NAME

loader — kernel bootstrapping final stage

DESCRIPTION

The program called loader is the final stage of FreeBSD's kernel bootstrapping process. On IA32 (i386) architectures, it is a BTX client. It is linked statically to libstand(3) and usually located in the directory /boot.

It provides a scripting language that can be used to automate tasks, do pre-configuration or assist in recovery procedures. This scripting language is roughly divided in two main components. The smaller one is a set of commands designed for direct use by the casual user, called "builtin commands" for historical reasons. The main drive behind these commands is user-friendliness. The bigger component is an ANS Forth compatible Forth interpreter based on FICL, by John Sadler.

During initialization, loader will probe for a console and set the console variable, or set it to serial console (“comconsole”) if the previous boot stage used that. If multiple consoles are selected, they will be listed separated by spaces. Then, devices are probed, currdev and loaddev are set, and LINES is set to 24. Next, FICL is initialized, the builtin words are added to its vocabulary, and /boot/loader.4th is processed if it exists. No disk switching is possible while that file is being read. The inner interpreter loader will use with FICL is then set to interpret, which is FICL's default. After that, /boot/loader.rc is processed if available. These files are processed through the include command, which reads all of them into memory before processing them, making disk changes possible.

At this point, if an autoboot has not been tried, and if autoboot_delay is not set to “NO” (not case sensitive), then an autoboot will be tried. If the system gets past this point, prompt will be set and loader will engage interactive mode. Please note that historically even when autoboot_delay is set to “0” user will be able to interrupt autoboot process by pressing some key on the console while kernel and modules are being loaded. In some cases such behaviour may be undesirable, to prevent it set autoboot_delay to “-1”, in this case loader will engage interactive mode only if autoboot has failed.

BUILTIN COMMANDS

In loader, builtin commands take parameters from the command line. Presently, the only way to call them from a script is by using evaluate on a string. If an error condition occurs, an exception will be generated, which can be intercepted using ANS Forth exception handling words. If not intercepted, an error message will be displayed and the interpreter's state will be reset, emptying the stack and restoring interpreting mode.

The builtin commands available are:

autoboot [seconds [prompt]]

Proceeds to bootstrap the system after a number of seconds, if not interrupted by the user. Displays a countdown prompt warning the user the system is about to be booted, unless interrupted by a key press. The kernel will be loaded first if necessary. Defaults to 10 seconds.

bcachestat

Displays statistics about disk cache usage. For debugging only.

boot

boot kernelname [...]

boot -flag ...

Immediately proceeds to bootstrap the system, loading the kernel if necessary. Any flags or arguments are passed to the kernel, but they must precede the kernel name, if a kernel name is provided.

WARNING: The behavior of this builtin is changed if loader.4th(8) is loaded.

echo [-n] [⟨message⟩]

Displays text on the screen. A new line will be printed unless -n is specified.

heap

Displays memory usage statistics. For debugging purposes only.

help [topic [subtopic]]

Shows help messages read from /boot/loader.help. The special topic index will list the topics available.

include file [file ...]

Process script files. Each file, in turn, is completely read into memory, and then each of its lines is passed to the command line interpreter. If any error is returned by the interpreter, the include command aborts immediately, without reading any other files, and returns an error itself (see ERRORS).

load [-t type] file ...

Loads a kernel, kernel loadable module (kld), disk image, or file of opaque contents tagged as being of the type type. Kernel and modules can be either in a.out or ELF format. Any arguments passed after the name of the file to be loaded will be passed as arguments to that file. Use the md_image type to make the kernel create a file-backed md(4) disk. This is useful for booting from a temporary rootfs. Currently, argument passing does not work for the kernel.

load_geli [-n keyno] prov file

Loads a geli(8) encryption keyfile for the given provider name. The key index can be specified via keyno or will default to zero.

ls [-l] [path]

Displays a listing of files in the directory path, or the root directory if path is not specified. If -l is specified, file sizes will be shown too.

lsdev [-v]

Lists all of the devices from which it may be possible to load modules, as well as ZFS pools. If -v is specified, more details are printed, including ZFS pool information in a format that resembles zpool status output.

lsmod [-v]

Displays loaded modules. If -v is specified, more details are shown.

lszfs filesystem

A ZFS extended command that can be used to explore the ZFS filesystem hierarchy in a pool. Lists the immediate children of the filesystem. The filesystem hierarchy is rooted at a filesystem with the same name as the pool.

more file [file ...]

Display the files specified, with a pause at each LINES displayed.

pnpscan [-v]

Scans for Plug-and-Play devices. This is not functional at present.

read [-t seconds] [-p prompt] [variable]

Reads a line of input from the terminal, storing it in variable if specified. A timeout can be specified with -t, though it will be canceled at the first key pressed. A prompt may also be displayed through the -p flag.

reboot

Immediately reboots the system.

set variable

set variable=value

Set loader's environment variables.

show [variable]

Displays the specified variable's value, or all variables and their values if variable is not specified.

unload

Remove all modules from memory.

unset variable

Removes variable from the environment.

?

Lists available commands.

BUILTIN ENVIRONMENT VARIABLES

The loader has actually two different kinds of ‘environment’ variables. There are ANS Forth's environmental queries, and a separate space of environment variables used by builtins, which are not directly available to Forth words. It is the latter type that this section covers.

Environment variables can be set and unset through the set and unset builtins, and can have their values interactively examined through the use of the show builtin. Their values can also be accessed as described in BUILTIN PARSER.

Notice that these environment variables are not inherited by any shell after the system has been booted.

A few variables are set automatically by loader. Others can affect the behavior of either loader or the kernel at boot. Some options may require a value, while others define behavior just by being set. Both types of builtin variables are described below.

autoboot_delay: Number of seconds autoboot will wait before booting. Configuration options are described in loader.conf(5).
boot_askname: Instructs the kernel to prompt the user for the name of the root device when the kernel is booted.
boot_cdrom: Instructs the kernel to try to mount the root file system from CD-ROM.
boot_ddb: Instructs the kernel to start in the DDB debugger, rather than proceeding to initialize when booted.
boot_dfltroot: Instructs the kernel to mount the statically compiled-in root file system.
boot_gdb: Selects gdb-remote mode for the kernel debugger by default.
boot_multicons: Enables multiple console support in the kernel early on boot. In a running system, console configuration can be manipulated by the conscontrol(8) utility.
boot_mute: All kernel console output is suppressed when console is muted. In a running system, the state of console muting can be manipulated by the conscontrol(8) utility.
boot_pause: During the device probe, pause after each line is printed.
boot_serial: Force the use of a serial console even when an internal console is present.
boot_single: Prevents the kernel from initiating a multi-user startup; instead, a single-user mode will be entered when the kernel has finished device probing.
boot_verbose: Setting this variable causes extra debugging information to be printed by the kernel during the boot phase.
bootfile: List of semicolon-separated search path for bootable kernels. The default is “kernel”.
comconsole_speed: Defines the speed of the serial console (i386 and amd64 only). If the previous boot stage indicated that a serial console is in use then this variable is initialized to the current speed of the console serial port. Otherwise it is set to 9600 unless this was overridden using the BOOT_COMCONSOLE_SPEED variable when loader was compiled. Changes to the comconsole_speed variable take effect immediately.
comconsole_port: Defines the base i/o port used to access console UART (i386 and amd64 only). If the variable is not set, its assumed value is 0x3F8, which corresponds to PC port COM1, unless overridden by BOOT_COMCONSOLE_PORT variable during the compilation of loader. Setting the comconsole_port variable automatically set hw.uart.console environment variable to provide a hint to kernel for location of the console. Loader console is changed immediately after variable comconsole_port is set.
comconsole_pcidev: Defines the location of a PCI device of the 'simple communication' class to be used as the serial console UART (i386 and amd64 only). The syntax of the variable is 'bus:device:function[:bar]', where all members must be numeric, with possible 0x prefix to indicate a hexadecimal value. The bar member is optional and assumed to be 0x10 if omitted. The bar must decode i/o space. Setting the variable comconsole_pcidev automatically sets the variable comconsole_port to the base of the selected bar, and hint hw.uart.console. Loader console is changed immediately after variable comconsole_pcidev is set.
console: Defines the current console or consoles. Multiple consoles may be specified. In that case, the first listed console will become the default console for userland output (e.g. from init(8)).
currdev: Selects the default device to loader the kernel from. The syntax is:
loader_device:
or
zfs:dataset:
Examples:
disk0p2:

zfs:zroot/ROOT/default:
dumpdev: Sets the device for kernel dumps. This can be used to ensure that a device is configured before the corresponding dumpdev directive from rc.conf(5) has been processed, allowing kernel panics that happen during the early stages of boot to be captured.
init_chroot: See init(8).
init_exec: See init(8).
init_path: Sets the list of binaries which the kernel will try to run as the initial process. The first matching binary is used. The default list is “/sbin/init:/sbin/oinit:/sbin/init.bak:/rescue/init”.
init_script: See init(8).
init_shell: See init(8).
interpret: Has the value “OK” if the Forth's current state is interpreting.
LINES: Define the number of lines on the screen, to be used by the pager.
module_path: Sets the list of directories which will be searched for modules named in a load command or implicitly required by a dependency. The default value for this variable is “/boot/kernel;/boot/modules”.
num_ide_disks: Sets the number of IDE disks as a workaround for some problems in finding the root disk at boot. This has been deprecated in favor of root_disk_unit.
prompt: Value of loader's prompt. Defaults to “${interpret}”. If variable prompt is unset, the default prompt is ‘>’.
root_disk_unit: If the code which detects the disk unit number for the root disk is confused, e.g. by a mix of SCSI and IDE disks, or IDE disks with gaps in the sequence (e.g. no primary slave), the unit number can be forced by setting this variable.
rootdev: By default the value of currdev is used to set the root file system when the kernel is booted. This can be overridden by setting rootdev explicitly.

Other variables are used to override kernel tunable parameters. The following tunables are available:

efi.rt.disabled

Disable UEFI runtime services in the kernel, if applicable. Runtime services are only available and used if the kernel is booted in a UEFI environment.

hw.physmem

Limit the amount of physical memory the system will use. By default the size is in bytes, but the k, K, m, M, g and G suffixes are also accepted and indicate kilobytes, megabytes and gigabytes respectively. An invalid suffix will result in the variable being ignored by the kernel.

hw.pci.host_start_mem, hw.acpi.host_start_mem

When not otherwise constrained, this limits the memory start address. The default is 0x80000000 and should be set to at least size of the memory and not conflict with other resources. Typically, only systems without PCI bridges need to set this variable since PCI bridges typically constrain the memory starting address (and the variable is only used when bridges do not constrain this address).

hw.pci.enable_io_modes

Enable PCI resources which are left off by some BIOSes or are not enabled correctly by the device driver. Tunable value set to ON (1) by default, but this may cause problems with some peripherals.

kern.maxusers

Set the size of a number of statically allocated system tables; see tuning(7) for a description of how to select an appropriate value for this tunable. When set, this tunable replaces the value declared in the kernel compile-time configuration file.

kern.ipc.nmbclusters

Set the number of mbuf clusters to be allocated. The value cannot be set below the default determined when the kernel was compiled.

kern.ipc.nsfbufs

Set the number of sendfile(2) buffers to be allocated. Overrides NSFBUFS. Not all architectures use such buffers; see sendfile(2) for details.

kern.maxswzone

Limits the amount of KVM to be used to hold swap metadata, which directly governs the maximum amount of swap the system can support, at the rate of approximately 200 MB of swap space per 1 MB of metadata. This value is specified in bytes of KVA space. If no value is provided, the system allocates enough memory to handle an amount of swap that corresponds to eight times the amount of physical memory present in the system.

Note that swap metadata can be fragmented, which means that the system can run out of space before it reaches the theoretical limit. Therefore, care should be taken to not configure more swap than approximately half of the theoretical maximum.

Running out of space for swap metadata can leave the system in an unrecoverable state. Therefore, you should only change this parameter if you need to greatly extend the KVM reservation for other resources such as the buffer cache or kern.ipc.nmbclusters. Modifies kernel option VM_SWZONE_SIZE_MAX.

kern.maxbcache

Limits the amount of KVM reserved for use by the buffer cache, specified in bytes. The default maximum is 200MB on i386, and 400MB on amd64 and sparc64. This parameter is used to prevent the buffer cache from eating too much KVM in large-memory machine configurations. Only mess around with this parameter if you need to greatly extend the KVM reservation for other resources such as the swap zone or kern.ipc.nmbclusters. Note that the NBUF parameter will override this limit. Modifies VM_BCACHE_SIZE_MAX.

kern.msgbufsize

Sets the size of the kernel message buffer. The default limit of 96KB is usually sufficient unless large amounts of trace data need to be collected between opportunities to examine the buffer or dump it to a file. Overrides kernel option MSGBUF_SIZE.

machdep.disable_mtrrs

Disable the use of i686 MTRRs (x86 only).

net.inet.tcp.tcbhashsize

Overrides the compile-time set value of TCBHASHSIZE or the preset default of 512. Must be a power of 2.

twiddle_divisor

Throttles the output of the ‘twiddle’ I/O progress indicator displayed while loading the kernel and modules. This is useful on slow serial consoles where the time spent waiting for these characters to be written can add up to many seconds. The default is 1 (full speed); a value of 2 spins half as fast, and so on.

vm.kmem_size

Sets the size of kernel memory (bytes). This overrides the value determined when the kernel was compiled. Modifies VM_KMEM_SIZE.

vm.kmem_size_min

vm.kmem_size_max

Sets the minimum and maximum (respectively) amount of kernel memory that will be automatically allocated by the kernel. These override the values determined when the kernel was compiled. Modifies VM_KMEM_SIZE_MIN and VM_KMEM_SIZE_MAX.

ZFS FEATURES

loader supports the following format for specifying ZFS filesystems which can be used wherever loader(8) refers to a device specification:

zfs:pool/filesystem:

where pool/filesystem is a ZFS filesystem name as described in zfs(8).

If /etc/fstab does not have an entry for the root filesystem and vfs.root.mountfrom is not set, but currdev refers to a ZFS filesystem, then loader will instruct kernel to use that filesystem as the root filesystem.

BUILTIN PARSER

When a builtin command is executed, the rest of the line is taken by it as arguments, and it is processed by a special parser which is not used for regular Forth commands.

This special parser applies the following rules to the parsed text:

All backslash characters are preprocessed.
- \b , \f , \r , \n and \t are processed as in C.
- \s is converted to a space.
- \v is converted to ASCII 11.
- \z is just skipped. Useful for things like “\0xf\z\0xf”.
- \0xN and \0xNN are replaced by the hex N or NN.
- \NNN is replaced by the octal NNN ASCII character.
- \" , \' and \$ will escape these characters, preventing them from receiving special treatment in Step 2, described below.
- \\ will be replaced with a single \ .
- In any other occurrence, backslash will just be removed.
Every string between non-escaped quotes or double-quotes will be treated as a single word for the purposes of the remaining steps.
Replace any $VARIABLE or ${VARIABLE} with the value of the environment variable VARIABLE.
Space-delimited arguments are passed to the called builtin command. Spaces can also be escaped through the use of \\ .

An exception to this parsing rule exists, and is described in BUILTINS AND FORTH.

BUILTINS AND FORTH

All builtin words are state-smart, immediate words. If interpreted, they behave exactly as described previously. If they are compiled, though, they extract their arguments from the stack instead of the command line.

If compiled, the builtin words expect to find, at execution time, the following parameters on the stack:

addrN lenN ... addr2 len2 addr1 len1 N

where addrX lenX are strings which will compose the command line that will be parsed into the builtin's arguments. Internally, these strings are concatenated in from 1 to N, with a space put between each one.

If no arguments are passed, a 0 must be passed, even if the builtin accepts no arguments.

While this behavior has benefits, it has its trade-offs. If the execution token of a builtin is acquired (through ' or [']), and then passed to catch or execute, the builtin behavior will depend on the system state

at the time catch or execute is processed!

This is particularly annoying for programs that want or need to handle exceptions. In this case, the use of a proxy is recommended. For example:

: (boot) boot

;

FICL

FICL is a Forth interpreter written in C, in the form of a forth virtual machine library that can be called by C functions and vice versa.

In loader, each line read interactively is then fed to FICL, which may call loader back to execute the builtin words. The builtin include will also feed FICL, one line at a time.

The words available to FICL can be classified into four groups. The ANS Forth standard words, extra FICL words, extra FreeBSD words, and the builtin commands; the latter were already described. The ANS Forth standard words are listed in the STANDARDS section. The words falling in the two other groups are described in the following subsections.

FICL EXTRA WORDS

.env
.ver
-roll
2constant
>name
body>
compare: This is the STRING word set's compare.
compile-only
endif
forget-wid
parse-word
sliteral: This is the STRING word set's sliteral.
wid-set-super
w@
w!
x.
empty
cell-
-rot

FREEBSD EXTRA WORDS

$ (--): Evaluates the remainder of the input buffer, after having printed it first.
% (--): Evaluates the remainder of the input buffer under a catch exception guard.
.#: Works like . but without outputting a trailing space.
fclose (fd --): Closes a file.
fkey (fd -- char): Reads a single character from a file.
fload (fd --): Processes a file fd.
fopen (addr len mode -- fd): Opens a file. Returns a file descriptor, or -1 in case of failure. The mode parameter selects whether the file is to be opened for read access, write access, or both. The constants O_RDONLY, O_WRONLY, and O_RDWR are defined in /boot/support.4th, indicating read only, write only, and read-write access, respectively.
fread (fd addr len -- len'): Tries to read len bytes from file fd into buffer addr. Returns the actual number of bytes read, or -1 in case of error or end of file.
heap? (-- cells): Return the space remaining in the dictionary heap, in cells. This is not related to the heap used by dynamic memory allocation words.
inb (port -- char): Reads a byte from a port.
key (-- char): Reads a single character from the console.
key? (-- flag): Returns true if there is a character available to be read from the console.
ms (u --): Waits u microseconds.
outb (port char --): Writes a byte to a port.
seconds (-- u): Returns the number of seconds since midnight.
tib> (-- addr len): Returns the remainder of the input buffer as a string on the stack.
trace! (flag --): Activates or deactivates tracing. Does not work with catch.

FREEBSD DEFINED ENVIRONMENTAL QUERIES

arch-i386: TRUE if the architecture is IA32.
MidnightBSD_version: version at compile time.
loader_version: loader version.

SECURITY

Access to the loader command line provides several ways of compromising system security, including, but not limited to:

Booting from removable storage, by setting the currdev or loaddev variables
Executing binary of choice, by setting the init_path or init_script variables
Overriding ACPI DSDT to inject arbitrary code into the ACPI subsystem

One can prevent unauthorized access to the loader command line by setting the password, or setting autoboot_delay to -1. See loader.conf(5) for details. In order for this to be effective, one should also configure the firmware (BIOS or UEFI) to prevent booting from unauthorized devices.

MD

Memory disk (MD) can be used when the loader was compiled with MD_IMAGE_SIZE. The size of the memory disk is determined by MD_IMAGE_SIZE. If MD available, a file system can be embedded into the loader with /sys/tools/embed_mfs.sh. Then, MD will be probed and be set to currdev during initialization.

Currently, MD is only supported in loader.efi(8).

FILES

/boot/loader: loader itself.
/boot/loader.4th: Additional FICL initialization.
/boot/defaults/loader.conf
/boot/loader.4th: Extra builtin-like words.
/boot/loader.conf
/boot/loader.conf.local: loader configuration files, as described in loader.conf(5).
/boot/loader.rc: loader bootstrapping script.
/boot/loader.help: Loaded by help. Contains the help messages.
/boot/support.4th: loader.conf processing words.
/usr/share/examples/bootforth/: Assorted examples.

EXAMPLES

Boot in single user mode:

boot -s

Load the kernel, a splash screen, and then autoboot in five seconds. Notice that a kernel must be loaded before any other load command is attempted.

load kernel
load splash_bmp
load -t splash_image_data /boot/chuckrulez.bmp
autoboot 5

Set the disk unit of the root device to 2, and then boot. This would be needed in a system with two IDE disks, with the second IDE disk hardwired to ada2 instead of ada1.

set root_disk_unit=2
boot /boot/kernel/kernel

Set the default device used for loading a kernel from a ZFS filesystem:

set currdev=zfs:tank/ROOT/knowngood:

ERRORS

The following values are thrown by loader:

100: Any type of error in the processing of a builtin.
-1: Abort executed.
-2: Abort" executed.
-56: Quit executed.
-256: Out of interpreting text.
-257: Need more text to succeed -- will finish on next run.
-258: Bye executed.
-259: Unspecified error.

STANDARDS

For the purposes of ANS Forth compliance, loader is an

ANS Forth System with Environmental Restrictions, Providing

.(, :noname, ?do, parse, pick, roll, refill, to, value, \, false, true, <>, 0<>, compile, , erase, nip, tuck

and marker

from the Core Extensions word set, Providing the Exception Extensions word set, Providing the Locals Extensions word set, Providing the Memory-Allocation Extensions word set, Providing

.s, bye, forget, see, words, [if], [else]

and [then]

from the Programming-Tools extension word set, Providing the Search-Order extensions word set.

HISTORY

The loader first appeared in FreeBSD 3.1.

AUTHORS

The loader was written by Michael Smith ⟨msmith@FreeBSD.org⟩.

FICL was written by John Sadler ⟨john_sadler@alum.mit.edu⟩.

BUGS

The expect and accept words will read from the input buffer instead of the console. The latter will be fixed, but the former will not.