250 likes | 385 Views
Lect 7: Protected-Mode SW Architecture III. Restricting Control Transfers. Intrasegment Jump and Call limit check Intersegment Jump and Call the operand selects the descriptor of another executable segment (Case 1) the operand selects a call gate descriptor (Case 2) Case 1
E N D
Restricting Control Transfers • Intrasegment Jump and Call • limit check • Intersegment Jump and Call • the operand selects the descriptor of another executable segment (Case 1) • the operand selects a call gate descriptor (Case 2) • Case 1 • CPL = DPL or CPL> DPL if the selected code segment is confirming segment
1 1 2 2 3 Jmp Call Ret 3 E E Jmp Call Ret E Intersegment Intrasegment DPL =1 Conforming Code Seg 1 E 2 E 3 E Calling a Confirming Segment Restricting Control Transfers 16-bit visible selector Invisible Descriptor CPL CS Privilege check by CPU Data Segment Descriptor 23 16 15 8 7 0 32 24 DPL S TYPE AVL LIMIT 19..16 A 4 BASE 31..24 G X 0 P BASE 23..16 7 1 R C A 1 DPL W E 0 3 SEGMENT LIMIT 15 .. 0 SEGMENT BASE 15 .. 0 0
Gate Descriptors • Call Gates • Trap Gates • Interrupt Gates • Task Gates • Call Gates • To define an entry point of a procedure • To specify the privilege level required to enter a procedure 23 16 15 8 7 0 32 24 DWORD COUNT 4 0 0 0 P DPL 0 TYPE OFFSET 31..16 7 3 OFFSET 15 .. 0 SELECTOR 0
Gate Descriptors • Type : • 4 Call Gate • 5 Task Gate • 6 Interrupt Gate • 7 Trap Gate • P =0 : Descriptor contents are not valid =1 : Descriptor contents are valid • WORD COUNT : Number of double words to copy from caller’s stack to called procedure’s stack. Call Gate only
Call Gate Mechanism • Call gate: control transfers to more privileged levels or to the same privilege level • Call : to more privileged levels • JMP : same privilege level or to a confirming code segment with the same or a more privileged level
OFFSET DPL CNT SELECTOR OFFSET Call-gate operation OPCODE OFFSET SELECTOR CALL (NOT USED) INDEX RPL DESCRIPTOR TABLE GATE DESCRIPTOR EXECUTABLE SEGMENT BASE BASE EXECUTABLE SEGMENT DESCRIPTOR BASE
1 E E 2 G 3 E G Call-gate operation • JMP • nonconforming segment • MAX(CPL, RPL) £ gate DPL • destination code segment DPL = CPL • CALL (JMP instruction to a confirming segment) • MAX(CPL, RPL) £ gate DPL • destination code segment DPL £ CPL 1 E G 2 G E 3 E
OFFSET DPL CNT SELECTOR OFFSET Call-gate operation 16-bit visible selector Invisible Descriptor CPL CS Target Segment Selector Privilege check by CPU RPL INDEX GATE DESCRIPTOR Executable Segment Descriptor 23 16 15 8 7 0 32 24 AVL LIMIT 19..16 DPL S TYPE A 4 BASE 31..24 G X 0 P BASE 23..16 7 1 R C A 1 DPL W E 0 3 SEGMENT LIMIT 15 .. 0 SEGMENT BASE 15 .. 0 0
Instructions reserved for the Operating System • Privileged Instructions (CPL =0) • CLTS : clear task switched flag • HLT • LGDT, LIDT, LLDT, LMSW, LTR • Move to/from CRn • Move to/from DRn • Move to/from TRn • Sensitive Instructions • I/O instructions (not CPL =0)
Instructions reserved for the Operating System • Instructions for Pointer Validation • Isolation between privilege levels • check if the supplier of the pointer is allowed to access the segment (ARPL) • check if the segment type is compatible with its use LAR, LSL, VERR, VERW • check if the pointer offset exceeds the segment limit • Pointer Integrity and RPL • present accidental use of pointers which crash more privileged code from a less privileged level • Example: FREAD(file-id, n-bytes, buff-ptr) * bad buff-ptr ARPL buff-ptr : privilege level of the caller a copy of the caller’s CS register on the stack
MULTITASKING • Task : • a program module ( the execution of a sequence of steps) which is running, or waiting to run while another program is running • invoked by an interrupt, exception, jump, or call • A program : logical entity that can have many representations: ex) a source code file or object program file • A program becomes a task when it is actually available for execution Available to all tasks GDT Kernel Data DBMS Kernel Code LDT LDT stack Code data Compiler Code FORTRAN Compiler Editor Code Editor
MULTITASKING • Two types of task-related descriptors • Task Sate Segment(TSS) descriptor • Task Gate • Task Switch • new environment • not re-entrant • does not push anything on the stack • processor state information - TSS
Multitasking • Registers and Data Structures • Task State Segments • TSS descriptors • Task Register • Task Gate descriptors • Use of the multitasking mechanism is optional • Task State Segment • Dynamic Fields: the processor updates with each task switch • general registers • segment registers • flag registers • EIP • the selector for the TSS of the previous task
Multitasking • Static Fields: the processor reads, but does not change • LDT selector • stacks for privilege levels 0, 1, and 2 • T-bit (debug trap bit): cause the processor to raise a debug exception when a task switch occurs • I/O permission bit map
23 16 15 8 7 32 0 24 AVL TYPE1 0 B 1 4 LIMIT 19..16 BASE 31..24 G X 0 P DPL 0 BASE 23..16 7 3 0 SEGMENT LIMIT 15 .. 0 SEGMENT BASE 15 .. 0 Multitasking • TSS Descriptor • Busy Bit : whether the task is busy • Task is not reentrant • Limit ³ 67H (size: 68H: 104) • TSS descriptor : only in the GDT
Task Gate Descriptor • Task Gate Descriptor • The RPL of the TSS selector in the Gate descriptor is not used • The DPL of the destination TSS descriptor is not used • DPL ³ CPL and the selector’s RPL 23 16 15 8 7 32 0 24 0 0 1 0 1 P DPL Reserved 4 Reserved 7 Reserved TSS selector 3 0
Multitasking • Task Switching • Jump or Call to a TSS descriptor • Jump or Call to a Task Gate • Interrupt or Exception indexes to a Task Gate in the IDT • IRET when the NT flag is set
Input/Output • Input/Output Model • Method of addressing I/O ports • Instructions which perform I/O operations • The I/O Protection Mechanism • I/O Instructions • IN, OUT • INS, OUTS (Block I/O) • Protection and I/O • Two protection mechanism • The IOPL field in the EFLAGS - I/O instructions • I/O permission bit map of a TSS - individual ports • * separated I/O address space Vs. memory mapped I/O address space
Input/Output • I/O privilege levels • Typical protection ring model: 0 or 1 have access to the I/O instructions • Instructions can be executed only if CPL ³ IOPL • IN, INS, OUT, OUTS, CLI, STI : “I/O sensitive” instructions • IOPL : can be changed only with the POPF and IRET • No procedure may change its IOPL unless it is running at privilege level 0. • Violation : No exception, the IOPL simply remains unchanged • IF Flag : The POPF also may be used to change the state of the IF flag(as can the CLI and STI) • IOPL-Sensitive, No exception
Input/Output • I/O Permission Bit Map • Exceptions for references to specific I/O addresses • The limit of the TSS - the limit on the size of the I/O permission bit map • If CPL £ IOPL in the protected mode, the processor allows I/O operations to proceed. • If CPL > IOPL, or if the processor is operating in the Virtual 86 mode, the processor checks the I/O permission bit map. • If any of the corresponding I/O permission bits equals 0, the proceed. Otherwise, GP(0) occurs
Virtual 8086 Mode • 8086 Applications • 80386 Real Mode and 80386 Virtual 8086 Mode • Entering and Leaving Virtual 8086 Mode • an IRET(at CPL =0) or Task Switch (at any level) to a 386 DX task whose 386 DX TSS has a FLAGS image containing a 1 in the VM bit position while the processor is in the protected mode • POPF does not affect the VM bit, even if the processor in Protected mode or level 0 • Structure of a Virtual-8086 Task • The task must be represented by a 32-bit TSS (not a 16-bit TSS) • A virtual-8086 Monitor • 32-bit protected-mode code which runs at level 0 • initialization, exception-handling procedures, and I/O emulation in order to virtualized the PC platform • Operating system service
Virtual 8086 Mode 8086 application program 386 DX CPU Application Program #4 GP Fault #1 Virtual 8086 Mode Monitor 8086 OS #2 #3 386 CPU OS File open routines Privilege Level 0 8086 Application makes “open file call” causes General Protection Fault Virtual Monitor intercepts call.(#1) Calls 386 DX OS (#2) 386 OS opens file returns control to 8086 OS (#3) 8086 OS returns control to application (#4) Transparent to Application Privilege Level 3 8086 application program