/** @file | |
Install a fake VGABIOS service handler (real mode Int10h) for the buggy | |
Windows 2008 R2 SP1 UEFI guest. | |
The handler is never meant to be directly executed by a VCPU; it's there for | |
the internal real mode emulator of Windows 2008 R2 SP1. | |
The code is based on Ralf Brown's Interrupt List: | |
<http://www.cs.cmu.edu/~ralf/files.html> | |
<http://www.ctyme.com/rbrown.htm> | |
Copyright (C) 2014, Red Hat, Inc. | |
Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.<BR> | |
SPDX-License-Identifier: BSD-2-Clause-Patent | |
**/ | |
#include <IndustryStandard/LegacyVgaBios.h> | |
#include <Library/DebugLib.h> | |
#include <Library/PciLib.h> | |
#include <Library/PrintLib.h> | |
#include <OvmfPlatforms.h> | |
#include "Qemu.h" | |
#include "VbeShim.h" | |
#pragma pack (1) | |
typedef struct { | |
UINT16 Offset; | |
UINT16 Segment; | |
} IVT_ENTRY; | |
#pragma pack () | |
// | |
// This string is displayed by Windows 2008 R2 SP1 in the Screen Resolution, | |
// Advanced Settings dialog. It should be short. | |
// | |
STATIC CONST CHAR8 mProductRevision[] = "OVMF Int10h (fake)"; | |
/** | |
Install the VBE Info and VBE Mode Info structures, and the VBE service | |
handler routine in the C segment. Point the real-mode Int10h interrupt vector | |
to the handler. The only advertised mode is 1024x768x32. | |
@param[in] CardName Name of the video card to be exposed in the | |
Product Name field of the VBE Info structure. The | |
parameter must originate from a | |
QEMU_VIDEO_CARD.Name field. | |
@param[in] FrameBufferBase Guest-physical base address of the video card's | |
frame buffer. | |
**/ | |
VOID | |
InstallVbeShim ( | |
IN CONST CHAR16 *CardName, | |
IN EFI_PHYSICAL_ADDRESS FrameBufferBase | |
) | |
{ | |
EFI_PHYSICAL_ADDRESS Segment0, SegmentC, SegmentF; | |
UINTN Segment0Pages; | |
IVT_ENTRY *Int0x10; | |
EFI_STATUS Segment0AllocationStatus; | |
UINT16 HostBridgeDevId; | |
UINTN Pam1Address; | |
UINT8 Pam1; | |
UINTN SegmentCPages; | |
VBE_INFO *VbeInfoFull; | |
VBE_INFO_BASE *VbeInfo; | |
UINT8 *Ptr; | |
UINTN Printed; | |
VBE_MODE_INFO *VbeModeInfo; | |
if ((PcdGet8 (PcdNullPointerDetectionPropertyMask) & (BIT0|BIT7)) == BIT0) { | |
DEBUG (( | |
DEBUG_WARN, | |
"%a: page 0 protected, not installing VBE shim\n", | |
__func__ | |
)); | |
DEBUG (( | |
DEBUG_WARN, | |
"%a: page 0 protection prevents Windows 7 from booting anyway\n", | |
__func__ | |
)); | |
return; | |
} | |
Segment0 = 0x00000; | |
SegmentC = 0xC0000; | |
SegmentF = 0xF0000; | |
// | |
// Attempt to cover the real mode IVT with an allocation. This is a UEFI | |
// driver, hence the arch protocols have been installed previously. Among | |
// those, the CPU arch protocol has configured the IDT, so we can overwrite | |
// the IVT used in real mode. | |
// | |
// The allocation request may fail, eg. if LegacyBiosDxe has already run. | |
// | |
Segment0Pages = 1; | |
Int0x10 = (IVT_ENTRY *)(UINTN)(Segment0 + 0x10 * sizeof (IVT_ENTRY)); | |
Segment0AllocationStatus = gBS->AllocatePages ( | |
AllocateAddress, | |
EfiBootServicesCode, | |
Segment0Pages, | |
&Segment0 | |
); | |
if (EFI_ERROR (Segment0AllocationStatus)) { | |
EFI_PHYSICAL_ADDRESS Handler; | |
// | |
// Check if a video BIOS handler has been installed previously -- we | |
// shouldn't override a real video BIOS with our shim, nor our own shim if | |
// it's already present. | |
// | |
Handler = (Int0x10->Segment << 4) + Int0x10->Offset; | |
if ((Handler >= SegmentC) && (Handler < SegmentF)) { | |
DEBUG (( | |
DEBUG_INFO, | |
"%a: Video BIOS handler found at %04x:%04x\n", | |
__func__, | |
Int0x10->Segment, | |
Int0x10->Offset | |
)); | |
return; | |
} | |
// | |
// Otherwise we'll overwrite the Int10h vector, even though we may not own | |
// the page at zero. | |
// | |
DEBUG (( | |
DEBUG_INFO, | |
"%a: failed to allocate page at zero: %r\n", | |
__func__, | |
Segment0AllocationStatus | |
)); | |
} else { | |
// | |
// We managed to allocate the page at zero. SVN r14218 guarantees that it | |
// is NUL-filled. | |
// | |
ASSERT (Int0x10->Segment == 0x0000); | |
ASSERT (Int0x10->Offset == 0x0000); | |
} | |
// | |
// Put the shim in place first. | |
// | |
// Start by determining the address of the PAM1 register. | |
// | |
HostBridgeDevId = PcdGet16 (PcdOvmfHostBridgePciDevId); | |
switch (HostBridgeDevId) { | |
case INTEL_82441_DEVICE_ID: | |
Pam1Address = PMC_REGISTER_PIIX4 (PIIX4_PAM1); | |
break; | |
case INTEL_Q35_MCH_DEVICE_ID: | |
Pam1Address = DRAMC_REGISTER_Q35 (MCH_PAM1); | |
break; | |
case MICROVM_PSEUDO_DEVICE_ID: | |
return; | |
default: | |
DEBUG (( | |
DEBUG_ERROR, | |
"%a: unknown host bridge device ID: 0x%04x\n", | |
__func__, | |
HostBridgeDevId | |
)); | |
ASSERT (FALSE); | |
if (!EFI_ERROR (Segment0AllocationStatus)) { | |
gBS->FreePages (Segment0, Segment0Pages); | |
} | |
return; | |
} | |
// | |
// low nibble covers 0xC0000 to 0xC3FFF | |
// high nibble covers 0xC4000 to 0xC7FFF | |
// bit1 in each nibble is Write Enable | |
// bit0 in each nibble is Read Enable | |
// | |
Pam1 = PciRead8 (Pam1Address); | |
PciWrite8 (Pam1Address, Pam1 | (BIT1 | BIT0)); | |
// | |
// We never added memory space during PEI or DXE for the C segment, so we | |
// don't need to (and can't) allocate from there. Also, guest operating | |
// systems will see a hole in the UEFI memory map there. | |
// | |
SegmentCPages = 4; | |
ASSERT (sizeof mVbeShim <= EFI_PAGES_TO_SIZE (SegmentCPages)); | |
CopyMem ((VOID *)(UINTN)SegmentC, mVbeShim, sizeof mVbeShim); | |
// | |
// Fill in the VBE INFO structure. | |
// | |
VbeInfoFull = (VBE_INFO *)(UINTN)SegmentC; | |
VbeInfo = &VbeInfoFull->Base; | |
Ptr = VbeInfoFull->Buffer; | |
CopyMem (VbeInfo->Signature, "VESA", 4); | |
VbeInfo->VesaVersion = 0x0300; | |
VbeInfo->OemNameAddress = (UINT32)SegmentC << 12 | (UINT16)(UINTN)Ptr; | |
CopyMem (Ptr, "QEMU", 5); | |
Ptr += 5; | |
VbeInfo->Capabilities = BIT0; // DAC can be switched into 8-bit mode | |
VbeInfo->ModeListAddress = (UINT32)SegmentC << 12 | (UINT16)(UINTN)Ptr; | |
*(UINT16 *)Ptr = 0x00f1; // mode number | |
Ptr += 2; | |
*(UINT16 *)Ptr = 0xFFFF; // mode list terminator | |
Ptr += 2; | |
VbeInfo->VideoMem64K = (UINT16)((1024 * 768 * 4 + 65535) / 65536); | |
VbeInfo->OemSoftwareVersion = 0x0000; | |
VbeInfo->VendorNameAddress = (UINT32)SegmentC << 12 | (UINT16)(UINTN)Ptr; | |
CopyMem (Ptr, "OVMF", 5); | |
Ptr += 5; | |
VbeInfo->ProductNameAddress = (UINT32)SegmentC << 12 | (UINT16)(UINTN)Ptr; | |
Printed = AsciiSPrint ( | |
(CHAR8 *)Ptr, | |
sizeof VbeInfoFull->Buffer - (Ptr - VbeInfoFull->Buffer), | |
"%s", | |
CardName | |
); | |
Ptr += Printed + 1; | |
VbeInfo->ProductRevAddress = (UINT32)SegmentC << 12 | (UINT16)(UINTN)Ptr; | |
CopyMem (Ptr, mProductRevision, sizeof mProductRevision); | |
Ptr += sizeof mProductRevision; | |
ASSERT (sizeof VbeInfoFull->Buffer >= Ptr - VbeInfoFull->Buffer); | |
ZeroMem (Ptr, sizeof VbeInfoFull->Buffer - (Ptr - VbeInfoFull->Buffer)); | |
// | |
// Fil in the VBE MODE INFO structure. | |
// | |
VbeModeInfo = (VBE_MODE_INFO *)(VbeInfoFull + 1); | |
// | |
// bit0: mode supported by present hardware configuration | |
// bit1: optional information available (must be =1 for VBE v1.2+) | |
// bit3: set if color, clear if monochrome | |
// bit4: set if graphics mode, clear if text mode | |
// bit5: mode is not VGA-compatible | |
// bit7: linear framebuffer mode supported | |
// | |
VbeModeInfo->ModeAttr = BIT7 | BIT5 | BIT4 | BIT3 | BIT1 | BIT0; | |
// | |
// bit0: exists | |
// bit1: bit1: readable | |
// bit2: writeable | |
// | |
VbeModeInfo->WindowAAttr = BIT2 | BIT1 | BIT0; | |
VbeModeInfo->WindowBAttr = 0x00; | |
VbeModeInfo->WindowGranularityKB = 0x0040; | |
VbeModeInfo->WindowSizeKB = 0x0040; | |
VbeModeInfo->WindowAStartSegment = 0xA000; | |
VbeModeInfo->WindowBStartSegment = 0x0000; | |
VbeModeInfo->WindowPositioningAddress = 0x0000; | |
VbeModeInfo->BytesPerScanLine = 1024 * 4; | |
VbeModeInfo->Width = 1024; | |
VbeModeInfo->Height = 768; | |
VbeModeInfo->CharCellWidth = 8; | |
VbeModeInfo->CharCellHeight = 16; | |
VbeModeInfo->NumPlanes = 1; | |
VbeModeInfo->BitsPerPixel = 32; | |
VbeModeInfo->NumBanks = 1; | |
VbeModeInfo->MemoryModel = 6; // direct color | |
VbeModeInfo->BankSizeKB = 0; | |
VbeModeInfo->NumImagePagesLessOne = 0; | |
VbeModeInfo->Vbe3 = 0x01; | |
VbeModeInfo->RedMaskSize = 8; | |
VbeModeInfo->RedMaskPos = 16; | |
VbeModeInfo->GreenMaskSize = 8; | |
VbeModeInfo->GreenMaskPos = 8; | |
VbeModeInfo->BlueMaskSize = 8; | |
VbeModeInfo->BlueMaskPos = 0; | |
VbeModeInfo->ReservedMaskSize = 8; | |
VbeModeInfo->ReservedMaskPos = 24; | |
// | |
// bit1: Bytes in reserved field may be used by application | |
// | |
VbeModeInfo->DirectColorModeInfo = BIT1; | |
VbeModeInfo->LfbAddress = (UINT32)FrameBufferBase; | |
VbeModeInfo->OffScreenAddress = 0; | |
VbeModeInfo->OffScreenSizeKB = 0; | |
VbeModeInfo->BytesPerScanLineLinear = 1024 * 4; | |
VbeModeInfo->NumImagesLessOneBanked = 0; | |
VbeModeInfo->NumImagesLessOneLinear = 0; | |
VbeModeInfo->RedMaskSizeLinear = 8; | |
VbeModeInfo->RedMaskPosLinear = 16; | |
VbeModeInfo->GreenMaskSizeLinear = 8; | |
VbeModeInfo->GreenMaskPosLinear = 8; | |
VbeModeInfo->BlueMaskSizeLinear = 8; | |
VbeModeInfo->BlueMaskPosLinear = 0; | |
VbeModeInfo->ReservedMaskSizeLinear = 8; | |
VbeModeInfo->ReservedMaskPosLinear = 24; | |
VbeModeInfo->MaxPixelClockHz = 0; | |
ZeroMem (VbeModeInfo->Reserved, sizeof VbeModeInfo->Reserved); | |
// | |
// Clear Write Enable (bit1), keep Read Enable (bit0) set | |
// | |
PciWrite8 (Pam1Address, (Pam1 & ~BIT1) | BIT0); | |
// | |
// Second, point the Int10h vector at the shim. | |
// | |
Int0x10->Segment = (UINT16)((UINT32)SegmentC >> 4); | |
Int0x10->Offset = (UINT16)((UINTN)(VbeModeInfo + 1) - SegmentC); | |
DEBUG ((DEBUG_INFO, "%a: VBE shim installed\n", __func__)); | |
} |