[coreboot] Disassembly of coreboot binaries

Chauhan, Himanshu hschauhan at nulltrace.org
Sun Dec 18 16:37:11 CET 2016 

Hi Aaron,

I figured out the crash. It wan't because wrong load of the ROM image
(thanks to the nifty post_code which I could trap on IO). I see that
the page fault I am getting is in following code:
(gdb) list *(((0xfff81e41 - 0xfff80000)-200)+0x2000000)
0x2001d79 is in imd_recover (src/lib/imd.c:139).
134
135     static void imdr_init(struct imdr *ir, void *upper_limit)
136     {
137             uintptr_t limit = (uintptr_t)upper_limit;
138             /* Upper limit is aligned down to 4KiB */
139             ir->limit = ALIGN_DOWN(limit, LIMIT_ALIGN);
140             ir->r = NULL;
141     }
142
143     static int imdr_create_empty(struct imdr *imdr, size_t root_size,

I see that this function is being called multiple times (I added some
more post_code and see them being trapped). I get a series of page
faults which I am able to honour all but last.

(__handle_vm_exception:543) Guest fault: 0x7f7fffc (rIP: 00000000FFF81E41)
(__handle_vm_exception:543) Guest fault: 0x7f7effc (rIP: 00000000FFF81E41)
(__handle_vm_exception:543) Guest fault: 0x7f7dffc (rIP: 00000000FFF81E41)
(__handle_vm_exception:543) Guest fault: 0x7f7cffc (rIP: 00000000FFF81E41)
(__handle_vm_exception:543) Guest fault: 0x7f7bffc (rIP: 00000000FFF81E41)
(__handle_vm_exception:543) Guest fault: 0x7f7affc (rIP: 00000000FFF81E41)
(__handle_vm_exception:543) Guest fault: 0x7f79ffc (rIP: 00000000FFF81E41)
(__handle_vm_exception:543) Guest fault: 0x7f78ffc (rIP: 00000000FFF81E41)
(__handle_vm_exception:543) Guest fault: 0x7f77ffc (rIP: 00000000FFF81E41)
(__handle_vm_exception:543) Guest fault: 0x7f76ffc (rIP: 00000000FFF81E41)
<snip>

handle_guest_realmode_page_fault: offset: 0x3ffc fault: 0x1003ffc reg: 0x1000000
handle_guest_realmode_page_fault: offset: 0x2ffc fault: 0x1002ffc reg: 0x1000000
handle_guest_realmode_page_fault: offset: 0x1ffc fault: 0x1001ffc reg: 0x1000000
handle_guest_realmode_page_fault: offset: 0xffc fault: 0x1000ffc reg: 0x1000000

(__handle_vm_exception:561) ERROR: No region mapped to guest physical: 0xfffffc


I want to understand why imd_recover gets called multiple times
starting from top of memory (128MB is what I have assigned to the
guest) to 16MB last (after which I can't honour). There is something
amiss in my understanding of core boot memory map.

Could you please help?

Regards
Himanshu

On Wed, Dec 14, 2016 at 9:27 PM, Chauhan, Himanshu
<hschauhan at nulltrace.org> wrote:
> Hi Aaron,
>
> Yes, I am mapping the memory where coreboot.rom is loaded to upper 4GiB. I
> create a fixed shadow page table entry for reset vector.
>
> Coreboot doesn't have a linked address of RIP that I shared. I think with
> the increase in size of coreboot (from the previous tag I was using) the
> load address (guest physical) has changed. I used to calculate the load
> address manually. I will check this and get back.
>
> Thanks.
>
> On Wed, Dec 14, 2016 at 8:17 PM, Aaron Durbin <adurbin at google.com> wrote:
>>
>> On Wed, Dec 14, 2016 at 3:11 AM, Chauhan, Himanshu
>> <hschauhan at nulltrace.org> wrote:
>> > Hi,
>> >
>> > I am working on a hypvervisor and am using coreboot + FILO as guest
>> > BIOS.
>> > While things were fine a while back, it has stopped working. I see that
>> > my
>> > hypervisor can't handle address 0xFFFFFC while coreboot's RIP is at
>> > 0xfff81e41.
>>
>>
>> How are you loading up coreboot.rom in the VM? Are you just memory
>> mapping it at the top of 4GiB address space? If so, what does
>> 'cbfstool coreboot.rom print' show?
>>
>> >
>> > The exact register dump of guest is as follow:
>> >
>> > [guest0/uart0] (__handle_vm_exception:558) ERROR: No region mapped to
>> > guest
>> > physical: 0xfffffc
>> >
>> > GUEST guest0/vcpu0 dump state:
>> >
>> > RAX: 0x9fe80 RBX: 0xfffff8 RCX: 0x1b RDX: 0x53a11439
>> > R08: 0x0 R09: 0x0 R10: 0x0 R11: 0x0
>> > R12: 0x0 R13: 0x0 R14: 0x0 R15: 0x0
>> > RSP: 0x9fe54 RBP: 0xa0000 RDI: 0xfff801e4 RSI: 0x9fe80
>> > RIP: 0xfff81e41
>> >
>> > CR0: 0xe0000011 CR2: 0x0 CR3: 0xa23000 CR4: 0x0
>> > CS    : Sel: 0x00000008 Limit: 0xffffffff Base: 0x00000000 (G:  1 DB:  1
>> > L:
>> > 0 AVL:  0 P:  1 DPL:  0 S:  1 Type: 11)
>> > DS    : Sel: 0x00000010 Limit: 0xffffffff Base: 0x00000000 (G:  1 DB:  1
>> > L:
>> > 0 AVL:  0 P:  1 DPL:  0 S:  1 Type:  3)
>> > ES    : Sel: 0x00000010 Limit: 0xffffffff Base: 0x00000000 (G:  1 DB:  1
>> > L:
>> > 0 AVL:  0 P:  1 DPL:  0 S:  1 Type:  3)
>> > SS    : Sel: 0x00000010 Limit: 0xffffffff Base: 0x00000000 (G:  1 DB:  1
>> > L:
>> > 0 AVL:  0 P:  1 DPL:  0 S:  1 Type:  3)
>> > FS    : Sel: 0x00000010 Limit: 0xffffffff Base: 0x00000000 (G:  1 DB:  1
>> > L:
>> > 0 AVL:  0 P:  1 DPL:  0 S:  1 Type:  3)
>> > GS    : Sel: 0x00000010 Limit: 0xffffffff Base: 0x00000000 (G:  1 DB:  1
>> > L:
>> > 0 AVL:  0 P:  1 DPL:  0 S:  1 Type:  3)
>> > GDT   : Sel: 0x00000000 Limit: 0x0000001f Base: 0xfff80200 (G:  0 DB:  0
>> > L:
>> > 0 AVL:  0 P:  0 DPL:  0 S:  0 Type:  0)
>> > LDT   : Sel: 0x00000000 Limit: 0x0000ffff Base: 0x00000000 (G:  0 DB:  0
>> > L:
>> > 0 AVL:  0 P:  0 DPL:  0 S:  0 Type:  0)
>> > IDT   : Sel: 0x00000000 Limit: 0x00000000 Base: 0x00000000 (G:  0 DB:  0
>> > L:
>> > 0 AVL:  0 P:  0 DPL:  0 S:  0 Type:  0)
>> > TR    : Sel: 0x00000000 Limit: 0x0000ffff Base: 0x00000000 (G:  1 DB:  0
>> > L:
>> > 1 AVL:  1 P:  0 DPL:  0 S:  0 Type:  0)
>> > RFLAGS: 0xa    [ ]
>> >
>> > I want to know which binary file (.o) should I disassemble to look at
>> > the
>> > RIP?
>> >
>> > I was looking at
>> > objdump -D  -mi386 -Maddr16,data16 generated/ramstage.o
>> >
>> > but this is prior to linking and thus only has offsets.
>> >
>> > --
>> >
>> > Regards
>> > [Himanshu Chauhan]
>> >
>> >
>> > --
>> > coreboot mailing list: coreboot at coreboot.org
>> > https://www.coreboot.org/mailman/listinfo/coreboot
>
>
>
>
> --
>
> Regards
> [Himanshu Chauhan]
>



-- 

Regards
[Himanshu Chauhan]

More information about the coreboot mailing list