Re: [Qemu-devel] How does the QEMU load the binary files bios.bin and vgabios-cirrus.bin?

[Gleb Natapov <gleb@redhat.com>]

On Thu, Apr 07, 2011 at 10:42:56AM -0500, Anthony Liguori wrote:
> On 04/07/2011 10:31 AM, Gleb Natapov wrote:
> >On Thu, Apr 07, 2011 at 08:28:37AM -0500, Anthony Liguori wrote:
> >>On 04/07/2011 03:22 AM, Bei Guan wrote:
> >>>Hi,
> >>>
> >>>I have some questions about the qemu's bios. How does the QEMU
> >>>load the binary files bios.bin and vgabios-cirrus.bin? Which
> >>>function or code file need I to pay more attention to?
> >>>
> >>>For the loading of vgabios-cirrus.bin and bios.bin, I just trace
> >>>them into the same funciton rom_add_file() in hw/loader.c. Is it
> >>>the right function, which loads the bioses?
> >>>
> >>>And then another question, how qemu give the control to bios when
> >>>the bios file is loaded? Maybe this question is not in the scope
> >>>of qemu, however, can you give me some cue point.
> >>I had some stuff written up locally so I posted it to the wiki at
> >>http://wiki.qemu.org/Documentation/Platforms/PC
> >>
> >>The x86 architecture defines the initial state of the chip to have
> >>the CS register have a base of 0xF000 and an IP of 0xFFF0.  The
> >>result is that the actual memory address of the first instruction
> >>falls at the end of the BIOS ROM segment.  This is the entry point
> >>to the BIOS.
> >>
> >Actually after reset on x86 IP=0x0000fff0, CS=0xf000, CS.BASE= 0xffff0000,
> >CS.LIMIT=0xffff. So the execution begins at 0xfffffff0 where ROM is
> >mapped initially.
> 
> That impossible because 1) the processor starts in 16 bit mode so
> such an address cannot be generated 2) the processor has a20 held to
> zero which makes that the processor cannot generate a load to an
> address with the 20th bit set to anything but zero.
> 
That may seams to be impossible but it is how HW works. And this is how
QEMU emulates it. Look at target-i386/helper.c:cpu_reset()

    cpu_x86_load_seg_cache(env, R_CS, 0xf000, 0xffff0000, 0xffff,
                           DESC_P_MASK | DESC_S_MASK | DESC_CS_MASK |
                           DESC_R_MASK | DESC_A_MASK);

    env->eip = 0xfff0;

Don't know how a20 gate is handled btw.

> The CS base starts out at 0xf0000 and IP is 0xfff0.  That gives a
> real address of 0xffff0.  This is usually a trampoline to somewhere
> else in the space.
CS descriptor and CS selector don't have to be in sync (big real mode).

> 
> The mapping of BIOS to the top of 4GB is just a convention that
> modern BIOSes use because the legacy space isn't big enough for most
> modern BIOSes.
> 
> Regards,
> 
> Anthony Liguori
> 
> >>The VGABIOS is treated like any other option ROM and is initialized
> >>during option ROM scanning.
> >>
> >>Regards,
> >>
> >>Anthony Liguori
> >>
> >>>Any reply are appreciated. Thanks.
> >>>
> >>>Gavin
> >>>
> >>>
> >>>
> >>>
> >--
> >			Gleb.
> >

--
			Gleb.