80386
Features of 80386
•
It is a 32 bit processor that supports 8/16/32 bit data operands.
•
Have 32 bit internal registers
•
It has 32 bit address/data bus
•
It supports
–
Physical Address of 4GB(2
32
)
–
Virtual Address of 64TB
–
Max. Segment Size of 4GB
•
Three different operating modes: Real, Protected and Virtual 8086
•
The Memory Management Unit (MMU) provides virtual memory, paging and four levels of protection
•
Clock Frequency: 20,25 and 33 MHz
•
132 Pin Package
Programming Model
•
The basic programming model consists of the following aspects:
–
Registers
–
Instruction Set
–
Addressing Modes
–
Data Types
–
Memory Organization
–
Interrupts and Exceptions
Register Overview
•
The Intel386 DX has 32 register resources in the following categories:
–
General Purpose Registers
–
Segment Registers
–
Instruction Pointer and Flags
–
Control Registers
–
System Address Registers
–
Debug Registers
–
Test Registers

General Purpose Registers
• hold data or address values.
• support data of 1, 8, 16, 32 and 64 bits.
•
32-bit registers : EAX, EBX, ECX, EDX, ESI, EDI, EBP, and ESP.
•
The least significant 16 bits of the registers can be accessed as in 8086 with names of the registers AX, BX, CX, DX, SI, DI, BP, and SP.
•
When accessed as a 16-bit operand, the upper 16 bits of the register are neither used nor changed.
•
8-bit operations can be performed with AL, BL, CL and DL.
•
The higher bytes are AH, BH, CH and DH
•
The individual byte accessibility offers flexibility for data operations.
Segment Registers

•
The segment registers
–
CS indicates the current code segment
–
SS indicates the current stack segment
–
DS, ES, FS and GS indicate four current data segments.
•
On any data reference the DS-pointed data segment is assumed by default.
•
In order to access any other data segment, an override directive is used
Instruction Pointer
•
It is a 32-bit register named EIP.
•
EIP holds the offset of the next instruction to be executed.
•
The offset is always relative to the base of the code segment (CS).
•
The lower 16 bits of EIP contain the 16-bit instruction pointer named IP, which is used by 16-bit addressing.
Flag Register
•
Bit 17 (VM Bit, Virtual Mode):
–
When VM bit is set, the processor will be working in Virtual 8086 mode
•
Bit 16 (RF Bit, Resume Flag):
–
The RF flag is used in conjunction with the debug register breakpoints.
–
When RF is set, it causes any debug fault to be ignored on the next instruction. RF is then automatically reset at the successful completion of every instruction
•
Bit 15 : Reserved
•
Bit 14 (NT Bit, Nested Task):
–
This flag applies to Protected Mode.

–
NT is set to indicate that the execution of this task is nested within another task.
–
If set, it indicates that the current nested task's Task State Segment (TSS) has a valid back link to the previous task's TSS.
•
Bit 13,12 (IOPL Bit, Input/output Privilege):
– maximum CPL (current privilege level) value permitted to execute I/O instructions without generating an exception 13 fault or consulting the I/O
Permission Bitmap.
•
Bit 11 (OF Bit, Overflow Flag):
–
OF is set if the operation resulted in a signed overflow.
•
Bit 10 (DF Bit, Direction Flag):
–
DF defines whether ESI/EDI registers post-decrement or post-increment during the string instructions.
–
Post-increment occurs if DF is reset.
–
Post-decrement occurs if DF is set.
•
Bit 9 (IF Bit, Interrupt Enable Flag):
–
When IF =1 the processor allows recognition of external interrupts on INTR pin
•
Bit 8 (TF Bit, Trap Enable Flag):
–
When TF =1 the processor enables the single step mode for debugging.
•
Bit 7 (SF Bit, Sign Flag):
–
SF is set if the high-order bit of the result is set, it is reset otherwise.
•
Bit 6 (ZF bit, Zero Flag):
–
ZF is set if all bits of the result are 0.
•
Bit 4 (AF Bit, Auxiliary Carry Flag):
–
The Auxiliary Flag is used to simplify the addition and subtraction of packed
BCD numbers.
–
AF is set if the operation resulted in a carry out of bit 3 (addition) or a borrow into bit 3 (subtraction).
–
Otherwise AF is reset.
–
AF is only for bit 3.
•
Bit 2 (PF Bit, Parity Flag):
–
PF is set for even parity.
•
Bit 0 (CF Bit, Carry Flag):
–
CF is set for 8-, 16- or 32-bit operations if it results in a carry out of (addition), or a borrow into (subtraction) the high-order bit.
Control Registers
•
Intel386 DX has three control registers of 32 bits, CR0, CR2 and CR3, to hold machine state of a global nature
•
These registers along with System Address Registers hold machine state that affects all tasks in the system
•
To access Control Registers, load and store instructions are defined

CR0 : Machine Control Register
•
CR0 contains 6 defined bits for control and status purposes.
•
The low-order 16 bits of CR0 is defined as Machine Status Word
•
To operate only on the low-order 16-bits of CR0, LMSW and SMSW instructions are used.
•
For 32-bit operations the system should use MOV CR0, Reg instruction.
•
Bit 31 (PG Bit, Paging Enable) : The PG bit is set to enable the on-chip paging unit.
•
Bit 4 (Reserved) : This bit is reserved by Intel.
•
Bit 3 (TS Bit, Task Switched) : TS is automatically set whenever a task switch operation is performed.
•
Bit 2 (EM Bit, Emulate Coprocessor) :
•
This bit is set to cause all coprocessor opcodes to generate a Coprocessor Not
Available fault (exception 7).
•
Bit 1 (MP Bit, Monitor Coprocessor) :
•
The MP bit is used with TS bit to determine if the WAIT opcode will generate a
Coprocessor Not Available fault (exception 7).
•
When both MP = 1 and TS= 1, the WAIT opcode generates a trap which checks for the coprocessor availability.
•
Bit 0 (PE Bit, Protection Enable) :
•
The PE bit is set to enable the Protected Mode.
•
If PE is reset, the processor operates in Real Mode.
CR1 : Reserved
•
CR1 is reserved for use in future Intel processors
CR2 : Page Fault Linear Address
•
CR2 holds the 32-bit linear address that caused the last page fault detected.

CR3 : Page Directory Base Address
•
CR3 contains the physical base address of the page directory table.
•
The Intel386 DX page directory table is always page-aligned (4 Kbyte-aligned).
•
Thus the lowest twelve bits of CR3 are ignored.
•
A task switch through a TSS invalidates all page table entries in paging unit cache.
System Address Registers
•
Four special registers are defined to reference the tables.
•
These tables or segments are:
–
GDT (Global Descriptor Table)
–
IDT (Interrupt Descriptor Table)
–
LDT (Local Descriptor Table)
–
TSS (Task State Segment)
•
The addresses of these tables and segments are stored in special registers, the System
Address and System Segment Registers.
•
These registers are named GDTR, IDTR, LDTR and TR, respectively
GDTR and IDTR(Global and Interrupt Descriptor Table Register)
•
These registers hold:
–
32-bit linear base address and
–
16-bit limit of GDT and IDT respectively.
•
GDT and IDT segments are global to all tasks in the system.
LDTR and TR(Local Descriptor Table Register and Task Register)

•
These registers hold 16-bit selector for
–
LDT descriptor and
–
TSS descriptor
•
Since they are task specific, they are defined by selector values stored in system segment registers.
•
A system descriptor register, which is not visible to programmer, is associated with each system segment register
Debug Registers
The six debug registers provide on-chip support for debugging.
•
Debug Registers DR0±3 specify the four linear breakpoints.
•
Debug Control Register DR7 is used to set the breakpoints
•
Debug Status Register DR6 displays the current state of the breakpoints.
Test Registers
•
They are used to control the testing of Translation Look-aside Buffer of Intel386 DX.
•
TR6 is the command test register
•
TR7 is the data register which contains the data of Translation Look-aside buffer test.

Instruction Set
•
The instruction set is divided into 9 categories of operations:
•
Data Transfer
•
Arithmetic
•
Shift/Rotate
•
String Manipulation
•
Bit Manipulation
•
Control Transfer
•
High Level Language Support
•
Operating System Support
•
Processor Control
•
These instructions operate on either 0,1,2 or 4 operands
• where an operand resides in
•
Register
•
Instruction itself
•
Memory
•
Most zero operand instructions take only one byte
•
One operand instructions are generally two bytes long
•
The average instruction is 3.2 bytes long
•
Since 80386 has a 16-byte queue, an average of 5 instructions are prefetched.
•
The use of 2 operands permits the following types of common instruction:
•
Register to Register
•
Memory to Register
•
Immediate to Register
•
Register to Memory
•
Immediate to Memory
•
The operands can be either 8,16 or 32 bits long
Addressing Modes
•
The Intel386 DX provides 11 addressing modes for instructions to specify operands.
•
Register Operand Mode:
•
The operand is located in one of the 8-, 16- or 32-bit general registers.
•
Example : ADD EAX,EBX
•
Immediate Operand Mode:
•
The operand is included in the instruction as part of the opcode.
•
Example : CLI,STI
•
The remaining 9 modes provide a mechanism for specifying the effective address of an operand.
•
The linear address consists of two components:
•
the segment base address and
• an effective address.
•
The effective address is calculated by using four address elements:

•
DISPLACEMENT: An 8-, or 32-bit immediate value
•
BASE: The contents of any general purpose register. It is generally used by compilers to point to the start of the local variable area.
•
INDEX: The contents of any general purpose register except for ESP. The index registers are used to access the elements of an array, or a string of characters.
•
SCALE: The index register's value can be multiplied by a scale factor, either 1, 2,
4 or 8. Scaled index mode is especially useful for accessing arrays or structures.
•
Combinations of these 4 components make up the 9 additional addressing modes
•
The effective address (EA) of an operand is calculated according to the following formula:
EA = Base Register+ (Index Register * Scaling) + Displacement.
•
This calculation can be shown as follows:
•
Direct Mode:
•
The operand's offset is contained as part of the instruction as an 8- or 32-bit displacement.
•
Example: INC Word PTR [500]

•
Register Indirect Mode:
•
A base register will contain the address of operand
•
Example: MOV [ECX], EDX
•
Based Mode:
•
A BASE register's contents is added to a DISPLACEMENT to form the operands offset.
•
Example: MOV ECX, [EAX+24]
•
Index Mode:
•
An INDEX register's contents is added to a DISPLACEMENT to form the operands offset.
•
EXAMPLE: ADD EAX, TABLE[ESI]

•
Scaled Index Mode:
•
An INDEX register's contents is multiplied by a scaling factor which is added to a
DISPLACEMENT to form the operands offset.
•
Example: IMUL EBX, TABLE[ESI*4],7
•
Based Index Mode:
•
The contents of a BASE register is added to the contents of an INDEX register to form the effective address of an operand.
•
Example: MOV EAX, [ESI] [EBX]
•
Based Scaled Index Mode:
•
The contents of an INDEX register is multiplied by a SCALING factor and the result is added to the contents of a BASE register to obtain the operands offset.
•
Example: MOV ECX, [EDX*8] [EAX]

•
Based Index Mode with Displacement:
•
The contents of an INDEX Register and a BASE register's contents and a
DISPLACEMENT are all summed together to form the operand offset.
•
Example: ADD EDX, [ESI] [EBP+00FFFFF0H]
•
Based Scaled Index Mode with Displacement:
•
The contents of an INDEX register are multiplied by a SCALING factor, the result is added to the contents of a BASE register and a DISPLACEMENT to form the operand's offset.
•
EXAMPLE: MOV EAX, LOCALTABLE[EDI*4] [EBP+80]
Data Types
• The Intel386 DX supports all of the data types commonly used in high level languages:
•
Bit: A single bit quantity.

•
Bit Field: A group of upto 32 contiguous bits, which spans a maximum of four bytes.
• Bit String : A set of contiguous bits, on the Intel386 DX bit strings can be up to 4 gigabits long.
•
Byte: A signed 8-bit quantity
• Unsigned Byte: An unsigned 8-bit quantity.
•
Integer (Word): A signed 16-bit quantity.
•
Long Integer (Double Word):
–
A signed 32-bit quantity.
–
All operations assume a 2's complement representation.

•
Unsigned Integer (Word): An unsigned 16-bit quantity.
•
Unsigned Long Integer (Double Word): An unsigned 32-bit quantity.
•
Signed Quad Word: A signed 64-bit quantity.
• Unsigned Quad Word: An unsigned 64-bit quantity.
•
Offset: A 16- or 32-bit offset only quantity which indirectly references another memory location.

•
Pointer: A full pointer which consists of a 16-bit segment selector and either a 16- or 32bit offset.
•
Char: A byte representation of an ASCII Alphanumeric or control character.
•
String: A contiguous sequence of bytes, words or dwords. A string may contain between
1 byte and 4 GB.
•
BCD: A byte (unpacked) representation of decimal digits 0±9.
•
Packed BCD:
A byte (packed) representation of two decimal digits 0±9 storing one digit in each nibble.

•
When 80386 DX is coupled with 387 Numeric Coprocessor then the following common floating point types are supported.
•
Floating Point: A signed 32-, 64-, or 80-bit real number representation.
Memory Organization and Segmentation
Introduction
•
Memory is divided into bytes, words and dwords.
•
Words are stored in two consecutive bytes and dwords in 4 consecutive bytes
•
It supports larger units of memory: pages and segments.
• Segmentation: Memory is divided into one or more variable length segments, which can be swapped to disk or shared between programs.
•
Paging: Memory is organized into one or more 4KB pages.
•
Segmentation and Paging can be combined to gain advantages of both systems.
•
Segmentation is used for organizing memory in logical modules (for application program)
• Pages are useful for system programmer for managing physical memory of system.
Address Spaces
•
80386DX has three distinct address spaces:
•
Logical(Virtual) Address:
–
It consists of a selector and an offset
– Selector : contents of segment register
–
Offset : Effective address (sum of base, index and displacement)
–
Each task has maximum of 16K selectors (2
14
) and offset can be 4GB(2
32
) to give a total of 2
46
or 64TB
•
Linear Address
– Segmentation unit translates logical address space into 32-bit linear address space.
–
If there is no paging linear address will be the physical address
•
Physical Address
–
Paging unit translates linear address space to physical address space
– It is what appears on address pins.

Operating Modes
•
The Intel 386DX has two modes of operation
– Real (Real Address) Mode and
–
Protected Mode (Protected Virtual Address Mode)
•
Real Mode:
–
It works as a very fast 8086 with 32-bit extensions.
–
It is required to set up the processor for protected mode
• Protected Mode:
– It provides access to sophisticated memory management, paging and privilege capabilities of the processor
Real Mode Architecture
•
It has same base architecture as 8086
• When a processor is reset, it is initialized in real mode.
•
It sets up the processor for Protected Mode.
•
The segment size of 80386 in real mode is 64KB
•
The maximum memory size is 1MB
•
Only address lines A2-A19 are active
• Since paging is not allowed in real mode, the physical address is same as linear.
• Physical Address is formed by adding contents of segment register shifted left by 4 bits to an effective address.
•
This results in a physical address from 00000000 to 0010FFEF (FFFF0+FFFF)
•
Real mode segments always start on 16-byte boundaries since they are left shifted.

• All segments in the Real Mode are exactly 64KB .
•
Segments may be overlapped in real mode
Protected Mode Architecture
•
It increases linear address space to 4GB and virtual address space to 64TB
•
It provides an increased address space (64TB virtual memory) and different addressing mechanism.
•
This mode uses two components to form the logical address:
•
16 bit selector: to determine the linear base address of the segment
•
32 bit offset: Added to base address to form the linear address
•
In this mode, the selector is used to specify an index to the operating system defined table
• The table contains the 32-bit base address of a given segment.
•
In this mode, the contents of segment registers are used as selectors to address descriptors which contain
•
segment limit
• base address and
• access right bytes of the segment.
•
The linear address is formed by adding base address to the offset

•
Paging provides a means of managing very large segments.
•
It translates linear address into physical address.
Segmentation
•
Segmentation provides the basis of protection which encapsulates regions of memory which have common attributes.(all code together).
• All information about a segment is stored in an 8-byte data structure called a descriptor.
•
All descriptors are contained in tables recognized by hardware.
Segment Register Usage
•
The main data structure in segmentation is a segment.
•
Segments are variable sized blocks of linear addresses which can have some attributes associated with them.
•
It can be as small as 1 byte to as large as 4GB
•
There are two types of segments: code and data.
•
It is not required to specify which segment register is used.
•
A default segment register is automatically chosen according to Segment Register
Selection Rules.
• The override prefixes allow the use of ES, FS and GS segment registers

Segment Register Selection Rules
Selector (Segment Register)
•
A selector in protected mode has 3 fields:
– TI (Table Indicator): Local or Global Descriptor Table Indicator
– Index(Descriptor Entry Index ): Selects one of 8K descriptors
– RPL (Requestor Privilege Level): allows testing of selector’s privilege attributes
•
Level 0: Most Privilege Level
•
Level 3: Least Privilege Level

Descriptor Tables
•
It defines all the segments used in x86 system
•
There are 3 types of table:
–
Global Descriptor Table(GDT)
– Local Descriptor Table(LDT)
–
Interrupt Descriptor Table(IDT)
•
All tables are variable length memory arrays.
•
They can range in size from 8 bytes to 64KB. (2
13
x 2
3
) (3 bits are implied as descriptor size is fixed)
• Each table can hold up to 8192(2
13
) 8-byte descriptors.
•
The table has registers associated with them named GDTR, LDTR and IDTR which hold the 32-bit linear base address and 16-bit limit of each table.
•
These tables are manipulated by the OS using privileged instructions.
Global Descriptor Table
•
It contains descriptors which are possibly available to all of the tasks in a system.
•
Every Intel386 DX system contains a GDT.
•
It contains code and data segments used by the operating systems and task state segments and descriptors for the LDTs in a system.
•
The first slot of GDT corresponds to the null selector and is not used.
Local Descriptor Table
•
LDTs contain descriptors which are associated with a given task.
•
Generally, Operating Systems are designed so that each task has a separate LDT.
•
LDT may contain only code, data, stack, task gate and call gate descriptors.
•
LDTs isolates a given task's code and data segments from the rest of the OS while GDT contains descriptors for segments which are common to all tasks.
•
This provides both isolation and protection for a task's segments while still allowing global data to be shared among tasks.
•
Unlike the 6 byte GDT or IDT registers which contain a base address and limit, the visible portion of the LDT register contains only a 16-bit selector.
•
This selector refers to a Local Descriptor Table Descriptor in the GDT.

Local Descriptor Table Register
Interrupt Descriptor Table
•
The IDT contains the descriptors which point to the location of up to 256 interrupt service routines.
•
Every interrupt used by a system must have an entry in the IDT.
•
IDT entries are referenced via INT instructions , external interrupt vectors, and exceptions.
Segment Descriptors
•
The object to which the segment selector points to is called a descriptor.
•
Descriptors are 8 byte quantities which contain attributes about a given segment.
•
These attributes include :
–
32-bit base linear address of the segment,
–
20-bit length and granularity of the segment,
– the protection level,
–
read, write or execute privileges,
– the default size of the operands (16-bit or 32-bit)
– the type of segment.
General Format of a Descriptor
•
A (Accessed Bit): It indicates whether the segment has been accessed by CPU or not
•
Type: It decides the descriptor type and hence the segment type
•
The five types of descriptors that the 80386 has are as follows:

1.
Code or data Segment Descriptors
2.
System Descriptors
3.
Local Descriptors
4.
TSS(Task State Segment) Register
5.
GATE Descriptors
•
S (Segment Descriptor) bit: It decides whether it is a system descriptor (S=0) or code/data segment descriptor (S=1).
•
DPL(Descriptor Privilege Level) bits: It describes the privilege level (Level 0-3)
•
P(Present) Bit: It signifies whether the segment is present in physical memory or not
•
(P=1 indicates that the segment is present in the physical memory)
•
AVL(Available) bit: This field specifies whether the descriptor is available to the user or to the operating system.
•
G(Granularity) bit: It indicates whether the segment is page addressable (how to interpret limit)
•
G=1 indicates that the segment length is page granular (in units of 4kB upto 4GB)
•
G=0 indicates that the segment length is byte granular (in units of 1 byte upto 1MB)
•
D(Default Operand Size): It indicates whether the operands and the addressing modes 16 or 32 bits.
•
D = 1

32-bit operand
•
D = 0

16-bit operand
Paging
•
Paging is used for virtual memory multitasking operating system.
•
Pages are fixed size portions of the program module or data.
•
The complete task need not be in physical memory at any time and only a few pages are required.
•
Hence the remaining space can be allocated for other tasks and thus multitasking can be achieved
•
The paging unit uses a two level table mechanism to convert linear address to physical.
•
There are 3 components in paging mechanism:
•
Page Directory
•
Page Table
•
Page Frame (page itself)

Page Descriptor Base Register
•
CR2 is used to store the 32-bit linear address at which the previous page fault was detected
•
CR3 is the Page Directory Physical Base Address Register to store the physical starting address of the Page Directory.
•
The lower 12 bits of CR3 are always zero to ensure that the Page Directory is always page aligned
•
Loading it via a MOV CR3, reg instruction causes the Page Table Entry cache to be flushed and loaded and a task switch through a TSS changes the value of CR0.
Page Directory
•
It is at the most 4KB in size
•
Each directory entry is of four bytes, thus 1024 entries are allowed.
•
The upper 10 bits of the linear address are used as an index to the corresponding page directory entry
•
Page directory entry points to page tables.
Page Directory Entry
Page Tables
•
Each Page Table is 4K bytes and holds up to 1024 Page Table Entries(PTE).
•
PTEs contain the starting address of the page frame and statistical information about the page.

•
The 20 upperbit page frame address is concatenated with the lower 12 bits of the linear address to form the physical address.
•
Page tables can be shared between tasks and swapped to disks.
Page Table Entry
•
P(Present)Bit: indicates if the entry can be used in address translation. P-bit of the currently executed page is always high.
•
A (Accessed) Bit: It is set before any access to the page.
•
D (Dirty) bit: It is set before a write operation to the page is carried out. The D bit is undefined for PDEs.
•
OS Reserved Bits: They are defined by the operating system software.
•
U/S (User/Supervisor)Bit and R/W (Read/Write) Bit: They are used to provide protection. They are decoded as
Translation Lookaside Buffer(TLB)
•
Performance degrades if the processor access two levels of tables for every memory reference.
•
To solve this problem, the Intel386 DX keeps a cache of the most recently accessed pages and this cache is called Translation Lookaside Buffer (TLB).
•
It automatically keeps the most commonly used Page Table Entries.
32-entry TLB coupled with a 4K page size results in the coverage of 128K bytes of memory addresses
Paging Operation
•
The paging unit hardware receives a 32-bit linear address from the segmentation unit.
•
The upper 20 linear address bits are compared with all 32 entries in the TLB to determine if there is a match.
•
If there is a match (i.e. a TLB hit), then the 32-bit physical address is calculated and will be placed on the address bus.

•
However, if PTE entry is not in TLB, the Intel386 DX will read the appropriate PDE
Entry.
•
If P = 1 on PDE (
 the page table is in memory), then the Intel386 DX will read the appropriate PTE and set the Access bit.
•
If P = 1 on PTE (

the page is in memory), then the Intel386 DX will update the Access and Dirty bits as needed and fetch the operand.
Protection Mechanism
•
The Intel386 DX has four levels of protection which isolate and protect user programs from each other and the operating system.
•
The privilege levels control the use of
– privileged instructions
–
I/O instructions
– access to segments
– segment descriptors.
•
Intel386 DX provides protection as part of its integrated Memory Management Unit.
•
It offers an additional type of protection on a page basis, when paging is enabled(using
U/S and R/W fields)
•
The four-level hierarchical privilege system is illustrated as follows.

•
The privilege levels (PL) are numbered 0 through 3.
•
Level 0 is the most privileged or trusted level.
Rules for Privileges
•
Intel 386Dx controls access to both data and procedures according to the following rules:
–
Data stored in a segment with privilege level p can be accessed only by the code executing at a privilege level atleast as privileged as p
–
A code segment/procedure with a privilege level p can only be called by a task executing at the same or lesser privilege level than p
•
There are 3 different types of privilege level entering into the privilege level checks:
–
Current Privilege Level (CPL)
–
Descriptor Privilege Level (DPL)
–
Requestor Privilege Level (RPL)
Current Privilege Level (CPL)
•
CPL is stored in the selector of currently executing code segment register
•
It represents the privilege level(PL) of the currently executing task.
•
It is also PL in the access byte of the descriptor of the code segment.
•
It is also designated as Task Privilege Level(TPL)
Descriptor Privilege Level (DPL)
•
It is the PL of the object which is being attempted to be accessed by the current task
• It is PL of target segment and is contained in the access byte of the descriptor of the segment
•
CPL of current segment is compared with DPL of target and access is allowed if CPL ≥
DPL (not numbers)
Requestor Privilege Level (RPL)
•
It is the lowest two bits of any selector.
•
It can be used to weaken the CPL if desired.
•
The Effective Privilege Level(EPL) is

EPL = max (CPL,RPL) (here numbers)
•
Thus the task becomes less privileged.
Accessing Data Segments
•
Assume that a task needs data from data segment.
•
The privilege levels are checked at the time a selector for the target segment is loaded into the data segment register.
•
Three privilege levels enter into privilege checking mechanism
–
CPL
–
RPL of the selector which specifies target segment
–
DPL of the descriptor of the target segment
Accessing Code Segment
•
Code Segments have to access other code segments when a far call or jump or ret instruction is encountered.
•
There are 2 issues associated with such transfers:
–
If code segment isof lower privilege level, on returning it causes privilege violations(thus this type of access is not possible)
–
Going to code segments of higher privilege level is not permitted but it can be done using gates.
Terminology
•
Confirming code segment:
–
It does not have a privilege level of its own
–
It can be called by programs at any level and then it acquires CPL of the calling program.
–
Bit 2 of access byte of the code segment descriptor specifies if it is a confirming
(C=1) or non-confirming(C=0) segments
–
It is well-suited to handle programs that share code that run at different privilege levels(e.g. shared libraries)

•
Non-confirming code segment:
–
Most of the code segments are non-confirming
–
For these segments, control can be transferred only to executable segments at the same level of privilege
–
But if there is a need to transfer control to higher privilege level (E.g. An application program need to use a system service – If an appln pgm wants to write to disk, device driver s/w is required)
– In this case, an indirect access is allowed through a ‘gate’
Gate
•
There are three types of gates:
–
Task Gate
–
Interrupt Gate
–
Call Gate
•
Let us consider call gate.
•
To allow program to jump to a higher level it must go through call gates(entry points for privilege code)
•
Corresponding security checks will be conducted at those entry points to decide whether the invoking code has sufficient rights
•
These security checks are enforced by operating system
Call Gates
•
Call gates are used to transfer program control to a more privileged level.
•
The call gate descriptor consists of 3 fields:
– the access byte,
– a long pointer(selector and offset) which points to the start of the routine and
– a word count which specifies how many parameters are to be copied from the caller’s stack to the stack of the called routine.
Access Control Policy for Call Gates
• In general, CPL ≤ DPL of call gate (numerically)
•
For a call instruction:
– DPL of the target code segment ≤ CPL(only calls to the more privileged code segment are allowed through gate) (numerically)
•
For a JMP instruction
–
DPL of the target code segment = CPL
•
Return instructions can only return control to a code segment with same or less privilege
• The access is allowed only if the privilege level of calling program is higher than or equal to DPL of gate

Task Switching
•
The multitasking/multiuser OS needs the ability to rapidly switch between tasks or processes
•
Intel 382DX supports this operation by providing a task switch instruction hardware
•
The task switch operation
• saves the entire state of the machine(all of reg.s,address space and a link to previous task),
•
loads a new execution state,
• performs protection checks and
•
execution in the new task
• in about 17 microseconds
•
The task switch operation is invoked by an intersegment JMP or CALL instruction which refers to a TSS or Task Gate Descriptor in GDT or LDT
•
The TSS Descriptor points to a segment containing the entire execution state while a
Task Gate Descriptor contains a TSS Selector
•
Each task must have a TSS associated with it.
•
The current TSS is identified by the Task State Segment Register(TR)
•
TR contains the selector referring to TSS Descriptor that defines the current TSS
•
Returning from a task through IRET makes the current task state to be saved and old task state is restored from TSS

Virtual 8086
•
It allows the execution of 8086 applications while still allowing to take full advantage of protection mechanism
•
It allows simultaneous execution of OS and its applications
Virtual Mode Addressing Mechanism
The segment registers are used as in REAL mode
•
The contents of segment register is shifted by 4 bits and added to offset to form linear address
Paging in Virtual Mode
•
It allows concurrent running of multiple VM tasks and provide protection and OS isolation
•
It is not necessary that paging should be enabled but for multiple tasks it is required
•
Paging allows 20-bit linear address to form 256 pages and can be allocated anywhere in
4GB physical memory
•
Since CR3 is loaded by a task switch, each VM task can use a different mapping scheme to map pages to different physical location
•
The paging hardware allows the sharing of 8086 application.
Protection in Virtual Mode
•
All VM Tasks execute at a privilege level 3.
•
Virtual 8086 mode are subject to all protection checks defined in protection mode
•
An attempt to execute privileged instruction will cause an exemption

Entering and Leaving V-8086 Mode
•
V-8086 mode is entered by
– executing an IRET at level 0 (Interrupts are assigned level0) or
–
A Task switch to an Intel 386DX whose TSS has VM flag set to 1
•
Transition out of V8086 to protected mode occurs at the receipt of an interrupt or exception
Mode Transition in 386DX
Processor Initialization
•
The processor RESET pin invokes reset initialization.
•
After RESET is asserted, some registers of the processor are set to known states. (the contents of EIP are sufficient to allow software to begin execution)
•
Then software can build data structures in memory -GDT and IDT tables- which are used by system and application software.

•
The state of the CR0 register is 60000010H and it puts the processor into real-address mode with paging disabled
•
In real-address mode, the rule is base = selector * 16
•
However, after reset the base portion of the CS register behaves differently:
–
the CS selector is F000H and
–
the CS base is FFFF0000H.
•
As a result, after reset, the first instruction being fetched and executed is at physical address: CS.base + EIP = FFFFFFF0H.
•
This address locates EPROM with initialization code and it is 16 bytes below the uppermost address of physical memory.
•
Ensure that no far jump or call is made until initialization is complete.
•
The first far jump/call in real mode causes a new value to CS selector and sets the value of CS base to 20 bits only and address would be in the space of 0 to 1MB.
Switching to Protected Mode
•
Before switching to protected mode, a minimum set of system data structures must be created and the GDT, IDT, and TR registers must be initialized
•
Once these tables are created, system software can perform the steps to switch into protected mode.
•
Protected mode is entered by setting the PE bit in the CR0 register.
•
MOV CR0 instruction is used to set this bit.
•
After entering protected mode, segment registers hold the contents they had in real mode.
•
Software should reload all segment registers.
•
Execution in protected mode begins with a CPL of 0.
Structure of a V86 Task
•
A V-86 task consists
–
Partly of 8086 program
–
Partly of 80386 code that serves as the VM (Virtual Machine)monitor

•
To run V86 mode 8086 program needs:
–
A V-86 monitor
–
Operating System Services
V86 Monitor
•
It is an 80386 code that executes at level 0
•
It consists primarily of initialization and exception handling procedures.
Entering and Leaving V86 Mode
•
The processor can enter V86 by two means:
•
Case 1:
–
A task switch to an 80386 task loads the image of EFLAGS from the new TSS.
–
The TSS of the new task contains the VM flag
–
VM = 1 of the new EFLAGS indicates that the new task is executing 8086 instructions and therefore the segment registers from the TSS forms base
•
Case 2: addresses as 8086 would.
–
An IRET from a procedure of an 80386 task loads the image of EFLAGS from the stack
–
VM = 1 indicates that the procedure to which control is being returned is an 8086 procedure
–
The CPL at the time the IRET is executed must be zero, else the processor does not change VM.
•
The processor leaves V86 mode when an interrupt or exception occurs.
•
Case 1:
–
The interrupt or exception causes a task switch which loads EFLAGS from the
TSS of the new task.

–
If the new TSS is an 80386 TSS and VM bit is 0 in the EFLAGS, then the processor
• clears the VM bit of EFLAGS
•
loads the segment registers from the new TSS and
•
begins executing the instructions of the new task according to 80386 protected-mode semantics.
•
Case 2:
–
The interrupt or exception vectors to a privilege-level zero procedure.
–
The processor stores the current setting of EFLAGS on the stack, then clears the
VM bit.
–
The interrupt or exception handler, therefore, executes as 80386 protected-mode code
Architecture of 80386
•
The internal architecture of 80386 is divided into three sections:
1.
Central Processing Unit
2.
Memory Management Unit
3.
Bus Interface unit

Central Processing Unit
•
The CPU is further divided into:
–
Instruction Unit
–
Execution Unit
•
Instruction Unit:
–
It decodes the opcode bytes received from the 16-byte instruction queue and arranges them into a 3-decoded instruction queue.
–
After decoding it is passed to control section for deriving necessary control signals
•
Execution Unit:
–
It has 8 general purpose and 8 special purpose registers which either handles data or addresses
–
The 64-bit barrel shifter increases the speed of all shift, rotate, multiply and divide operations
–
The multiply/divide logic implements the bit-shift-rotate algorithms to complete the operations in minimum time(Even 32bit multiplication is done in 1µs)
•
Element of the EU
–
Arithmetic/logic unit (ALU)
•
Performs the operation identified by ADD, SUB, AND, etc.
–
Flags register
•
Holds status and control information
–
General-purpose registers
•
Holds address or data information
–
Control ROM
•
Contains microcode sequences that define operations performed by machine instructions
–
Special multiply, shift, and barrel shift hardware
•
Accelerate multiply, divide, and rotate operations
Memory Management Unit
•
MMU consists of a segmentation unit and paging unit
•
Segmentation Unit:
–
It allows the use of two address components - segment and offset – for relocability and sharing of data
–
It allows a maximum segment size of 4GB
– It provides a 4-level protection mechanism for protecting and isolating system’s code and data from those of application program
–
The limit and attribute PLA checks segment limits and attributes at segment level to avoid invalid accesses to code and data in memory segment.
•
Paging Unit
–
It organizes physical memory in terms of pages of 4KB size

–
It works under the control of segmentation unit
–
It converts linear addresses into physical addresses
–
The control and attribute PLA checks privileges at page level.
Bus Interface Unit
•
It has a prioritizer to resolve the priority of various bus requests. This controls the access of the bus
•
The address driver drives the bus enable and address signals A
2
– A
31
.
•
The pipeline/bus size unit handles the control signals for pipelining and dynamic bus sizing units
•
The data buffers interface the internal data bus with system bus
Signal Interface of 80386DX
•
Signals are arranged by functional groups.
•
The # symbol indicates active low signal.
•
When no # is present, the signal is active high.
•
Example: M/IO#
•
High voltage indicates memory is selected
•
Low voltage indicates I/O is selected


Clock (CLK2):
–
It is divided by two internally to generate the internal processor clock.
–
The phase of internal processor clock can be synchronized to a known phase.

Data Bus (D0 through D31):
–
It has three-state bidirectional signals.
–
It can transfer data on 32- and 16-bit buses using a data bus sizing feature.

Address Bus (A2 through A31)
–
Provides three-state outputs
–
It provides physical memory addresses or I/O port addresses.
–
It is capable of addressing 4 gigabytes of physical memory space and 64 kilobytes of I/O address space for programmed I/O
 Byte Enable Outputs( BE0#±BE3#)
– enable 4 memory banks
– indicates which bytes of the 32-bit data bus are involved with the current transfer.
–
BE0# applies to D0-D7
–
BE1# applies to D8-D15
–
BE2# applies to D16-D23
–
BE3# applies to D24-D31
–
No. of Byte Enables asserted indicates physical size of operand being transferred
(1, 2, 3, or 4 bytes).

Bus Cycle Definition Signals (W/R#, D/C#, M/IO# , LOCK#)
– three-state outputs
–
W/R# :distinguishes b/w write and read cycles.
–
D/C# :distinguishes b/w data and control cycles.
–
M/IO# :distinguishes b/w memory and I/O cycles.
–
LOCK# :distinguishes b/w locked and unlocked bus cycles. It enables CPU to prevent other bus masters (like coprocessor) from gaining the control of system bus.

Bus Control Signals(ADS#,READY#,NA#,BS16#):
– indicates when a bus cycle has begun and allow other system hardware to control address pipelining, data bus width and bus cycle termination.
–
ADDRESS STATUS (ADS#) : indicates that a valid address is driven at
80386DX pins.
–
TRANSFER ACKNOWLEDGE (READY#) : indicates that the previous bus cycle is complete and bus is ready for next bus cycle. It is useful for interfacing slow peripherals
–
NEXT ADDRESS REQUEST (NA#) : This is used to enable address pipelining. It indicates that the system is prepared to accept the next address even if the end of the current cycle is not being acknowledged on READY#.

–
BUS SIZE 16 (BS16#) : Asserting this input constrains current bus cycle to use only the lower-order half (D0-D15) of data bus, corresponding to BE0# and
BE1#.
Bus Arbitration Signals (HOLD, HLDA)
•
BUS HOLD REQUEST (HOLD):
–
This input indicates some other device requires bus mastership.
–
HOLD must remain asserted as long as any other device is a local bus master.
–
HOLD is not recognized while RESET is asserted. (i.e. RESET has priority over
HOLD and places the bus into an idle state rather than hold acknowledge state)
–
HOLD is level-sensitive.
•
BUS HOLD ACKNOWLEDGE (HLDA):
–
This output indicates 80386 has relinquished control of its local bus in response to
HOLD asserted and it is in Bus Hold Acknowledge state.
–
This state offers near-complete signal isolation ( It is the only signal being driven by 80386)
–
The other output signals (D0-D31, BE0#-BE3#, A2-A31, W/R#, D/C#,M/IO#,
LOCK# and ADS#) are in a high-impedance state so the requesting bus master may control them.
Coprocessor Interface Signals (PEREQ, BUSY#, ERROR#)
•
COPROCESSOR REQUEST (PEREQ) :
–
This input signal indicates a coprocessor request for a data operand to be transferred to/from memory by the Intel386 DX.
–
Since Intel386 DX has internally stored the coprocessor opcode being executed, it performs the requested data transfer with the correct direction and memory address.
–
PEREQ is level-sensitive
•
COPROCESSOR BUSY (BUSY#) :
–
This input indicates that coprocessor is still executing an instruction and is not yet able to accept another.
–
When the Intel386 DX encounters any coprocessor instruction which operates on numeric stack ( e.g load, pop or arithmetic operation) or WAIT instruct n
this input is first sampled until it is seen to be negated.
–
This sampling of BUSY# input prevents overrunning the execution of a previous coprocessor instruction.
–
BUSY# is level-sensitive
•
COPROCESSOR ERROR (ERROR#) :
–
This input signal indicates that the previous coprocessor instruction generated a coprocessor error of a type not masked by coprocessor's control register.

Interrupt Signals (INTR, NMI, RESET)
•
MASKABLE INTERRUPT REQUEST (INTR):
–
This input indicates a request for interrupt service, which can be masked by Flag
Register IF bit.
–
When processor responds to INTR input, it performs two interrupt acknowledge cycles and at the end of second, it latches an 8-bit interrupt vector on D0-D7 to identify source of interrupt.
–
INTR is level-sensitive
–
To assure recognition of an INTR request, INTR should remain asserted until the first interrupt acknowledge bus cycle begins.
•
NON-MASKABLE INTERRUPT REQUEST(NMI):
–
This input indicates a request for interrupt service which cannot be masked by software.
–
The NMI request is always processed according to the pointer or gate in slot 2 of the interrupt table.
–
Because of fixed NMI slot, no interrupt acknowledge cycles are performed when processing NMI.
–
NMI is rising edge-sensitive
–
Once NMI processing has begun, no additional NMIs are processed until the next
IRET instruction, which is typically the end of the NMI service routine.
•
RESET (RESET) :
–
This input signal suspends any operation in progress and places the Intel386 DX in a known reset state.
–
The Intel386 DX is reset by asserting RESET for 15 or more CLK2 periods
–
When RESET is asserted, all other input pins are ignored, and all other bus pins are driven to an idle bus state.
–
If RESET and HOLD are both asserted at a point in time, RESET takes priority.
–
RESET is level-sensitive
–
This input is automatically sampled by the Intel386 DX when a coprocessor instruction is encountered, and if asserted it generates exception 16 to access the error-handling software.
–
ERROR# is level-sensitive

Table 5-3. Idle Bus State During Reset
•
Vcc: These are system power supply lines
•
GND: These are return lines for the power supply