{"id":2234490,"url":"http://patchwork.ozlabs.org/api/1.2/covers/2234490/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/cover/20260507152030.48753-1-matthew@pq.io/","project":{"id":14,"url":"http://patchwork.ozlabs.org/api/1.2/projects/14/?format=json","name":"QEMU Development","link_name":"qemu-devel","list_id":"qemu-devel.nongnu.org","list_email":"qemu-devel@nongnu.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260507152030.48753-1-matthew@pq.io>","list_archive_url":null,"date":"2026-05-07T15:20:28","name":"[v2,0/2] hw/misc/applesmc: fix GET_KEY_BY_INDEX iteration and populate Apple SMC key set","submitter":{"id":93356,"url":"http://patchwork.ozlabs.org/api/1.2/people/93356/?format=json","name":"Matthew Jackson","email":"matthew@pq.io"},"mbox":"http://patchwork.ozlabs.org/project/qemu-devel/cover/20260507152030.48753-1-matthew@pq.io/mbox/","series":[{"id":503233,"url":"http://patchwork.ozlabs.org/api/1.2/series/503233/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/list/?series=503233","date":"2026-05-07T15:20:28","name":"hw/misc/applesmc: fix GET_KEY_BY_INDEX iteration and populate Apple SMC key set","version":2,"mbox":"http://patchwork.ozlabs.org/series/503233/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/covers/2234490/comments/","headers":{"Return-Path":"<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=pq.io header.i=@pq.io header.a=rsa-sha256\n header.s=protonmail3 header.b=MCL0hsFy;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists1p.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4gBJwF677mz1y04\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 08 May 2026 03:22:20 +1000 (AEST)","from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists1p.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1wL2PP-0000tB-Fk; Thu, 07 May 2026 13:21:11 -0400","from eggs.gnu.org ([2001:470:142:3::10])\n by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <matthew@pq.io>) id 1wL0Wq-0004Ad-C4\n for qemu-devel@nongnu.org; Thu, 07 May 2026 11:20:44 -0400","from mail-106113.protonmail.ch ([79.135.106.113])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <matthew@pq.io>) id 1wL0Wm-00046A-HW\n for qemu-devel@nongnu.org; Thu, 07 May 2026 11:20:44 -0400"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=pq.io;\n s=protonmail3; t=1778167234; x=1778426434;\n bh=kI+rXLcmJE1sRrwYK9mQCcJt0sOyvaCCRme5UXRIwrs=;\n h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:From:To:\n Cc:Date:Subject:Reply-To:Feedback-ID:Message-ID:BIMI-Selector;\n b=MCL0hsFy/RDqnZPriqFfvi60YZ+BYzEZXEr/PyYOIhu8wHJrVQQef3YxI76D0aphz\n m9B/tEbX9vuYkksD0hCb0q4P531armNMxrs/IqH0fbEI82yM691twV/HyCyvTtSDVD\n bnbm9SqdYWMCPPWIBqLT4IfA0xvyX5AFNrSizhWJEAQnEzAfJ5j4ofSY+y1Mb9x+O2\n LJLcdmE6FuOPnBH7z3EfzOw997bVtNkvrKJqXm9iaAz/PyRTzKf799yMvVoFmARRhQ\n iuTFBSO5G26Ruquk5Hhk8R8FjP68pBybBSpy2UQVioiHzrgkA2t3Ffd/f3+j3hZ9iL\n gzVsEKags9x3A==","X-Pm-Submission-Id":"4gBGCj3fDfz1DFFm","From":"Matthew Jackson <matthew@pq.io>","To":"qemu-devel@nongnu.org","Cc":"stefanha@redhat.com,\n\tpeter.maydell@linaro.org","Subject":"[PATCH v2 0/2] hw/misc/applesmc: fix GET_KEY_BY_INDEX iteration and\n populate Apple SMC key set","Date":"Thu,  7 May 2026 08:20:28 -0700","Message-ID":"<20260507152030.48753-1-matthew@pq.io>","X-Mailer":"git-send-email 2.50.1","In-Reply-To":"<20260507040153.14565-1-matthew@pq.io>","References":"<20260507040153.14565-1-matthew@pq.io>","MIME-Version":"1.0","Content-Type":"text/plain; charset=UTF-8","Content-Transfer-Encoding":"8bit","Received-SPF":"pass client-ip=79.135.106.113; envelope-from=matthew@pq.io;\n helo=mail-106113.protonmail.ch","X-Spam_score_int":"-27","X-Spam_score":"-2.8","X-Spam_bar":"--","X-Spam_report":"(-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,\n RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=0.001, SPF_HELO_PASS=-0.001,\n SPF_PASS=-0.001 autolearn=ham autolearn_force=no","X-Spam_action":"no action","X-Mailman-Approved-At":"Thu, 07 May 2026 13:21:06 -0400","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"qemu development <qemu-devel.nongnu.org>","List-Unsubscribe":"<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>","List-Archive":"<https://lists.nongnu.org/archive/html/qemu-devel>","List-Post":"<mailto:qemu-devel@nongnu.org>","List-Help":"<mailto:qemu-devel-request@nongnu.org?subject=help>","List-Subscribe":"<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org"},"content":"v1: https://lore.kernel.org/qemu-devel/20260507040153.14565-1-matthew@pq.io/\n\nChanges in v2 (all in patch 2/2, applesmc_isa_realize() #KEY block):\n\n  * Add braces around the QLIST_FOREACH() count loop body\n    (qemu coding style: loops always need braces, even single-line).\n    Reported-by: Peter Maydell <peter.maydell@linaro.org>\n\n  * Replace the manual 4-byte big-endian byte-shift packing of\n    `count` into `numkey_buf` with a single stl_be_p() call.\n    Reported-by: Peter Maydell <peter.maydell@linaro.org>\n\nPatch 1/2 is unchanged from v1.\n\nPeter also noted that the static-buffer \"must remain valid forever\"\ncontract that applesmc_add_key() requires is awkward — fair, but\nfixing it (e.g. switching the key table to a glib hashtable that\ncopies values) is independent from this series and not reported as\nperformance-noticeable in profiles. Happy to follow up with a\nhashtable conversion as a separate series if the maintainers\nthink it's worth doing.\n\nOriginal v1 cover letter follows below.\n\n---\n\nThe QEMU applesmc device implements just enough of the Apple SMC PMIO\nprotocol to satisfy the OSK boot check on older macOS versions. On\nmodern macOS guests (x86 10.14+, all of the 15.x series) the real\nAppleSMC kext enumerates the SMC key space at boot via\nAPPLESMC_GET_KEY_BY_INDEX_CMD (0x12). The current device only\nacknowledges APPLESMC_READ_CMD (0x10) at the command port; every\nother command falls through to the default arm of the switch and\nsets ST_1E_BAD_CMD.\n\nThe macOS driver interprets the resulting 0x82 reply as \"spurious\ndata\" and enters a retry loop that floods the kernel log with\nkSMCSpuriousData (0x81) / kSMCKeyNotFound errors at roughly 1800\nevents per second, pegging kernel_task at ~70% CPU and WindowServer\nat ~509% CPU. This reproduces reliably on any recent macOS 15 guest\nbooted with -device isa-applesmc,osk=<valid-OSK>.\n\nThis two-patch series fixes the protocol-level bug and rounds out\nthe SMC key table to a complete iMac20,1 profile.\n\n  Patch 1: protocol-level fix\n    - Accept WRITE_CMD, GET_KEY_BY_INDEX_CMD, GET_KEY_TYPE_CMD at the\n      command port (in addition to READ_CMD).\n    - Implement the indexed-iteration walker (returns real key names\n      from s->data_def, or APPLESMC_ST_1E_BAD_INDEX 0xb8 once the\n      index is past the end so the guest stops iterating).\n    - Implement GET_KEY_TYPE returning a 6-byte type/size/attr\n      response matching VirtualSMC's kern_pmio.cpp behaviour.\n    - Accept and log WRITE_CMD silently.\n    - Replace the unknown-key NOEXIST (0x84) reply with a zeroed\n      payload of the requested length, logged at LOG_UNIMP.\n    - Route the BAD_CMD path through qemu_log_mask(LOG_GUEST_ERROR).\n    - Fix MSSD initialiser typo (\"\\0x3\" -> \"\\x03\"). The original\n      literal was three bytes ('\\0', 'x', '3') truncated to one\n      ('\\0') by the size argument, so MSSD has been silently\n      returning 0 since the device was introduced; the corrected\n      value matches what a real iMac20,1 SMC reports.\n\n  Patch 2: populate the key table\n    - Add 94 keys covering the categories macOS queries on a Sequoia\n      15.7.5 guest: 28 temperature sensors (sp78), 4 fan keys (fpe2),\n      12 power-rail keys, 6 DIMM keys, 11 SMC-internal bookkeeping,\n      13 motion-sensor / wireless, 3 write targets (HE0N/MSDW/NTOK),\n      2 power-management gates (HE2N/WDTC), 8 platform-identity /\n      probe keys, plus the Apple-canonical #KEY total-count.\n    - Sensor values match a real iMac20,1 idle probe published at\n      https://linux-hardware.org/?probe=999fc708a4&log=sensors:\n      CPU 40-51 C, GPU 36-42 C, fan at 1200 RPM (= F0Mn idle), etc.\n\nMeasured impact (macOS 15.7.5 guest, iMac20,1 profile):\n\n   Metric           | Before   | After\n   -----------------|---------:|------:\n   SMC errors / 5s  |   9,225  |     2\n   kernel_task CPU  |    70 %  |  ~2 %\n   WindowServer CPU |   509 %  |  ~6 %\n\nA note for review on the zero-valued keys in patch 2: the 26 keys\ncovering DIMM / SMC bookkeeping / motion-sensor / wireless rails are\nregistered with present-with-zero values rather than omitted. macOS\ndistinguishes \"absent\" (NOEXIST reply, retry-poll) from \"broken\"\n(present, value 0, accepted-and-ignored). Registering these keys\npresent-with-zero stops the retry-poll behaviour without asserting\nany specific value. If the maintainer prefers a tighter scope for\nthis series I am happy to drop any subset and follow up; the\npresent-with-zero approach was driven by which keys macOS observed\nquerying during boot.\n\nBackwards compatibility: legacy macOS guests (10.11-10.13) which do\nnot iterate the key space via GET_KEY_BY_INDEX boot unchanged. The\noriginal six keys (REV/OSK0/OSK1/NATJ/MSSP/MSSD) are still present\nand respond with the same values, modulo the MSSD typo fix in patch\n1 which corrects MSSD to the value a real iMac20,1 SMC reports.\n\nTested against current master (post v11.0.0). Builds clean on\ngcc-13 / clang-17 with --enable-werror. Sequoia 15.7.5 guest boots\nto login screen with the SMC retry storm absent from the kernel\nlog; smoke test recipe in TESTING.md alongside the series.\n\nMatthew Jackson (2):\n  hw/misc/applesmc: fix GET_KEY_BY_INDEX to return real keys, accept\n    WRITE/TYPE commands\n  hw/misc/applesmc: populate Apple SMC key table\n\n hw/misc/applesmc.c | 346 +++++++++++++++++++++++++++++++++++++++++++--\n 1 file changed, 338 insertions(+), 8 deletions(-)"}