Fork: 0
ajax / AMI-Aptio-BIOS-Reversed
Transfer to URL with SHA Find file
Newer
Older
AMI-Aptio-BIOS-Reversed / WheaErrorLog / WheaErrorLog_analysis.md
@Ajax Dong Ajax Dong 2 days ago 18 KB Init
Raw Blame History

WheaErrorLog Module Analysis

Overview

SMM WHEA (Windows Hardware Error Architecture) error logging driver for Intel Purley platform. This module initializes WHEA error record storage in SMRAM, registers SMI handlers for error record update and notification callbacks, and interfaces with platform MP (Multi-Processor) sync data, PCIe MM config space, and WHEA boot-time protocols to log hardware errors during OS runtime.

The module acts as the SMM-side counterpart to the DXE WHEA infrastructure, providing persistent error record buffers that survive across SMI entries.

Address Range

0x300 - 0x2FA8 (63 functions, ~154 KB image total including .data)

Image Characteristics

Property Value
Full path 0226_WheaErrorLog_7676e07fb4c8/WheaErrorLog.efi
MD5 24a2707e0606e07658e042b6a8f332e2
Architecture x64 (PE32+)
Image size 0x25780 (153 KB)
.text 0x300 - 0x3080 (11.6 KB, RX)
.rdata 0x3080 - 0x3D80 (3.2 KB, R)
.data 0x3D80 - 0x25380 (135 KB, RW)

Key Functions

Address Name Size Purpose
0x5E8 _ModuleEntryPoint 0xED DXE/SMM entry point
0x21C0 sub_21C0 0x3B9 Constructor chain: calls 14 init sub-functions
0x25EC sub_25EC 0x78 Main init: disables SET alarm, calls sub_26F4
0x26F4 sub_26F4 0x50D Protocol installation + SMI handler registration
0x2C04 sub_2C04 0x2EC WHEA error record creation/handler
0x2EF0 sub_2EF0 0xB6 Pre-initialize error status blocks
0x2FA8 sub_2FA8 0x28 SMM notify callback to reset state
0x2688 sub_2688 0x22 SMI handler to enable WHEA logging
0x2664 sub_2664 0x22 SMI handler to disable WHEA logging
0x2170 sub_2170 0x50 SMM callback registration wrapper
0x1ACC sub_1ACC 0x3A3 Protocol resolution (WheaSiliconHooksLib)
0x13B0 sub_13B0 0x4B8 MP sync data initialization
0x11A0 sub_11A0 0x20F ACPI PM1 timer-based delay / WHEA boot protocol init
0xC3C sub_C3C 0x172 SMM memory allocation - get SMRAM ranges
0xEBC sub_EBC 0xBA PCI MMIO base (DxeMmPciBase) initialization
0x1F5C sub_1F5C 0x60 WHEA silicon hooks config data initialization
0x2040 sub_2040 0xB6 PCD protocol locator
0xFDC sub_FDC 0x110 HOB list locator (via SystemTable config table, GUID at 0x3D80)
0x1154 sub_1154 0x49 HOB list traversal by GUID
0xA6C sub_A6C 0x67 GUID comparison (8-byte QWORD compare)
0x9E8 sub_9E8 0x82 ZeroMem wrapper
0x93C sub_93C 0xA9 CopyMem wrapper
0xB24 sub_B24 0x8C Debug assertion + debug print via CMOS check
0x890 sub_890 0x4E LongJump wrapper
0x1F04 sub_1F04 0x57 Initialize error record structure (check subtype, translate IDs)
0x1E70 sub_1E70 0x93 ID translation table lookup (255-terminated array)
0x26AC sub_26AC 0x46 Find WHEA error status block by severity level
0x6D8 sub_6D8 0x9B Boot services table library init
0x774 sub_774 0x3A Runtime services table lib init
0x7B0 sub_7B0 0xDF SMM services table lib init
0x2130 sub_2130 0x3D SpinLock init (set to 1)
0x1FBC sub_1FBC 0x48 IO port word write (16-bit)
0x2004 sub_2004 0x39 IO port dword read (32-bit)
0xAD4 sub_AD4 0x4F Get debug print function pointer

Entry Points (Public API)

Protocols Implemented / Consumed

The module consumes the following protocols (identified by GUID):

GUID Address GUID Protocol Name (Inferred) Consumer
0x3D80 7739F24C-93D7-11D4-9A3A-0090273FC14D EFI_HOB_LIST_GUID (System Table config table) sub_FDC
0x3DA0 F4CCBFB7-F6E0-47FD-9DD4-10A8F150C191 EFI_SMM_BASE2_PROTOCOL_GUID sub_7B0, sub_13B0
0x3DB0 86B091ED-1463-43B5-82A1-2C8B83CB8917 EFI_SMM_SYSTEM_TABLE2_PROTOCOL_GUID (gEfiSmmCpuProtocolGuid or SmmBase2) sub_26F4, sub_1F5C, sub_1ACC
0x3DC0 6820ABD4-A292-4817-9147-D91DC8C53542 EFI_SMM_CPU_PROTOCOL_GUID sub_26F4, sub_1ACC
0x3DD0 18A3C6DC-5EEA-48C8-A1C1-B53389F98999 EFI_SMM_CPU_SERVICE_PROTOCOL (SMM CPU Service) sub_26F4
0x3DE0 EEE07404-26EE-43C9-9071-4E48008C4691 EFI_SMM_SW_DISPATCH2_PROTOCOL_GUID sub_26F4
0x3DF0 11B34006-D85B-4D0A-A290-D5A571310EF7 gEfiPcdProtocolGuid (PCD protocol) sub_2040
0x3E00 441FFA18-8714-421E-8C95-587080796FEE Unknown - EFI_WHEA_BOOT_PROTOCOL sub_1ACC
0x3E10 C2702B74-800C-4131-8746-8FB5B89CE4AC EFI_SMM_ACCESS_PROTOCOL sub_C3C
0x3E20 FD480A76-B134-4EF7-ADFE-B0E054639807 EFI_MM_PCI_ROOT_BRIDGE_PROTOCOL or gEfiMmPciBaseProtocolGuid sub_EBC
0x3E30 A7CED760-C71C-4E1A-ACB1-89604D5216CB Unknown - sync data protocol sub_13B0
0x3E40 0067835F-9A50-433A-8CBB-852078197814 EFI_MP_SERVICE_PROTOCOL (MP sync service) sub_13B0, sub_1F5C, sub_1ACC
0x3E50 5B1B31A1-9562-11D2-8E3F-00A0C969723B EFI_SMM_MP_PROTOCOL (or gEfiSmmMpProtocolGuid) sub_13B0
0x3E70 6D7E4A32-9A73-46BA-94A1-5F2F25EF3E29 Unknown - WheaSilicon HOB protocol sub_1ACC
0x3E80 4A0266FE-FE57-4738-80AB-146E46F03A65 Unknown - EFI_WHEA_BOOT_PROTOCOL sub_1ACC
0x3E90 F08FC315-CC4F-4D8C-B34C-B030C4E7B919 Unknown - another platform protocol sub_1ACC
0x3EA0 9876CCAD-47B4-4BDB-B65E-16F193C4F3DB WHEA error source GUID A (Corrected Machine Check) sub_2C04
0x3EB0 DC3EA0B0-A144-4797-B55B-53FA242B6E1D WHEA error source GUID B (Recoverable) sub_2C04
0x3EC0 A5BC1114-6F64-4EDE-B863-3E83ED7C83B1 WHEA error source GUID C (PCIe / Corrected) sub_2C04, sub_1F04
0x3ED0 71761D37-32B2-45CD-A7D0-B0FEDD93E8CF WHEA error source GUID D (Fatal/Non-Maskable) sub_2C04
0x3EE0 D995E954-BBC1-430F-AD91-B44DCB3C6F35 WHEA error source GUID E (Corrected Machine Check variant) sub_2C04

SMI Handlers (Registered via SmmSwDispatch2)

  • sub_2688 (0x2688) - SMI handler for SwSmi 157: Enables WHEA error logging (byte_40A0 = 1), installs PCI MMIO base
  • sub_2664 (0x2664) - SMI handler for SwSmi 158: Disables WHEA error logging (byte_40A0 = 0), releases PCI MMIO base
  • sub_2C04 (0x2C04) - SMI handler registered via sub_26F4 callback (caller protocol): Processes WHEA error records, reads CPER data from error sources, writes them into the error status block
  • sub_2FA8 (0x2FA8) - SMM notification callback: Clears WHEA state flags (byte_40A1, byte_40A2, byte_40A3)

Internal Helpers

Initialization Chain (from sub_21C0)

sub_21C0 calls 14 init functions in sequence. Each call is wrapped in ASSERT_EFI_ERROR. The chain is:

Order Function Purpose
1 sub_6D8 (0x6D8) Init gImageHandle, gST, gBS (BootServices)
2 sub_774 (0x774) Init gRT (RuntimeServices)
3 sub_7B0 (0x7B0) Init gSmst (SMM Services Table), locate SMM Base2 protocol
4 sub_C3C (0xC3C) Get SMRAM ranges via SMM Access Protocol
5 sub_EB8 (0xEB8) Thunk to SMM PCI MMIO base init
6 sub_EBC (0xEBC) Init PCI MMIO base (DxeMmPciBase)
7 sub_F78 (0xF78) Get PCD value (token 5) - platform configuration
8 sub_10EC (0x10EC) Init HOB list
9 sub_11A0 (0x11A0) ACPI PM timer delay + WHEA boot protocol init
10 sub_13B0 (0x13B0) MP sync data table init (per-CPU structures)
11 sub_1ACC (0x1ACC) WHEA silicon hooks: resolve all remaining protocols
12 sub_1868 (0x1868) CPU topology detection (thread/core bits via CPUID)

Protocol Resolution (sub_1ACC)

Looked-up protocols at 0x3E70, 0x3E40 (MP), 0x3E80 (gEfiWheaBootProtocolGuid), 0x3E90 + HOB GUID at 0x3D90.

The function sub_1154 searches the HOB list for a specific GUID (at 0x3D90: 5138B5C5-9369-48EC-5B97-38A2F7096675). The HOB data offset +24 is stored at qword_4148 as a pointer to the WHEA silicon configuration data.

Error Record Processing (sub_2C04)

The SMI handler at 0x2C04 is the core error logging function:

  1. Checks if byte_40A0 is set (WHEA logging enabled). Returns EFI_NOT_READY if not.
  2. Calls sub_2EF0 to check if error status blocks are pre-initialized. If not, initialize them.
  3. Extracts error record details from the input context (offset +128 from a1 / CommunicationBuffer).
  4. Calls sub_1F04 to determine error record subtype. If it matches 0x3EC0 (Corrected/PCIe), performs ID translation via sub_1E70.
  5. Calls sub_26AC to find the appropriate error status block entry by severity (1 or 2).
  6. Extracts a pointer from the error status block entry.
  7. Determines error severity (192=non-fatal, 80=corrected, 228=fatal) based on source GUID matching (0x3EA0, 0x3EB0, 0x3EC0, 0x3ED0, 0x3EE0) and policy config.
  8. If the error source matches the policy config, fills in the error record:
    • Sets severity flags
    • Copies error timestamp
    • Sets error source GUID
    • Copies FRU (Field Replaceable Unit) text if present (16/20 bytes)
    • Copies error data payload of variable size (n192 bytes)
  9. Updates the error block header fields (length, severity flags).

State Management

Global Variables

Address Name Size Purpose
0x4098 qword_4098 8 Error status accumulator / global init status
0x40A0 byte_40A0 1 WHEA logging enabled flag
0x40A1 byte_40A1 1 Dual-rank/dual-socket error pending flag
0x40A2 byte_40A2 1 Single-rank/single-socket error pending flag
0x40A3 byte_40A3 1 Error status blocks initialized flag
0x40A8 SystemTable 8 EFI System Table (gST)
0x40B0 BootServices 8 EFI Boot Services (gBS)
0x40B8 qword_40B8 8 Image handle (gImageHandle)
0x40C0 qword_40C0 8 Runtime Services (gRT)
0x40C8 qword_40C8 8 SMM System Table (gSmst)
0x40D8 qword_40D8 8 PCI MMIO base protocol pointer
0x40E0 qword_40E0 8 PCD value (token 5)
0x40E8 qword_40E8 8 HOB list pointer (VendorTable)
0x40F0 qword_40F0 8 MP sync data protocol pointer
0x40F8 qword_40F8 8 SMM Base2 protocol pointer
0x4100 qword_4100 8 SMM MP protocol pointer
0x4108 unk_4108 ... MP sync data structure
0x4110 qword_4110 8 Number of WHEA error source entries
0x4126 unk_4126 ... WHEA error source array (variable, 26 bytes per entry)
0x4138 unk_4138 8 MP Service protocol pointer (saved)
0x4140 unk_4140 8 SmmCpu protocol pointer (saved)
0x4148 qword_4148 8 WHEA silicon HOB data pointer (+24)
0x4150 unk_4150 8 WHEA Boot protocol pointer
0x4158 unk_4158 8 Saved protocol pointer
0x4160 qword_4160 8 PCD protocol pointer
0x4170 unk_4170 ... WHEA silicon config data structure (328 bytes)
0x4178 qword_4178 8 Policy configuration data pointer (from SMM protocol)
0x4180 qword_4180 8 SMM CPU Service protocol pointer
0x42E8 unk_42E8 ... WHEA silicon hooks config
0x42F0 unk_42F0 8 Protocol pointer

Per-CPU Data Structures (initialized in sub_13B0)

Three parallel arrays indexed by CPU (up to 512 CPUs):

Address Name Element Size Purpose
0x9320 byte_9320 1 Per-CPU active flag
0x9B20 qword_9B20 8 Per-CPU APIC ID map
0xDB20 dword_DB20 4 Per-CPU register values
0xFB20 byte_FB20 1 Per-CPU status (0=inactive, 1=active, 2=running)

Also:
0x4308 | byte_4308 | 40 | Per-CPU (up to 0x5000/40=512) sync data structure header |

Layout: [64 * (socket + 448 * package)] [socket offset = 64, package stride = 448 * 64]

SpinLocks

| 0x9308 | unk_9308 | 8 | SpinLock for MP sync |
0x9310 | unk_9310 | 8 | SpinLock for MP sync |

SMRAM Range Info

| 0x25328 | qword_25328 | 8 | Number of SMRAM descriptors (total_size >> 5) |
0x25330 | qword_25330 | 8 | SMRAM range descriptor array pointer |

WHEA Error Status Block Table (at 0x3F28)

Entry structure (24 bytes per entry):

Offset  Size  Field
0x00    2     Type/severity level (1 or 2 = corrected or non-fatal)
0x02    4     Data size
0x08    8     Pointer to error status block structure
0x10    8     Pointer to error source specific data

Entry count at qword_3F90. Each entry points to an error status block whose first field is a flags/status value.

Data Structures

Error Status Block (referenced from 0x3F28 table entries)

Offset  Size  Field
0x00    4     Status/flags bits (bit 0=valid, bit 1=overflow, bit 2=corrected overflow,
              bits 4-5=severity, bits 12-15=type mask)
0x04    4     Reserved
0x08    2     Error severity code
0x0A    2     Reserved
0x0C    4     Error source ID
0x10    16    Error source GUID
0x20    2     Timestamp seconds
0x22    2     Timestamp microseconds

Per-CPU Sync Data Structure Entry (64 bytes each)

Layout derived from sub_13B0 loops:

Offset  Size  Field
0x00    8     Reserved (zeroed)
0x08    8     APIC ID (qword_9B20 entry)
0x10    4     Register value (dword_DB20 entry)
0x14    1     Status byte (0/1/2)
0x18-40       Reserved (zeroed)

Calling Patterns

Module Entry Flow

_ModuleEntryPoint (0x5E8)
  -> sub_21C0 (0x21C0)  [constructors]
      -> sub_6D8   - Init boot services (gBS)
      -> sub_774   - Init runtime services (gRT)
      -> sub_7B0   - Init SMM services (gSmst)
      -> sub_C3C   - Get SMRAM ranges
      -> sub_EB8   - Thunk: init PCI MMIO
      -> sub_EBC   - PCI MMIO base init
      -> sub_F78   - Get PCD token 5
      -> sub_10EC  - Init HOB list
      -> sub_11A0  - ACPI PM timer + WHEA boot protocol
      -> sub_13B0  - MP sync data table init
      -> sub_1ACC  - WHEA silicon hooks protocol resolution
  -> sub_25EC (0x25EC)  [main init]
      -> sub_300   - Save/restore callee regs + SetJump
      -> sub_26F4  - Main protocol installation (SmiHandler registration)
  -> sub_257C (0x257C)  [on failure: unload]
      -> sub_DB0   - Thunk: unload handler

SMI Handler Flow (WHEA error logging)

SMI Entry -> SmmCpuService Router -> sub_2C04 (0x2C04)
  -> sub_2EF0 (0x2EF0)  [pre-init error status blocks if needed]
      -> sub_9E8  [ZeroMem on each block]
  -> sub_1F04 (0x1F04)  [determine error type/severity]
      -> sub_A6C  [GUID compare - check if PCIe error type]
      -> sub_1E70 [ID translation via lookup table]
  -> sub_26AC (0x26AC)  [find error status block by severity]
  -> sub_93C   [CopyMem - copy FRU text, timestamps, error data]

SMM Enable/Disable Callback Flow

sub_2688 - SMI handler 158: enables WHEA
  -> Sets byte_40A0 = 1
  -> Installs PCI MMIO base

sub_2664 - SMI handler 157: disables WHEA
  -> Sets byte_40A0 = 0
  -> Releases PCI MMIO base

sub_2FA8 - SMM Notify callback: reset WHEA state
  -> Clears byte_40A1, byte_40A2, byte_40A3

Dependencies

Consumed Protocols (located via SMM protocol database / Boot Services)

Protocol Located by Used by
EFI_SMM_BASE2_PROTOCOL sub_7B0 sub_13B0
EFI_SMM_CPU_PROTOCOL sub_1ACC sub_26F4, sub_1ACC
EFI_SMM_SYSTEM_TABLE2 sub_7B0 All SMM operations
EFI_SMM_SW_DISPATCH2 sub_26F4 SMI handler registration
EFI_SMM_ACCESS_PROTOCOL sub_C3C SMRAM enumeration
EFI_MM_PCI_ROOT_BRIDGE sub_EBC PCI configuration access
PCD Protocol sub_2040 sub_F78
MP Service Protocol sub_1ACC sub_13B0
SMM MP Protocol sub_13B0 CPU topology init
gEfiWheaBootProtocolGuid sub_1ACC Boot-time WHEA info
SystemTable HOB GUID sub_FDC HOB list discovery

Consumed Boot Services Functions

The module uses the following gBS function table offsets:

  • Offset 192 (0xC0) - gBS->RegisterProtocolNotify
  • Offset 208 (0xD0) - gBS->LocateProtocol (or SMM equivalent via gSmst at 0x40C8+208)
  • Offset 320 (0x140) - gBS->LocateProtocol (DXE boot services version)

Consumed Libraries (linked statically)

  • UefiBootServicesTableLib - gBS, gImageHandle init
  • UefiRuntimeServicesTableLib - gRT init
  • SmmServicesTableLib - SMM table init
  • BaseLib - SetJump/LongJump
  • BaseMemoryLibRepStr - CopyMem, ZeroMem
  • SmmMemoryAllocationLib - SMRAM allocation
  • DxeMmPciBaseLib - PCI MMIO configuration
  • DxeHobLib - HOB list traversal
  • DxePcdLib - PCD protocol access
  • BaseIoLibIntrinsic - IO port access (PM1, CMOS)
  • BaseSynchronizationLib - SpinLock init
  • mpsyncdatalib - MP sync data
  • WheaSiliconHooksLib - Platform WHEA hooks

Consumed By (SMI Handlers)

  • SMM Core dispatches to registered SwSmi handlers (0x9D / 157, 0x9E / 158)
  • SMM CPU Service Callback calls sub_2C04 for WHEA error notification
  • SMM Notify calls sub_2FA8 for state cleanup

Platform Configuration

PCD token 5 is read via sub_F78:

  • Value stored at qword_40E0
  • Used in sub_11A0 at port 0x504 (1280) and 0x508 (1288) - typical ACPI PM1 base

CMOS access in debug logging (sub_B24):

  • CMOS index 0x70 / 0x71, register 0x4C
  • Determines debug verbosity level based on platform type

Error Source Types (at 0x3EA0-0x3EE0)

GUID Inferred Error Type Severity Code
0x3EA0 Machine Check (Corrected) 0 (non-updated)
0x3EB0 Recoverable Error Skip in handler
0x3EC0 PCIe Corrected Error 80 (corrected)
0x3ED0 Fatal/Non-Maskable Interrupt 80 (corrected, special flag)
0x3EE0 Corrected Machine Check Variant 228 (fatal)

Notes

  • The module is an SMM driver that registers into gSmst (EFI_SMM_SYSTEM_TABLE2). Despite referencing BootServices, it operates in SMM phase.
  • Error status block table at 0x3F28 contains entries with 24-byte stride. Entry count is at qword_3F90.
  • WHEA error source configuration array at 0x4126 has 26-byte per-entry stride. Count at qword_4110.
  • The error handler at 0x2C04 processes a communication buffer (in SMM) at offset +128 from the input argument, which contains: timestamp at +8, FRU text at +16(16 bytes)/+32(20 bytes), error data at +72, subtype GUID at +16, error severity flags at +10.
  • The ID translation table in sub_1E70 is a 255-terminated array of 8-byte entries (4 WORDs each).
  • Debug logging uses port 0x70/0x71 CMOS register 0x4C to detect platform debug level.
  • ACPI PM1 timer is used in sub_11A0 for timed delay loops (waiting 357 units on port 0x508/1288).
  • The module path indicates this is built from PurleyPlatPkg/Ras/Whea/WheaErrorLog/.