Volume 3A System Programming Guide, Part 1 (794103), page 51
If the processor is currently operating at a CPL of 0, 1, or 2, it is in supervisor mode; if it is operating at a CPL of 3, it is in user mode. When the processor is in supervisor mode, it can access all pages; when in user mode, it can access only user-level pages. (Note that the WP flag in control register CR0 modifies the supervisor permissions, as described in Section 4.11.3, “Page Type.”)

Note that to use the page-level protection mechanism, code and data segments must be set up for at least two segment-based privilege levels: level 0 for supervisor code and data segments and level 3 for user code and data segments. (In this model, the stacks are placed in the data segments.) To minimize the use of segments, a flat memory model can be used (see Section 3.2.1, “Basic Flat Model”). Here, the user and supervisor code and data segments all begin at address zero in the linear address space and overlay each other. With this arrangement, operating system code (running at the supervisor level) and application code (running at the user level) can execute as if there are no segments. Protection between operating system and application code and data is provided by the processor’s page-level protection mechanism.

4.11.3 Page Type

The page-level protection mechanism recognizes two page types:
• Read-only access (R/W flag is 0).
• Read/write access (R/W flag is 1).

4-40 Vol. 3 PROTECTION

When the processor is in supervisor mode and the WP flag in register CR0 is clear (its state following reset initialization), all pages are both readable and writable (write protection is ignored). When the processor is in user mode, it can write only to user-mode pages that are read/write accessible. User-mode pages which are read/write or read-only are readable; supervisor-mode pages are neither readable nor writable from user mode. A page-fault exception is generated on any attempt to violate the protection rules.

Starting with the P6 family, Intel processors allow user-mode pages to be write protected against supervisor-mode access. Setting CR0.WP = 1 enables supervisor-mode sensitivity to user-mode, write protected pages. Supervisor pages which are read-only are not writable from any privilege level (if CR0.WP = 0). This supervisor write-protect feature is useful for implementing a “copy-on-write” strategy used by some operating systems, such as UNIX*, for task creation (also called forking or spawning). When a new task is created, it is possible to copy the entire address space of the parent task. This gives the child task a complete, duplicate set of the parent's segments and pages. An alternative copy-on-write strategy saves memory space and time by mapping the child's segments and pages to the same segments and pages used by the parent task. A private copy of a page gets created only when one of the tasks writes to the page. By using the WP flag and marking the shared pages as read only, the supervisor can detect an attempt to write to a user-level page, and can copy the page at that time.

4.11.4 Combining Protection of Both Levels of Page Tables

For any one page, the protection attributes of its page-directory entry (first-level page table) may differ from those of its page-table entry (second-level page table). The processor checks the protection for a page in both its page-directory and the page-table entries. Table 4-3 shows the protection provided by the possible combinations of protection attributes when the WP flag is clear.

4.11.5 Overrides to Page Protection

The following types of memory accesses are checked as if they are privilege-level 0 accesses, regardless of the CPL at which the processor is currently operating:
• Access to segment descriptors in the GDT, LDT, or IDT.
• Access to an inner-privilege-level stack during an inter-privilege-level call or a call to an exception or interrupt handler, when a change of privilege level occurs.

4.12 COMBINING PAGE AND SEGMENT PROTECTION

When paging is enabled, the processor evaluates segment protection first, then evaluates page protection. If the processor detects a protection violation at either the segment level or the page level, the memory access is not carried out and an exception is generated. If an exception is generated by segmentation, no paging exception is generated.

Page-level protections cannot be used to override segment-level protection. For example, a code segment is by definition not writable. If a code segment is paged, setting the R/W flag for the pages to read-write does not make the pages writable. Attempts to write into the pages will be blocked by segment-level protection checks.

Page-level protection can be used to enhance segment-level protection. For example, if a large read-write data segment is paged, the page-protection mechanism can be used to write-protect individual pages.

Table 4-3. Combined Page-Directory and Page-Table Protection

Page-Directory Entry         Page-Table Entry             Combined Effect
Privilege    Access Type     Privilege    Access Type     Privilege    Access Type
User         Read-Only       User         Read-Only       User         Read-Only
User         Read-Only       User         Read-Write      User         Read-Only
User         Read-Write      User         Read-Only       User         Read-Only
User         Read-Write      User         Read-Write      User         Read/Write
User         Read-Only       Supervisor   Read-Only       Supervisor   Read/Write*
User         Read-Only       Supervisor   Read-Write      Supervisor   Read/Write*
User         Read-Write      Supervisor   Read-Only       Supervisor   Read/Write*
User         Read-Write      Supervisor   Read-Write      Supervisor   Read/Write
Supervisor   Read-Only       User         Read-Only       Supervisor   Read/Write*
Supervisor   Read-Only       User         Read-Write      Supervisor   Read/Write*
Supervisor   Read-Write      User         Read-Only       Supervisor   Read/Write*
Supervisor   Read-Write      User         Read-Write      Supervisor   Read/Write
Supervisor   Read-Only       Supervisor   Read-Only       Supervisor   Read/Write*
Supervisor   Read-Only       Supervisor   Read-Write      Supervisor   Read/Write*
Supervisor   Read-Write      Supervisor   Read-Only       Supervisor   Read/Write*
Supervisor   Read-Write      Supervisor   Read-Write      Supervisor   Read/Write

NOTE:
* If CR0.WP = 1, access type is determined by the R/W flags of the page-directory and page-table entries. If CR0.WP = 0, supervisor privilege permits read-write access.

4.13 PAGE-LEVEL PROTECTION AND EXECUTE-DISABLE BIT

In addition to page-level protection offered by the U/S and R/W flags, enhanced PAE-enabled paging structures (see Section 3.10.3, “Enhanced Paging Data Structures”) provide the execute-disable bit. This bit offers additional protection for data pages.

An Intel 64 or IA-32 processor with the execute disable bit capability can prevent data pages from being used by malicious software to execute code. This capability is provided in:
• 32-bit protected mode with PAE enabled.
• IA-32e mode.

While the execute disable bit capability does not introduce new instructions, it does require operating systems to use a PAE-enabled environment and establish a page-granular protection policy for memory pages.

If the execute disable bit of a memory page is set, that page can be used only as data. An attempt to execute code from a memory page with the execute-disable bit set causes a page-fault exception.

The page sizes and physical address sizes supported by execute disable bit capability are shown in Table 4-4. Existing page-level protection mechanisms (see Section 4.11, “Page-Level Protection”) continue to apply to memory pages independent of the execute-disable bit setting.

Table 4-4. Page Sizes and Physical Address Sizes Supported by Execute-Disable Bit Capability

PG Flag, CR0   PAE Flag, CR4   PS Flag, PDE   CPUID Feature Flag ECX[IA-32e]   Page Size   Physical Address Size
1              1               0              0                                4 KBytes    Implementation specific
1              1               1              0                                2 MBytes    Implementation specific
1              1               0              1                                4 KBytes    40 Bits
1              1               1              1                                2 MBytes    40 Bits

4.13.1 Detecting and Enabling the Execute-Disable Bit Capability

Detect the presence of the execute disable bit capability using the CPUID instruction. CPUID.80000001H.EDX[bit 20] = 1 indicates the bit is available.

If the bit is available and PAE is enabled, enable the execute disable bit capability by setting IA32_EFER.NXE[bit 11] = 1. IA32_EFER is available if CPUID.80000001H.EDX[bit 20 or 29] = 1.

If the execute disable bit capability is not available, a write to IA32_EFER.NXE produces a #GP exception. See Table 4-5.

Table 4-5. Extended Feature Enable MSR (IA32_EFER)

Bits    Field
63:12   Reserved
11      Execute disable bit enable (NXE)
10      IA-32e mode active (LMA)
9       Reserved
8       IA-32e mode enable (LME)
7:1     Reserved
0       SysCall enable (SCE)

4.13.2 Execute-Disable Bit Page Protection

The execute-disable bit in paging structures enhances page protection for data pages. Memory pages that contain data cannot be used to execute code if IA32_EFER.NXE = 1 and the execute-disable bit of the memory page is set. Table 4-6 lists the valid usage of a page in relation to the value of the execute-disable bit (bit 63) of the corresponding entry in each level of the paging structures. Execute-disable bit protection can be activated using the execute-disable bit at any level of the paging structure, irrespective of the corresponding entry in other levels. When execute-disable-bit protection is not activated, the page can be used as code or data.

Table 4-6. IA-32e Mode Page Level Protection Matrix with Execute-Disable Bit Capability

Execute Disable Bit Value (Bit 63)                      Valid Usage
PML4         PDP          PDE          PTE
Bit 63 = 1   *            *            *                Data
*            Bit 63 = 1   *            *                Data
*            *            Bit 63 = 1   *                Data
*            *            *            Bit 63 = 1       Data
Bit 63 = 0   Bit 63 = 0   Bit 63 = 0   Bit 63 = 0       Data/Code

NOTES:
* Value not checked.

In legacy PAE-enabled mode, Table 4-7 and Table 4-8 show the effect of setting the execute-disable bit for code and data pages.

Table 4-7. Legacy PAE-Enabled 4-KByte Page Level Protection Matrix with Execute-Disable Bit Capability

Execute Disable Bit Value (Bit 63)   Valid Usage
PDE          PTE
Bit 63 = 1   *                       Data
*            Bit 63 = 1              Data
Bit 63 = 0   Bit 63 = 0              Data/Code

NOTE:
* Value not checked.

Table 4-8. Legacy PAE-Enabled 2-MByte Page Level Protection with Execute-Disable Bit Capability

Execute Disable Bit Value (Bit 63)   Valid Usage
PDE
Bit 63 = 1                           Data
Bit 63 = 0                           Data/Code

4.13.3 Reserved Bit Checking

The processor enforces reserved bit checking in paging data structure entries. The bits being checked vary with paging mode and may vary with the size of the physical address space. Table 4-9 shows the reserved bits that are checked when the execute disable bit capability is enabled (CR4.PAE = 1 and IA32_EFER.NXE = 1).
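As an added example (not Intel's code and not part of the manual), the following C model applies the rules of Sections 4.11.3, 4.11.4 and 4.13.2 to one page walk: it combines the U/S and R/W flags of every level (Table 4-3), lets CR0.WP decide whether supervisor mode may write a read-only page, and treats an execute-disable bit set at any level as data-only once IA32_EFER.NXE = 1 (Tables 4-6 to 4-8). The entry layout, `mk_entry` and `page_access_allowed` are this example's own assumptions; real entries carry many more fields.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model (not Intel's code) of the page-protection checks in
 * Sections 4.11.3, 4.11.4 and 4.13.2. Only the bits those checks use are
 * modelled; real entries carry many more fields. */
#define PG_RW  (1ull << 1)   /* R/W: 1 = read/write, 0 = read-only */
#define PG_US  (1ull << 2)   /* U/S: 1 = user page, 0 = supervisor page */
#define PG_XD  (1ull << 63)  /* execute-disable (PAE / IA-32e entries only) */

enum access { ACC_READ, ACC_WRITE, ACC_EXEC };

/* Build a paging-structure entry carrying just the flags we care about. */
static uint64_t mk_entry(bool user, bool rw, bool xd)
{
    return (user ? PG_US : 0) | (rw ? PG_RW : 0) | (xd ? PG_XD : 0);
}

/* entries[] lists the entries walked for one page, outermost first
 * (PML4E, PDPTE, PDE, PTE in IA-32e mode; PDE, PTE for a 4-KByte page
 * under legacy paging). Returns true if the access is permitted, false if
 * the processor would raise a page-fault exception. */
static bool page_access_allowed(const uint64_t *entries, int nlevels, int cpl,
                                bool cr0_wp, bool efer_nxe, enum access acc)
{
    bool user_page = true, writable = true, executable = true;
    for (int i = 0; i < nlevels; i++) {
        /* Table 4-3: the combined privilege and access type are the most
         * restrictive of the levels: supervisor wins over user and
         * read-only wins over read/write. */
        if (!(entries[i] & PG_US)) user_page = false;
        if (!(entries[i] & PG_RW)) writable = false;
        /* Tables 4-6 to 4-8: XD set at any level makes the page data-only,
         * but only once IA32_EFER.NXE = 1 enables the feature. */
        if (efer_nxe && (entries[i] & PG_XD)) executable = false;
    }
    bool supervisor_mode = (cpl < 3);           /* CPL 0, 1, 2 */
    if (!supervisor_mode && !user_page)         /* supervisor page from user mode */
        return false;
    if (acc == ACC_EXEC)                        /* XD is enforced at every CPL */
        return executable;
    if (acc == ACC_WRITE && !writable)
        /* Read-only page: supervisor mode writes it anyway unless CR0.WP = 1
         * (Table 4-3 note); user mode always faults. */
        return supervisor_mode && !cr0_wp;
    return true;                                /* reads of accessible pages */
}
```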