> From: "Theo de Raadt" <deraadt@openbsd.org>
> Date: Tue, 09 Sep 2025 13:23:04 -0600
> 
> Stefan Fritsch <sf@sfritsch.de> wrote:
> 
> > I agree that making ACPI secure means not parsing any AML. So maybe it 
> > will involve finding other sources for the information we need from the 
> > DSDT/SSDT.
> 
> That is not how it works.  The static tables do not contain sufficient
> useful information, and you will be using AML.  Meaning, the kernel will
> call acpi routes, which execute AML.

Actually, I think the static tables would get you a very long way.
It'd require a bit of surgery to acpi(4) to only do the tables without
turning it into spaghetti.

> > Maybe in the end it will allow us to simply disable acpi(4). 
> > SEV-SNP already defines a way to get the APIC IDs of all present CPUs. 
> > Knowledge about IO APICs could be replaced by using MSI/MSI-X exclusively 
> > or by using some para-virtualized intterupt controller. We will have to 
> > see what other pieces we absolutely need. PCI busses come to mind.

The CPUs are defined in the MADT table anyway.  The IO APICs are there
as well, but you might still need PCI interrupt routing info to make
them actually work.  So yes MSI/MSI-X would be better.  The MCFG table
should be anough for PCI.