"McMechan, James W CIV" james.mcmechan@navy.mil writes:
Here is what I wrote while trying to catch up to list, though there is a FAQ I produced this while working my way through the emails perhaps some of it could be added to the FAQ
Would you be interested in maintaining or helping to maintain the FAQ? You seem to have a nack for putting the information together.
LinuxBIOS is a project to replace the original BIOS on motherboards with open source.
It appears that the two most common uses for LinuxBIOS are for Supercomputer clusters and embedded systems.
LinuxBIOS no longer always uses a real OS to load the OS.
That is not quite correct.
LinuxBIOS requires a real OS, or at least a piece of software that can run standalone without any OS or BIOS services on the bare hardware. Which is essentially the definition of a real OS though it is not the definition of a general purpose OS.
In the case of ADLO, ADLO can be considered a special purpose OS that mimics the syscall interface of a standard BIOS.
LinuxBIOS currently can boot several payloads including: 1 Linux which is what started all this, hence the name. 2 Plan9 Ron Minnich seems to like this one. 3 VxWorks Felix Radensky said he had success with a older boot method 4 EtherBoot which despite its name can also boot from IDE hard disks with a patch or the dev branch
5 ADLO is a shim to allow the Boch emulator's BIOS to be used on top of LinuxBIOS to boot some versions of that other OS or to run VGA controller ROMs which seem to assume that a BIOS is present.
?
The Supercomputer people appear to want remote control, remote booting and fast boot times without user interaction. For example "Press F2" is a very inconvenient task on a system with 100 computers
The embedded people appear to want full control of the boot process and very fast boot times. For example who wants to watch a memory test go by on their VCR/MP3 player or see "Press F2" without a keyboard.
In addition there is some background work on secure/trusted booting. I don't know if anything has really happened with that yet, but ADLO grow out of the interest in trusted booting.
LinuxBIOS is installed into the flash ROM in place of the original BIOS.
Most flash ROMs are currently 2 Megabits in size, i.e. a 29SF020 which is only 256 Kilobytes of storage, or some might be 4 Mbit ROM which provides 512 Kbytes and so could allow for very squeezed down Linux kernel to also be included in the ROM, though I don't know of a useful kernel that small.
It would be nice to add a larger flash ROM but many motherboards do not connect enough address lines to the Flash ROM socket, for even the 4 Mbit part or they solder the chip down.
For LPC flash parts the address line count is not a real issue, new boards have them and they current are up to 8Mbit in size, but do not have a theoretical limit.
Another popular if grumbled about option is the disk on a chip the DoC Millennium which is a paged flash part that can have LinuxBIOS in the first part and up to 8 Mbytes of other data on other pages of the chip. Very short ~3-10 seconds boot times should be possible with this method.
The BIOS Flash can usually be programmed in place by either just reflashing the original BIOS or by the hotswap method also known as the dental floss method, referring to putting dental floss under a PLCC chip to make it easy to remove without requiring metal tools in a powered on system. The hotswap method is not for the faint of heart but not all that difficult either, the system is booted with a working ROM which is then pulled out and the ROM to be programmed inserted in its place, then the ROM flashing program is run, and when done a reboot can be tried, this does not require a programmer as it uses the motherboards ability to update its BIOS as the programmer, if the reboot fails the original ROM is reinserted and the system rebooted again, all this requires, is some spare flash ROMs it is a good idea to make and label a couple backups incase something goes wrong, I have put ROMs in DIP sockets backwards destroying the ROMs, and ESD is a worry even if it is not a commo!
n problem.
Some people also use a very nice device called the BIOS savior which allows for two BIOS ROMS to be switched by the user with a switch.
Compact Flash IDE adaptors appear to be popular as the CF does not need the spin up time of a real hard disk. Very short boot times of ~3-10 seconds are claimed for this configuration also.
Each model of motherboard currently needs its own build information due to a lack of standards in how the circuitboards are laid out between models and manufactures.
If you have a motherboard that is not listed, a "lspci" will show what chipsets are in use and you can then check to see if they are in the LinuxBIOS tree, if not some research may be needed to get the documentation for that chipset.
The kexec patches date back to the original LinuxBIOS with the Linux kernel in the BIOS ROM and allowed for new kernels to be loaded and executed without rebooting back to the BIOS this would allow for a minimal kernel in the BIOS and a full featured kernel to be loaded by the first kernel. Also the BIOS ROMs have a limited programming life and limited space so a small unchanging kernel that then loads the final kernel from something else prolongs the useful life of the ROMs.
Ron Minnich at LANL uses similar feature called "two kernel monte" http://sourceforge.net/projects/monte/
LinuxBIOS now has the ability to make use of the CMOS space for fallback/normal boot image selection, serial port baud rates, and boot order for Etherboot, Ron Minnich also used it authentication information for a Plan9 cluster. See the cmos.layout files for information.
Steven James had nice comments on Normal/Fallback images: LinuxBIOS for that board (and many others) supports two copies of LinuxBIOS, fallback and primary. The fallback image is intended to be old and stable and it's purpose is to act as a sort of rescue image. The primary image is the one that gets updated to the latest and greatest, and is meant to be more versatile and complete.
And after the most recent update the ``hair trigger'' problem has been solved. In particular it now requires several boot failures in a row before LinuxBIOS switches into fallback mode. Generally this is 3 successive failures.
The fallback image is loaded at the top of the flash, and always receives control at power on or reset. It does very minimal setup (switch to 32bit flat memory protected mode), checks and clears the CMOS boot bit, and if it was set, jumps to the primary image. This way, if the primary fails, hitting reset will boot from the fallback image alone.
The mechanism has been updated to keep a failure count in the CMOS and only when the failure count crosses a threshold is the boot bit cleared. The counter is reset after LinuxBIOS has successfully loaded an image like etherboot.
Etherboot now implements a similar scheme to allow two images on the disk. One at the start one at the end, but installing an image at the end of the disk still requires some work.
From your config, you were building a primary image. the missing bytes are
for the fallback image to be appended. It didn't work because you didn't have a fallback image at the top of the flash (the end of the image file).
Ron Minnich expanded on fallback vs. primary:
You need to build TWO linuxbioses, a fallback and a primary. The fallback is 64k. The primary is (romsize-64k).
To build a romimage, you build the fallback, build the primary, then:
cat primary/romimage fallback/romimage > final_romimage
flash_rom final_romimage
Steve Gehlbach wrote about using BOOT_IDE: See pcchips787.config in util/config for complete configuration.
Note significant pieces of this information are not using the ELF bootloader, and so describes a deprecated feature. But it will not be removed in the 1.0.x stable series. In the development series the code will not be added.
option BOOT_IDE=1 This enables booting from IDE, the file to use is linux.bin.gz:
option IDE_BOOT_DRIVE=2 If you do not use drive 0 (default), then you can set which drive to boot; (0,1,2,3) are the four standard PC drives:
option ONE_TRACK=32 The linux.bin.gz file is put in raw form at partition 1, ie, the first partition on the disk. This is located just past the partition table. The partition table size varies, it is "one track" from the beginning of the disk. "one track" in c/h/s notation is "s" or the number of sectors per track. ONE_TRACK is in sectors, the software multiplies by 512. Most disks are 63 sectors per track (the default), but my CF is 32 sectors per track. eg, the partion table is 63x512 or 32x512 bytes.
You can partition your disk as you want, but Linux goes raw in partition 1; just make sure partition 1 is big enough, not a problem on today's disks. You could put the Linux root file system on partition 2, for example. In pcchips787.config, I put the Linux root file system on IDE 0, partition 2 (I was experimenting with Linux in partition 1), but I eventually put Linux on drive 2 using CF. You are right, copying of linux.bin.gz raw to the partition is dangerous, and something like "cat linux.bin.gz > /dev/hda1" will definitely screw the disk if you put the wrong disk or partition. I recommend a shell script, fingers cannot be trusted. You can also use "dd" but "cat" works.
Greg Watsons had some good comments on on the boot process and file layout: There seem to be two main parts to linuxbios. The first is arch/{arch}/config/ctr0.base which does the very low level initialization, like turning on memory, etc. The second is arch/{arch}/lib/c_start.S which does whatever else is necessary to call the C function hardwaremain(). hardwaremain() then does whatever else is necessary to load Linux.
c_start.S is linked with linuxbios.a, a library containing generic support routines (those found in the lib directory) and anything specified using the 'object' directive in a Config file (and other stuff). The resultant 'executable' is called linuxbios_c. The loader script used to link linuxbios_c is config/linuxbios_c.ld, and is configured to be loaded relative to _RAMBASE.
crt0.base is not linked against anything. Any additional assembly routines you need must be specified using the 'mainboardinit' directive in a Config file. This causes the specified assembly file to be added to "crt0_includes.h" which is in turn included at the start of crt0.base (or at the end in the case of the ppc version). The loader script used to link crt0.base is in arch/{arch}/config/ldscript.base. The resultant 'executable' is called linuxbios and will be loaded at _ROMBASE. The tricky thing is that this loader script will also load the linuxbios_c 'executable' at a location called _payload in this file. The main task of crt0.base is then to initialize enough hardware so that this payload can be copied from ROM into ram (which may also involve uncompressing code). Then control is transferred to _start, which is the first location in linuxbios_c.
To get an idea of how crt0.base works, look at the following files. This is the order of execution specified by the configuration file for sis735.
cpu/i386/entry16.inc cpu/i386/entry32.inc superio/sis/950/setup_serial.inc pc80/serial.inc arch/i386/lib/console.inc cpu/k7/earlymtrr.inc northsouthbridge/sis/735/raminit.inc arch/i386/config/crt0.base
Next look at c_start.S which will show you what happens once control is transferred to _start. Finally, look at arch/{arch}/lib/hardwaremain.c to see what other stuff is done to get Linux loaded.
Most other files are specific to particular hardware, so it can be pretty confusing to just browse the tree.
Hope this helps,
It Looks like a very good summary.
Eric
In addition there is some background work on secure/trusted booting. I don't know if anything has really happened with that yet, but ADLO grow out of the interest in trusted booting.
The evils of software patents are still in force. It exists, it can't be released..
Adam Agnew agnew@cs.umd.edu writes:
In addition there is some background work on secure/trusted booting. I don't know if anything has really happened with that yet, but ADLO grow out of the interest in trusted booting.
The evils of software patents are still in force. It exists, it can't be released..
Is this the patent application process or due to conflicting patents?
In any case I would love to get a good feel for what problems are being addressed and roughly how that is done. As time goes by this is one of the features I would like to see well integrated if parts of it are not built on rubish ideas.
Eric
If anyone has some actual patent #'s we can all find out more at http://delphion.com
Of interest so far I find:
US6546489: Disk drive which provides a secure boot of a host computer system from a protected area of a disk -doesn't sound like it uses PKI but it's a start US6175924: Method and apparatus for protecting application data in secure storage areas -uses PKI, but for userspace code.
And we could see the really interesting stuff about MS's Palladium (I know, they changed the name...) pending applications for a mere $75 a month.
Jeremy ----- Original Message ----- From: "Adam Agnew" agnew@cs.umd.edu To: "Eric W. Biederman" ebiederman@lnxi.com Cc: "McMechan, James W CIV" james.mcmechan@navy.mil; linuxbios@clustermatic.org Sent: Wednesday, April 16, 2003 7:58 PM Subject: Re: Random comments on LinuxBIOS
In addition there is some background work on secure/trusted booting. I
don't
know if anything has really happened with that yet, but ADLO grow out of the interest in trusted booting.
The evils of software patents are still in force. It exists, it can't be released..
Linuxbios mailing list Linuxbios@clustermatic.org http://www.clustermatic.org/mailman/listinfo/linuxbios
The one in question is 6,185,678 http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&u=...)
And from my understanding, it's owned by the U of Penn and comes down to their decision when an open source implementation can be released.
- Adam A.
On Wed, 16 Apr 2003, Jeremy Jackson wrote:
If anyone has some actual patent #'s we can all find out more at http://delphion.com
Of interest so far I find:
US6546489: Disk drive which provides a secure boot of a host computer system from a protected area of a disk -doesn't sound like it uses PKI but it's a start US6175924: Method and apparatus for protecting application data in secure storage areas -uses PKI, but for userspace code.
And we could see the really interesting stuff about MS's Palladium (I know, they changed the name...) pending applications for a mere $75 a month.
Jeremy ----- Original Message ----- From: "Adam Agnew" agnew@cs.umd.edu To: "Eric W. Biederman" ebiederman@lnxi.com Cc: "McMechan, James W CIV" james.mcmechan@navy.mil; linuxbios@clustermatic.org Sent: Wednesday, April 16, 2003 7:58 PM Subject: Re: Random comments on LinuxBIOS
In addition there is some background work on secure/trusted booting. I
don't
know if anything has really happened with that yet, but ADLO grow out of the interest in trusted booting.
The evils of software patents are still in force. It exists, it can't be released..
Linuxbios mailing list Linuxbios@clustermatic.org http://www.clustermatic.org/mailman/listinfo/linuxbios
Linuxbios mailing list Linuxbios@clustermatic.org http://www.clustermatic.org/mailman/listinfo/linuxbios
On Thu, 2003-04-17 at 10:53, Adam Agnew wrote:
The one in question is 6,185,678 http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&u=...)
And from my understanding, it's owned by the U of Penn and comes down to their decision when an open source implementation can be released.
Doesn't the professor (Bill) own a patent on secure boot ? Can you cross license with U of Penn ?
On Thu, 2003-04-17 at 10:53, Adam Agnew wrote:
The one in question is 6,185,678 http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&u=...)
And from my understanding, it's owned by the U of Penn and comes down to their decision when an open source implementation can be released.
- Adam A.
Wow !! It is really a patent evil. Prof Arbaugh invented the patent but assigned it to U of Penn such that he and/or his student can not do some things related in U of Maryland ??
ollie lho ollie@sis.com.tw writes:
Wow !! It is really a patent evil. Prof Arbaugh invented the patent but assigned it to U of Penn such that he and/or his student can not do some things related in U of Maryland ??
I wonder if there is enough wiggle room in there to walk around the patent in a LinuxBIOS scenario. Our standing assumptions are quite different, and there are some of the pieces suggested that have much cleaner alternatives.
As I slowly digest the ideas I have a very hard time with the idea of signing a boot block, and believing that will provide some measure of security and trust. At that point there is software chaining but more than that there is not enough room in a boot block to verify the loaded operating system. Unless someone is a lot more creative with 512 bytes that I am.
Quite a few of the pieces I know it is safe to write and deploy while they do not compose a complete solution. Teaching etherboot about IPsec is totally outside the scope of the patent, for example.
Though for Bill and his students there may be some good faith with the university system that keeps them from exercising all of their options.
Eric
On 17 Apr 2003, Eric W. Biederman wrote:
ollie lho ollie@sis.com.tw writes:
Wow !! It is really a patent evil. Prof Arbaugh invented the patent but assigned it to U of Penn such that he and/or his student can not do some things related in U of Maryland ??
I wonder if there is enough wiggle room in there to walk around the patent in a LinuxBIOS scenario. Our standing assumptions are quite different, and there are some of the pieces suggested that have much cleaner alternatives.
As I slowly digest the ideas I have a very hard time with the idea of signing a boot block, and believing that will provide some measure of security and trust. At that point there is software chaining but more than that there is not enough room in a boot block to verify the loaded operating system. Unless someone is a lot more creative with 512 bytes that I am.
I can't think of a way to sign a boot block either. That's why its nice to just load the linux kernel as an elf image. When you start booting expansion roms, loading bootloaders from boot sectors, booting off of floppies, loading Windows.. it gets a lot fuzzier..
Quite a few of the pieces I know it is safe to write and deploy while they do not compose a complete solution. Teaching etherboot about IPsec is totally outside the scope of the patent, for example.
Though for Bill and his students there may be some good faith with the university system that keeps them from exercising all of their options.
Yeah.
----- Original Message ----- From: "Eric W. Biederman" ebiederman@lnxi.com To: "ollie lho" ollie@sis.com.tw Cc: "Adam Agnew" agnew@cs.umd.edu; "Jeremy Jackson" jerj@coplanar.net; "McMechan, James W CIV" james.mcmechan@navy.mil; "LinuxBIOS Mailing List" linuxbios@clustermatic.org Sent: Thursday, April 17, 2003 3:26 AM Subject: Re: Random comments on LinuxBIOS
ollie lho ollie@sis.com.tw writes:
Wow !! It is really a patent evil. Prof Arbaugh invented the patent but assigned it to U of Penn such that he and/or his student can not do some things related in U of Maryland ??
I wonder if there is enough wiggle room in there to walk around the patent in a LinuxBIOS scenario. Our standing assumptions are quite different, and there are some of the pieces suggested that have much cleaner alternatives.
That was my thought as well. To be air tight would require getting (ie purchasing a copy) of the full text of the patent, and comparing etherboot, etc. against the claims. It specifically states (as do most patents) that the examples given (ie the freely available part you get on the website) do not limit the scope of the patent, and that the claims state what is covered by the patent.
Regards,
Jeremy
Adam Agnew agnew@cs.umd.edu writes:
The one in question is 6,185,678 http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&u=...)
That was an interesting read. At least I now have an idea of what Bill was thinking of. Most interesting is that there is not a mechanism for the trust to go both ways. In particular how is the loaded code to know it is running on a trusted system.
In addition there are some fundamental things in his description that I would simply not implement as described. Nastily extending DHCP and TFTP when IPsec could be used. And in general I don't think any trust is needed at all of the Network Packets. Just the loaded image needs to carry a signature that can be verified.
And the description does not address when the system has exploitable bugs. In particular systems like the X-box can be compromised with buffer overflows and other security standard security holes. Allowing an untrusted application to gain special privileges on the machine.
This is not to say that strong/trusted integrity checks of the components of the system are a bad idea. But rather to show that simply loading trusted components does not give a secure system. That requires only trusting bug free software which as an engineering assumption is impossible.
And from my understanding, it's owned by the U of Penn and comes down to their decision when an open source implementation can be released.
The universities playing with ``IP'' and stifling innovation... Sigh.
----- Original Message ----- From: "Eric W. Biederman" ebiederman@lnxi.com To: "Adam Agnew" agnew@cs.umd.edu Cc: "Jeremy Jackson" jerj@coplanar.net; "McMechan, James W CIV" james.mcmechan@navy.mil; linuxbios@clustermatic.org Sent: Thursday, April 17, 2003 3:11 AM Subject: Re: Random comments on LinuxBIOS
Adam Agnew agnew@cs.umd.edu writes:
The one in question is 6,185,678
http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&u=... l/search-adv.htm&r=1&f=G&l=50&d=PTXT&p=1&p=1&S1=(William+AND+Arbaugh)&OS=Wil liam+AND+Arbaugh&RS=(William+AND+Arbaugh)
That was an interesting read. At least I now have an idea of what Bill was thinking of. Most interesting is that there is not a mechanism for the trust to go both ways. In particular how is the loaded code to know it is running on a trusted system.
I think that is addressed by MS's Palladium (new name escapes me).
[The content of this email was forwarded on request from Bill Arbaugh]
All,
Adam Agnew asked me to respond to the issues involving UPenn's patent based on my dissertation work.
If you've done any technical work at University here in the US, then you know that the University where you are going to school (or working) owns your IP in most circumstances (not all fortunately). As a result, the patent on my dissertation research is owned by UPenn and not myself.
When we started the secure boot work at Maryland, I had assurances from UPenn that we could release the code to the open source community. I've been working with the lawyers at UPenn for two years now to make that happen. A slow and painful process. I'm told that the paperwork to do that is now awaiting approval. I have not seen the final paperwork, nor even an initial draft. So I have no idea, what it looks like. Once it is possible to release the secure boot code, we will.
The ADLO work (minus the security hooks) is a different matter completely. While it came out of the secure boot work, it is not encumbered by the UPenn patent and can be released.
Bill
On 17 Apr 2003, Eric W. Biederman wrote:
Adam Agnew agnew@cs.umd.edu writes:
The one in question is 6,185,678 http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&u=...)
That was an interesting read. At least I now have an idea of what Bill was thinking of. Most interesting is that there is not a mechanism for the trust to go both ways. In particular how is the loaded code to know it is running on a trusted system.
In addition there are some fundamental things in his description that I would simply not implement as described. Nastily extending DHCP and TFTP when IPsec could be used. And in general I don't think any trust is needed at all of the Network Packets. Just the loaded image needs to carry a signature that can be verified.
And the description does not address when the system has exploitable bugs. In particular systems like the X-box can be compromised with buffer overflows and other security standard security holes. Allowing an untrusted application to gain special privileges on the machine.
This is not to say that strong/trusted integrity checks of the components of the system are a bad idea. But rather to show that simply loading trusted components does not give a secure system. That requires only trusting bug free software which as an engineering assumption is impossible.
And from my understanding, it's owned by the U of Penn and comes down to their decision when an open source implementation can be released.
The universities playing with ``IP'' and stifling innovation... Sigh.
Linuxbios mailing list Linuxbios@clustermatic.org http://www.clustermatic.org/mailman/listinfo/linuxbios
On 17 Apr 2003, Eric W. Biederman wrote:
Adam Agnew agnew@cs.umd.edu writes:
The one in question is 6,185,678 http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&u=...)
That was an interesting read. At least I now have an idea of what Bill was thinking of. Most interesting is that there is not a mechanism for the trust to go both ways. In particular how is the loaded code to know it is running on a trusted system.
In addition there are some fundamental things in his description that I would simply not implement as described. Nastily extending DHCP and TFTP when IPsec could be used. And in general I don't think any trust is needed at all of the Network Packets. Just the loaded image needs to carry a signature that can be verified.
A lot of things like that in the description weren't implemented by choice. All we've done is to check elf image signatures so far. I think you'd agree that's the only part that was really necessary towards getting an operating system up in a trusted state. As long as you confine execution to elf images, you can continue to chain along.. As far as etherboot goes, same rules. No need to worry about individual packets. I'm just going to check the signature once it all arrives anyway.
And the description does not address when the system has exploitable bugs. In particular systems like the X-box can be compromised with buffer overflows and other security standard security holes. Allowing an untrusted application to gain special privileges on the machine.
Right, we trust that the components are signed and therefor an authority intended to grant the component permission to run on the machine. It does not mean that we trust the new component not to break the chain of trust, or be bug ridden. Why, we even thought about "trusting" certain closed operating systems!
Adam Agnew agnew@cs.umd.edu writes:
A lot of things like that in the description weren't implemented by choice. All we've done is to check elf image signatures so far. I think you'd agree that's the only part that was really necessary towards getting an operating system up in a trusted state. As long as you confine execution to elf images, you can continue to chain along.. As far as etherboot goes, same rules. No need to worry about individual packets. I'm just going to check the signature once it all arrives anyway.
Ok interesting. The implemented code base is quite different from the description in the patent :)
In the etherboot case there is a bit of vulnerability with respect to replay attacks where an attacker could trick the software into loading and old but buggy but previously signed image.
And the description does not address when the system has exploitable bugs. In particular systems like the X-box can be compromised with buffer overflows and other security standard security holes. Allowing an untrusted application to gain special privileges on the machine.
Right, we trust that the components are signed and therefor an authority intended to grant the component permission to run on the machine. It does not mean that we trust the new component not to break the chain of trust, or be bug ridden. Why, we even thought about "trusting" certain closed operating systems!
Yep, my main goal here was to understand the limitations. A lot of the noise you hear from other systems talking about trusted booting seems to promise the world.
Eric
On Thu, Apr 17, 2003 at 10:59:07AM -0400, Adam Agnew wrote:
A lot of things like that in the description weren't implemented by choice. All we've done is to check elf image signatures so far. I think you'd agree that's the only part that was really necessary towards getting an operating system up in a trusted state. As long as you confine execution to elf images, you can continue to chain along.. As far as etherboot goes, same rules. No need to worry about individual packets. I'm just going to check the signature once it all arrives anyway.
I may be missing something (please tell me!) but is there any real point in checking signatures when the checking and the public key isn't done in hardware, like in the X-Box?
If the OS allows a complete write of the memory area where data, signatures or public keys are stored, this allows the administrator to distribute updated versions of the code using only software. It will allow the hacker to do the exact same thing however.
If the OS doesn't allow a complete write of that memory, no automated lowlevel firmware updates will be possible either for root or r00t.
How does it become secure? (Yeah, I should read the patent. Will it answer the question?)
//Peter
Eric W. Biederman wrote:
For LPC flash parts the address line count is not a real issue, new boards have them and they current are up to 8Mbit in size, but do not have a theoretical limit.
This reminds me of something I have intended to mention. Right now, linuxbios starts up in the high 4G and jumps to the start of the assy code, which is located at 0xffff0004 or 0xf0004 depending on the setting of biosbase (which sets _ROMBASE). For biosbase set to 0xffff0000, the jump is a 16-bit relative jump to 0xffff0004 and so it does a kind of wrap around I think (segment register not reloaded).
Given the large LPC flash parts are coming, and so large flash storage, it seems we should change the startup to set 32-bit mode first, then jump 32-bit to the start of the assy code. The usual way that I have done this jump relative on reset enough bytes below the reset vector, to setup a flat gdt, and go into 32-bit mode, then jump 32-bit to the flash code start. This allows one to start anywhere in flash, not just the top 64k-bytes. I also think we should default to wp cacheing for the flash region as well.
In my view anyway, the current startup jump seems clumsy, and I am not clear on why one would want to jump to 0xf0000 (the default) and run there (for those that aren't familiar 0xf0000 is normally aliased to 0xffff0000 by most if not all chipsets on startup, and doesn't become ram until you enable it). But being in 32-bit mode you could go where you want.
Maybe there is a good reason for this but it escapes me.
-Steve
On Thu, 2003-04-17 at 11:44, Steve Gehlbach wrote:
This reminds me of something I have intended to mention. Right now, linuxbios starts up in the high 4G and jumps to the start of the assy code, which is located at 0xffff0004 or 0xf0004 depending on the setting of biosbase (which sets _ROMBASE). For biosbase set to 0xffff0000, the jump is a 16-bit relative jump to 0xffff0004 and so it does a kind of wrap around I think (segment register not reloaded).
Given the large LPC flash parts are coming, and so large flash storage, it seems we should change the startup to set 32-bit mode first, then jump 32-bit to the start of the assy code. The usual way that I have done this jump relative on reset enough bytes below the reset vector, to setup a flat gdt, and go into 32-bit mode, then jump 32-bit to the flash code start. This allows one to start anywhere in flash, not just the top 64k-bytes. I also think we should default to wp cacheing for the flash region as well.
In my view anyway, the current startup jump seems clumsy, and I am not clear on why one would want to jump to 0xf0000 (the default) and run there (for those that aren't familiar 0xf0000 is normally aliased to 0xffff0000 by most if not all chipsets on startup, and doesn't become ram until you enable it). But being in 32-bit mode you could go where you want.
The very first LinuxBIOS implementation does almost this. Part of the historical reason of 16-bit code is, for DoC with only 512 IPL area, every bit counts. So the asm code for chipsets with DoC support are coded in 16-bit mode instead of 32-bit mode. Now, it seems that DoC is obselete by the non-open attitude of its manufacture and Firmware Hub, we may consider consolidating these asm code to 32-bit in the next development cycle.
ollie lho wrote:
The very first LinuxBIOS implementation does almost this. Part of the historical reason of 16-bit code is, for DoC with only 512 IPL area, every bit counts. So the asm code for chipsets with DoC support are coded in 16-bit mode instead of 32-bit mode. Now, it seems that DoC is obselete by the non-open attitude of its manufacture and Firmware Hub, we may consider consolidating these asm code to 32-bit in the next development cycle.
Thanks, I suspected it had something to do with 16-bit code, but I couldn't understand why. This explains it.
Also, CF is much cheaper than DOC, too.
-Steve
Also, CF is much cheaper than DOC, too.
FYI, snapgear finished the DOC Millennium plus support on Linux, and it is under GPL. It could be a new option for LinuxBIOS.
-Andrew
Steve Gehlbach steve@nexpath.com writes:
Eric W. Biederman wrote:
For LPC flash parts the address line count is not a real issue, new boards have them and they current are up to 8Mbit in size, but do not have a
theoretical
limit.
This reminds me of something I have intended to mention. Right now, linuxbios starts up in the high 4G and jumps to the start of the assy code, which is located at 0xffff0004 or 0xf0004 depending on the setting of biosbase (which sets _ROMBASE). For biosbase set to 0xffff0000, the jump is a 16-bit relative jump to 0xffff0004 and so it does a kind of wrap around I think (segment register not reloaded).
The CPU starts at: CS = 0xFFFF0000 IP=0xFFF0 So you have an entire 64K to work with.
Given the large LPC flash parts are coming, and so large flash storage, it seems
we should change the startup to set 32-bit mode first, then jump 32-bit to the start of the assy code. The usual way that I have done this jump relative on reset enough bytes below the reset vector, to setup a flat gdt, and go into 32-bit mode, then jump 32-bit to the flash code start. This allows one to start anywhere in flash, not just the top 64k-bytes. I also think we should default to wp cacheing for the flash region as well.
WP caching?? We should cache it certainly but note that WP caching != Write Protect in the normal sense.
Except for the location the 16->32bit transition this is pretty much what the code currently does. And for our ``normal'' images when we have 2 copies of LinuxBIOS the start up is entirely 32bit.
In my view anyway, the current startup jump seems clumsy, and I am not clear on why one would want to jump to 0xf0000 (the default) and run there (for those that aren't familiar 0xf0000 is normally aliased to 0xffff0000 by most if not all chipsets on startup, and doesn't become ram until you enable it). But being in 32-bit mode you could go where you want.
There are other reasons for keeping the BIOS image small so a 64K restriction has not been a big deal. That is the reason it has not changed up to this point. But thank you for the reminder. This is something that is worth looking at the development branch along with removing the estimates of LinuxBIOS size that we currently use.
Maybe there is a good reason for this but it escapes me.
Mostly it is one of those we started with it and have not yet found it to be a real limitation.
Eric
Eric W. Biederman wrote:
I also think we should default to wp cacheing for the flash region as well.
WP caching?? We should cache it certainly but note that WP caching != Write Protect in the normal sense.
Except for the location the 16->32bit transition this is pretty much what the code currently does. And for our ``normal'' images when we have 2 copies of LinuxBIOS the start up is entirely 32bit.
I was referring to memory type=5, which Intel calls WP (vol 3, 10-23). It is not by default done for the upper 4G regions in linuxbios AFAIK (biosbase=0xffff0000). One has to set XIP_ROM_BASE, XIP_ROM_SIZE, and then an mtrr is set of type 5 for this region, I am pretty sure. It made a big difference in the pcchips787, as I could not use compression otherwise, took too long to decompress, and the watchdog reset kicked off. I have not studied in detail what WP means precisely but I know that others use this type for flash regions.
-Steve
On Wed, 16 Apr 2003, Steve Gehlbach wrote:
Given the large LPC flash parts are coming, and so large flash storage, it seems we should change the startup to set 32-bit mode first, then jump 32-bit to the start of the assy code. The usual way that I have done this jump relative on reset enough bytes below the reset vector, to setup a flat gdt, and go into 32-bit mode, then jump 32-bit to the flash code start. This allows one to start anywhere in flash, not just the top 64k-bytes. I also think we should default to wp cacheing for the flash region as well.
I would rather not. There are chipset reasons for just assuming that only the top 64K of flash is usable, which is why we have left it as is. The use of the top 64K is not just due to real mode issues.
ron
ron minnich wrote:
On Wed, 16 Apr 2003, Steve Gehlbach wrote:
Given the large LPC flash parts are coming, and so large flash storage, it seems we should change the startup to set 32-bit mode first, then jump 32-bit to the start of the assy code. The usual way that I have done this jump relative on reset enough bytes below the reset vector, to setup a flat gdt, and go into 32-bit mode, then jump 32-bit to the flash code start. This allows one to start anywhere in flash, not just the top 64k-bytes. I also think we should default to wp cacheing for the flash region as well.
I would rather not. There are chipset reasons for just assuming that only the top 64K of flash is usable, which is why we have left it as is. The use of the top 64K is not just due to real mode issues.
Maybe this is too minor of an issue to take up everyones time on. It just seems to me that as the flash parts get larger, limiting ourselves to 64K of code space is being trapped in the past. But we do now have compression which helps a lot.
-Steve
On Thu, 17 Apr 2003, Steve Gehlbach wrote:
Maybe this is too minor of an issue to take up everyones time on. It just seems to me that as the flash parts get larger, limiting ourselves to 64K of code space is being trapped in the past. But we do now have compression which helps a lot.
you're not totally limited to 64k, it's just the code that makes you not limited to 64k is limited to 64k, if you get my drift.
ron
-
Adam Agnew -
Andrew Ip -
ebiederman@lnxi.com -
Jeremy Jackson -
ollie lho -
Peter Stuge -
ron minnich -
Steve Gehlbach