1 .. SPDX-License-Identifier: GPL-2.0
3 ===========================
4 The Linux/x86 Boot Protocol
5 ===========================
7 On the x86 platform, the Linux kernel uses a rather complicated boot
8 convention. This has evolved partially due to historical aspects, as
9 well as the desire in the early days to have the kernel itself be a
10 bootable image, the complicated PC memory model and due to changed
11 expectations in the PC industry caused by the effective demise of
12 real-mode DOS as a mainstream operating system.
14 Currently, the following versions of the Linux/x86 boot protocol exist.
16 ============= ============================================================
17 Old kernels zImage/Image support only. Some very early kernels
18 may not even support a command line.
20 Protocol 2.00 (Kernel 1.3.73) Added bzImage and initrd support, as
21 well as a formalized way to communicate between the
22 boot loader and the kernel. setup.S made relocatable,
23 although the traditional setup area still assumed
26 Protocol 2.01 (Kernel 1.3.76) Added a heap overrun warning.
28 Protocol 2.02 (Kernel 2.4.0-test3-pre3) New command line protocol.
29 Lower the conventional memory ceiling. No overwrite
30 of the traditional setup area, thus making booting
31 safe for systems which use the EBDA from SMM or 32-bit
32 BIOS entry points. zImage deprecated but still
35 Protocol 2.03 (Kernel 2.4.18-pre1) Explicitly makes the highest possible
36 initrd address available to the bootloader.
38 Protocol 2.04 (Kernel 2.6.14) Extend the syssize field to four bytes.
40 Protocol 2.05 (Kernel 2.6.20) Make protected mode kernel relocatable.
41 Introduce relocatable_kernel and kernel_alignment fields.
43 Protocol 2.06 (Kernel 2.6.22) Added a field that contains the size of
44 the boot command line.
46 Protocol 2.07 (Kernel 2.6.24) Added paravirtualised boot protocol.
47 Introduced hardware_subarch and hardware_subarch_data
48 and KEEP_SEGMENTS flag in load_flags.
50 Protocol 2.08 (Kernel 2.6.26) Added crc32 checksum and ELF format
51 payload. Introduced payload_offset and payload_length
52 fields to aid in locating the payload.
54 Protocol 2.09 (Kernel 2.6.26) Added a field of 64-bit physical
55 pointer to single linked list of struct setup_data.
57 Protocol 2.10 (Kernel 2.6.31) Added a protocol for relaxed alignment
58 beyond the kernel_alignment added, new init_size and
59 pref_address fields. Added extended boot loader IDs.
61 Protocol 2.11 (Kernel 3.6) Added a field for offset of EFI handover
64 Protocol 2.12 (Kernel 3.8) Added the xloadflags field and extension fields
65 to struct boot_params for loading bzImage and ramdisk
68 Protocol 2.13 (Kernel 3.14) Support 32- and 64-bit flags being set in
69 xloadflags to support booting a 64-bit kernel from 32-bit
72 Protocol 2.14: BURNT BY INCORRECT COMMIT ae7e1238e68f2a472a125673ab506d49158c1889
73 (x86/boot: Add ACPI RSDP address to setup_header)
74 DO NOT USE!!! ASSUME SAME AS 2.13.
76 Protocol 2.15: (Kernel 5.5) Added the kernel_info and kernel_info.setup_type_max.
77 ============= ============================================================
80 The protocol version number should be changed only if the setup header
81 is changed. There is no need to update the version number if boot_params
82 or kernel_info are changed. Additionally, it is recommended to use
83 xloadflags (in this case the protocol version number should not be
84 updated either) or kernel_info to communicate supported Linux kernel
85 features to the boot loader. Due to very limited space available in
86 the original setup header every update to it should be considered
87 with great care. Starting from the protocol 2.15 the primary way to
88 communicate things to the boot loader is the kernel_info.
94 The traditional memory map for the kernel loader, used for Image or
95 zImage kernels, typically looks like::
98 0A0000 +------------------------+
99 | Reserved for BIOS | Do not use. Reserved for BIOS EBDA.
100 09A000 +------------------------+
102 | Stack/heap | For use by the kernel real-mode code.
103 098000 +------------------------+
104 | Kernel setup | The kernel real-mode code.
105 090200 +------------------------+
106 | Kernel boot sector | The kernel legacy boot sector.
107 090000 +------------------------+
108 | Protected-mode kernel | The bulk of the kernel image.
109 010000 +------------------------+
110 | Boot loader | <- Boot sector entry point 0000:7C00
111 001000 +------------------------+
112 | Reserved for MBR/BIOS |
113 000800 +------------------------+
114 | Typically used by MBR |
115 000600 +------------------------+
117 000000 +------------------------+
119 When using bzImage, the protected-mode kernel was relocated to
120 0x100000 ("high memory"), and the kernel real-mode block (boot sector,
121 setup, and stack/heap) was made relocatable to any address between
122 0x10000 and end of low memory. Unfortunately, in protocols 2.00 and
123 2.01 the 0x90000+ memory range is still used internally by the kernel;
124 the 2.02 protocol resolves that problem.
126 It is desirable to keep the "memory ceiling" -- the highest point in
127 low memory touched by the boot loader -- as low as possible, since
128 some newer BIOSes have begun to allocate some rather large amounts of
129 memory, called the Extended BIOS Data Area, near the top of low
130 memory. The boot loader should use the "INT 12h" BIOS call to verify
131 how much low memory is available.
133 Unfortunately, if INT 12h reports that the amount of memory is too
134 low, there is usually nothing the boot loader can do but to report an
135 error to the user. The boot loader should therefore be designed to
136 take up as little space in low memory as it reasonably can. For
137 zImage or old bzImage kernels, which need data written into the
138 0x90000 segment, the boot loader should make sure not to use memory
139 above the 0x9A000 point; too many BIOSes will break above that point.
141 For a modern bzImage kernel with boot protocol version >= 2.02, a
142 memory layout like the following is suggested::
145 | Protected-mode kernel |
146 100000 +------------------------+
148 0A0000 +------------------------+
149 | Reserved for BIOS | Leave as much as possible unused
151 | Command line | (Can also be below the X+10000 mark)
152 X+10000 +------------------------+
153 | Stack/heap | For use by the kernel real-mode code.
154 X+08000 +------------------------+
155 | Kernel setup | The kernel real-mode code.
156 | Kernel boot sector | The kernel legacy boot sector.
157 X +------------------------+
158 | Boot loader | <- Boot sector entry point 0000:7C00
159 001000 +------------------------+
160 | Reserved for MBR/BIOS |
161 000800 +------------------------+
162 | Typically used by MBR |
163 000600 +------------------------+
165 000000 +------------------------+
167 ... where the address X is as low as the design of the boot loader permits.
170 The Real-Mode Kernel Header
171 ===========================
173 In the following text, and anywhere in the kernel boot sequence, "a
174 sector" refers to 512 bytes. It is independent of the actual sector
175 size of the underlying medium.
177 The first step in loading a Linux kernel should be to load the
178 real-mode code (boot sector and setup code) and then examine the
179 following header at offset 0x01f1. The real-mode code can total up to
180 32K, although the boot loader may choose to load only the first two
181 sectors (1K) and then examine the bootup sector size.
183 The header looks like:
185 =========== ======== ===================== ============================================
186 Offset/Size Proto Name Meaning
187 =========== ======== ===================== ============================================
188 01F1/1 ALL(1) setup_sects The size of the setup in sectors
189 01F2/2 ALL root_flags If set, the root is mounted readonly
190 01F4/4 2.04+(2) syssize The size of the 32-bit code in 16-byte paras
191 01F8/2 ALL ram_size DO NOT USE - for bootsect.S use only
192 01FA/2 ALL vid_mode Video mode control
193 01FC/2 ALL root_dev Default root device number
194 01FE/2 ALL boot_flag 0xAA55 magic number
195 0200/2 2.00+ jump Jump instruction
196 0202/4 2.00+ header Magic signature "HdrS"
197 0206/2 2.00+ version Boot protocol version supported
198 0208/4 2.00+ realmode_swtch Boot loader hook (see below)
199 020C/2 2.00+ start_sys_seg The load-low segment (0x1000) (obsolete)
200 020E/2 2.00+ kernel_version Pointer to kernel version string
201 0210/1 2.00+ type_of_loader Boot loader identifier
202 0211/1 2.00+ loadflags Boot protocol option flags
203 0212/2 2.00+ setup_move_size Move to high memory size (used with hooks)
204 0214/4 2.00+ code32_start Boot loader hook (see below)
205 0218/4 2.00+ ramdisk_image initrd load address (set by boot loader)
206 021C/4 2.00+ ramdisk_size initrd size (set by boot loader)
207 0220/4 2.00+ bootsect_kludge DO NOT USE - for bootsect.S use only
208 0224/2 2.01+ heap_end_ptr Free memory after setup end
209 0226/1 2.02+(3) ext_loader_ver Extended boot loader version
210 0227/1 2.02+(3) ext_loader_type Extended boot loader ID
211 0228/4 2.02+ cmd_line_ptr 32-bit pointer to the kernel command line
212 022C/4 2.03+ initrd_addr_max Highest legal initrd address
213 0230/4 2.05+ kernel_alignment Physical addr alignment required for kernel
214 0234/1 2.05+ relocatable_kernel Whether kernel is relocatable or not
215 0235/1 2.10+ min_alignment Minimum alignment, as a power of two
216 0236/2 2.12+ xloadflags Boot protocol option flags
217 0238/4 2.06+ cmdline_size Maximum size of the kernel command line
218 023C/4 2.07+ hardware_subarch Hardware subarchitecture
219 0240/8 2.07+ hardware_subarch_data Subarchitecture-specific data
220 0248/4 2.08+ payload_offset Offset of kernel payload
221 024C/4 2.08+ payload_length Length of kernel payload
222 0250/8 2.09+ setup_data 64-bit physical pointer to linked list
224 0258/8 2.10+ pref_address Preferred loading address
225 0260/4 2.10+ init_size Linear memory required during initialization
226 0264/4 2.11+ handover_offset Offset of handover entry point
227 0268/4 2.15+ kernel_info_offset Offset of the kernel_info
228 =========== ======== ===================== ============================================
231 (1) For backwards compatibility, if the setup_sects field contains 0, the
234 (2) For boot protocol prior to 2.04, the upper two bytes of the syssize
235 field are unusable, which means the size of a bzImage kernel
236 cannot be determined.
238 (3) Ignored, but safe to set, for boot protocols 2.02-2.09.
240 If the "HdrS" (0x53726448) magic number is not found at offset 0x202,
241 the boot protocol version is "old". Loading an old kernel, the
242 following parameters should be assumed::
246 Real-mode kernel must be located at 0x90000.
248 Otherwise, the "version" field contains the protocol version,
249 e.g. protocol version 2.01 will contain 0x0201 in this field. When
250 setting fields in the header, you must make sure only to set fields
251 supported by the protocol version in use.
254 Details of Harder Fileds
255 ========================
257 For each field, some are information from the kernel to the bootloader
258 ("read"), some are expected to be filled out by the bootloader
259 ("write"), and some are expected to be read and modified by the
260 bootloader ("modify").
262 All general purpose boot loaders should write the fields marked
263 (obligatory). Boot loaders who want to load the kernel at a
264 nonstandard address should fill in the fields marked (reloc); other
265 boot loaders can ignore those fields.
267 The byte order of all fields is littleendian (this is x86, after all.)
269 ============ ===========
270 Field name: setup_sects
274 ============ ===========
276 The size of the setup code in 512-byte sectors. If this field is
277 0, the real value is 4. The real-mode code consists of the boot
278 sector (always one 512-byte sector) plus the setup code.
280 ============ =================
281 Field name: root_flags
282 Type: modify (optional)
285 ============ =================
287 If this field is nonzero, the root defaults to readonly. The use of
288 this field is deprecated; use the "ro" or "rw" options on the
289 command line instead.
291 ============ ===============================================
294 Offset/size: 0x1f4/4 (protocol 2.04+) 0x1f4/2 (protocol ALL)
296 ============ ===============================================
298 The size of the protected-mode code in units of 16-byte paragraphs.
299 For protocol versions older than 2.04 this field is only two bytes
300 wide, and therefore cannot be trusted for the size of a kernel if
301 the LOAD_HIGH flag is set.
303 ============ ===============
305 Type: kernel internal
308 ============ ===============
310 This field is obsolete.
312 ============ ===================
314 Type: modify (obligatory)
316 ============ ===================
318 Please see the section on SPECIAL COMMAND LINE OPTIONS.
320 ============ =================
322 Type: modify (optional)
325 ============ =================
327 The default root device device number. The use of this field is
328 deprecated, use the "root=" option on the command line instead.
330 ============ =========
331 Field name: boot_flag
335 ============ =========
337 Contains 0xAA55. This is the closest thing old Linux kernels have
347 Contains an x86 jump instruction, 0xEB followed by a signed offset
348 relative to byte 0x202. This can be used to determine the size of
358 Contains the magic number "HdrS" (0x53726448).
367 Contains the boot protocol version, in (major << 8)+minor format,
368 e.g. 0x0204 for version 2.04, and 0x0a11 for a hypothetical version
371 ============ =================
372 Field name: realmode_swtch
373 Type: modify (optional)
376 ============ =================
378 Boot loader hook (see ADVANCED BOOT LOADER HOOKS below.)
380 ============ =============
381 Field name: start_sys_seg
385 ============ =============
387 The load low segment (0x1000). Obsolete.
389 ============ ==============
390 Field name: kernel_version
394 ============ ==============
396 If set to a nonzero value, contains a pointer to a NUL-terminated
397 human-readable kernel version number string, less 0x200. This can
398 be used to display the kernel version to the user. This value
399 should be less than (0x200*setup_sects).
401 For example, if this value is set to 0x1c00, the kernel version
402 number string can be found at offset 0x1e00 in the kernel file.
403 This is a valid value if and only if the "setup_sects" field
404 contains the value 15 or higher, as::
406 0x1c00 < 15*0x200 (= 0x1e00) but
407 0x1c00 >= 14*0x200 (= 0x1c00)
409 0x1c00 >> 9 = 14, So the minimum value for setup_secs is 15.
411 ============ ==================
412 Field name: type_of_loader
413 Type: write (obligatory)
416 ============ ==================
418 If your boot loader has an assigned id (see table below), enter
419 0xTV here, where T is an identifier for the boot loader and V is
420 a version number. Otherwise, enter 0xFF here.
422 For boot loader IDs above T = 0xD, write T = 0xE to this field and
423 write the extended ID minus 0x10 to the ext_loader_type field.
424 Similarly, the ext_loader_ver field can be used to provide more than
425 four bits for the bootloader version.
427 For example, for T = 0x15, V = 0x234, write::
429 type_of_loader <- 0xE4
430 ext_loader_type <- 0x05
431 ext_loader_ver <- 0x23
433 Assigned boot loader ids (hexadecimal):
435 == =======================================
437 (0x00 reserved for pre-2.00 bootloader)
440 (0x20, all other values reserved)
442 4 Etherboot/gPXE/iPXE
449 C Arcturus Networks uCbootloader
451 E Extended (see ext_loader_type)
452 F Special (0xFF = undefined)
454 11 Minimal Linux Bootloader
455 <http://sebastian-plotz.blogspot.de>
456 12 OVMF UEFI virtualization stack
457 == =======================================
459 Please contact <hpa@zytor.com> if you need a bootloader ID value assigned.
461 ============ ===================
462 Field name: loadflags
463 Type: modify (obligatory)
466 ============ ===================
468 This field is a bitmask.
470 Bit 0 (read): LOADED_HIGH
472 - If 0, the protected-mode code is loaded at 0x10000.
473 - If 1, the protected-mode code is loaded at 0x100000.
475 Bit 1 (kernel internal): KASLR_FLAG
477 - Used internally by the compressed kernel to communicate
478 KASLR status to kernel proper.
480 - If 1, KASLR enabled.
481 - If 0, KASLR disabled.
483 Bit 5 (write): QUIET_FLAG
485 - If 0, print early messages.
486 - If 1, suppress early messages.
488 This requests to the kernel (decompressor and early
489 kernel) to not write early messages that require
490 accessing the display hardware directly.
492 Bit 6 (write): KEEP_SEGMENTS
496 - If 0, reload the segment registers in the 32bit entry point.
497 - If 1, do not reload the segment registers in the 32bit entry point.
499 Assume that %cs %ds %ss %es are all set to flat segments with
500 a base of 0 (or the equivalent for their environment).
502 Bit 7 (write): CAN_USE_HEAP
504 Set this bit to 1 to indicate that the value entered in the
505 heap_end_ptr is valid. If this field is clear, some setup code
506 functionality will be disabled.
509 ============ ===================
510 Field name: setup_move_size
511 Type: modify (obligatory)
514 ============ ===================
516 When using protocol 2.00 or 2.01, if the real mode kernel is not
517 loaded at 0x90000, it gets moved there later in the loading
518 sequence. Fill in this field if you want additional data (such as
519 the kernel command line) moved in addition to the real-mode kernel
522 The unit is bytes starting with the beginning of the boot sector.
524 This field is can be ignored when the protocol is 2.02 or higher, or
525 if the real-mode code is loaded at 0x90000.
527 ============ ========================
528 Field name: code32_start
529 Type: modify (optional, reloc)
532 ============ ========================
534 The address to jump to in protected mode. This defaults to the load
535 address of the kernel, and can be used by the boot loader to
536 determine the proper load address.
538 This field can be modified for two purposes:
540 1. as a boot loader hook (see Advanced Boot Loader Hooks below.)
542 2. if a bootloader which does not install a hook loads a
543 relocatable kernel at a nonstandard address it will have to modify
544 this field to point to the load address.
546 ============ ==================
547 Field name: ramdisk_image
548 Type: write (obligatory)
551 ============ ==================
553 The 32-bit linear address of the initial ramdisk or ramfs. Leave at
554 zero if there is no initial ramdisk/ramfs.
556 ============ ==================
557 Field name: ramdisk_size
558 Type: write (obligatory)
561 ============ ==================
563 Size of the initial ramdisk or ramfs. Leave at zero if there is no
564 initial ramdisk/ramfs.
566 ============ ===============
567 Field name: bootsect_kludge
568 Type: kernel internal
571 ============ ===============
573 This field is obsolete.
575 ============ ==================
576 Field name: heap_end_ptr
577 Type: write (obligatory)
580 ============ ==================
582 Set this field to the offset (from the beginning of the real-mode
583 code) of the end of the setup stack/heap, minus 0x0200.
585 ============ ================
586 Field name: ext_loader_ver
587 Type: write (optional)
590 ============ ================
592 This field is used as an extension of the version number in the
593 type_of_loader field. The total version number is considered to be
594 (type_of_loader & 0x0f) + (ext_loader_ver << 4).
596 The use of this field is boot loader specific. If not written, it
599 Kernels prior to 2.6.31 did not recognize this field, but it is safe
600 to write for protocol version 2.02 or higher.
602 ============ =====================================================
603 Field name: ext_loader_type
604 Type: write (obligatory if (type_of_loader & 0xf0) == 0xe0)
607 ============ =====================================================
609 This field is used as an extension of the type number in
610 type_of_loader field. If the type in type_of_loader is 0xE, then
611 the actual type is (ext_loader_type + 0x10).
613 This field is ignored if the type in type_of_loader is not 0xE.
615 Kernels prior to 2.6.31 did not recognize this field, but it is safe
616 to write for protocol version 2.02 or higher.
618 ============ ==================
619 Field name: cmd_line_ptr
620 Type: write (obligatory)
623 ============ ==================
625 Set this field to the linear address of the kernel command line.
626 The kernel command line can be located anywhere between the end of
627 the setup heap and 0xA0000; it does not have to be located in the
628 same 64K segment as the real-mode code itself.
630 Fill in this field even if your boot loader does not support a
631 command line, in which case you can point this to an empty string
632 (or better yet, to the string "auto".) If this field is left at
633 zero, the kernel will assume that your boot loader does not support
636 ============ ===============
637 Field name: initrd_addr_max
641 ============ ===============
643 The maximum address that may be occupied by the initial
644 ramdisk/ramfs contents. For boot protocols 2.02 or earlier, this
645 field is not present, and the maximum address is 0x37FFFFFF. (This
646 address is defined as the address of the highest safe byte, so if
647 your ramdisk is exactly 131072 bytes long and this field is
648 0x37FFFFFF, you can start your ramdisk at 0x37FE0000.)
650 ============ ============================
651 Field name: kernel_alignment
652 Type: read/modify (reloc)
654 Protocol: 2.05+ (read), 2.10+ (modify)
655 ============ ============================
657 Alignment unit required by the kernel (if relocatable_kernel is
658 true.) A relocatable kernel that is loaded at an alignment
659 incompatible with the value in this field will be realigned during
660 kernel initialization.
662 Starting with protocol version 2.10, this reflects the kernel
663 alignment preferred for optimal performance; it is possible for the
664 loader to modify this field to permit a lesser alignment. See the
665 min_alignment and pref_address field below.
667 ============ ==================
668 Field name: relocatable_kernel
672 ============ ==================
674 If this field is nonzero, the protected-mode part of the kernel can
675 be loaded at any address that satisfies the kernel_alignment field.
676 After loading, the boot loader must set the code32_start field to
677 point to the loaded code, or to a boot loader hook.
679 ============ =============
680 Field name: min_alignment
684 ============ =============
686 This field, if nonzero, indicates as a power of two the minimum
687 alignment required, as opposed to preferred, by the kernel to boot.
688 If a boot loader makes use of this field, it should update the
689 kernel_alignment field with the alignment unit desired; typically::
691 kernel_alignment = 1 << min_alignment
693 There may be a considerable performance cost with an excessively
694 misaligned kernel. Therefore, a loader should typically try each
695 power-of-two alignment from kernel_alignment down to this alignment.
697 ============ ==========
698 Field name: xloadflags
702 ============ ==========
704 This field is a bitmask.
706 Bit 0 (read): XLF_KERNEL_64
708 - If 1, this kernel has the legacy 64-bit entry point at 0x200.
710 Bit 1 (read): XLF_CAN_BE_LOADED_ABOVE_4G
712 - If 1, kernel/boot_params/cmdline/ramdisk can be above 4G.
714 Bit 2 (read): XLF_EFI_HANDOVER_32
716 - If 1, the kernel supports the 32-bit EFI handoff entry point
717 given at handover_offset.
719 Bit 3 (read): XLF_EFI_HANDOVER_64
721 - If 1, the kernel supports the 64-bit EFI handoff entry point
722 given at handover_offset + 0x200.
724 Bit 4 (read): XLF_EFI_KEXEC
726 - If 1, the kernel supports kexec EFI boot with EFI runtime support.
729 ============ ============
730 Field name: cmdline_size
734 ============ ============
736 The maximum size of the command line without the terminating
737 zero. This means that the command line can contain at most
738 cmdline_size characters. With protocol version 2.05 and earlier, the
739 maximum size was 255.
741 ============ ====================================
742 Field name: hardware_subarch
743 Type: write (optional, defaults to x86/PC)
746 ============ ====================================
748 In a paravirtualized environment the hardware low level architectural
749 pieces such as interrupt handling, page table handling, and
750 accessing process control registers needs to be done differently.
752 This field allows the bootloader to inform the kernel we are in one
753 one of those environments.
755 ========== ==============================
756 0x00000000 The default x86/PC environment
759 0x00000003 Moorestown MID
760 0x00000004 CE4100 TV Platform
761 ========== ==============================
763 ============ =========================
764 Field name: hardware_subarch_data
765 Type: write (subarch-dependent)
768 ============ =========================
770 A pointer to data that is specific to hardware subarch
771 This field is currently unused for the default x86/PC environment,
774 ============ ==============
775 Field name: payload_offset
779 ============ ==============
781 If non-zero then this field contains the offset from the beginning
782 of the protected-mode code to the payload.
784 The payload may be compressed. The format of both the compressed and
785 uncompressed data should be determined using the standard magic
786 numbers. The currently supported compression formats are gzip
787 (magic numbers 1F 8B or 1F 9E), bzip2 (magic number 42 5A), LZMA
788 (magic number 5D 00), XZ (magic number FD 37), and LZ4 (magic number
789 02 21). The uncompressed payload is currently always ELF (magic
792 ============ ==============
793 Field name: payload_length
797 ============ ==============
799 The length of the payload.
801 ============ ===============
802 Field name: setup_data
803 Type: write (special)
806 ============ ===============
808 The 64-bit physical pointer to NULL terminated single linked list of
809 struct setup_data. This is used to define a more extensible boot
810 parameters passing mechanism. The definition of struct setup_data is
820 Where, the next is a 64-bit physical pointer to the next node of
821 linked list, the next field of the last node is 0; the type is used
822 to identify the contents of data; the len is the length of data
823 field; the data holds the real payload.
825 This list may be modified at a number of points during the bootup
826 process. Therefore, when modifying this list one should always make
827 sure to consider the case where the linked list already contains
830 The setup_data is a bit awkward to use for extremely large data objects,
831 both because the setup_data header has to be adjacent to the data object
832 and because it has a 32-bit length field. However, it is important that
833 intermediate stages of the boot process have a way to identify which
834 chunks of memory are occupied by kernel data.
836 Thus setup_indirect struct and SETUP_INDIRECT type were introduced in
839 struct setup_indirect {
841 __u32 reserved; /* Reserved, must be set to zero. */
846 The type member is a SETUP_INDIRECT | SETUP_* type. However, it cannot be
847 SETUP_INDIRECT itself since making the setup_indirect a tree structure
848 could require a lot of stack space in something that needs to parse it
849 and stack space can be limited in boot contexts.
851 Let's give an example how to point to SETUP_E820_EXT data using setup_indirect.
852 In this case setup_data and setup_indirect will look like this:
855 __u64 next = 0 or <addr_of_next_setup_data_struct>;
856 __u32 type = SETUP_INDIRECT;
857 __u32 len = sizeof(setup_data);
858 __u8 data[sizeof(setup_indirect)] = struct setup_indirect {
859 __u32 type = SETUP_INDIRECT | SETUP_E820_EXT;
861 __u64 len = <len_of_SETUP_E820_EXT_data>;
862 __u64 addr = <addr_of_SETUP_E820_EXT_data>;
867 SETUP_INDIRECT | SETUP_NONE objects cannot be properly distinguished
868 from SETUP_INDIRECT itself. So, this kind of objects cannot be provided
871 ============ ============
872 Field name: pref_address
876 ============ ============
878 This field, if nonzero, represents a preferred load address for the
879 kernel. A relocating bootloader should attempt to load at this
882 A non-relocatable kernel will unconditionally move itself and to run
886 Field name: init_size
891 This field indicates the amount of linear contiguous memory starting
892 at the kernel runtime start address that the kernel needs before it
893 is capable of examining its memory map. This is not the same thing
894 as the total amount of memory the kernel needs to boot, but it can
895 be used by a relocating boot loader to help select a safe load
896 address for the kernel.
898 The kernel runtime start address is determined by the following algorithm::
900 if (relocatable_kernel)
901 runtime_start = align_up(load_address, kernel_alignment)
903 runtime_start = pref_address
905 ============ ===============
906 Field name: handover_offset
909 ============ ===============
911 This field is the offset from the beginning of the kernel image to
912 the EFI handover protocol entry point. Boot loaders using the EFI
913 handover protocol to boot the kernel should jump to this offset.
915 See EFI HANDOVER PROTOCOL below for more details.
917 ============ ==================
918 Field name: kernel_info_offset
922 ============ ==================
924 This field is the offset from the beginning of the kernel image to the
925 kernel_info. The kernel_info structure is embedded in the Linux image
926 in the uncompressed protected mode region.
932 The relationships between the headers are analogous to the various data
936 boot_params/setup_data = .bss
938 What is missing from the above list? That's right:
940 kernel_info = .rodata
942 We have been (ab)using .data for things that could go into .rodata or .bss for
943 a long time, for lack of alternatives and -- especially early on -- inertia.
944 Also, the BIOS stub is responsible for creating boot_params, so it isn't
945 available to a BIOS-based loader (setup_data is, though).
947 setup_header is permanently limited to 144 bytes due to the reach of the
948 2-byte jump field, which doubles as a length field for the structure, combined
949 with the size of the "hole" in struct boot_params that a protected-mode loader
950 or the BIOS stub has to copy it into. It is currently 119 bytes long, which
951 leaves us with 25 very precious bytes. This isn't something that can be fixed
952 without revising the boot protocol entirely, breaking backwards compatibility.
954 boot_params proper is limited to 4096 bytes, but can be arbitrarily extended
955 by adding setup_data entries. It cannot be used to communicate properties of
956 the kernel image, because it is .bss and has no image-provided content.
958 kernel_info solves this by providing an extensible place for information about
959 the kernel image. It is readonly, because the kernel cannot rely on a
960 bootloader copying its contents anywhere, but that is OK; if it becomes
961 necessary it can still contain data items that an enabled bootloader would be
962 expected to copy into a setup_data chunk.
964 All kernel_info data should be part of this structure. Fixed size data have to
965 be put before kernel_info_var_len_data label. Variable size data have to be put
966 after kernel_info_var_len_data label. Each chunk of variable size data has to
967 be prefixed with header/magic and its size, e.g.:
970 .ascii "LToP" /* Header, Linux top (structure). */
971 .long kernel_info_var_len_data - kernel_info
972 .long kernel_info_end - kernel_info
973 .long 0x01234567 /* Some fixed size data for the bootloaders. */
974 kernel_info_var_len_data:
975 example_struct: /* Some variable size data for the bootloaders. */
976 .ascii "0123" /* Header/Magic. */
977 .long example_struct_end - example_struct
981 example_strings: /* Some variable size data for the bootloaders. */
982 .ascii "ABCD" /* Header/Magic. */
983 .long example_strings_end - example_strings
989 This way the kernel_info is self-contained blob.
992 Each variable size data header/magic can be any 4-character string,
993 without \0 at the end of the string, which does not collide with
994 existing variable length data headers/magics.
997 Details of the kernel_info Fields
998 =================================
1000 ============ ========
1002 Offset/size: 0x0000/4
1003 ============ ========
1005 Contains the magic number "LToP" (0x506f544c).
1007 ============ ========
1009 Offset/size: 0x0004/4
1010 ============ ========
1012 This field contains the size of the kernel_info including kernel_info.header.
1013 It does not count kernel_info.kernel_info_var_len_data size. This field should be
1014 used by the bootloaders to detect supported fixed size fields in the kernel_info
1015 and beginning of kernel_info.kernel_info_var_len_data.
1017 ============ ========
1018 Field name: size_total
1019 Offset/size: 0x0008/4
1020 ============ ========
1022 This field contains the size of the kernel_info including kernel_info.header
1023 and kernel_info.kernel_info_var_len_data.
1025 ============ ==============
1026 Field name: setup_type_max
1027 Offset/size: 0x000c/4
1028 ============ ==============
1030 This field contains maximal allowed type for setup_data and setup_indirect structs.
1036 From boot protocol version 2.08 onwards the CRC-32 is calculated over
1037 the entire file using the characteristic polynomial 0x04C11DB7 and an
1038 initial remainder of 0xffffffff. The checksum is appended to the
1039 file; therefore the CRC of the file up to the limit specified in the
1040 syssize field of the header is always 0.
1043 The Kernel Command Line
1044 =======================
1046 The kernel command line has become an important way for the boot
1047 loader to communicate with the kernel. Some of its options are also
1048 relevant to the boot loader itself, see "special command line options"
1051 The kernel command line is a null-terminated string. The maximum
1052 length can be retrieved from the field cmdline_size. Before protocol
1053 version 2.06, the maximum was 255 characters. A string that is too
1054 long will be automatically truncated by the kernel.
1056 If the boot protocol version is 2.02 or later, the address of the
1057 kernel command line is given by the header field cmd_line_ptr (see
1058 above.) This address can be anywhere between the end of the setup
1061 If the protocol version is *not* 2.02 or higher, the kernel
1062 command line is entered using the following protocol:
1064 - At offset 0x0020 (word), "cmd_line_magic", enter the magic
1067 - At offset 0x0022 (word), "cmd_line_offset", enter the offset
1068 of the kernel command line (relative to the start of the
1071 - The kernel command line *must* be within the memory region
1072 covered by setup_move_size, so you may need to adjust this
1076 Memory Layout of The Real-Mode Code
1077 ===================================
1079 The real-mode code requires a stack/heap to be set up, as well as
1080 memory allocated for the kernel command line. This needs to be done
1081 in the real-mode accessible memory in bottom megabyte.
1083 It should be noted that modern machines often have a sizable Extended
1084 BIOS Data Area (EBDA). As a result, it is advisable to use as little
1085 of the low megabyte as possible.
1087 Unfortunately, under the following circumstances the 0x90000 memory
1088 segment has to be used:
1090 - When loading a zImage kernel ((loadflags & 0x01) == 0).
1091 - When loading a 2.01 or earlier boot protocol kernel.
1094 For the 2.00 and 2.01 boot protocols, the real-mode code
1095 can be loaded at another address, but it is internally
1096 relocated to 0x90000. For the "old" protocol, the
1097 real-mode code must be loaded at 0x90000.
1099 When loading at 0x90000, avoid using memory above 0x9a000.
1101 For boot protocol 2.02 or higher, the command line does not have to be
1102 located in the same 64K segment as the real-mode setup code; it is
1103 thus permitted to give the stack/heap the full 64K segment and locate
1104 the command line above it.
1106 The kernel command line should not be located below the real-mode
1107 code, nor should it be located in high memory.
1110 Sample Boot Configuartion
1111 =========================
1113 As a sample configuration, assume the following layout of the real
1116 When loading below 0x90000, use the entire segment:
1118 ============= ===================
1119 0x0000-0x7fff Real mode kernel
1120 0x8000-0xdfff Stack and heap
1121 0xe000-0xffff Kernel command line
1122 ============= ===================
1124 When loading at 0x90000 OR the protocol version is 2.01 or earlier:
1126 ============= ===================
1127 0x0000-0x7fff Real mode kernel
1128 0x8000-0x97ff Stack and heap
1129 0x9800-0x9fff Kernel command line
1130 ============= ===================
1132 Such a boot loader should enter the following fields in the header::
1134 unsigned long base_ptr; /* base address for real-mode segment */
1136 if ( setup_sects == 0 ) {
1140 if ( protocol >= 0x0200 ) {
1141 type_of_loader = <type code>;
1142 if ( loading_initrd ) {
1143 ramdisk_image = <initrd_address>;
1144 ramdisk_size = <initrd_size>;
1147 if ( protocol >= 0x0202 && loadflags & 0x01 )
1152 if ( protocol >= 0x0201 ) {
1153 heap_end_ptr = heap_end - 0x200;
1154 loadflags |= 0x80; /* CAN_USE_HEAP */
1157 if ( protocol >= 0x0202 ) {
1158 cmd_line_ptr = base_ptr + heap_end;
1159 strcpy(cmd_line_ptr, cmdline);
1161 cmd_line_magic = 0xA33F;
1162 cmd_line_offset = heap_end;
1163 setup_move_size = heap_end + strlen(cmdline)+1;
1164 strcpy(base_ptr+cmd_line_offset, cmdline);
1167 /* Very old kernel */
1171 cmd_line_magic = 0xA33F;
1172 cmd_line_offset = heap_end;
1174 /* A very old kernel MUST have its real-mode code
1175 loaded at 0x90000 */
1177 if ( base_ptr != 0x90000 ) {
1178 /* Copy the real-mode kernel */
1179 memcpy(0x90000, base_ptr, (setup_sects+1)*512);
1180 base_ptr = 0x90000; /* Relocated */
1183 strcpy(0x90000+cmd_line_offset, cmdline);
1185 /* It is recommended to clear memory up to the 32K mark */
1186 memset(0x90000 + (setup_sects+1)*512, 0,
1187 (64-(setup_sects+1))*512);
1191 Loading The Rest of The Kernel
1192 ==============================
1194 The 32-bit (non-real-mode) kernel starts at offset (setup_sects+1)*512
1195 in the kernel file (again, if setup_sects == 0 the real value is 4.)
1196 It should be loaded at address 0x10000 for Image/zImage kernels and
1197 0x100000 for bzImage kernels.
1199 The kernel is a bzImage kernel if the protocol >= 2.00 and the 0x01
1200 bit (LOAD_HIGH) in the loadflags field is set::
1202 is_bzImage = (protocol >= 0x0200) && (loadflags & 0x01);
1203 load_address = is_bzImage ? 0x100000 : 0x10000;
1205 Note that Image/zImage kernels can be up to 512K in size, and thus use
1206 the entire 0x10000-0x90000 range of memory. This means it is pretty
1207 much a requirement for these kernels to load the real-mode part at
1208 0x90000. bzImage kernels allow much more flexibility.
1210 Special Command Line Options
1211 ============================
1213 If the command line provided by the boot loader is entered by the
1214 user, the user may expect the following command line options to work.
1215 They should normally not be deleted from the kernel command line even
1216 though not all of them are actually meaningful to the kernel. Boot
1217 loader authors who need additional command line options for the boot
1218 loader itself should get them registered in
1219 Documentation/admin-guide/kernel-parameters.rst to make sure they will not
1220 conflict with actual kernel options now or in the future.
1223 <mode> here is either an integer (in C notation, either
1224 decimal, octal, or hexadecimal) or one of the strings
1225 "normal" (meaning 0xFFFF), "ext" (meaning 0xFFFE) or "ask"
1226 (meaning 0xFFFD). This value should be entered into the
1227 vid_mode field, as it is used by the kernel before the command
1231 <size> is an integer in C notation optionally followed by
1232 (case insensitive) K, M, G, T, P or E (meaning << 10, << 20,
1233 << 30, << 40, << 50 or << 60). This specifies the end of
1234 memory to the kernel. This affects the possible placement of
1235 an initrd, since an initrd should be placed near end of
1236 memory. Note that this is an option to *both* the kernel and
1240 An initrd should be loaded. The meaning of <file> is
1241 obviously bootloader-dependent, and some boot loaders
1242 (e.g. LILO) do not have such a command.
1244 In addition, some boot loaders add the following options to the
1245 user-specified command line:
1248 The boot image which was loaded. Again, the meaning of <file>
1249 is obviously bootloader-dependent.
1252 The kernel was booted without explicit user intervention.
1254 If these options are added by the boot loader, it is highly
1255 recommended that they are located *first*, before the user-specified
1256 or configuration-specified command line. Otherwise, "init=/bin/sh"
1257 gets confused by the "auto" option.
1263 The kernel is started by jumping to the kernel entry point, which is
1264 located at *segment* offset 0x20 from the start of the real mode
1265 kernel. This means that if you loaded your real-mode kernel code at
1266 0x90000, the kernel entry point is 9020:0000.
1268 At entry, ds = es = ss should point to the start of the real-mode
1269 kernel code (0x9000 if the code is loaded at 0x90000), sp should be
1270 set up properly, normally pointing to the top of the heap, and
1271 interrupts should be disabled. Furthermore, to guard against bugs in
1272 the kernel, it is recommended that the boot loader sets fs = gs = ds =
1275 In our example from above, we would do::
1277 /* Note: in the case of the "old" kernel protocol, base_ptr must
1278 be == 0x90000 at this point; see the previous sample code */
1280 seg = base_ptr >> 4;
1282 cli(); /* Enter with interrupts disabled! */
1284 /* Set up the real-mode kernel stack */
1288 _DS = _ES = _FS = _GS = seg;
1289 jmp_far(seg+0x20, 0); /* Run the kernel */
1291 If your boot sector accesses a floppy drive, it is recommended to
1292 switch off the floppy motor before running the kernel, since the
1293 kernel boot leaves interrupts off and thus the motor will not be
1294 switched off, especially if the loaded kernel has the floppy driver as
1295 a demand-loaded module!
1298 Advanced Boot Loader Hooks
1299 ==========================
1301 If the boot loader runs in a particularly hostile environment (such as
1302 LOADLIN, which runs under DOS) it may be impossible to follow the
1303 standard memory location requirements. Such a boot loader may use the
1304 following hooks that, if set, are invoked by the kernel at the
1305 appropriate time. The use of these hooks should probably be
1306 considered an absolutely last resort!
1308 IMPORTANT: All the hooks are required to preserve %esp, %ebp, %esi and
1309 %edi across invocation.
1312 A 16-bit real mode far subroutine invoked immediately before
1313 entering protected mode. The default routine disables NMI, so
1314 your routine should probably do so, too.
1317 A 32-bit flat-mode routine *jumped* to immediately after the
1318 transition to protected mode, but before the kernel is
1319 uncompressed. No segments, except CS, are guaranteed to be
1320 set up (current kernels do, but older ones do not); you should
1321 set them up to BOOT_DS (0x18) yourself.
1323 After completing your hook, you should jump to the address
1324 that was in this field before your boot loader overwrote it
1325 (relocated, if appropriate.)
1328 32-bit Boot Protocol
1329 ====================
1331 For machine with some new BIOS other than legacy BIOS, such as EFI,
1332 LinuxBIOS, etc, and kexec, the 16-bit real mode setup code in kernel
1333 based on legacy BIOS can not be used, so a 32-bit boot protocol needs
1336 In 32-bit boot protocol, the first step in loading a Linux kernel
1337 should be to setup the boot parameters (struct boot_params,
1338 traditionally known as "zero page"). The memory for struct boot_params
1339 should be allocated and initialized to all zero. Then the setup header
1340 from offset 0x01f1 of kernel image on should be loaded into struct
1341 boot_params and examined. The end of setup header can be calculated as
1344 0x0202 + byte value at offset 0x0201
1346 In addition to read/modify/write the setup header of the struct
1347 boot_params as that of 16-bit boot protocol, the boot loader should
1348 also fill the additional fields of the struct boot_params as that
1349 described in zero-page.txt.
1351 After setting up the struct boot_params, the boot loader can load the
1352 32/64-bit kernel in the same way as that of 16-bit boot protocol.
1354 In 32-bit boot protocol, the kernel is started by jumping to the
1355 32-bit kernel entry point, which is the start address of loaded
1358 At entry, the CPU must be in 32-bit protected mode with paging
1359 disabled; a GDT must be loaded with the descriptors for selectors
1360 __BOOT_CS(0x10) and __BOOT_DS(0x18); both descriptors must be 4G flat
1361 segment; __BOOT_CS must have execute/read permission, and __BOOT_DS
1362 must have read/write permission; CS must be __BOOT_CS and DS, ES, SS
1363 must be __BOOT_DS; interrupt must be disabled; %esi must hold the base
1364 address of the struct boot_params; %ebp, %edi and %ebx must be zero.
1366 64-bit Boot Protocol
1367 ====================
1369 For machine with 64bit cpus and 64bit kernel, we could use 64bit bootloader
1370 and we need a 64-bit boot protocol.
1372 In 64-bit boot protocol, the first step in loading a Linux kernel
1373 should be to setup the boot parameters (struct boot_params,
1374 traditionally known as "zero page"). The memory for struct boot_params
1375 could be allocated anywhere (even above 4G) and initialized to all zero.
1376 Then, the setup header at offset 0x01f1 of kernel image on should be
1377 loaded into struct boot_params and examined. The end of setup header
1378 can be calculated as follows::
1380 0x0202 + byte value at offset 0x0201
1382 In addition to read/modify/write the setup header of the struct
1383 boot_params as that of 16-bit boot protocol, the boot loader should
1384 also fill the additional fields of the struct boot_params as described
1387 After setting up the struct boot_params, the boot loader can load
1388 64-bit kernel in the same way as that of 16-bit boot protocol, but
1389 kernel could be loaded above 4G.
1391 In 64-bit boot protocol, the kernel is started by jumping to the
1392 64-bit kernel entry point, which is the start address of loaded
1393 64-bit kernel plus 0x200.
1395 At entry, the CPU must be in 64-bit mode with paging enabled.
1396 The range with setup_header.init_size from start address of loaded
1397 kernel and zero page and command line buffer get ident mapping;
1398 a GDT must be loaded with the descriptors for selectors
1399 __BOOT_CS(0x10) and __BOOT_DS(0x18); both descriptors must be 4G flat
1400 segment; __BOOT_CS must have execute/read permission, and __BOOT_DS
1401 must have read/write permission; CS must be __BOOT_CS and DS, ES, SS
1402 must be __BOOT_DS; interrupt must be disabled; %rsi must hold the base
1403 address of the struct boot_params.
1405 EFI Handover Protocol
1406 =====================
1408 This protocol allows boot loaders to defer initialisation to the EFI
1409 boot stub. The boot loader is required to load the kernel/initrd(s)
1410 from the boot media and jump to the EFI handover protocol entry point
1411 which is hdr->handover_offset bytes from the beginning of
1414 The function prototype for the handover entry point looks like this::
1416 efi_main(void *handle, efi_system_table_t *table, struct boot_params *bp)
1418 'handle' is the EFI image handle passed to the boot loader by the EFI
1419 firmware, 'table' is the EFI system table - these are the first two
1420 arguments of the "handoff state" as described in section 2.3 of the
1421 UEFI specification. 'bp' is the boot loader-allocated boot params.
1423 The boot loader *must* fill out the following fields in bp::
1427 - hdr.ramdisk_image (if applicable)
1428 - hdr.ramdisk_size (if applicable)
1430 All other fields should be zero.