Hi,
embryo2 wrote:Brendan wrote:So the OS takes a CRC of the malicious AML when the OS is installed; and then whenever the AML changes (firmware is updated, BIOS settings are changed, etc) the OS stops working?
If you want trusted computing then you must buy trusted hardware. Where's the AML's place in the picture of missed efforts?
I don't understand your question (I get a parse error for "the picture of missed efforts").
Security and trustworthiness can never be perfect; and the goal is always to improve security and trustworthiness (regardless of what the hardware is).
embryo2 wrote:Brendan wrote:A bare AML interpreter probably isn't that hard to implement on its own, but that's just the tip of the iceberg. To use AML properly you have to tell it that the OS is a recent version of Windows (otherwise the firmware/AML suppresses various features), and when you tell AML the OS is a recent version of Windows the OS has to behave like a recent version of Windows (which is extremely difficult/undocumented).
Can you be more specific on it? What part of AML behaves in an unspecified manner? I mean the ACPI specification. If your parser detects something non standard, then who in the world insists you should use such an inconsistent part of the ACPI data?
Just grab an AML disassembler (there's one in virtually every Linux distro) and take a look at your own (real not virtual) computer's AML. Look for anything that depends on the "\_OS" object.
I found a random AML disassembly
here if you couldn't be bothered. If you look at this you'll find a method called "OSFL" that contains a few lines like "If (MCTH (\_OS, "Microsoft Windows NT"))" and "If (MCTH (\_OS, "Microsoft WindowsME: Millennium Edition"))" and "If (\_OSI ("Windows 2001"))". These checks end up setting a variable called OSVR to different values (depending on what the OS told ACPI it is), and this OSVR variable is returned by the method. Then you'll notice that this "OSFL" method is called from all over the place in lines like "If (LEqual (OSFL (), 0x00))". Also note that if AML doesn't recognise the "OS name" that the OS provides (e.g. because the OS said "Linux" or "Ubuntu" or "BCOS" or "Embryo's OS") you end up with "OSVR = 0x00" and severely reduced functionality.
Note that it's not just the "\_OS" name, there's also "_OSI" (Operating System Interfaces") which takes an OS defined string (representing a certain feature/interface) that an OS uses to ask ACPI if a certain (OS specific) feature is supported.
Essentially, the behaviour of most of the AML changes depending on what the OS says it is; and these differences in behaviour depend on what Microsoft felt like doing and are not documented anywhere (that I know of). This is why it took a team of Intel developers about 10 years to get ACPICA to work properly (even though they probably could've done the "AML interpreter" alone in less than 6 months). It's also why OSs that aren't Windows have to lie to ACPI and say they are a version of Windows (so they don't end up with "minimal functionality AML").
embryo2 wrote:Brendan wrote:Basically, writing my own equivalent of ACPICA is an extremely bad idea.
Is it the conclusion you have managed to come to after the Windows specific behavior of AML cornered you into an inescapable trap? Is this trap really inescapable? Or the escape costs on par with writing a lot of motherboard drivers?
You can't avoid the "Windows specific behaviour" trap. With a lot of work you could figure out the Windows specific behaviour; but you'd have to do that for each different "OS name" Microsoft uses (in the past, now, and in the future) and each "_OSI" OS defined string that Microsoft define.
embryo2 wrote:Brendan wrote:Porting ACPICA would require a C compiler that understands my executable file format (and is able to generate my byte-code);
Why? As far as I know there's a call convention defined in the specification. Can you create a structure in memory, change stack pointer and call the ACPICA stuff without any knowledge of C?
If I could compile ACPICA (with a compiler that will never exist) and link it to something else (with a linker that will never exist); then calling it would be mostly trivial.
embryo2 wrote:Brendan wrote:and I do want the OS to be self hosting one day.
Then you can create your own AML interpreter. Does it cost more than a thousand of motherboard drivers?
Again, the AML interpreter alone is just the tip of the iceberg (almost completely useless without a huge amount of other code, plus a whitelist/blacklist, plus "replacement AML" for all the known buggy computers).
Your comparison is like comparing an over-priced turd sandwich to a reasonably priced porterhouse steak. The steak might (or might not) be a little more expensive, but who wants to eat turd?
embryo2 wrote:Brendan wrote:By providing motherboard drivers I can include features that ACPI doesn't support, and in that way (if a motherboard driver exists) the OS can be superior to everything else. For one example, the motherboard driver can reconfigure the physical address space (and get rid of things like the "legacy ROM" areas).
Is the legacy ROM area configurable on all motherboards? And how long it will take to collect the information about such a kind of configuration (which is not implemented even by the motherboard vendor)?
For all "modern" (since about 1995) 80x86 motherboards the legacy ROM area/s used by devices (e.g. video card, etc) can be converted to normal RAM. The legacy ROM area used by BIOS itself can too, but doing that is too risky (without some extensive testing) because you can't be sure if the BIOS' SMM code relies on it under certain conditions. You can also get rid of the "legacy VGA" area, but often the RAM underneath is locked for "SMM only" (and that can't be changed) so getting rid of "legacy VGA" area doesn't help. In some cases (e.g. if other RAM is used for SMM and the legacy BIOS area isn't called from SMM) you can convert the physical address space so that you've got a single unfragmented slab of RAM at 0x00000000 with none of the typical junk in the first 1 MiB. Of course all of this requires chipset/motherboard specific knowledge (and isn't supported by ACPI/AML). Note that when combined with a "boot from ROM boot loader" you don't have to worry so much about SMM (because the firmware is yours and not "unknown") and can do a better job.
For Intel's chipsets it's typically well documented by their datasheets. For other manufacturers it can be hard to get documentation (and in that case I'd just skip it). The OS would also need to do some other things to make it work properly (reprogram MTRRs so the RAM is cached properly, add the recovered RAM to its physical memory manager so it can be used, etc).
embryo2 wrote:Brendan wrote:For another example; I plan to include (simplified) 3D models of all hardware (including the motherboard) so that people can see exactly where different PCI and RAM slots are (for hardware upgrades, faults, etc). If the OS detects that RAM at physical address 0x1234567 is faulty then it should be able to correctly identify which RAM module in which slot needs to be replaced (where figuring out the relationship between physical address and RAM module is excessively difficult without a motherboard/chipset driver to start with) and should then be able to show a maintenance person where that RAM module is so they don't accidentally replace the wrong RAM module.
Nice idea. But what's wrong with the AML here? How the AML prevents you from gathering spatial data for a motherboard? I don't know if the RAM module information is provided by the AML, but at least I see the device configuration objects and things like NUMA nodes location information. So, if the required information is provided by the AML, then what a point in refusing to use it (and collecting it yourself)?
For everything that AML doesn't support, AML doesn't support it. This means that (if you want to do things that AML doesn't support, like determine the relationship between physical addresses and RAM modules, or like providing 3D models) you have to provide motherboard specific info and/or code regardless of whether you use AML or not. If you're providing motherboard drivers regardless of whether you use AML or not, then there isn't as much reason to bother with AML in the first place.
embryo2 wrote:Brendan wrote:Note that this also means being able to supporting old hardware well; including old hardware with old AML that doesn't include features that were introduced in later versions of ACPI, and including ancient hardware that doesn't support ACPI at all.
Well, the old hardware adds a bit to your information collection efforts. The old hardware manufacturers didn't know the way you can find new features in the ancient things. But you, of course, do know it. Are you serious?
I don't understand your question.
For a 20 year old motherboard (e.g. from before ACPI existed), it's no different to writing a motherboard driver for a new motherboard - you can still get information from the datasheet, still support whatever features the hardware supports (without bothering with older interfaces like APM), still create a 3D model, etc.
embryo2 wrote:Brendan wrote:For a variety of purposes (embedded systems, high-end HPC, etc) I also want to support "boot from ROM" where the firmware is the OS's boot loader and boot files (kernel, drivers, etc). In this case providing motherboard drivers means that whoever creates a "boot from ROM boot loader" doesn't have to bother with ACPI, AML and some of the SMM stuff.
Is it now about a new BIOS vendor arrival? But have you explored the market before such a journey? It differs a bit from the OS market.
Normally I provide a "firmware development kit" with working example code for Bochs; so that (eventually) if someone wants to write a "boot from ROM boot loader" they only need to worry about writing/modifying any motherboard/chipset specific things that are needed before the OS starts. Of course the OS does things like (re)configuring PCI buses and bridges itself so "boot from ROM boot loader" firmware doesn't have to bother with any of that, and the OS would have a "motherboard driver" so that the "boot from ROM boot loader" firmware doesn't have to bother with any of that either.
embryo2 wrote:Brendan wrote:Don't forget that I could implement a kind of "motherboard driver builder" utility that auto-converts ACPI's AML into initial source code for a motherboard driver; where to create a motherboard driver a programmer would start by using this utility to get all the boilerplate out of the way, and would then double check and tweak the auto-generated code, and then fill in things that AML doesn't support.
Do you mean your "double check and tweak" solves the security issue with the untrusted hardware? A hundred pages of cryptic text is really helpful here.
I wouldn't expect anyone to use source code auto-generated by a "clever" utility without bothering to check it. I wasn't planning to provide a hundred pages of cryptic text (and have no idea where you got a silly idea like that from). It'd generate normal source code, with normal/descriptive function names, and with comments (like "// Code to determine IO APIC input from PCI slot" and "// Add code to support FOO here!"), etc.
embryo2 wrote:Brendan wrote:Also don't forget that (if I find out later that I have no choice) nothing would really prevent me from having a "generic motherboard driver" that does use AML internally, and having that as a fall-back for cases where there's no (more suitable) motherboard driver.
It would be wise to create the "fall-back" driver and after some time just to forget about the world-wide contest "let's try to find a hardware information".
No. As soon as I provide a "generic motherboard driver" I destroy any hope that people will ever bother to write motherboard drivers that don't suck, and the OS will suck forever.
embryo2 wrote:Brendan wrote:Even just a brief look at the
ACPI Wikipedia page is probably enough to convince the majority of people that "doesn't rely on ACPI/AML" is a good thing
Well, again it's easier to point to something like
this piece of information about everything and nothing in particular and claim "you shouldn't use Brendan's firmware, just because you are unable to read a few pages from the wiki". And yes, there also is the part about security risks (for the very informed part of the users who make decisions after reading ACPI wiki article).
Not sure how your comment is supposed to make any sense at all. I'm not providing any firmware (other than for open source emulators where it's easier); and if I was providing firmware then people would be choosing between an existing proprietary blob that came with their computer and firmware provided by the same person that wrote the OS they're using (who they must've trusted already or they wouldn't be using the OS in the first place).
Cheers,
Brendan