Linux/Documentation/i386/boot.txt

Version: 2.4.0

                     THE LINUX/I386 BOOT PROTOCOL
                     ----------------------------

                    H. Peter Anvin <hpa@zytor.com>
                        Last update 2000-07-27

On the i386 platform, the Linux kernel uses a rather complicated boot
convention.  This has evolved partially due to historical aspects, as
well as the desire in the early days to have the kernel itself be a
bootable image, the complicated PC memory model and due to changed
expectations in the PC industry caused by the effective demise of
real-mode DOS as a mainstream operating system.

Currently, four versions of the Linux/i386 boot protocol exist.

Old kernels:    zImage/Image support only.  Some very early kernels
                may not even support a command line.

Protocol 2.00:  (Kernel 1.3.73) Added bzImage and initrd support, as
                well as a formalized way to communicate between the
                boot loader and the kernel.  setup.S made relocatable,
                although the traditional setup area still assumed
                writable.

Protocol 2.01:  (Kernel 1.3.76) Added a heap overrun warning.

Protocol 2.02:  (Kernel 2.4.0-test3-pre3) New command line protocol.
                Lower the conventional memory ceiling.  No overwrite
                of the traditional setup area, thus making booting
                safe for systems which use the EBDA from SMM or 32-bit
                BIOS entry points.  zImage deprecated but still
                supported.


**** MEMORY LAYOUT

The traditional memory map for the kernel loader, used for Image or
zImage kernels, typically looks like:

        |                        |
0A0000  +------------------------+
        |  Reserved for BIOS     |      Do not use.  Reserved for BIOS EBDA.
09A000  +------------------------+
        |  Stack/heap/cmdline    |      For use by the kernel real-mode code.
098000  +------------------------+
        |  Kernel setup          |      The kernel real-mode code.
090200  +------------------------+
        |  Kernel boot sector    |      The kernel legacy boot sector.
090000  +------------------------+
        |  Protected-mode kernel |      The bulk of the kernel image.
010000  +------------------------+
        |  Boot loader           |      <- Boot sector entry point 0000:7C00
001000  +------------------------+
        |  Reserved for MBR/BIOS |
000800  +------------------------+
        |  Typically used by MBR |
000600  +------------------------+
        |  BIOS use only         |
000000  +------------------------+


When using bzImage, the protected-mode kernel was relocated to
0x100000 ("high memory"), and the kernel real-mode block (boot sector,
setup, and stack/heap) was made relocatable to any address between
0x10000 and end of low memory.  Unfortunately, in protocols 2.00 and
2.01 the command line is still required to live in the 0x9XXXX memory
range, and that memory range is still overwritten by the early kernel.
The 2.02 protocol fixes that.

It is desirable to keep the "memory ceiling" -- the highest point in
low memory touched by the boot loader -- as low as possible, since
some newer BIOSes have begun to allocate some rather large amounts of
memory, called the Extended BIOS Data Area, near the top of low
memory.  The boot loader should use the "INT 12h" BIOS call to verify
how much low memory is available.

Unfortunately, if INT 12h reports that the amount of memory is too
low, there is usually nothing the boot loader can do but to report an
error to the user.  The boot loader should therefore be designed to
take up as little space in low memory as it reasonably can.  For
zImage or old bzImage kernels, which need data written into the
0x90000 segment, the boot loader should make sure not to use memory
above the 0x9A000 point; too many BIOSes will break above that point.


**** THE REAL-MODE KERNEL HEADER

In the following text, and anywhere in the kernel boot sequence, "a
sector" refers to 512 bytes.  It is independent of the actual sector
size of the underlying medium.

The first step in loading a Linux kernel should be to load the
real-mode code (boot sector and setup code) and then examine the
following header at offset 0x01f1.  The real-mode code can total up to
32K, although the boot loader may choose to load only the first two
sectors (1K) and then examine the bootup sector size.

The header looks like:

Offset  Proto   Name            Meaning
/Size

01F1/1  ALL     setup_sects     The size of the setup in sectors
01F2/2  ALL     root_flags      If set, the root is mounted readonly
01F4/2  ALL     syssize         DO NOT USE - for bootsect.S use only
01F6/2  ALL     swap_dev        DO NOT USE - obsolete
01F8/2  ALL     ram_size        DO NOT USE - for bootsect.S use only
01FA/2  ALL     vid_mode        Video mode control
01FC/2  ALL     root_dev        Default root device number
01FE/2  ALL     boot_flag       0xAA55 magic number
0200/2  2.00+   jump            Jump instruction
0202/4  2.00+   header          Magic signature "HdrS"
0206/2  2.00+   version         Boot protocol version supported
0208/4  2.00+   realmode_swtch  Boot loader hook (see below)
020C/4  2.00+   start_sys       Points to kernel version string
0210/1  2.00+   type_of_loader  Boot loader identifier
0211/1  2.00+   loadflags       Boot protocol option flags
0212/2  2.00+   setup_move_size Move to high memory size (used with hooks)
0214/4  2.00+   code32_start    Boot loader hook (see below)
0218/4  2.00+   ramdisk_image   initrd load address (set by boot loader)
021C/4  2.00+   ramdisk_size    initrd size (set by boot loader)
0220/4  2.00+   bootsect_kludge DO NOT USE - for bootsect.S use only
0224/2  2.01+   heap_end_ptr    Free memory after setup end
0226/2  N/A     pad1            Unused
0228/4  2.02+   cmd_line_ptr    32-bit pointer to the kernel command line

For backwards compatibility, if the setup_sects field contains 0, the
real value is 4.

If the "HdrS" (0x53726448) magic number is not found at offset 0x202,
the boot protocol version is "old".  Loading an old kernel, the
following parameters should be assumed:

        Image type = zImage
        initrd not supported
        Real-mode kernel must be located at 0x90000.

Otherwise, the "version" field contains the protocol version,
e.g. protocol version 2.01 will contain 0x0201 in this field.  When
setting fields in the header, you must make sure only to set fields
supported by the protocol version in use.

Most boot loaders will simply load the kernel at its target address
directly.  Such boot loaders do not need to worry about filling in
most of the fields in the header.  The following fields should be
filled out, however:

  type_of_loader:
        If your boot loader has an identifier assigned in
        arch/i386/boot/setup.S, enter that value.  Otherwise, enter
        0xFF here.

  loadflags, heap_end_ptr:
        If the protocol version is 2.01 or higher, enter the
        offset limit of the setup heap into heap_end_ptr and set the
        0x80 bit (CAN_USE_HEAP) of loadflags.  heap_end_ptr appears to
        be relative to the start of setup (offset 0x0200).

  setup_move_size:
        When using protocol 2.00 or 2.01, if the real mode
        kernel is not loaded at 0x90000, it gets moved there later in
        the loading sequence.  Fill in this field if you want
        additional data (such as the kernel command line) moved in
        addition to the real-mode kernel itself.

  ramdisk_image, ramdisk_size:
        If your boot loader has loaded an initial ramdisk (initrd),
        set ramdisk_image to the 32-bit pointer to the ramdisk data
        and the ramdisk_size to the size of the ramdisk data.

        The initrd should typically be located as high in memory as
        possible, as it may otherwise get overwritten by the early
        kernel initialization sequence.  However, it must never be
        located above address 0x3C000000 if you want all kernels to
        read it.

  cmd_line_ptr:
        If the protocol version is 2.02 or higher, this is a 32-bit
        pointer to the kernel command line.  The kernel command line
        can be located anywhere between the end of setup and 0xA0000.
        Fill in this field even if your boot loader does not support a
        command line, in which case you can point this to an empty
        string (or better yet, to the string "auto".)  If this field
        is left at zero, the kernel will assume that your boot loader
        does not support the 2.02 protocol.


**** THE KERNEL COMMAND LINE

The kernel command line has become an important way for the boot
loader to communicate with the kernel.  Some of its options are also
relevant to the boot loader itself, see "special command line options"
below.

The kernel command line is a null-terminated string up to 255
characters long, plus the final null.

If the boot protocol version is 2.02 or later, the address of the
kernel command line is given by the header field cmd_line_ptr (see
above.)

If the protocol version is *not* 2.02 or higher, the kernel
command line is entered using the following protocol:

        At offset 0x0020 (word), "cmd_line_magic", enter the magic
        number 0xA33F.

        At offset 0x0022 (word), "cmd_line_offset", enter the offset
        of the kernel command line (relative to the start of the
        real-mode kernel).

        The kernel command line *must* be within the memory region
        covered by setup_move_size, so you may need to adjust this
        field.


**** SAMPLE BOOT CONFIGURATION

As a sample configuration, assume the following layout of the real
mode segment:

        0x0000-0x7FFF   Real mode kernel
        0x8000-0x8FFF   Stack and heap
        0x9000-0x90FF   Kernel command line

Such a boot loader should enter the following fields in the header:

        unsigned long base_ptr; /* base address for real-mode segment */

        if ( setup_sects == 0 ) {
                setup_sects = 4;
        }

        if ( protocol >= 0x0200 ) {
                type_of_loader = <type code>;
                if ( loading_initrd ) {
                        ramdisk_image = <initrd_address>;
                        ramdisk_size = <initrd_size>;
                }
                if ( protocol >= 0x0201 ) {
                        heap_end_ptr = 0x9000 - 0x200;
                        loadflags |= 0x80; /* CAN_USE_HEAP */
                }
                if ( protocol >= 0x0202 ) {
                        cmd_line_ptr = base_ptr + 0x9000;
                } else {
                        cmd_line_magic  = 0xA33F;
                        cmd_line_offset = 0x9000;
                        setup_move_size = 0x9100;
                }
        } else {
                /* Very old kernel */

                cmd_line_magic  = 0xA33F;
                cmd_line_offset = 0x9000;

                /* A very old kernel MUST have its real-mode code
                   loaded at 0x90000 */

                if ( base_ptr != 0x90000 ) {
                        /* Copy the real-mode kernel */
                        memcpy(0x90000, base_ptr, (setup_sects+1)*512);
                        /* Copy the command line */
                        memcpy(0x99000, base_ptr+0x9000, 256);

                        base_ptr = 0x90000;              /* Relocated */
                }

                /* It is recommended to clear memory up to the 32K mark */
                memset(0x90000 + (setup_sects+1)*512, 0,
                       (64-(setup_sects+1))*512);
        }
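
As an added example (not part of the original document or the kernel
source), the C function below checks a planned layout against the limits
stated in the sections above: the 255-character command line, the
command-line range for each protocol, the INT 12h ceiling and the initrd
limit.  The boot_plan struct, the error names, the 0x80000 base address and
the 639K INT 12h value are assumptions; the command line is assumed to be
the highest item the loader places in low memory, and the 0x3C000000 limit
is read as applying to the end of the initrd.

```c
#include <stdint.h>
#include <stdio.h>

struct boot_plan {              /* hypothetical: what the loader intends to do */
    unsigned protocol;          /* 0 = old kernel, else e.g. 0x0202 */
    uint32_t base_ptr;          /* linear address of the real-mode kernel */
    unsigned setup_sects;       /* already fixed up (0 means 4) */
    uint32_t cmd_off, cmd_len;  /* offset from base_ptr; length without null */
    uint32_t setup_move_size;   /* used by protocols 2.00 and 2.01 only */
    uint32_t initrd_addr, initrd_size;  /* initrd_size 0: no initrd */
    uint32_t low_mem_kb;        /* low memory in KB, as returned by INT 12h */
};

enum plan_error { PLAN_OK, ERR_CMD_LEN, ERR_CMD_RANGE, ERR_MOVE_SIZE,
                  ERR_LOW_MEM, ERR_INITRD };

enum plan_error check_boot_plan(const struct boot_plan *p)
{
    uint64_t setup_end = (uint64_t)p->base_ptr + (p->setup_sects + 1) * 512u;
    uint64_t cmd_start = (uint64_t)p->base_ptr + p->cmd_off;
    uint64_t cmd_end = cmd_start + p->cmd_len + 1;      /* one past the null */

    if (p->cmd_len > 255)
        return ERR_CMD_LEN;
    if (p->protocol >= 0x0202) {
        /* 2.02+: anywhere between the end of setup and 0xA0000 */
        if (cmd_start < setup_end || cmd_end > 0xA0000)
            return ERR_CMD_RANGE;
    } else if (p->protocol >= 0x0200) {
        /* 2.00/2.01: inside the region covered by setup_move_size */
        if ((uint64_t)p->cmd_off + p->cmd_len + 1 > p->setup_move_size)
            return ERR_MOVE_SIZE;
    }
    /* Assumption: the command line is the highest thing the loader places */
    if (cmd_end > (uint64_t)p->low_mem_kb * 1024)
        return ERR_LOW_MEM;
    /* initrd needs protocol 2.00+ and must end at or below 0x3C000000 */
    if (p->initrd_size && (p->protocol < 0x0200 ||
            (uint64_t)p->initrd_addr + p->initrd_size > 0x3C000000))
        return ERR_INITRD;
    return PLAN_OK;
}

/* The sample layout above; base_ptr and the INT 12h value are made up. */
struct boot_plan sample_plan(unsigned protocol)
{
    struct boot_plan p = { protocol, 0x80000, 4, 0x9000, 255, 0x9100, 0, 0, 639 };
    return p;
}

int main(void)
{
    struct boot_plan p = sample_plan(0x0201);
    printf("sample plan: %d\n", (int)check_boot_plan(&p));
    p.setup_move_size = 0x9000;     /* no longer covers the command line */
    printf("short setup_move_size: %d\n", (int)check_boot_plan(&p));
    return 0;
}
```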


**** LOADING THE REST OF THE KERNEL

The non-real-mode kernel starts at offset (setup_sects+1)*512 in the
kernel file (again, if setup_sects == 0 the real value is 4.)  It
should be loaded at address 0x10000 for Image/zImage kernels and
0x100000 for bzImage kernels.

The kernel is a bzImage kernel if the protocol >= 2.00 and the 0x01
bit (LOAD_HIGH) in the loadflags field is set:

        is_bzImage = (protocol >= 0x0200) && (loadflags & 0x01);
        load_address = is_bzImage ? 0x100000 : 0x10000;

Note that Image/zImage kernels can be up to 512K in size, and thus use
the entire 0x10000-0x90000 range of memory.  This means it is pretty
much a requirement for these kernels to load the real-mode part at
0x90000.  bzImage kernels allow much more flexibility.
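
An added example (not from the original document or the kernel tree): a C
function that applies the rules from THE REAL-MODE KERNEL HEADER and from
this section to the first 1K of a kernel file.  struct boot_info,
parse_boot_header and make_sample are hypothetical names; rejecting a wrong
boot_flag and a real-mode block larger than 32K is this example's choice,
based on the values stated above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct boot_info {              /* hypothetical result type, not a kernel struct */
    unsigned setup_sects;       /* after the 0 -> 4 fix-up */
    unsigned protocol;          /* 0 = "old" kernel, else e.g. 0x0201 */
    int      is_bzimage;        /* protocol >= 2.00 and LOAD_HIGH set */
    uint32_t load_address;      /* target of the protected-mode kernel */
    uint32_t pm_offset;         /* file offset of the protected-mode kernel */
};

static unsigned rd16(const uint8_t *p) { return p[0] | (unsigned)p[1] << 8; }

/* Returns 0 on success, -1 on a short buffer, a bad boot_flag or a
   real-mode block larger than the 32K the text allows. */
int parse_boot_header(const uint8_t *img, size_t len, struct boot_info *out)
{
    if (len < 0x400)                        /* first two sectors (1K) */
        return -1;
    if (rd16(img + 0x1FE) != 0xAA55)        /* boot_flag; rejecting is our choice */
        return -1;
    out->setup_sects = img[0x1F1] ? img[0x1F1] : 4;
    if ((out->setup_sects + 1) * 512 > 0x8000)
        return -1;
    out->protocol = memcmp(img + 0x202, "HdrS", 4) == 0 ? rd16(img + 0x206) : 0;
    out->is_bzimage = out->protocol >= 0x0200 && (img[0x211] & 0x01) != 0;
    out->load_address = out->is_bzimage ? 0x100000 : 0x10000;
    out->pm_offset = (out->setup_sects + 1) * 512;
    return 0;
}

/* Constructed sample: a zeroed 1K buffer with only the header fields set. */
const uint8_t *make_sample(unsigned sects, unsigned version, unsigned loadflags)
{
    static uint8_t img[0x400];
    memset(img, 0, sizeof img);
    img[0x1F1] = (uint8_t)sects;
    img[0x1FE] = 0x55; img[0x1FF] = 0xAA;
    if (version) {
        memcpy(img + 0x202, "HdrS", 4);
        img[0x206] = (uint8_t)(version & 0xFF); img[0x207] = (uint8_t)(version >> 8);
        img[0x211] = (uint8_t)loadflags;
    }
    return img;
}

int main(void)
{
    struct boot_info bi;
    if (parse_boot_header(make_sample(0, 0x0202, 0x01), 0x400, &bi) == 0)
        printf("proto %#06x sects %u load %#x offset %#x\n", bi.protocol,
               bi.setup_sects, (unsigned)bi.load_address, (unsigned)bi.pm_offset);
    return 0;
}
```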


**** SPECIAL COMMAND LINE OPTIONS

If the command line provided by the boot loader is entered by the
user, the user may expect the following command line options to work.
They should normally not be deleted from the kernel command line even
though not all of them are actually meaningful to the kernel.  Boot
loader authors who need additional command line options for the boot
loader itself should get them registered in
linux/Documentation/kernel-parameters.txt to make sure they will not
conflict with actual kernel options now or in the future.

  vga=<mode>
        <mode> here is either an integer (in C notation, either
        decimal, octal, or hexadecimal) or one of the strings
        "normal" (meaning 0xFFFF), "ext" (meaning 0xFFFE) or "ask"
        (meaning 0xFFFD).  This value should be entered into the
        vid_mode field, as it is used by the kernel before the command
        line is parsed.

  mem=<size>
        <size> is an integer in C notation optionally followed by K, M
        or G (meaning << 10, << 20 or << 30).  This specifies to the
        kernel the memory size.  This affects the possible placement
        of an initrd, since an initrd should be placed near end of
        memory.  Note that this is an option to *both* the kernel and
        the bootloader!

  initrd=<file>
        An initrd should be loaded.  The meaning of <file> is
        obviously bootloader-dependent, and some boot loaders
        (e.g. LILO) do not have such a command.

In addition, some boot loaders add the following options to the
user-specified command line:

  BOOT_IMAGE=<file>
        The boot image which was loaded.  Again, the meaning of <file>
        is obviously bootloader-dependent.

  auto
        The kernel was booted without explicit user intervention.

If these options are added by the boot loader, it is highly
recommended that they are located *first*, before the user-specified
or configuration-specified command line.  Otherwise, "init=/bin/sh"
gets confused by the "auto" option.
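
An added example (not from the original document or from any boot loader):
one way a boot loader could read vga= and mem= as described above while
leaving the command line itself intact.  struct loader_opts and
scan_cmdline are hypothetical names; accepting only the upper-case K, M
and G suffixes the text lists, letting the last occurrence of an option
win, and failing on a malformed value are assumptions of this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct loader_opts {            /* hypothetical type for this example */
    int      have_vga, have_mem;
    uint16_t vid_mode;          /* goes into the vid_mode header field */
    uint64_t mem_bytes;         /* limits where an initrd can be placed */
};

/* Integer in C notation (decimal, octal, hex); no sign or leading space. */
static int c_integer(const char *s, unsigned long long *v, char **end)
{
    if (*s < '0' || *s > '9') return -1;
    errno = 0;
    *v = strtoull(s, end, 0);
    return errno ? -1 : 0;
}

/* Reads vga= and mem= from a copy; the kernel still gets the full line.
   Returns -1 on a malformed value or a line over 255 characters. */
int scan_cmdline(const char *cmdline, struct loader_opts *o)
{
    char buf[256], *tok, *end;
    unsigned long long v;
    memset(o, 0, sizeof *o);
    if (strlen(cmdline) > 255) return -1;
    strcpy(buf, cmdline);
    for (tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        if (!strncmp(tok, "vga=", 4)) {
            if (!strcmp(tok + 4, "normal"))   v = 0xFFFF;
            else if (!strcmp(tok + 4, "ext")) v = 0xFFFE;
            else if (!strcmp(tok + 4, "ask")) v = 0xFFFD;
            else if (c_integer(tok + 4, &v, &end) || *end || v > 0xFFFF)
                return -1;
            o->have_vga = 1;
            o->vid_mode = (uint16_t)v;
        } else if (!strncmp(tok, "mem=", 4)) {
            unsigned shift;
            if (c_integer(tok + 4, &v, &end)) return -1;
            shift = *end == 'K' ? 10 : *end == 'M' ? 20 : *end == 'G' ? 30 : 0;
            if (shift) end++;                   /* step over the suffix */
            if (*end || (v << shift) >> shift != v) return -1;
            o->have_mem = 1;
            o->mem_bytes = v << shift;
        }
    }
    return 0;
}

int main(void)
{
    struct loader_opts o;
    int rc = scan_cmdline("auto vga=ext mem=64M root=/dev/hda1", &o);
    printf("rc=%d vid_mode=%#x\n", rc, (unsigned)o.vid_mode);
    return 0;
}
```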


**** RUNNING THE KERNEL

The kernel is started by jumping to the kernel entry point, which is
located at *segment* offset 0x20 from the start of the real mode
kernel.  This means that if you loaded your real-mode kernel code at
0x90000, the kernel entry point is 9020:0000.

At entry, ds = es = ss should point to the start of the real-mode
kernel code (0x9000 if the code is loaded at 0x90000), sp should be
set up properly, normally pointing to the top of the heap, and
interrupts should be disabled.  Furthermore, to guard against bugs in
the kernel, it is recommended that the boot loader sets fs = gs = ds =
es = ss.

In our example from above, we would do:

        /* Note: in the case of the "old" kernel protocol, base_ptr must
           be == 0x90000 at this point; see the previous sample code */

        seg = base_ptr >> 4;

        cli();  /* Enter with interrupts disabled! */

        /* Set up the real-mode kernel stack */
        _SS = seg;
        _SP = 0x9000;   /* Load SP immediately after loading SS! */

        _DS = _ES = _FS = _GS = seg;
        jmp_far(seg+0x20, 0);   /* Run the kernel */

If your boot sector accesses a floppy drive, it is recommended to
switch off the floppy motor before running the kernel, since the
kernel boot leaves interrupts off and thus the motor will not be
switched off, especially if the loaded kernel has the floppy driver as
a demand-loaded module!


**** ADVANCED BOOT TIME HOOKS

If the boot loader runs in a particularly hostile environment (such as
LOADLIN, which runs under DOS) it may be impossible to follow the
standard memory location requirements.  Such a boot loader may use the
following hooks that, if set, are invoked by the kernel at the
appropriate time.  The use of these hooks should probably be
considered an absolutely last resort!

IMPORTANT: All the hooks are required to preserve %ebp, %esi and %edi
across invocation.

  realmode_swtch:
        A 16-bit real mode far subroutine invoked immediately before
        entering protected mode.  The default routine disables NMI, so
        your routine should probably do so, too.

  code32_start:
        A 32-bit flat-mode routine *jumped* to immediately after the
        transition to protected mode, but before the kernel is
        uncompressed.  No segments, except CS, are set up; you should
        set them up to KERNEL_DS (0x18) yourself.

        After completing your hook, you should jump to the address
        that was in this field before your boot loader overwrote it.
