xv6系统Bootloader启动分析

Bootloader启动分析

参考xv6的附录B
https://github.com/ranxian/xv6-chinese/blob/master/content/AppendixB.md

计算机启动后硬件的动作

一直很好奇计算器按下电源后发生了什么？基本上分为三步
BIOS引导-》bootloader加载内核到内存-》控制权交给内核
源码在此https://github.com/mit-pdos/xv6-public/blob/master/bootasm.S

bootloader简易的实现及其编译

这里我们先看下如何19行代码实现一个简易的bootloader

计算机通电启动后 BIOS会从引导设备读取512个字节，如果在这512个字节的末尾检测到一个双字节“magic number”（0x55AA），则将这512个字节的数据作为代码加载并运行。这512个字节的数据就叫做bootloader。
这里使用19行代码实现一个小的操作系统并输出“Hello world!”的bootlaoder。
参考： http://50linesofco.de/post/2018-02-28-writing-an-x86-hello-world-bootloader-with-assembly

.code16 #告诉操作系统要用16位
.global init #设置启动点

init:
  mov $msg, %si # loads the address of msg into si  #把msg放入寄存器
  mov $0xe, %ah # loads 0xe (function number for int 0x10) into ah  #
print_char:
  lodsb # loads the byte from the address in si into al and increments si
  cmp $0, %al # compares content in AL with zero
  je done # if al == 0, go to "done"
  int $0x10 # 使用中断将字符输出到屏幕
  jmp print_char # repeat with next byte
done:
  hlt # stop execution

msg: .asciz "Hello world!"

编译出的bootloader没有512字节

as -o boot.o boot.s
ld -o boot.bin --oformat binary -e init boot.o
ls -lh .
  3 boot.bin
784 boot.o
152 boot.s

使用0填充至510字节 并在末尾加上magic number 0xaa55

.fill 510-(.-init), 1, 0 # add zeroes to make it 510 bytes long
.word 0xaa55 # magic bytes that tell BIOS that this is bootable

as -o boot.o boot.s
ld -o boot.bin --oformat binary -e init boot.o
ls -lh .
 512 boot.bin
1.3k boot.o
 176 boot.s

使用qemu调起bootloader

sudo apt-get install qemu
qemu-system-x86_64 boot.bin

BIOS引导

CPU通电后的第一条指令位于内存F000:FFF0位置。此时CPU工作于实时模式，该模式会通过段寄存器CS与指令寄存器IP共同寻找指令所在的物理地址。计算方法是CS里的内容左移4位再加上IP里的内容，得到实际物理地址，这里BIOS第一条指令的物理地址是0xffff0。这条指令是：

ljmp   $0xf000,$0xe05b

　　跳转到物理地址0xfe05b位置，执行后续的指令。这个也比较好理解，因为0xffff0比较接近0xfffff这个物理内存地址的最顶端，这么少的内存空间做不了什么事，这时候就转移一下代码的所在位置。然后，BIOS会进行一系列的硬件初始化工作。当这些工作都完成了，计算机的硬件都处在一个基础的就绪状态，就可以进行操作系统的引导了。xv6作为一个精简的unix操作系统，其boot loader在可启动磁盘上的第一个扇区，即第一个512字节的区域。BIOS会把这段代码拷贝到物理地址0x7c00到0x7dff的内存空间中。这段代码就叫做boot loader，主要用于引导操作系统内核。

boot loader

　　BIOS设置cs寄存器为0x0，ip寄存器为0x7c00，开始执行boot loader程序。该程序可分为两部分，第一部分是汇编语言编写,一部分是c语言编写：
　 基本流程如下：

   CPU初始化操作
　　打开A20Gate
　　GDT的设置
　　**实模式切换为32位的保护模式（内存管理，进程管理，硬件管理）现在主流计算都用的是分段式管理
　　初始化栈寄存器
　　跳转到boot/main.c

#include <inc/mmu.h>

# Start the CPU: switch to 32-bit protected mode, jump into C.
# The BIOS loads this code from the first sector of the hard disk into
# memory at physical address 0x7c00 and starts executing in real mode
# with %cs=0 %ip=7c00.

.set PROT_MODE_CSEG, 0x8         # kernel code segment selector
.set PROT_MODE_DSEG, 0x10        # kernel data segment selector
.set CR0_PE_ON,      0x1         # protected mode enable flag

.globl start
start:
  .code16                     # Assemble for 16-bit mode
  cli                         # Disable interrupts
  cld                         # String operations increment

  # Set up the important data segment registers (DS, ES, SS).
  xorw    %ax,%ax             # Segment number zero
  movw    %ax,%ds             # -> Data Segment
  movw    %ax,%es             # -> Extra Segment
  movw    %ax,%ss             # -> Stack Segment

  # Enable A20:
  #   For backwards compatibility with the earliest PCs, physical
  #   address line 20 is tied low, so that addresses higher than
  #   1MB wrap around to zero by default.  This code undoes this.
seta20.1:
  inb     $0x64,%al   #从端口取一个字节的数据            # Wait for not busy
  testb   $0x2,%al
  jnz     seta20.1   #不为0则跳转

  movb    $0xd1,%al               # 0xd1 -> port 0x64
  outb    %al,$0x64
#　向0x64写入命令0xd1，该命令用于指示即将向键盘控制器的输出端口写一个字节的数据。
seta20.2:
  inb     $0x64,%al               # Wait for not busy
  testb   $0x2,%al
  jnz     seta20.2

  movb    $0xdf,%al               # 0xdf -> port 0x60
  outb    %al,$0x60
#　再检查0x64，判断键盘控制器是否忙碌。等不忙碌后，就可以向0x60写入数据0xdf。该数据代表开A20。


  # Swit from real to protected mode, using a bootstrap GDT
  # and segment translation that makes virtual addresses ch
  # identical to their physical addresses, so that the 
  # effective memory map does not change during the switch.
  lgdt    gdtdesc
  movl    %cr0, %eax
  orl     $CR0_PE_ON, %eax
  movl    %eax, %cr0

  # Jump to next instruction, but in 32-bit code segment.
  # Switches processor into 32-bit mode.
  ljmp    $PROT_MODE_CSEG, $protcseg

  .code32                     # Assemble for 32-bit mode
protcseg:
  # Set up the protected-mode data segment registers
  movw    $PROT_MODE_DSEG, %ax    # Our data segment selector
  movw    %ax, %ds                # -> DS: Data Segment
  movw    %ax, %es                # -> ES: Extra Segment
  movw    %ax, %fs                # -> FS
  movw    %ax, %gs                # -> GS
  movw    %ax, %ss                # -> SS: Stack Segment

  # Set up the stack pointer and call into C.
  movl    $start, %esp
  call bootmain

  # If bootmain returns (it shouldn't), loop.
spin:
  jmp spin  
#GDT全局描述符表 操作部分
# Bootstrap GDT
.p2align 2                                # force 4 byte alignment
gdt:
  SEG_NULL              # null seg
  SEG(STA_X|STA_R, 0x0, 0xffffffff) # code seg
  SEG(STA_W, 0x0, 0xffffffff) # data seg

gdtdesc:
  .word   0x17                            # sizeof(gdt) - 1
  .long   gdt                             # address gdt

把kernel加载到内存

这部分boot/main.c代码的主要作用是加载内核文件（elf）到内存中。

加载ELF头部与程序头表
　　kernel是一个ELF格式的可执行文件，它遵守标准的ELF格式。我们暂时关心的就是ELF头部与程序头表，通过把它们从磁盘里加载到内存中，就可以让内核正式接管计算机了！

　　kernel文件的ELF头部从启动磁盘的第二个扇区开始。前面已经说到，第一个扇区512字节就是boot loader。ELF头部与程序头表大小是4KB。
　　
　　内存管理单元（英语：memory management unit，缩写为MMU）

#include <inc/x86.h>
#include <inc/elf.h>

/**********************************************************************
 * This a dirt simple boot loader, whose sole job is to boot
 * an ELF kernel image from the first IDE hard disk.
 *
 * DISK LAYOUT
 *  * This program(boot.S and main.c) is the bootloader.  It should
 *    be stored in the first sector of the disk.
 *
 *  * The 2nd sector onward holds the kernel image.
 *
 *  * The kernel image must be in ELF format.
 *
 * BOOT UP STEPS
 *  * when the CPU boots it loads the BIOS into memory and executes it
 *
 *  * the BIOS intializes devices, sets of the interrupt routines, and
 *    reads the first sector of the boot device(e.g., hard-drive)
 *    into memory and jumps to it.
 *
 *  * Assuming this boot loader is stored in the first sector of the
 *    hard-drive, this code takes over...
 *
 *  * control starts in boot.S -- which sets up protected mode,
 *    and a stack so C code then run, then calls bootmain()
 *
 *  * bootmain() in this file takes over, reads in the kernel and jumps to it.
 **********************************************************************/

#define SECTSIZE    512
#define ELFHDR      ((struct Elf *) 0x10000) // scratch space

void readsect(void*, uint32_t);
void readseg(uint32_t, uint32_t, uint32_t);

void
bootmain(void)
{
    struct Proghdr *ph, *eph;

    // read 1st page off disk
    readseg((uint32_t) ELFHDR, SECTSIZE*8, 0);

    // is this a valid ELF?
    if (ELFHDR->e_magic != ELF_MAGIC)
        goto bad;
    //Program Header Table。这个表格存放着程序中所有段的信息。通过这个表我们才能找到要执行的代码段，数据段等等。所以我们要先获得这个表。
    // load each program segment (ignores ph flags)
    ph = (struct Proghdr *) ((uint8_t *) ELFHDR + ELFHDR->e_phoff);//程序头表
    eph = ph + ELFHDR->e_phnum;//e_phnum 程序头表的表项的数目
    for (; ph < eph; ph++)
        // p_pa is the load address of this segment (as well
        // as the physical address)
        readseg(ph->p_pa, ph->p_memsz, ph->p_offset);

    // call the entry point from the ELF header
    // note: does not return!
    ((void (*)(void)) (ELFHDR->e_entry))();//系统转移控制权到的虚拟地址，从而开始进程。

bad:
    outw(0x8A00, 0x8A00);
    outw(0x8A00, 0x8E00);
    while (1)
        /* do nothing */;
}

// Read 'count' bytes at 'offset' from kernel into physical address 'pa'.
// Might copy more than asked
void
readseg(uint32_t pa, uint32_t count, uint32_t offset)
{
    uint32_t end_pa;

    end_pa = pa + count;

    // round down to sector boundary
    pa &= ~(SECTSIZE - 1);

    // translate from bytes to sectors, and kernel starts at sector 1
    offset = (offset / SECTSIZE) + 1;

    // If this is too slow, we could read lots of sectors at a time.
    // We'd write more to memory than asked, but it doesn't matter --
    // we load in increasing order.
    while (pa < end_pa) {
        // Since we haven't enabled paging yet and we're using
        // an identity segment mapping (see boot.S), we can
        // use physical addresses directly.  This won't be the
        // case once JOS enables the MMU.
        readsect((uint8_t*) pa, offset);
        pa += SECTSIZE;
        offset++;
    }
}

void
waitdisk(void)
{
    // wait for disk reaady
    while ((inb(0x1F7) & 0xC0) != 0x40)
        /* do nothing */;
}

void
readsect(void *dst, uint32_t offset)
{
    // wait for disk to be ready
    waitdisk();

    outb(0x1F2, 1);     // count = 1
    outb(0x1F3, offset);
    outb(0x1F4, offset >> 8);
    outb(0x1F5, offset >> 16);
    outb(0x1F6, (offset >> 24) | 0xE0);
    outb(0x1F7, 0x20);  // cmd 0x20 - read sectors

    // wait for disk to be ready
    waitdisk();

    // read a sector
    insl(0x1F0, dst, SECTSIZE/4);
}

先给出IDE的IO接口对应的寄存器参数：
1F2 - 扇区计数。这里面存放你要操作的扇区数量
1F3 - 扇区LBA地址的0-7位
1F4 - 扇区LBA地址的8-15位
1F5 - 扇区LBA地址的16-23位
1F6 (低4位) - 扇区LBA地址的24-27位
1F6 (第4位) - 0表示选择主盘，1表示选择从盘
1F6 (5-7位) - 必须为1
1F7 (写) - 命令寄存器
1F7 (读) - 状态寄存器
bit 7 = 1 控制器忙
bit 6 = 1 驱动器就绪
bit 5 = 1 设备错误
bit 4 N/A
bit 3 = 1 扇区缓冲区错误
bit 2 = 1 磁盘已被读校验
bit 1 N/A
bit 0 = 1 上一次命令执行失败


打印寄存器 这里就可以看到xv6使用的寄存器和当前对应的值
(gdb) info reg
eax 0x112800 1124352
ecx 0x0 0
edx 0x9d 157
ebx 0x10094 65684
esp 0x7bec 0x7bec
ebp 0x7bf8 0x7bf8
esi 0x10094 65684
edi 0x0 0
eip 0x10000c 0x10000c
eflags 0x46 [ PF ZF ]
cs 0x8 8
ss 0x10 16
ds 0x10 16
es 0x10 16
fs 0x10 16
gs 0x10 16


参考：
http://blog.csdn.net/qq_25426415/article/details/54583835

elf格式:https://mudongliang.github.io/2015/10/31/linuxelf.html