xref: /illumos-gate/usr/src/boot/i386/btx/btx/btx.S (revision 55fea89d)

/*
 * Copyright (c) 1998 Robert Nordier
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms are freely
 * permitted provided that the above copyright notice and this
 * paragraph and the following disclaimer are duplicated in all
 * such forms.
 *
 * This software is provided "AS IS" and without any express or
 * implied warranties, including, without limitation, the implied
 * warranties of merchantability and fitness for a particular
 * purpose.
 *
 * $FreeBSD$
 */

#include <bootargs.h>

/*
 * Memory layout.
 */
		.set MEM_BTX,0x1000		# Start of BTX memory
		.set MEM_ESP0,0x1800		# Supervisor stack
		.set MEM_BUF,0x1800		# Scratch buffer
		.set MEM_ESPR,0x5e00		# Real mode stack
		.set MEM_IDT,0x5e00		# IDT
		.set MEM_TSS,0x5f98		# TSS
		.set MEM_MAP,0x6000		# I/O bit map
		.set MEM_TSS_END,0x7fff		# End of TSS
		.set MEM_ORG,0x9000		# BTX code
		.set MEM_USR,0xa000		# Start of user memory
/*
 * Paging control.
 */
		.set PAG_SIZ,0x1000		# Page size
		.set PAG_CNT,0x1000		# Pages to map
/*
 * Fields in %eflags.
 */
		.set PSL_RESERVED_DEFAULT,0x00000002
		.set PSL_T,0x00000100		# Trap flag
		.set PSL_I,0x00000200		# Interrupt enable flag
		.set PSL_D,0x00000400		# String instruction direction
		.set PSL_NT,0x00004000		# Nested task flag
		.set PSL_VM,0x00020000		# Virtual 8086 mode flag
		.set PSL_AC,0x00040000		# Alignment check flag
/*
 * Segment selectors.
 */
		.set SEL_SCODE,0x8		# Supervisor code
		.set SEL_SDATA,0x10		# Supervisor data
		.set SEL_RCODE,0x18		# Real mode code
		.set SEL_RDATA,0x20		# Real mode data
		.set SEL_UCODE,0x28|3		# User code
		.set SEL_UDATA,0x30|3		# User data
		.set SEL_TSS,0x38		# TSS
/*
 * Task state segment fields.
 */
		.set TSS_ESP0,0x4		# PL 0 ESP
		.set TSS_SS0,0x8		# PL 0 SS
		.set TSS_MAP,0x66		# I/O bit map base
/*
 * System calls.
 */
		.set SYS_EXIT,0x0		# Exit
		.set SYS_EXEC,0x1		# Exec
/*
 * Fields in V86 interface structure.
 */
		.set V86_CTL,0x0		# Control flags
		.set V86_ADDR,0x4		# Int number/address
		.set V86_ES,0x8			# V86 ES
		.set V86_DS,0xc			# V86 DS
		.set V86_FS,0x10		# V86 FS
		.set V86_GS,0x14		# V86 GS
/*
 * V86 control flags.
 */
		.set V86F_ADDR,0x10000		# Segment:offset address
		.set V86F_CALLF,0x20000		# Emulate far call
		.set V86F_FLAGS,0x40000		# Return flags
/*
 * Dump format control bytes.
 */
		.set DMP_X16,0x1		# Word
		.set DMP_X32,0x2		# Long
		.set DMP_MEM,0x4		# Memory
		.set DMP_EOL,0x8		# End of line
/*
 * Screen defaults and assumptions.
 */
		.set SCR_MAT,0x7		# Mode/attribute
		.set SCR_COL,0x50		# Columns per row
		.set SCR_ROW,0x19		# Rows per screen
/*
 * BIOS Data Area locations.
 */
		.set BDA_MEM,0x413		# Free memory
		.set BDA_SCR,0x449		# Video mode
		.set BDA_POS,0x450		# Cursor position
		.set BDA_BOOT,0x472		# Boot howto flag
/*
 * Derivations, for brevity.
 */
		.set _ESP0H,MEM_ESP0>>0x8	# Byte 1 of ESP0
		.set _TSSIO,MEM_MAP-MEM_TSS	# TSS I/O base
		.set _TSSLM,MEM_TSS_END-MEM_TSS	# TSS limit
		.set _IDTLM,MEM_TSS-MEM_IDT-1	# IDT limit
/*
 * Code segment.
 */
		.globl start
		.code16
start:						# Start of code
/*
 * BTX header.
 */
btx_hdr:	.byte 0xeb			# Machine ID
		.byte 0xe			# Header size
		.ascii "BTX"			# Magic
		.byte 0x1			# Major version
		.byte 0x2			# Minor version
		.byte BTX_FLAGS			# Flags
		.word PAG_CNT-MEM_ORG>>0xc	# Paging control
		.word break-start		# Text size
		.long 0x0			# Entry address
/*
 * Initialization routine.
 */
init:		cli				# Disable interrupts
		xor %ax,%ax			# Zero/segment
		mov %ax,%ss			# Set up
		mov $MEM_ESP0,%sp		#  stack
		mov %ax,%es			# Address
		mov %ax,%ds			#  data
		pushl $0x2			# Clear
		popfl				#  flags
/*
 * Initialize memory.
 */
		mov $MEM_IDT,%di		# Memory to initialize
		mov $(MEM_ORG-MEM_IDT)/2,%cx	# Words to zero
		rep				# Zero-fill
		stosw				#  memory
/*
 * Update real mode IDT for reflecting hardware interrupts.
 */
		mov $intr20,%bx			# Address first handler
		mov $0x10,%cx			# Number of handlers
		mov $0x20*4,%di			# First real mode IDT entry
init.0:		mov %bx,(%di)			# Store IP
		inc %di				# Address next
		inc %di				#  entry
		stosw				# Store CS
		add $4,%bx			# Next handler
		loop init.0			# Next IRQ
/*
 * Create IDT.
 */
		mov $MEM_IDT,%di
		mov $idtctl,%si			# Control string
init.1: 	lodsb				# Get entry
		cbw				#  count
		xchg %ax,%cx			#  as word
		jcxz init.4			# If done
		lodsb				# Get segment
		xchg %ax,%dx	 		#  P:DPL:type
		lodsw				# Get control
		xchg %ax,%bx			#  set
		lodsw				# Get handler offset
		mov $SEL_SCODE,%dh		# Segment selector
init.2: 	shr %bx				# Handle this int?
		jnc init.3			# No
		mov %ax,(%di)			# Set handler offset
		mov %dh,0x2(%di)		#  and selector
		mov %dl,0x5(%di)		# Set P:DPL:type
		add $0x4,%ax			# Next handler
init.3: 	lea 0x8(%di),%di		# Next entry
		loop init.2			# Till set done
		jmp init.1			# Continue
/*
 * Initialize TSS.
 */
init.4: 	movb $_ESP0H,TSS_ESP0+1(%di)	# Set ESP0
		movb $SEL_SDATA,TSS_SS0(%di)	# Set SS0
		movb $_TSSIO,TSS_MAP(%di)	# Set I/O bit map base
/*
 * Bring up the system.
 */
		mov $0x2820,%bx			# Set protected mode
		callw setpic			#  IRQ offsets
		lidt idtdesc	 		# Set IDT
		lgdt gdtdesc	 		# Set GDT
		mov %cr0,%eax			# Switch to protected
		inc %ax				#  mode
		mov %eax,%cr0			#
		ljmp $SEL_SCODE,$init.8		# To 32-bit code
		.code32
init.8: 	xorl %ecx,%ecx			# Zero
		movb $SEL_SDATA,%cl		# To 32-bit
		movw %cx,%ss			#  stack
/*
 * Launch user task.
 */
		movb $SEL_TSS,%cl		# Set task
		ltr %cx				#  register
		movl $MEM_USR,%edx		# User base address
		movzwl %ss:BDA_MEM,%eax 	# Get free memory
		shll $0xa,%eax			# To bytes
		subl $ARGSPACE,%eax		# Less arg space
		subl %edx,%eax			# Less base
		movb $SEL_UDATA,%cl		# User data selector
		pushl %ecx			# Set SS
		pushl %eax			# Set ESP
		push $0x202			# Set flags (IF set)
		push $SEL_UCODE			# Set CS
		pushl btx_hdr+0xc		# Set EIP
		pushl %ecx			# Set GS
		pushl %ecx			# Set FS
		pushl %ecx			# Set DS
		pushl %ecx			# Set ES
		pushl %edx			# Set EAX
		movb $0x7,%cl			# Set remaining
init.9:		push $0x0			#  general
		loop init.9			#  registers
#ifdef BTX_SERIAL
		call sio_init			# setup the serial console
#endif
		popa				#  and initialize
		popl %es			# Initialize
		popl %ds			#  user
		popl %fs			#  segment
		popl %gs			#  registers
		iret				# To user mode
/*
 * Exit routine.
 */
exit:		cli				# Disable interrupts
		movl $MEM_ESP0,%esp		# Clear stack
/*
 * Turn off paging.
 */
		movl %cr0,%eax			# Get CR0
		andl $~0x80000000,%eax		# Disable
		movl %eax,%cr0			#  paging
		xorl %ecx,%ecx			# Zero
		movl %ecx,%cr3			# Flush TLB
/*
 * Restore the GDT in case we caught a kernel trap.
 */
		lgdt %cs:gdtdesc		# Set GDT
/*
 * To 16 bits.
 */
		ljmpw $SEL_RCODE,$exit.1	# Reload CS
		.code16
exit.1: 	mov $SEL_RDATA,%cl		# 16-bit selector
		mov %cx,%ss			# Reload SS
		mov %cx,%ds			# Load
		mov %cx,%es			#  remaining
		mov %cx,%fs			#  segment
		mov %cx,%gs			#  registers
/*
 * To real-address mode.
 */
		dec %ax				# Switch to
		mov %eax,%cr0			#  real mode
		ljmp $0x0,$exit.2		# Reload CS
exit.2: 	xor %ax,%ax			# Real mode segment
		mov %ax,%ss			# Reload SS
		mov %ax,%ds			# Address data
		mov $0x7008,%bx			# Set real mode
		callw setpic			#  IRQ offsets
		lidt ivtdesc	 		# Set IVT
/*
 * Reboot or await reset.
 */
		sti				# Enable interrupts
		testb $0x1,btx_hdr+0x7		# Reboot?
exit.3:		jz exit.3			# No
		movw $0x1234, BDA_BOOT		# Do a warm boot
		ljmp $0xf000,$0xfff0		# reboot the machine
/*
 * Set IRQ offsets by reprogramming 8259A PICs.
 */
setpic: 	in $0x21,%al			# Save master
		push %ax			#  IMR
		in $0xa1,%al			# Save slave
		push %ax			#  IMR
		movb $0x11,%al			# ICW1 to
		outb %al,$0x20			#  master,
		outb %al,$0xa0			#  slave
		movb %bl,%al			# ICW2 to
		outb %al,$0x21			#  master
		movb %bh,%al			# ICW2 to
		outb %al,$0xa1			#  slave
		movb $0x4,%al			# ICW3 to
		outb %al,$0x21			#  master
		movb $0x2,%al			# ICW3 to
		outb %al,$0xa1			#  slave
		movb $0x1,%al			# ICW4 to
		outb %al,$0x21			#  master,
		outb %al,$0xa1			#  slave
		pop %ax				# Restore slave
		outb %al,$0xa1			#  IMR
		pop %ax				# Restore master
		outb %al,$0x21			#  IMR
		retw				# To caller
		.code32
/*
 * Exception jump table.
 */
intx00: 	push $0x0			# Int 0x0: #DE
		jmp ex_noc			# Divide error
		push $0x1			# Int 0x1: #DB
		jmp ex_noc			# Debug
		push $0x3			# Int 0x3: #BP
		jmp ex_noc			# Breakpoint
		push $0x4			# Int 0x4: #OF
		jmp ex_noc			# Overflow
		push $0x5			# Int 0x5: #BR
		jmp ex_noc			# BOUND range exceeded
		push $0x6			# Int 0x6: #UD
		jmp ex_noc			# Invalid opcode
		push $0x7			# Int 0x7: #NM
		jmp ex_noc			# Device not available
		push $0x8			# Int 0x8: #DF
		jmp except			# Double fault
		push $0xa			# Int 0xa: #TS
		jmp except			# Invalid TSS
		push $0xb			# Int 0xb: #NP
		jmp except			# Segment not present
		push $0xc			# Int 0xc: #SS
		jmp except			# Stack segment fault
		push $0xd			# Int 0xd: #GP
		jmp except			# General protection
		push $0xe			# Int 0xe: #PF
		jmp except			# Page fault
intx10: 	push $0x10			# Int 0x10: #MF
		jmp ex_noc			# Floating-point error
/*
 * Save a zero error code.
 */
ex_noc: 	pushl (%esp,1)			# Duplicate int no
		movb $0x0,0x4(%esp,1)		# Fake error code
/*
 * Handle exception.
 */
except: 	cld				# String ops inc
		pushl %ds			# Save
		pushl %es			#  most
		pusha				#  registers
		pushl %gs			# Set GS
		pushl %fs			# Set FS
		pushl %ds			# Set DS
		pushl %es			# Set ES
		cmpw $SEL_SCODE,0x44(%esp,1)	# Supervisor mode?
		jne except.1			# No
		pushl %ss			# Set SS
		jmp except.2			# Join common code
except.1:	pushl 0x50(%esp,1)		# Set SS
except.2:	pushl 0x50(%esp,1)		# Set ESP
		push $SEL_SDATA			# Set up
		popl %ds			#  to
		pushl %ds			#  address
		popl %es			#  data
		movl %esp,%ebx			# Stack frame
		movl $dmpfmt,%esi		# Dump format string
		movl $MEM_BUF,%edi		# Buffer
		pushl %edi			# Dump to
		call dump			#  buffer
		popl %esi			#  and
		call putstr			#  display
		leal 0x18(%esp,1),%esp		# Discard frame
		popa				# Restore
		popl %es			#  registers
		popl %ds			#  saved
		cmpb $0x3,(%esp,1)		# Breakpoint?
		je except.3			# Yes
		cmpb $0x1,(%esp,1)		# Debug?
		jne except.2a			# No
		testl $PSL_T,0x10(%esp,1)	# Trap flag set?
		jnz except.3			# Yes
except.2a:	jmp exit			# Exit
except.3:	leal 0x8(%esp,1),%esp		# Discard err, int no
		iret				# From interrupt

/*
 * Reboot the machine by setting the reboot flag and exiting
 */
reboot:		orb $0x1,btx_hdr+0x7		# Set the reboot flag
		jmp exit			# Terminate BTX and reboot

/*
 * Protected Mode Hardware interrupt jump table.
 */
intx20: 	push $0x8			# Int 0x20: IRQ0
		jmp int_hw			# V86 int 0x8
		push $0x9			# Int 0x21: IRQ1
		jmp int_hw			# V86 int 0x9
		push $0xa			# Int 0x22: IRQ2
		jmp int_hw			# V86 int 0xa
		push $0xb			# Int 0x23: IRQ3
		jmp int_hw			# V86 int 0xb
		push $0xc			# Int 0x24: IRQ4
		jmp int_hw			# V86 int 0xc
		push $0xd			# Int 0x25: IRQ5
		jmp int_hw			# V86 int 0xd
		push $0xe			# Int 0x26: IRQ6
		jmp int_hw			# V86 int 0xe
		push $0xf			# Int 0x27: IRQ7
		jmp int_hw			# V86 int 0xf
		push $0x70			# Int 0x28: IRQ8
		jmp int_hw			# V86 int 0x70
		push $0x71			# Int 0x29: IRQ9
		jmp int_hw			# V86 int 0x71
		push $0x72			# Int 0x2a: IRQ10
		jmp int_hw			# V86 int 0x72
		push $0x73			# Int 0x2b: IRQ11
		jmp int_hw			# V86 int 0x73
		push $0x74			# Int 0x2c: IRQ12
		jmp int_hw			# V86 int 0x74
		push $0x75			# Int 0x2d: IRQ13
		jmp int_hw			# V86 int 0x75
		push $0x76			# Int 0x2e: IRQ14
		jmp int_hw			# V86 int 0x76
		push $0x77			# Int 0x2f: IRQ15
		jmp int_hw			# V86 int 0x77

/*
 * Invoke real mode interrupt/function call from user mode with arguments.
 */
intx31: 	pushl $-1			# Dummy int no for btx_v86
/*
 * Invoke real mode interrupt/function call from protected mode.
 *
 * We place a trampoline on the user stack that will return to rret_tramp
 * which will reenter protected mode and then finally return to the user
 * client.
 *
 * Kernel frame %esi points to:		Real mode stack frame at MEM_ESPR:
 *
 * -0x00 user %ss			-0x04 kernel %esp (with full frame)
 * -0x04 user %esp			-0x08 btx_v86 pointer
 * -0x08 user %eflags			-0x0c flags (only used if interrupt)
 * -0x0c user %cs			-0x10 real mode CS:IP return trampoline
 * -0x10 user %eip			-0x12 real mode flags
 * -0x14 int no				-0x16 real mode CS:IP (target)
 * -0x18 %eax
 * -0x1c %ecx
 * -0x20 %edx
 * -0x24 %ebx
 * -0x28 %esp
 * -0x2c %ebp
 * -0x30 %esi
 * -0x34 %edi
 * -0x38 %gs
 * -0x3c %fs
 * -0x40 %ds
 * -0x44 %es
 * -0x48 zero %eax (hardware int only)
 * -0x4c zero %ecx (hardware int only)
 * -0x50 zero %edx (hardware int only)
 * -0x54 zero %ebx (hardware int only)
 * -0x58 zero %esp (hardware int only)
 * -0x5c zero %ebp (hardware int only)
 * -0x60 zero %esi (hardware int only)
 * -0x64 zero %edi (hardware int only)
 * -0x68 zero %gs (hardware int only)
 * -0x6c zero %fs (hardware int only)
 * -0x70 zero %ds (hardware int only)
 * -0x74 zero %es (hardware int only)
 */
int_hw: 	cld				# String ops inc
		pusha				# Save gp regs
		pushl %gs			# Save
		pushl %fs			#  seg
		pushl %ds			#  regs
		pushl %es
		push $SEL_SDATA			# Set up
		popl %ds			#  to
		pushl %ds			#  address
		popl %es			#  data
		leal 0x44(%esp,1),%esi		# Base of frame
		movl %esp,MEM_ESPR-0x04		# Save kernel stack pointer
		movl -0x14(%esi),%eax		# Get Int no
		cmpl $-1,%eax			# Hardware interrupt?
		jne intusr.1			# Yes
/*
 * v86 calls save the btx_v86 pointer on the real mode stack and read
 * the address and flags from the btx_v86 structure.  For interrupt
 * handler invocations (VM86 INTx requests), disable interrupts,
 * tracing, and alignment checking while the handler runs.
 */
		movl $MEM_USR,%ebx		# User base
		movl %ebx,%edx			#  address
		addl -0x4(%esi),%ebx		# User ESP
		movl (%ebx),%ebp		# btx_v86 pointer
		addl %ebp,%edx			# Flatten btx_v86 ptr
		movl %edx,MEM_ESPR-0x08		# Save btx_v86 ptr
		movl V86_ADDR(%edx),%eax	# Get int no/address
		movl V86_CTL(%edx),%edx		# Get control flags
		movl -0x08(%esi),%ebx		# Save user flags in %ebx
		testl $V86F_ADDR,%edx		# Segment:offset?
		jnz intusr.4			# Yes
		andl $~(PSL_I|PSL_T|PSL_AC),%ebx # Disable interrupts, tracing,
						#  and alignment checking for
						#  interrupt handler
		jmp intusr.3			# Skip hardware interrupt
/*
 * Hardware interrupts store a NULL btx_v86 pointer and use the
 * address (interrupt number) from the stack with empty flags.  Also,
 * push a dummy frame of zeros onto the stack for all the general
 * purpose and segment registers and clear %eflags.  This gives the
 * hardware interrupt handler a clean slate.
 */
intusr.1:	xorl %edx,%edx			# Control flags
		movl %edx,MEM_ESPR-0x08		# NULL btx_v86 ptr
		movl $12,%ecx			# Frame is 12 dwords
intusr.2:	pushl $0x0			# Fill frame
		loop intusr.2			#  with zeros
		movl $PSL_RESERVED_DEFAULT,%ebx # Set clean %eflags
/*
 * Look up real mode IDT entry for hardware interrupts and VM86 INTx
 * requests.
 */
intusr.3:	shll $0x2,%eax			# Scale
		movl (%eax),%eax		# Load int vector
		jmp intusr.5			# Skip CALLF test
/*
 * Panic if V86F_CALLF isn't set with V86F_ADDR.
 */
intusr.4:	testl $V86F_CALLF,%edx		# Far call?
		jnz intusr.5			# Ok
		movl %edx,0x30(%esp,1)		# Place VM86 flags in int no
		movl $badvm86,%esi		# Display bad
		call putstr			#  VM86 call
		popl %es			# Restore
		popl %ds			#  seg
		popl %fs			#  regs
		popl %gs
		popal				# Restore gp regs
		jmp ex_noc			# Panic
/*
 * %eax now holds the segment:offset of the function.
 * %ebx now holds the %eflags to pass to real mode.
 * %edx now holds the V86F_* flags.
 */
intusr.5:	movw %bx,MEM_ESPR-0x12		# Pass user flags to real mode
						#  target
/*
 * If this is a v86 call, copy the seg regs out of the btx_v86 structure.
 */
		movl MEM_ESPR-0x08,%ecx		# Get btx_v86 ptr
		jecxz intusr.6			# Skip for hardware ints
		leal -0x44(%esi),%edi		# %edi => kernel stack seg regs
		pushl %esi			# Save
		leal V86_ES(%ecx),%esi		# %esi => btx_v86 seg regs
		movl $4,%ecx			# Copy seg regs
		rep				#  from btx_v86
		movsl				#  to kernel stack
		popl %esi			# Restore
intusr.6:	movl -0x08(%esi),%ebx		# Copy user flags to real
		movl %ebx,MEM_ESPR-0x0c		#  mode return trampoline
		movl $rret_tramp,%ebx		# Set return trampoline
		movl %ebx,MEM_ESPR-0x10		#  CS:IP
		movl %eax,MEM_ESPR-0x16		# Real mode target CS:IP
		ljmpw $SEL_RCODE,$intusr.7	# Change to 16-bit segment
		.code16
intusr.7:	movl %cr0,%eax			# Leave
		dec %al				#  protected
		movl %eax,%cr0			#  mode
		ljmpw $0x0,$intusr.8
intusr.8:	xorw %ax,%ax			# Reset %ds
		movw %ax,%ds			#  and
		movw %ax,%ss			#  %ss
		lidt ivtdesc	 		# Set IVT
		popl %es			# Restore
		popl %ds			#  seg
		popl %fs			#  regs
		popl %gs
		popal				# Restore gp regs
		movw $MEM_ESPR-0x16,%sp		# Switch to real mode stack
		iret				# Call target routine
/*
 * For the return to real mode we setup a stack frame like this on the real
 * mode stack.  Note that callf calls won't pop off the flags, but we just
 * ignore that by repositioning %sp to be just above the btx_v86 pointer
 * so it is aligned.  The stack is relative to MEM_ESPR.
 *
 * -0x04	kernel %esp
 * -0x08	btx_v86
 * -0x0c	%eax
 * -0x10	%ecx
 * -0x14	%edx
 * -0x18	%ebx
 * -0x1c	%esp
 * -0x20	%ebp
 * -0x24	%esi
 * -0x28	%edi
 * -0x2c	%gs
 * -0x30	%fs
 * -0x34	%ds
 * -0x38	%es
 * -0x3c	%eflags
 */
rret_tramp:	movw $MEM_ESPR-0x08,%sp		# Reset stack pointer
		pushal				# Save gp regs
		pushl %gs			# Save
		pushl %fs			#  seg
		pushl %ds			#  regs
		pushl %es
		pushfl				# Save %eflags
		pushl $PSL_RESERVED_DEFAULT|PSL_D # Use clean %eflags with
		popfl				#  string ops dec
		xorw %ax,%ax			# Reset seg
		movw %ax,%ds			#  regs
		movw %ax,%es			#  (%ss is already 0)
		lidt idtdesc	 		# Set IDT
		lgdt gdtdesc	 		# Set GDT
		mov %cr0,%eax			# Switch to protected
		inc %ax				#  mode
		mov %eax,%cr0			#
		ljmp $SEL_SCODE,$rret_tramp.1	# To 32-bit code
		.code32
rret_tramp.1:	xorl %ecx,%ecx			# Zero
		movb $SEL_SDATA,%cl		# Setup
		movw %cx,%ss			#  32-bit
		movw %cx,%ds			#  seg
		movw %cx,%es			#  regs
		movl MEM_ESPR-0x04,%esp		# Switch to kernel stack
		leal 0x44(%esp,1),%esi		# Base of frame
		andb $~0x2,tss_desc+0x5		# Clear TSS busy
		movb $SEL_TSS,%cl		# Set task
		ltr %cx				#  register
/*
 * Now we are back in protected mode.  The kernel stack frame set up
 * before entering real mode is still intact. For hardware interrupts,
 * leave the frame unchanged.
 */
		cmpl $0,MEM_ESPR-0x08		# Leave saved regs unchanged
		jz rret_tramp.3			#  for hardware ints
/*
 * For V86 calls, copy the registers off of the real mode stack onto
 * the kernel stack as we want their updated values.  Also, initialize
 * the segment registers on the kernel stack.
 *
 * Note that the %esp in the kernel stack after this is garbage, but popa
 * ignores it, so we don't have to fix it up.
 */
		leal -0x18(%esi),%edi		# Kernel stack GP regs
		pushl %esi			# Save
		movl $MEM_ESPR-0x0c,%esi	# Real mode stack GP regs
		movl $8,%ecx			# Copy GP regs from
		rep				#  real mode stack
		movsl				#  to kernel stack
		movl $SEL_UDATA,%eax		# Selector for data seg regs
		movl $4,%ecx			# Initialize %ds,
		rep				#  %es, %fs, and
		stosl				#  %gs
/*
 * For V86 calls, copy the saved seg regs on the real mode stack back
 * over to the btx_v86 structure.  Also, conditionally update the
 * saved eflags on the kernel stack based on the flags from the user.
 */
		movl MEM_ESPR-0x08,%ecx		# Get btx_v86 ptr
		leal V86_GS(%ecx),%edi		# %edi => btx_v86 seg regs
		leal MEM_ESPR-0x2c,%esi		# %esi => real mode seg regs
		xchgl %ecx,%edx			# Save btx_v86 ptr
		movl $4,%ecx			# Copy seg regs
		rep				#  from real mode stack
		movsl				#  to btx_v86
		popl %esi			# Restore
		movl V86_CTL(%edx),%edx		# Read V86 control flags
		testl $V86F_FLAGS,%edx		# User wants flags?
		jz rret_tramp.3			# No
		movl MEM_ESPR-0x3c,%eax		# Read real mode flags
		andl $~(PSL_T|PSL_NT),%eax	# Clear unsafe flags
		movw %ax,-0x08(%esi)		# Update user flags (low 16)
/*
 * Return to the user task
 */
rret_tramp.3:	popl %es			# Restore
		popl %ds			#  seg
		popl %fs			#  regs
		popl %gs
		popal				# Restore gp regs
		addl $4,%esp			# Discard int no
		iret				# Return to user mode

/*
 * System Call.
 */
intx30: 	cmpl $SYS_EXEC,%eax		# Exec system call?
		jne intx30.1			# No
		pushl %ss			# Set up
		popl %es			#  all
		pushl %es			#  segment
		popl %ds			#  registers
		pushl %ds			#  for the
		popl %fs			#  program
		pushl %fs			#  we're
		popl %gs			#  invoking
		movl $MEM_USR,%eax		# User base address
		addl 0xc(%esp,1),%eax		# Change to user
		leal 0x4(%eax),%esp		#  stack
		popl %eax			# Call
		call *%eax			#  program
intx30.1:	orb $0x1,%ss:btx_hdr+0x7	# Flag reboot
		jmp exit			# Exit
/*
 * Dump structure [EBX] to [EDI], using format string [ESI].
 */
dump.0: 	stosb				# Save char
dump:		lodsb				# Load char
		testb %al,%al			# End of string?
		jz dump.10			# Yes
		testb $0x80,%al 		# Control?
		jz dump.0			# No
		movb %al,%ch			# Save control
		movb $'=',%al			# Append
		stosb				#  '='
		lodsb				# Get offset
		pushl %esi			# Save
		movsbl %al,%esi 		# To
		addl %ebx,%esi			#  pointer
		testb $DMP_X16,%ch		# Dump word?
		jz dump.1			# No
		lodsw				# Get and
		call hex16			#  dump it
dump.1: 	testb $DMP_X32,%ch		# Dump long?
		jz dump.2			# No
		lodsl				# Get and
		call hex32			#  dump it
dump.2: 	testb $DMP_MEM,%ch		# Dump memory?
		jz dump.8			# No
		pushl %ds			# Save
		testl $PSL_VM,0x50(%ebx)	# V86 mode?
		jnz dump.3			# Yes
		verr 0x4(%esi)	 		# Readable selector?
		jnz dump.3			# No
		ldsl (%esi),%esi		# Load pointer
		jmp dump.4			# Join common code
dump.3: 	lodsl				# Set offset
		xchgl %eax,%edx 		# Save
		lodsl				# Get segment
		shll $0x4,%eax			#  * 0x10
		addl %edx,%eax			#  + offset
		xchgl %eax,%esi 		# Set pointer
dump.4: 	movb $2,%dl			# Num lines
dump.4a:	movb $0x10,%cl			# Bytes to dump
dump.5: 	lodsb				# Get byte and
		call hex8			#  dump it
		decb %cl			# Keep count
		jz dump.6a			# If done
		movb $'-',%al			# Separator
		cmpb $0x8,%cl			# Half way?
		je dump.6			# Yes
		movb $' ',%al			# Use space
dump.6: 	stosb				# Save separator
		jmp dump.5			# Continue
dump.6a:	decb %dl			# Keep count
		jz dump.7			# If done
		movb $0xa,%al			# Line feed
		stosb				# Save one
		movb $7,%cl			# Leading
		movb $' ',%al			#  spaces
dump.6b:	stosb				# Dump
		decb %cl			#  spaces
		jnz dump.6b
		jmp dump.4a			# Next line
dump.7: 	popl %ds			# Restore
dump.8: 	popl %esi			# Restore
		movb $0xa,%al			# Line feed
		testb $DMP_EOL,%ch		# End of line?
		jnz dump.9			# Yes
		movb $' ',%al			# Use spaces
		stosb				# Save one
dump.9: 	jmp dump.0			# Continue
dump.10:	stosb				# Terminate string
		ret				# To caller
/*
 * Convert EAX, AX, or AL to hex, saving the result to [EDI].
 */
hex32:		pushl %eax			# Save
		shrl $0x10,%eax 		# Do upper
		call hex16			#  16
		popl %eax			# Restore
hex16:		call hex16.1			# Do upper 8
hex16.1:	xchgb %ah,%al			# Save/restore
hex8:		pushl %eax			# Save
		shrb $0x4,%al			# Do upper
		call hex8.1			#  4
		popl %eax			# Restore
hex8.1: 	andb $0xf,%al			# Get lower 4
		cmpb $0xa,%al			# Convert
		sbbb $0x69,%al			#  to hex
		das				#  digit
		orb $0x20,%al			# To lower case
		stosb				# Save char
		ret				# (Recursive)
/*
 * Output zero-terminated string [ESI] to the console.
 */
putstr.0:	call putchr			# Output char
putstr: 	lodsb				# Load char
		testb %al,%al			# End of string?
		jnz putstr.0			# No
		ret				# To caller
#ifdef BTX_SERIAL
		.set SIO_PRT,SIOPRT		# Base port
		.set SIO_FMT,SIOFMT		# 8N1
		.set SIO_DIV,(115200/SIOSPD)	# 115200 / SPD

/*
 * int sio_init(void)
 */
sio_init:	movw $SIO_PRT+0x3,%dx		# Data format reg
		movb $SIO_FMT|0x80,%al		# Set format
		outb %al,(%dx)			#  and DLAB
		pushl %edx			# Save
		subb $0x3,%dl			# Divisor latch reg
		movw $SIO_DIV,%ax		# Set
		outw %ax,(%dx)			#  BPS
		popl %edx			# Restore
		movb $SIO_FMT,%al		# Clear
		outb %al,(%dx)			#  DLAB
		incl %edx			# Modem control reg
		movb $0x3,%al			# Set RTS,
		outb %al,(%dx)			#  DTR
		incl %edx			# Line status reg
		call sio_getc.1 		# Get character

/*
 * int sio_flush(void)
 */
sio_flush:	xorl %eax,%eax			# Return value
		xorl %ecx,%ecx			# Timeout
		movb $0x80,%ch			#  counter
sio_flush.1:	call sio_ischar 		# Check for character
		jz sio_flush.2			# Till none
		loop sio_flush.1		#  or counter is zero
		movb $1, %al			# Exhausted all tries
sio_flush.2:	ret				# To caller

/*
 * void sio_putc(int c)
 */
sio_putc:	movw $SIO_PRT+0x5,%dx		# Line status reg
		xor %ecx,%ecx			# Timeout
		movb $0x40,%ch			#  counter
sio_putc.1:	inb (%dx),%al			# Transmitter
		testb $0x20,%al 		#  buffer empty?
		loopz sio_putc.1		# No
		jz sio_putc.2			# If timeout
		movb 0x4(%esp,1),%al		# Get character
		subb $0x5,%dl			# Transmitter hold reg
		outb %al,(%dx)			# Write character
sio_putc.2:	ret $0x4			# To caller

/*
 * int sio_getc(void)
 */
sio_getc:	call sio_ischar 		# Character available?
		jz sio_getc			# No
sio_getc.1:	subb $0x5,%dl			# Receiver buffer reg
		inb (%dx),%al			# Read character
		ret				# To caller

/*
 * int sio_ischar(void)
 */
sio_ischar:	movw $SIO_PRT+0x5,%dx		# Line status register
		xorl %eax,%eax			# Zero
		inb (%dx),%al			# Received data
		andb $0x1,%al			#  ready?
		ret				# To caller

/*
 * Output character AL to the serial console.
 */
putchr: 	pusha				# Save
		cmpb $10, %al			# is it a newline?
		jne putchr.1			#  no?, then leave
		push $13			# output a carriage
		call sio_putc			#  return first
		movb $10, %al			# restore %al
putchr.1:	pushl %eax			# Push the character
						#  onto the stack
		call sio_putc			# Output the character
		popa				# Restore
		ret				# To caller
#else
/*
 * Output character AL to the console.
 */
putchr: 	pusha				# Save
		xorl %ecx,%ecx			# Zero for loops
		movb $SCR_MAT,%ah		# Mode/attribute
		movl $BDA_POS,%ebx		# BDA pointer
		movw (%ebx),%dx 		# Cursor position
		movl $0xb8000,%edi		# Regen buffer (color)
		cmpb %ah,BDA_SCR-BDA_POS(%ebx)	# Mono mode?
		jne putchr.1			# No
		xorw %di,%di			# Regen buffer (mono)
putchr.1:	cmpb $0xa,%al			# New line?
		je putchr.2			# Yes
		xchgl %eax,%ecx 		# Save char
		movb $SCR_COL,%al		# Columns per row
		mulb %dh			#  * row position
		addb %dl,%al			#  + column
		adcb $0x0,%ah			#  position
		shll %eax			#  * 2
		xchgl %eax,%ecx 		# Swap char, offset
		movw %ax,(%edi,%ecx,1)		# Write attr:char
		incl %edx			# Bump cursor
		cmpb $SCR_COL,%dl		# Beyond row?
		jb putchr.3			# No
putchr.2:	xorb %dl,%dl			# Zero column
		incb %dh			# Bump row
putchr.3:	cmpb $SCR_ROW,%dh		# Beyond screen?
		jb putchr.4			# No
		leal 2*SCR_COL(%edi),%esi	# New top line
		movw $(SCR_ROW-1)*SCR_COL/2,%cx # Words to move
		rep				# Scroll
		movsl				#  screen
		movb $0x20,%al			# Space
		movb $SCR_COL,%cl		# Columns to clear
		rep				# Clear
		stosw				#  line
		movb $SCR_ROW-1,%dh		# Bottom line
putchr.4:	movw %dx,(%ebx) 		# Update position
		popa				# Restore
		ret				# To caller
#endif

		.code16
/*
 * Real Mode Hardware interrupt jump table.
 */
intr20: 	push $0x8			# Int 0x20: IRQ0
		jmp int_hwr			# V86 int 0x8
		push $0x9			# Int 0x21: IRQ1
		jmp int_hwr			# V86 int 0x9
		push $0xa			# Int 0x22: IRQ2
		jmp int_hwr			# V86 int 0xa
		push $0xb			# Int 0x23: IRQ3
		jmp int_hwr			# V86 int 0xb
		push $0xc			# Int 0x24: IRQ4
		jmp int_hwr			# V86 int 0xc
		push $0xd			# Int 0x25: IRQ5
		jmp int_hwr			# V86 int 0xd
		push $0xe			# Int 0x26: IRQ6
		jmp int_hwr			# V86 int 0xe
		push $0xf			# Int 0x27: IRQ7
		jmp int_hwr			# V86 int 0xf
		push $0x70			# Int 0x28: IRQ8
		jmp int_hwr			# V86 int 0x70
		push $0x71			# Int 0x29: IRQ9
		jmp int_hwr			# V86 int 0x71
		push $0x72			# Int 0x2a: IRQ10
		jmp int_hwr			# V86 int 0x72
		push $0x73			# Int 0x2b: IRQ11
		jmp int_hwr			# V86 int 0x73
		push $0x74			# Int 0x2c: IRQ12
		jmp int_hwr			# V86 int 0x74
		push $0x75			# Int 0x2d: IRQ13
		jmp int_hwr			# V86 int 0x75
		push $0x76			# Int 0x2e: IRQ14
		jmp int_hwr			# V86 int 0x76
		push $0x77			# Int 0x2f: IRQ15
		jmp int_hwr			# V86 int 0x77
/*
 * Reflect hardware interrupts in real mode.
 */
int_hwr: 	push %ax			# Save
		push %ds			# Save
		push %bp			# Save
		mov %sp,%bp			# Address stack frame
		xchg %bx,6(%bp)			# Swap BX, int no
		xor %ax,%ax			# Set %ds:%bx to
		shl $2,%bx			#  point to
		mov %ax,%ds			#  IDT entry
		mov (%bx),%ax			# Load IP
		mov 2(%bx),%bx			# Load CS
		xchg %ax,4(%bp)			# Swap saved %ax,%bx with
		xchg %bx,6(%bp)			#  CS:IP of handler
		pop %bp				# Restore
		pop %ds				# Restore
		lret				# Jump to handler

		.p2align 4
/*
 * Global descriptor table.
 */
gdt:		.word 0x0,0x0,0x0,0x0		# Null entry
		.word 0xffff,0x0,0x9a00,0xcf	# SEL_SCODE
		.word 0xffff,0x0,0x9200,0xcf	# SEL_SDATA
		.word 0xffff,0x0,0x9a00,0x0	# SEL_RCODE
		.word 0xffff,0x0,0x9200,0x0	# SEL_RDATA
		.word 0xffff,MEM_USR,0xfa00,0xcf# SEL_UCODE
		.word 0xffff,MEM_USR,0xf200,0xcf# SEL_UDATA
tss_desc:	.word _TSSLM,MEM_TSS,0x8900,0x0 # SEL_TSS
gdt.1:
/*
 * Pseudo-descriptors.
 */
gdtdesc:	.word gdt.1-gdt-1,gdt,0x0	# GDT
idtdesc:	.word _IDTLM,MEM_IDT,0x0	# IDT
ivtdesc:	.word 0x400-0x0-1,0x0,0x0	# IVT
/*
 * IDT construction control string.
 */
idtctl: 	.byte 0x10,  0x8e		# Int 0x0-0xf
		.word 0x7dfb,intx00		#  (exceptions)
		.byte 0x10,  0x8e		# Int 0x10
		.word 0x1,   intx10		#  (exception)
		.byte 0x10,  0x8e		# Int 0x20-0x2f
		.word 0xffff,intx20		#  (hardware)
		.byte 0x1,   0xee		# int 0x30
		.word 0x1,   intx30		#  (system call)
		.byte 0x2,   0xee		# Int 0x31-0x32
		.word 0x1,   intx31		#  (V86, null)
		.byte 0x0			# End of string
/*
 * Dump format string.
 */
dmpfmt: 	.byte '\n'			# "\n"
		.ascii "int"			# "int="
		.byte 0x80|DMP_X32,	   0x40 # "00000000  "
		.ascii "err"			# "err="
		.byte 0x80|DMP_X32,	   0x44 # "00000000  "
		.ascii "efl"			# "efl="
		.byte 0x80|DMP_X32,	   0x50 # "00000000  "
		.ascii "eip"			# "eip="
		.byte 0x80|DMP_X32|DMP_EOL,0x48 # "00000000\n"
		.ascii "eax"			# "eax="
		.byte 0x80|DMP_X32,	   0x34 # "00000000  "
		.ascii "ebx"			# "ebx="
		.byte 0x80|DMP_X32,	   0x28 # "00000000  "
		.ascii "ecx"			# "ecx="
		.byte 0x80|DMP_X32,	   0x30 # "00000000  "
		.ascii "edx"			# "edx="
		.byte 0x80|DMP_X32|DMP_EOL,0x2c # "00000000\n"
		.ascii "esi"			# "esi="
		.byte 0x80|DMP_X32,	   0x1c # "00000000  "
		.ascii "edi"			# "edi="
		.byte 0x80|DMP_X32,	   0x18 # "00000000  "
		.ascii "ebp"			# "ebp="
		.byte 0x80|DMP_X32,	   0x20 # "00000000  "
		.ascii "esp"			# "esp="
		.byte 0x80|DMP_X32|DMP_EOL,0x0	# "00000000\n"
		.ascii "cs"			# "cs="
		.byte 0x80|DMP_X16,	   0x4c # "0000  "
		.ascii "ds"			# "ds="
		.byte 0x80|DMP_X16,	   0xc	# "0000  "
		.ascii "es"			# "es="
		.byte 0x80|DMP_X16,	   0x8	# "0000  "
		.ascii "  "			# "  "
		.ascii "fs"			# "fs="
		.byte 0x80|DMP_X16,	   0x10 # "0000  "
		.ascii "gs"			# "gs="
		.byte 0x80|DMP_X16,	   0x14 # "0000  "
		.ascii "ss"			# "ss="
		.byte 0x80|DMP_X16|DMP_EOL,0x4	# "0000\n"
		.ascii "cs:eip" 		# "cs:eip="
		.byte 0x80|DMP_MEM|DMP_EOL,0x48 # "00 00 ... 00 00\n"
		.ascii "ss:esp" 		# "ss:esp="
		.byte 0x80|DMP_MEM|DMP_EOL,0x0	# "00 00 ... 00 00\n"
		.asciz "BTX halted\n"		# End
/*
 * Bad VM86 call panic
 */
badvm86:	.asciz "Invalid VM86 Request\n"

/*
 * End of BTX memory.
 */
		.p2align 4
break: