[marcan_42]

It still needs to trap to somewhere - e.g. a hypervisor at EL2. But then PSCI can run over HVC anyway, so it doesn't make much of a difference, though being able to pretend EL3 exists from EL2 is nifty. We still lose VM functionality if we run all this at EL2 and the OS at EL1.

I do think the HID register naming scheme comes straight from PowerPC. So does their "DART" IOMMU (again just a name thing, unrelated to the old PowerPC DART IOMMU). A much more interesting question is how much the M1 design directly derives from those older PASemi PPC cores (beyond names and such which could just be a little nod); that's much harder to know, but I'm interested in any hints that might point in that direction :)

[monocasa]

WRT SMC, I guess I figured it'd be used to put some firmware code in EL2, but not be the exclusive owner of EL2 if that's possible. Cut out a reserved region of mem in m1n1 or u-boot, and an EL2 SMC call would simply be a jump to that code without a mode switch. You'd see that kinda thing in some older ARM RTOSes which would run everything at the same privilege level, but use SWI as a core executive invoke. Of course now that I've typed this all out I realize that I was kinda assuming that there'd be some SMC-hack specific vector table that it could own, but it probably traps to the normal EL2 one which I think is what you're hinting at...

Anyways, is there anything that a systems engineer with RE experience and isn't looking for any of y'all's donations can do to help out? I'm between jobs and it seems like fun.