[m132]

> instead of trapping to the hypervisor

My bad! I mean, ehh, I guess you could maintain a breakpoint in the guest kernel's exception vector table or have QEMU inject its own "zero-level exception handler" whose only purpose would be to capture those HVCs, but that's not as straightforward as I originally thought. And since those PAC calls are expected to set a few Apple-specific registers anyway, using the entitlement or skipping Hypervisor.framework and talking straight to the kernel seem like the only viable options when macOS is the guest.

> There are some nightmare cases that SEPOS specifically triggers, such as doing isv=0 accesses to GICR... when using the Apple vGIC handling _that_ becomes truly bizarre.

Interesting! Are there any resources out there about virtualizing sepOS?

[my123]

Not much public yet about VRE virtualisation (which includes SEP) at this point.

> whose only purpose would be to capture those HVCs

quite expensive because you get to trap ~ all EL0 -> EL1 priv transitions through the virtualisation infrastructure as the sync handler has a lot going through it

[m132]

Only if you used a breakpoint or something similar. I believe a "shadow" exception vector like that can run entirely in the guest context with the guest not even being aware of this (MRS is generally always trapped so you can return the address of the real one while still taking exceptions to the injected one).

Figuring out where to put it and how to keep it mapped is another problem, though!