x86 and xv6 CS 450: Operating Systems Michael Saelee - - PowerPoint PPT Presentation

x86 and xv6

CS 450: Operating Systems Michael Saelee <saelee@iit.edu>

To work on an OS kernel, we must be intimately familiar with the underlying ISA, hardware, and system conventions

• x86 ISA
• PC architecture
• Unix, GCC, ELF, etc.

§ x86 ISA

• Intel IA-32 Software Developer’s Manuals (linked on course

website) are comprehensive references

• Volume 1: Architectural Overview (e.g., regs, addressing)
• Volume 2: Instruction Set Reference
• Volume 3: Systems Programming Guide (e.g., mechanisms

that let operating system control/configure hardware)

• (Majority of diagrams in slides are from these manuals)

x86 Family of ISAs

• Started with Intel’s 8086 16-bit CPU in 1978
• Followed by 80186, 80286, 80386, 80486 (then Pentium …)
• 80386 introduced 32-bit addressing (“IA-32” architecture)
• CISC-style ISA
• Large instruction set, complex addressing modes

Backwards Compatibility

• “x86” implies backwards compatibility all the way to 8086
• All x86 CPUs boot into 16-bit “real address mode” (aka “real

mode”)

• Supported CPUs can switch into 32-bit “Protected Mode”
• i.e., we need to understand real mode to write an OS!

Instruction Set Overview

• Arithmetic: add, sub, and, etc.
• Moving data: mov, push, pop, etc.
• Control flow: jmp, call, ret, etc.
• I/O: in, out
• Privileged: int, iret, hlt, etc.

Instruction formats:

• 0 operands, e.g., ret
• 1 operand, e.g., pushl %ebp
• 2 operands — OP SRC, DST — e.g., movl $0xa, %eax
• Operands may be immediate values (constants), registers,

memory addresses

NB: we’ll be using AT&T syntax for x86 assembly

• output by GCC/GAS
• Constants are prefixed with $, Register names with %
• Instruction suffixes (b=8-bit, w=16-bit, l=32-bit, etc.) used

to indicate operand sizes

• not the same as official Intel syntax! (output by NASM)

• Figure 3-5. Alternate General-Purpose Register Names

7 15 31 16 8 AH AL BH BL CH CL DH DL BP SI DI SP 16-bit AX DX CX BX 32-bit EAX EBX ECX EDX EBP ESI ESP General-Purpose Registers EDI

• EAX — Accumulator for operands and results data
• EBX — Pointer to data in the DS segment
• ECX — Counter for string and loop operations
• EDX — I/O pointer
• ESI — Pointer to data in the segment pointed to by the DS register; source pointer for string operations
• EDI — Pointer to data (or destination) in the segment pointed to by the ES register; destination pointer for

string operations

• ESP — Stack pointer (in the SS segment)
• EBP — Pointer to data on the stack (in the SS segment)

As shown in Figure 3-5, the lower 16 bits of the general-purpose registers map directly to the register set found in

EFLAGS register used for conditional operations E.g., if last operation resulted in zero/nonzero/neg/etc.

movl $0, %eax .L0: addl $1, %eax cmpl $10, %eax # 10-eax jne .L0 # jump if ZF≠0 for (i=0; i<10; i++);

Figure 3-8. EFLAGS Register

31 29 30 28 27 26 25 24 23 22 21 20 19 18 17 16 R F I D A C V M

X Virtual-8086 Mode (VM) X Resume Flag (RF) X Nested Task (NT) X I/O Privilege Level (IOPL) S Overflow Flag (OF) C Direction Flag (DF) X Interrupt Enable Flag (IF) X Alignment Check / Access Control (AC) X ID Flag (ID) X Virtual Interrupt Pending (VIP)

15 13 14 12 11 10 9 8 7 6 5 4 3 2 1 C F A F P F 1 D F I F T F S F Z F N T V I P V I F O F I O P L

X Virtual Interrupt Flag (VIF) X Trap Flag (TF) S Sign Flag (SF) S Zero Flag (ZF) S Auxiliary Carry Flag (AF) S Parity Flag (PF) S Carry Flag (CF) S Indicates a Status Flag C Indicates a Control Flag X Indicates a System Flag Reserved bit positions. DO NOT USE. Always set to values previously read.

(only bottom 16-bits in real mode)

IP (16-bit) / EIP (32-bit) is instruction pointer register (PC elsewhere)

• always points to next instruction; automatically incremented
• change explicitly with jump, call, ret, etc.

Addressing modes:

• Direct: movl 0x401000, %eax

≈ eax = *(uint32_t *)(0x401000)

• Indirect: movl (%ebx), %eax

≈ eax = *(uint32_t *)ebx

Addressing modes (continued):

• Base-Displacement: movl 8(%ebx), %eax

≈ eax = *(uint32_t *)(ebx + 8)

• Indexed & Scaled: movl (%ebx, %ecx, 4), %eax

≈ eax = *(uint32_t *)(ebx + ecx*4)

16-bit addressing modes: 32-bit addressing modes: (Courtesy WikiMedia Commons)

Real mode addressing

• 8086 has 16-bit registers, but 20-bit physical addresses
• Use one of four 16-bit segment registers: CS, DS, SS, ES
• Shift left by 4 bits (i.e., ×16) to obtain a segment base address
• Add to virtual address to obtain physical address

Real mode addressing

• Code and Stack accesses using IP

, SP , and BP automatically use CS (code segment) and SS (stack segment) values

• e.g., if IP=0x4000 and CS=0x1100, CS:IP refers to

absolute address 0x1100×16 + 0x4000 = 0x15000

• Can be confusing and unwieldy (especially if data straddles

segments)

Protected mode addressing

• Full 32-bit addresses stored in registers
• Segment registers (expanded to CS, DS, SS, ES, FS, GS, and

still all 16-bit) no longer hold base addresses, but selectors

• Selectors are used to load segment descriptors from a descriptor

table which describe location/size/status/etc. of segments

Figure 3-5. Logical Address to Linear Address Translation

Offset (Effective Address) Base Address Descriptor Table Segment Descriptor 31(63)

• Seg. Selector

15 Logical Address

+

Linear Address 31(63)

15 3 2 1

T I Index

Table Indicator 0 = GDT 1 = LDT Requested Privilege Level (RPL)

RPL

Segmentation

• Recall: segmentation allows virtual addresses to be translated

using segment base addresses

• Segment descriptors also allow for access control (e.g.,

restricted access to certain segments)

• Mapping from segmented to linear address can be simple/

flat or arbitrarily complex!

Figure 3-2. Flat Model

Linear Address Space (or Physical Memory) Data and FFFFFFFFH Segment Limit Access Base Address Registers CS SS DS ES FS GS Code Code- and Data-Segment Descriptors Stack Not Present

Figure 3-3. Protected Flat Model

Linear Address Space (or Physical Memory) Data and FFFFFFFFH Segment Limit Access Base Address Registers CS ES SS DS FS GS Code Segment Descriptors Limit Access Base Address Memory I/O Stack Not Present

Figure 3-4. Multi-Segment Model

Linear Address Space (or Physical Memory) Segment Registers CS Segment Descriptors Limit Access Base Address SS Limit Access Base Address DS Limit Access Base Address ES Limit Access Base Address FS Limit Access Base Address GS Limit Access Base Address Limit Access Base Address Limit Access Base Address Limit Access Base Address Limit Access Base Address Stack Code Data Data Data Data

Segment Descriptor Tables

• Kernel is responsible for maintaining descriptor tables on a

system wide (via Global Descriptor Table) or task-specific (via Local Descriptor Table) basis

• Part of growing list of kernel data structures!

Figure 3-6. Segment Selector

Offset (Effective Address) Base Address Descriptor Table Segment Descriptor 31(63)

• Seg. Selector

15 Logical Address

+

Linear Address 31(63)

T I Index

Table Indicator 0 = GDT 1 = LDT Requested Privilege Level (RPL)

RPL

Figure 3-10. Global and Local Descriptor Tables

Segment Selector Global Descriptor

T

First Descriptor in GDT is Not Used TI = 0

I

56 40 48 32 24 16 8 TI = 1 56 40 48 32 24 16 8 Table (GDT) Local Descriptor Table (LDT) Base Address Limit GDTR Register LDTR Register Base Address

• Seg. Sel.

Limit

Figure 3-8. Segment Descriptor

31 24 23 22 21 20 19 16 15 13 14 12 11 8 7 P

Base 31:24

G D P L

Type

S L

4

31 16 15

Base Address 15:00 Segment Limit 15:00 Base 23:16

D / B A V L

Seg. Limit 19:16

G — Granularity LIMIT — Segment Limit P — Segment present S — Descriptor type (0 = system; 1 = code or data) TYPE — Segment type DPL — Descriptor privilege level AVL — Available for use by system software BASE — Segment base address D/B — Default operation size (0 = 16-bit segment; 1 = 32-bit segment) L — 64-bit code segment (IA-32e mode only)

CS and CPL

• Bottom 2 bits of CS indicate the CPL (current privilege level)
• Recall: 0 = highest, 3 = lowest — used to guard access to

privileged/restricted instructions and memory

• CS segment selector cannot be manipulated directly (why?)
• Loaded from descriptor DPL (when switching segments)

xv6 and Segmentation

• xv6 mostly uses a flat model, so segmentation setup is simple
• But segmentation descriptors are very similar to those used in

interrupt descriptor tables (IDTs)

• Used for carrying out interrupts and enforcing privilege

level (CPL) policies — coming later

Paging

• Recall: paging allows for more granular mapping of linear

address spaces onto physical memory

• Fixed sized pages mapped from linear to physical address space
• We will use support for 2-level paging for 32-bit addresses:
• 1K page directory entries → 1K page tables (each)
• 4KB pages

Figure 4-2. Linear-Address Translation to a 4-KByte Page using 32-Bit Paging

Directory Table Offset Page Directory PDE with PS=0 CR3 Page Table PTE 4-KByte Page Physical Address 31 21 11 12 22 Linear Address 32 10 12 10 20 20 Directory Offset Page Directory PDE with PS=1 CR3 4-MByte Page Physical Address 31 21 22 Linear Address 10 22 32 18

Segmentation & Paging

• Segmentation is set up to provide a (mostly) flat model in xv6
• Paging is used to do heavy lifting of virtual → physical

memory mapping

• xv6 sets up paging structures on a per-process basis

Figure 3-1. Segmentation and Paging

Global Descriptor Table (GDT) Linear Address Space Segment Segment Descriptor Offset Logical Address Segment Base Address Page

• Phy. Addr.
• Lin. Addr.

Segment Selector Dir Table Offset Linear Address Page Table Page Directory Entry Physical Space Entry (or Far Pointer) Paging Segmentation Address Page

31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1

Address of page directory1 Ignored P C D P W T Ignored CR3 Bits 31:22 of address

• f 4MB page frame

Reserved (must be 0) Bits 39:32 of address2 P A T Ignored G 1 D A P C D P W T U / S R / W 1 PDE: 4MB page Address of page table Ignored I g n A P C D P W T U / S R / W 1 PDE: page table Ignored PDE: not present Address of 4KB page frame Ignored G P A T D A P C D P W T U / S R / W 1 PTE: 4KB page Ignored PTE: not present

Figure 4-4. Formats of CR3 and Paging-Structure Entries with 32-Bit Paging

Control & System Registers

• Transitioning between real & protected mode, activating

paging, switching descriptor tables, etc., are all governed by control & system register settings

• Modifying these settings is restricted by CPL

• Figure 2-7. Control Registers

CR1

W P A M

Page-Directory Base

V M E P S E T S D D E P V I P G E M C E P A E P C E N W P G C D P W T P C D

Page-Fault Linear Address

P E E M M P T S N E E T

CR2 CR0 CR4 Reserved CR3 Reserved

31 29 30 28 19 18 17 16 15 6 5 4 3 2 1 31(63) 31(63) 31(63) 12 11 5 4 3 2 31(63) 9 8 7 6 5 4 3 2 1

(PDBR)

13 12 11 10

OSFXSR OSXMMEXCPT

V M X E E X M S 14 18

OSXSAVE PCIDE

17 S M E P 20

FSGSBASE

16 15 S M A P 22 21 P K E U M I P

• Figure 2-3. Transitions Among the Processor’s Operating Modes

Real-Address Protected Mode

Virtual-8086 Mode

System Management Mode

PE=1 Reset or VM=1 VM=0 PE=0 Reset

• r

RSM SMI# RSM SMI# RSM SMI# Reset Mode

IA-32e Mode

RSM SMI# LME=1, CR0.PG=1* See** * See Section 9.8.5 ** See Section 9.8.5.4

• Figure 2-7. Control Registers

CR1

Page-Directory Base

Page-Fault Linear Address

CR2 CR0 CR4 Reserved CR3 Reserved

(PDBR)

OSFXSR OSXMMEXCPT

OSXSAVE PCIDE

FSGSBASE

.code16 # Assemble for 16-bit mode .globl start start: cli # BIOS enabled interrupts; disable # Zero data segment registers DS, ES, and SS. xorw %ax,%ax # Set %ax to zero movw %ax,%ds # -> Data Segment

. . .

lgdt gdtdesc movl %cr0, %eax

• rl $CR0_PE, %eax

movl %eax, %cr0 # Complete transition to 32-bit protected mode by using long jmp # to reload %cs and %eip. The segment descriptors are set up with no # translation, so that the mapping is still the identity mapping. ljmp $(SEG_KCODE<<3), $start32 .code32 # Tell assembler to generate 32-bit code now. start32: # Set up the protected-mode data segment registers movw $(SEG_KDATA<<3), %ax # Our data segment selector movw %ax, %ds # -> DS: Data Segment

. . .

# Set up the stack pointer and call into C. movl $start, %esp call bootmain

xv6 bootstrap assembly

I/O

• Two basic models for accessing I/O devices:
• Separate I/O port address space from data address space
• Memory-mapped I/O

I/O Ports

• Separated, limited address space
• Special, privileged instructions (in/out) to explicitly read

from /write to I/O ports

• e.g., in $0x60, %al # get last typed


# character (PS/2 kbd)

Memory-mapped I/O

• I/O controllers responsible for mapping ranges of physical

addresses to I/O devices

• Look like regular memory accesses
• No special instructions!
• Accessing these special addresses read/write I/O devices

I/O Protocols

• Two basic protocols for interacting with I/O devices:
• Polling, aka Programmed I/O (PIO)
• Interrupt-driven I/O

Polling / Programmed I/O

• Software-driven, e.g.,

L0: inb STATUS_PORT, %al andb %al, BUSY_FLAG # check if busy (e.g., still writing) jne L0 movb (%esi,%ebx), %al # load data byte incb %ebx # increment index

• utb DATA_PORT, %al # write data byte to data port
• utb CONTROL_PORT, $0x01 # let device know to inspect data
• utb CONTROL_PORT, 0

jmp L0

Polling / Programmed I/O

• CPU must periodically probe hardware for status
• to check if device is ready to be written to
• to check if data is available to be read
• to check for exceptional conditions

Interrupt-driven I/O

• Device is responsible for notifying CPU of event
• CPU might still initial request, but doesn’t need to poll
• Notification happens via hardware interrupt mechanism
• Invokes interrupt handler (kernel routine)

Pros/Cons of Polled vs. Interrupt-driven I/O?

• no additional hardware

requirements

• “easy” to program
• if CPU is idle, increase

utilization

• places burden on CPU —

problematic if heavy load

• possibly unresponsive
• even if no I/O is needed!

Pros/Cons of Polling

• good for CPU utilization
• outsource responsibility
• if no I/O needed, no

CPU activity at all!

• requires hardware support

(limited interrupts)

• if frequent I/O, requires

lots of context switches!

• concurrency issues?

Pros/Cons of Interrupt-driven

Interrupts & Exceptions

• NB: terminology differs a bit from what we used in CS 351!
• Encompass all events that request special CPU attention,

typically by transferring control from the active task to a special interrupt/exception handler

Interrupts

• Hardware-sourced events requesting CPU attention
• Typically unrelated to executing instruction
• Can also be generated by software with int N instruction

Exceptions

• Errors/Events arising due to the currently executing instruction
• Classes:
• Faults
• Traps
• Aborts

Exception classes (review!)

• Faults: can be corrected — after handler, return to state prior

to faulting instruction (e.g., page fault)

• Traps: reported immediately after execution of instruction

(e.g., debugging breakpoint, system call), regular return

• Abort: severe errors; cannot return to task

“Tasks”

• Must be some sort of context to be “interrupted”
• TSS segment is used to define the currently executing task
• General purpose registers
• Control registers (including EFLAGS, EIP

, LDTR, etc.)

• Stack pointers for different privilege levels

• Figure 7-1. Structure of a Task

Code Segment Stack Segment (Current Priv. Data Segment Stack Seg.

• Priv. Level 0

Stack Seg.

• Priv. Level 1

Stack Segment (Priv. Level 2) Task-State Segment (TSS) Task Register CR3 Level)

• Figure 7-2. 32-Bit Task-State Segment (TSS)

31 100 96 92 88 84 80 76 I/O Map Base Address 15 LDT Segment Selector GS FS DS SS CS 72 68 64 60 56 52 48 44 40 36 32 28 24 20 SS2 16 12 8 4 SS1 SS0 ESP0 Previous Task Link ESP1 ESP2 CR3 (PDBR) T ES EDI ESI EBP ESP EBX EDX ECX EAX EFLAGS EIP Reserved bits. Set to 0. Reserved Reserved Reserved Reserved Reserved Reserved Reserved Reserved Reserved Reserved Reserved Reserved

Handling Interrupts/Exceptions

• Interrupt Descriptor Table (IDT) contains “gate” descriptors

associating service routines with interrupt/exception numbers

• 255 total indices (aka vector numbers):
• 0-31: architecture-defined
• 32-255: user-defined; can be assigned to I/O devices

• Figure 6-1. Relationship of the IDTR and IDT

IDT Limit IDT Base Address

+

Interrupt Descriptor Table (IDT)

Gate for

IDTR Register

Interrupt #n Gate for Interrupt #3 Gate for Interrupt #2 Gate for Interrupt #1 15 16 47 31 8 16 (n−1)∗8

• Figure 6-3. Interrupt Procedure Call

IDT Interrupt or Code Segment Segment Selector GDT or LDT Segment Interrupt Vector Base Address Destination Procedure Interrupt

+

Descriptor Trap Gate Offset

Interrupt/Exception Vectors

• Table 6-1. Protected-Mode Exceptions and Interrupts

Vector Mne- monic Description Type Error Code Source #DE Divide Error Fault No DIV and IDIV instructions. 1 #DB Debug Exception Fault/ Trap No Instruction, data, and I/O breakpoints; single-step; and others. 2 — NMI Interrupt Interrupt No Nonmaskable external interrupt. 3 #BP Breakpoint Trap No INT3 instruction. 4 #OF Overflow Trap No INTO instruction. 5 #BR BOUND Range Exceeded Fault No BOUND instruction. 6 #UD Invalid Opcode (Undefined Opcode) Fault No UD instruction or reserved opcode. 7 #NM Device Not Available (No Math Coprocessor) Fault No Floating-point or WAIT/FWAIT instruction. 8 #DF Double Fault Abort Yes (zero) Any instruction that can generate an exception, an NMI, or an INTR. 9 Coprocessor Segment Overrun (reserved) Fault No Floating-point instruction.1 10 #TS Invalid TSS Fault Yes Task switch or TSS access. 11 #NP Segment Not Present Fault Yes Loading segment registers or accessing system segments. 12 #SS Stack-Segment Fault Fault Yes Stack operations and SS register loads. 13 #GP General Protection Fault Yes Any memory reference and other protection checks. 14 #PF Page Fault Fault Yes Any memory reference. 15 — (Intel reserved. Do not use.) No 16 #MF x87 FPU Floating-Point Error (Math Fault) Fault No x87 FPU floating-point or WAIT/FWAIT instruction. 17 #AC Alignment Check Fault Yes (Zero) Any data reference in memory.2 18 #MC Machine Check Abort No Error codes (if any) and source are model dependent.3 19 #XM SIMD Floating-Point Exception Fault No SSE/SSE2/SSE3 floating-point instructions4 20 #VE Virtualization Exception Fault No EPT violations5 21-31 — Intel reserved. Do not use. 32-255 — User Defined (Non-reserved) Interrupts Interrupt External interrupt or INT n instruction. NOTES:

Table 6-1. Protected-Mode Exceptions and Interrupts (Contd.)

Gate Descriptors

• Interrupts are associated with Interrupt Gates
• Exceptions are associated with Trap Gates

Figure 6-2. IDT Gate Descriptors

31 16 15 13 14 12 8 7 P

Offset 31..16

D P L

4

31 16 15

Segment Selector Offset 15..0

1 1 D

Interrupt Gate DPL Offset P Selector Descriptor Privilege Level Offset to procedure entry point Segment Present flag Segment Selector for destination code segment

31 16 15 13 14 12 8 7 P D P L

4

31 16 15

TSS Segment Selector

1 1

Task Gate

4 5

0 0 0

31 16 15 13 14 12 8 7 P

Offset 31..16

D P L

4

31 16 15

Segment Selector Offset 15..0

1 1 1 D

Trap Gate

4 5

0 0 0

Reserved Size of gate: 1 = 32 bits; 0 = 16 bits D

Privilege level checks

• Hardware ensures that interrupts cannot transfer control

from more-privileged to less-privileged code

• i.e., enforce CPL ≥ destination segment DPL
• For interrupts generated with int instruction, gate DPL is

checked to restrict interrupts

• i.e., enforce CPL ≤ gate DPL

Masking Interrupts

• Most external interrupts can be masked (i.e., ignored), by

setting the IF (interrupt flag) in EFLAGS register

• cli/sti instructions: clear/set interrupt flag
• IF is automatically cleared when an interrupt (but not a trap)

gate is taken

• How is this useful?

Interrupt Procedure

When the processor performs a call to the exception- or interrupt-handler procedure:

• If the handler procedure is going to be executed at a numerically lower privilege level, a stack switch occurs.

When the stack switch occurs: a. The segment selector and stack pointer for the stack to be used by the handler are obtained from the TSS for the currently executing task. On this new stack, the processor pushes the stack segment selector and stack pointer of the interrupted procedure. b. The processor then saves the current state of the EFLAGS, CS, and EIP registers on the new stack (see Figures 6-4). c. If an exception causes an error code to be saved, it is pushed on the new stack after the EIP value.

• If the handler procedure is going to be executed at the same privilege level as the interrupted procedure:

a. The processor saves the current state of the EFLAGS, CS, and EIP registers on the current stack (see Figures 6-4). b. If an exception causes an error code to be saved, it is pushed on the current stack after the EIP value.

IDT Interrupt or Code Segment Segment Selector GDT or LDT Segment Interrupt Vector Base Address Destination Procedure Interrupt

+

Descriptor Trap Gate Offset

• Figure 6-4. Stack Usage on Transfers to Interrupt and Exception-Handling Routines

CS Error Code EFLAGS CS EIP ESP After Transfer to Handler Error Code ESP Before Transfer to Handler EFLAGS EIP SS ESP Stack Usage with No Privilege-Level Change Stack Usage with Privilege-Level Change Interrupted Procedure’s Interrupted Procedure’s and Handler’s Stack Handler’s Stack ESP After Transfer to Handler Transfer to Handler ESP Before Stack

Returning from interrupt

• Need to restore previous stack/register states, and potentially

return to previous privileged level (switch stacks)

• iret instruction automatically restores state using values

saved on stack (including EIP , CS, EFLAGS) by interrupt procedure

Figure 2-1. IA-32 System-Level Registers and Data Structures

Local Descriptor Table (LDT) EFLAGS Register Control Registers CR1 CR2 CR3 CR4 CR0 Global Descriptor Table (GDT) Interrupt Descriptor Table (IDT) IDTR GDTR Interrupt Gate Trap Gate LDT Desc. TSS Desc. Code Stack Code Stack Code Stack Task-State Segment (TSS) Code Data Stack Task Interrupt Handler Exception Handler Protected Procedure TSS Seg. Sel. Call-Gate Segment Selector Dir Table Offset Linear Address Page Directory

• Pg. Dir. Entry

Linear Address Space Linear Addr.

• Seg. Desc.

Segment Sel. Code, Data or Stack Segment Interrupt Vector TSS Desc.

• Seg. Desc.

Task Gate Current TSS Call Gate Task-State Segment (TSS) Code Data Stack Task

• Seg. Desc.

Current TSS Current TSS Segment Selector Linear Address Task Register CR3* Page Table

• Pg. Tbl. Entry

Page Physical Addr. LDTR This page mapping example is for 4-KByte pages and the normal 32-bit physical address size. Register

*Physical Address

Physical Address XCR0 (XFEM)

§ PC Architecture

What else?

• Memory + memory layout
• Persistent store (disk)
• Text/graphics display
• Keyboard/Mouse + other I/O devices and controllers
• BIOS, Clock

Protected mode memory- mapped devices Unused Extended memory BIOS ROM Real-mode devices VGA display Low memory

0x00000000 0xFFFFFFFF (4GB) 0x000A0000 (640KB) 0x000C0000 (768KB) 0x000F0000 (960KB) 0x00100000 (1MB) Physical RAM limit

Physical memory map

Startup & BIOS

• On startup, transfer control to address FFFF:0000 (real mode)
• BIOS executes power on self test, initializes video card, disk

controller, and sets up basic interrupt routines for simple I/O

• If boot drive is found, load boot sector (512 bytes, tagged with

ending 0x55AA marker) from drive at address 0000:7C00

Bootloader Responsibilities

• Set up minimal execution environment (stack, protected mode)
• Scans disk for kernel image (may load second-stage bootloader

to navigate partitions, file system, executable formats, etc.)

• Load kernel image at predetermined location in memory
• Transfer control to kernel

On Bootloaders

• Bootloaders can get very complicated!
• E.g., multistage boot loaders like Linux Loader (LILO) and

Grand Unified Bootloader (GRUB) understand file systems and executable file formats

• Also have scripting support and built-in shells

§ QEMU

Full System Emulator

• Emulates the behavior of a real x86 PC in software
• Simulates physical memory map and I/O devices
• Supports up to 255 CPUs (speed dependent on host machine)
• Simple to debug, and won’t break your actual OS!
• Can connect to GDB to “step” through instructions

The QEMU PC System emulator simulates the following peripherals:

• i440FX host PCI bridge and PIIX3 PCI to ISA bridge
• Cirrus CLGD 5446 PCI VGA card or dummy VGA card with Bochs VESA extensions (hardware

level, including all non standard modes).

• PS/2 mouse and keyboard
• 2 PCI IDE interfaces with hard disk and CD-ROM support
• Floppy disk
• PCI and ISA network adapters
• Serial ports
• IPMI BMC, either and internal or external one
• Creative SoundBlaster 16 sound card
• ENSONIQ AudioPCI ES1370 sound card
• Intel 82801AA AC97 Audio compatible sound card
• Intel HD Audio Controller and HDA codec
• Adlib (OPL2) - Yamaha YM3812 compatible chip
• Gravis Ultrasound GF1 sound card
• CS4231A compatible sound card
• PCI UHCI, OHCI, EHCI or XHCI USB controller and a virtual USB-1.1 hub.

SMP is supported with up to 255 CPUs. QEMU uses the PC BIOS from the Seabios project and the Plex86/Bochs LGPL VGA BIOS.

§ Demo