[SeaBIOS] How CPU executes bios code before copying bios to shadow ram?
kevin at koconnor.net
Tue Jul 26 15:42:02 CEST 2016
On Tue, Jul 26, 2016 at 03:02:02PM +0800, Li Wang wrote:
> Hi all,
> I am reading the SeaBIOS code, and I have a question about the shadow memory
> copy part. In fw/shadow.c, make_bios_writable_intel() reads pam0 to see if
> shadow memory is already readable (if pam0's fourth bit is set); if pam0
> shows that shadow memory is not readable, it runs __make_bios_writable_intel from
> the high-memory flash location (statements marked green below).
> But in my understanding the entry point of the BIOS is 0xffff:fff0, which then
> jumps to 0xf000:e05b, which points to memory space in the shadow region, but before
> __make_bios_writable_intel copies the BIOS from high-memory flash to shadow
> memory, shadow memory is disabled, so this code is forwarded to
> high-memory flash, including the code that reads pam0 before invoking
> __make_bios_writable_intel (statement marked red below). Why is this code
> not relocated to high-memory flash, while only the invocation of
> __make_bios_writable_intel needs to be relocated?
> If shadow RAM is present and readable, how does the CPU execute BIOS code at
> 0xf000:xxxx before copying it to shadow RAM?
This code only runs on QEMU and is very specific to the quirky way
that QEMU implements the pam registers. When emulation starts, QEMU
places a read-only copy of the code in 0xe0000-0x100000. When SeaBIOS
requests that 0xc0000-0x100000 be read/writable ram by writing to the
pam registers in __make_bios_writable_intel(), then QEMU converts the
region to uninitialized memory. This is why
__make_bios_writable_intel() needs to run from the copy of the code in
the "flash" location at the end of the first 4Gig of ram. The
make_bios_writable_intel() code can run in 0xe0000-0x100000 because
prior to __make_bios_writable_intel() QEMU places a read-only copy of
the code there and after __make_bios_writable_intel() SeaBIOS has
restored the code by copying the code back to that ram.
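To make the sequence above concrete, here is an added toy model (not SeaBIOS or QEMU code) of the PAM quirk: a low alias that returns the read-only ROM copy until the PAM registers are written and then becomes plain RAM, a high "flash" alias that is always readable, and a copy-back routine run from either alias. The region size, fill bytes and the PAM_ENABLE_RW value are constructed stand-ins, not the real register encoding.

```c
/* Added illustration, not code from SeaBIOS or QEMU. */
#include <stdint.h>
#include <string.h>

#define REGION_SIZE 16        /* stands in for 0xe0000-0x100000 */
#define PAM_ENABLE_RW 0x30    /* constructed stand-in for the PAM bits */

struct machine {
    uint8_t flash[REGION_SIZE];   /* ROM image at the top of the first 4G */
    uint8_t shadow[REGION_SIZE];  /* RAM that backs the low alias */
    int pam_rw;                   /* 0: low alias still shows the ROM copy */
};

void machine_init(struct machine *m) {
    memset(m->flash, 0x90, REGION_SIZE);   /* constructed BIOS bytes */
    memset(m->shadow, 0xff, REGION_SIZE);  /* "uninitialized" RAM contents */
    m->pam_rw = 0;
}

/* Low-alias fetch: before the PAM write QEMU serves the read-only ROM
 * copy; after it, the region is ordinary (uninitialized) RAM. */
uint8_t read_low(const struct machine *m, int off) {
    return m->pam_rw ? m->shadow[off] : m->flash[off];
}

/* High-alias fetch: the flash copy below 4G is always readable. */
uint8_t read_high(const struct machine *m, int off) {
    return m->flash[off];
}

void pam_write(struct machine *m, int value) {
    m->pam_rw = (value == PAM_ENABLE_RW);
}

/* Model of __make_bios_writable_intel(): write the PAM registers, then
 * copy the BIOS back into the now-writable RAM. Returns 1 if the shadow
 * RAM ends up holding the BIOS image, 0 if it holds garbage. Running from
 * the low alias fails because that alias turns into uninitialized RAM the
 * moment the PAM registers are written, before the copy-back completes. */
int make_writable_from(struct machine *m, int run_from_high) {
    pam_write(m, PAM_ENABLE_RW);
    for (int off = 0; off < REGION_SIZE; off++) {
        uint8_t byte = run_from_high ? read_high(m, off) : read_low(m, off);
        m->shadow[off] = byte;
    }
    return memcmp(m->shadow, m->flash, REGION_SIZE) == 0;
}
```

Once make_writable_from() has succeeded from the high alias, read_low() returns the restored BIOS bytes, which is why make_bios_writable_intel() itself can stay in the low region.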