1 80186 80186 contains 8086 processor and several additional functional chips: –clock generator...
-
Upload
eric-bridges -
Category
Documents
-
view
254 -
download
3
Transcript of 1 80186 80186 contains 8086 processor and several additional functional chips: –clock generator...
1
80186• 80186 contains 8086 processor and
several additional functional chips:– clock generator– 2 independent DMA channels– PIC– 3 programmable 16-bit timers
• more a microcontroller than a microprocessor
• used mostly in industrial control applications
2
80286INTRODUCTION
3
Salient features of 80286
• High performance microprocessor with memory management and protection
– 80286 is the first member of the family of advanced microprocessors with built-in/on-chip memory management and protection abilities primarily designed for multi-user/multitasking systems
• Available in 12.5MHz, 10MHz & 8MHz clock frequencies
4
Salient features of 80286 bus and memory sizes cont…
Microprocessor Data bus width
Address bus width
Memory size
8086 16 20 1M
80186 16 20 1M
80286 16 24 16M
The 80286 CPU, with its 24-bit address bus is able to address 16MB of physical memory.
1GB of virtual memory for each task
5
Salient features of 80286 Operating ModesIntel 80286 has 2 operating modes: Real Address Mode :
80286 is just a fast 8086 --- up to 6 times faster
All memory management and protection mechanisms are disabled
286 is object code compatible with 8086 Protected Virtual Address Mode
80286 works with all of its memory management and protection capabilities with the advanced instruction set.
it is source code compatible with 8086
6
Salient features of 80286 cont…
286 includes special instructions to support operating system.for example, one instruction can
i) ends the current taskii) save its statesiii) switch to a new task iv) load its states andv) begin executing the new
task housed in 68-pin package
7
80286 INTERNAL ARCHITECTURE
8
8086
EU
BIU
EU
BIU
802868085
IU
AU
9
10
Functional Parts
1. Bus Interface unit
2. Instruction unit
3. Execution unit
4. Address unit
11
Bus Interface Unit• Performs all memory and I/O read and
write operations.• Take care of communication between
CPU and a coprocessor.• Transmit the physical address over
address bus A0 – A23.
• Prefetcher module in the bus unit performs this task of prefetching.
• Bus controller controls the prefetcher module.
• Fetched instructions are arranged in a 6 – byte prefetch queue.
12
Instruction Unit
• Receive arranged instructions from 6 byte prefetch queue.
•
• Instruction decoder decodes up to 3 prefetched instruction and are latched them onto a decoded instruction queue.
•
• Output of the decoding circuit drives a control circuit in the Execution unit.
13
Execution unit
• EU executes the instructions received from the decoded instruction queue sequentially.
• Contains Register Bank.• contains one additional special register called
Machine status word (MSW) register --- lower 4 bits are only used.
• ALU is the heart of execution unit.
• After execution ALU sends the result either over data bus or back to the register bank.
14
• Calculate the physical addresses of the instruction and data that the CPU want to access
• Address lines derived by this unit may be used to address different peripherals.
• Physical address computed by the address unit is handed over to the BUS unit.
Address Unit
15
Register organization of 80286
• The 80286 CPU contains the same set of registers, as in 8086.
– Eight 16-bit general purpose registers.
– Four 16 bit segment registers.
– One Flag register.
– One Instruction pointer.
plus– one new 16-bit machine status word (MSW)
register
16
17
Flag Register
New to 286
18
IOPL – Input Output Privilege Level flags (bit D12 and D13)– IOPL is used in protected mode operation
to select the privilege level for I/O devices. IF the current privilege level is higher or more trusted than the IOPL, I/O executed without hindrance.
– If the IOPL is lover than the current privilege level, an interrupt occurs, causing execution to suspend.
– Note that IPOL 00 is the highest or more trusted; and IOPL 11 is the lowest or least trusted.
19
NT – Nested task flag (bit D14)– When set, it indicates that one system task
has invoked another through a CALL instruction as opposed to a JMP.
– For multitasking this can be manipulated to our advantage
20
Machine Status Word Register• Consist of four flags
– PE,
– MP,
– EM and
– TS
• LMSW & SMSW instruction are available in the instruction set of 80286 to write and read the MSW in real address mode.
are for the most part used to indicate whether a processor extension (co-processor) ispresent in the system or not
21
Machine Status Word...
22
PE - Protection enableProtection enable flag places the
80286 in protected mode, if set. this can only be cleared by resetting the CPU.
MP – Monitor processor extension flag allows WAIT instruction to
generate a processor extension.
23
EM – Emulate processor extension flag,if set , causes a processor extension
absent exception and permits the emulation of processor extension by CPU.
TS – Task switch if set, this flag indicates the next
instruction using extension will generate exception 7, permitting the CPU to test whether the current processor extension is for current task.
24
80286 signals• 68 pins are there, instead of 40 in 8086
• data and address bus are de-multiplexed
• mostly like 8086 with some differences
25
80286 signals...• some new signals are provided for
special jobs like connecting co-processor with 286– 4 pins are provided to interface 286 with a
co-processor– they are
• PEREQ [Processor Extension REQuest]• PEACK [Processor Extension ACKnowledge]• BUSY• ERROR
26
80286 signals...• PEREQ [Processor Extension REQuest]
– Input signal to µP– Asserted by co-processor to tell µP to
perform data transfer to or from memory for it
27
80286 signals...• PEACK [Processor Extension ACKnowledge]
– Output signal– Used to let the co-processor know that the data
transfer has started– Data transfer are done through µP so that the
co-processor can use the protection and virtual memory capability
28
80286 signals...• BUSY
– Input signal– Same as TEST of 8086– Enters in a WAIT loop till µP finds a high
from co-processor
29
80286 signals...• ERROR
– Input signal– If a co-processor finds some error during
processing, it will let µP know through this line
30
80286 Memory Organization
• Same as 8086
• Uses odd and even banks
31
Addressing Modes
• Same as 8086
32
INSTRUCTION SET
• Same as 8086 with some additional instructions
33
Additional Instructions of Intel 80286
Sl no
Instruction Purpose
1. CLTS Clear the task – switched bit
2. LDGT Load global descriptor table register
3. SGDT Store global descriptor table register
4. LIDT Load interrupt descriptor table register
5. SIDT Store interrupt descriptor table register
6. LLDT Load local descriptor table register
7. SLDT Store local descriptor table register
8. LMSW Load machine status register
9. SMSW Store machine status register
34
Sl no
Instruction Purpose
10. LAR Load access rights
11. LSL Load segment limit
12. SAR Store access right
13. ARPL Adjust requested privilege level
14. VERR Verify a read access
15. VERW Verify a write access
35
CLTS The clear task – switched flag instruction clears the TS
(Task - switched) flag bit to a logic 0.
LAR The load access rights Instruction reads the segment
descriptor and place a copy of the access rights byte into a 16 bit register.
LSL The load segment limit instruction Loads a user –
specified register with the segment limit.
36
VERRThe verify for read access instruction verifies that a
segment can de read.
VERWThe verify for write access instruction is used to verify
that a segment can be written.
ARPLThe Adjust request privilege level instruction is used to
test a selector so that the privilege level of the requested selector is not violated.
37
INTERRUPT• Same as 8086 but defines more
dedicated/internal interrupts– Uses from type 5 to type 13 and type 16
38
39
THAT’S ALL FOR TODAY
40
80286 Memory Addressing
Memory management is supported by a hardware unit called Memory management unit.
Intel’s 80286 is the first CPU to incorporate the Integrated memory management unit.
41
80286 Memory Addressing
Function of memory management unit :1. To ensure smooth execution of the program by
SWAPPING IN data from secondary memory to physical memory
SWAPPING OUT data from physical memory to secondary memory
2. Important aspect of memory management is Data Protection or unauthorized access prevention done with the help of segmented memory
42
REAL MODE MEMORY ADDRESSING
• 80286 operates in either the
– real or
– protected mode.
• Real mode operation allows addressing of only the first 1M byte of memory space—even in Pentium 4 or Core2 microprocessor.
– the first 1M byte of memory is called the real memory, conventional memory, or DOS memory system
43
Segments and Offsets
• All real mode memory addresses must consist of a segment address plus an offset address.
– segment address defines the beginning address of any 64K-byte memory segment
– offset address selects any location within the 64K byte memory segment
44
PROTECTED MODE MEMORY ADDRESSING
• Allows access to data and programs located within & above the first 1M byte of memory.
• Protected mode is where Windows operates.
• In place of a segment address, the segment register contains a selector that selects a descriptor from a descriptor table.
• The descriptor describes the memory segment’s location, length, and access rights.
45
Selectors and Descriptors
• The descriptor is located in the segment register & describes the location, length, and access rights of the segment of memory. – it selects one of 8192 descriptors from one
of two tables of descriptors• In protected mode, this segment number can
address any memory location in the systemfor the code segment.
• Indirectly, the register still selects a memory segment, but not directly as in real mode.
46
• Global descriptors contain segment definitions that apply to all programs.
• Local descriptors are usually unique to an application. – a global descriptor might be called a system
descriptor, and local descriptor an application descriptor
• Following slide shows the format of a descriptor for the 80286 – each descriptor is 8 bytes in length– global and local descriptor tables are a
maximum of 64K bytes in length
47
The 80286 descriptors
48
• The base address of the descriptor indicates the starting location of the memory segment.– the paragraph boundary limitation is removed in
protected mode– segments may begin at any address
• The G, or granularity bit allows a segment length of 4K to 4G bytes in steps of 4K bytes. – 32-bit offset address allows segment lengths of
4G bytes– 16-bit offset address allows segment lengths of
64K bytes.
49
• Operating systems operate in a 16- or 32-bit environment.
• DOS uses a 16-bit environment.
• Most Windows applications use a 32-bit environment called WIN32.
• MSDOS/PCDOS & Windows 3.1 operating systems require 16-bit instruction mode.
• Instruction mode is accessible only in a protected mode system such as Windows Vista.
50
• The access rights byte controls access to the protected mode segment. – describes segment function in the system and
allows complete control over the segment– if the segment is a data segment, the direction of
growth is specified
• If the segment grows beyond its limit, the operating system is interrupted, indicatinga general protection fault.
• You can specify whether a data segmentcan be written or is write-protected.
51
Figure 2–7 The access rights byte for the 80286 through Core2 descriptor.
52
• Descriptors are chosen from the descriptor table by the segment register. – register contains a 13-bit selector field, a table
selector bit, and requested privilege level field
• The TI bit selects either the global or the local descriptor table.
• Requested Privilege Level (RPL) requests the access privilege level of a memory segment. – If privilege levels are violated, system normally
indicates an application or privilege level violation
53
Figure 2–8 The contents of a segment register during protected mode operation of the 80286 through Core2 microprocessors.
54
• Figure 2–9 shows how the segment register, containing a selector, chooses a descriptor from the global descriptor table.
• The entry in the global descriptor table selects a segment in the memory system.
• Descriptor zero is called the null descriptor, must contain all zeros, and may not be used for accessing memory.
55
Figure 2–9 Using the DS register to select a description from the global descriptor table. In this example, the DS register accesses memory locations
00100000H–001000FFH as a data segment.
56
Program-Invisible Registers • Global and local descriptor tables are found
in the memory system.• To access & specify the table addresses,
80286–Core2 contain program-invisible registers. – not directly addressed by software
• Each segment register contains a program-invisible portion used in the protected mode. – often called cache memory because cache is
any memory that stores information
57
Figure 2–10 The program-invisible register within the 80286–Core2 microprocessors.
58
• When a new segment number is placed in a segment register, the microprocessor accesses a descriptor table and loads the descriptor into the program-invisible portion of the segment register. – held there and used to access the memory
segment until the segment number is changed
• This allows the microprocessor to repeatedly access a memory segment without referring to the descriptor table.– hence the term cache
59
• The GDTR (global descriptor table register) and IDTR (interrupt descriptor table register) contain the base address of the descriptor table and its limit. – when protected mode operation desired, address
of the global descriptor table and its limit are loaded into the GDTR
• The location of the local descriptor table is selected from the global descriptor table. – one of the global descriptors is set up to
address the local descriptor table
60
• To access the local descriptor table, the LDTR (local descriptor table register) is loaded with a selector. – selector accesses global descriptor table, & loads
local descriptor table address, limit, & access rights into the cache portion of the LDTR
• The TR (task register) holds a selector, which accesses a descriptor that defines a task. – a task is most often a procedure or application
• Allows multitasking systems to switch tasksto another in a simple and orderly fashion.
61
62
Protected Mode
• Memory Segmentation and Privilege Levels• Definition of a segment• Segment selectors • Local Descriptor Tables• Segment Aliasing, Overlapping• Privilege protection• Defining Privilege Levels• Changing Privilege levels
63
Protected Mode Registers• LDTR – Local Descriptor Table Register –
16 bits
• GDTR – Global Descriptor Table Register – 48 bits
• IDTR – Interrupt Descriptor Table Register – 48 bits
• TR – Task register – 16 bits
64
Protected Mode Addressing• mov [DS:1000], EAX• Let value of DS be 0x10. This is used to select
a segment descriptor in a descriptor table.• The segment descriptor contains information
about the base address of the segment, to which 1000 is added to get the effective address.
• The value stored in DS is called a selector.• Henceforth we discuss protected mode.
65
Protected Mode Addressing
SELECTOR OFFSET
Descriptor Table
Base Address
Linear Address
Logical Address
Segment Descriptor
66Intra and Inter process Protection
•A process always executes from Code segment. It should not execute by accessing from adjoining Data or stack area or any other code area too.
•A stack should not overgrow into adjoining segments
Every segment is specified a start address and limit.
Architecture checks if limit is not exceeded.
CS
ES
SS
500
1000
1500
2000
jmp CS:250 //This is finejmp CS:501 //This is a violation as limit is 500mov [ES:498], AX //This is finemov [ES:498], EAX //This is a violation!!!PUSH AX //Let SP be 498, it is finePUSH EAX //Let SP be 498, violationPOP AX //Let SP be 2, it is finePOP EAX //Let SP be 2, Violation!!!
67
Interprocess Protection
Process 1 CS
Process 1 DS
Process 2 CS
Process 2 SS
Process 2 DS
Process 1 SS
CS
DS
SS
Process 1 should be prevented from loading CS, such that it can access the code of Process 2
Similarly for the DS,SS, ES, FS and GS
Privilege levels: [0-3] assigned to each segment.
0: Highest privilege
3: Lowest privilege
68
Privilege levels and Protection• Every segment has an associated privilege level
and hence any code segment will have an associated privilege level.
• The CPL (Current Privilege Level) of a process is the privilege level of the code segment, the code stored in which, it is executing.
• A process can access segments that have privilege levels numerically greater than or equal to (less privileged than) its CPL.
69
Protection Implementation• Every segment is associated with a descriptor
stored in a descriptor table.• The privilege level of any segment is stored in its
descriptor.• The descriptor table is maintained in memory
and the starting location of the table is pointed to by a Descriptor Table Register (DTR).
• The segment register stores an offset into this table.
70
Structure of a Descriptor
71
Updating Segment registers
• Segment registers (DS, ES, SS, GS and FS) are updated by normal MOV instructions.– MOV AX, 0x10 ; MOV DS, AX
• The above command is successful if and only if the descriptor stored at the offset 0x10 in the descriptor table has a privilege level numerically greater than or equal to the CPL.
• A process with CPL = 3 cannot load the segment descriptor of CPL <= 2, and hence cannot access the segments.
72
Updating segment registers
• The code segment register is updated by normal jump/call operations.– jmp 0x20:0x1000– This updates the CS by 0x20, provided the
descriptor stored at offset 0x20 has a privilege level numerically greater than or equal to CPL
• Other modes of updating CS register– Numerically higher to lower Privilege Levels using
CALL gates – useful for system calls.– Any privilege level to any other privilege level
using task switch.
73
Descriptor Tables• There are two descriptor tables
– Global Descriptor Tables– Local Descriptor Tables
• The global descriptor table’s base address is stored in GDTR
• The local descriptor table’s base address is stored in LDTR
• The two privileged instructions LGDT and LLDT loads the GDTR and LDTR.
74
Structure of a Selector
Index T1
0215
T1 = 0 GDT
= 1 LDT
Since segment descriptors are each 8 bytes, the last three bits of the selector is zero, in which one of them is used for LDT/GDT access.
75
Two process each of PL = 3 should be allotted segments such that one should not access the segments of other.
GDTR GDT
All descriptors in GDT have
PL = 0,1,2
LDTRLDTR
Per process Per process
If at all each process should access memory, it has to use the descriptors in its LDTR only and it cannot change the LDTR/LDT/GDTR/GDT contents as they would be maintained in a higher privileged memory area.
76
Did You Note!!• There is an 100 % degradation in Memory
access time – because every memory access is two accesses now, one for getting the base address and another for actually accessing the data.
• A solution indeed: Along with the segment registers, keep a shadow registers which stores additional necessary information.
77
Base Address, Limit, DPL.
Segment selector
Visible part Hidden part
CS
SS
DS
ES
FS
GS
78
Be Careful
0x10 20
120
Descriptor Table
Base Address
Linear Address
Logical Address
Base = 100
Changing Base
Linear address will still be 120
Have to execute
mov DS,0x10 again to get the answer as 220, as this would update the hidden part
Base = 200
add [DS:20],eax
79
Virtual Memory and Paging• It is always enough if the next instruction
to be executed and the data needed to execute the same are available in the memory.
• The complete code and data segment need not be available.
• Use of paging to realize the stuff!• By using segmentation the processor
calculates an 32-bit effective address.
80
Task Switching• There are different types of descriptors in a
Descriptor table.• One of them is a task state segment descriptor.• jmp 0x10:<don’t’care> and that 0x10 points to a
TGD, then the current process context is saved and the new process pointed out by the task state segment descriptor is loaded.
• A perfect context switch.• TSS descriptor only in a GDT.
81
Task State Segment
82
Task Switching• Every process has an associated Task
State Segment, whose starting point is stored in the Task register.
• A task switch happens due to a jmp or call instruction whose segment selector points to a Task state segment descriptor, which in turn points to the base of a new task state segment
83
Task Switching process
84
Interrupt Handling
• Processor generates interrupts that index into a Interrupt Descriptor Table, whose base is stored in IDTR and loaded using the privileged instruction LIDT.
• The descriptors in IDT can be – Interrupt gate: ISR handled as a normal call
subroutine – uses the interrupted processor stack to save EIP,CS, (SS, ESP in case of stack switch – new stack got from TSS).
– Task gate: ISR handled as a task switch• Needed for stack fault in CPL = 0 and double faults.
85
Interrupt Handling
• Processor handles a total of 255 interrupts• 0-31 are used by machine or reserved• 32-255 are user definable• 0 – Divide error, goes to first descriptor in IDT• 1 – Debug• 8 – Double Fault• 12 – Stack Segment fault• 13 – General Protection Fault• 14 – Page Fault
86
Legacy Issues
• 16-bit code in 32-bit architecture• Address override prefix – 16-bit or 32-bit
addresses in a 32-bit or 16-bit code segment• Operand override prefix
– Same opcode for say, add EAX,EBX and add AX,BX
– Distinguished by the operand override prefix – 16-bit or 32-bit operands in a 32-bit ot 16-bit code segment
• D flag in the code segment descriptor tells the size of the code segment, which is used above.
87
x86 Memory Management
• To learn– Segmentation details– Privilege levels and switching
88
Memory Segmentation• Segment Descriptors
– 80886 to 80386+• In 8086, the program is not expected to generate a
non-existent memory address. If it does, then the processor shall try to access the same and read bogus data, or crash
• In 80386+ (and above) the segment attributes (base, limit, privilege etc) are programmable and no matter how privileged the code may be, it cannot access an area of memory unless that area is described to it.
89
Segment Descriptors• Describes a segment using 64-bits (0-63)
• Must be created for every segment
• Is created by the programmer
• Determines a segment’s base address (32-bits) (Bits 16-39, 56-63)
• Determines a segment’s size (20-bits) (Bits 0-15, 48-51)
90
Segment Descriptors (Cont’d)• Defines whether a segment is a system
segment (=0) or non-system (=1) (code, data or stack) segment (System bit) (Bit 44)
• Determines a segment’s use/type (3-bits) (Bits 41-43) after the above classification
• Determines a segment’s privilege level (2 bits) (Bits 45-46) – DPL (Descriptor Privilege Level) Bits
91
Segment Descriptor (Cont’d)
• Accessed (A)-bit: Bit 40, automatically set and not cleared by the processor when a memory reference is made to the segment described by this descriptor.
• Present (P)-bit: Bit 47, indicates whether the segment described by this descriptor is currently available in physical memory or not.
• Bits 40-47 of the descriptor is called the Access Right Byte of the descriptor.
• User (U)-bit and X bit: Bit 52 (U-bit) not used and Bit 53 (X-bit) reserved by Intel
92
Segment Descriptor (Cont’d)• Default size (D)-bit: Bit 54, when this bit is
cleared, operands contained within this segment are assumed to be 16 bits in size. When it is set, operands are assumed to be 32-bits.
• Granularity (G)-bit: Bit 55, when this bit is cleared the 20-bit limit field is assumed to be measured in units of 1byte. If it is set, the limit field is in units of 4096 bytes.
93
Types of non-system segment descriptors
• System bit S = 1– 000 – Data, Read only– 001 – Data, Read/Write– 010 – expand down, Read only– 011 – expand down, Read/Write– 100 – Code, Execute only – 101 – Code, Execute/Read– 110 – Conforming Code, Execute only– 111 - Conforming Code, Execute/Read
94
Descriptor Tables• Descriptors are stored in three tables:
– Global descriptor table (GDT)• Maintains a list of most segments• May contain special “system” descriptors• The first descriptor is a null descriptor
– Interrupt descriptor table (IDT)• Maintains a list of interrupt service routines
– Local descriptor table (LDT)• Is optional• Extends range of GDT• Is allocated to each task when multitasking is enabled• The first descriptor is a null descriptor
95
Locations of the tables• In Memory• Pointed out by GDTR, LDTR and IDTR for the
GDT, LDT and IDT respectively.• The GDTR and IDTR are 48-bits in length, the
first 16-bits (least significant) storing the size (limit) of the table and the remaining storing a 32-bit address pointing to the base of the tables
• Limit = (no. of descriptors * 8) - 1• LLDT stores a 16-bit selector pointing to an entry
in the GDT.
96
Segment Selectors• Out of several segments described in your GDT and
LDT, which of the segment(s) that are currently being used are pointed to by the 16-bit CS,DS,ES,FS,GS and SS registers.
• Each store a selector• Since descriptors are at 8-byte boundaries, the 16-bit
selectors store the first most significant 13 bits to point to the corresponding descriptor.
• The bit 2 is the T1 bit, which when 0 (1) implies the selector is pointing to a descriptor in GDT (LDT).
• The bits (0-1) – are the Request Privilege Level (RPL) bits used for privilege assignments.
97
Loading Segment Selectors into segment registers
• Whenever segment registers are loaded, the following rules are checked by the processor and if violated an exception is raised thus giving high degree of memory protection
• Rule 1: Index field of the selector within limits of the GDT/LDT to be accessed – else raise a General Protection Fault exception.
98
Loading Segment Selectors into segment registers
• Rule 2: Loading a selector into DS,ES,FS or GS that points to a non-readable segment results in an exception
• Rule 3: For loading into SS, the segment pointed to should be readable and writable
• Rule 4: For loading into CS, the segment should be executable type
• Rule 5: Privilege level check rules to be described later
99
Loading segment selectors• All segment registers except CS may be
loaded using MOV, LDS, LES, LFS, LGS and LSS.
• The CS is loaded using a JMP or a CALL instruction – discussed later
100
Local Descriptor Table• Is defined by a system descriptor (S=0) in
GDT which is pointed to by the LDT.
Limit
15-0
Base Address
23-0
0000010PLimit
19-16
0000Base
Address
31-24
The 64-bit descriptor in GDT
101
Privilege levels• The need is to prevent
– Users from interfering with one another– Users from examining secure data– Program bugs from damaging other programs– Program bugs from damaging data– Malicious attempts to compromise system
integrity– Accidental damage to data
102
Privilege Protection• Continuous checking by the processor on
whether the application is privileged enough to– Type 1: Execute certain instructions– Type 2: Reference data other than its own– Type 3: Transfer control to code other than its own
• To manage this every segment has a privilege level called the DPL (Descriptor Privilege Level) Bits 45,46
103
Descriptor Privilege Level• Privilege levels apply to entire segments
• The privilege level is defined in the segment descriptor
• The privilege level of the code segment determines the Current Privilege Level (CPL)
104
Type 1: Privilege Checking• Privileged Instructions
1. Segmentation and Protection Based (HLT, CLTS, LGDT, LIDT, LLDT, LTR, moving data to Control, Debug and Test registers)
2. Interrupt flag based (CLI, STI, IN, INS, OUT, OUTS)3. Peripheral IO based
First two types of privileged instructions can be executed only when CPL = 0, that is, these instructions can be in code segment with DPL = 0.
105
I/O instructions• The I/O based privileged instructions are
executed only if CPL <= IOPL in EFLAGS register.
• To add to the security the POPF/POPFD instructions which load values into the EFLAGS shall not touch the IOPL bit or IF bit if CPL > 0.
106
Type 2: Privilege Checking• Reference data other than its own• Load a selector into a DS, ES, FS and GS iff
max(RPL,CPL) <= DPL– RPL may weaken your privilege level– Decreasing RPL will not strengthen your privilege
level – Why?– Why to decrease RPL – will discuss later
• Load a descriptor into a stack iff DPL = CPL• All these are in addition to the rules for loading segment
selector, that were stated in Slides 87 and 88.
107
Type 3: Privilege Checking• Transfer control to code other than its
own. Essentially load a new selector into CS register
• jmp across code segments with same DPL– jmp <selector>:<offset of instruction from
start of the new segment>– call <selector>:<offset of instruction from start
of the new segment>
108
Type 3: Privilege Checking• The above jmp, call and ret may be used
• To move between code segments provided the destination segment is– A code segment (executable permission)– Defined with the same privilege level– Marked present
109
Changing Privilege levels• Control transfer from a code of some PL to
another code with some other different PL.• Using conforming code segments or a special
segment descriptor called call gates.• Conforming code segments confirms with the
privilege level of the calling code. So if a control transfer happens from segment S to a confirming segment T, the privilege of T would be the privilege of S.
110
Conforming Code Segment• The DPL of conforming code segment descriptor
<= CPL of invoking code.• Therefore, CPL = 2 can invoke DPL = 1.• CPL = 2 cannot invoke code with DPL = 3.• Why?
– If not, you JMP back or RET to the source code segment after executing the conforming code segment. This should permit return from a numerically low privilege code to a numerically high privilege code, without check.
111
CALL GATE descriptor• Is defined by a system descriptor (S=0) in
GDT which is used by the JMP or CALL.
Destination Offset
15-0
Destination Selector (16 bits)
WC00001100P, DPLDestination offset
31-16
The 64-bit descriptor in GDT
•Not only the selector for the target code segment, but also the offset in the code segment from which you should start executing is specified. The source code segment can only use it like a black-box
112
Calling Higher privileged code
SEGCALL OFFSETSEGCALL OFFSET
Correct Incorrect
Gate – Sel + offset
Code Desc
Code Seg Code Seg
Code Desc
113
Call Gates• Are defined like segment descriptors
• Occupy a slot in the descriptor tables
• Provide the only means to alter the current privilege level
• Define entry points to other privilege levels
• Must be invoked using a CALL Instruction
114
Call Gate accessibility• Target DPL <= Max (RPL, CPL) <= Gate
DPL
• For eg. CPL = 2 and the target PL = 0, you should use a Gate with PL = 2 or 3
115
Privilege levels and Stacks• The stack PL = CPL always• When changing the CPL, the processor
automatically changes the stack!!!• How – using the Task State Segment (TSS)• The base of the TSS is stored in a Task register
(TR) which is updated by the privileged instruction LTR
• The TSS associates a stack for each code for each of the privilege levels 0, 1 and 2
116
Task Switching process
117
118
• 80286 and above contain program-invisible registers to control and operate protected memory. – and other features of the microprocessor
119
2–4 MEMORY PAGING • The memory paging mechanism allows any
physical memory location to be assigned to any linear address.
• Iinear address is defined as the address generated by a program.
• Physical address is the actual memory location accessed by a program.
• With memory paging, the linear address is invisibly translated to any physical address.
120
Paging Registers • The paging unit is controlled by the contents
of the microprocessor’s control registers.
• Beginning with Pentium, an additional control register labeled CR4 controls extensions to the basic architecture.
• See Figure 2–11 for the contents of control registers CR0 through CR4.
121
Figure 2–11 The control register structure of the microprocessor.
122
• The linear address, as generated by software, is broken into three sections that are used to access the page directory entry, page table entry, and memory page offset address.
• Figure 2–12 shows the linear address and its makeup for paging.
• When the program accesses a location between 00000000H and 00000FFFH, the microprocessor physically addresses location 00100000H–00100FFFH.
123
Figure 2–12 The format for the linear address (a) and a page directory or page table entry (b).
124
• Intel has incorporated a special type of cache called TLB (translation look-aside buffer). – because repaging a 4K-byte section of memory
requires access to the page directory and a page table, both located in memory
• The 80486 cache holds the 32 most recent page translation addresses. – if the same area of memory is accessed, the
address is already present in the TLB – This speeds program execution
• Pentium contains separate TLBs for each of their instruction and data caches.
125
The Page Directory and Page Table • Only one page directory in the system.
• The page directory contains 1024 doubleword addresses that locate up to 1024 page tables.
• Page directory and each page table are 4K bytes in length.
• Figure 2–13 shows the page directory, a few page tables, and some memory pages.
126
Figure 2–13 The paging mechanism in the 80386 through Core2 microprocessors.
127
• DOS and EMM386.EXE use page tables to redefine memory between locations C8000H–EFFFFH as upper memory blocks. – done by repaging extended memory to backfill
conventional memory system to allow DOS access to additional memory
• Each entry in the page directory corresponds to 4M bytes of physical memory.
• Each entry in the page table repages 4K bytes of physical memory.
• Windows also repages the memory system.
128
Figure 2–14 The page directory, page table 0, and two memory pages. Note how the address of page 000C8000–000C9000 has been moved to 00110000–
00110FFF.
129
2–5 Flat Mode Memory • A flat mode memory system is one in which there
is no segmentation. – does not use a segment register to address a location
in the memory
• First byte address is at 00 0000 0000H; the last location is at FF FFFF FFFFH. – address is 40-bits
• The segment register still selects the privilege level of the software.
130
• Real mode system is not available if the processor operates in the 64-bit mode.
• Protection and paging are allowed in the 64-bit mode.
• The CS register is still used in the protected mode operation in the 64-bit mode.
• Most programs today are operated in the IA32 compatible mode.– current software operates properly, but this will
change in a few years as memory becomeslarger and most people have 64-bit computers
131
Figure 2–15 The 64-bit flat mode memory model.
132
SUMMARY• The programming model of the 8086
through 80286 contains 8- and 16-bit registers.
• The programming model of the 80386 and above contains 8-, 16-, and 32-bit extended registers as well as two additional 16-bit segment registers: FS and GS.
133
SUMMARY• 8-bit registers are AH, AL, BH, BL, CH, CL,
DH, and DL.
• 16-bit registers are AX, BX, CX, DX, SP, BP, DI, and SI.
• The segment registers are CS, DS, ES, SS, FS, and GS.
• 32-bit extended registers are EAX, EBX, ECX, EDX, ESP, EBP, EDI, and ESI.
(cont.)
134
SUMMARY• The 64-bit registers in a Pentium 4 with 64-
bit extensions are RAX, RBX, RCX, RDX, RSP, RBP, RDI, RSI, and R8 through R15.
• In addition, the microprocessor contains an instruction pointer (IP/EIP/RIP) and flag register (FLAGS, EFLAGS, or RFLAGS).
• All real mode memory addresses are a combination of a segment address plus an offset address.
(cont.)
135
SUMMARY• The starting location of a segment is
defined by the 16-bit number in the segment register that is appended with a hexadecimal zero at its rightmost end.
• The offset address is a 16-bit number added to the 20-bit seg-ment address to form the real mode memory address.
• All instructions (code) are accessed by the combination of CS (segment ad-dress) plus IP or EIP (offset address).
(cont.)
136
SUMMARY• Data are normally referenced through a
combination of the DS (data segment) and either an offset address or the contents of a register that contains the offset address.
• The 8086-Core2 use BX, DI, and SI as default offset registers for data if 16-bit registers are selected.
• The 80386 and above can use the 32-bit registers EAX, EBX, ECX, EDX, EDI, and ESI as default offset registers for data.
(cont.)
137
SUMMARY• Protected mode operation allows memory
above the first 1M byte to be accessed by the 80286 through the Core2 microprocessors.
• This extended memory system (XMS) is accessed via a segment address plus an offset address, just as in the real mode.
• In the protected mode, the segment starting address is stored in a descriptor that is selected by the segment register.
(cont.)
138
SUMMARY• A protected mode descriptor contains a
base address, limit, and access rights byte.
• The base address locates the starting address of the memory segment; the limit defines the last location of the segment.
• The access rights byte defines how the memory segment is accessed via a program.
(cont.)
139
SUMMARY• The 80286 microprocessor allows a
memory segment to start at any of its 16M bytes of memory using a 24-bit base address.
• The 80386 and above allow a memory segment to begin at any of its 4G bytes of memory using a 32-bit base address.
• This allows an 80286 memory segment limit of 64K bytes, and an 80386 and above mem-ory segment limit of either 1M bytes.
(cont.)
140
SUMMARY• The segment register contains three fields
of information in the protected mode.
• The leftmost 13 bits of the segment register address one of 8192 descriptors from a descriptor table.
• The program-invisible registers are used by the 80286 and above to access the descriptor tables.
(cont.)
141
SUMMARY• Each segment register contains a cache
portion that is used in protected mode to hold the base address, limit, and access rights acquired from a descriptor.
• The cache allows the microprocessor to access the memory segment without again referring to the descriptor table until the segment register's contents are changed.
(cont.)
142
SUMMARY• A memory page is 4K bytes in length. The
linear address, as generated by a program, can be mapped to any physical address through the paging mechanism found within the 80386 through the Pentium 4.
• Memory paging is accomplished through control registers CR0 and CR3.
• The PG bit of CR0 enables paging, and the contents of CR3 addresses the page directory.
(cont.)
143
SUMMARY• The page directory contains up to 1024
page table addresses that are used to access paging tables.
• The page table contains 1024 entries that locate the physical address of a 4K-byte memory page.
• The TLB (translation look-aside buffer) caches the 32 most recent page table translations.
(cont.)
144
SUMMARY• The flat mode memory contains 1T byte of
memory using a 40-bit address.
• In the future, Intel plans to increase the address width to 52 bits to access 4P bytes of memory.
• The flat mode is only available in the Pentium 4 and Core2 that have their 64-bit extensions enabled.
145
146
MicroprocessorsCSE – 341EEE – 365
\\server2\tsr\Spring\CSE\CSE341
http://groups.google.com/group/bucse341
http://faculty.bracu.ac.bd/~faruqe/[email protected]
147
Flags
NT (nested task) – The nested task flag is used to indicated that the current task is nested within another task in protected mode operation. This flag is when the task I nested by software.
148
Flags
RF(resume) – The resume flag is used with debugging to control the resumption of execution after the next instruction.
VM (virtual mode) – The VM flag bit selects virtual mode operation in a protected mode system. A virtual mode system allows multiple DOS memory partitions that are 1M byte in length to coexist in the memory system. Essentially, this allows the system program to execute multiple DOS programs.
149
Flags
AC (alignment check) – This flag is activates if a word or a double work is addressed on a non-word or non-double word boundary. Only the 80486SX microprocessor contains the alignment check bit that is primarily used by its companion numeric coprocessor, the 80487SX, for synchronization.
VIF (Virtual Interrupt flag) – The VIF is a copy of the interrupt flag bit available to the Pentium – P4 microprocessor. This is used in multitasking environments to provide the operating system with virtual interrupt flags and interrupt pending information.
150
Flags
ID (identification) – The ID flag indicated that the Pentium-P4 microprocessors support CPUID instruction. The CPU ID instruction provides the systems with information about the Pentium microprocessor, about as its version number and the manufacturer.
151
Segment Register
CS (Code) – The code segment is a section of memory that holds the code used by the microprocessor. The code segment registers defines the starting address of the section of memory holding code.
In read mode operation, it defines the start of the 64K-byte section of the memory in protected mode, it selects a description that describes the starting address and length of a section of memory holding code.
The code segment is limited to 64K bytes in the 8088-80268 and 4 GB in the 80386 and above when these microprocessors operate in the protected mode.
152
DS (Data) – The data section contains most data used by a program. Data are accessed in the data segment by an offset address of the contests of other registers that hold the offset address.
ES (extra) – The extra segment is used to hold information about string transfer and manipulation
SS (Stack) – The stack segment defines the area of memory used for the stack. The stack entry point is determined by the stack segment and stack pointer registers. The BP registers also addresses data within the stack segment.
FS and GS – These are supplement segment registers available in the 80386 and above microprocessors to allow two additional memory segments for access by programs.
153
Real Mode Memory Addressing
80286 and above operate in either the read or protected mode. Only the 8086 and 8088 operate exclusively in the real mode.
Real mode operation allows the microprocessor to address only the first 1Mbyte of memory space called either real memory or conventional memory.
Even if P4 is running in real mode it can address only 1Mbyte.
This real mode feature is partially responsible for the success of the Intel family of microprocessors.
Code written for 80868088 is upward compatible and will work on 80286 and others without any upgrades.
154
Segment and Offsets
Combination of a segment address and an offset address access a memory location in the real mode.
The segment address located within one segment register defines the beginning address of any 64K-byte memory segment.
The offset address is also held in a register and selects any location within the 64K byte memory segment.
155
FFFFF
1FFFF
1F000
10000
00000
1000
Segment Register
Offset = F000
Offset is also sometimes referred to as displacement
156
The segment register in the previous example contained 1000H yet it addresses a segment starting at location 10000H.
In real mode ever value in the segment register is appended with a 0H on its rightmost end.
Because of the append, real mode segments can begin only at 16-byte boundary in the memory system.This 16-byte boundary is called a paragraph.
Also because we know hat in real mode segment of memory is 60K in length, the ending address is found by adding FFFFH.
157
What is the ending address of the segment, whose address is defined as 3000H in the segment register?
A segment with segment address of 1000H and offset address of 2000H may also be written as 1000:2000.
What is the actual memory location for 1200:300?
In 80286 (with special circuitry) and the 80386 through P4 an extra 64K minus 16 bytes is addressable when the segment address is FFFFH and the HIMEM>SYS driver is installed in the system. This extra area 0FFFF0H – 10FFEFH is referred to as high memory.
158
Some addressing modes combine more than one register and an offset value to form an offset address.
Find the actual memory location being pointed to if the segment address is given as 4000H and the two offset registers hold offset values F000H and 3000H.
159
Default Segment and Offset Registers
There are some default segment and settings that are used.
For example CS:IP or CS:EIP is used to find the location of the instruction the microprocessor fetches to be executed next.
If code segment register contains the value 1400H and EIP contains 00001200H. What is the actual physical location of the next instruction.?
160
Default Segment and Offset Registers
Another default combination is implemented by the Stack.
Stack uses the SS (Stack Segment) to give the base address and then the offset is defined by the SP (Stack pointer) or BP(Base Pointer)
Stack uses the SS (Stack Segment) to give the base address and then the offset is defined by the SP (Stack pointer) or BP(Base Pointer)NOTE: In real mode only rightmost 16 bits of the extended register address a location within the memory segment. Placing a number larger than FFFFH into an offset register while in real mode causes the system to halt and indicate an addressing error.
161
Segmentation
Remember that 8086-80286 microprocessors allow four memory segments and 80386 and above allow six memory segments.
Memory segments can touch or even overlap if 64K bytes of memory are not required for a segment.
Think of a segment as a windows that can be moved over any area of the memory to access data or code within that area.
162
GENERAL SEGMENTATION EXAMPLE: PAGE 60
OVERLAPPING EXAMPLE PAGE 61
Segment and offset addressing scheme seems complicated. But, it has its advantages.
What could be its advantage ?
163
Relocate-able programs:
A program that can be places into any area of memory and executed without changing.
Relocate-able data:
Data that can be moved to any part of the memory and can still be used without making changes to the program that use such data.
This is ideal for use in general-purpose computer system in which not all machines contain the same memory areas.
The structure of the personal computer memory structure is different form machine to machine requiring relocate able software and data.
164
Is this enough for today ?
165
166
MicroprocessorsCSE - 341
167
Protected Mode Memory Addressing
Remember using real mode addressing we were previously able to address 1M Byte of memory.
Using Protected Mode memory addressing locations above the 1M byte boundary can be addressed.
The Protected Memory scheme still uses base address and index address to calculate actual memory locations but, this is done in a different way from what we had done previously.
168
The offset address is still used as previously, to find the memory location within the segment that we are interested in.
The use of the base or the segment address has changed a bit.
The segment register now contains a selector rather than the “actual” base address of the segment.
An additional table called a descriptor table uses the selector as an index to provide additional information known as descriptor.
The descriptor describes:
• location
•Length
•Access rights
For the segment of interest.
169
The actual instructions used for both real mode memory access and protected mode memory access may remain the same.
This is because again the value stored in the segment register and the index register are used to obtain the actual memory location.
The difference in the two modes comes the from way the microprocessor interprets the data present in the two registers to perform the memory location calculations.
Another difference is that the offset address can be a 32-bit number instead of a 16 bit number in the protected mode. A 32 bit offset address allows the microprocessor to access data within a segment that can be 4G bytes in length.
170
There are two descriptor tables. Global Descriptor table and local descriptor table.
Each table contains 8192 descriptors.
Global descriptors contain segment definitions that apply to all programs. – System Descriptor.
Local Descriptors provide information that are unique to an application. – Application Descriptor.
Because each table contains 8192 descriptors, there are a total of 16384 descriptors available to any application.
This also now means that up to 16384 memory segments could be described to be used by each application.
171
Why do you think we have only 8192 descriptors and not 64K ?
80286 Descriptor
00000000 00000000
Access Rights
Base (B23-B16)
Base (B15 – B0)
Limit (L15 –L0)
80386 through P4 Descriptor
Base
(B31-B24)
G D 0 A
V
Limit
(L19-L16)
Access Rights
Base (B23-B16)
Base (B15 – B0)
Limit (L15 –L0)
172
Base Address – Starting location of the memory segment.
80826 has 24 bits allocated to storing the base address.
16 MB Memory locations.
80386 and above use 32 bits for storing the base address.
4GB of memory locations.
80286 is Upward computable because its MSB above the 24 bits are 0000
173
AV – Available
AV =1 – Available
AV =0 – Not Available.
D = Data access
D = 1 – The instructions are in 32bits and the registers are 32 bits.
D = 0 – The instructions are 16 bit instructions compatible with 8086-80286
174
Access Rights bytes- Control access to protected mode memory segment. This byte describes how the segment functions in the system.
7 6 5 4 3 2 1 0
P DPL S E ED/C R/W A
A = 0 – Segment Not AccessedA =1 – Segment has been accessed
E = 0 Descriptor describes data segmentED = 0 Segment expands upwards ED =1 Segment expands downward W = 0 Data may not be writtenW =1 Data may be written
175
E = 1 Descriptor describes code segmentC =0 Ignore descriptor privilege levelC =1 Abide by privilege levelR=0 Code segment may not be readR =1 Code segment may be read
S =0 System descriptorS =1 Code or data segment descriptor
DLP = sets the descriptor privilege level ( 00 – 11)
P = 0 Descriptor is undefinedP =1 Segment contains a valid base and limit
176
Selector TI RPL
15 3 2 1 0
Selector – Selects one of the 8192 descriptors.
TI – Chooses either the global descriptor table or the local table.T1 = 0 – Global descriptor tableT1 =1 – Local descriptor table
RPL – Requested privilege level.
00 – highest11 - lowest
177
DS
0008
Descriptor 0Descriptor 1Descriptor 2Descriptor 3Descriptor 4Descriptor 5Descriptor 6Descriptor 7Descriptor 8Descriptor 9
Descriptor 10Descriptor 11
178
DS
0008
FF00000010
1460000
Data Segment
100000
1000FF
179
Note : Descriptor 0 is called null descriptor and may not be used for accessing memory.
Just like the stack the addresses of these descriptor tables have to be specified for the microprocessor.
For this purpose 80286 and above microprocessors contain program invisible registers.
These registers are not directly addressed by software and hence are given this name.
These registers are used to control the microprocessor when operating in protected mode.
180
CS
DS
ES
SS
FS
GS
Segment Registers Descriptor Cache
Base Address Limit Access
TR
LDTR
Base Address Limit Access
Descriptor Table addresses
GDTR Base Address Limit
IDTR
181
The program invisible parts are known as CACHE.
DO NOT confuse with cache memory L1 and L2.
Once a code segment is loaded with the base address of the segment the descriptor cache is loaded with the details.
The details are not changed until the value in the code segment register is updated. This increases efficiency as the values in the cache descriptor can be reused.
Hence, the term cache is used for the invisible registers.
182
GDTR – Global descriptor table register.
The base address of the descriptor table and its limit. The limit of each descriptor table is 16 bits because the maximum length of the table is 64K bytes.
When protected mode operation in desired the values are loaded in the GDTR .
IDTR – Interrupt descriptor table register.
The base address of the descriptor table and its limit. The limit of each descriptor table is 16 bits because the maximum length of the table is 64K bytes.
When protected mode operation in desired the values of the IDTR must also be initialized. We will deal with this later.
183
LDTR – Local descriptor table register.
The LDTR does not hold the direct address of the local descriptor table. Instead it hold a selector just as the segment registers.
The selector selects a descriptor in the global address table which points to the location of the local descriptor table. The base address of the LDT is then loaded in the LDTR.
TR – Task Register
Holds a selector which access a descriptor that defines a task. Task can be procedure or application program. The descriptor for the task is stored in the GDT so access can be controlled. Task register allows fast context switching helping in tasks that are often used or in multi-programming.