Phew. I honestly have no idea how this would work at all even on Apple HW. Linux simply handles everything from real mode (disable paging) when going into anything firmware related. I have no idea what OpenBSD does. If you could try to find out and summarize it, I might be able to reconstruct how it could work :).
Perhaps the OpenBSD code did not flush the TLB yet? Or does QEMU emulate the TLB properly? I seriously doubt that :-)
Hm, s/OpenBSD/FreeBSD. :)
I have no idea :-)
How do I flush the TLB?
tlbie, and perhaps tlbsync.
Then I can look up in the code and see where it is done. I guess we do that but the place/time might be the question. (Otherwise it wouldn't work on real HW, right?)
That is my theory, yes.
The logs do not show whether segment x'f is still mapped in the SRs (or I missed it). Is it?
How can I enable this log or make it visible?
I have no idea.
Segher