Wultra

#~ Translated copy from China ~#

FreeBSD startup page table setup process analysis

A few days ago, while reading the FreeBSD memory management code, I found that user space on i386 is not what I had originally imagined: there is a 4M gap between the end of user space and the start of kernel space. For this reason I opened a question at http://www.freebsdchina.org/forum/viewtopic.php?t=38102. After going through the NetBSD code, I found that NetBSD's pmap.h contains a comment describing the layout of the address space.

/*
 * see pte.h for a description of i386 MMU terminology and hardware
 * interface.
 *
 * a pmap describes a processes' 4GB virtual address space.  this
 * virtual address space can be broken up into 1024 4MB regions which
 * are described by PDEs in the PDP.  the PDEs are defined as follows:
 *
 * (ranges are inclusive -> exclusive, just like vm_map_entry start/end)
 * (the following assumes that KERNBASE is 0xc0000000)
 *
 * PDE#s        VA range                usage
 * 0->766       0x0 -> 0xbfc00000       user address space
 * 767          0xbfc00000->            recursive mapping of PDP (used for
 *              0xc0000000              linear mapping of PTPs)
 * 768->1023    0xc0000000->            kernel address space (constant
 *              0xffc00000              across all pmap's/processes)
 * 1023         0xffc00000->            "alternate" recursive PDP mapping
 *              <end>                   (for other pmaps)
 *
 *
 * note: a recursive PDP mapping provides a way to map all the PTEs for
 * a 4GB address space into a linear chunk of virtual memory.  in other
 * words, the PTE for page 0 is the first int mapped into the 4MB recursive
 * area.  the PTE for page 1 is the second int.  the very last int in the
 * 4MB range is the PTE that maps VA 0xfffff000 (the last page in a 4GB
 * address).
 *
 * all pmap's PD's must have the same values in slots 768->1023 so that
 * the kernel is always mapped in every process.  these values are loaded
 * into the PD at pmap creation time.
 *
 * at any one time only one pmap can be active on a processor.  this is
 * the pmap whose PDP is pointed to by processor register %cr3.  this pmap
 * will have all its PTEs mapped into memory at the recursive mapping
 * point (slot #767 as shown above).  when the pmap code wants to find the
 * PTE for a virtual address, all it has to do is the following:
 *
 * address of PTE = (767 * 4MB) + (VA / PAGE_SIZE) * sizeof(pt_entry_t)
 *                = 0xbfc00000 + (VA / 4096) * 4
 *
 * what happens if the pmap layer is asked to perform an operation
 * on a pmap that is not the one currently active?  in that
 * case we take the PA of the PDP of the non-active pmap and put it in
 * slot 1023 of the active pmap.  this causes the non-active pmap's
 * PTEs to get mapped in the final 4MB of the 4GB address space
 * (e.g. starting at 0xffc00000).
 *
 * the following figure shows the effects of the recursive PDP mapping:
 *
 *   PDP (%cr3)
 *   +----+
 *   |   0| -> PTP#0 that maps VA 0x0 -> 0x400000
 *   |    |
 *   |    |
 *   | 767| -> points back to PDP (%cr3) mapping VA 0xbfc00000 -> 0xc0000000
 *   | 768| -> first kernel PTP (maps 0xc0000000 -> 0xc0400000)
 *   |    |
 *   |1023| -> points to alternate pmap's PDP (maps 0xffc00000 -> end)
 *   +----+
 *
 * note that the PDE#767 VA (0xbfc00000) is defined as "PTE_BASE"
 * note that the PDE#1023 VA (0xffc00000) is defined as "APTE_BASE"
 *
 * starting at VA 0xbfc00000 the current active PDP (%cr3) acts as a
 * PTP:
 *
 * PTP#767 == PDP(%cr3) => maps VA 0xbfc00000 -> 0xc0000000
 *   +----+
 *   |   0| -> maps the contents of PTP#0 at VA 0xbfc00000->0xbfc01000
 *   |    |
 *   |    |
 *   | 767| -> maps contents of PTP#767 (the PDP) at VA 0xbfeff000
 *   | 768| -> maps contents of first kernel PTP
 *   |    |
 *   |1023|
 *   +----+
 *
 * note that the mapping of the PDP at VA 0xbfeff000 (PTP#767) is
 * defined as "PDP_BASE".... within that mapping there are two
 * defines:
 *   "PDP_PDE" (0xbfeffbfc) is the VA of the PDE in the PDP
 *      which points back to itself.
 *   "APDP_PDE" (0xbfeffffc) is the VA of the PDE in the PDP which
 *      establishes the recursive mapping of the alternate pmap.
 *      to set the alternate PDP, one just has to put the correct
 *      PA info in *APDP_PDE.
 *
 * note that in the APTE_BASE space, the APDP appears at VA
 * "APDP_BASE" (0xfffff000).
 */

From the above it appears that, within the 4G linear address space, user space runs from 0x00000000 -> 0xbfc00000, i.e. 3G-4M. The remaining 4M is actually used to hold the page tables themselves (the recursive mapping). Part of the code that sets this up lives in locore.S, and part in pmap.c.
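As an added illustration of the recursive-mapping arithmetic in the comment above (example code written for this page, not NetBSD's or FreeBSD's own), the C program below derives PTE_BASE, PDP_BASE, PDP_PDE, APDP_PDE and APDP_BASE from KERNBASE and the two slot numbers, and checks them against the values the comment quotes:

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Constants from the NetBSD pmap.h comment (i386, non-PAE, KERNBASE 0xc0000000). */
#define PAGE_SIZE   4096u
#define PDRSHIFT    22u                 /* one PDE covers 4MB */
#define KERNBASE    0xc0000000u
#define PDSLOT_PTE  767u                /* recursive slot, just below KERNBASE */
#define PDSLOT_APTE 1023u               /* alternate recursive slot */
#define PTE_SIZE    4u                  /* sizeof(pt_entry_t) */

#define PTE_BASE    (PDSLOT_PTE << PDRSHIFT)                /* 0xbfc00000 */
#define APTE_BASE   (PDSLOT_APTE << PDRSHIFT)               /* 0xffc00000 */
#define PDP_BASE    (PTE_BASE + PDSLOT_PTE * PAGE_SIZE)     /* 0xbfeff000 */
#define APDP_BASE   (APTE_BASE + PDSLOT_APTE * PAGE_SIZE)   /* 0xfffff000 */

/* Which PDE slot and which PTE slot a virtual address selects. */
static uint32_t pde_index(uint32_t va) { return va >> PDRSHIFT; }
static uint32_t pte_index(uint32_t va) { return (va >> 12) & 0x3ffu; }

/* VA at which the PTE for 'va' is visible through the recursive slot:
 * (767 * 4MB) + (va / PAGE_SIZE) * sizeof(pt_entry_t). */
static uint32_t pte_va(uint32_t va) { return PTE_BASE + (va / PAGE_SIZE) * PTE_SIZE; }

/* Same lookup through the alternate window (PTEs of a non-active pmap). */
static uint32_t apte_va(uint32_t va) { return APTE_BASE + (va / PAGE_SIZE) * PTE_SIZE; }

/* VA of the PDE for 'va': the PDP itself shows up as PTP#767 at PDP_BASE. */
static uint32_t pde_va(uint32_t va) { return PDP_BASE + pde_index(va) * PTE_SIZE; }

int main(void) {
    /* The two self-referencing PDE addresses named in the comment. */
    assert(pde_va(PTE_BASE)  == 0xbfeffbfcu);   /* PDP_PDE  */
    assert(pde_va(APTE_BASE) == 0xbfeffffcu);   /* APDP_PDE */
    /* PTE for page 0 is the first int of the recursive area, the PTE for
     * VA 0xfffff000 is the very last int before KERNBASE. */
    assert(pte_va(0) == PTE_BASE);
    assert(pte_va(0xfffff000u) == KERNBASE - PTE_SIZE);
    printf("PTE for KERNBASE is at %#x (PDE slot %u, PTE slot %u)\n",
           pte_va(KERNBASE), pde_index(KERNBASE), pte_index(KERNBASE));
    printf("same PTE seen through the alternate window: %#x\n", apte_va(KERNBASE));
    return 0;
}
```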

Now let's look at locore.S. It is the first kernel code to be executed: once the bootloader has loaded the kernel it jumps into locore.S and execution starts there. The piece of code beginning at create_pagetables (which is really a function implemented in assembly) is the part I am interested in. From the source it can be seen that the kernel starts building the page tables right after detecting the CPU type; at this point the bootloader should already have switched the CPU to protected mode, but paging is not yet enabled. Once the page tables have been created, paging can be turned on. For the sake of simplicity I will skip the SMP- and PAE-related code.

/**********************************************************************
 *
 * Create the first page directory and its page tables.
 *
 */

create_pagetables:

/* Find end of kernel image (rounded up to a page boundary). */
	movl	$R(_end),%esi

/* Include symbols, if any. */
	movl	R(bootinfo+BI_ESYMTAB),%edi
	testl	%edi,%edi
	je	over_symalloc
	movl	%edi,%esi
	movl	$KERNBASE,%edi
	addl	%edi,R(bootinfo+BI_SYMTAB)
	addl	%edi,R(bootinfo+BI_ESYMTAB)
over_symalloc:

/* If we are told where the end of the kernel space is, believe it. */
	movl	R(bootinfo+BI_KERNEND),%edi
	testl	%edi,%edi
	je	no_kernend
	movl	%edi,%esi
no_kernend:

	addl	$PDRMASK,%esi		/* Play conservative for now, and */
	andl	$~PDRMASK,%esi		/*   ... wrap to next 4M. */
	movl	%esi,R(KERNend)		/* save end of kernel */
	movl	%esi,R(physfree)	/* next free page is at end of kernel */

First the kernel determines where its image ends (taking the symbol table and the bootloader-supplied BI_KERNEND into account); that end address is then rounded up to a 4M boundary and written to both KERNend and physfree. The point of aligning to 4M is that when the page directory is created, the kernel image is covered by whole page tables (each page table addresses 4M of space, i.e. 1024 page table entries * 4096 bytes/page). So KERNend now holds the end-of-kernel address, and physfree holds the start of free physical memory; initially the two are the same.

Before continuing the analysis, let's look at two macro definitions:

/*
 * Converts a linear address into a physical address. The ELF file is
 * linked with KERNBASE as its base address, so every global variable and
 * function address in the code is KERNBASE-relative, while the bootloader
 * loads the kernel into physical memory starting at address 0. This macro
 * turns such a linear address into the kernel's actual physical address
 * in memory.
 */
#define R(foo) ((foo)-KERNBASE)

#define ALLOCPAGES(foo) \
	movl	R(physfree), %esi ;		/* esi = address of free pages */ \
	movl	$((foo)*PAGE_SIZE), %eax ;	/* number of bytes needed */ \
	addl	%esi, %eax ; \
	movl	%eax, R(physfree) ;		/* advance the free-page address */ \
	movl	%esi, %edi ;			/* start of the allocated space */ \
	movl	$((foo)*PAGE_SIZE),%ecx ; \
	xorl	%eax,%eax ; \
	cld ; \
	rep ;					/* zero the allocated memory */ \
	stosb

From the definition of ALLOCPAGES we can see that its argument is the number of pages to allocate, and that the starting address of the allocated memory is returned in register esi.

OK, we can continue the analysis.
/* Allocate Kernel Page Tables */
	ALLOCPAGES(NKPT)
	movl	%esi,R(KPTphys)

	...

	ALLOCPAGES(NPGPTD)
	movl	%esi,R(IdlePTD)

/* Allocate KSTACK */
	ALLOCPAGES(KSTACK_PAGES)
	movl	%esi,R(p0kpa)
	addl	$KERNBASE, %esi
	movl	%esi, R(proc0kstack)

	ALLOCPAGES(1)			/* vm86/bios stack */
	movl	%esi,R(vm86phystk)

	ALLOCPAGES(3)			/* pgtable + ext + IOPAGES */
	movl	%esi,R(vm86pa)
	addl	$KERNBASE, %esi
	movl	%esi, R(vm86paddr)
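To see where these early allocations land, here is a small C model of the create_pagetables sequence above (added for this page, not FreeBSD's own code). NKPT, NPGPTD, KSTACK_PAGES and the _end address are assumed values chosen for the example; the real ones come from the kernel configuration and link map.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE  4096u
#define KERNBASE   0xc0000000u
#define PDRMASK    0x003fffffu          /* 4M - 1 */
#define R(va)      ((va) - KERNBASE)    /* linear -> physical, as in locore.S */

/* Assumed sizes for this example (not taken from the page). */
#define NKPT         30u
#define NPGPTD       1u
#define KSTACK_PAGES 2u

static uint32_t physfree;               /* first free physical page */
static uint32_t KERNend;                /* rounded-up end of kernel */
static uint8_t  scratch[64 * PAGE_SIZE]; /* models physical memory from KERNend up */

/* Software model of the ALLOCPAGES macro: hand out 'npages' zeroed pages
 * from physfree and return their physical start address (what %esi holds). */
static uint32_t allocpages(uint32_t npages) {
    uint32_t start = physfree;
    assert(start - KERNend + npages * PAGE_SIZE <= sizeof scratch);
    memset(scratch + (start - KERNend), 0, npages * PAGE_SIZE); /* rep stosb */
    physfree += npages * PAGE_SIZE;
    return start;
}

struct early_layout {
    uint32_t KPTphys, IdlePTD, p0kpa, proc0kstack, vm86phystk, vm86pa, vm86paddr;
};

/* Replays create_pagetables up to the vm86 allocations. 'end_va' is the
 * linked (KERNBASE-relative) address of _end, with no symbols/BI_KERNEND. */
static struct early_layout create_pagetables(uint32_t end_va) {
    struct early_layout l;
    uint32_t esi = R(end_va);                   /* movl $R(_end),%esi */
    esi = (esi + PDRMASK) & ~PDRMASK;           /* wrap to next 4M */
    KERNend = physfree = esi;
    l.KPTphys     = allocpages(NKPT);
    l.IdlePTD     = allocpages(NPGPTD);
    l.p0kpa       = allocpages(KSTACK_PAGES);
    l.proc0kstack = l.p0kpa + KERNBASE;         /* addl $KERNBASE,%esi */
    l.vm86phystk  = allocpages(1);
    l.vm86pa      = allocpages(3);
    l.vm86paddr   = l.vm86pa + KERNBASE;
    return l;
}

int main(void) {
    struct early_layout l = create_pagetables(0xc05a1234u); /* constructed _end */
    printf("KERNend=%#x KPTphys=%#x IdlePTD=%#x proc0kstack=%#x physfree=%#x\n",
           KERNend, l.KPTphys, l.IdlePTD, l.proc0kstack, physfree);
    return 0;
}
```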
Source: Watchstor