On Tue, Jul 26, 2016 at 03:02:02PM +0800, Li Wang wrote:
> Hi all, I am reading the SeaBIOS code, and I have a question about the shadow memory copy part. In fw/shadow.c, make_bios_writable_intel() reads pam0 to see if shadow memory is already readable (if pam0's fourth bit is set); if pam0 shows that shadow memory is not readable, it runs __make_bios_writable_intel from the high-memory flash location (statements marked green below). But in my understanding the entry point of the BIOS is 0xffff:fff0, and it then jumps to 0xf000:e05b, which points to memory space in shadowing; but before __make_bios_writable_intel copies the BIOS from high-memory flash to shadow memory, shadow memory is disabled, so this code is forwarded to high-memory flash, including the code that reads pam0 before invoking __make_bios_writable_intel (statement marked red below). Why is this code not relocated to high-memory flash, while only the invocation of __make_bios_writable_intel needs to be relocated? If shadow RAM is present and readable, how does the CPU execute BIOS code at 0xf000:xxxx before copying it to shadow RAM?
This code only runs on QEMU and is very specific to the quirky way that QEMU implements the PAM registers. When emulation starts, QEMU places a read-only copy of the code at 0xe0000-0x100000. When SeaBIOS requests that 0xc0000-0x100000 be read/writable RAM by writing to the PAM registers in __make_bios_writable_intel(), QEMU converts the region to uninitialized memory. This is why __make_bios_writable_intel() needs to run from the copy of the code in the "flash" location at the end of the first 4Gig of RAM. The make_bios_writable_intel() code can run at 0xe0000-0x100000 because, prior to __make_bios_writable_intel(), QEMU places a read-only copy of the code there, and after __make_bios_writable_intel() SeaBIOS has restored the code by copying it back into that RAM.
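A small C model of the sequence described in the reply above, added here as an illustration; it is not code from SeaBIOS or QEMU. The 16-byte region size, the PAM_RW bit value and the 0xcc "uninitialized" pattern are constructed assumptions, and the point it shows is why a copy made through the low alias after the PAM write sees garbage while a copy made through the flash alias does not.

```c
/* Toy model of the QEMU PAM quirk described above (constructed; not QEMU or SeaBIOS code). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BIOS_SIZE 16     /* stand-in for the 0xf0000-0x100000 region */
#define PAM_RW    0x10   /* assumed encoding of the "RAM present" bit (the mail's "fourth bit" of pam0) */
#define UNINIT    0xcc   /* pattern standing in for uninitialized RAM */

struct machine {
    uint8_t flash[BIOS_SIZE]; /* read-only image at the "flash" alias below 4GiB */
    uint8_t ram[BIOS_SIZE];   /* shadow RAM behind 0xf0000 once PAM selects it */
    uint8_t pam0;
};

static void machine_reset(struct machine *m) {
    for (int i = 0; i < BIOS_SIZE; i++) m->flash[i] = (uint8_t)(0xA0 + i);
    memset(m->ram, UNINIT, sizeof m->ram);
    m->pam0 = 0;
}

/* CPU fetch from the low alias: until PAM selects RAM, QEMU serves the
   read-only copy of the image, so code at 0xf000:xxxx runs normally. */
static uint8_t read_low(const struct machine *m, int off) {
    return (m->pam0 & PAM_RW) ? m->ram[off] : m->flash[off];
}
/* Fetch from the flash alias at the top of 4GiB: always the image. */
static uint8_t read_high(const struct machine *m, int off) { return m->flash[off]; }

/* The quirk: selecting RAM exposes uninitialized memory instead of
   keeping the copy that was readable there a moment earlier. */
static void write_pam0(struct machine *m, uint8_t v) {
    if ((v & PAM_RW) && !(m->pam0 & PAM_RW)) memset(m->ram, UNINIT, sizeof m->ram);
    m->pam0 = v;
}

/* Enable RAM, then copy the BIOS into it from one of the two aliases.
   Returns true if the shadow now matches the image. */
static bool shadow_bios(struct machine *m, bool copy_from_high) {
    write_pam0(m, m->pam0 | PAM_RW);
    for (int i = 0; i < BIOS_SIZE; i++)
        m->ram[i] = copy_from_high ? read_high(m, i) : read_low(m, i);
    return memcmp(m->ram, m->flash, BIOS_SIZE) == 0;
}

int main(void) {
    struct machine a, b; machine_reset(&a); machine_reset(&b);
    printf("via flash alias ok=%d, via low alias ok=%d\n", shadow_bios(&a, true), shadow_bios(&b, false));
}
```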