On Thu, 2013-01-03 at 19:13 -0500, Kevin O'Connor wrote:
On Thu, Jan 03, 2013 at 02:31:43PM -0700, Alex Williamson wrote:
Hi,
I was playing a bit with vfio-based PCI device assignment of VGA in qemu and I seem to be hitting a wall just trying to jump into the VGA BIOS. I'm booting qemu with -vga none and assigning a radeon hd5450 via vfio-pci with some extra code to handle passing legacy accesses through to the host. Legacy access hardly seems to matter though, as the experiment quickly dies when the vcpu starts executing zeroed memory. gdb shows me something like this:
[...]
0x000fbd20: 66 ea 26 bd 28 00    ljmpw  $0x28,$0xbd26
0x0000bd26: 00 00                add    %al,(%eax)
Everything looks okay except for here. I'd guess it's likely just a reporting issue. The code being run is actually at 0xfbd26: as part of jumping into real mode, the code has a segment offset (0xf0000) that must be added in.
Trying to follow the code into __callrom(), I'm really confused how the option rom init vector is actually used since callrom() passes the option rom header offset to the init vector rather than anything actually resembling the value of the init vector. I really don't know x86 though, so maybe I'm missing something.
The option rom should actually have code (e.g., a jmp instruction) at offset 3 of the option rom. So the goal really is to jump to the 3rd byte of the option rom to execute it.
Yes!
(gdb) x/i 0xc0003
0xc0003: jmp 0xc0229
(gdb) x/10i 0xc0229
0xc0229: push %ax
0xc022b: push %cx
0xc022d: push %dx
0xc022f: push %bx
0xc0231: push %bp
0xc0233: push %si
0xc0235: push %di
0xc0237: push %cs
0xc0238: pop %ds
0xc0239: mov %eax,0xe8c01c2
Thanks for filling in that piece of the puzzle for me. If the above is just a reporting problem, how do I fix it so I can actually step through the rom?
Thanks,
Alex
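The two points Kevin makes above (a real-mode address is the segment base plus the offset, so 0xbd26 under a 0xf0000 base is really 0xfbd26; and the option ROM's init entry is code at offset 3 of its header, normally a jmp) as an added example, not code from this thread or from SeaBIOS: a small C decoder that forms the linear address and follows the jmp at offset 3 of a legacy option ROM image, reproducing the 0xc0003 -> 0xc0229 hop seen in gdb. The ROM_BASE value, the sample image, and all function names are assumptions made for the example; the sample image is constructed, not a real VGA ROM.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Real-mode address formation: linear = segment * 16 + offset.  For the
   ljmpw $0x28,$0xbd26 shown in gdb the code runs under a segment whose
   base is 0xf0000, so offset 0xbd26 actually executes at 0xfbd26. */
uint32_t real_mode_linear(uint16_t seg, uint16_t off)
{
    return ((uint32_t)seg << 4) + off;
}

/* Legacy option ROM header layout (PCI firmware spec):
   bytes 0-1: 0x55 0xAA signature
   byte  2  : image length in 512-byte units
   byte  3  : init entry point, normally a jmp into the image
   The whole image must sum to 0 modulo 256. */
#define ROM_BASE 0xC0000u   /* assumption: where the VGA ROM is mapped */

/* Constructed sample image (not a real ROM): one 512-byte block, a near
   jmp (E9 rel16) at offset 3 targeting offset 0x229, and a final byte
   chosen so the 8-bit checksum comes out to zero. */
static const uint8_t sample_rom[512] = {
    0x55, 0xAA, 0x01, 0xE9, 0x23, 0x02,
    [511] = 0xF2,
};

int option_rom_checksum_ok(const uint8_t *rom, size_t len)
{
    uint8_t sum = 0;
    for (size_t i = 0; i < len; i++)
        sum += rom[i];
    return sum == 0;
}

/* Validate the header and decode the jmp at offset 3 into the linear
   address the BIOS would execute first.  Returns 0 on success, -1 if the
   image is malformed or the entry is not a plain jmp this decoder follows. */
int option_rom_entry(const uint8_t *rom, size_t len, uint32_t base, uint32_t *entry)
{
    if (len < 6 || rom[0] != 0x55 || rom[1] != 0xAA)
        return -1;
    size_t image_len = (size_t)rom[2] * 512;
    if (image_len == 0 || image_len > len || !option_rom_checksum_ok(rom, image_len))
        return -1;
    uint32_t jmp_at = base + 3;
    if (rom[3] == 0xE9) {            /* jmp rel16: target = next_ip + rel16 */
        int16_t rel = (int16_t)(rom[4] | (rom[5] << 8));
        *entry = jmp_at + 3 + rel;
        return 0;
    }
    if (rom[3] == 0xEB) {            /* jmp rel8: target = next_ip + rel8 */
        int8_t rel = (int8_t)rom[4];
        *entry = jmp_at + 2 + rel;
        return 0;
    }
    return -1;
}

/* Convenience wrapper for the constructed sample: entry address, or 0 on error. */
uint32_t sample_rom_entry(void)
{
    uint32_t entry = 0;
    if (option_rom_entry(sample_rom, sizeof sample_rom, ROM_BASE, &entry) != 0)
        return 0;
    return entry;
}

int main(void)
{
    printf("ljmpw target: 0x%x\n", real_mode_linear(0xF000, 0xBD26));
    printf("option ROM init entry: 0x%x\n", sample_rom_entry());
    return 0;
}
```

With the constructed image the decoder reports 0xc0229, matching the `0xc0003: jmp 0xc0229` line in the gdb dump; a truncated or badly checksummed image is rejected rather than followed, which is the check worth having before handing control to a ROM pulled off an assigned device.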