Add to collection(s) Add to saved
  1. No category
Uploaded by mvnimbalkar.scoe

80386 Protected Mode Address Translation

advertisement 
Sinhgad College of Engineering
Dept. of Information Technology
Class - SE
Processor Architecture & Interfacing
(214450)
UNIT II
80386 PROTECTED MODE –
ADDRESS TRANSLATION &
PROTECTION MECHANISM
Protected Memory Management and
Address Translation
 Virtual Address and Virtual Address Space
 virtual address : selector(16-bit): offset(32-bit)
47
32 31
selector
INDEX


0
offset
T
I
RPL
214(16,384 = 16K) unique segments of memory, each of which
has a maximum size of 4G bytes
Total virtual address space = 246 , 64 TB
Protected Memory Management and
Address Translation
 Segment Partitioning of the Virtual Address Space
Local segment 8191
Local address space
32 Terabytes
Local segment 1
Virtual Address Space
Local segment 0
64 Terabytes
Global segment 8191
Global address space
32 Terabytes
Global segment 1
Global segment 0

Application Program : a collection of tasks
task: a group of program routines that together perform a specific
function
 A task can activate both global and local segments of memory

Task 1
Local Address
Space
Task 1 Virtual Address Space
Global
Task 3 Virtual Address Space
Task 2 Virtual Address Space
Address
Space
Task 2
Task 3
Local Address
Local Address
Space
Space
Physical Address Space and Virtual-toPhysical Address Translation
Address Translation process is divided into
1. Segment translation
SELECTOR
2. Page translation
OFFSET
LOGICAL ADDRESS
SEGMENT
TRANSLATION
PAGING DISABLED
PG?
PAGING ENABLED
31
LINEAR ADDRESS
DIR PAGE
0
OFFSET
PAGE
TRANSLATION
PHYSICAL ADDRESS
Segmentation Virtual to Physical
Address Translation
SELECTOR
OFFSET
LOGICAL ADDRESS
SEGMENT
TRANSLATION
PAGING DISABLED
PG?
PAGING ENABLED
LINEAR ADDRESS
31
DIR PAGE
Selector Offset(EBX)
(DS)
Operand
Data
Segment
0
OFFSET
PAGE
TRANSLATION
PHYSICAL ADDRESS
Data Segment
Descriptor
Cache Register
Segment
Descriptor
LDT
1. Segment translation
7
SCOE
2. Paging Memory Management
Segmentation : 4GB physical memory -- organized into segments that can be
any size from 1 byte to 4G byte
Paging: 1,048,496 pages that are each 4K(4096) bytes long
SELECTO
R
OFFSET
LOGICAL ADDRESS
Page 1,048495 4KB
. 1,048,494 4KB
Page
.
Physical
Address
PAGING ENABLED
space
31
.
DIR
LINEAR ADDRESS
.
Page 1 4KB
Page 0 4KB
SEGMENT
TRANSLATION
PG?
PAGING DISABLED
0
PAGE
PAGE
TRANSLATION
PHYSICAL ADDRESS
OFFSET
Linear Address Format
PAGE
DIR
31
22 21
•TLB (Translation Lookaside Buffe
•maintaining 32 sets of table
entries
•128 KB of paged memory
are always directly accessible
OFFSET
12 11
0
Operand
Translation
lookaside
buffer
(TLB)
Page Frame
Page table entry
Page table
Page directory entry
Page directory
table
PDBR(CR3)
Memory Segmentation
 Segment Descriptors
 80886
to 80386+
In 8086, the program is not expected to generate a
non-existent memory address. If it does, then the
processor shall try to access the same and read
bogus data, or crash
In 80386+ (and above) the segment attributes
(base, limit, privilege etc) are programmable and
no matter how privileged the code may be, it
cannot access an area of memory unless that area
is described to it.
Insight into 80386+ segments
 Segments are
 Areas
of memory
 Defined by the programmer
 Used for different purposes, such as code, data and
stack
 Segments are not
 All the same size
 Necessarily paragraph aligned
 Limited to 64KB
Segment Descriptors
 Describes a segment using 64-bits (0-63)





4 Words / 8 bytes
Must be created for every segment
Is created by the programmer
Determines a segment’s base address (32-bits)
Determines a segment’s size (20-bits)
Determines segments attributes.
Segment Descriptors (Cont’d)
Segment Descriptor format
Segment Descriptors (Cont’d)
 BASE ADDRESS




(32-bits) (Bits 16-39, 56-63) : Defines the location of the
segment within the 4 gigabyte linear address space.
SEGMENTS LIMIT (20-bits) (Bits 0-15, 48-51) :
Defines the size of the segment. Size = limit + 1. The processor interprets the
limit field in units of 1 byte or 4 KBs, depending on the setting of the
granularity bit:
GRANULARITY (G) Bit, Bit 55 : Specifies the units with which the LIMIT
field is interpreted. When the bit is clear, the limit is interpreted in units of one
byte; when set, the limit is interpreted in units of 4 Kilobytes.
DEFAULT SIZE (D)-bit, Bit 54: When this bit is cleared, operands
contained within this segment are assumed to be 16 bits in size. When it
is set, operands are assumed to be 32-bits.
AVAILABLE (AVL) bit, Bit 52 : Available for system programmers.
Segment Descriptor (Cont’d)
 Access Right Byte - Bits 40-47 :
 Present (P), Bit 47 : Indicates whether the segment described
by this descriptor is currently available in physical memory or
not.
 Descriptor Privilege Level (DPL) (2 bits) (Bits 45 - 46) :
Determines a segment’s privilege level
 System bit (S), Bit 44 : Defines whether a segment is a system
segment (=0) or non-system (=1) (code, data or stack) segment
 Type Field, Bits 40 - 43

(Type) (3 bits) (Bits 41 - 43) : Determines a segment’s use/type after the above
classification.

Accessed (A), Bit 40 : Automatically set and not cleared by the processor
when a memory reference is made to the segment described by this
descriptor.
Non System Segment Descriptors – TYPE
Non System Segment types ( S = 1 )
ARB – Data or Stack / Code seg. descriptor
17
SCOE
System Segment Descriptors (S=0)- TYPE
18
SCOE
System Segment Descriptors Ex.(Cont’d)
System Segment types ( S = 0 )
LDT Descriptor
D-bit for different descriptors


Code segment
 D = 0 then 16-bit 80286 code
 D = 1 then 32-bit 80386+ code
Stack Segment
 D = 0 then stack operations are 16-bit wide, SP is used as a stack pointer,
maximum stack size is FFFF (64 KB)
 D = 1 then stack operations are 32-bit wide, ESP is used as a stack pointer,
maximum stack size is FFFFFFFF (4 GB)
 All offsets must be
FFFF
FFFF
Limit
Limit
Addressa
ble area
Base
Non-stack
Base
Addressa
ble area
greater than limit.
 In stack descriptor,
D and G bits are to
be the same, else
contradiction.
Stack/expand-down
Ex.
21
SCOE
Ex.
22
SCOE
Page Directory Entry
23
• The Page Directory is 4K bytes long and allows
up to 1024 Page Directory Entries.
• Each Page Directory Entry contains the address
of the next level of tables, the Page Tables and
information about the page table.
• Page Directory Entry (PDE)
SCOE
Page Directory Entry
24
• Page Table address.
• A ( Accessed): Sets if read or write access occurs to an
address covered by the entry.
• D bit is undefined for PDE.
• P ( Present ) :If set , the pointed page is present in physical
memory.
• U/S ( User /Supervisor) : These are used for protection. If set
the memory page that this PDE covers are accessible from all
privilege levels. If clear only PL0,1and 2.
• R/W (Read/Write) :
SCOE
Page Table Entry
25
•The Page table is 4K bytes long and allows up to
1024 Page table Entries.
• Each Page Table Entry contains the address of
the page frame, and information about the page
frame.
• Page Table Entry (PTE)
SCOE
Protected-Mode System-Control Instruction Set
26
SCOE
Protected-Mode System-Control Instruction Set
27
SCOE
28
80386 Protected
Mode –
Protection Mechanism
SCOE
Why Protection ?…
29
The purpose of the protection features of the 80386 is
To prevent users from interfering each other.
 To prevent program bugs from damaging data.
 To prevent Malicious attempts to compromise system
integrity.
 To prevent accidental damage to data.
 To help to detect and identify bugs in hundreds or
thousands of program modules.
 To help debug applications run faster and make them
more robust.

SCOE
So for protection …
30
 The 80386 contains mechanisms to verify
memory accesses and instruction execution for
conformance to protection criteria. These
mechanisms may be used or ignored, according
to system design objectives.
 The protection hardware of the 80386 is an
integral part of the memory management
hardware.
 Also by privilege Protection.
SCOE
Protection Rings
31
SCOE
Loading Segment Selectors into segment
registers
 Whenever segment registers are loaded, the following rules are
checked by the processor and if violated an exception is raised
thus giving high degree of memory protection
 Rule 1: Index field of the selector within limits of the GDT/LDT to be






accessed – else raise a General Protection Fault exception.
Rule 2: The selector references the correct descriptor table.
Rule 3: The descriptor is of the correct type
Loading a selector into DS,ES,FS or GS that points to a non-readable segment
results in an exception
For loading into SS, the segment pointed to should be readable and writable
For loading into CS, the segment should be executable type
Rule 4: The selector uses the correct privilege level. Discussed later in detail.


All segment registers except CS may be loaded using MOV, LDS, LES, LFS, LGS
and LSS.
The CS is loaded using a JMP or a CALL instruction
Privilege Protection
 Continuous checking by the processor on whether
the application is privileged enough to
Type 1: Execute certain instructions
 Type 2: Reference data other than its own
 Type 3: Transfer control to code other than its own

 To manage this every segment has a privilege level
called the DPL (Descriptor Privilege Level) Bits
45,46
Privilege Level – DPL, CPL, RPL
 DPL : The privilege level is defined in the segment descriptor, DPL field.( The




descriptor has no privilege level assigned to it.)
Privilege levels apply to entire segments
CPL : At the given point , the processors privilege level is determined by the
DPL of the code Segment from which it is currently fetching and executing
code , this is referred as Current privilege level (CPL)
RPL : Requestors Privilege level ( Seg. Selector) RPL is the two least
significant bits in the segment selector.
The Least Privilege Principle


At ring 0, you can do whatever you want. Can we put some limit on it, such that
we only use the least privilege that is needed? we can drop the privilege
temporarily
How to achieve the Least Privilege Principle: RPL.
 RPL is usually less than or equal to CPL.
 When RPL = 0, RPL will have no effect.
Type 1: Execute certain instructions


Privileged Instructions
Instructions that modify the interrupt flag ,alter segmentation,
perform peripheral I/O or affect the protection mechanism are
privileged instructions.
1.
Segmentation and Protection Based (HLT, CLTS, LGDT,
LIDT, LLDT, LTR, moving data to Control, Debug and
Test registers)
2.
Interrupt flag based & Peripheral IO based
(CLI, STI, IN, INS, OUT, OUTS)
Privileged Instructions
36
SCOE
Privileged instructions
 First type of privileged instructions can be executed only
when CPL = 0, that is, these instructions can be in code
segment with DPL = 0.
 The I/O based privileged instructions are executed only if
CPL <= IOPL in EFLAGS register.
 To add to the security the POPF/POPFD instructions which
load values into the EFLAGS shall not touch the IOPL bit
or IF bit if CPL > 0.
Type 2: Reference data other than its own
 Used with applications in a multi-tasking environment share data.




Programs are not allowed to read or write data items that have a
higher privilege level however applications can use data at the same
or lower privilege level.
With stack segments it is more restrictive.(CPL=DPL of stack Des)
This is achieved by two ways
1] Whenever selector is loaded in data segment register, CPU
checks if max(RPL,CPL) <= DPL (RPL may weaken your
privilege level ) and if not true then 386 rejects the selector
immediately.
2] When selector makes a memory reference 80386 checks whether
the type of access you are requesting( read or write) is allowed for
that segment.
Privilege check for data
39
SCOE
Privilege check for data
Type 3: Transfer control to code other than
its own
 The DPL of the target descriptor must be similar value.





i.e. Numerically, Target DPL = Max (RPL or CPL)
Otherwise 80386 generates a general protection fault.
Essentially load a new selector into CS register
Many programs in multitasking share pieces of code such as run time
libraries.
Programs are not allowed to CALL or JMP to code segment
 That have different privilege level.
 Another segment must be a code segment (executable permission) and
marked present.
To move between code segments requires inter-segment JMP, CALL or RET
instruction.
Changing Privilege levels
 Control transfer from a code of some PL to another code
with different PL.
 There are 2 ways to implement inter- privilege level
transfer.
1) Simple - Conforming Code Segments
2) Complex - Call Gates
 Conforming code segments confirms with the privilege
level of the calling code. So if a control transfer happens
from segment S to a confirming segment T, the privilege
of T would be the privilege of S.
Conforming Code Segment
 Privilege Check for Control Transfer without Using a Gate
 Policy:
 CPL = DPL of code segment
 CPL > DPL (allowed if the conforming bit is 1, but when the conforming
bit is 0, this is not allowed)
 CPL = 2 can invoke DPL = 1.
 CPL = 2 cannot invoke code with DPL = 3.
 You can transfer control across or up not down
 Why can't we access code with a higher DPL (i.e., lower privilege)? It is easy
to jump (lower the CPL) to the code with higher DPL, but it is difficult to
return back, because on returning, we jump from a lower privileged ring to a
higher privileged ring. This violates the mandatory access control policy.
 Why can’t we jump to code with a lower DPL (i.e., higher privilege)?
 For security reasons, we cannot do this.
 However, we definitely need this. For example, we want to access device
driver code, which should be in segments with a higher privilege.
---
Call Gates
 These are special system descriptors.
 Acts as an interface layer between code segments at
different privilege levels.
 Provide the only means to alter the current privilege
level
 Define entry points to other privilege levels
 Must be invoked using a CALL Instruction
 Occupy a slot in the descriptor tables.
 Are defined like segment descriptors but do not describe
a memory segment.
CALL GATE descriptor
 Is defined by a system descriptor (S=0) in GDT which is
used by the JMP or CALL.
CALL GATE descriptor
 Call-Gate Descriptor contains the following
information:

Destination selector - Code segment to be accessed through segment
descriptor
 Destination offset - Entry point for a procedure in the specified code segment
 DPL – (call gate PL) Privilege level required for a caller trying to access the
procedure
 WC ( Word Parameter Count) - if a stack switch occurs, it specifies the
number of optional parameters to be copied between stacks.

How to use call gates?




Call xxxxxx
xxxxxx specifies the call gate entry in the GDT
From the table, the entry point of the procedure will be obtained.
DPL of the gate descriptor allows the CPU to decide whether the invocator
can enter the gate.
Call gate mechanism
Calling Higher privileged code
Code Seg
Code Seg
Code Desc
CALL
CALL
SEG OFFSET
SEG OFFSET
Gate – Sel
+ offset
Correct way
CodeDesc
Incorrect way
Call Gate accessibility
 Access Control Policy for Call Gates
 CPL ≤ DPL of the call gate.
 For CALL: DPL of the target code segment ≤ CPL
(only calls to the more privileged code segment are allowed).
 Why can't we CALL a less privileged code segment using Gates?
Still returning will be a problem, because returning will be from the
less privileged code to the more privileged code, and it violates the
mandatory access control.
 Target DPL <= Max (RPL, CPL) <= Gate DPL
 For eg. CPL = 2 and the target PL = 0, you should use a Gate with
PL = 2 or 3
Call Gate accessibility
Accessing call gates
Returning from a Called Procedure
• The RET instruction can be used to perform a near return, a far return at the
same privilege level, and a far return to a different privilege level
• A far return that requires a privilege-level change is only allowed when returning
to a less privileged level
Accessing call gates
53
SCOE
Privilege levels and Stacks
 To maintain system integrity, each privilege level has a separate






stack.
The stack PL = CPL always
When changing the CPL, the processor automatically changes the
stack!!!
How – using the Task State Segment (TSS)
The base of the TSS is stored in a Task register (TR) which is
updated by the privileged instruction LTR
The TSS associates a stack for each code for each of the privilege
levels 0, 1 and 2
Each stack must contain enough space to hold the old SS:ESP, the
return address, and all parameters and local variables that may be
required to process a call.
Inter level CALL – Stack operations
 The processor performs the following stack-related steps
in executing an interlevel CALL.
 1. The new stack is checked to assure that it is large enough to hold
the parameters and linkages; if it is not, a stack fault occurs with
an error code of 0.
 2. The old value of the stack registers SS:ESP is pushed onto the
new stack as two doublewords.
 3. The parameters are copied.
 4. A pointer to the instruction after the CALL instruction (the former
value of CS:EIP) is pushed onto the new stack. The final value of
SS:ESP points to this return pointer on the new stack.
Inter level CALL – Stack operations
Related documents
Math 1070 Extra Credit 1 Due: 25 February, 2013
Math 1070 Extra Credit 1 Due: 25 February, 2013
Document
Document
Download
advertisement