为什么firststeps.simics和qsp-client-core.simics的SMM行为不同？

Question

如果我在firststeps.simics中设置SMM断点并检查寄存器，它会显示预期的RIP = 0x8000和CS base = 0x30000。但是如果我在qsp-client-core.simics中做同样的事情，它会显示RIP = 0xdffebe74和CS base = 0，我不明白为什么。

最终，我看到SMBASE从0x30000迁移到了0xdffcd000。但似乎X58芯片组手册上所说的TSeg，并没有被设置为相同的值，这是我所期望的。你知道为什么TSeg永远不会设置吗？

simics> print -x %msr_ia32_smbase
0xdffcd000
simics> get-device-offset  board.mb.nb.core_misc.bank.pci_config 0xA8 4
0 (LE)

(注意:我在直到skylake的平台上进行了测试，似乎只有在咖啡湖上才有这种行为，这也是qsp-client-core.simics的默认设置)

Answer 1

我刚刚尝试了firststeps.simics，我可以看到smm处理程序也被重新定位了。在第一个条目中，smm_base是0x30000，但它几乎马上就变成了0xdffd3000：

$ ./simics targets/qsp-x86/qsp-client-core.simics
simics> output-radix 16
simics> board.mb.cpu0.core[0][0]->smm_base
0x30000
simics> continue-seconds 30
simics> board.mb.cpu0.core[0][0]->smm_base
0xdffd3000

您也可以从日志中清楚地看到这一点：

simics> board.mb.cpu0.core[0][0].log-group -disable MSR
board.mb.cpu0.core[0][0]:
 enabled log groups: "Intermediate code" "Performance hint" "Other" "VMX" "Hardware breakpoints" "Pin change" "FPU" "Exception" "VM-monitor" "MONITOR" "X86 other" "Default_Log_Group"
 disabled log groups: "MSR"
simics> board.mb.cpu0.core[0][0].log-level 2
[board.mb.cpu0.core[0][0]] Changing log level: 1 -> 2
simics> log-setup -time-stamp 
simics> c
[board.mb.cpu0.core[0][0] info] {board.mb.cpu0.core[0][0] 0x83939a 388559012} IA32_FEATURE_CONTROL set to 0x5
[board.mb.cpu0.core[0][0] info] {board.mb.cpu0.core[0][0] 0xdf353932 388714533} Cache flush (with write-back)
[board.mb.cpu0.core[0][0] info] {board.mb.cpu0.core[0][0] 0xdf353987 388714952} Cache flush (with write-back)
[board.mb.cpu0.core[0][0] info] {board.mb.cpu0.core[0][0] 0xdf353932 388781185} Cache flush (with write-back)
[board.mb.cpu0.core[0][0] info] {board.mb.cpu0.core[0][0] 0xdf353987 388781604} Cache flush (with write-back)
[board.mb.cpu0.core[0][0] info] {board.mb.cpu0.core[0][0] 0xdf5765f5 389274426} Cache flush (with write-back)
[board.mb.cpu0.core[0][0] info] {board.mb.cpu0.core[0][0] 0xdf57664a 389274845} Cache flush (with write-back)
[board.mb.cpu0.core[0][0] info] {board.mb.cpu0.core[0][0] 0xdef5ed20 393668159} Cache flush (with write-back)
[board.mb.cpu0.core[0][0] info] {board.mb.cpu0.core[0][0] 0xdef5ecf0 393668269} Cache flush (with write-back)
[board.mb.cpu0.core[0][0] info] {board.mb.cpu0.core[0][0] 0xdffebe6e 397678713} SMI raised
[board.mb.cpu0.core[0][0] info] {board.mb.cpu0.core[0][0] 0xdffe43a9 397679321} New SMM base: 0xdffd3000
[board.mb.cpu0.core[0][0] info] {board.mb.cpu0.core[0][0] 0xdefc3471 398242965} SMI raised
[board.mb.cpu0.core[0][0] info] {board.mb.cpu0.core[0][0] 0xdefc3471 403646564} SMI raised

正如您所看到的，第一次调用SMM处理程序会更改smm_base，这是相当典型的做法。

我不知道Tseg，但希望我至少部分回答了你的问题。