
Sinhgad College of Engineering Dept. of Information Technology Class - SE

Sinhgad College of Engineering Dept. of Information Technology Class - SE. Processor Architecture & Interfacing ( 214447). Unit II 80386 Protected Mode – Address Translation & Protection Mechanism. Protected Memory Management and Address Translation.





Presentation Transcript


  1. Sinhgad College of Engineering, Dept. of Information Technology, Class - SE. Processor Architecture & Interfacing (214447). Unit II: 80386 Protected Mode – Address Translation & Protection Mechanism

  2. Protected Memory Management and Address Translation
    • Virtual address and virtual address space
    • Virtual address = selector (16-bit) : offset (32-bit)
    • 2^14 (16,384 = 16K) unique segments of memory, each of which has a maximum size of 4 GB
    • Total virtual address space = 2^46 bytes = 64 TB
    [Figure: 48-bit virtual address; bits 47-32 are the selector (INDEX, TI, RPL), bits 31-0 are the offset]

  3. Protected Memory Management and Address Translation
    • Segment partitioning of the virtual address space
    [Figure: the 64 TB virtual address space is split into a local address space (local segments 0 to 8191, 32 TB) and a global address space (global segments 0 to 8191, 32 TB)]

  4. Application Program: a collection of tasks
    • Task: a group of program routines that together perform a specific function
    • A task can activate both global and local segments of memory
    [Figure: Tasks 1, 2 and 3 each have a virtual address space made up of their own local address space plus the shared global address space]

  5. Physical Address Space and Virtual-to-Physical Address Translation
    • The address translation process is divided into two steps:
      1. Segment translation
      2. Page translation
    [Figure: logical address (selector : offset) -> segment translation -> linear address (DIR, PAGE, OFFSET; bits 31-0); if paging is disabled (PG = 0) the linear address is the physical address, otherwise page translation -> physical address]

  6. Segmentation: Virtual to Physical Address Translation
    [Figure: logical address = selector (DS) : offset (EBX); the selector picks a segment descriptor in the LDT, which is held in the data segment descriptor cache register; segment translation yields the linear address (DIR, PAGE, OFFSET), which is the physical address of the operand when paging is disabled, or goes through page translation when paging is enabled]

  7. 1. Segment translation SCOE

  8. 2. Paging Memory Management
    • Segmentation: 4 GB physical memory, organized into segments that can be any size from 1 byte to 4 GB
    • Paging: 1,048,496 pages that are each 4K (4096) bytes long
    [Figure: physical address space divided into 4 KB pages, Page 0 through Page 1,048,495; logical address -> segment translation -> linear address (DIR, PAGE, OFFSET) -> page translation (when PG = 1) -> physical address]

  9. Linear Address Format
    • Linear address: DIR (bits 31-22), PAGE (bits 21-12), OFFSET (bits 11-0)
    • TLB (Translation Lookaside Buffer): maintains 32 sets of table entries
    • 128 KB of paged memory are always directly accessible
    [Figure: PDBR (CR3) -> page directory table -> page directory entry -> page table -> page table entry -> page frame -> operand; the TLB caches page table entries]

  10. Memory Segmentation: Segment Descriptors, 8086 to 80386+
    • In the 8086, the program is not expected to generate a non-existent memory address. If it does, the processor will try to access it anyway and read bogus data, or crash.
    • In the 80386 and above, the segment attributes (base, limit, privilege etc.) are programmable, and no matter how privileged the code may be, it cannot access an area of memory unless that area is described to it.

  11. Insight into 80386+ segments
    • Segments are:
      - Areas of memory
      - Defined by the programmer
      - Used for different purposes, such as code, data and stack
    • Segments are not:
      - All the same size
      - Necessarily paragraph aligned
      - Limited to 64 KB

  12. Segment Descriptors
    • Describes a segment using 64 bits (bits 0-63), 4 words / 8 bytes
    • Must be created for every segment
    • Is created by the programmer
    • Determines a segment's base address (32 bits)
    • Determines a segment's size (20 bits)
    • Determines the segment's attributes

  13. Segment Descriptors (Cont'd)
    [Figure: segment descriptor format]

  14. Segment Descriptors (Cont'd)
    • BASE ADDRESS (32 bits) (bits 16-39, 56-63): Defines the location of the segment within the 4 gigabyte linear address space.
    • SEGMENT LIMIT (20 bits) (bits 0-15, 48-51): Defines the size of the segment. Size = limit + 1. The processor interprets the limit field in units of 1 byte or 4 KB, depending on the setting of the granularity bit.
    • GRANULARITY (G) bit, bit 55: Specifies the units in which the LIMIT field is interpreted. When the bit is clear, the limit is interpreted in units of one byte; when set, in units of 4 kilobytes.
    • DEFAULT SIZE (D) bit, bit 54: When this bit is clear, operands contained within this segment are assumed to be 16 bits in size. When it is set, operands are assumed to be 32 bits.
    • AVAILABLE (AVL) bit, bit 52: Available for system programmers.

  15. Segment Descriptor (Cont'd): Access Rights Byte, bits 40-47
    • Present (P), bit 47: Indicates whether the segment described by this descriptor is currently available in physical memory or not.
    • Descriptor Privilege Level (DPL) (2 bits) (bits 45-46): Determines a segment's privilege level.
    • System bit (S), bit 44: Defines whether a segment is a system segment (S = 0) or a non-system segment (S = 1: code, data or stack).
    • Type field (3 bits) (bits 41-43): Determines a segment's use/type after the above classification. (Bits 40-43 together are sometimes shown as a 4-bit type field.)
    • Accessed (A), bit 40: Automatically set, and not cleared, by the processor when a memory reference is made to the segment described by this descriptor.

  16. Non-System Segment Descriptors: TYPE
    [Table: non-system segment types (S = 1)]

  17. ARB: Data or Stack / Code segment descriptor
    [Figure: access rights byte layout for data/stack and code segment descriptors]

  18. System Segment Descriptors (S = 0): TYPE
    [Table: system segment types]

  19. System Segment Descriptors Ex. (Cont'd)
    • System segment types (S = 0): LDT descriptor
    [Figure: LDT descriptor format]

  20. D-bit for different descriptors
    • Code segment: D = 0 means 16-bit 80286 code; D = 1 means 32-bit 80386+ code
    • Stack segment: D = 0 means stack operations are 16 bits wide, SP is used as the stack pointer and the maximum stack size is FFFF (64 KB); D = 1 means stack operations are 32 bits wide, ESP is used as the stack pointer and the maximum stack size is FFFFFFFF (4 GB)
    [Figure: non-stack (expand-up) segment: the addressable area runs from the base up to the limit; stack/expand-down segment: the addressable area runs from the limit up to FFFF (or FFFFFFFF)]
    • In an expand-down (stack) segment all offsets must be greater than the limit.
    • In a stack descriptor the D and G bits are to be the same, else there is a contradiction.

  21. Ex.

  22. Ex.

  23. Page Directory Entry
    • The Page Directory is 4K bytes long and allows up to 1024 Page Directory Entries.
    • Each Page Directory Entry contains the address of the next level of tables, the Page Tables, and information about the page table.
    [Figure: Page Directory Entry (PDE) format]

  24. Page Directory Entry
    • Page Table address.
    • A (Accessed): Set if a read or write access occurs to an address covered by the entry.
    • The D bit is undefined for a PDE.
    • P (Present): If set, the pointed page is present in physical memory.
    • U/S (User/Supervisor): Used for protection. If set, the memory pages that this PDE covers are accessible from all privilege levels; if clear, only from PL 0, 1 and 2.
    • R/W (Read/Write):

  25. Page Table Entry
    • The Page Table is 4K bytes long and allows up to 1024 Page Table Entries.
    • Each Page Table Entry contains the address of the page frame, and information about the page frame.
    [Figure: Page Table Entry (PTE) format]
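The two-level walk from slides 9, 23, 24 and 25 (CR3 -> page directory -> page table -> 4 KB frame), together with the P, U/S, R/W, A and D bits, is shown below as an added C example written for this transcript; it is not code from the slides. The simulated physical memory, the table contents and the linear addresses probed are all constructed. The R/W check is applied only to user-mode accesses, which is how the 80386 treats that bit (supervisor code can write a read-only page); the bit positions assumed for P, R/W, U/S, A and D are 0, 1, 2, 5 and 6.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bits shared by PDE and PTE (positions assumed: P 0, R/W 1, U/S 2, A 5, D 6). */
#define PG_P   (1u << 0)   /* Present */
#define PG_RW  (1u << 1)   /* Read/Write: 1 = writable */
#define PG_US  (1u << 2)   /* User/Supervisor: 1 = accessible from PL 3 */
#define PG_A   (1u << 5)   /* Accessed, set by the walk */
#define PG_D   (1u << 6)   /* Dirty, set on a write (PTE only) */

/* Constructed "physical memory": 16 KB (addresses 0x0000-0x3FFF) stored as
 * 32-bit words, so a table entry at physical address a is phys_mem[a / 4].
 * The simulation assumes all tables lie inside this array. */
uint32_t phys_mem[4 * 1024];

typedef enum { PG_OK, PG_NOT_PRESENT, PG_PRIVILEGE, PG_WRITE_PROTECT } pg_status_t;

/* Checks applied at each level.  On the 80386 the R/W bit only restricts
 * user-mode (PL 3) writes; supervisor code may write read-only pages. */
static pg_status_t check_entry(uint32_t e, bool user, bool write) {
    if (!(e & PG_P))                   return PG_NOT_PRESENT;
    if (user && !(e & PG_US))          return PG_PRIVILEGE;
    if (user && write && !(e & PG_RW)) return PG_WRITE_PROTECT;
    return PG_OK;
}

/* Two-level page translation: linear -> DIR (31-22), PAGE (21-12),
 * OFFSET (11-0); CR3 locates the page directory, the PDE locates the page
 * table, the PTE locates the 4 KB page frame. */
pg_status_t page_translate(uint32_t cr3, uint32_t linear, bool user, bool write,
                           uint32_t *phys) {
    uint32_t dir  = linear >> 22;
    uint32_t page = (linear >> 12) & 0x3FF;
    uint32_t off  = linear & 0xFFF;

    uint32_t *pde = &phys_mem[((cr3 & ~0xFFFu) + dir * 4) / 4];
    pg_status_t st = check_entry(*pde, user, write);
    if (st != PG_OK) return st;
    *pde |= PG_A;

    uint32_t *pte = &phys_mem[((*pde & ~0xFFFu) + page * 4) / 4];
    st = check_entry(*pte, user, write);
    if (st != PG_OK) return st;
    *pte |= PG_A;
    if (write) *pte |= PG_D;

    *phys = (*pte & ~0xFFFu) | off;
    return PG_OK;
}

/* Constructed page tables: directory at physical 0, one page table at 0x1000
 * mapping linear 0x00400000-0x00402FFF (DIR = 1, PAGE = 0..2). */
uint32_t setup_tables(void) {
    const uint32_t cr3 = 0x0000, pt = 0x1000;
    memset(phys_mem, 0, sizeof phys_mem);
    phys_mem[(cr3 + 1 * 4) / 4] = pt     | PG_P | PG_RW | PG_US;  /* PDE 1: user, writable */
    phys_mem[(pt  + 0 * 4) / 4] = 0x2000 | PG_P | PG_US;          /* PTE 0: user, read-only */
    phys_mem[(pt  + 1 * 4) / 4] = 0x3000 | PG_P | PG_RW;          /* PTE 1: supervisor only */
    /* PTE 2 left zero: not present */
    return cr3;
}

uint32_t read_entry(uint32_t addr) { return phys_mem[addr / 4]; }

static const char *status_name(pg_status_t s) {
    static const char *names[] = { "ok", "not present", "privilege violation", "write protected" };
    return names[s];
}

int main(void) {
    uint32_t cr3 = setup_tables(), phys = 0;
    struct { uint32_t lin; bool user, write; } probes[] = {
        { 0x00400ABC, true,  false }, { 0x00400ABC, true,  true  },
        { 0x00401010, true,  false }, { 0x00401010, false, true  },
        { 0x00402000, false, false }, { 0x00000000, false, false },
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        pg_status_t st = page_translate(cr3, probes[i].lin, probes[i].user, probes[i].write, &phys);
        printf("linear %08x %s %s -> %s", (unsigned)probes[i].lin,
               probes[i].user ? "user" : "supervisor", probes[i].write ? "write" : "read",
               status_name(st));
        if (st == PG_OK) printf(" physical %08x", (unsigned)phys);
        printf("\n");
    }
    return 0;
}
```

Note that the U/S and R/W bits are consulted at both levels: a PDE with U/S clear makes every page under it supervisor-only, whatever the individual PTEs say, which is why a walk that fails at the directory level never reads the page table at all.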

  26. Protected-Mode System-Control Instruction Set

  27. Protected-Mode System-Control Instruction Set

  28. 80386 Protected Mode – Protection Mechanism

  29. Why Protection?
    • The purpose of the protection features of the 80386 is:
      - To prevent users from interfering with each other.
      - To prevent program bugs from damaging data.
      - To prevent malicious attempts to compromise system integrity.
      - To prevent accidental damage to data.
      - To help detect and identify bugs in hundreds or thousands of program modules.
      - To help debug applications faster and make them more robust.

  30. So, for protection…
    • The 80386 contains mechanisms to verify memory accesses and instruction execution for conformance to protection criteria. These mechanisms may be used or ignored, according to system design objectives.
    • The protection hardware of the 80386 is an integral part of the memory management hardware.
    • Protection is also enforced through privilege levels.

  31. Protection Rings
    [Figure: the four privilege rings, 0 (most privileged) to 3 (least privileged)]

  32. Loading Segment Selectors into segment registers
    • Whenever a segment register is loaded, the following rules are checked by the processor; if one is violated an exception is raised, giving a high degree of memory protection.
    • Rule 1: The index field of the selector must be within the limits of the GDT/LDT to be accessed, else a General Protection Fault exception is raised.
    • Rule 2: The selector references the correct descriptor table.
    • Rule 3: The descriptor is of the correct type:
      - Loading a selector into DS, ES, FS or GS that points to a non-readable segment results in an exception.
      - For loading into SS, the segment pointed to should be readable and writable.
      - For loading into CS, the segment should be of executable type.
    • Rule 4: The selector uses the correct privilege level (discussed later in detail).
    • All segment registers except CS may be loaded using MOV, LDS, LES, LFS, LGS and LSS. CS is loaded using a JMP or a CALL instruction.

  33. Privilege Protection
    • Continuous checking by the processor on whether the application is privileged enough to:
      - Type 1: Execute certain instructions
      - Type 2: Reference data other than its own
      - Type 3: Transfer control to code other than its own
    • To manage this, every segment has a privilege level called the DPL (Descriptor Privilege Level), bits 45-46 of the descriptor.

  34. Privilege Level: DPL, CPL, RPL
    • DPL: The privilege level defined in the segment descriptor's DPL field. (The descriptor itself has no privilege level assigned to it.) Privilege levels apply to entire segments.
    • CPL: At a given point, the processor's privilege level is determined by the DPL of the code segment from which it is currently fetching and executing code; this is referred to as the Current Privilege Level (CPL).
    • RPL: Requestor's Privilege Level (in the segment selector). RPL is the two least significant bits of the segment selector.
    • The Least Privilege Principle: At ring 0, you can do whatever you want. Can we put some limit on it, such that we only use the least privilege that is needed? We can drop the privilege temporarily.
    • How to achieve the Least Privilege Principle: RPL. RPL is usually less than or equal to CPL. When RPL = 0, RPL will have no effect.

  35. Type 1: Execute certain instructions
    • Privileged instructions: instructions that modify the interrupt flag, alter segmentation, perform peripheral I/O or affect the protection mechanism are privileged instructions.
    • Segmentation- and protection-based: HLT, CLTS, LGDT, LIDT, LLDT, LTR, moving data to the Control, Debug and Test registers
    • Interrupt-flag-based and peripheral-I/O-based: CLI, STI, IN, INS, OUT, OUTS

  36. Privileged Instructions
    [Table: privileged instructions]

  37. Privileged instructions
    • The first type of privileged instructions can be executed only when CPL = 0; that is, these instructions can only be in a code segment with DPL = 0.
    • The I/O-based privileged instructions are executed only if CPL <= IOPL (the IOPL field in the EFLAGS register).
    • To add to the security, the POPF/POPFD instructions, which load values into EFLAGS, shall not touch the IOPL bits or the IF bit if CPL > 0.

  38. Type 2: Reference data other than its own
    • Used when applications in a multi-tasking environment share data.
    • Programs are not allowed to read or write data items that have a higher privilege level; however, applications can use data at the same or a lower privilege level.
    • With stack segments it is more restrictive (CPL = DPL of the stack descriptor).
    • This is achieved in two ways:
      1. Whenever a selector is loaded into a data segment register, the CPU checks that max(RPL, CPL) <= DPL (RPL may weaken your privilege level); if this is not true, the 386 rejects the selector immediately.
      2. When the selector makes a memory reference, the 80386 checks whether the type of access you are requesting (read or write) is allowed for that segment.

  39. Privilege check for data
    [Figure: privilege check for a data segment load: CPL, RPL and DPL compared by the privilege check logic]

  40. Privilege check for data
    [Figure: worked example of the data segment privilege check]

  41. Type 3: Transfer control to code other than its own
    • The DPL of the target descriptor must be of similar value, i.e. numerically, Target DPL = max(RPL, CPL). Otherwise the 80386 generates a general protection fault.
    • Essentially this loads a new selector into the CS register.
    • Many programs in a multitasking system share pieces of code such as run-time libraries.
    • Programs are not allowed to CALL or JMP to a code segment that has a different privilege level.
    • The other segment must be a code segment (executable permission) and marked present.
    • Moving between code segments requires an inter-segment JMP, CALL or RET instruction.

  42. Changing Privilege Levels
    • Control transfer from code at some PL to other code with a different PL.
    • There are 2 ways to implement an inter-privilege-level transfer:
      1. Simple: Conforming Code Segments
      2. Complex: Call Gates
    • A conforming code segment conforms to the privilege level of the calling code. So if a control transfer happens from segment S to a conforming segment T, the privilege of T would be the privilege of S.

  43. Conforming Code Segment
    • These are type 6 and 7 system descriptors.
    • Privilege check for control transfer without using a gate. Policy:
      - CPL = DPL of the code segment
      - CPL > DPL: allowed if the conforming bit is 1, but not allowed when the conforming bit is 0
    • CPL = 2 can invoke DPL = 1. CPL = 2 cannot invoke code with DPL = 3. You can transfer control across or up, not down.
    • Why can't we access code with a higher DPL (i.e., lower privilege)? It is easy to jump (lower the CPL) to code with a higher DPL, but it is difficult to return, because on returning we would jump from a lower-privileged ring to a higher-privileged ring. This violates the mandatory access control policy.
    • Why can't we jump to code with a lower DPL (i.e., higher privilege)? For security reasons, we cannot do this. However, we definitely need this. For example, we want to access device driver code, which should be in segments with a higher privilege.


  45. Call Gates
    • These are type 5 special system descriptors.
    • Act as an interface layer between code segments at different privilege levels.
    • Provide the only means to alter the current privilege level.
    • Define entry points to other privilege levels.
    • Must be invoked using a CALL instruction.
    • Occupy a slot in the descriptor tables.
    • Are defined like segment descriptors but do not describe a memory segment.

  46. CALL GATE descriptor
    • Is defined by a system descriptor (S = 0) in the GDT, which is used by the JMP or CALL.
    [Figure: call gate descriptor format]

  47. CALL GATE descriptor
    • A call-gate descriptor contains the following information:
      - Destination selector: the code segment to be accessed, through its segment descriptor
      - Destination offset: the entry point of a procedure in the specified code segment
      - DPL (call gate PL): the privilege level required of a caller trying to access the procedure
      - WC (Word Parameter Count): if a stack switch occurs, it specifies the number of optional parameters to be copied between stacks
    • How to use call gates? CALL xxxxxx, where xxxxxx specifies the call gate entry in the GDT. From the table, the entry point of the procedure is obtained. The DPL of the gate descriptor allows the CPU to decide whether the invoker can enter the gate.

  48. Call gate mechanism
    [Figure: CALL through a gate selector; the gate descriptor supplies the destination code segment selector and entry offset]

  49. Calling Higher Privileged Code
    [Figure: incorrect way: CALL seg:offset directly into the code segment via its code descriptor; correct way: CALL with a gate selector + offset, where the call gate descriptor supplies the target code descriptor and entry point]

  50. Call Gate Accessibility
    • Access control policy for call gates:
      - CPL <= DPL of the call gate.
      - For CALL: DPL of the target code segment <= CPL (only calls to a more privileged code segment are allowed).
    • Why can't we CALL a less privileged code segment using gates? Returning would still be a problem, because the return would be from the less privileged code to the more privileged code, and that violates the mandatory access control.
    • Target DPL <= max(RPL, CPL) <= Gate DPL
    • For example, with CPL = 2 and target PL = 0, you should use a gate with PL = 2 or 3.
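The privilege rules from slides 34 to 50 (selector decoding, privileged and I/O instructions, data and stack segment loads, transfers with and without a gate, and the call gate chain Target DPL <= max(RPL, CPL) <= Gate DPL) are collected here as one added C example for this transcript; it is not code from the slides. Each rule is a small predicate so the slide's own cases can be checked by hand. The EFLAGS layout assumed for IOPL (bits 13-12) is not on the slides, and the stack-segment rule additionally requires RPL = CPL, which is the processor's full rule rather than the slide's shorter statement.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* A 16-bit selector: INDEX (bits 15-3), TI (bit 2, 0 = GDT, 1 = LDT),
 * RPL (bits 1-0), as on slides 2 and 34. */
typedef struct { unsigned index; bool ti; unsigned rpl; } selector_t;

selector_t decode_selector(uint16_t sel) {
    selector_t s = { (unsigned)(sel >> 3), (sel >> 2) & 1, (unsigned)(sel & 3) };
    return s;
}

static unsigned max_u(unsigned a, unsigned b) { return a > b ? a : b; }

/* Slide 37: assumed EFLAGS layout, IOPL in bits 13-12 (not stated on the slides). */
unsigned iopl_from_eflags(uint32_t eflags) { return (eflags >> 12) & 3; }
bool can_execute_privileged(unsigned cpl)       { return cpl == 0; }
bool can_execute_io(unsigned cpl, unsigned iopl) { return cpl <= iopl; }

/* Slide 38: DS/ES/FS/GS load: max(RPL, CPL) <= DPL (RPL can only weaken). */
bool can_load_data_segment(unsigned cpl, unsigned rpl, unsigned dpl) {
    return max_u(cpl, rpl) <= dpl;
}

/* Slide 38: SS is stricter: the stack segment must sit exactly at CPL
 * (the processor also requires the selector's RPL to equal CPL). */
bool can_load_stack_segment(unsigned cpl, unsigned rpl, unsigned dpl) {
    return cpl == dpl && rpl == cpl;
}

/* Slides 41 and 43: JMP/CALL without a gate.  Non-conforming: the target's
 * DPL must equal max(RPL, CPL).  Conforming: "across or up", i.e. DPL <= CPL,
 * and the caller keeps its own CPL. */
bool can_transfer_without_gate(unsigned cpl, unsigned rpl, unsigned dpl, bool conforming) {
    if (conforming) return dpl <= cpl;
    return dpl == max_u(cpl, rpl);
}

/* Slide 50: CALL through a call gate: Target DPL <= max(RPL, CPL) <= Gate DPL. */
bool can_call_through_gate(unsigned cpl, unsigned rpl, unsigned gate_dpl, unsigned target_dpl) {
    unsigned effective = max_u(cpl, rpl);
    return effective <= gate_dpl && target_dpl <= effective;
}

int main(void) {
    /* Constructed selector 0x0023: GDT entry 4 with RPL 3. */
    selector_t s = decode_selector(0x0023);
    printf("selector 0x0023: index=%u TI=%d RPL=%u\n", s.index, s.ti, s.rpl);

    /* The slide's worked case: CPL = 2 wants to reach target DPL = 0. */
    unsigned cpl = 2, rpl = 2;
    printf("CPL 2 -> DPL 0 without gate (non-conforming): %s\n",
           can_transfer_without_gate(cpl, rpl, 0, false) ? "allowed" : "#GP");
    for (unsigned gate_dpl = 0; gate_dpl <= 3; gate_dpl++)
        printf("CPL 2 -> DPL 0 via gate with DPL %u: %s\n", gate_dpl,
               can_call_through_gate(cpl, rpl, gate_dpl, 0) ? "allowed" : "#GP");

    /* Least privilege: a ring-0 caller that passes an RPL 3 selector is
     * refused a DPL 2 data segment, even though its CPL would permit it. */
    printf("CPL 0, RPL 3, data DPL 2: %s\n",
           can_load_data_segment(0, 3, 2) ? "allowed" : "#GP");
    return 0;
}
```

The last probe is the practical use of RPL on slide 34: a privileged routine that receives a selector from a less privileged caller can pass it through unchanged, and the max(RPL, CPL) rule then makes the access fail exactly where the caller's own access would have failed.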
