Video mode initialization and transition to protected mode
In the previous part, we have seen first pieces of C code that run in the Linux kernel. One of the main goal of this stage is to switch into the protected mode, but before this, we have seen some early setup code which executes early initialization procedures, such as:
Setup of console to be able to print messages from the kernel's setup code
Validation of CPU
Detection of available memory
Initialization of keyboard
In this part we will continue to explore the next steps before we will see the transition into the protected mode.
Video mode setup
Previously, we stopped right at the point where the kernel setup code was about to initialize the video mode.
The setup code is located in the arch/x86/boot/video.c and implemented by the set_video function. Now let's take a look at the implementation of the set_video function:
void set_video(void)
{
u16 mode = boot_params.hdr.vid_mode;
RESET_HEAP();
store_mode_params();
save_screen();
probe_cards(0);
for (;;) {
if (mode == ASK_VGA)
mode = mode_menu();
if (!set_mode(mode))
break;
printf("Undefined video mode number: %x\n", mode);
mode = ASK_VGA;
}
boot_params.hdr.vid_mode = mode;
vesa_store_edid();
store_mode_params();
if (do_restore)
restore_screen();
}Let's try to understand what this function does in the next sections.
Video modes
The implementation of the set_video function starts by getting the video mode from the boot_params.hdr structure:
[!NOTE] Instead of old good standard C data types like
int,short,unsigned short, Linux kernel provides own data types for numeric values. Here is the table that will help you to remember them:
Size
1
2
4
8
1
2
4
8
The initial value of the video mode can be filled by the bootloader. This header field defined in the Linux kernel boot protocol:
Information about potential values for this field can be also found in the Linux kernel boot protocol document:
This tells us that we can add the vga option to the GRUB (or another bootloader's) configuration file and it will pass this option to the kernel command line. This option can have different values as mentioned in the description above. For example, it can be an integer number 0xFFFD or ask. If you pass ask to vga, you will see a menu with the possible video modes. We can test it using QEMU virtual machine:
If you did everything correctly, after the kernel is loaded it will ask you to press the ENTER. By pressing on it you should see something like this:
Early heap API
Before proceeding further to investigate what the set_video function does, it will be useful to take a look at the API for the management of the kernel's early heap.
After getting the video mode set by the bootloader, we can see resetting the heap value by the RESET_HEAP macro. The definition of this macro is in the arch/x86/boot/boot.h:
If you have read the part, you should remember that we have seen initialization of the heap memory area.The kernel setup code provides a couple of utility macros and functions for managing the early heap. Let's take a look at some of them, especially at ones which we will meet in this chapter.
The RESET_HEAP macro resets the heap by setting the HEAP variable to the _end which represents the end of the early setup kernel's text (or code) section. By doing this we just set the heap pointer to the very beginning of the heap.
The next useful macro is:
The goal of this macro is to allocate memory on the early heap. This macro calls the __get_heap function from the same header file with the following three parameters:
The size of the datatype to be allocated for
Specifies how variables of this type are to be aligned
How many items specified by the first parameter to allocate
The implementation of __get_heap is:
Let's try to understand how the __get_heap function works. First of all we can see here that HEAP pointer is assigned to the aligned address of the memory. The address is aligned based on the size of data type for which we want to allocate memory. After we have got the initial aligned address, we just move the HEAP pointer by the requested size.
The last but not least API of the early heap that we will see is the heap_free function which checks the availability of the given size of memory on the heap:
As you may see, the implementation of this function is pretty trivial. It just subtracts the current value of the heap pointer from the address which represents the end of heap memory area. The function returns true if there is enough memory for n or false otherwise.
Return to the setup of the video mode
Since the heap pointer is in the right place, we can move directly to video mode initialization. The next step after this is the call to store_mode_params function which stores currently available video mode parameters in the boot_params.screen_info. This structure defined in the include/uapi/linux/screen_info.h header file and provides basic information about the screen and video mode. Such as current position of the cursor, the BIOS video mode number that was set when the kernel was loaded, the number of text rows and columns and so on. The store_mode_params function asks the BIOS services about this information and stores it in this structure for later usage.
The next step is save the current contents of the screen to the heap by calling the save_screen function. This function collects all the data which we got in the previous functions (like the rows and columns, and stuff) and stores it in the saved_screen structure, which is defined as:
After the contents of the screen is saved, the next step is to collect currently available video modes in the system. This job is done by the probe_cards function defined in the arch/x86/boot/video-mode.c. It goes over all video_cards and collects the information about them:
The video_cards is an array defined as:
The __videocard macro allows to define structures which describe video cards and the linker will put them into the video_cards array. Example of such structure can be found in the arch/x86/boot/video-vga.c:
After the probe_cards function executes we have a bunch of structures in our video_cards array and the known number of video modes they provide. At the next step the kernel setup code will print menu with available video modes if the vid_mode=ask option was passed to the kernel command line and set up the video mode having all the parameters that we have gathered at the previous steps. The video mode is set by the set_mode function is defined in video-mode.c. This function expects one parameter - the video mode identifier. This identifier is set by the bootloader or set based on the choice of the video modes menu. The set_mode function goes over all available video cards defined in the video_cards array and if the given mode belongs to the given card, the card->set_mode() callback is called to setup the video mode.
Let's take a look at the example of setting up VGA video mode:
The vga_set_mode function is responsible for configuring the VGA display to a specific text mode, based on the settings which we collected in the previous steps. The vga_set_basic_mode function resets the VGA hardware into a standard text mode. The next statement sets up the video mode based on the video mode that was selected. Most of these functions have very similar implementation based on the 0x10 BIOS interrupt.
After this step, the video mode is configured and we save all the information about it again for later use. Having done this, the video mode setup is complete and now we can take a look at the last preparation before we will see the switch into the protected mode.
Last preparation before transition into protected mode
Returning to the main function of the early kernel setup code, we finally can see:
As the comment says: Do the last things and invoke protected mode, so let's see what these last things are and switch into protected mode.
The go_to_protected_mode function is defined in arch/x86/boot/pm.c. It contains some routines which make the last preparations before we can jump into protected mode, so let's look at it and try to understand what it does and how it works.
The very first function that we may see in the go_to_protected_mode is the realmode_switch_hook function. This function invokes the real mode switch hook if it is present or disables NMI otherwise. The hooks are used if the bootloader runs in a hostile environment. You can read more about hooks in the boot protocol (see ADVANCED BOOT LOADER HOOKS). Interrupts must be disabled before switching to protected mode because otherwise the CPU could receive an interrupt when there is no valid interrupt table or handlers. Once the kernel will set up the protected-mode interrupt infrastructure, interrupts will be disabled again.
We will consider only more-less standard use case, when the bootloader does not provide any hooks. So we just disable non-maskable interrupts:
At the first line, there is an inline assembly statement with the cli instruction which clears the interrupt flag. After this, external interrupts are disabled. The next line disables NMI (non-maskable interrupt). An interrupt is a signal to the CPU which is emitted by hardware or software. After getting such a signal, the CPU suspends the current instruction sequence, saves its state and transfers control to the interrupt handler. After the interrupt handler has finished its work, it transfers control back to the interrupted instruction. Non-maskable interrupts (NMI) are interrupts which are always processed, independently of permission. They cannot be ignored and are typically used to signal for non-recoverable hardware errors. We will not dive into the details of interrupts now but we will be discussing them in the next posts.
Let's get back to the code. We can see in the second line that we are writing the byte 0x0 to the port 0x80. After that, a call to the io_delay function occurs. io_delay causes a small delay and looks like:
To output any byte to the port 0x80 should delay exactly 1 microsecond. This delay is needed to be sure that the change of the NMI mask has fully taken effect. After this delay, the realmode_switch_hook function has finished execution and we can be sure that all interrupts are disabled.
The next step is the enable_a20 function, which enables the A20 line. Enabling of this line allows kernel to have access above 1 MB.
The enable_a20 function is defined in arch/x86/boot/a20.c and tries to enable the A20 gate using the different approaches. The first is the a20_test_short function which checks if A20 is already enabled or not using the a20_test function:
To verify whether the A20 line is already enabled or not, the kernel performs a simple memory test. It begins by setting the FS register to 0x0000 and the GS register to 0xffff values. By doing this, an access to FS:0x200 (A20_TEST_ADDR) points into the very beginning of memory, while an access to GS:0x2010 refers to a location just past the one-megabyte boundary. If the A20 line is disabled, the latter will wrap around and point to the same physical address.
If the A20 gate is disabled, the kernel will try to enable it using different methods which you can find in enable_a20 function. For example, it can be done with a call to the 0x15 BIOS interrupt with AH register set to 0x2041. If this function finished with a failure, print an error message and call the function die which will stop the process of the kernel setup.
After the A20 gate is successfully enabled, the reset_coprocessor function is called:
This function resets the math coprocessor to be sure it is in a clean state by writing 0 to 0xF0 and then resets it by writing 0 to 0xF1.
The next step is the mask_all_interrupts function:
This function masks or in other words forbids all interrupts on the primary and secondary PICs. This is needed for safeness, we forbid all the interrupts from the PIC so nothing can interrupt the CPU while the kernel is doing transition into protected mode.
All the operations before this point, were executed for safe transition to the protected mode. The next operations will prepare the transition to the protected mode. Let's take a look at them.
Entering Protected Mode
At this point, we are very close to see the switching into protected mode of the Linux kernel.
Only two steps remain:
Setting up the Interrupt Descriptor Table
Setting up the Global Descriptor Table
And that’s all! Once these two structures will be configured, the Linux kernel can make the jump into protected mode.
Set up the Interrupt Descriptor Table
Before the CPU can safely enter protected mode, it needs to know where to find the handlers that will be triggered in a case of interrupts and exceptions. In real mode, the CPU relies on the Interrupt Vector Table. In the protected mode this mechanism changes to the Interrupt Descriptor Table.
This is a special structure located in memory which contains descriptors that describes where CPU can find handlers for interrupts and exceptions. The full description of Interrupt Description Table and its entries we will see later, because for now we anyway disabled all the interrupts at the previous steps. Let's take a look at the function which setups zero filled Interrupt Descriptor Table:
As we may see, it just load the IDT which is filled with zero using the lidtl instruction. The null_idt has type gdt_ptr which is structure defined in the same source code file:
This structure provides information about the pointer to the Interrupt Descriptor Table.
Set up Global Descriptor Table
The next is the setup of the Global Descriptor Table. As you may remember, the memory access is based on segment:offset addressing in real mode. The protected mode introduces the different model based on the Global Descriptor Table. If you forgot the details about the Global Description Table structure, you can find more information in the previous chapter. Instead of fixed segment bases and limits, the CPU now looks for memory regions defined by descriptors located in the Global Descriptor Table. The goal of kernel is to setup these descriptors.
All the job will be done by the setup_gdt function which is defined in the same source code file. Let's take a look at the definition of this function:
The initial memory descriptors specified by the items of the boot_gdt array. The setup_gdt function just loads the pointer to the Global Descriptor Table filled with these items using the lgdtl instruction. Let's take a closer look at the memory descriptors definition.
Initially, the 3 memory descriptors specified:
Code segment
Memory segment
Task state segment
We will skip the description of the task state segment for now as it was added there to make Intel VT happy. The other two segments belongs to the memory for kernel code and data sections. Both memory descriptors defined using the GDT_ENTRY macro. This macro defined in the arch/x86/include/asm/segment.h and expects to get three arguments:
flagsbaselimit
Let's take a look at the definition of the code memory segment:
The base address of this memory segment is defined as 0 and limit as 0xFFFFF or 1 Megabyte. The DESC_CODE32 describes the flags of this segment. If we take a look at the flags, we will see that granularity (bit G) of this segment is set to 4 KB units. This means that the segment covers addresses 0x00000000–0xFFFFFFFF - entire 4 GB linear address space. The same base address and limit will be defined for the data segment. It is done this way because Linux kernel using so-called flat memory model.
Besides the granularity bit, the DESC_CODE32 specifies other flags. Among them you can find, the this a 32-bit segment which is readable, executable and present in memory. The privilege level is set to the highest value as kernel needs.
Looking at the documentation of the Global Descriptor Table and its entries you can check all the initial segments by yourself. It is not so hard.
Transition into protected mode
We are standing right before it. Interrupts are disabled, the Interrupt Descriptor Table and Global Descriptor Table are initialized. Finally, the kernel can execute jump into protected mode. But despite good news, we need to return to assembly again 😅
The transition to the protected mode we can find in the arch/x86/boot/pmjump.S. Let's take a look at it:
First of all, we preserve the address of boot_params structure in the esi register. After this, we compute the real-mode segment base of the current code and add it to the value pointed to by the 2f label which is the entry point to the protected mode. This is needed because as you remember at the previous step, the code memory segment starts from 0, so the jump instruction must contain absolute linear address of the entry point.
At the next steps we save the segment addresses of the data and task state in general purpose registers cx and di and set the PE bit in the control cr0 register. From this point, the protected mode is turned on, and we need just to jump into it, to set proper value of the code segment:
The kernel is in protected mode now 🥳🥳🥳
Let's look at the first steps taken in the protected mode. First of all we set up the data segment with the data segment address that we preserved in the cx register at the previous step:
Since we are in the protected mode, our segment bases point to zero. Because of this, the stack pointer will point somewhere below the code, so we need to adjust it, at least for debugging purposes:
The last step before the jump into actual 32-bit entry point is to clear the general purpose registers:
Now everything is ready. The kernel is in the protected mode and we can jump to the next code, address of which was passed in the eax register:
Conclusion
This is the end of the third part about Linux kernel insides. If you have questions or suggestions, feel free ping me on X - 0xAX, drop me an email, or just create an issue.
Links
Here is the list of the links that you may find useful during reading of this chapter:
Last updated
Was this helpful?