SeaBIOS January 2022

seabios@seabios.org

16 participants
18 discussions

Re: INT 14H
by Paul Edwards 29 Sep '22

29 Sep '22

Hi Gerd. Thanks for your reply. Sorry for the delay, was swamped with other things. >> Currently I don't know what to recommend, because I >> don't understand the other side of the INT 13H/14H, >> only the OS side. > Well, the other side talks to the hardware, > and needs drivers to do so. See src/hw > Surely one can write a serial driver which connects to a remote place > using some bluetooth protocol instead of talking to a 16550. That'll > be *alot* of work though, you basically have to implement both > bluetooth stack and hardware driver. I expected to assemble, rather than write, such a thing. If not from the Linux source code, then FreeBSD or ReactOS. If for some reason (what would that be?) no-one has abstracted bluetooth to have a clean interface that I could have trivially reused, then I will put aside my bluetooth dreams and switch to a different technology. How about Wifi? Does that exist in a state usable for my purposes? >> Sure. For now, I want PDOS/386 to remain traditional. >> When I have exhausted everything that is possible >> via the BIOS, I will consider adding UEFI support. > If you want your firmware provide drivers to you for modern hardware you > are in a *much* better position with UEFI. Well, on some/many/most modern machines there is absolutely no other choice - the BIOS doesn't exist, even as CSM. > There is a bluetooth > protocol specification for example, although I'm not sure how common it > is to find an actual uefi driver for bluetooth hardware in the firmware. > Talking to ethernet using the firmware-provided uefi driver shouldn't be > much of a problem though b/c network boot is a rather standard feature. Ok, maybe in the medium term I should use a hardware device, forget the name, that turns ethernet into Wifi. So then the problem is reduced to me needing to provide a BOOTX64.EFI that converts INT 14H into UEFI ethernet calls. >> But I'd like to transport all of that software, designed for >> that environment, and change nothing at all, and have >> it work on a new environment that includes Wifi, bluetooth >> and maybe ethernet, and maybe infrared, and maybe >> other things I don't know about, but make sense (at >> some level) to be accessed via INT 14H. > Well. In the server world it is rather common to provide access to the > serial line over the network for system management purposes. > One approach for that is to have a separate management controller (bmc), > and the serial port of the machine is linked to the management > controller instead of a D9 socket. You can then connect to the bmc to > manage the machine, and one of the options available is to get serial > console access. Ok, this would allow me to have a BBS. But not allow me to have a "virtual modem" so that I can dial out. > Another approach is to have a virtual 16550 provided by the firmware. > Accessing the virtual 16550 will trap into SMM mode where the firmware > emulates a serial device and allows to access the serial port remotely > over the network, roughly comparable to how qemu provides an virtual > 16550 to virtual machines. Ok, but in the case of qemu I have the same issue - at the end of the day I want to drive a modem, so with qemu I can get it to talk to a "virtual modem". If the firmware is providing the serial to network conversion, I also need to stick in a virtual modem there. And that's what I was hoping SeaBIOS would allow me to do. > Note that both approaches work at hardware level not int14h level, > because modern operating systems use int14h services in bootloaders > only if at all. My operating system, PDOS/386, may not be considered "modern", even though it is in active development, but I do wish to use INT 14H, as that was the traditional BIOS service provided, and I wish to maintain contact with the original 80386 machines. I expect a modern environment to have the CPU, memory etc required to support this basic interface. BFN. Paul.

2 4

[PATCH] fw/coreboot.c: Use coreboot table to find cbfs
by Arthur Heymans 22 Apr '22

22 Apr '22

The "cbfs master header" cbfs file is considered a legacy feature in coreboot and is planned for removal in the master branch. Since 2015 the coreboot tables have exported info about the active cbfs. This change uses the cbfs information in the coreboot tables instead of following the cbfs master header pointer in the bootblock to find cbfs. This change makes it possible to access CBFS fmap regions that don't feature a "cbfs master header", which is the case with Googles VBOOT solution. This breaks compatibility with very old coreboot build (build before fb5d5b16 "2015-07-14, cbtable: describe boot media"). Keeping backward compatibility with the "cbfs master header" would complicate the code. Signed-off-by: Arthur Heymans <arthur(a)aheymans.xyz> diff --git a/src/Kconfig b/src/Kconfig index 3a8ffa1..51ba827 100644 --- a/src/Kconfig +++ b/src/Kconfig @@ -93,15 +93,6 @@ endchoice help Support CBFS files compressed using the lzma decompression algorithm. - config CBFS_LOCATION - depends on COREBOOT_FLASH - hex "CBFS memory end location" - default 0 - help - Memory address of where the CBFS data ends. This should - be zero for normal builds. It may be a non-zero value if - the CBFS filesystem is at a non-standard location (eg, - 0xffe00000 if CBFS ends 2Meg below the end of flash). config MULTIBOOT depends on COREBOOT diff --git a/src/fw/coreboot.c b/src/fw/coreboot.c index 7c0954b..8a35c1d 100644 --- a/src/fw/coreboot.c +++ b/src/fw/coreboot.c @@ -88,6 +88,18 @@ struct cbmem_console { #define CBMC_OVERFLOW (1 << 31) static struct cbmem_console *cbcon = NULL; +#define CB_TAG_BOOT_MEDIA_PARAMS 0x30 + +struct cb_boot_media_params { + u32 tag; + u32 size; + /* offsets are relative to start of boot media */ + u64 fmap_offset; + u64 cbfs_offset; + u64 cbfs_size; + u64 boot_media_size; +}; + static u16 ipchksum(char *buf, int count) { @@ -146,7 +158,12 @@ find_cb_subtable(struct cb_header *cbh, u32 tag) struct cb_header * find_cb_table(void) { - struct cb_header *cbh = find_cb_header(0, 0x1000); + static struct cb_header *cbh; + + if (cbh) + return cbh; + + cbh= find_cb_header(0, 0x1000); if (!cbh) return NULL; struct cb_forward *cbf = find_cb_subtable(cbh, CB_TAG_FORWARD); @@ -317,20 +334,8 @@ ulzma(u8 *dst, u32 maxlen, const u8 *src, u32 srclen) * Coreboot flash format ****************************************************************/ -#define CBFS_HEADER_MAGIC 0x4F524243 -#define CBFS_VERSION1 0x31313131 - -struct cbfs_header { - u32 magic; - u32 version; - u32 romsize; - u32 bootblocksize; - u32 align; - u32 offset; - u32 pad[2]; -} PACKED; - #define CBFS_FILE_MAGIC 0x455649484352414cLL // LARCHIVE +#define CBFS_ALIGNMENT 64 struct cbfs_file { u64 magic; @@ -429,30 +434,50 @@ coreboot_cbfs_init(void) if (!CONFIG_COREBOOT_FLASH) return; - struct cbfs_header *hdr = *(void **)(CONFIG_CBFS_LOCATION - 4); - if ((u32)hdr & 0x03) { - dprintf(1, "Invalid CBFS pointer %p\n", hdr); + dprintf(3, "Attempting to initialize coreboot cbfs\n"); + + struct cb_header *cbh = find_cb_table(); + if (!cbh) { + dprintf(1, "cbfs_init: unable to find cb table\n"); return; } - if (CONFIG_CBFS_LOCATION && (u32)hdr > CONFIG_CBFS_LOCATION) - // Looks like the pointer is relative to CONFIG_CBFS_LOCATION - hdr = (void*)hdr + CONFIG_CBFS_LOCATION; - if (hdr->magic != cpu_to_be32(CBFS_HEADER_MAGIC)) { - dprintf(1, "Unable to find CBFS (ptr=%p; got %x not %x)\n" - , hdr, hdr->magic, cpu_to_be32(CBFS_HEADER_MAGIC)); + + struct cb_boot_media_params *cbbmp = + find_cb_subtable(cbh, CB_TAG_BOOT_MEDIA_PARAMS); + + if (!cbbmp) { + dprintf(1, "cbfs_init: unable to find boot media params\n"); return; } - dprintf(1, "Found CBFS header at %p\n", hdr); - u32 romsize = be32_to_cpu(hdr->romsize); - u32 romstart = CONFIG_CBFS_LOCATION - romsize; - struct cbfs_file *fhdr = (void*)romstart + be32_to_cpu(hdr->offset); + const u32 romsize = cbbmp->boot_media_size; + const u32 cbfs_start = cbbmp->cbfs_offset - romsize; + const u32 cbfs_end = cbfs_start + cbbmp->cbfs_size - 1; + + dprintf(3, "cbfs_init: cbfs_start=0x%08x, cbfs_end=0x%08x\n", cbfs_start, + cbfs_end); + + u32 offset = cbfs_start; + for (;;) { - if ((u32)fhdr - romstart > romsize) - break; - u64 magic = fhdr->magic; - if (magic != CBFS_FILE_MAGIC) + if (offset > cbfs_end || offset < cbfs_start) break; + + struct cbfs_file *fhdr = (void*)offset; + + if (fhdr->magic != CBFS_FILE_MAGIC) { + offset++; + offset = ALIGN(offset, CBFS_ALIGNMENT); + continue; + } + + /* Skip empty space */ + if (strcmp(fhdr->filename, "") == 0) { + offset += ALIGN(be32_to_cpu(fhdr->offset) + be32_to_cpu(fhdr->len) + , CBFS_ALIGNMENT); + continue; + } + struct cbfs_romfile_s *cfile = malloc_tmp(sizeof(*cfile)); if (!cfile) { warn_noalloc(); @@ -473,8 +498,8 @@ coreboot_cbfs_init(void) } romfile_add(&cfile->file); - fhdr = (void*)ALIGN((u32)cfile->data + cfile->rawsize - , be32_to_cpu(hdr->align)); + offset = ALIGN((u32)cfile->data + cfile->rawsize + , CBFS_ALIGNMENT); } process_links_file(); -- 2.30.2

4 8

[PATCH] nvme: fix LBA format data structure
by Florian Larysch 03 Feb '22

03 Feb '22

The LBA Format Data structure is dword-sized, but struct nvme_lba_format erroneously contains an additional member, misaligning all LBAF descriptors after the first and causing them to be misinterpreted. Remove it. Signed-off-by: Florian Larysch <fl(a)n621.de> --- src/hw/nvme-int.h | 1 - 1 file changed, 1 deletion(-) diff --git a/src/hw/nvme-int.h b/src/hw/nvme-int.h index a4c1555..5779203 100644 --- a/src/hw/nvme-int.h +++ b/src/hw/nvme-int.h @@ -156,7 +156,6 @@ struct nvme_lba_format { u16 ms; u8 lbads; u8 rp; - u8 res; }; struct nvme_identify_ns { -- 2.34.1

3 7

Cut 1.15.1 release?
by Paul Menzel 28 Jan '22

28 Jan '22

Dear SeaBIOS folks, with the latest NVMe fixes, would it make sense to tag a 1.15.1 release? The 1.16.0 release is planned for end of February, as far as I understand it. Maybe that could be moved up two weeks? Kind regards, Paul

3 2

[PATCH] nvme: avoid use-after-free in nvme_controller_enable()
by Jan Beulich 27 Jan '22

27 Jan '22

Commit b68f313c9139 ("nvme: Record maximum allowed request size") introduced a use of "identify" past it being passed to free(). Latch the value of interest into a local variable. Reported-by: Coverity (ID 1497613) Signed-off-by: Jan Beulich <jbeulich(a)suse.com> --- It was a Xen Project Coverity run which reported this after our updating to 1.15.0. --- a/src/hw/nvme.c +++ b/src/hw/nvme.c @@ -620,6 +620,7 @@ identify->nn, (identify->nn == 1) ? "" : "s"); ctrl->ns_count = identify->nn; + u8 mdts = identify->mdts; free(identify); if ((ctrl->ns_count == 0) || nvme_create_io_queues(ctrl)) { @@ -631,7 +632,7 @@ /* Populate namespace IDs */ int ns_idx; for (ns_idx = 0; ns_idx < ctrl->ns_count; ns_idx++) { - nvme_probe_ns(ctrl, ns_idx, identify->mdts); + nvme_probe_ns(ctrl, ns_idx, mdts); } dprintf(3, "NVMe initialization complete!\n");

2 1

[PATCH] sercon: Fix missing GET_LOW() to access rx_bytes
by Kevin O'Connor 27 Jan '22

27 Jan '22

The variable rx_bytes is marked VARLOW, but there was a missing GET_LOW() to access rx_bytes. Fix by copying rx_bytes to a local variable and avoid the repetitive segment memory accesses. Reported-by: Gabe Black <gabe.black(a)gmail.com> Signed-off-by: Volker Rümelin <vr_qemu(a)t-online.de> Signed-off-by: Kevin O'Connor <kevin(a)koconnor.net> --- src/sercon.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/src/sercon.c b/src/sercon.c index 66a1f24..3019d9b 100644 --- a/src/sercon.c +++ b/src/sercon.c @@ -626,7 +626,7 @@ sercon_check_event(void) u16 addr = GET_LOW(sercon_port); u16 keycode; u8 byte, count = 0; - int seq, chr; + int seq; // check to see if there is a active serial port if (!addr) @@ -640,20 +640,23 @@ sercon_check_event(void) // read all available data while (inb(addr + SEROFF_LSR) & 0x01) { byte = inb(addr + SEROFF_DATA); - if (GET_LOW(rx_bytes) < sizeof(rx_buf)) { - SET_LOW(rx_buf[rx_bytes], byte); - SET_LOW(rx_bytes, GET_LOW(rx_bytes) + 1); + u8 rb = GET_LOW(rx_bytes); + if (rb < sizeof(rx_buf)) { + SET_LOW(rx_buf[rb], byte); + SET_LOW(rx_bytes, rb + 1); count++; } } for (;;) { // no (more) input data - if (!GET_LOW(rx_bytes)) + u8 rb = GET_LOW(rx_bytes); + if (!rb) return; // lookup escape sequences - if (GET_LOW(rx_bytes) > 1 && GET_LOW(rx_buf[0]) == 0x1b) { + u8 next_char = GET_LOW(rx_buf[0]); + if (rb > 1 && next_char == 0x1b) { seq = findseq(); if (seq >= 0) { enqueue_key(GET_GLOBAL(termseq[seq].keycode)); @@ -664,12 +667,11 @@ sercon_check_event(void) // Seems we got a escape sequence we didn't recognise. // -> If we received data wait for more, maybe it is just incomplete. - if (GET_LOW(rx_buf[0]) == 0x1b && count) + if (next_char == 0x1b && count) return; // Handle input as individual char. - chr = GET_LOW(rx_buf[0]); - keycode = ascii_to_keycode(chr); + keycode = ascii_to_keycode(next_char); if (keycode) enqueue_key(keycode); shiftbuf(1); -- 2.31.1

2 2

[PATCHv2 0/6] Rework NVME page transfers and avoid fsegment allocation
by Kevin O'Connor 27 Jan '22

27 Jan '22

This is a resend of the previous series. Changes since last time: * Patch 1: Fix function comment on nvme_io_xfer() * Patch 3-5: Added "goto bounce" to nvme_io_xfer() as suggested by Alex * Patch 6: Added separate "single dma bounce buffer" patch to this series * Patch 6: Add checking for malloc failure -Kevin Kevin O'Connor (6): nvme: Rework nvme_io_readwrite() to return -1 on error nvme: Add nvme_bounce_xfer() helper function nvme: Convert nvme_build_prpl() to nvme_prpl_xfer() nvme: Pass prp1 and prp2 directly to nvme_io_xfer() nvme: Build the page list in the existing dma buffer nvme: Only allocate one dma bounce buffer for all nvme drives src/hw/nvme-int.h | 10 --- src/hw/nvme.c | 163 ++++++++++++++++++++++------------------------ 2 files changed, 78 insertions(+), 95 deletions(-) -- 2.31.1

2 11

[PATCH 0/5] Rework NVME page transfers and avoid fsegment allocation
by Kevin O'Connor 22 Jan '22

22 Jan '22

Hi Alex, I was looking at your recent fix for SeaBIOS NVME. I agree that it is not valid to write to the f-segment during runtime. However, I was struggling to understand the PRP list management in the nvme.c code. I came up with a different implementation that avoids allocating another buffer in the "high zone". Instead, the code in this patch series builds the page list in the existing "dma bounce buffer". I don't have a good way to test this on real hardware. It passes simple qemu tests (both with and without kvm). For example: qemu-system-x86_64 -k en-us -snapshot -L test -chardev stdio,id=seabios -device isa-debugcon,iobase=0x402,chardev=seabios -m 512 -drive file=dos-drivec,if=none,id=drive0 -device nvme,drive=drive0,serial=nvme-1 -boot menu=on Thanks, -Kevin Kevin O'Connor (5): nvme: Rework nvme_io_readwrite() to return -1 on error nvme: Add nvme_bounce_xfer() helper function nvme: Convert nvme_build_prpl() to nvme_prpl_xfer() nvme: Pass prp1 and prp2 directly to nvme_io_xfer() nvme: Build the page list in the existing dma buffer src/hw/nvme-int.h | 7 --- src/hw/nvme.c | 143 ++++++++++++++++++++-------------------------- 2 files changed, 61 insertions(+), 89 deletions(-) -- 2.31.1

4 18

[PATCH] smm: Suppress gcc array-bounds warnings
by Kevin O'Connor 21 Jan '22

21 Jan '22

Add a hack to suppress spurious gcc array-bounds warning. Signed-off-by: Kevin O'Connor <kevin(a)koconnor.net> --- src/fw/smm.c | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/src/fw/smm.c b/src/fw/smm.c index d90e43a..a0b50b2 100644 --- a/src/fw/smm.c +++ b/src/fw/smm.c @@ -59,6 +59,14 @@ struct smm_layout { struct smm_state cpu; }; +// Hack to supress some gcc array-bounds warnings +static void +memcpy_nowarn(void *d, const void *s, size_t len) +{ + asm("" : "+r"(d), "+r"(s)); + memcpy(d, s, len); +} + void VISIBLE32FLAT handle_smi(u16 cs) { @@ -85,8 +93,8 @@ handle_smi(u16 cs) if (CONFIG_CALL32_SMM) { // Backup current cpu state for SMM trampolining struct smm_layout *newsmm = (void*)BUILD_SMM_ADDR; - memcpy(&newsmm->backup1, &smm->cpu, sizeof(newsmm->backup1)); - memcpy(&newsmm->backup2, &smm->cpu, sizeof(newsmm->backup2)); + memcpy_nowarn(&newsmm->backup1, &smm->cpu, sizeof(newsmm->backup1)); + memcpy_nowarn(&newsmm->backup2, &smm->cpu, sizeof(newsmm->backup2)); HaveSmmCall32 = 1; } @@ -145,8 +153,8 @@ smm_save_and_copy(void) // save original memory content struct smm_layout *initsmm = (void*)BUILD_SMM_INIT_ADDR; struct smm_layout *smm = (void*)BUILD_SMM_ADDR; - memcpy(&smm->cpu, &initsmm->cpu, sizeof(smm->cpu)); - memcpy(&smm->codeentry, &initsmm->codeentry, sizeof(smm->codeentry)); + memcpy_nowarn(&smm->cpu, &initsmm->cpu, sizeof(smm->cpu)); + memcpy_nowarn(&smm->codeentry, &initsmm->codeentry, sizeof(smm->codeentry)); // Setup code entry point. initsmm->codeentry = SMI_INSN; @@ -168,8 +176,9 @@ smm_relocate_and_restore(void) /* restore original memory content */ struct smm_layout *initsmm = (void*)BUILD_SMM_INIT_ADDR; struct smm_layout *smm = (void*)BUILD_SMM_ADDR; - memcpy(&initsmm->cpu, &smm->cpu, sizeof(initsmm->cpu)); - memcpy(&initsmm->codeentry, &smm->codeentry, sizeof(initsmm->codeentry)); + memcpy_nowarn(&initsmm->cpu, &smm->cpu, sizeof(initsmm->cpu)); + memcpy_nowarn(&initsmm->codeentry, &smm->codeentry + , sizeof(initsmm->codeentry)); // Setup code entry point. smm->codeentry = SMI_INSN; -- 2.31.1

2 2

[PATCH] nvme: Only allocate one dma bounce buffer for all nvme drives
by Kevin O'Connor 21 Jan '22

21 Jan '22

There is no need to create multiple dma bounce buffers as the BIOS disk code isn't reentrant capable. Signed-off-by: Kevin O'Connor <kevin(a)koconnor.net> --- This is a minor cleanup on top of the previous nvme code series. -Kevin --- src/hw/nvme-int.h | 3 --- src/hw/nvme.c | 14 +++++++++----- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/src/hw/nvme-int.h b/src/hw/nvme-int.h index f0d717d..f9c807e 100644 --- a/src/hw/nvme-int.h +++ b/src/hw/nvme-int.h @@ -117,9 +117,6 @@ struct nvme_namespace { u32 block_size; u32 metadata_size; u32 max_req_size; - - /* Page aligned buffer of size NVME_PAGE_SIZE. */ - char *dma_buffer; }; /* Data structures for NVMe admin identify commands */ diff --git a/src/hw/nvme.c b/src/hw/nvme.c index 39b9138..0ba981c 100644 --- a/src/hw/nvme.c +++ b/src/hw/nvme.c @@ -20,6 +20,9 @@ #include "nvme.h" #include "nvme-int.h" +// Page aligned "dma bounce buffer" of size NVME_PAGE_SIZE in high memory +static void *nvme_dma_buffer; + static void * zalloc_page_aligned(struct zone_s *zone, u32 size) { @@ -294,7 +297,8 @@ nvme_probe_ns(struct nvme_ctrl *ctrl, u32 ns_idx, u8 mdts) ns->max_req_size = -1U; } - ns->dma_buffer = zalloc_page_aligned(&ZoneHigh, NVME_PAGE_SIZE); + if (!nvme_dma_buffer) + nvme_dma_buffer = zalloc_page_aligned(&ZoneHigh, NVME_PAGE_SIZE); char *desc = znprintf(MAXDESCSIZE, "NVMe NS %u: %llu MiB (%llu %u-byte " "blocks + %u-byte metadata)", @@ -460,12 +464,12 @@ nvme_bounce_xfer(struct nvme_namespace *ns, u64 lba, void *buf, u16 count, u16 blocks = count < max_blocks ? count : max_blocks; if (write) - memcpy(ns->dma_buffer, buf, blocks * ns->block_size); + memcpy(nvme_dma_buffer, buf, blocks * ns->block_size); - int res = nvme_io_xfer(ns, lba, ns->dma_buffer, NULL, blocks, write); + int res = nvme_io_xfer(ns, lba, nvme_dma_buffer, NULL, blocks, write); if (!write && res >= 0) - memcpy(buf, ns->dma_buffer, res * ns->block_size); + memcpy(buf, nvme_dma_buffer, res * ns->block_size); return res; } @@ -499,7 +503,7 @@ nvme_prpl_xfer(struct nvme_namespace *ns, u64 lba, void *buf, u16 count, if ((ns->block_size * count) > (NVME_PAGE_SIZE * 2)) { /* We need to describe more than 2 pages, build PRP List */ u32 prpl_len = 0; - u64 *prpl = (void*)ns->dma_buffer; + u64 *prpl = nvme_dma_buffer; int first_page = 1; for (; size > 0; base += NVME_PAGE_SIZE, size -= NVME_PAGE_SIZE) { if (first_page) { -- 2.31.1

2 1

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

SeaBIOS January 2022