沒營養又愛吃餌的閒聊仔又來啦
這次來聊聊 Reset Vector 跟 Security Entry, 透過 UEFITool[1] 知道該 BIOS[2]
大小是13MB/32MB, 所以映射圖如下 (三個圖的比例不一致).
0 0 0
+-------+ +-------+ +-------+
| . | | . | | . |
| . | | . | | . |
| . | | . | | . |
| . | | . | | . |
+-------+ ------ +-------+ --- +-------+
| 13MB | | 13MB | / | 128KB |
+-------+ ------ +-------+ ------ +-------+
4GB 32MB 1MB
32Bit mem. ROM 16bit mem.
CPU一上電後內部兩個暫存器的初始值是 CS:IP = 0xf000:0xfff0, 意思就 CPU 是會到
1MB-16B 的地方跑程式, 所以 PCH 會故意 把 SPI ROM 最末端 128KB 的地方映射到該
處如右圖. 同時也會將整個 BISO 區域映射到 4GB 的末端如左圖.
算法: 0xFFFF0 = CS*16+IP = 0xf000<<4+0xfff0 = 1MB-16B
再來燒好 BIOS, 設定好除錯器後, 開啟電源後會看到 CPU 待在 0xFFFF0 的地方
https://github.com/tianocore/edk2/blob/master/UefiCpuPkg/SecCore/Ia32/ResetVec.nasmb
Address 0 1 2 3 4 5 6 7 8 9 A B C D E F
000FFFC0 00 01 36 FF 00 00 00 00 00 00 00 00 00 00 00 00
000FFFD0 BF 50 41 EB 1D 00 00 00 00 00 00 00 00 00 00 00
000FFFE0 94 13 F0 FF EB FE CF 00 00 00 00 00 00 00 00 00
000FFFF0 90 90 E9 9B F2 00 00 00 EF 00 00 00 00 00 F0 FF
0x000ffff0: 0x00000000000090 nop
0x000ffff1: 0x00000000000090 nop
0x000ffff2: 0x00000000f29be9 jmp 0xf290
0xF29B (2's complement) = -0x0D65
0xfff2 + 3 -0x0D65 = 0xF290
這段 code 就是往上跳, 跳多少? 我已經列了算式. 這裡就是俗稱的 Reset vector.
跟著除錯器來到 0xFF290 的地方, 這裡就是所謂的 Security Entry (Flat32).
這裡開始各個晶片供應商會開始有些大同小異. 所以會跟UEFI code有些出入.
https://github.com/tianocore/edk2/blob/master/IntelFsp2WrapperPkg/Library/SecFspWrapperPlatformSecLibSample/Ia32/SecEntry.nasm
Address 0 1 2 3 4 5 6 7 8 9 A B C D E F
000FF290 DB E3 0F 6E C0 FA 66 33 C0 8E C0 8C C8 8E D8 B8
0x000ff290: 0x0000000000e3db fninit
0x000ff292: 0x00000000c06e0f movd mm0,eax
中間是一些廠商添加的功能就不反組譯了
Address 0 1 2 3 4 5 6 7 8 9 A B C D E F
000FF2D0 31 0F 6E
000FF2E0 EA 0F 6E F0 66 BE 50 F4 FF FF 66 2E 0F 01 14 0F
000FF2F0 20 C0 66 83 C8 03 0F 22 C0 0F 20 E0 66 0D 00 06
000FF300 00 00 0F 22 E0 B8 18 00 8E D8 8E C0 8E E0 8E E8
000FF310 8E D0 66 BE 56 F4 FF FF 66 2E FF 2C
0x000ff2dc: 0x0000000000310f rdtsc
0x000ff2de: 0x00000000ea6e0f movd mm5,edx
0x000ff2e1: 0x00000000f06e0f movd mm6,eax
0x000ff2e4: 0x00fffff450be66 mov esi,0xfffff450
0x000ff2ea: 0x000014010f2e66 lgdt cs:[si]
0x000ff2ef: 0x00000000c0200f mov eax,cr0
0x000ff2f2: 0x00000003c88366 or eax,0x3
0x000ff2f6: 0x00000000c0220f mov cr0,eax
0x000ff2f9: 0x00000000e0200f mov eax,cr4
0x000ff2fc: 0x00000006000d66 or eax,0x600
0x000ff302: 0x00000000e0220f mov cr4,eax
0x000ff305: 0x000000000018b8 mov ax,0x18
0x000ff308: 0x0000000000d88e mov ds,ax
0x000ff30a: 0x0000000000c08e mov es,ax
0x000ff30c: 0x0000000000e08e mov fs,ax
0x000ff30e: 0x0000000000e88e mov gs,ax
0x000ff310: 0x0000000000d08e mov ss,ax
0x000ff312: 0x00fffff456be66 mov esi,0xfffff456
0x000ff318: 0x0000002cff2e66 jmp far cs:[si]
到這裡之後 CPU 的所有暫存器就被設定好準備跑 32 bit 模式的 code.
也就是不再受到 128KB 限制. 整顆 ROM 13MB 的 code 都能隨時跳到哪就跑哪.
至於速度嘛 從SPI讀是鐵定比記憶體慢的,等到DXE階段就會用解壓縮方式把 code
搬到記憶體上再跳過去跑就會快了.
PS:
[1] https://github.com/LongSoft/UEFITool
[2] https://dlcdnets.asus.com/pub/ASUS/mb/socket1151/WS-C246-PRO/BIOS/WS-C246-PRO-ASUS-0904.zip
--
這次來聊聊 Reset Vector 跟 Security Entry, 透過 UEFITool[1] 知道該 BIOS[2]
大小是13MB/32MB, 所以映射圖如下 (三個圖的比例不一致).
0 0 0
+-------+ +-------+ +-------+
| . | | . | | . |
| . | | . | | . |
| . | | . | | . |
| . | | . | | . |
+-------+ ------ +-------+ --- +-------+
| 13MB | | 13MB | / | 128KB |
+-------+ ------ +-------+ ------ +-------+
4GB 32MB 1MB
32Bit mem. ROM 16bit mem.
CPU一上電後內部兩個暫存器的初始值是 CS:IP = 0xf000:0xfff0, 意思就 CPU 是會到
1MB-16B 的地方跑程式, 所以 PCH 會故意 把 SPI ROM 最末端 128KB 的地方映射到該
處如右圖. 同時也會將整個 BISO 區域映射到 4GB 的末端如左圖.
算法: 0xFFFF0 = CS*16+IP = 0xf000<<4+0xfff0 = 1MB-16B
再來燒好 BIOS, 設定好除錯器後, 開啟電源後會看到 CPU 待在 0xFFFF0 的地方
https://github.com/tianocore/edk2/blob/master/UefiCpuPkg/SecCore/Ia32/ResetVec.nasmb
Address 0 1 2 3 4 5 6 7 8 9 A B C D E F
000FFFC0 00 01 36 FF 00 00 00 00 00 00 00 00 00 00 00 00
000FFFD0 BF 50 41 EB 1D 00 00 00 00 00 00 00 00 00 00 00
000FFFE0 94 13 F0 FF EB FE CF 00 00 00 00 00 00 00 00 00
000FFFF0 90 90 E9 9B F2 00 00 00 EF 00 00 00 00 00 F0 FF
0x000ffff0: 0x00000000000090 nop
0x000ffff1: 0x00000000000090 nop
0x000ffff2: 0x00000000f29be9 jmp 0xf290
0xF29B (2's complement) = -0x0D65
0xfff2 + 3 -0x0D65 = 0xF290
這段 code 就是往上跳, 跳多少? 我已經列了算式. 這裡就是俗稱的 Reset vector.
跟著除錯器來到 0xFF290 的地方, 這裡就是所謂的 Security Entry (Flat32).
這裡開始各個晶片供應商會開始有些大同小異. 所以會跟UEFI code有些出入.
https://github.com/tianocore/edk2/blob/master/IntelFsp2WrapperPkg/Library/SecFspWrapperPlatformSecLibSample/Ia32/SecEntry.nasm
Address 0 1 2 3 4 5 6 7 8 9 A B C D E F
000FF290 DB E3 0F 6E C0 FA 66 33 C0 8E C0 8C C8 8E D8 B8
0x000ff290: 0x0000000000e3db fninit
0x000ff292: 0x00000000c06e0f movd mm0,eax
中間是一些廠商添加的功能就不反組譯了
Address 0 1 2 3 4 5 6 7 8 9 A B C D E F
000FF2D0 31 0F 6E
000FF2E0 EA 0F 6E F0 66 BE 50 F4 FF FF 66 2E 0F 01 14 0F
000FF2F0 20 C0 66 83 C8 03 0F 22 C0 0F 20 E0 66 0D 00 06
000FF300 00 00 0F 22 E0 B8 18 00 8E D8 8E C0 8E E0 8E E8
000FF310 8E D0 66 BE 56 F4 FF FF 66 2E FF 2C
0x000ff2dc: 0x0000000000310f rdtsc
0x000ff2de: 0x00000000ea6e0f movd mm5,edx
0x000ff2e1: 0x00000000f06e0f movd mm6,eax
0x000ff2e4: 0x00fffff450be66 mov esi,0xfffff450
0x000ff2ea: 0x000014010f2e66 lgdt cs:[si]
0x000ff2ef: 0x00000000c0200f mov eax,cr0
0x000ff2f2: 0x00000003c88366 or eax,0x3
0x000ff2f6: 0x00000000c0220f mov cr0,eax
0x000ff2f9: 0x00000000e0200f mov eax,cr4
0x000ff2fc: 0x00000006000d66 or eax,0x600
0x000ff302: 0x00000000e0220f mov cr4,eax
0x000ff305: 0x000000000018b8 mov ax,0x18
0x000ff308: 0x0000000000d88e mov ds,ax
0x000ff30a: 0x0000000000c08e mov es,ax
0x000ff30c: 0x0000000000e08e mov fs,ax
0x000ff30e: 0x0000000000e88e mov gs,ax
0x000ff310: 0x0000000000d08e mov ss,ax
0x000ff312: 0x00fffff456be66 mov esi,0xfffff456
0x000ff318: 0x0000002cff2e66 jmp far cs:[si]
到這裡之後 CPU 的所有暫存器就被設定好準備跑 32 bit 模式的 code.
也就是不再受到 128KB 限制. 整顆 ROM 13MB 的 code 都能隨時跳到哪就跑哪.
至於速度嘛 從SPI讀是鐵定比記憶體慢的,等到DXE階段就會用解壓縮方式把 code
搬到記憶體上再跳過去跑就會快了.
PS:
[1] https://github.com/LongSoft/UEFITool
[2] https://dlcdnets.asus.com/pub/ASUS/mb/socket1151/WS-C246-PRO/BIOS/WS-C246-PRO-ASUS-0904.zip
--
All Comments