mirror of
https://github.com/xemu-project/xemu.git
synced 2025-01-13 07:12:09 +00:00
a5b3ebfd23
More precisely, the "x-file-slots" count is bumped for all machine types that: (a) use fw_cfg, and (b) are not versioned (hence migration is not expected to work for them across QEMU releases anyway), or have version 2.9. This affects machine types implemented in the following source files: - "hw/arm/virt.c". The "virt-*" machine type is versioned, and the <= 2.8 versions already depend on HW_COMPAT_2_8 (see commit e353aac51b944). Therefore adding the "x-file-slots" compat values to HW_COMPAT_2_8 suffices. - "hw/i386/pc.c". The "pc-i440fx-*" (including "pc-*") and "pc-q35-*" machine types are versioned. Modifying HW_COMPAT_2_8 is sufficient here too (see commit "pc: Add 2.9 machine-types"). The "isapc" machtype is not versioned. The "xenfv" machine type, which uses fw_cfg for direct kernel booting, is also not versioned. - "hw/ppc/mac_newworld.c". The "mac99" machine type is not versioned. - "hw/ppc/mac_oldworld.c". The "g3beige" machine type is not versioned. - "hw/sparc/sun4m.c". None of the 9 machine types defined in this file appear versioned. - "hw/sparc64/sun4u.c". None of the 3 machine types defined in this file appear versioned. Cc: "Gabriel L. Somlo" <somlo@cmu.edu> Cc: "Michael S. Tsirkin" <mst@redhat.com> Cc: Alexander Graf <agraf@suse.de> Cc: Anthony Perard <anthony.perard@citrix.com> Cc: Artyom Tarasenko <atar4qemu@gmail.com> Cc: David Gibson <david@gibson.dropbear.id.au> Cc: Eduardo Habkost <ehabkost@redhat.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Igor Mammedov <imammedo@redhat.com> Cc: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: Peter Maydell <peter.maydell@linaro.org> Cc: Stefano Stabellini <sstabellini@kernel.org> Signed-off-by: Laszlo Ersek <lersek@redhat.com> Acked-by: Gabriel Somlo <somlo@cmu.edu> Tested-by: Gabriel Somlo <somlo@cmu.edu> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
255 lines
10 KiB
Plaintext
255 lines
10 KiB
Plaintext
QEMU Firmware Configuration (fw_cfg) Device
|
|
===========================================
|
|
|
|
= Guest-side Hardware Interface =
|
|
|
|
This hardware interface allows the guest to retrieve various data items
|
|
(blobs) that can influence how the firmware configures itself, or may
|
|
contain tables to be installed for the guest OS. Examples include device
|
|
boot order, ACPI and SMBIOS tables, virtual machine UUID, SMP and NUMA
|
|
information, kernel/initrd images for direct (Linux) kernel booting, etc.
|
|
|
|
== Selector (Control) Register ==
|
|
|
|
* Write only
|
|
* Location: platform dependent (IOport or MMIO)
|
|
* Width: 16-bit
|
|
* Endianness: little-endian (if IOport), or big-endian (if MMIO)
|
|
|
|
A write to this register sets the index of a firmware configuration
|
|
item which can subsequently be accessed via the data register.
|
|
|
|
Setting the selector register will cause the data offset to be set
|
|
to zero. The data offset impacts which data is accessed via the data
|
|
register, and is explained below.
|
|
|
|
Bit14 of the selector register indicates whether the configuration
|
|
setting is being written. A value of 0 means the item is only being
|
|
read, and all write access to the data port will be ignored. A value
|
|
of 1 means the item's data can be overwritten by writes to the data
|
|
register. In other words, configuration write mode is enabled when
|
|
the selector value is between 0x4000-0x7fff or 0xc000-0xffff.
|
|
|
|
NOTE: As of QEMU v2.4, writes to the fw_cfg data register are no
|
|
longer supported, and will be ignored (treated as no-ops)!
|
|
|
|
NOTE: As of QEMU v2.9, writes are reinstated, but only through the DMA
|
|
interface (see below). Furthermore, writeability of any specific item is
|
|
governed independently of Bit14 in the selector key value.
|
|
|
|
Bit15 of the selector register indicates whether the configuration
|
|
setting is architecture specific. A value of 0 means the item is a
|
|
generic configuration item. A value of 1 means the item is specific
|
|
to a particular architecture. In other words, generic configuration
|
|
items are accessed with a selector value between 0x0000-0x7fff, and
|
|
architecture specific configuration items are accessed with a selector
|
|
value between 0x8000-0xffff.
|
|
|
|
== Data Register ==
|
|
|
|
* Read/Write (writes ignored as of QEMU v2.4, but see the DMA interface)
|
|
* Location: platform dependent (IOport [*] or MMIO)
|
|
* Width: 8-bit (if IOport), 8/16/32/64-bit (if MMIO)
|
|
* Endianness: string-preserving
|
|
|
|
[*] On platforms where the data register is exposed as an IOport, its
|
|
port number will always be one greater than the port number of the
|
|
selector register. In other words, the two ports overlap, and can not
|
|
be mapped separately.
|
|
|
|
The data register allows access to an array of bytes for each firmware
|
|
configuration data item. The specific item is selected by writing to
|
|
the selector register, as described above.
|
|
|
|
Initially following a write to the selector register, the data offset
|
|
will be set to zero. Each successful access to the data register will
|
|
increment the data offset by the appropriate access width.
|
|
|
|
Each firmware configuration item has a maximum length of data
|
|
associated with the item. After the data offset has passed the
|
|
end of this maximum data length, then any reads will return a data
|
|
value of 0x00, and all writes will be ignored.
|
|
|
|
An N-byte wide read of the data register will return the next available
|
|
N bytes of the selected firmware configuration item, as a substring, in
|
|
increasing address order, similar to memcpy().
|
|
|
|
== Register Locations ==
|
|
|
|
=== x86, x86_64 Register Locations ===
|
|
|
|
Selector Register IOport: 0x510
|
|
Data Register IOport: 0x511
|
|
DMA Address IOport: 0x514
|
|
|
|
=== ARM Register Locations ===
|
|
|
|
Selector Register address: Base + 8 (2 bytes)
|
|
Data Register address: Base + 0 (8 bytes)
|
|
DMA Address address: Base + 16 (8 bytes)
|
|
|
|
== ACPI Interface ==
|
|
|
|
The fw_cfg device is defined with ACPI ID "QEMU0002". Since we expect
|
|
ACPI tables to be passed into the guest through the fw_cfg device itself,
|
|
the guest-side firmware can not use ACPI to find fw_cfg. However, once the
|
|
firmware is finished setting up ACPI tables and hands control over to the
|
|
guest kernel, the latter can use the fw_cfg ACPI node for a more accurate
|
|
inventory of in-use IOport or MMIO regions.
|
|
|
|
== Firmware Configuration Items ==
|
|
|
|
=== Signature (Key 0x0000, FW_CFG_SIGNATURE) ===
|
|
|
|
The presence of the fw_cfg selector and data registers can be verified
|
|
by selecting the "signature" item using key 0x0000 (FW_CFG_SIGNATURE),
|
|
and reading four bytes from the data register. If the fw_cfg device is
|
|
present, the four bytes read will contain the characters "QEMU".
|
|
|
|
If the DMA interface is available, then reading the DMA Address
|
|
Register returns 0x51454d5520434647 ("QEMU CFG" in big-endian format).
|
|
|
|
=== Revision / feature bitmap (Key 0x0001, FW_CFG_ID) ===
|
|
|
|
A 32-bit little-endian unsigned int, this item is used to check for enabled
|
|
features.
|
|
- Bit 0: traditional interface. Always set.
|
|
- Bit 1: DMA interface.
|
|
|
|
=== File Directory (Key 0x0019, FW_CFG_FILE_DIR) ===
|
|
|
|
Firmware configuration items stored at selector keys 0x0020 or higher
|
|
(FW_CFG_FILE_FIRST or higher) have an associated entry in a directory
|
|
structure, which makes it easier for guest-side firmware to identify
|
|
and retrieve them. The format of this file directory (from fw_cfg.h in
|
|
the QEMU source tree) is shown here, slightly annotated for clarity:
|
|
|
|
struct FWCfgFiles { /* the entire file directory fw_cfg item */
|
|
uint32_t count; /* number of entries, in big-endian format */
|
|
struct FWCfgFile f[]; /* array of file entries, see below */
|
|
};
|
|
|
|
struct FWCfgFile { /* an individual file entry, 64 bytes total */
|
|
uint32_t size; /* size of referenced fw_cfg item, big-endian */
|
|
uint16_t select; /* selector key of fw_cfg item, big-endian */
|
|
uint16_t reserved;
|
|
char name[56]; /* fw_cfg item name, NUL-terminated ascii */
|
|
};
|
|
|
|
=== All Other Data Items ===
|
|
|
|
Please consult the QEMU source for the most up-to-date and authoritative list
|
|
of selector keys and their respective items' purpose, format and writeability.
|
|
|
|
=== Ranges ===
|
|
|
|
Theoretically, there may be up to 0x4000 generic firmware configuration
|
|
items, and up to 0x4000 architecturally specific ones.
|
|
|
|
Selector Reg. Range Usage
|
|
--------------- -----------
|
|
0x0000 - 0x3fff Generic (0x0000 - 0x3fff, generally RO, possibly RW through
|
|
the DMA interface in QEMU v2.9+)
|
|
0x4000 - 0x7fff Generic (0x0000 - 0x3fff, RW, ignored in QEMU v2.4+)
|
|
0x8000 - 0xbfff Arch. Specific (0x0000 - 0x3fff, generally RO, possibly RW
|
|
through the DMA interface in QEMU v2.9+)
|
|
0xc000 - 0xffff Arch. Specific (0x0000 - 0x3fff, RW, ignored in v2.4+)
|
|
|
|
In practice, the number of allowed firmware configuration items depends on the
|
|
machine type/version.
|
|
|
|
= Guest-side DMA Interface =
|
|
|
|
If bit 1 of the feature bitmap is set, the DMA interface is present. This does
|
|
not replace the existing fw_cfg interface, it is an add-on. This interface
|
|
can be used through the 64-bit wide address register.
|
|
|
|
The address register is in big-endian format. The value for the register is 0
|
|
at startup and after an operation. A write to the least significant half (at
|
|
offset 4) triggers an operation. This means that operations with 32-bit
|
|
addresses can be triggered with just one write, whereas operations with
|
|
64-bit addresses can be triggered with one 64-bit write or two 32-bit writes,
|
|
starting with the most significant half (at offset 0).
|
|
|
|
In this register, the physical address of a FWCfgDmaAccess structure in RAM
|
|
should be written. This is the format of the FWCfgDmaAccess structure:
|
|
|
|
typedef struct FWCfgDmaAccess {
|
|
uint32_t control;
|
|
uint32_t length;
|
|
uint64_t address;
|
|
} FWCfgDmaAccess;
|
|
|
|
The fields of the structure are in big endian mode, and the field at the lowest
|
|
address is the "control" field.
|
|
|
|
The "control" field has the following bits:
|
|
- Bit 0: Error
|
|
- Bit 1: Read
|
|
- Bit 2: Skip
|
|
- Bit 3: Select. The upper 16 bits are the selected index.
|
|
- Bit 4: Write
|
|
|
|
When an operation is triggered, if the "control" field has bit 3 set, the
|
|
upper 16 bits are interpreted as an index of a firmware configuration item.
|
|
This has the same effect as writing the selector register.
|
|
|
|
If the "control" field has bit 1 set, a read operation will be performed.
|
|
"length" bytes for the current selector and offset will be copied into the
|
|
physical RAM address specified by the "address" field.
|
|
|
|
If the "control" field has bit 4 set (and not bit 1), a write operation will be
|
|
performed. "length" bytes will be copied from the physical RAM address
|
|
specified by the "address" field to the current selector and offset. QEMU
|
|
prevents starting or finishing the write beyond the end of the item associated
|
|
with the current selector (i.e., the item cannot be resized). Truncated writes
|
|
are dropped entirely. Writes to read-only items are also rejected. All of these
|
|
write errors set bit 0 (the error bit) in the "control" field.
|
|
|
|
If the "control" field has bit 2 set (and neither bit 1 nor bit 4), a skip
|
|
operation will be performed. The offset for the current selector will be
|
|
advanced "length" bytes.
|
|
|
|
To check the result, read the "control" field:
|
|
error bit set -> something went wrong.
|
|
all bits cleared -> transfer finished successfully.
|
|
otherwise -> transfer still in progress (doesn't happen
|
|
today due to implementation not being async,
|
|
but may in the future).
|
|
|
|
= Externally Provided Items =
|
|
|
|
As of v2.4, "file" fw_cfg items (i.e., items with selector keys above
|
|
FW_CFG_FILE_FIRST, and with a corresponding entry in the fw_cfg file
|
|
directory structure) may be inserted via the QEMU command line, using
|
|
the following syntax:
|
|
|
|
-fw_cfg [name=]<item_name>,file=<path>
|
|
|
|
Or
|
|
|
|
-fw_cfg [name=]<item_name>,string=<string>
|
|
|
|
See QEMU man page for more documentation.
|
|
|
|
Using item_name with plain ASCII characters only is recommended.
|
|
|
|
Item names beginning with "opt/" are reserved for users. QEMU will
|
|
never create entries with such names unless explicitly ordered by the
|
|
user.
|
|
|
|
To avoid clashes among different users, it is strongly recommended
|
|
that you use names beginning with opt/RFQDN/, where RFQDN is a reverse
|
|
fully qualified domain name you control. For instance, if SeaBIOS
|
|
wanted to define additional names, the prefix "opt/org.seabios/" would
|
|
be appropriate.
|
|
|
|
For historical reasons, "opt/ovmf/" is reserved for OVMF firmware.
|
|
|
|
Prefix "opt/org.qemu/" is reserved for QEMU itself.
|
|
|
|
Use of names not beginning with "opt/" is potentially dangerous and
|
|
entirely unsupported. QEMU will warn if you try.
|
|
|
|
All externally provided fw_cfg items are read-only to the guest.
|