Volume 3A System Programming Guide_ Part 1 (794103), page 43
PROTECTION

procedure. The term current privilege level (CPL) refers to the setting of this field.

• User/supervisor (U/S) flag — (Bit 2 of a page-directory or page-table entry.) Determines the type of page: user or supervisor.
• Read/write (R/W) flag — (Bit 1 of a page-directory or page-table entry.) Determines the type of access allowed to a page: read only or read-write.

Figure 4-1 shows the location of the various fields and flags in the data, code, and system-segment descriptors; Figure 3-6 shows the location of the RPL (or CPL) field in a segment selector (or the CS register); and Figure 3-14 shows the location of the U/S and R/W flags in the page-directory and page-table entries.

[Figure 4-1. Descriptor Fields Used for Protection. Panels: Data-Segment Descriptor, Code-Segment Descriptor, System-Segment Descriptor. Upper doubleword: Base 31:24 (bits 31:24), G (23), B or D (22), reserved 0 (21), AVL (20), Limit 19:16 (19:16), P (15), DPL (14:13), S (12), Type (11:8), Base 23:16 (7:0); lower doubleword: Base Address 15:00 (31:16), Segment Limit 15:00 (15:0). Type field: data segment 0 E W A, code segment 1 C R A; system-segment descriptor has S = 0. Legend: A Accessed, AVL Available to System Programmer, B Big, C Conforming, D Default, DPL Descriptor Privilege Level, E Expansion Direction, G Granularity, R Readable, LIMIT Segment Limit, W Writable, P Present, 0 Reserved.]

Many different styles of protection schemes can be implemented with these fields and flags. When the operating system creates a descriptor, it places values in these fields and flags in keeping with the particular protection style chosen for an operating system or executive. Application programs do not generally access or modify these fields and flags.

The following sections describe how the processor uses these fields and flags to perform the various categories of checks described in the introduction to this chapter.

4.2.1 Code Segment Descriptor in 64-bit Mode

Code segments continue to exist in 64-bit mode even though, for address calculations, the segment base is treated as zero. Some code-segment (CS) descriptor content (the base address and limit fields) is ignored; the remaining fields function normally (except for the readable bit in the type field).

Code segment descriptors and selectors are needed in IA-32e mode to establish the processor's operating mode and execution privilege level. The usage is as follows:

• IA-32e mode uses a previously unused bit in the CS descriptor. Bit 53 is defined as the 64-bit (L) flag and is used to select between 64-bit mode and compatibility mode when IA-32e mode is active (IA32_EFER.LMA = 1). See Figure 4-2.
— If CS.L = 0 and IA-32e mode is active, the processor is running in compatibility mode. In this case, CS.D selects the default size for data and addresses. If CS.D = 0, the default data and address size is 16 bits. If CS.D = 1, the default data and address size is 32 bits.
— If CS.L = 1 and IA-32e mode is active, the only valid setting is CS.D = 0. This setting indicates a default operand size of 32 bits and a default address size of 64 bits. The CS.L = 1 and CS.D = 1 bit combination is reserved for future use and a #GP fault will be generated on an attempt to use a code segment with these bits set in IA-32e mode.
• In IA-32e mode, the CS descriptor's DPL is used for execution privilege checks (as in legacy 32-bit mode).

[Figure 4-2. Descriptor Fields with Flags used in IA-32e Mode. Code-Segment Descriptor, upper doubleword: G (23), D (22), L (21), AVL (20), P (15), DPL (14:13), S (12), Type 1 C R A (11:8). Legend: A Accessed, AVL Available to System Programmer, C Conforming, D Default, DPL Descriptor Privilege Level, L 64-Bit Flag, G Granularity, R Readable, P Present.]

4.3 LIMIT CHECKING

The limit field of a segment descriptor prevents programs or procedures from addressing memory locations outside the segment. The effective value of the limit depends on the setting of the G (granularity) flag (see Figure 4-1). For data segments, the limit also depends on the E (expansion direction) flag and the B (default stack pointer size and/or upper bound) flag. The E flag is one of the bits in the type field when the segment descriptor is for a data-segment type.

When the G flag is clear (byte granularity), the effective limit is the value of the 20-bit limit field in the segment descriptor. Here, the limit ranges from 0 to FFFFFH (1 MByte). When the G flag is set (4-KByte page granularity), the processor scales the value in the limit field by a factor of 2^12 (4 KBytes). In this case, the effective limit ranges from FFFH (4 KBytes) to FFFFFFFFH (4 GBytes). Note that when scaling is used (G flag is set), the lower 12 bits of a segment offset (address) are not checked against the limit; for example, note that if the segment limit is 0, offsets 0 through FFFH are still valid.

For all types of segments except expand-down data segments, the effective limit is the last address that is allowed to be accessed in the segment, which is one less than the size, in bytes, of the segment. The processor causes a general-protection exception any time an attempt is made to access the following addresses in a segment:

• A byte at an offset greater than the effective limit
• A word at an offset greater than the (effective-limit – 1)
• A doubleword at an offset greater than the (effective-limit – 3)
• A quadword at an offset greater than the (effective-limit – 7)

For expand-down data segments, the segment limit has the same function but is interpreted differently. Here, the effective limit specifies the last address that is not allowed to be accessed within the segment; the range of valid offsets is from (effective-limit + 1) to FFFFFFFFH if the B flag is set and from (effective-limit + 1) to FFFFH if the B flag is clear. An expand-down segment has maximum size when the segment limit is 0.

Limit checking catches programming errors such as runaway code, runaway subscripts, and invalid pointer calculations. These errors are detected when they occur, so identification of the cause is easier. Without limit checking, these errors could overwrite code or data in another segment.

In addition to checking segment limits, the processor also checks descriptor table limits. The GDTR and IDTR registers contain 16-bit limit values that the processor uses to prevent programs from selecting segment descriptors outside the respective descriptor tables.
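The descriptor layout of Figures 4-1 and 4-2, the CS.L/CS.D rules of Section 4.2.1 and the limit rules of Section 4.3 can all be exercised with a small decoder. The C below is an added example written for this page, not code from the Intel manual: it unpacks an 8-byte descriptor into its protection fields, classifies a code segment's IA-32e operating mode, computes the effective limit with G scaling, and decides whether an access of a given size passes the limit check for expand-up and expand-down segments. The struct and function names, the enum values and the three sample descriptors are this example's own constructed values, not contents of any real GDT.

```c
/* Added example (not from the Intel manual): decode the protection-relevant
 * fields of an 8-byte segment descriptor, classify a code segment's IA-32e
 * operating mode from CS.L / CS.D, and apply the Section 4.3 limit rules.
 * Bit positions follow Figure 4-1 / 4-2; all descriptor values are constructed. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

struct seg_desc {
    uint32_t base;      /* Base 31:24 | Base 23:16 | Base 15:00 */
    uint32_t limit;     /* raw 20-bit value: Limit 19:16 | Limit 15:00 */
    bool g, db, l, avl, p, s;
    unsigned dpl;       /* Descriptor Privilege Level, 0..3 */
    unsigned type;      /* 4-bit type field: data = 0 E W A, code = 1 C R A */
};

/* Split the 64-bit descriptor into its fields (bit numbers refer to the
 * upper doubleword, as drawn in Figure 4-1). */
struct seg_desc decode_desc(uint64_t raw)
{
    uint32_t lo = (uint32_t)raw, hi = (uint32_t)(raw >> 32);
    struct seg_desc d;
    d.limit = (lo & 0xFFFF) | (hi & 0x000F0000);
    d.base  = (lo >> 16) | ((hi & 0xFF) << 16) | (hi & 0xFF000000);
    d.type  = (hi >> 8) & 0xF;
    d.s     = (hi >> 12) & 1;
    d.dpl   = (hi >> 13) & 3;
    d.p     = (hi >> 15) & 1;
    d.avl   = (hi >> 20) & 1;
    d.l     = (hi >> 21) & 1;
    d.db    = (hi >> 22) & 1;
    d.g     = (hi >> 23) & 1;
    return d;
}

enum cs_mode { CS_COMPAT16, CS_COMPAT32, CS_64BIT, CS_RESERVED_GP };

/* Mode selected by a CS descriptor while IA-32e mode is active
 * (IA32_EFER.LMA = 1): L=0 -> compatibility mode, D picks 16/32-bit defaults;
 * L=1, D=0 -> 64-bit mode; L=1, D=1 -> reserved, #GP when such a CS is used. */
enum cs_mode ia32e_cs_mode(const struct seg_desc *d)
{
    if (!d->l) return d->db ? CS_COMPAT32 : CS_COMPAT16;
    return d->db ? CS_RESERVED_GP : CS_64BIT;
}

/* Effective limit: the raw field when G=0; (limit << 12) | FFFH when G=1,
 * which is why the low 12 bits of an offset are never checked with G set. */
uint32_t effective_limit(const struct seg_desc *d)
{
    return d->g ? (d->limit << 12) | 0xFFF : d->limit;
}

/* Does an access of `size` bytes (1, 2, 4 or 8) at `offset` pass the limit check?
 * Expand-up: the last byte touched must not exceed the effective limit.
 * Expand-down data (E=1): valid offsets are (limit+1)..FFFFFFFFH if B=1,
 * (limit+1)..FFFFH if B=0. */
bool access_within_limit(const struct seg_desc *d, uint32_t offset, uint32_t size)
{
    uint32_t lim = effective_limit(d);
    uint64_t last = (uint64_t)offset + size - 1;        /* 64-bit: no wraparound */
    bool expand_down = d->s && !(d->type & 0x8) && (d->type & 0x4);
    if (!expand_down)
        return last <= lim;
    uint64_t upper = d->db ? 0xFFFFFFFFULL : 0xFFFFULL;
    return offset > lim && last <= upper;
}

int main(void)
{
    /* Constructed descriptors (not real GDT contents). */
    struct seg_desc data   = decode_desc(0x00CFF2000000FFFFULL); /* flat 4G R/W data, DPL 3, G=1, B=1 */
    struct seg_desc code64 = decode_desc(0x00209A0000000000ULL); /* 64-bit code: L=1, D=0, readable    */
    struct seg_desc stack  = decode_desc(0x0040960000000FFFULL); /* expand-down, W=1, B=1, limit FFFH  */

    printf("data: effective limit %08X, dword at FFFFFFFCH ok=%d, at FFFFFFFDH ok=%d\n",
           effective_limit(&data),
           (int)access_within_limit(&data, 0xFFFFFFFC, 4),
           (int)access_within_limit(&data, 0xFFFFFFFD, 4));
    printf("code64: mode=%d (2 = 64-bit)\n", (int)ia32e_cs_mode(&code64));
    printf("stack: byte at FFFH ok=%d, at 1000H ok=%d\n",
           (int)access_within_limit(&stack, 0xFFF, 1),
           (int)access_within_limit(&stack, 0x1000, 1));
    return 0;
}
```

The expand-down branch is the part most easily got wrong: the raw limit is the highest offset that is forbidden, so a stack segment with limit FFFH and B=1 accepts offsets 1000H through FFFFFFFFH and rejects everything below.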
The LDTR and task registers contain 32-bit segment limit values (read from the segment descriptors for the current LDT and TSS, respectively). The processor uses these segment limits to prevent accesses beyond the bounds of the current LDT and TSS. See Section 3.5.1, "Segment Descriptor Tables," for more information on the GDT and LDT limit fields; see Section 5.10, "Interrupt Descriptor Table (IDT)," for more information on the IDT limit field; and see Section 6.2.4, "Task Register," for more information on the TSS segment limit field.

4.3.1 Limit Checking in 64-bit Mode

In 64-bit mode, the processor does not perform runtime limit checking on code or data segments. However, the processor does check descriptor-table limits.

4.4 TYPE CHECKING

Segment descriptors contain type information in two places:

• The S (descriptor type) flag.
• The type field.

The processor uses this information to detect programming errors that result in an attempt to use a segment or gate in an incorrect or unintended manner.

The S flag indicates whether a descriptor is a system type or a code or data type. The type field provides 4 additional bits for use in defining various types of code, data, and system descriptors. Table 3-1 shows the encoding of the type field for code and data descriptors; Table 3-2 shows the encoding of the field for system descriptors.

The processor examines type information at various times while operating on segment selectors and segment descriptors. The following list gives examples of typical operations where type checking is performed (this list is not exhaustive):

• When a segment selector is loaded into a segment register — Certain segment registers can contain only certain descriptor types, for example:
— The CS register only can be loaded with a selector for a code segment.
— Segment selectors for code segments that are not readable or for system segments cannot be loaded into data-segment registers (DS, ES, FS, and GS).
— Only segment selectors of writable data segments can be loaded into the SS register.
• When a segment selector is loaded into the LDTR or task register — For example:
— The LDTR can only be loaded with a selector for an LDT.
— The task register can only be loaded with a segment selector for a TSS.
• When instructions access segments whose descriptors are already loaded into segment registers — Certain segments can be used by instructions only in certain predefined ways, for example:
— No instruction may write into an executable segment.
— No instruction may write into a data segment if it is not writable.
— No instruction may read an executable segment unless the readable flag is set.
• When an instruction operand contains a segment selector — Certain instructions can access segments or gates of only a particular type, for example:
— A far CALL or far JMP instruction can only access a segment descriptor for a conforming code segment, nonconforming code segment, call gate, task gate, or TSS.
— The LLDT instruction must reference a segment descriptor for an LDT.
— The LTR instruction must reference a segment descriptor for a TSS.
— The LAR instruction must reference a segment or gate descriptor for an LDT, TSS, call gate, task gate, code segment, or data segment.
— The LSL instruction must reference a segment descriptor for an LDT, TSS, code segment, or data segment.
— IDT entries must be interrupt, trap, or task gates.
• During certain internal operations — For example:
— On a far call or far jump (executed with a far CALL or far JMP instruction), the processor determines the type of control transfer to be carried out (call or jump to another code segment, a call or jump through a gate, or a task switch) by checking the type field in the segment (or gate) descriptor pointed to by the segment (or gate) selector given as an operand in the CALL or JMP
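The first and third groups of type checks in Section 4.4 (which descriptor types a segment register may receive, and which accesses an already-loaded segment permits) reduce to a few tests on the S flag and the type field. The C below is an added example for this page, not code from the Intel manual: it encodes exactly those listed rules using the Figure 4-1 type-field layout (data = 0 E W A, code = 1 C R A). The register enum, the `type_info` struct and the function names are this example's own; the LDTR/task-register and instruction-operand rules are not modelled because their system-descriptor encodings come from Table 3-2, which this page only references.

```c
/* Added example (not from the Intel manual): the segment-register load rules
 * and the loaded-segment access rules listed in Section 4.4, expressed over
 * the S flag and the 4-bit type field of Figure 4-1. */
#include <stdbool.h>
#include <stdio.h>

enum seg_reg { REG_CS, REG_SS, REG_DS, REG_ES, REG_FS, REG_GS };

/* Decoded view of the type bits. For data segments bit 2 is E and bit 1 is W;
 * for code segments bit 2 is C and bit 1 is R; bit 0 is A in both. */
struct type_info { bool system, code, e_or_c, w_or_r, accessed; };

struct type_info classify(bool s, unsigned type)
{
    struct type_info t;
    t.system   = !s;                    /* S = 0: system descriptor (Table 3-2) */
    t.code     = s && (type & 0x8);     /* bit 3 of the type field: 1 = code   */
    t.e_or_c   = (type & 0x4) != 0;
    t.w_or_r   = (type & 0x2) != 0;
    t.accessed = (type & 0x1) != 0;
    return t;
}

/* Load rules from Section 4.4:
 *   CS          <- only a code segment
 *   SS          <- only a writable data segment
 *   DS/ES/FS/GS <- a data segment, or a readable code segment; never a
 *                  system descriptor */
bool load_allowed(enum seg_reg reg, bool s, unsigned type)
{
    struct type_info t = classify(s, type);
    if (t.system) return false;
    switch (reg) {
    case REG_CS: return t.code;
    case REG_SS: return !t.code && t.w_or_r;
    default:     return !t.code || t.w_or_r;
    }
}

/* Access rules for a segment already loaded in a segment register:
 *   no write into an executable segment,
 *   no write into a data segment that is not writable,
 *   no read from an executable segment unless it is readable. */
bool access_allowed(bool s, unsigned type, bool is_write)
{
    struct type_info t = classify(s, type);
    if (t.system) return false;
    if (t.code) return !is_write && t.w_or_r;
    return !is_write || t.w_or_r;
}

int main(void)
{
    /* Constructed type-field values: 0xA = readable code, 0x8 = execute-only
     * code, 0x2 = read/write data, 0x0 = read-only data. */
    printf("CS <- readable code:      %d\n", (int)load_allowed(REG_CS, true, 0xA));
    printf("SS <- read-only data:     %d\n", (int)load_allowed(REG_SS, true, 0x0));
    printf("DS <- execute-only code:  %d\n", (int)load_allowed(REG_DS, true, 0x8));
    printf("DS <- system descriptor:  %d\n", (int)load_allowed(REG_DS, false, 0x9));
    printf("write to readable code:   %d\n", (int)access_allowed(true, 0xA, true));
    printf("read from execute-only:   %d\n", (int)access_allowed(true, 0x8, false));
    return 0;
}
```

Note that a readable code segment may sit in DS, ES, FS or GS but still refuses writes, while the SS rule is strictly "writable data": a read-only data segment is a legal DS but an illegal SS.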