Volume 3A System Programming Guide, Part 1 (794103), page 44
instruction. If the descriptor type is for a code segment or call gate, a call or jump to another code segment is indicated; if the descriptor type is for a TSS or task gate, a task switch is indicated.
— On a call or jump through a call gate (or on an interrupt- or exception-handler call through a trap or interrupt gate), the processor automatically checks that the segment descriptor being pointed to by the gate is for a code segment.
— On a call or jump to a new task through a task gate (or on an interrupt- or exception-handler call to a new task through a task gate), the processor automatically checks that the segment descriptor being pointed to by the task gate is for a TSS.
— On a call or jump to a new task by a direct reference to a TSS, the processor automatically checks that the segment descriptor being pointed to by the CALL or JMP instruction is for a TSS.
— On return from a nested task (initiated by an IRET instruction), the processor checks that the previous task link field in the current TSS points to a TSS.

4.4.1 Null Segment Selector Checking

Attempting to load a null segment selector (see Section 3.4.2, “Segment Selectors”) into the CS or SS segment register generates a general-protection exception (#GP). A null segment selector can be loaded into the DS, ES, FS, or GS register, but any attempt to access a segment through one of these registers when it is loaded with a null segment selector results in a #GP exception being generated. Loading unused data-segment registers with a null segment selector is a useful method of detecting accesses to unused segment registers and/or preventing unwanted accesses to data segments.

4.4.1.1 NULL Segment Checking in 64-bit Mode

In 64-bit mode, the processor does not perform runtime checking on NULL segment selectors. The processor does not cause a #GP fault when an attempt is made to access memory where the referenced segment register has a NULL segment selector.

4.5 PRIVILEGE LEVELS

The processor’s segment-protection mechanism recognizes 4 privilege levels, numbered from 0 to 3. The greater numbers mean lesser privileges.
Figure 4-3 shows how these levels of privilege can be interpreted as rings of protection. The center (reserved for the most privileged code, data, and stacks) is used for the segments containing the critical software, usually the kernel of an operating system. Outer rings are used for less critical software. (Systems that use only 2 of the 4 possible privilege levels should use levels 0 and 3.)

[Figure 4-3. Protection Rings. Rings shown, from the center outward: Level 0 Operating System Kernel; Level 1 Operating System Services; Level 2; Level 3 Applications.]

The processor uses privilege levels to prevent a program or task operating at a lesser privilege level from accessing a segment with a greater privilege, except under controlled situations. When the processor detects a privilege level violation, it generates a general-protection exception (#GP).

To carry out privilege-level checks between code segments and data segments, the processor recognizes the following three types of privilege levels:

• Current privilege level (CPL) — The CPL is the privilege level of the currently executing program or task. It is stored in bits 0 and 1 of the CS and SS segment registers. Normally, the CPL is equal to the privilege level of the code segment from which instructions are being fetched.
The processor changes the CPL when program control is transferred to a code segment with a different privilege level. The CPL is treated slightly differently when accessing conforming code segments. Conforming code segments can be accessed from any privilege level that is equal to or numerically greater (less privileged) than the DPL of the conforming code segment. Also, the CPL is not changed when the processor accesses a conforming code segment that has a different privilege level than the CPL.

• Descriptor privilege level (DPL) — The DPL is the privilege level of a segment or gate. It is stored in the DPL field of the segment or gate descriptor for the segment or gate. When the currently executing code segment attempts to access a segment or gate, the DPL of the segment or gate is compared to the CPL and RPL of the segment or gate selector (as described later in this section). The DPL is interpreted differently, depending on the type of segment or gate being accessed:
— Data segment — The DPL indicates the numerically highest privilege level that a program or task can have to be allowed to access the segment. For example, if the DPL of a data segment is 1, only programs running at a CPL of 0 or 1 can access the segment.
— Nonconforming code segment (without using a call gate) — The DPL indicates the privilege level that a program or task must be at to access the segment. For example, if the DPL of a nonconforming code segment is 0, only programs running at a CPL of 0 can access the segment.
— Call gate — The DPL indicates the numerically highest privilege level that the currently executing program or task can be at and still be able to access the call gate. (This is the same access rule as for a data segment.)
— Conforming code segment and nonconforming code segment accessed through a call gate — The DPL indicates the numerically lowest privilege level that a program or task can have to be allowed to access the segment. For example, if the DPL of a conforming code segment is 2, programs running at a CPL of 0 or 1 cannot access the segment.
— TSS — The DPL indicates the numerically highest privilege level that the currently executing program or task can be at and still be able to access the TSS. (This is the same access rule as for a data segment.)

• Requested privilege level (RPL) — The RPL is an override privilege level that is assigned to segment selectors. It is stored in bits 0 and 1 of the segment selector. The processor checks the RPL along with the CPL to determine if access to a segment is allowed. Even if the program or task requesting access to a segment has sufficient privilege to access the segment, access is denied if the RPL is not of sufficient privilege level. That is, if the RPL of a segment selector is numerically greater than the CPL, the RPL overrides the CPL, and vice versa.
The RPL can be used to ensure that privileged code does not access a segment on behalf of an application program unless the program itself has access privileges for that segment. See Section 4.10.4, “Checking Caller Access Privileges (ARPL Instruction),” for a detailed description of the purpose and typical use of the RPL.

Privilege levels are checked when the segment selector of a segment descriptor is loaded into a segment register. The checks used for data access differ from those used for transfers of program control among code segments; therefore, the two kinds of accesses are considered separately in the following sections.

4.6 PRIVILEGE LEVEL CHECKING WHEN ACCESSING DATA SEGMENTS

To access operands in a data segment, the segment selector for the data segment must be loaded into the data-segment registers (DS, ES, FS, or GS) or into the stack segment register (SS). (Segment registers can be loaded with the MOV, POP, LDS, LES, LFS, LGS, and LSS instructions.) Before the processor loads a segment selector into a segment register, it performs a privilege check (see Figure 4-4) by comparing the privilege levels of the currently running program or task (the CPL), the RPL of the segment selector, and the DPL of the segment’s segment descriptor. The processor loads the segment selector into the segment register if the DPL is numerically greater than or equal to both the CPL and the RPL.
Otherwise, a general-protection fault is generated and the segment register is not loaded.

[Figure 4-4. Privilege Check for Data Access. Inputs to the privilege check: the CPL from the CS register, the RPL from the segment selector for the data segment, and the DPL from the data-segment descriptor.]

Figure 4-5 shows four procedures (located in code segments A, B, C, and D), each running at different privilege levels and each attempting to access the same data segment.
1. The procedure in code segment A is able to access data segment E using segment selector E1, because the CPL of code segment A and the RPL of segment selector E1 are equal to the DPL of data segment E.
2. The procedure in code segment B is able to access data segment E using segment selector E2, because the CPL of code segment B and the RPL of segment selector E2 are both numerically lower than (more privileged than) the DPL of data segment E. A code segment B procedure can also access data segment E using segment selector E1.
3. The procedure in code segment C is not able to access data segment E using segment selector E3 (dotted line), because the CPL of code segment C and the RPL of segment selector E3 are both numerically greater than (less privileged than) the DPL of data segment E. Even if a code segment C procedure were to use segment selector E1 or E2, such that the RPL would be acceptable, it still could not access data segment E because its CPL is not privileged enough.
4. The procedure in code segment D should be able to access data segment E because code segment D’s CPL is numerically less than the DPL of data segment E. However, the RPL of segment selector E3 (which the code segment D procedure is using to access data segment E) is numerically greater than the DPL of data segment E, so access is not allowed. If the code segment D procedure were to use segment selector E1 or E2 to access the data segment, access would be allowed.

[Figure 4-5. Examples of Accessing Data Segments From Various Privilege Levels. Shown: code segment C (CPL=3, lowest privilege) using segment selector E3 (RPL=3); code segment A (CPL=2) using segment selector E1 (RPL=2); code segment B (CPL=1) using segment selector E2 (RPL=1); code segment D (CPL=0, highest privilege); data segment E (DPL=2).]

As demonstrated in the previous examples, the addressable domain of a program or task varies as its CPL changes. When the CPL is 0, data segments at all privilege levels are accessible; when the CPL is 1, only data segments at privilege levels 1 through 3 are accessible; when the CPL is 3, only data segments at privilege level 3 are accessible.

The RPL of a segment selector can always override the addressable domain of a program or task.
When properly used, RPLs can prevent problems caused by accidental (or intentional) use of segment selectors for privileged data segments by less privileged programs or procedures.

It is important to note that the RPL of a segment selector for a data segment is under software control. For example, an application program running at a CPL of 3 can set the RPL for a data-segment selector to 0. With the RPL set to 0, only the CPL checks, not the RPL checks, will provide protection against deliberate, direct attempts to violate privilege-level security for the data segment. To prevent these types of privilege-level-check violations, a program or procedure can check access privileges whenever it receives a data-segment selector from another procedure (see Section 4.10.4, “Checking Caller Access Privileges (ARPL Instruction)”).

4.6.1 Accessing Data in Code Segments

In some instances it may be desirable to access data structures that are contained in a code segment.
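As an added example (not Intel's code and not part of the manual), the following C models the Figure 4-4 data-segment check, runs the Figure 4-5 cases through it, and shows the Section 4.6 RPL caveat: a selector whose RPL a CPL-3 program has forced to 0 passes the check when a kernel service loads it, and fails once the service raises the RPL to the caller's CPL. `make_selector`, `data_segment_load_allowed`, the GDT index 5 and the `adjust_rpl_to_caller` helper are constructed names; the helper only mirrors the ARPL use that Section 4.10.4 describes, it does not execute the instruction.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the Figure 4-4 data-segment privilege check (not Intel's code).
 * Selector layout (Section 3.4.2): bits 15:3 index, bit 2 TI, bits 1:0 RPL. */
uint16_t make_selector(uint16_t index, bool in_ldt, uint8_t rpl)
{
    return (uint16_t)((index << 3) | ((in_ldt ? 1u : 0u) << 2) | (rpl & 3u));
}

uint8_t selector_rpl(uint16_t selector) { return (uint8_t)(selector & 3u); }

/* A data-segment register load succeeds only if DPL >= CPL and DPL >= RPL
 * (numerically); otherwise #GP is raised and the register is left unchanged. */
bool data_segment_load_allowed(uint8_t cpl, uint16_t selector, uint8_t dpl)
{
    return dpl >= cpl && dpl >= selector_rpl(selector);
}

/* Hypothetical helper modelling the ARPL use Section 4.10.4 describes: a
 * privileged service raises the RPL of a caller-supplied selector to the
 * caller's CPL when the caller is less privileged than the selector claims. */
uint16_t adjust_rpl_to_caller(uint16_t selector, uint8_t caller_cpl)
{
    if (selector_rpl(selector) < caller_cpl)
        selector = (uint16_t)((selector & ~3u) | (caller_cpl & 3u));
    return selector;
}

int main(void)
{
    /* Figure 4-5: data segment E has DPL 2; GDT index 5 is a constructed value. */
    const uint8_t dpl_e = 2;
    uint16_t e1 = make_selector(5, false, 2);
    uint16_t e2 = make_selector(5, false, 1);
    uint16_t e3 = make_selector(5, false, 3);
    printf("A (CPL 2) via E1: %d\n", data_segment_load_allowed(2, e1, dpl_e)); /* 1 */
    printf("B (CPL 1) via E2: %d\n", data_segment_load_allowed(1, e2, dpl_e)); /* 1 */
    printf("C (CPL 3) via E1: %d\n", data_segment_load_allowed(3, e1, dpl_e)); /* 0 */
    printf("D (CPL 0) via E3: %d\n", data_segment_load_allowed(0, e3, dpl_e)); /* 0 */
    /* Section 4.6 caveat: a CPL-3 program passes a kernel service a selector
     * for E with the RPL forced to 0. The raw check passes at CPL 0; once the
     * service raises the RPL to the caller's CPL, the same check fails. */
    uint16_t forged = make_selector(5, false, 0);
    uint16_t fixed = adjust_rpl_to_caller(forged, 3);
    printf("kernel, forged RPL 0: %d\n", data_segment_load_allowed(0, forged, dpl_e)); /* 1 */
    printf("kernel, RPL raised to 3: %d\n", data_segment_load_allowed(0, fixed, dpl_e)); /* 0 */
    return 0;
}
```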