Protection and Multitasking in 80386
UNIT-III Protection and
Multitasking
3.1 Privilege levels:
•
The need is to
prevent
–
Users from
interfering with one another
–
Users from
examining secure data
–
Program bugs
from damaging other programs
–
Program bugs
from damaging data
–
Malicious
attempts to compromise system integrity
–
Accidental
damage to data
Descriptor Privilege Level:
•
Privilege levels
apply to entire segments
•
The privilege
level is defined in the segment descriptor
•
The privilege
level of the code segment determines the Current Privilege Level (CPL)
3.2 OVERVIEW OF
80386 PROTECTION MECHANISMS:
Protection in
the 80386 has five aspects:
1. Type checking
2. Limit
checking
3. Restriction
of addressable domain
4. Restriction
of procedure entry points
5. Restriction
of instruction set
3.3 SEGMENT-LEVEL
PROTECTION:
•
All
above five aspects of protection apply to segment translation.
•
The
segment is the unit of protection, and segment descriptors store protection
parameters.
•
Segment
registers hold the protection parameters of the currently addressable segments.
1. TYPE CHECKING:
The TYPE field
of a descriptor has two functions:
1. It distinguishes among different descriptor formats.
2. It specifies the intended usage of a segment.
•
The
80386 has descriptors for special segments used by the operating system and for
gates.
•
Table
1 lists all the types defined for system segments and gates.
2. LIMIT
CHECKING:
•
The
limit field of a segment descriptor is used by the processor to prevent
programs from addressing outside the segment.
•
The
processor's interpretation of the limit depends on the setting of the G
(granularity) bit.
•
For
data segments, the processor's interpretation of the limit depends also on the
E-bit (expansion-direction bit) and the B-bit (big bit).
•
When
G= 0, the actual limit is the value of the 20-bit limit field as it appears in
the descriptor.
•
In
this case, the limit may range from 0 to OFFFFFH (2^20 - 1 or 1 megabyte).
•
When
G= 1, the processor appends 12 low-order one-bits to the value in the limit
field.
•
In
this case the actual limit may range from OFFFH (2^12 - 1 or 4 kilobytes) to
OFFFFFFFFH (2^32 - 1 or 4 gigabytes).
•
For all types of
segments except expand-down data segment, the value of the limit is one less
than the size of the segment.
•
The processor
causes a general protection exception in any of these cases:
ü Attempt to access a memory byte at an address
>limit.
ü Attempt to access a memory word at an address
>limit
ü Attempt to
access a memory double word at an address >(limit-2).
•
For
expand-down data segments, the limit has the same function but is interpreted
differently.
•
In
these cases the range of valid addresses is from limit + 1 to either 64K (2^32
-1) (4 Gbytes) depending on the B-bit.
•
An
expand-down segment has maximum size when the limit is zero.
•
Since
each descriptor is eight bytes long, the limit value is N * 8 - 1 for a table
that can contain up to N descriptors.
3. Restriction
of addressable domain
Restricting Access to Data:
•
To address
operands in memory, an 80386 program must load the selector of a data segment
into a data-segment register CS, DS, ES, FS, GS, SS).
•
The processor
automatically evaluates access to a data segment by comparing privilege levels.
•
The evaluation
is performed at the time a selector for the descriptor of the target segment is
loaded into the data-segment register.
•
three different
privilege levels enter into this type of privilege check:
1. The CPL (current privilege level).
2. The RPL (requestor's privilege level) of the
selector used to specify the target segment.
3. The DPL of the descriptor of the target segment.
4. Restriction
of procedure entry points
•
The
"near" forms of the RET instruction transfer control within the
current code segment and therefore are subject only to limit checking.
•
The
"far" form of the RET instruction pops the return pointer that was
pushed onto the stack by a prior far CALL instruction.
•
The checks shown
in Table 3 are made, and CS:EIP and SS:ESP are loaded with their former values
that were saved on the stack.
SF: Stack Fault, GP: General Protection Exception, NP:
Segment Not Present Exception, N: Immediate Operand of RET N instruction.
5. Restriction
of instruction set
•
The instructions
that affect system data structures can only be executed when CPL is zero.
•
If the CPU
encounters one of these instructions when CPL is greater than zero, it signals
a general protection exception.
•
These
instructions include:
CLTS- Clear Task-Switched Flag
HLT -Halt Processor
LGDT -Load GDT Register
LIDT -Load IDT Register
LLDT -Load LDT Register
LMSW -Load Machine Status W
LTR -Load Task Register
MOV to/from CRn -Move to Control Register n
MOV to/from DRn -Move to Debug Register n
MOV to/from TRn -Move to Test Register n
Instructions for Pointer Validation:
•
Pointer
validation is an important part of locating programming errors.
•
The unprivileged
instructions are LAR, LSL, VERR, and VERW.
1) LAR
(Load Access Rights) is used to verify that a pointer refers to a segment of
the proper privilege level and type.
2)
LSL (Load Segment Limit) allows software to test the limit of a descriptor.
3) VERR
(Verify for Reading) verifies a segment for reading and loads ZF with I if that
segment is readable from the current privilege level.
4) VERW
(Verify for Writing) provides the same capability as VERR for verifying writ
ability.
3.4 PAGE-LEVEL
PROTECTION
Two kinds of
protection are related to pages:
1. Restriction of addressable
domain.
2. Type checking.
•
Page-Table Entries Hold Protection Parameters
1.
RESTRICTING ADDRESSABLE DOMAIN:
•
The
concept of privilege for pages is implemented by assigning each page to one of
two levels:
1. Supervisor level (U IS = 0
)-for the operating system and other systems software and related data.
2. User level (U IS = 1 )-for
applications procedures and data.
•
The
current level (U or S) is related to CPL.
•
If
CPL is 0, 1, or 2, the processor is executing at supervisor level.
•
If
CPL is 3, the processor is executing at user level.
•
When
the processor is executing at supervisor level, all pages are addressable.
•
When
the processor is executing at user level, only pages that belong to the user
level are addressable.
2.
TYPE CHECKING
At the level of page
addressing, two types are defined:
1. Read-only
access (R/W=O)
2. Read/write
access (R/W = 1)
•
When
the processor is executing at supervisor level, all pages are both readable and
writable.
•
When
the processor is executing at user level, only pages that belong to user level
and are marked for read/write access are writable;
•
Pages
that belong to supervisor level are neither readable nor writable from user
level.
3.5 COMBINING
PAGE AND SEGMENT PROTECTION
•
When
paging is enabled, the 80386 first evaluates segment protection, then evaluates
page protection.
•
If
the processor detects a protection violation at either the segment or the page level,
the requested operation cannot proceed; a protection exception occurs instead.
•
For
example, it is possible to define a large data segment which has some subunits
that are read-only and other subunits that are read-write.
•
In
this case, the page directory (or page table) entries for the read-only
subunits would have the U/S and R/W bits set to x0, indicating no write
rights for all the pages described by that directory entry (or for individual
pages).
•
Table
5 shows the effective protection provided by the possible combinations of
protection attributes.
3.6 Multitasking
Components involved in multitasking:
1.
Task state
segment
2.
Task state
segment descriptor
3.
Task register
4. Task gate
descriptor
1. Task State Segment (TSS) :
Two classes of TSS format
Static set
It is that where processor reads but does not change.
This set includes the fields that
store:
• The selector of the task's LDT.
• The register (PDBR) that contains the base
address of the task's page directory (read only when paging is enabled).
• Pointers to the stacks for
privilege levels 0-2.
• The T-bit (debug trap bit) which causes the
processor to raise a debug exception
• The I/O map base
Dynamic set
Ø That where processor updates with
each switch from the task.
Ø This set includes the fields that
store:
• The general registers (EAX, ECX, EDX, EBX,
ESP, EBP, ESI, EDI).
• The segment registers (ES, CS,
SS, DS, FS, GS).
• The flags register (EFLAGS).
• The instruction pointer (EIP).
• The selector of the TSS of the
previously executing task (updated only when a return is expected).
2. Task state segment descriptor
3.Task Register
•
The task
register (TR) identifies the currently executing task by pointing to the TSS.
•
Figure shows the path by which the processor
accesses the current TSS.
•
The task
register has both a "visible" portion (i.e., can be read and changed
by instructions) and an "invisible" portion (maintained by the
processor to correspond to the visible portion; cannot be read by any
instruction).
•
The selector in the visible portion selects a
TSS descriptor in the GDT
•
Processor uses
the invisible portion to cache the base and limit values from the TSS
descriptor.
•
Holding the base
and limit in a register makes execution of the task more efficient, because the
processor does not need to repeatedly fetch these values from memory when it
references the TSS of the current task.
•
The instructions
L TR and STR are used to modify and read the visible portion of the task
register. Both instructions take one operand, a 16-bit selector located in
memory or in a general register.
4.Task gate descriptor
•
A task gate
descriptor provides an indirect, protected reference to a TSS. Figure 5
illustrates the format of a task gate descriptor.
•
The SELECTOR
field of a task gate must refer to a TSS descriptor. The value of the RPL in
this selector is not used by the processor.
•
The DPL field of
a task gate controls the right to use the descriptor to cause a task switch.
•
A procedure may
not select a task gate descriptor unless the maximum of the selector's RPL and
the CPL of the procedure is numerically less than or equal to the DPL of the
descriptor.
3.7 Task Switching
The 80386 switches execution to another task in any of
four cases:
•
1. The current
task executes a JMP or CALL that refers to a TSS descriptor.
•
2. The current
task executes a JMP or CALL that refers to a task gate.
•
3. An interrupt
or exception vectors to a task gate in the IDT.
•
4. The current
task executes an IRET when the NT flag is set.
•
The CPU can
perform a ‘context-switch’ to save the current values of all its registers (in
the memory-area referenced by the TR register), and to load new values into all
its registers (from the memory-area specified a new Task-State Segment
selector)
A task switching operation involves these steps:
1.
Checking that
the current task is allowed to switch to the designated task
2.
Checking that
the TSS descriptor of the new task is marked present and has a valid limit
3.
Saving the state
of the current task
4.
Loading the task
register with the selector of the incoming task’s TSS descriptor
5.
Loading the
incoming task’s state from its TSS and resuming execution
3.8 Task Linking
•
The back-link
field of the TSS and the NT (nested task) bit of the flag word together allow
the 80386 to automatically return to a task that CALLed another task or was
interrupted by another task.
•
When a CALL instruction, an interrupt
instruction, an external interrupt, or an exception causes a switch to a new
task, the 80386 automatically fills the back-link of the new TSS with the
selector of the outgoing task's TSS and, at the same time, sets the NT bit in
the new task's flag register.
•
The NT flag indicates whether the back-link
field is valid.
•
The new task
releases control by executing an IRET instruction. When interpreting an IRET,
the 80386 examines the NT flag. If NT is set, the 80386 switches back to the
task selected by the back-link field.
3.9 Task Address Space
•
The LDT selector
and PDBR fields of the TSS give software systems designers flexibility in
utilization of segment and page mapping features of the 80386.
•
By appropriate choice of the segment and page
mappings for each task, tasks may share address spaces, may have address spaces
that are largely distinct from one another, or may have any degree of sharing
between these two extremes.
•
The ability for
tasks to have distinct address spaces is an important aspect of 80386
protection.
•
A module in one
task cannot interfere with a module in another task if the modules do not have
access to the same address spaces.
The flexible memory
management features of the 80386 allow systems designers to assign areas of
shared address space to those modules of different tasks that are designed to
cooperate with each other
Code Optimization
ReplyDeleteThree Stage Production
Classification of Visible-Surface Detection Algorithms
Crystal and FDD
Link State Routing Algorithm
Computer Architecture
Web Design Issues
Call Routing in GSM with Block Diagram
Window-To-Viewport Coordinate Transformation
XML Evaluation Techniques
ReplyDeleteBlock Diagram 8259A
LR parsing
RPC Implementation Issues
Touch Panels
Multiprogramming Concept with Context switching
Sutherland Hodgeman Polygon Clipping
Conflict Serializability
Relocating Loaders