From: Gianni Tedesco <gianni@scaramanga.co.uk>
To: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] BIOS checksums?
Date: Tue, 22 Jun 2004 18:35:53 +0100 [thread overview]
Message-ID: <1087925753.30448.15.camel@sherbert> (raw)
In-Reply-To: <20040621221005.40221.qmail@web60201.mail.yahoo.com>
[-- Attachment #1: Type: text/plain, Size: 4337 bytes --]
On Mon, 2004-06-21 at 15:10 -0700, Piotr Krysik wrote:
> Hi,
>
> A few words about the architecture.
>
> As I mentioned, I'm trying to use QEMU to monitor
> interactions between guest OS and real hardware.
>
> To avoid interactions between guest and host OS, I
> decided to run QEMU _without_ OS. It's started by boot
> loader. The QEMU log is send to another machine. The
> other machine can also be used to run remote gdb.
Nice approach :)
> 1. IO
>
> QEMU uses serial port to communicate with the other
> machine. There are also some other ports that should
> be protected from access by code executed in the
> emulator, as they may interact with QEMU (e.g. CPU
> reset, DRAM Controller reprogramming). All the other
> emulated IO ports are hooked to real machine.
>
> I'm emulating some of the protected IO ports.
With you.
> 2. Memory
>
> I have to reserve some memory for QEMU. I'm allocating
> some MB of top of RAM. The rest is visible to guest OS
> with it's real address (addresses used by emulated CPU
> is identical to addresses used by hardware), so it
> should be possible to use DMA without translating
> addresses. Also I don't have to treat memory mapped
> hardware in any special way.
How is e820 map obtained, would it be possible to intercept that to
setup a new reserved area I wonder? ;)
An uglier approach would be adding to the e820 map which is presumably
stored in the ROM, and fixup the checksum...
I wonder if this patch could be made to live inside the qemu tree,
sounds invasive?
> The QEMU area is not visible to emulated CPU, so it's
> protected from direct access by guest OS. It could be
> accessed by DMA (e.g. broken drivers). If such
> (unlikely) case is discovered, it can be handled by
> intercepting and modifying IO or memory access used to
> setup that DMA.
>
> To run BIOS, I had to intercept some IO that tried to
> reprogram RAM Controller.
Is this because of the way you reserve RAM?
> 3. CPU
>
> QEMU runs in real mode with 32-bit addressing. All the
> interrupts are redirected from host hardware to QEMU
> by IRQ handler calling cpu_interrupt. Guest OS uses
> emulated CPU provided by QEMU:-)
>
> I'm protecting real CPU from switching A20 and reset,
> and redirect them to emulated CPU.
>
> To run BIOS, I had to disable SMM (System Management
> Mode) by reprogramming ACPI, emulate self-test of
> Keyboard Controller and intercept IO access to ACPI
> and an unknown device at 0x03fX.
sounds like deep dark stuff, but potentially very useful for reverse
engineering purposes such as is needed to create free BIOSes.
> After QEMU is started it's possible to:
> * reset some hardware and restart BIOS or
> * reload boot sector and start guest OS.
>
> It's not possible to build generic emulator capable of
> restating BIOS. My prototype runs 440BX-based PC with
> Award-based BIOS. The BIOS successfully reprograms
> emulated DRAM Controller, test interrupts, initializes
> PCI, etc. It's stating to test RAM and then goes into
> BIOS setup (I didn't discover the reason yet, but
> suspect timing). Emulating BIOS restart can be used to
> monitor interactions between BIOS and hardware during
> system start-up. And the mechanism is not limited to
> PC.
>
> Reloading boot sector and starting guest OS without
> restarting BIOS should remove most of chipset and BIOS
> dependencies. My prototype is capable to run Linux up
> to the point of login prompt, but keyboard is not
> functioning (my interrupt handler is not 100%
> correct). This mode was tested only with QEMU emulated
> hardware -- I run Linux inside my prototype inside
> QEMU inside Linux.
So when do we see the patches? ;))
> BTW. What is "PMC config space"? Did you mean DIMM
> Serial Presence Detect?
In the PCI configuration space of the PCI controller itself (0:0.0) are
contained registers such as:
DRAM Row Type
DRAM Control
DRAM Timing
DRAM Row Boundary
Fixed DRAM Hole Control
SMRAM Control
But as I see now, these values are programmed in to the PMC by the BIOS,
duh.
--
// Gianni Tedesco (gianni at scaramanga dot co dot uk)
lynx --source www.scaramanga.co.uk/scaramanga.asc | gpg --import
8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
next prev parent reply other threads:[~2004-06-22 17:38 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-06-21 15:04 [Qemu-devel] BIOS checksums? Hetz Ben Hamo
2004-06-21 14:29 ` Piotr Krysik
2004-06-21 14:33 ` Gianni Tedesco
2004-06-21 22:10 ` Piotr Krysik
2004-06-22 17:35 ` Gianni Tedesco [this message]
2004-06-22 23:31 ` Piotr Krysik
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1087925753.30448.15.camel@sherbert \
--to=gianni@scaramanga.co.uk \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.