Re: kern/59721: qemu VM's blackscreen over VNC wth -machine q35

["Taylor R Campbell via gnats" <gnats-admin%NetBSD.org@localhost>]

The following reply was made to PR kern/59721; it has been noted by GNATS.

From: Taylor R Campbell <riastradh%NetBSD.org@localhost>
To: Roy Marples <roy%marples.name@localhost>,
	Michael van Elst <mlelstv%serpens.de@localhost>,
	Martin Husemann <martin%duskware.de@localhost>
Cc: gnats-bugs%NetBSD.org@localhost, netbsd-bugs%NetBSD.org@localhost
Subject: Re: kern/59721: qemu VM's blackscreen over VNC wth -machine q35
Date: Sun, 26 Oct 2025 21:56:17 +0000

 Following https://www.seabios.org/Debugging.html I tried building my
 own SeaBIOS with extra debugging output, and diffed the output of
 
 qemu-system-x86_64 \
   -machine q35 \
   -chardev stdio,id=3Dseabios \
   -device isa-debugcon,iobase=3D0x402,chardev=3Dseabios
 
 with and without `-accel nvmm'.  Here are the main differences
 (skipping a profusion of probably-insignificant hypervisor-section
 cpuid queries), with - bad (-accel nvmm) and + good (no -accel nvmm):
 
  No Xen hypervisor found.
  enabling shadow ram
  Running on QEMU (q35)
 -physbits: signature=3D"GenuineIntel", pae=3Dyes, lm=3Dyes, phys-bits=3D39,=
  valid=3Dyes
 -cpuid 0x40000000: eax 40000000, signature '___ NVMM ___'
 +physbits: signature=3D"AuthenticAMD", pae=3Dyes, lm=3Dyes, phys-bits=3D40,=
  valid=3Dyes
 +cpuid 0x40000000: eax 40000001, signature 'TCGTCGTCGTCG'
  Found QEMU fw_cfg
  QEMU fw_cfg DMA interface supported
 +Add to e820 map: fd00000000 300000000 2
 +qemu/e820: addr 0x000000fd00000000 len 0x0000000300000000 [reserved]
  Add to e820 map: 00000000 08000000 1
  qemu/e820: addr 0x0000000000000000 len 0x0000000008000000 [RAM]
  qemu/e820: RamSize: 0x08000000
 @@ -297,7 +298,7 @@
  phys_alloc zone=3D0x06fffe78 size=3D148 align=3D10 ret=3D6fea500 (detail=
 =3D0x06fea4d0)
  Add romfile: etc/boot-fail-wait (size=3D4)
  phys_alloc zone=3D0x06fffe78 size=3D148 align=3D10 ret=3D6fea430 (detail=
 =3D0x06fea400)
 -Add romfile: etc/e820 (size=3D20)
 +Add romfile: etc/e820 (size=3D40)
  phys_alloc zone=3D0x06fffe78 size=3D148 align=3D10 ret=3D6fea360 (detail=
 =3D0x06fea330)
  Add romfile: etc/smbios/smbios-anchor (size=3D31)
  phys_alloc zone=3D0x06fffe78 size=3D148 align=3D10 ret=3D6fea290 (detail=
 =3D0x06fea260)
 @@ -398,6 +399,7 @@
  phys_free 6fe9aa0 (detail=3D0x06fe9a70)
  PCI: Using 00:01.0 for primary VGA
  init smm
 +handle_smi cmd=3D0 smbase=3D0x00030000
  init mtrr
  Found 1 cpu(s) max supported 1 cpu(s)
  init PIR table
 @@ -787,9 +789,13 @@
     a=3D00000008  b=3D0000ffff  c=3D00000000  d=3D0000ffff ds=3D0000 es=3Df=
 000 ss=3D0000
    si=3D00000000 di=3D00004c00 bp=3D00000000 sp=3D00006d52 cs=3Df000 ip=3Dc=
 7eb  f=3D0000
  Attempting to allocate 512 bytes lowmem via pmm call to f000:c89f
 +call32_smm 0x06ffee31 6cf8
 +handle_smi cmd=3Db5 smbase=3D0x000a0000
  pmm call arg1=3D0
  pmm00: length=3D20 handle=3Dffffffff flags=3D9
  phys_alloc zone=3D0x06fffe88 size=3D512 align=3D10 ret=3De6120 (detail=3D0=
 x06fe8cd0)
 +handle_smi cmd=3Db5 smbase=3D0x000a0000
 +call32_smm done 0x06ffee31 e6120
  VGA stack allocated at e6120
  Turning on vga text mode console
 
 I also inserted a sleep in enable_vga_console, and confirmed that the
 first difference happens immediately after the first INT 10h(ax=3D0003)
 call: in the good case, there's a blinking cursor after that; in the
 bad case, there's none.
 
 The missing handle_smi and call32_smm lines look suspicious.