<html><body><p><font size="2">Hi Marty,</font><br><br><tt><font size="2">> Very cool tricks, thanks. One(?) more question: I assume that<br>> Kernel Address : 0xfffe8998<br>> is where jump_to_kernel executes; I can't quite locate this entry point<br>> in the disassembly (obviously this address exists but it doesn't appear<br>> to be an entry point/function start). I'm interested in this bit as it<br></font></tt><br><tt><font size="2">The OTPROM (burnt into the chip, can't change -- </font></tt><tt><font size="2">src/boot/otprom_init.S)</font></tt><br><tt><font size="2">will read the start of the XIP image, check the magic and jump to the </font></tt><br><tt><font size="2">address listed in next 8 bytes (here it is 0xFF800244):</font></tt><br><tt><font size="2">00000000 58 49 50 20 53 45 50 4d 00 00 00 00 ff 80 02 44 |XIP SEPM.......D|</font></tt><br><br><tt><font size="2">This lines up with the L1 loader:</font></tt><br><tt><font size="2">> L1 Loader Address : 0xff800244</font></tt><br><tt><font size="2">> .loader_text 4 0 0x00000200 0x0000039b 0x0000019c (412) </font></tt><br><br><br><tt><font size="2">==========</font></tt><br><tt><font size="2">The L1 loader (src/boot/loader_l1.S) will load the PIBMEM (SBE RAM) repairs</font></tt><br><tt><font size="2">and then copies the L2 Loader from seeprom into PIBMEM. Note that this</font></tt><br><tt><font size="2">runs without a stack. 
The load address is hardcoded:</font></tt><br><br><tt><font size="2"> _liw %r3, SBE_LOADER_BASE_SECTION # Source on SEEPROM: 0xF80000B8</font></tt><br><tt><font size="2"> _liw %r4, SBE_LOADER_BASE_ORIGIN # dest in PIBMEM</font></tt><br><tt><font size="2">/// Each section table entry is 12 bytes(SIZE_OF_SBE_XIP_SECTION) size,</font></tt><br><tt><font size="2">// Base Loader is 10 th (P9_XIP_SECTION_BASELOADER) section</font></tt><br><tt><font size="2">#define SBE_LOADER_BASE_SECTION SBE_SEEPROM_BASE_ORIGIN + SBE_XIP_TOC_OFFSET \</font></tt><br><tt><font size="2"> + 120</font></tt><br><tt><font size="2">#define SBE_LOADER_BASE_ORIGIN 0xFFFFE400</font></tt><br><tt><font size="2">> L2 Loader Address : 0xffffe400</font></tt><br><tt><font size="2">> .baseloader 8 0 0x0001f820 0</font></tt><tt><font size="2">x0001fb2f 0x00000310 (784)</font></tt><br><tt><font size="2">000000b0 00 01 03 b3 04 00 00 00 </font></tt><tt><b><font size="2">00 01 f8 20</font></b></tt><tt><font size="2"> 00 00 03 10 |........... ....|</font></tt><br><br><br><tt><font size="2">===========</font></tt><br><tt><font size="2">The L2 loader (</font></tt><tt><font size="2">src/boot/loader_l2_setup.S, </font></tt><tt><font size="2">src/boot/loader_l2.c</font></tt><tt><font size="2">) then loads </font></tt><br><tt><font size="2">the SBE kernel/payload proper while running in PIBMEM, where it can have</font></tt><br><font size="2">a stack.</font><br><br><tt><font size="2">loadSection(&(hdr->iv_section[P9_XIP_SECTION_SBE_BASE]), pibMemAddr);</font></tt><br><tt><font size="2"> // Set the IVPR register. 
This is required so that interrupt vector table</font></tt><br><tt><font size="2"> // points to pk interfaces.</font></tt><br><tt><font size="2"> uint64_t data = (uint64_t)(SBE_BASE_ORIGIN) << 32;</font></tt><br><tt><font size="2"> PPE_STVD(g_ivprLoc, data);</font></tt><br><tt><font size="2"> // Jump to pk boot function</font></tt><br><tt><font size="2"> uint32_t addr = hdr->iv_kernelAddr;</font></tt><br><tt><font size="2"> JUMP_TO_ADDR(addr);</font></tt><br><br><tt><font size="2">000000a0 00 00 00 00 00 00 00 00 08 00 00 00 </font></tt><tt><b><font size="2">00 01 fb 30</font></b></tt><tt><font size="2"> |...............0|</font></tt><br><tt><font size="2">000000b0 00 01 03 b3 04 00 00 00 00 01 f8 20 00 00 03 10 |........... ....|</font></tt><br><tt><font size="2">> .base 4 0 0x0001fb30 0x0002fee2 0x000103b3 (66483)</font></tt><br><tt><font size="2">The hdr is the XIP TOC header so the jump point is here:</font></tt><br><tt><font size="2">> Kernel Address : 0xfffe8998</font></tt><br><tt><font size="2">which can be found in </font></tt><tt><font size="2">output/build/sbe-<commit number>/images/sbe_seeprom_DD2.dis</font></tt><tt><font size="2"> </font></tt><br><tt><font size="2">as fffe8998 <__pk_boot>:</font></tt><br><br><tt><font size="2">this is added to the sbe.bin xip file with:</font></tt><br><tt><font size="2">output/build/sbe-<commit>/src/build/Makefile: $(P9_XIP_TOOL) $(IMG_DIR)/$(IMAGE_NAME).bin \</font></tt><br><tt><font size="2"> set kernelAddr 0x`nm $(IMG_DIR)/$(IMAGE_NAME).out | grep __pk_boot | cut -f 1 -d " "`</font></tt><br><br><br><tt><font size="2">> (if I understand corr</font></tt><tt><font size="2">ectly) is the actual sbe code running (the stuff<br>> prior is just setting up stuff for it to run) and contains the meat of<br>> the code which I'd have to understand for a coreboot port.<br></font></tt><br><tt><font size="2">I think we might be talking past each other :) The above information goes </font></tt><br><tt><font size="2">into details on 
how the SBE operates, but from what I understand you want to</font></tt><br><tt><font size="2">put the coreboot file system on the PNOR? The SBE proper _never_ accesses the</font></tt><br><tt><font size="2">PNOR directly. The first thing that touches the PNOR is the Hostboot boot loader</font></tt><br><tt><font size="2">(which is loaded by the SBE into the P9 cache and is executed by the P9 core itself).</font></tt><br><br><tt><font size="2">Unless you want to run coreboot _from_ the SBE (limited environment and I don't see</font></tt><br><tt><font size="2">the value?) I would recommend focusing on modifications to the Hostboot bootloader.</font></tt><br><tt><font size="2">The Hostboot bootloader (HBBL) is part of the SBE SEEPROM customized in by Hostboot --</font></tt><br><tt><font size="2">but it doesn't execute on the SBE. It is the first thing the P9 core executes. </font></tt><br><tt><font size="2">That seems like the logical hook point to me?</font></tt><br><br><font size="2">Dean Sanner<br>dsanner@us.ibm.com<br></font><br><BR>
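<p><font size="2">The header fields walked through in the mail above, decoded and sanity-checked in one place. This is an added example, not code from the mail or from the SBE project. The function names are hypothetical, and it assumes a section table starting at 0x40 (0xB8 minus 120), entries that begin with a big-endian 32-bit offset followed by a 32-bit size, and a SEEPROM base of 0xFF800000.</font></p>
<pre>
```python
import struct

XIP_MAGIC = b"XIP SEPM"        # magic at offset 0 in the hexdump above
SECTION_ENTRY_SIZE = 12        # SIZE_OF_SBE_XIP_SECTION in the quoted comment
BASELOADER_INDEX = 120 // 12   # "+ 120" in SBE_LOADER_BASE_SECTION
BASE_INDEX = BASELOADER_INDEX - 1   # assumption: .base entry sits at 0xAC
TOC_OFFSET = 0xB8 - 120        # assumption: table start implied by 0x...B8
SEEPROM_BASE = 0xFF800000      # assumption: inferred from 0xFF800244 / 0x244


def entry_address(image):
    """Return the address OTPROM jumps to, after checking the magic."""
    if len(image[:16]) != 16 or image[:8] != XIP_MAGIC:
        raise ValueError("not an XIP SEPM image")
    return struct.unpack_from(">Q", image, 8)[0]


def section(image, index, image_size):
    """Decode offset and size of one big-endian section table entry."""
    pos = TOC_OFFSET + index * SECTION_ENTRY_SIZE
    if pos + SECTION_ENTRY_SIZE > len(image):
        raise ValueError("section table truncated")
    offset, size = struct.unpack_from(">II", image, pos)
    if offset + size > image_size:
        raise ValueError("section %d runs past the image" % index)
    return {"offset": offset, "size": size}


def address_in_section(addr, sec):
    """True if a SEEPROM address falls inside the given section."""
    off = addr - SEEPROM_BASE
    return off >= sec["offset"] and sec["offset"] + sec["size"] > off


def sample_header():
    """Constructed sample: only the three hexdump rows from the mail, rest zero."""
    img = bytearray(0xC4)
    img[0x00:0x10] = bytes.fromhex("584950205345504d00000000ff800244")
    img[0xA0:0xB0] = bytes.fromhex("000000000000000008000000" "0001fb30")
    img[0xB0:0xC0] = bytes.fromhex("000103b3040000000001f82000000310")
    return bytes(img)
```
</pre>
<p><font size="2">Pass the real image length as image_size when running this against a full sbe_seeprom image; the sample carries only the header rows quoted in the mail.</font></p>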
</body></html>