1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
|
;; -*- fundamental -*-
;; -----------------------------------------------------------------------
;;
;; Copyright 1994-2008 H. Peter Anvin - All Rights Reserved
;;
;; This program is free software; you can redistribute it and/or modify
;; it under the terms of the GNU General Public License as published by
;; the Free Software Foundation, Inc., 53 Temple Place Ste 330,
;; Boston MA 02111-1307, USA; either version 2 of the License, or
;; (at your option) any later version; incorporated herein by reference.
;;
;; -----------------------------------------------------------------------
;;
;; init16.asm
;;
;; Routine to initialize and to trampoline into 32-bit
;; protected memory. This code is derived from bcopy32.inc and
;; com32.inc in the main SYSLINUX distribution.
;;
%include '../version.gen'
MY_CS equ 0x0800 ; Segment address to use
CS_BASE equ (MY_CS << 4) ; Corresponding address
; Low memory bounce buffer
BOUNCE_SEG equ (MY_CS+0x1000)
%define DO_WBINVD 0
%define STACK_HEAP_SIZE (128*1024)
section .rodata align=16
section .data align=16
section .bss align=16
;; -----------------------------------------------------------------------
;; Kernel image header
;; -----------------------------------------------------------------------
section .text ; Must be first in image
bits 16
cmdline times 497 db 0 ; We put the command line here
setup_sects db 0
root_flags dw 0
syssize dw 0
swap_dev dw 0
ram_size dw 0
vid_mode dw 0
root_dev dw 0
boot_flag dw 0xAA55
_start: jmp short start
db "HdrS" ; Header signature
dw 0x0203 ; Header version number
realmode_swtch dw 0, 0 ; default_switch, SETUPSEG
start_sys_seg dw 0x1000 ; obsolete
version_ptr dw memdisk_version-0x200 ; version string ptr
type_of_loader db 0 ; Filled in by boot loader
loadflags db 1 ; Please load high
setup_move_size dw 0 ; Unused
code32_start dd 0x100000 ; 32-bit start address
ramdisk_image dd 0 ; Loaded ramdisk image address
ramdisk_size dd 0 ; Size of loaded ramdisk
bootsect_kludge dw 0, 0
heap_end_ptr dw 0
pad1 dw 0
cmd_line_ptr dd 0 ; Command line
ramdisk_max dd 0xffffffff ; Highest allowed ramdisk address
;
; These fields aren't real setup fields, they're poked in by the
; 32-bit code.
;
b_esdi dd 0 ; ES:DI for boot sector invocation
b_edx dd 0 ; EDX for boot sector invocation
section .rodata
memdisk_version:
db "MEMDISK ", VERSION_STR, " ", DATE, 0
;; -----------------------------------------------------------------------
;; End kernel image header
;; -----------------------------------------------------------------------
;
; Move ourselves down into memory to reduce the risk of conflicts;
; then canonicalize CS to match the other segments.
;
section .text
bits 16
start:
mov ax,MY_CS
mov es,ax
movzx cx,byte [setup_sects]
inc cx ; Add one for the boot sector
shl cx,7 ; Convert to dwords
xor si,si
xor di,di
mov fs,si ; fs <- 0
cld
rep movsd
mov ds,ax
mov ss,ax
xor esp,esp ; Stack at top of 64K segment
jmp MY_CS:.next
.next:
;
; Copy the command line, if there is one
;
copy_cmdline:
xor di,di ; Bottom of our own segment (= "boot sector")
mov eax,[cmd_line_ptr]
and eax,eax
jz .endcmd ; No command line
mov si,ax
shr eax,4 ; Convert to segment
and si,0x000F ; Starting offset only
mov gs,ax
mov cx,496 ; Max number of bytes
.copycmd:
gs lodsb
and al,al
jz .endcmd
stosb
loop .copycmd
.endcmd:
xor al,al
stosb
;
; Now jump to 32-bit code
;
sti
call init32
;
; When init32 returns, we have been set up, the new boot sector loaded,
; and we should go and and run the newly loaded boot sector.
;
; The setup function will have poked values into the setup area.
;
movzx edi,word [cs:b_esdi]
mov es,word [cs:b_esdi+2]
mov edx,[cs:b_edx]
cli
xor esi,esi ; No partition table involved
mov ds,si ; Make all the segments consistent
mov fs,si
mov gs,si
mov ss,si
mov esp,0x7C00 ; Good place for SP to start out
call 0:0x7C00
int 18h ; A far return -> INT 18h
;
; We enter protected mode, set up a flat 32-bit environment, run rep movsd
; and then exit. IMPORTANT: This code assumes cs == MY_CS.
;
; This code is probably excessively anal-retentive in its handling of
; segments, but this stuff is painful enough as it is without having to rely
; on everything happening "as it ought to."
;
section .rodata
; desc base, limit, flags
%macro desc 3
dd (%2 & 0xffff) | ((%1 & 0xffff) << 16)
dd (%1 & 0xff000000) | (%2 & 0xf0000) | ((%3 & 0xf0ff) << 8) | ((%1 & 0x00ff0000) >> 16)
%endmacro
align 8, db 0
call32_gdt: dw call32_gdt_size-1 ; Null descriptor - contains GDT
.adj1: dd call32_gdt+CS_BASE ; pointer for LGDT instruction
dw 0
; 0008: Code segment, use16, readable, dpl 0, base CS_BASE, 64K
desc CS_BASE, 0xffff, 0x009b
; 0010: Data segment, use16, read/write, dpl 0, base CS_BASE, 64K
desc CS_BASE, 0xffff, 0x0093
; 0018: Data segment, use16, read/write, dpl 0, base 0, 4G
desc 0, 0xfffff, 0x809b
; 0020: Code segment, use32, read/write, dpl 0, base 0, 4G
desc 0, 0xfffff, 0xc09b
; 0028: Data segment, use32, read/write, dpl 0, base 0, 4G
desc 0, 0xfffff, 0xc093
call32_gdt_size: equ $-call32_gdt
err_a20: db 'ERROR: A20 gate not responding!',13,10,0
section .bss
alignb 4
SavedSSSP resd 1 ; Place to save SS:SP
Return resd 1 ; Return value
A20Test resw 1 ; Space to test A20
A20Tries resb 1
section .data
alignb 4
Target dd 0 ; Target address
Target_Seg dw 20h ; Target CS
A20Type dw 0 ; Default = unknown
section .text
bits 16
;
; Routines to enable and disable (yuck) A20. These routines are gathered
; from tips from a couple of sources, including the Linux kernel and
; http://www.x86.org/. The need for the delay to be as large as given here
; is indicated by Donnie Barnes of RedHat, the problematic system being an
; IBM ThinkPad 760EL.
;
; We typically toggle A20 twice for every 64K transferred.
;
%define io_delay call _io_delay
%define IO_DELAY_PORT 80h ; Invalid port (we hope!)
%define disable_wait 32 ; How long to wait for a disable
%define A20_DUNNO 0 ; A20 type unknown
%define A20_NONE 1 ; A20 always on?
%define A20_BIOS 2 ; A20 BIOS enable
%define A20_KBC 3 ; A20 through KBC
%define A20_FAST 4 ; A20 through port 92h
align 2, db 0
A20List dw a20_dunno, a20_none, a20_bios, a20_kbc, a20_fast
A20DList dw a20d_dunno, a20d_none, a20d_bios, a20d_kbc, a20d_fast
a20_adjust_cnt equ ($-A20List)/2
slow_out: out dx, al ; Fall through
_io_delay: out IO_DELAY_PORT,al
out IO_DELAY_PORT,al
ret
enable_a20:
pushad
mov byte [A20Tries],255 ; Times to try to make this work
try_enable_a20:
;
; Flush the caches
;
%if DO_WBINVD
call try_wbinvd
%endif
;
; If the A20 type is known, jump straight to type
;
mov bp,[A20Type]
add bp,bp ; Convert to word offset
.adj4: jmp word [bp+A20List]
;
; First, see if we are on a system with no A20 gate
;
a20_dunno:
a20_none:
mov byte [A20Type], A20_NONE
call a20_test
jnz a20_done
;
; Next, try the BIOS (INT 15h AX=2401h)
;
a20_bios:
mov byte [A20Type], A20_BIOS
mov ax,2401h
pushf ; Some BIOSes muck with IF
int 15h
popf
call a20_test
jnz a20_done
;
; Enable the keyboard controller A20 gate
;
a20_kbc:
mov dl, 1 ; Allow early exit
call empty_8042
jnz a20_done ; A20 live, no need to use KBC
mov byte [A20Type], A20_KBC ; Starting KBC command sequence
mov al,0D1h ; Write output port
out 064h, al
call empty_8042_uncond
mov al,0DFh ; A20 on
out 060h, al
call empty_8042_uncond
; Apparently the UHCI spec assumes that A20 toggle
; ends with a null command (assumed to be for sychronization?)
; Put it here to see if it helps anything...
mov al,0FFh ; Null command
out 064h, al
call empty_8042_uncond
; Verify that A20 actually is enabled. Do that by
; observing a word in low memory and the same word in
; the HMA until they are no longer coherent. Note that
; we don't do the same check in the disable case, because
; we don't want to *require* A20 masking (SYSLINUX should
; work fine without it, if the BIOS does.)
.kbc_wait: push cx
xor cx,cx
.kbc_wait_loop:
call a20_test
jnz a20_done_pop
loop .kbc_wait_loop
pop cx
;
; Running out of options here. Final attempt: enable the "fast A20 gate"
;
a20_fast:
mov byte [A20Type], A20_FAST ; Haven't used the KBC yet
in al, 092h
or al,02h
and al,~01h ; Don't accidentally reset the machine!
out 092h, al
.fast_wait: push cx
xor cx,cx
.fast_wait_loop:
call a20_test
jnz a20_done_pop
loop .fast_wait_loop
pop cx
;
; Oh bugger. A20 is not responding. Try frobbing it again; eventually give up
; and report failure to the user.
;
dec byte [A20Tries]
jnz try_enable_a20
; Error message time
mov si,err_a20
print_err:
lodsb
and al,al
jz die
mov bx,7
mov ah,0xe
int 10h
jmp print_err
die:
sti
.hlt: hlt
jmp short .hlt
;
; A20 unmasked, proceed...
;
a20_done_pop: pop cx
a20_done: popad
ret
;
; This routine tests if A20 is enabled (ZF = 0). This routine
; must not destroy any register contents.
;
a20_test:
push es
push cx
push ax
mov cx,0FFFFh ; HMA = segment 0FFFFh
mov es,cx
mov cx,32 ; Loop count
mov ax,[A20Test]
.a20_wait: inc ax
mov [A20Test],ax
io_delay ; Serialize, and fix delay
cmp ax,[es:A20Test+CS_BASE+10h]
loopz .a20_wait
.a20_done: pop ax
pop cx
pop es
ret
disable_a20:
pushad
;
; Flush the caches
;
%if DO_WBINVD
call try_wbinvd
%endif
mov bp,[A20Type]
add bp,bp ; Convert to word offset
.adj5: jmp word [bp+A20DList]
a20d_bios:
mov ax,2400h
pushf ; Some BIOSes muck with IF
int 15h
popf
jmp short a20d_snooze
;
; Disable the "fast A20 gate"
;
a20d_fast:
in al, 092h
and al,~03h
out 092h, al
jmp short a20d_snooze
;
; Disable the keyboard controller A20 gate
;
a20d_kbc:
call empty_8042_uncond
mov al,0D1h
out 064h, al ; Write output port
call empty_8042_uncond
mov al,0DDh ; A20 off
out 060h, al
call empty_8042_uncond
mov al,0FFh ; Null command/synchronization
out 064h, al
call empty_8042_uncond
; Wait a bit for it to take effect
a20d_snooze:
push cx
mov cx, disable_wait
.delayloop: call a20_test
jz .disabled
loop .delayloop
.disabled: pop cx
a20d_dunno:
a20d_none:
popad
ret
;
; Routine to empty the 8042 KBC controller. If dl != 0
; then we will test A20 in the loop and exit if A20 is
; suddenly enabled.
;
empty_8042_uncond:
xor dl,dl
empty_8042:
call a20_test
jz .a20_on
and dl,dl
jnz .done
.a20_on: io_delay
in al, 064h ; Status port
test al,1
jz .no_output
io_delay
in al, 060h ; Read input
jmp short empty_8042
.no_output:
test al,2
jnz empty_8042
io_delay
.done: ret
;
; Execute a WBINVD instruction if possible on this CPU
;
%if DO_WBINVD
try_wbinvd:
wbinvd
ret
%endif
section .bss
alignb 4
PMESP resd 1 ; Protected mode %esp
section .idt nobits align=4096
alignb 4096
pm_idt resb 4096 ; Protected-mode IDT, followed by interrupt stubs
pm_entry: equ 0x100000
section .rodata
align 4, db 0
call32_pmidt:
dw 8*256 ; Limit
dd pm_idt+CS_BASE ; Address
call32_rmidt:
dw 0ffffh ; Limit
dd 0 ; Address
section .text
;
; This is the main entrypoint in this function
;
init32:
mov ebx,call32_call_start+CS_BASE ; Where to go in PM
call32_enter_pm:
mov ax,cs
mov ds,ax
cli
mov [SavedSSSP],sp
mov [SavedSSSP+2],ss
cld
call a20_test
jnz .a20ok
call enable_a20
.a20ok:
lgdt [call32_gdt] ; Set up GDT
lidt [call32_pmidt] ; Set up the IDT
mov eax,cr0
or al,1
mov cr0,eax ; Enter protected mode
jmp 20h:dword .in_pm+CS_BASE
bits 32
.in_pm:
xor eax,eax ; Available for future use...
mov fs,eax
mov gs,eax
mov al,28h ; Set up data segments
mov es,eax
mov ds,eax
mov ss,eax
mov esp,[PMESP+CS_BASE] ; Load protmode %esp if available
jmp ebx ; Go to where we need to go
;
; This is invoked before first dispatch of the 32-bit code, in 32-bit mode
;
call32_call_start:
;
; Point the stack into low memory
; We have: this segment, bounce buffer, then stack+heap
;
mov esp, CS_BASE + 0x20000 + STACK_HEAP_SIZE
and esp, ~0xf
;
; Set up the protmode IDT and the interrupt jump buffers
;
mov edi,pm_idt+CS_BASE
; Form an interrupt gate descriptor
; WARNING: This is broken if pm_idt crosses a 64K boundary;
; however, it can't because of the alignment constraints.
mov ebx,pm_idt+CS_BASE+8*256
mov eax,0x0020ee00
xchg ax,bx
xor ecx,ecx
inc ch ; ecx <- 256
push ecx
.make_idt:
stosd
add eax,8
xchg eax,ebx
stosd
xchg eax,ebx
loop .make_idt
pop ecx
; Each entry in the interrupt jump buffer contains
; the following instructions:
;
; 00000000 60 pushad
; 00000001 B0xx mov al,<interrupt#>
; 00000003 E9xxxxxxxx jmp call32_handle_interrupt
mov eax,0xe900b060
mov ebx,call32_handle_interrupt+CS_BASE
sub ebx,edi
.make_ijb:
stosd
sub [edi-2],cl ; Interrupt #
xchg eax,ebx
sub eax,8
stosd
xchg eax,ebx
loop .make_ijb
; Now everything is set up for interrupts...
push dword (BOUNCE_SEG << 4) ; Bounce buffer address
push dword call32_syscall+CS_BASE ; Syscall entry point
sti ; Interrupts OK now
call pm_entry-CS_BASE ; Run the program...
; ... on return ...
mov [Return+CS_BASE],eax
; ... fall through to call32_exit ...
call32_exit:
mov bx,call32_done ; Return to command loop
call32_enter_rm:
cli
cld
mov [PMESP+CS_BASE],esp ; Save exit %esp
xor esp,esp ; Make sure the high bits are zero
jmp 08h:.in_pm16 ; Return to 16-bit mode first
bits 16
.in_pm16:
mov ax,10h ; Real-mode-like segment
mov es,ax
mov ds,ax
mov ss,ax
mov fs,ax
mov gs,ax
lidt [call32_rmidt] ; Real-mode IDT (rm needs no GDT)
mov eax,cr0
and al,~1
mov cr0,eax
jmp MY_CS:.in_rm
.in_rm: ; Back in real mode
mov ax,cs ; Set up sane segments
mov ds,ax
mov es,ax
mov fs,ax
mov gs,ax
lss sp,[SavedSSSP] ; Restore stack
jmp bx ; Go to whereever we need to go...
call32_done:
call disable_a20
sti
mov ax,[Return]
ret
;
; 16-bit support code
;
bits 16
;
; 16-bit interrupt-handling code
;
call32_int_rm:
pushf ; Flags on stack
push cs ; Return segment
push word .cont ; Return address
push dword edx ; Segment:offset of IVT entry
retf ; Invoke IVT routine
.cont: ; ... on resume ...
mov ebx,call32_int_resume+CS_BASE
jmp call32_enter_pm ; Go back to PM
;
; 16-bit system call handling code
;
call32_sys_rm:
pop gs
pop fs
pop es
pop ds
popad
popfd
retf ; Invoke routine
.return:
pushfd
pushad
push ds
push es
push fs
push gs
mov ebx,call32_sys_resume+CS_BASE
jmp call32_enter_pm
;
; 32-bit support code
;
bits 32
;
; This is invoked on getting an interrupt in protected mode. At
; this point, we need to context-switch to real mode and invoke
; the interrupt routine.
;
; When this gets invoked, the registers are saved on the stack and
; AL contains the register number.
;
call32_handle_interrupt:
movzx eax,al
xor ebx,ebx ; Actually makes the code smaller
mov edx,[ebx+eax*4] ; Get the segment:offset of the routine
mov bx,call32_int_rm
jmp call32_enter_rm ; Go to real mode
call32_int_resume:
popad
iret
;
; Syscall invocation. We manifest a structure on the real-mode stack,
; containing the call32sys_t structure from <call32.h> as well as
; the following entries (from low to high address):
; - Target offset
; - Target segment
; - Return offset
; - Return segment (== real mode cs)
; - Return flags
;
call32_syscall:
pushfd ; Save IF among other things...
pushad ; We only need to save some, but...
cld
movzx edi,word [SavedSSSP+CS_BASE]
movzx eax,word [SavedSSSP+CS_BASE+2]
sub edi,54 ; Allocate 54 bytes
mov [SavedSSSP+CS_BASE],di
shl eax,4
add edi,eax ; Create linear address
mov esi,[esp+11*4] ; Source regs
xor ecx,ecx
mov cl,11 ; 44 bytes to copy
rep movsd
movzx eax,byte [esp+10*4] ; Interrupt number
; ecx == 0 here; adding it to the EA makes the
; encoding smaller
mov eax,[ecx+eax*4] ; Get IVT entry
stosd ; Save in stack frame
mov eax,call32_sys_rm.return + (MY_CS << 16) ; Return seg:offs
stosd ; Save in stack frame
mov eax,[edi-12] ; Return flags
and eax,0x200cd7 ; Mask (potentially) unsafe flags
mov [edi-12],eax ; Primary flags entry
stosw ; Return flags
mov bx,call32_sys_rm
jmp call32_enter_rm ; Go to real mode
; On return, the 44-byte return structure is on the
; real-mode stack.
call32_sys_resume:
movzx esi,word [SavedSSSP+CS_BASE]
movzx eax,word [SavedSSSP+CS_BASE+2]
mov edi,[esp+12*4] ; Dest regs
shl eax,4
add esi,eax ; Create linear address
and edi,edi ; NULL pointer?
jnz .do_copy
.no_copy: mov edi,esi ; Do a dummy copy-to-self
.do_copy: xor ecx,ecx
mov cl,11 ; 44 bytes
rep movsd ; Copy register block
add dword [SavedSSSP+CS_BASE],44 ; Remove from stack
popad
popfd
ret ; Return to 32-bit program
|
