Now I have to find out why the OpenBIOS area is not mapped. Is it the case that the 'of' code on Apple HW is located elsewhere, not at such a high address as 0xfff00000?
Apple OF normally sits at the top of the address space, too.
Or should that not matter?
Phew. I honestly have no idea how this would work at all, even on Apple HW. Linux simply handles everything from real mode (paging disabled) when going into anything firmware-related. I have no idea what OpenBSD does. If you could try to find out and summarize it, I might be able to reconstruct how it could work :).
Perhaps the OpenBSD code did not flush the TLB yet? Or does QEMU emulate the TLB properly? I seriously doubt that :-)
The logs do not show whether segment x'f is still mapped in the SRs (or I missed it). Is it?
Segher