too.

The script to do so:
https://gist.githubusercontent.com/zhaofengli/1df11ae3f0dd4e2c872a12ef849f7371/raw/b0ef43f2168600e8810d35a3e70d9a1eb39929e2/amfid-allow.py

Signed-off-by: Mohamed Mediouni <mohamed@unpredictable.fr>
---
 accel/hvf/entitlements.plist | 2 +-
 target/arm/hvf/hvf.c         | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/accel/hvf/entitlements.plist b/accel/hvf/entitlements.plist
index 154f3308ef..b1a25a2319 100644
--- a/accel/hvf/entitlements.plist
+++ b/accel/hvf/entitlements.plist
@@ -2,7 +2,7 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
-    <key>com.apple.security.hypervisor</key>
+    <key>com.apple.private.hypervisor</key>
     <true/>
 </dict>
 </plist>
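Review bot: replacing com.apple.security.hypervisor with com.apple.private.hypervisor in the shipped entitlements file gives every build from this tree an entitlement that, per the commit message, needs SIP disabled and AMFI bypassed before the binary will launch. If the experiment is to live in-tree at all, keep the public entitlement as the default and add the private key only under an explicit, off-by-default build option, with a comment in the plist stating that the key is Apple-restricted and why it is there.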
diff --git a/target/arm/hvf/hvf.c b/target/arm/hvf/hvf.c
index 000e54bd16..5d23aa8ae4 100644
--- a/target/arm/hvf/hvf.c
+++ b/target/arm/hvf/hvf.c
@@ -1219,6 +1219,8 @@ void hvf_arch_vcpu_destroy(CPUState *cpu)
     assert_hvf_ok(ret);
 }
 
+hv_return_t _hv_vm_config_set_isa(hv_vm_config_t cfg, int isa);
+
 hv_return_t hvf_arch_vm_create(MachineState *ms, uint32_t pa_range)
 {
     hv_return_t ret;
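Review bot: the hand-written prototype `hv_return_t _hv_vm_config_set_isa(hv_vm_config_t cfg, int isa);` declares a private Hypervisor.framework symbol with no header behind it, so nothing checks the signature at build time and a framework update can change or drop it without any compile-time signal. At minimum mark it in a comment as undocumented SPI with the macOS version it was observed on, and consider resolving it at runtime with dlsym so a missing symbol gives a clear error instead of a link or load failure.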
@@ -1230,6 +1232,12 @@ hv_return_t hvf_arch_vm_create(MachineState *ms, uint32_t pa_range)
     }
     chosen_ipa_bit_size = pa_range;
 
+    ret = _hv_vm_config_set_isa(config, 3);
+    if (ret != HV_SUCCESS) {
+        error_report("error setting private ISA");
+        goto cleanup;
+    }
+
     ret = hv_vm_create(config);
 
 cleanup:
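Review bot: `_hv_vm_config_set_isa(config, 3)` passes a bare magic number; the reply in this thread explains that level 3 is what the macOS vmapple target needs while level 4 is required for GXF, so name the constant (or expose it as a machine property) and document in a comment what each level enables. The error path also discards the actual return code: `error_report("error setting private ISA");` should include `ret` so a failure can be distinguished from other hv_* errors during debugging.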
-- 
2.50.1 (Apple Git-155)
Re: [RFC PATCH v7 7/7] hvf: do not merge: enable private ISA
Posted by Akihiko Odaki 1 week, 1 day ago
On 2026/03/25 5:48, Mohamed Mediouni wrote:
> Booting macOS Tahoe.
> 
> There in the series to show that's all it takes, but not
> mergeable as is. Testing this requires SIP to be disabled
> and AMFI to be bypassed to be able to launch the executable.


This is interesting. Do you have any idea what is the private ISA?

Regards,
Akihiko Odaki

Re: [RFC PATCH v7 7/7] hvf: do not merge: enable private ISA
Posted by Mohamed Mediouni 1 week, 1 day ago
> On 25. Mar 2026, at 12:07, Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp> wrote:
> 
> On 2026/03/25 5:48, Mohamed Mediouni wrote:
>> Booting macOS Tahoe.
>> There in the series to show that's all it takes, but not
>> mergeable as is. Testing this requires SIP to be disabled
>> and AMFI to be bypassed to be able to launch the executable.
> 
> 
> This is interesting. Do you have any idea what is the private ISA?
> 
> Regards,
> Akihiko Odaki

Hello,

For the macOS vmapple target:

Apple PAC is paravirtualised and not trappable by the VMM without
patching the “hvc #0” to something else.

That’s the only private ISA bit being used there needed for boot.

The documentation for those HVCs:
https://github.com/matteyeux/darwin-xnu/blob/master/doc/vmapple_pac.md

Apple briefly pushed that there, and open-source XNU has that code present.

When private ISA is disabled, instead of the VMM being able to process those
HVCs, they return an error code and the guest dutifully goes into an infinite
loop.

For the vresearch1 target used for PCC VRE and iOS:

Bunch of private ISA used there, including GXF. Private ISA level 3 isn’t
enough to boot those, it wants private ISA level 4.

Thanks,
Re: [RFC PATCH v7 7/7] hvf: do not merge: enable private ISA
Posted by Akihiko Odaki 1 week, 1 day ago
On 2026/03/25 20:21, Mohamed Mediouni wrote:
> 
>> On 25. Mar 2026, at 12:07, Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp> wrote:
>>
>> On 2026/03/25 5:48, Mohamed Mediouni wrote:
>>> Booting macOS Tahoe.
>>> There in the series to show that's all it takes, but not
>>> mergeable as is. Testing this requires SIP to be disabled
>>> and AMFI to be bypassed to be able to launch the executable.
>>
>>
>> This is interesting. Do you have any idea what is the private ISA?
>>
>> Regards,
>> Akihiko Odaki
> 
> Hello,
> 
> For the macOS vmapple target:
> 
> Apple PAC is paravirtualised and not trappable by the VMM without
> patching the “hvc #0” to something else.
> 
> That’s the only private ISA bit being used there needed for boot.
> 
> The documentation for those HVCs:
> https://github.com/matteyeux/darwin-xnu/blob/master/doc/vmapple_pac.md
> 
> Apple briefly pushed that there, and open-source XNU has that code present.
> 
> When private ISA is disabled, instead of the VMM being able to process those
> HVCs, they return an error code and the guest dutifully goes into an infinite
> loop.
> 
> For the vresearch1 target used for PCC VRE and iOS:
> 
> Bunch of private ISA used there, including GXF. Private ISA level 3 isn’t
> enough to boot those, it wants private ISA level 4.

It’s fascinating to learn about these Apple-specifics. The insight 
regarding the GXF requirement for PCC VRE and iOS is also very 
intriguing. Thanks for sharing the information.

Regards,
Akihiko Odaki