From: "Theo de Raadt"
Subject: Re: AMD SEV: confidential autoconf whitelist
To: Stefan Fritsch
Cc: Mark Kettenis, Hans-Jörg Höxer, tech@openbsd.org
Date: Tue, 09 Sep 2025 13:23:04 -0600

Stefan Fritsch wrote:

> I agree that making ACPI secure means not parsing any AML. So maybe it
> will involve finding other sources for the information we need from the
> DSDT/SSDT.

That is not how it works. The static tables do not contain sufficient
useful information, and you will be using AML. Meaning, the kernel
will call acpi routes, which execute AML.

> Maybe in the end it will allow us to simply disable acpi(4).
> SEV-SNP already defines a way to get the APIC IDs of all present CPUs.
> Knowledge about IO APICs could be replaced by using MSI/MSI-X exclusively
> or by using some para-virtualized interrupt controller. We will have to
> see what other pieces we absolutely need. PCI busses come to mind.