2 ;; -----------------------------------------------------------------------
4 ;; Copyright 1994-2008 H. Peter Anvin - All Rights Reserved
6 ;; This program is free software; you can redistribute it and/or modify
7 ;; it under the terms of the GNU General Public License as published by
8 ;; the Free Software Foundation, Inc., 53 Temple Place Ste 330,
9 ;; Boston MA 02111-1307, USA; either version 2 of the License, or
10 ;; (at your option) any later version; incorporated herein by reference.
12 ;; -----------------------------------------------------------------------
17 ;; Routine to initialize and to trampoline into 32-bit
18 ;; protected memory. This code is derived from bcopy32.inc and
19 ;; com32.inc in the main SYSLINUX distribution.
22 %include '../version.gen'
24 MY_CS equ 0x0800 ; Segment address to use
25 CS_BASE equ (MY_CS << 4) ; Corresponding address
27 ; Low memory bounce buffer
28 BOUNCE_SEG equ (MY_CS+0x1000)
32 %define STACK_HEAP_SIZE (128*1024)
34 section .rodata align=16
35 section .data align=16
38 ;; -----------------------------------------------------------------------
39 ;; Kernel image header
40 ;; -----------------------------------------------------------------------
42 section .text ; Must be first in image
45 cmdline times 497 db 0 ; We put the command line here
55 _start: jmp short start
57 db "HdrS" ; Header signature
58 dw 0x0203 ; Header version number
60 realmode_swtch dw 0, 0 ; default_switch, SETUPSEG
61 start_sys_seg dw 0x1000 ; obsolete
62 version_ptr dw memdisk_version-0x200 ; version string ptr
63 type_of_loader db 0 ; Filled in by boot loader
64 loadflags db 1 ; Please load high
65 setup_move_size dw 0 ; Unused
66 code32_start dd 0x100000 ; 32-bit start address
67 ramdisk_image dd 0 ; Loaded ramdisk image address
68 ramdisk_size dd 0 ; Size of loaded ramdisk
69 bootsect_kludge dw 0, 0
72 cmd_line_ptr dd 0 ; Command line
73 ramdisk_max dd 0xffffffff ; Highest allowed ramdisk address
76 ; These fields aren't real setup fields, they're poked in by the
79 b_esdi dd 0 ; ES:DI for boot sector invocation
80 b_edx dd 0 ; EDX for boot sector invocation
81 b_sssp dd 0 ; SS:SP on boot sector invocation
82 b_csip dd 0 ; CS:IP on boot sector invocation
86 db "MEMDISK ", VERSION_STR, " ", DATE, 0
88 ;; -----------------------------------------------------------------------
89 ;; End kernel image header
90 ;; -----------------------------------------------------------------------
93 ; Move ourselves down into memory to reduce the risk of conflicts;
94 ; then canonicalize CS to match the other segments.
101 movzx cx,byte [setup_sects]
102 inc cx ; Add one for the boot sector
103 shl cx,7 ; Convert to dwords
111 xor esp,esp ; Stack at top of 64K segment
116 ; Copy the command line, if there is one
119 xor di,di ; Bottom of our own segment (= "boot sector")
120 mov eax,[cmd_line_ptr]
122 jz .endcmd ; No command line
124 shr eax,4 ; Convert to segment
125 and si,0x000F ; Starting offset only
127 mov cx,496 ; Max number of bytes
139 ; Now jump to 32-bit code
144 ; When init32 returns, we have been set up, the new boot sector loaded,
145 ; and we should go and and run the newly loaded boot sector.
147 ; The setup function will have poked values into the setup area.
149 movzx edi,word [cs:b_esdi]
150 mov es,word [cs:b_esdi+2]
154 xor esi,esi ; No partition table involved
155 mov ds,si ; Make all the segments consistent
161 int 18h ; A far return -> INT 18h
164 ; We enter protected mode, set up a flat 32-bit environment, run rep movsd
165 ; and then exit. IMPORTANT: This code assumes cs == MY_CS.
167 ; This code is probably excessively anal-retentive in its handling of
168 ; segments, but this stuff is painful enough as it is without having to rely
169 ; on everything happening "as it ought to."
173 ; desc base, limit, flags
175 dd (%2 & 0xffff) | ((%1 & 0xffff) << 16)
176 dd (%1 & 0xff000000) | (%2 & 0xf0000) | ((%3 & 0xf0ff) << 8) | ((%1 & 0x00ff0000) >> 16)
180 call32_gdt: dw call32_gdt_size-1 ; Null descriptor - contains GDT
181 .adj1: dd call32_gdt+CS_BASE ; pointer for LGDT instruction
184 ; 0008: Code segment, use16, readable, dpl 0, base CS_BASE, 64K
185 desc CS_BASE, 0xffff, 0x009b
187 ; 0010: Data segment, use16, read/write, dpl 0, base CS_BASE, 64K
188 desc CS_BASE, 0xffff, 0x0093
190 ; 0018: Data segment, use16, read/write, dpl 0, base 0, 4G
191 desc 0, 0xfffff, 0x809b
193 ; 0020: Code segment, use32, read/write, dpl 0, base 0, 4G
194 desc 0, 0xfffff, 0xc09b
196 ; 0028: Data segment, use32, read/write, dpl 0, base 0, 4G
197 desc 0, 0xfffff, 0xc093
199 call32_gdt_size: equ $-call32_gdt
201 err_a20: db 'ERROR: A20 gate not responding!',13,10,0
205 SavedSSSP resd 1 ; Place to save SS:SP
206 Return resd 1 ; Return value
207 A20Test resw 1 ; Space to test A20
212 Target dd 0 ; Target address
213 Target_Seg dw 20h ; Target CS
215 A20Type dw 0 ; Default = unknown
220 ; Routines to enable and disable (yuck) A20. These routines are gathered
221 ; from tips from a couple of sources, including the Linux kernel and
222 ; http://www.x86.org/. The need for the delay to be as large as given here
223 ; is indicated by Donnie Barnes of RedHat, the problematic system being an
224 ; IBM ThinkPad 760EL.
226 ; We typically toggle A20 twice for every 64K transferred.
228 %define io_delay call _io_delay
229 %define IO_DELAY_PORT 80h ; Invalid port (we hope!)
230 %define disable_wait 32 ; How long to wait for a disable
232 %define A20_DUNNO 0 ; A20 type unknown
233 %define A20_NONE 1 ; A20 always on?
234 %define A20_BIOS 2 ; A20 BIOS enable
235 %define A20_KBC 3 ; A20 through KBC
236 %define A20_FAST 4 ; A20 through port 92h
239 A20List dw a20_dunno, a20_none, a20_bios, a20_kbc, a20_fast
240 A20DList dw a20d_dunno, a20d_none, a20d_bios, a20d_kbc, a20d_fast
241 a20_adjust_cnt equ ($-A20List)/2
243 slow_out: out dx, al ; Fall through
245 _io_delay: out IO_DELAY_PORT,al
251 mov byte [A20Tries],255 ; Times to try to make this work
263 ; If the A20 type is known, jump straight to type
266 add bp,bp ; Convert to word offset
267 .adj4: jmp word [bp+A20List]
270 ; First, see if we are on a system with no A20 gate
274 mov byte [A20Type], A20_NONE
279 ; Next, try the BIOS (INT 15h AX=2401h)
282 mov byte [A20Type], A20_BIOS
284 pushf ; Some BIOSes muck with IF
292 ; Enable the keyboard controller A20 gate
295 mov dl, 1 ; Allow early exit
297 jnz a20_done ; A20 live, no need to use KBC
299 mov byte [A20Type], A20_KBC ; Starting KBC command sequence
301 mov al,0D1h ; Write output port
303 call empty_8042_uncond
307 call empty_8042_uncond
309 ; Apparently the UHCI spec assumes that A20 toggle
310 ; ends with a null command (assumed to be for sychronization?)
311 ; Put it here to see if it helps anything...
312 mov al,0FFh ; Null command
314 call empty_8042_uncond
316 ; Verify that A20 actually is enabled. Do that by
317 ; observing a word in low memory and the same word in
318 ; the HMA until they are no longer coherent. Note that
319 ; we don't do the same check in the disable case, because
320 ; we don't want to *require* A20 masking (SYSLINUX should
321 ; work fine without it, if the BIOS does.)
331 ; Running out of options here. Final attempt: enable the "fast A20 gate"
334 mov byte [A20Type], A20_FAST ; Haven't used the KBC yet
337 and al,~01h ; Don't accidentally reset the machine!
350 ; Oh bugger. A20 is not responding. Try frobbing it again; eventually give up
351 ; and report failure to the user.
376 ; A20 unmasked, proceed...
383 ; This routine tests if A20 is enabled (ZF = 0). This routine
384 ; must not destroy any register contents.
390 mov cx,0FFFFh ; HMA = segment 0FFFFh
392 mov cx,32 ; Loop count
396 io_delay ; Serialize, and fix delay
397 cmp ax,[es:A20Test+CS_BASE+10h]
414 add bp,bp ; Convert to word offset
415 .adj5: jmp word [bp+A20DList]
419 pushf ; Some BIOSes muck with IF
422 jmp short a20d_snooze
425 ; Disable the "fast A20 gate"
431 jmp short a20d_snooze
434 ; Disable the keyboard controller A20 gate
437 call empty_8042_uncond
440 out 064h, al ; Write output port
441 call empty_8042_uncond
443 mov al,0DDh ; A20 off
445 call empty_8042_uncond
447 mov al,0FFh ; Null command/synchronization
449 call empty_8042_uncond
451 ; Wait a bit for it to take effect
455 .delayloop: call a20_test
465 ; Routine to empty the 8042 KBC controller. If dl != 0
466 ; then we will test A20 in the loop and exit if A20 is
477 in al, 064h ; Status port
481 in al, 060h ; Read input
490 ; Execute a WBINVD instruction if possible on this CPU
500 PMESP resd 1 ; Protected mode %esp
502 section .idt nobits align=4096
504 pm_idt resb 4096 ; Protected-mode IDT, followed by interrupt stubs
509 pm_entry: equ 0x100000
515 dd pm_idt+CS_BASE ; Address
523 ; This is the main entrypoint in this function
526 mov ebx,call32_call_start+CS_BASE ; Where to go in PM
540 lgdt [call32_gdt] ; Set up GDT
541 lidt [call32_pmidt] ; Set up the IDT
544 mov cr0,eax ; Enter protected mode
545 jmp 20h:dword .in_pm+CS_BASE
549 xor eax,eax ; Available for future use...
553 mov al,28h ; Set up data segments
558 mov esp,[PMESP+CS_BASE] ; Load protmode %esp if available
559 jmp ebx ; Go to where we need to go
562 ; This is invoked before first dispatch of the 32-bit code, in 32-bit mode
566 ; Point the stack into low memory
567 ; We have: this segment, bounce buffer, then stack+heap
569 mov esp, CS_BASE + 0x20000 + STACK_HEAP_SIZE
573 ; Set up the protmode IDT and the interrupt jump buffers
575 mov edi,pm_idt+CS_BASE
577 ; Form an interrupt gate descriptor
578 ; WARNING: This is broken if pm_idt crosses a 64K boundary;
579 ; however, it can't because of the alignment constraints.
580 mov ebx,pm_idt+CS_BASE+8*256
597 ; Each entry in the interrupt jump buffer contains
598 ; the following instructions:
601 ; 00000001 B0xx mov al,<interrupt#>
602 ; 00000003 E9xxxxxxxx jmp call32_handle_interrupt
605 mov ebx,call32_handle_interrupt+CS_BASE
610 sub [edi-2],cl ; Interrupt #
617 ; Now everything is set up for interrupts...
619 push dword CS_BASE ; Segment base
620 push dword (BOUNCE_SEG << 4) ; Bounce buffer address
621 push dword call32_syscall+CS_BASE ; Syscall entry point
622 sti ; Interrupts OK now
623 call pm_entry-CS_BASE ; Run the program...
626 mov [Return+CS_BASE],eax
628 ; ... fall through to call32_exit ...
631 mov bx,call32_done ; Return to command loop
636 mov [PMESP+CS_BASE],esp ; Save exit %esp
637 xor esp,esp ; Make sure the high bits are zero
638 jmp 08h:.in_pm16 ; Return to 16-bit mode first
642 mov ax,10h ; Real-mode-like segment
649 lidt [call32_rmidt] ; Real-mode IDT (rm needs no GDT)
655 .in_rm: ; Back in real mode
656 mov ax,cs ; Set up sane segments
661 lss sp,[SavedSSSP] ; Restore stack
662 jmp bx ; Go to whereever we need to go...
671 ; 16-bit support code
676 ; 16-bit interrupt-handling code
679 pushf ; Flags on stack
680 push cs ; Return segment
681 push word .cont ; Return address
682 push dword edx ; Segment:offset of IVT entry
683 retf ; Invoke IVT routine
684 .cont: ; ... on resume ...
685 mov ebx,call32_int_resume+CS_BASE
686 jmp call32_enter_pm ; Go back to PM
689 ; 16-bit system call handling code
698 retf ; Invoke routine
706 mov ebx,call32_sys_resume+CS_BASE
710 ; 32-bit support code
715 ; This is invoked on getting an interrupt in protected mode. At
716 ; this point, we need to context-switch to real mode and invoke
717 ; the interrupt routine.
719 ; When this gets invoked, the registers are saved on the stack and
720 ; AL contains the register number.
722 call32_handle_interrupt:
724 xor ebx,ebx ; Actually makes the code smaller
725 mov edx,[ebx+eax*4] ; Get the segment:offset of the routine
727 jmp call32_enter_rm ; Go to real mode
734 ; Syscall invocation. We manifest a structure on the real-mode stack,
735 ; containing the call32sys_t structure from <call32.h> as well as
736 ; the following entries (from low to high address):
740 ; - Return segment (== real mode cs)
744 pushfd ; Save IF among other things...
745 pushad ; We only need to save some, but...
748 movzx edi,word [SavedSSSP+CS_BASE]
749 movzx eax,word [SavedSSSP+CS_BASE+2]
750 sub edi,54 ; Allocate 54 bytes
751 mov [SavedSSSP+CS_BASE],di
753 add edi,eax ; Create linear address
755 mov esi,[esp+11*4] ; Source regs
757 mov cl,11 ; 44 bytes to copy
760 movzx eax,byte [esp+10*4] ; Interrupt number
761 ; ecx == 0 here; adding it to the EA makes the
763 mov eax,[ecx+eax*4] ; Get IVT entry
764 stosd ; Save in stack frame
765 mov eax,call32_sys_rm.return + (MY_CS << 16) ; Return seg:offs
766 stosd ; Save in stack frame
767 mov eax,[edi-12] ; Return flags
768 and eax,0x200cd7 ; Mask (potentially) unsafe flags
769 mov [edi-12],eax ; Primary flags entry
773 jmp call32_enter_rm ; Go to real mode
775 ; On return, the 44-byte return structure is on the
778 movzx esi,word [SavedSSSP+CS_BASE]
779 movzx eax,word [SavedSSSP+CS_BASE+2]
780 mov edi,[esp+12*4] ; Dest regs
782 add esi,eax ; Create linear address
783 and edi,edi ; NULL pointer?
785 .no_copy: mov edi,esi ; Do a dummy copy-to-self
786 .do_copy: xor ecx,ecx
788 rep movsd ; Copy register block
790 add dword [SavedSSSP+CS_BASE],44 ; Remove from stack
794 ret ; Return to 32-bit program