2 ;; -----------------------------------------------------------------------
4 ;; Copyright 1994-2008 H. Peter Anvin - All Rights Reserved
5 ;; Copyright 2009 Intel Corporation; author: H. Peter Anvin
7 ;; This program is free software; you can redistribute it and/or modify
8 ;; it under the terms of the GNU General Public License as published by
9 ;; the Free Software Foundation, Inc., 53 Temple Place Ste 330,
10 ;; Boston MA 02111-1307, USA; either version 2 of the License, or
11 ;; (at your option) any later version; incorporated herein by reference.
13 ;; -----------------------------------------------------------------------
18 ;; Routine to initialize and to trampoline into 32-bit
19 ;; protected memory. This code is derived from bcopy32.inc and
20 ;; com32.inc in the main SYSLINUX distribution.
23 %include '../version.gen'
25 MY_CS equ 0x0800 ; Segment address to use
26 CS_BASE equ (MY_CS << 4) ; Corresponding address
28 ; Low memory bounce buffer
29 BOUNCE_SEG equ (MY_CS+0x1000)
33 section .rodata align=16
34 section .data align=16
36 section .stack align=16 nobits
40 ;; -----------------------------------------------------------------------
41 ;; Kernel image header
42 ;; -----------------------------------------------------------------------
44 section .text ; Must be first in image
47 cmdline times 497 db 0 ; We put the command line here
57 _start: jmp short start
59 db "HdrS" ; Header signature
60 dw 0x0203 ; Header version number
62 realmode_swtch dw 0, 0 ; default_switch, SETUPSEG
63 start_sys_seg dw 0x1000 ; obsolete
64 version_ptr dw memdisk_version-0x200 ; version string ptr
65 type_of_loader db 0 ; Filled in by boot loader
66 loadflags db 1 ; Please load high
67 setup_move_size dw 0 ; Unused
68 code32_start dd 0x100000 ; 32-bit start address
69 ramdisk_image dd 0 ; Loaded ramdisk image address
70 ramdisk_size dd 0 ; Size of loaded ramdisk
71 bootsect_kludge dw 0, 0
74 cmd_line_ptr dd 0 ; Command line
75 ramdisk_max dd 0xffffffff ; Highest allowed ramdisk address
78 ; These fields aren't real setup fields, they're poked in by the
81 b_esdi dd 0 ; ES:DI for boot sector invocation
82 b_edx dd 0 ; EDX for boot sector invocation
83 b_sssp dd 0 ; SS:SP on boot sector invocation
84 b_csip dd 0 ; CS:IP on boot sector invocation
88 db "MEMDISK ", VERSION_STR, " ", DATE, 0
90 ;; -----------------------------------------------------------------------
91 ;; End kernel image header
92 ;; -----------------------------------------------------------------------
95 ; Move ourselves down into memory to reduce the risk of conflicts;
96 ; then canonicalize CS to match the other segments.
103 movzx cx,byte [setup_sects]
104 inc cx ; Add one for the boot sector
105 shl cx,7 ; Convert to dwords
118 ; Copy the command line, if there is one
121 xor di,di ; Bottom of our own segment (= "boot sector")
122 mov eax,[cmd_line_ptr]
124 jz .endcmd ; No command line
126 shr eax,4 ; Convert to segment
127 and si,0x000F ; Starting offset only
129 mov cx,496 ; Max number of bytes
141 ; Now jump to 32-bit code
146 ; When init32 returns, we have been set up, the new boot sector loaded,
147 ; and we should go and and run the newly loaded boot sector.
149 ; The setup function will have poked values into the setup area.
151 movzx edi,word [cs:b_esdi]
152 mov es,word [cs:b_esdi+2]
156 xor esi,esi ; No partition table involved
157 mov ds,si ; Make all the segments consistent
163 int 18h ; A far return -> INT 18h
166 ; We enter protected mode, set up a flat 32-bit environment, run rep movsd
167 ; and then exit. IMPORTANT: This code assumes cs == MY_CS.
169 ; This code is probably excessively anal-retentive in its handling of
170 ; segments, but this stuff is painful enough as it is without having to rely
171 ; on everything happening "as it ought to."
173 DummyTSS equ 0x580 ; Hopefully safe place in low mmoery
177 ; desc base, limit, flags
179 dd (%2 & 0xffff) | ((%1 & 0xffff) << 16)
180 dd (%1 & 0xff000000) | (%2 & 0xf0000) | ((%3 & 0xf0ff) << 8) | ((%1 & 0x00ff0000) >> 16)
184 call32_gdt: dw call32_gdt_size-1 ; Null descriptor - contains GDT
185 .adj1: dd call32_gdt+CS_BASE ; pointer for LGDT instruction
188 ; 0008: Dummy TSS to make Intel VT happy
189 ; Should never be actually accessed...
190 desc DummyTSS, 103, 0x8089
192 ; 0010: Code segment, use16, readable, dpl 0, base CS_BASE, 64K
193 desc CS_BASE, 0xffff, 0x009b
195 ; 0018: Data segment, use16, read/write, dpl 0, base CS_BASE, 64K
196 desc CS_BASE, 0xffff, 0x0093
198 ; 0020: Code segment, use32, read/write, dpl 0, base 0, 4G
199 desc 0, 0xfffff, 0xc09b
201 ; 0028: Data segment, use32, read/write, dpl 0, base 0, 4G
202 desc 0, 0xfffff, 0xc093
204 call32_gdt_size: equ $-call32_gdt
206 err_a20: db 'ERROR: A20 gate not responding!',13,10,0
210 Return resd 1 ; Return value
211 SavedSP resw 1 ; Place to save SP
216 Target dd 0 ; Target address
217 Target_Seg dw 20h ; Target CS
219 A20Type dw 0 ; Default = unknown
224 ; Routines to enable and disable (yuck) A20. These routines are gathered
225 ; from tips from a couple of sources, including the Linux kernel and
226 ; http://www.x86.org/. The need for the delay to be as large as given here
227 ; is indicated by Donnie Barnes of RedHat, the problematic system being an
228 ; IBM ThinkPad 760EL.
230 ; We typically toggle A20 twice for every 64K transferred.
232 %define io_delay call _io_delay
233 %define IO_DELAY_PORT 80h ; Invalid port (we hope!)
234 %define disable_wait 32 ; How long to wait for a disable
236 %define A20_DUNNO 0 ; A20 type unknown
237 %define A20_NONE 1 ; A20 always on?
238 %define A20_BIOS 2 ; A20 BIOS enable
239 %define A20_KBC 3 ; A20 through KBC
240 %define A20_FAST 4 ; A20 through port 92h
243 A20List dw a20_dunno, a20_none, a20_bios, a20_kbc, a20_fast
244 A20DList dw a20d_dunno, a20d_none, a20d_bios, a20d_kbc, a20d_fast
245 a20_adjust_cnt equ ($-A20List)/2
247 slow_out: out dx, al ; Fall through
249 _io_delay: out IO_DELAY_PORT,al
255 mov byte [A20Tries],255 ; Times to try to make this work
267 ; If the A20 type is known, jump straight to type
270 add bp,bp ; Convert to word offset
271 .adj4: jmp word [bp+A20List]
274 ; First, see if we are on a system with no A20 gate
278 mov byte [A20Type], A20_NONE
283 ; Next, try the BIOS (INT 15h AX=2401h)
286 mov byte [A20Type], A20_BIOS
288 pushf ; Some BIOSes muck with IF
296 ; Enable the keyboard controller A20 gate
299 mov dl, 1 ; Allow early exit
301 jnz a20_done ; A20 live, no need to use KBC
303 mov byte [A20Type], A20_KBC ; Starting KBC command sequence
305 mov al,0D1h ; Write output port
307 call empty_8042_uncond
311 call empty_8042_uncond
313 ; Apparently the UHCI spec assumes that A20 toggle
314 ; ends with a null command (assumed to be for sychronization?)
315 ; Put it here to see if it helps anything...
316 mov al,0FFh ; Null command
318 call empty_8042_uncond
320 ; Verify that A20 actually is enabled. Do that by
321 ; observing a word in low memory and the same word in
322 ; the HMA until they are no longer coherent. Note that
323 ; we don't do the same check in the disable case, because
324 ; we don't want to *require* A20 masking (SYSLINUX should
325 ; work fine without it, if the BIOS does.)
335 ; Running out of options here. Final attempt: enable the "fast A20 gate"
338 mov byte [A20Type], A20_FAST ; Haven't used the KBC yet
341 and al,~01h ; Don't accidentally reset the machine!
354 ; Oh bugger. A20 is not responding. Try frobbing it again; eventually give up
355 ; and report failure to the user.
380 ; A20 unmasked, proceed...
387 ; This routine tests if A20 is enabled (ZF = 0). This routine
388 ; must not destroy any register contents.
391 ; This is the INT 1Fh vector, which is standard PCs is used by the
392 ; BIOS when the screen is in graphics mode. Even if it is, it points to
393 ; data, not code, so it should be safe enough to fiddle with.
404 mov es,ax ; ES == 0FFFFh
405 mov cx,32 ; Loop count
407 cmp eax,[es:A20Test+10h]
414 cmp eax,[es:A20Test+10h]
416 pop dword [A20Test] ; Restore original value
434 add bp,bp ; Convert to word offset
435 .adj5: jmp word [bp+A20DList]
439 pushf ; Some BIOSes muck with IF
442 jmp short a20d_snooze
445 ; Disable the "fast A20 gate"
451 jmp short a20d_snooze
454 ; Disable the keyboard controller A20 gate
457 call empty_8042_uncond
460 out 064h, al ; Write output port
461 call empty_8042_uncond
463 mov al,0DDh ; A20 off
465 call empty_8042_uncond
467 mov al,0FFh ; Null command/synchronization
469 call empty_8042_uncond
471 ; Wait a bit for it to take effect
475 .delayloop: call a20_test
485 ; Routine to empty the 8042 KBC controller. If dl != 0
486 ; then we will test A20 in the loop and exit if A20 is
497 in al, 064h ; Status port
501 in al, 060h ; Read input
510 ; Execute a WBINVD instruction if possible on this CPU
520 PMESP resd 1 ; Protected mode %esp
522 section .idt nobits align=4096
524 pm_idt resb 4096 ; Protected-mode IDT, followed by interrupt stubs
529 pm_entry: equ 0x100000
541 dd 0 ; Address (entered later)
545 ; This is the main entrypoint in this function
548 mov bx,call32_call_start ; Where to go in PM
551 ; Enter protected mode. BX contains the entry point relative to the
558 shl ebp,4 ; EBP <- CS_BASE
560 add ebx,ebp ; entry point += CS_BASE
566 mov [.pm_jmp+2],eax ; Patch the PM jump
569 mov byte [call32_gdt+8+5],89h ; Mark TSS unbusy
570 o32 lgdt [call32_gdt] ; Set up GDT
571 o32 lidt [call32_pmidt] ; Set up IDT
574 mov cr0,eax ; Enter protected mode
575 .pm_jmp: jmp 20h:strict dword 0
580 xor eax,eax ; Available for future use...
585 mov al,28h ; Set up data segments
593 mov esp,[ebp+PMESP] ; Load protmode %esp if available
594 jmp ebx ; Go to where we need to go
597 ; This is invoked before first dispatch of the 32-bit code, in 32-bit mode
601 ; Set up a temporary stack in the bounce buffer;
602 ; start32.S will override this to point us to the real
605 mov esp, (BOUNCE_SEG << 4) + 0x10000
607 push dword stack_end ; RM size
608 push dword call32_gdt+CS_BASE
609 push dword call32_handle_interrupt+CS_BASE
610 push dword CS_BASE ; Segment base
611 push dword (BOUNCE_SEG << 4) ; Bounce buffer address
612 push dword call32_syscall+CS_BASE ; Syscall entry point
614 call pm_entry-CS_BASE ; Run the program...
616 ; ... fall through to call32_exit ...
619 mov bx,call32_done ; Return to command loop
622 ; Careful here... the PM code may have relocated the
623 ; entire RM code, so we need to figure out exactly
624 ; where we are executing from. If the PM code has
625 ; relocated us, it *will* have adjusted the GDT to
632 mov [ebp+.rm_jmp+3],cx ; Set segment
635 o32 sidt [ebp+call32_pmidt]
638 mov [ebp+PMESP],esp ; Save exit %esp
639 xor esp,esp ; Make sure the high bits are zero
640 jmp 10h:.in_pm16 ; Return to 16-bit mode first
644 mov ax,18h ; Real-mode-like segment
651 lidt [call32_rmidt] ; Real-mode IDT (rm needs no GDT)
655 .rm_jmp: jmp MY_CS:.in_rm
657 .in_rm: ; Back in real mode
663 mov sp,[SavedSP] ; Restore stack
664 jmp bx ; Go to whereever we need to go...
672 ; 16-bit support code
677 ; 16-bit interrupt-handling code
680 pushf ; Flags on stack
681 push cs ; Return segment
682 push word .cont ; Return address
683 push dword edx ; Segment:offset of IVT entry
684 retf ; Invoke IVT routine
685 .cont: ; ... on resume ...
686 mov bx,call32_int_resume
687 jmp call32_enter_pm ; Go back to PM
690 ; 16-bit system call handling code
699 retf ; Invoke routine
707 mov bx,call32_sys_resume
711 ; 32-bit support code
716 ; This is invoked on getting an interrupt in protected mode. At
717 ; this point, we need to context-switch to real mode and invoke
718 ; the interrupt routine.
720 ; When this gets invoked, the registers are saved on the stack and
721 ; AL contains the register number.
723 call32_handle_interrupt:
725 xor ebx,ebx ; Actually makes the code smaller
726 mov edx,[ebx+eax*4] ; Get the segment:offset of the routine
728 jmp call32_enter_rm ; Go to real mode
735 ; Syscall invocation. We manifest a structure on the real-mode stack,
736 ; containing the call32sys_t structure from <call32.h> as well as
737 ; the following entries (from low to high address):
741 ; - Return segment (== real mode cs)
745 pushfd ; Save IF among other things...
746 pushad ; We only need to save some, but...
752 movzx edi,word [ebp+SavedSP]
753 sub edi,54 ; Allocate 54 bytes
755 add edi,ebp ; Create linear address
757 mov esi,[esp+11*4] ; Source regs
759 mov cl,11 ; 44 bytes to copy
762 movzx eax,byte [esp+10*4] ; Interrupt number
763 ; ecx == 0 here; adding it to the EA makes the
765 mov eax,[ecx+eax*4] ; Get IVT entry
766 stosd ; Save in stack frame
767 mov ax,call32_sys_rm.return ; Return offset
768 stosw ; Save in stack frame
770 shr eax,4 ; Return segment
771 stosw ; Save in stack frame
772 mov eax,[edi-12] ; Return flags
773 and eax,0x200cd7 ; Mask (potentially) unsafe flags
774 mov [edi-12],eax ; Primary flags entry
778 jmp call32_enter_rm ; Go to real mode
780 ; On return, the 44-byte return structure is on the
781 ; real-mode stack. call32_enter_pm will leave ebp
782 ; pointing to the real-mode base.
784 movzx esi,word [ebp+SavedSP]
785 mov edi,[esp+12*4] ; Dest regs
786 add esi,ebp ; Create linear address
787 and edi,edi ; NULL pointer?
789 .no_copy: mov edi,esi ; Do a dummy copy-to-self
790 .do_copy: xor ecx,ecx
792 rep movsd ; Copy register block
794 add word [ebp+SavedSP],44 ; Remove from stack
798 ret ; Return to 32-bit program
projects / profile / ivi / syslinux.git / blob