1

80186• 80186 contains 8086 processor and

several additional functional chips:– clock generator– 2 independent DMA channels– PIC– 3 programmable 16-bit timers

• more a microcontroller than a microprocessor

• used mostly in industrial control applications

2

80286INTRODUCTION

3

Salient features of 80286

• High performance microprocessor with memory management and protection

– 80286 is the first member of the family of advanced microprocessors with built-in/on-chip memory management and protection abilities primarily designed for multi-user/multitasking systems

• Available in 12.5MHz, 10MHz & 8MHz clock frequencies

4

Salient features of 80286 bus and memory sizes cont…

Microprocessor Data bus width

Address bus width

Memory size

8086 16 20 1M

80186 16 20 1M

80286 16 24 16M

The 80286 CPU, with its 24-bit address bus is able to address 16MB of physical memory.

1GB of virtual memory for each task

5

Salient features of 80286 Operating ModesIntel 80286 has 2 operating modes: Real Address Mode :

80286 is just a fast 8086 --- up to 6 times faster

All memory management and protection mechanisms are disabled

286 is object code compatible with 8086 Protected Virtual Address Mode

80286 works with all of its memory management and protection capabilities with the advanced instruction set.

it is source code compatible with 8086

6

Salient features of 80286 cont…

286 includes special instructions to support operating system.for example, one instruction can

i) ends the current taskii) save its statesiii) switch to a new task iv) load its states andv) begin executing the new

task housed in 68-pin package

7

80286 INTERNAL ARCHITECTURE

8

8086

EU

BIU

EU

BIU

802868085

IU

AU

9

10

Functional Parts

1. Bus Interface unit

2. Instruction unit

3. Execution unit

4. Address unit

11

Bus Interface Unit• Performs all memory and I/O read and

write operations.• Take care of communication between

CPU and a coprocessor.• Transmit the physical address over

address bus A0 – A23.

• Prefetcher module in the bus unit performs this task of prefetching.

• Bus controller controls the prefetcher module.

• Fetched instructions are arranged in a 6 – byte prefetch queue.

12

Instruction Unit

• Receive arranged instructions from 6 byte prefetch queue.

•

• Instruction decoder decodes up to 3 prefetched instruction and are latched them onto a decoded instruction queue.

•

• Output of the decoding circuit drives a control circuit in the Execution unit.

13

Execution unit

• EU executes the instructions received from the decoded instruction queue sequentially.

• Contains Register Bank.• contains one additional special register called

Machine status word (MSW) register --- lower 4 bits are only used.

• ALU is the heart of execution unit.

• After execution ALU sends the result either over data bus or back to the register bank.

14

• Calculate the physical addresses of the instruction and data that the CPU want to access

• Address lines derived by this unit may be used to address different peripherals.

• Physical address computed by the address unit is handed over to the BUS unit.

Address Unit

15

Register organization of 80286

• The 80286 CPU contains the same set of registers, as in 8086.

– Eight 16-bit general purpose registers.

– Four 16 bit segment registers.

– One Flag register.

– One Instruction pointer.

plus– one new 16-bit machine status word (MSW)

register

16

17

Flag Register

New to 286

18

IOPL – Input Output Privilege Level flags (bit D12 and D13)– IOPL is used in protected mode operation

to select the privilege level for I/O devices. IF the current privilege level is higher or more trusted than the IOPL, I/O executed without hindrance.

– If the IOPL is lover than the current privilege level, an interrupt occurs, causing execution to suspend.

– Note that IPOL 00 is the highest or more trusted; and IOPL 11 is the lowest or least trusted.

19

NT – Nested task flag (bit D14)– When set, it indicates that one system task

has invoked another through a CALL instruction as opposed to a JMP.

– For multitasking this can be manipulated to our advantage

20

Machine Status Word Register• Consist of four flags

– PE,

– MP,

– EM and

– TS

• LMSW & SMSW instruction are available in the instruction set of 80286 to write and read the MSW in real address mode.

are for the most part used to indicate whether a processor extension (co-processor) ispresent in the system or not

21

Machine Status Word...

22

PE - Protection enableProtection enable flag places the

80286 in protected mode, if set. this can only be cleared by resetting the CPU.

MP – Monitor processor extension flag allows WAIT instruction to

generate a processor extension.

23

EM – Emulate processor extension flag,if set , causes a processor extension

absent exception and permits the emulation of processor extension by CPU.

TS – Task switch if set, this flag indicates the next

instruction using extension will generate exception 7, permitting the CPU to test whether the current processor extension is for current task.

24

80286 signals• 68 pins are there, instead of 40 in 8086

• data and address bus are de-multiplexed

• mostly like 8086 with some differences

25

80286 signals...• some new signals are provided for

special jobs like connecting co-processor with 286– 4 pins are provided to interface 286 with a

co-processor– they are

• PEREQ [Processor Extension REQuest]• PEACK [Processor Extension ACKnowledge]• BUSY• ERROR

26

80286 signals...• PEREQ [Processor Extension REQuest]

– Input signal to µP– Asserted by co-processor to tell µP to

perform data transfer to or from memory for it

27

80286 signals...• PEACK [Processor Extension ACKnowledge]

– Output signal– Used to let the co-processor know that the data

transfer has started– Data transfer are done through µP so that the

co-processor can use the protection and virtual memory capability

28

80286 signals...• BUSY

– Input signal– Same as TEST of 8086– Enters in a WAIT loop till µP finds a high

from co-processor

29

80286 signals...• ERROR

– Input signal– If a co-processor finds some error during

processing, it will let µP know through this line

30

80286 Memory Organization

• Same as 8086

• Uses odd and even banks

31

Addressing Modes

• Same as 8086

32

INSTRUCTION SET

• Same as 8086 with some additional instructions

33

Additional Instructions of Intel 80286

Sl no

Instruction Purpose

1. CLTS Clear the task – switched bit

2. LDGT Load global descriptor table register

3. SGDT Store global descriptor table register

4. LIDT Load interrupt descriptor table register

5. SIDT Store interrupt descriptor table register

6. LLDT Load local descriptor table register

7. SLDT Store local descriptor table register

8. LMSW Load machine status register

9. SMSW Store machine status register

34

Sl no

Instruction Purpose

10. LAR Load access rights

11. LSL Load segment limit

12. SAR Store access right

13. ARPL Adjust requested privilege level

14. VERR Verify a read access

15. VERW Verify a write access

35

CLTS The clear task – switched flag instruction clears the TS

(Task - switched) flag bit to a logic 0.

LAR The load access rights Instruction reads the segment

descriptor and place a copy of the access rights byte into a 16 bit register.

LSL The load segment limit instruction Loads a user –

specified register with the segment limit.

36

VERRThe verify for read access instruction verifies that a

segment can de read.

VERWThe verify for write access instruction is used to verify

that a segment can be written.

ARPLThe Adjust request privilege level instruction is used to

test a selector so that the privilege level of the requested selector is not violated.

37

INTERRUPT• Same as 8086 but defines more

dedicated/internal interrupts– Uses from type 5 to type 13 and type 16

38

39

THAT’S ALL FOR TODAY

40

80286 Memory Addressing

Memory management is supported by a hardware unit called Memory management unit.

Intel’s 80286 is the first CPU to incorporate the Integrated memory management unit.

41

80286 Memory Addressing

Function of memory management unit :1. To ensure smooth execution of the program by

SWAPPING IN data from secondary memory to physical memory

SWAPPING OUT data from physical memory to secondary memory

2. Important aspect of memory management is Data Protection or unauthorized access prevention done with the help of segmented memory

42

REAL MODE MEMORY ADDRESSING

• 80286 operates in either the

– real or

– protected mode.

• Real mode operation allows addressing of only the first 1M byte of memory space—even in Pentium 4 or Core2 microprocessor.

– the first 1M byte of memory is called the real memory, conventional memory, or DOS memory system

43

Segments and Offsets

• All real mode memory addresses must consist of a segment address plus an offset address.

– segment address defines the beginning address of any 64K-byte memory segment

– offset address selects any location within the 64K byte memory segment

44

PROTECTED MODE MEMORY ADDRESSING

• Allows access to data and programs located within & above the first 1M byte of memory.

• Protected mode is where Windows operates.

• In place of a segment address, the segment register contains a selector that selects a descriptor from a descriptor table.

• The descriptor describes the memory segment’s location, length, and access rights.

45

Selectors and Descriptors

• The descriptor is located in the segment register & describes the location, length, and access rights of the segment of memory. – it selects one of 8192 descriptors from one

of two tables of descriptors• In protected mode, this segment number can

address any memory location in the systemfor the code segment.

• Indirectly, the register still selects a memory segment, but not directly as in real mode.

46

• Global descriptors contain segment definitions that apply to all programs.

• Local descriptors are usually unique to an application. – a global descriptor might be called a system

descriptor, and local descriptor an application descriptor

• Following slide shows the format of a descriptor for the 80286 – each descriptor is 8 bytes in length– global and local descriptor tables are a

maximum of 64K bytes in length

47

The 80286 descriptors

48

• The base address of the descriptor indicates the starting location of the memory segment.– the paragraph boundary limitation is removed in

protected mode– segments may begin at any address

• The G, or granularity bit allows a segment length of 4K to 4G bytes in steps of 4K bytes. – 32-bit offset address allows segment lengths of

4G bytes– 16-bit offset address allows segment lengths of

64K bytes.

49

• Operating systems operate in a 16- or 32-bit environment.

• DOS uses a 16-bit environment.

• Most Windows applications use a 32-bit environment called WIN32.

• MSDOS/PCDOS & Windows 3.1 operating systems require 16-bit instruction mode.

• Instruction mode is accessible only in a protected mode system such as Windows Vista.

50

• The access rights byte controls access to the protected mode segment. – describes segment function in the system and

allows complete control over the segment– if the segment is a data segment, the direction of

growth is specified

• If the segment grows beyond its limit, the operating system is interrupted, indicatinga general protection fault.

• You can specify whether a data segmentcan be written or is write-protected.

51

Figure 2–7  The access rights byte for the 80286 through Core2 descriptor.

52

• Descriptors are chosen from the descriptor table by the segment register. – register contains a 13-bit selector field, a table

selector bit, and requested privilege level field

• The TI bit selects either the global or the local descriptor table.

• Requested Privilege Level (RPL) requests the access privilege level of a memory segment. – If privilege levels are violated, system normally

indicates an application or privilege level violation

53

Figure 2–8  The contents of a segment register during protected mode operation of the 80286 through Core2 microprocessors.

54

• Figure 2–9 shows how the segment register, containing a selector, chooses a descriptor from the global descriptor table.

• The entry in the global descriptor table selects a segment in the memory system.

• Descriptor zero is called the null descriptor, must contain all zeros, and may not be used for accessing memory.

55

Figure 2–9  Using the DS register to select a description from the global descriptor table. In this example, the DS register accesses memory locations

00100000H–001000FFH as a data segment.

56

Program-Invisible Registers • Global and local descriptor tables are found

in the memory system.• To access & specify the table addresses,

80286–Core2 contain program-invisible registers. – not directly addressed by software

• Each segment register contains a program-invisible portion used in the protected mode. – often called cache memory because cache is

any memory that stores information

57

Figure 2–10  The program-invisible register within the 80286–Core2 microprocessors.

58

• When a new segment number is placed in a segment register, the microprocessor accesses a descriptor table and loads the descriptor into the program-invisible portion of the segment register. – held there and used to access the memory

segment until the segment number is changed

• This allows the microprocessor to repeatedly access a memory segment without referring to the descriptor table.– hence the term cache

59

• The GDTR (global descriptor table register) and IDTR (interrupt descriptor table register) contain the base address of the descriptor table and its limit. – when protected mode operation desired, address

of the global descriptor table and its limit are loaded into the GDTR

• The location of the local descriptor table is selected from the global descriptor table. – one of the global descriptors is set up to

address the local descriptor table

60

• To access the local descriptor table, the LDTR (local descriptor table register) is loaded with a selector. – selector accesses global descriptor table, & loads

local descriptor table address, limit, & access rights into the cache portion of the LDTR

• The TR (task register) holds a selector, which accesses a descriptor that defines a task. – a task is most often a procedure or application

• Allows multitasking systems to switch tasksto another in a simple and orderly fashion.

61

62

Protected Mode

• Memory Segmentation and Privilege Levels• Definition of a segment• Segment selectors • Local Descriptor Tables• Segment Aliasing, Overlapping• Privilege protection• Defining Privilege Levels• Changing Privilege levels

63

Protected Mode Registers• LDTR – Local Descriptor Table Register –

16 bits

• GDTR – Global Descriptor Table Register – 48 bits

• IDTR – Interrupt Descriptor Table Register – 48 bits

• TR – Task register – 16 bits

64

Protected Mode Addressing• mov [DS:1000], EAX• Let value of DS be 0x10. This is used to select

a segment descriptor in a descriptor table.• The segment descriptor contains information

about the base address of the segment, to which 1000 is added to get the effective address.

• The value stored in DS is called a selector.• Henceforth we discuss protected mode.

65

Protected Mode Addressing

SELECTOR OFFSET

Descriptor Table

Base Address

Linear Address

Logical Address

Segment Descriptor

66Intra and Inter process Protection

•A process always executes from Code segment. It should not execute by accessing from adjoining Data or stack area or any other code area too.

•A stack should not overgrow into adjoining segments

Every segment is specified a start address and limit.

Architecture checks if limit is not exceeded.

CS

ES

SS

500

1000

1500

2000

jmp CS:250 //This is finejmp CS:501 //This is a violation as limit is 500mov [ES:498], AX //This is finemov [ES:498], EAX //This is a violation!!!PUSH AX //Let SP be 498, it is finePUSH EAX //Let SP be 498, violationPOP AX //Let SP be 2, it is finePOP EAX //Let SP be 2, Violation!!!

67

Interprocess Protection

Process 1 CS

Process 1 DS

Process 2 CS

Process 2 SS

Process 2 DS

Process 1 SS

CS

DS

SS

Process 1 should be prevented from loading CS, such that it can access the code of Process 2

Similarly for the DS,SS, ES, FS and GS

Privilege levels: [0-3] assigned to each segment.

0: Highest privilege

3: Lowest privilege

68

Privilege levels and Protection• Every segment has an associated privilege level

and hence any code segment will have an associated privilege level.

• The CPL (Current Privilege Level) of a process is the privilege level of the code segment, the code stored in which, it is executing.

• A process can access segments that have privilege levels numerically greater than or equal to (less privileged than) its CPL.

69

Protection Implementation• Every segment is associated with a descriptor

stored in a descriptor table.• The privilege level of any segment is stored in its

descriptor.• The descriptor table is maintained in memory

and the starting location of the table is pointed to by a Descriptor Table Register (DTR).

• The segment register stores an offset into this table.

70

Structure of a Descriptor

71

Updating Segment registers

• Segment registers (DS, ES, SS, GS and FS) are updated by normal MOV instructions.– MOV AX, 0x10 ; MOV DS, AX

• The above command is successful if and only if the descriptor stored at the offset 0x10 in the descriptor table has a privilege level numerically greater than or equal to the CPL.

• A process with CPL = 3 cannot load the segment descriptor of CPL <= 2, and hence cannot access the segments.

72

Updating segment registers

• The code segment register is updated by normal jump/call operations.– jmp 0x20:0x1000– This updates the CS by 0x20, provided the

descriptor stored at offset 0x20 has a privilege level numerically greater than or equal to CPL

• Other modes of updating CS register– Numerically higher to lower Privilege Levels using

CALL gates – useful for system calls.– Any privilege level to any other privilege level

using task switch.

73

Descriptor Tables• There are two descriptor tables

– Global Descriptor Tables– Local Descriptor Tables

• The global descriptor table’s base address is stored in GDTR

• The local descriptor table’s base address is stored in LDTR

• The two privileged instructions LGDT and LLDT loads the GDTR and LDTR.

74

Structure of a Selector

Index T1

0215

T1 = 0 GDT

= 1 LDT

Since segment descriptors are each 8 bytes, the last three bits of the selector is zero, in which one of them is used for LDT/GDT access.

75

Two process each of PL = 3 should be allotted segments such that one should not access the segments of other.

GDTR GDT

All descriptors in GDT have

PL = 0,1,2

LDTRLDTR

Per process Per process

If at all each process should access memory, it has to use the descriptors in its LDTR only and it cannot change the LDTR/LDT/GDTR/GDT contents as they would be maintained in a higher privileged memory area.

76

Did You Note!!• There is an 100 % degradation in Memory

access time – because every memory access is two accesses now, one for getting the base address and another for actually accessing the data.

• A solution indeed: Along with the segment registers, keep a shadow registers which stores additional necessary information.

77

Base Address, Limit, DPL.

Segment selector

Visible part Hidden part

CS

SS

DS

ES

FS

GS

78

Be Careful

0x10 20

120

Descriptor Table

Base Address

Linear Address

Logical Address

Base = 100

Changing Base

Linear address will still be 120

Have to execute

mov DS,0x10 again to get the answer as 220, as this would update the hidden part

Base = 200

add [DS:20],eax

79

Virtual Memory and Paging• It is always enough if the next instruction

to be executed and the data needed to execute the same are available in the memory.

• The complete code and data segment need not be available.

• Use of paging to realize the stuff!• By using segmentation the processor

calculates an 32-bit effective address.

80

Task Switching• There are different types of descriptors in a

Descriptor table.• One of them is a task state segment descriptor.• jmp 0x10:<don’t’care> and that 0x10 points to a

TGD, then the current process context is saved and the new process pointed out by the task state segment descriptor is loaded.

• A perfect context switch.• TSS descriptor only in a GDT.

81

Task State Segment

82

Task Switching• Every process has an associated Task

State Segment, whose starting point is stored in the Task register.

• A task switch happens due to a jmp or call instruction whose segment selector points to a Task state segment descriptor, which in turn points to the base of a new task state segment

83

Task Switching process

84

Interrupt Handling

• Processor generates interrupts that index into a Interrupt Descriptor Table, whose base is stored in IDTR and loaded using the privileged instruction LIDT.

• The descriptors in IDT can be – Interrupt gate: ISR handled as a normal call

subroutine – uses the interrupted processor stack to save EIP,CS, (SS, ESP in case of stack switch – new stack got from TSS).

– Task gate: ISR handled as a task switch• Needed for stack fault in CPL = 0 and double faults.

85

Interrupt Handling

• Processor handles a total of 255 interrupts• 0-31 are used by machine or reserved• 32-255 are user definable• 0 – Divide error, goes to first descriptor in IDT• 1 – Debug• 8 – Double Fault• 12 – Stack Segment fault• 13 – General Protection Fault• 14 – Page Fault

86

Legacy Issues

• 16-bit code in 32-bit architecture• Address override prefix – 16-bit or 32-bit

addresses in a 32-bit or 16-bit code segment• Operand override prefix

– Same opcode for say, add EAX,EBX and add AX,BX

– Distinguished by the operand override prefix – 16-bit or 32-bit operands in a 32-bit ot 16-bit code segment

• D flag in the code segment descriptor tells the size of the code segment, which is used above.

87

x86 Memory Management

• To learn– Segmentation details– Privilege levels and switching

88

Memory Segmentation• Segment Descriptors

– 80886 to 80386+• In 8086, the program is not expected to generate a

non-existent memory address. If it does, then the processor shall try to access the same and read bogus data, or crash

• In 80386+ (and above) the segment attributes (base, limit, privilege etc) are programmable and no matter how privileged the code may be, it cannot access an area of memory unless that area is described to it.

89

Segment Descriptors• Describes a segment using 64-bits (0-63)

• Must be created for every segment

• Is created by the programmer

• Determines a segment’s base address (32-bits) (Bits 16-39, 56-63)

• Determines a segment’s size (20-bits) (Bits 0-15, 48-51)

90

Segment Descriptors (Cont’d)• Defines whether a segment is a system

segment (=0) or non-system (=1) (code, data or stack) segment (System bit) (Bit 44)

• Determines a segment’s use/type (3-bits) (Bits 41-43) after the above classification

• Determines a segment’s privilege level (2 bits) (Bits 45-46) – DPL (Descriptor Privilege Level) Bits

91

Segment Descriptor (Cont’d)

• Accessed (A)-bit: Bit 40, automatically set and not cleared by the processor when a memory reference is made to the segment described by this descriptor.

• Present (P)-bit: Bit 47, indicates whether the segment described by this descriptor is currently available in physical memory or not.

• Bits 40-47 of the descriptor is called the Access Right Byte of the descriptor.

• User (U)-bit and X bit: Bit 52 (U-bit) not used and Bit 53 (X-bit) reserved by Intel

92

Segment Descriptor (Cont’d)• Default size (D)-bit: Bit 54, when this bit is

cleared, operands contained within this segment are assumed to be 16 bits in size. When it is set, operands are assumed to be 32-bits.

• Granularity (G)-bit: Bit 55, when this bit is cleared the 20-bit limit field is assumed to be measured in units of 1byte. If it is set, the limit field is in units of 4096 bytes.

93

Types of non-system segment descriptors

• System bit S = 1– 000 – Data, Read only– 001 – Data, Read/Write– 010 – expand down, Read only– 011 – expand down, Read/Write– 100 – Code, Execute only – 101 – Code, Execute/Read– 110 – Conforming Code, Execute only– 111 - Conforming Code, Execute/Read

94

Descriptor Tables• Descriptors are stored in three tables:

– Global descriptor table (GDT)• Maintains a list of most segments• May contain special “system” descriptors• The first descriptor is a null descriptor

– Interrupt descriptor table (IDT)• Maintains a list of interrupt service routines

– Local descriptor table (LDT)• Is optional• Extends range of GDT• Is allocated to each task when multitasking is enabled• The first descriptor is a null descriptor

95

Locations of the tables• In Memory• Pointed out by GDTR, LDTR and IDTR for the

GDT, LDT and IDT respectively.• The GDTR and IDTR are 48-bits in length, the

first 16-bits (least significant) storing the size (limit) of the table and the remaining storing a 32-bit address pointing to the base of the tables

• Limit = (no. of descriptors * 8) - 1• LLDT stores a 16-bit selector pointing to an entry

in the GDT.

96

Segment Selectors• Out of several segments described in your GDT and

LDT, which of the segment(s) that are currently being used are pointed to by the 16-bit CS,DS,ES,FS,GS and SS registers.

• Each store a selector• Since descriptors are at 8-byte boundaries, the 16-bit

selectors store the first most significant 13 bits to point to the corresponding descriptor.

• The bit 2 is the T1 bit, which when 0 (1) implies the selector is pointing to a descriptor in GDT (LDT).

• The bits (0-1) – are the Request Privilege Level (RPL) bits used for privilege assignments.

97

Loading Segment Selectors into segment registers

• Whenever segment registers are loaded, the following rules are checked by the processor and if violated an exception is raised thus giving high degree of memory protection

• Rule 1: Index field of the selector within limits of the GDT/LDT to be accessed – else raise a General Protection Fault exception.

98

Loading Segment Selectors into segment registers

• Rule 2: Loading a selector into DS,ES,FS or GS that points to a non-readable segment results in an exception

• Rule 3: For loading into SS, the segment pointed to should be readable and writable

• Rule 4: For loading into CS, the segment should be executable type

• Rule 5: Privilege level check rules to be described later

99

Loading segment selectors• All segment registers except CS may be

loaded using MOV, LDS, LES, LFS, LGS and LSS.

• The CS is loaded using a JMP or a CALL instruction – discussed later

100

Local Descriptor Table• Is defined by a system descriptor (S=0) in

GDT which is pointed to by the LDT.

Limit

15-0

Base Address

23-0

0000010PLimit

19-16

0000Base

Address

31-24

The 64-bit descriptor in GDT

101

Privilege levels• The need is to prevent

– Users from interfering with one another– Users from examining secure data– Program bugs from damaging other programs– Program bugs from damaging data– Malicious attempts to compromise system

integrity– Accidental damage to data

102

Privilege Protection• Continuous checking by the processor on

whether the application is privileged enough to– Type 1: Execute certain instructions– Type 2: Reference data other than its own– Type 3: Transfer control to code other than its own

• To manage this every segment has a privilege level called the DPL (Descriptor Privilege Level) Bits 45,46

103

Descriptor Privilege Level• Privilege levels apply to entire segments

• The privilege level is defined in the segment descriptor

• The privilege level of the code segment determines the Current Privilege Level (CPL)

104

Type 1: Privilege Checking• Privileged Instructions

1. Segmentation and Protection Based (HLT, CLTS, LGDT, LIDT, LLDT, LTR, moving data to Control, Debug and Test registers)

2. Interrupt flag based (CLI, STI, IN, INS, OUT, OUTS)3. Peripheral IO based

First two types of privileged instructions can be executed only when CPL = 0, that is, these instructions can be in code segment with DPL = 0.

105

I/O instructions• The I/O based privileged instructions are

executed only if CPL <= IOPL in EFLAGS register.

• To add to the security the POPF/POPFD instructions which load values into the EFLAGS shall not touch the IOPL bit or IF bit if CPL > 0.

106

Type 2: Privilege Checking• Reference data other than its own• Load a selector into a DS, ES, FS and GS iff

max(RPL,CPL) <= DPL– RPL may weaken your privilege level– Decreasing RPL will not strengthen your privilege

level – Why?– Why to decrease RPL – will discuss later

• Load a descriptor into a stack iff DPL = CPL• All these are in addition to the rules for loading segment

selector, that were stated in Slides 87 and 88.

107

Type 3: Privilege Checking• Transfer control to code other than its

own. Essentially load a new selector into CS register

• jmp across code segments with same DPL– jmp <selector>:<offset of instruction from

start of the new segment>– call <selector>:<offset of instruction from start

of the new segment>

108

Type 3: Privilege Checking• The above jmp, call and ret may be used

• To move between code segments provided the destination segment is– A code segment (executable permission)– Defined with the same privilege level– Marked present

109

Changing Privilege levels• Control transfer from a code of some PL to

another code with some other different PL.• Using conforming code segments or a special

segment descriptor called call gates.• Conforming code segments confirms with the

privilege level of the calling code. So if a control transfer happens from segment S to a confirming segment T, the privilege of T would be the privilege of S.

110

Conforming Code Segment• The DPL of conforming code segment descriptor

<= CPL of invoking code.• Therefore, CPL = 2 can invoke DPL = 1.• CPL = 2 cannot invoke code with DPL = 3.• Why?

– If not, you JMP back or RET to the source code segment after executing the conforming code segment. This should permit return from a numerically low privilege code to a numerically high privilege code, without check.

111

CALL GATE descriptor• Is defined by a system descriptor (S=0) in

GDT which is used by the JMP or CALL.

Destination Offset

15-0

Destination Selector (16 bits)

WC00001100P, DPLDestination offset

31-16

The 64-bit descriptor in GDT

•Not only the selector for the target code segment, but also the offset in the code segment from which you should start executing is specified. The source code segment can only use it like a black-box

112

Calling Higher privileged code

SEGCALL OFFSETSEGCALL OFFSET

Correct Incorrect

Gate – Sel + offset

Code Desc

Code Seg Code Seg

Code Desc

113

Call Gates• Are defined like segment descriptors

• Occupy a slot in the descriptor tables

• Provide the only means to alter the current privilege level

• Define entry points to other privilege levels

• Must be invoked using a CALL Instruction

114

Call Gate accessibility• Target DPL <= Max (RPL, CPL) <= Gate

DPL

• For eg. CPL = 2 and the target PL = 0, you should use a Gate with PL = 2 or 3

115

Privilege levels and Stacks• The stack PL = CPL always• When changing the CPL, the processor

automatically changes the stack!!!• How – using the Task State Segment (TSS)• The base of the TSS is stored in a Task register

(TR) which is updated by the privileged instruction LTR

• The TSS associates a stack for each code for each of the privilege levels 0, 1 and 2

116

Task Switching process

117

118

• 80286 and above contain program-invisible registers to control and operate protected memory. – and other features of the microprocessor

119

2–4  MEMORY PAGING • The memory paging mechanism allows any

physical memory location to be assigned to any linear address.

• Iinear address is defined as the address generated by a program.

• Physical address is the actual memory location accessed by a program.

• With memory paging, the linear address is invisibly translated to any physical address.

120

Paging Registers • The paging unit is controlled by the contents

of the microprocessor’s control registers.

• Beginning with Pentium, an additional control register labeled CR4 controls extensions to the basic architecture.

• See Figure 2–11 for the contents of control registers CR0 through CR4.

121

Figure 2–11  The control register structure of the microprocessor.

122

• The linear address, as generated by software, is broken into three sections that are used to access the page directory entry, page table entry, and memory page offset address.

• Figure 2–12 shows the linear address and its makeup for paging.

• When the program accesses a location between 00000000H and 00000FFFH, the microprocessor physically addresses location 00100000H–00100FFFH.

123

Figure 2–12  The format for the linear address (a) and a page directory or page table entry (b).

124

• Intel has incorporated a special type of cache called TLB (translation look-aside buffer). – because repaging a 4K-byte section of memory

requires access to the page directory and a page table, both located in memory

• The 80486 cache holds the 32 most recent page translation addresses. – if the same area of memory is accessed, the

address is already present in the TLB – This speeds program execution

• Pentium contains separate TLBs for each of their instruction and data caches.

125

The Page Directory and Page Table • Only one page directory in the system.

• The page directory contains 1024 doubleword addresses that locate up to 1024 page tables.

• Page directory and each page table are 4K bytes in length.

• Figure 2–13 shows the page directory, a few page tables, and some memory pages.

126

Figure 2–13  The paging mechanism in the 80386 through Core2 microprocessors.

127

• DOS and EMM386.EXE use page tables to redefine memory between locations C8000H–EFFFFH as upper memory blocks. – done by repaging extended memory to backfill

conventional memory system to allow DOS access to additional memory

• Each entry in the page directory corresponds to 4M bytes of physical memory.

• Each entry in the page table repages 4K bytes of physical memory.

• Windows also repages the memory system.

128

Figure 2–14  The page directory, page table 0, and two memory pages. Note how the address of page 000C8000–000C9000 has been moved to 00110000–

00110FFF.

129

2–5  Flat Mode Memory • A flat mode memory system is one in which there

is no segmentation. – does not use a segment register to address a location

in the memory

• First byte address is at 00 0000 0000H; the last location is at FF FFFF FFFFH. – address is 40-bits

• The segment register still selects the privilege level of the software.

130

• Real mode system is not available if the processor operates in the 64-bit mode.

• Protection and paging are allowed in the 64-bit mode.

• The CS register is still used in the protected mode operation in the 64-bit mode.

• Most programs today are operated in the IA32 compatible mode.– current software operates properly, but this will

change in a few years as memory becomeslarger and most people have 64-bit computers

131

Figure 2–15  The 64-bit flat mode memory model.

132

SUMMARY• The programming model of the 8086

through 80286 contains 8- and 16-bit registers.

• The programming model of the 80386 and above contains 8-, 16-, and 32-bit extended registers as well as two additional 16-bit segment registers: FS and GS.

133

SUMMARY• 8-bit registers are AH, AL, BH, BL, CH, CL,

DH, and DL.

• 16-bit registers are AX, BX, CX, DX, SP, BP, DI, and SI.

• The segment registers are CS, DS, ES, SS, FS, and GS.

• 32-bit extended registers are EAX, EBX, ECX, EDX, ESP, EBP, EDI, and ESI.

(cont.)

134

SUMMARY• The 64-bit registers in a Pentium 4 with 64-

bit extensions are RAX, RBX, RCX, RDX, RSP, RBP, RDI, RSI, and R8 through R15.

• In addition, the microprocessor contains an instruction pointer (IP/EIP/RIP) and flag register (FLAGS, EFLAGS, or RFLAGS).

• All real mode memory addresses are a combination of a segment address plus an offset address.

(cont.)

135

SUMMARY• The starting location of a segment is

defined by the 16-bit number in the segment register that is appended with a hexadecimal zero at its rightmost end.

• The offset address is a 16-bit number added to the 20-bit seg-ment address to form the real mode memory address.

• All instructions (code) are accessed by the combination of CS (segment ad-dress) plus IP or EIP (offset address).

(cont.)

136

SUMMARY• Data are normally referenced through a

combination of the DS (data segment) and either an offset address or the contents of a register that contains the offset address.

• The 8086-Core2 use BX, DI, and SI as default offset registers for data if 16-bit registers are selected.

• The 80386 and above can use the 32-bit registers EAX, EBX, ECX, EDX, EDI, and ESI as default offset registers for data.

(cont.)

137

SUMMARY• Protected mode operation allows memory

above the first 1M byte to be accessed by the 80286 through the Core2 microprocessors.

• This extended memory system (XMS) is accessed via a segment address plus an offset address, just as in the real mode.

• In the protected mode, the segment starting address is stored in a descriptor that is selected by the segment register.

(cont.)

138

SUMMARY• A protected mode descriptor contains a

base address, limit, and access rights byte.

• The base address locates the starting address of the memory segment; the limit defines the last location of the segment.

• The access rights byte defines how the memory segment is accessed via a program.

(cont.)

139

SUMMARY• The 80286 microprocessor allows a

memory segment to start at any of its 16M bytes of memory using a 24-bit base address.

• The 80386 and above allow a memory segment to begin at any of its 4G bytes of memory using a 32-bit base address.

• This allows an 80286 memory segment limit of 64K bytes, and an 80386 and above mem-ory segment limit of either 1M bytes.

(cont.)

140

SUMMARY• The segment register contains three fields

of information in the protected mode.

• The leftmost 13 bits of the segment register address one of 8192 descriptors from a descriptor table.

• The program-invisible registers are used by the 80286 and above to access the descriptor tables.

(cont.)

141

SUMMARY• Each segment register contains a cache

portion that is used in protected mode to hold the base address, limit, and access rights acquired from a descriptor.

• The cache allows the microprocessor to access the memory segment without again referring to the descriptor table until the segment register's contents are changed.

(cont.)

142

SUMMARY• A memory page is 4K bytes in length. The

linear address, as generated by a program, can be mapped to any physical address through the paging mechanism found within the 80386 through the Pentium 4.

• Memory paging is accomplished through control registers CR0 and CR3.

• The PG bit of CR0 enables paging, and the contents of CR3 addresses the page directory.

(cont.)

143

SUMMARY• The page directory contains up to 1024

page table addresses that are used to access paging tables.

• The page table contains 1024 entries that locate the physical address of a 4K-byte memory page.

• The TLB (translation look-aside buffer) caches the 32 most recent page table translations.

(cont.)

144

SUMMARY• The flat mode memory contains 1T byte of

memory using a 40-bit address.

• In the future, Intel plans to increase the address width to 52 bits to access 4P bytes of memory.

• The flat mode is only available in the Pentium 4 and Core2 that have their 64-bit extensions enabled.

145

146

MicroprocessorsCSE – 341EEE – 365

\\server2\tsr\Spring\CSE\CSE341

http://groups.google.com/group/bucse341

http://faculty.bracu.ac.bd/~faruqe/faruqe@bracu.ac.bd

147

Flags

NT (nested task) – The nested task flag is used to indicated that the current task is nested within another task in protected mode operation. This flag is when the task I nested by software.

148

Flags

RF(resume) – The resume flag is used with debugging to control the resumption of execution after the next instruction.

VM (virtual mode) – The VM flag bit selects virtual mode operation in a protected mode system. A virtual mode system allows multiple DOS memory partitions that are 1M byte in length to coexist in the memory system. Essentially, this allows the system program to execute multiple DOS programs.

149

Flags

AC (alignment check) – This flag is activates if a word or a double work is addressed on a non-word or non-double word boundary. Only the 80486SX microprocessor contains the alignment check bit that is primarily used by its companion numeric coprocessor, the 80487SX, for synchronization.

VIF (Virtual Interrupt flag) – The VIF is a copy of the interrupt flag bit available to the Pentium – P4 microprocessor. This is used in multitasking environments to provide the operating system with virtual interrupt flags and interrupt pending information.

150

Flags

ID (identification) – The ID flag indicated that the Pentium-P4 microprocessors support CPUID instruction. The CPU ID instruction provides the systems with information about the Pentium microprocessor, about as its version number and the manufacturer.

151

Segment Register

CS (Code) – The code segment is a section of memory that holds the code used by the microprocessor. The code segment registers defines the starting address of the section of memory holding code.

In read mode operation, it defines the start of the 64K-byte section of the memory in protected mode, it selects a description that describes the starting address and length of a section of memory holding code.

The code segment is limited to 64K bytes in the 8088-80268 and 4 GB in the 80386 and above when these microprocessors operate in the protected mode.

152

DS (Data) – The data section contains most data used by a program. Data are accessed in the data segment by an offset address of the contests of other registers that hold the offset address.

ES (extra) – The extra segment is used to hold information about string transfer and manipulation

SS (Stack) – The stack segment defines the area of memory used for the stack. The stack entry point is determined by the stack segment and stack pointer registers. The BP registers also addresses data within the stack segment.

FS and GS – These are supplement segment registers available in the 80386 and above microprocessors to allow two additional memory segments for access by programs.

153

Real Mode Memory Addressing

80286 and above operate in either the read or protected mode. Only the 8086 and 8088 operate exclusively in the real mode.

Real mode operation allows the microprocessor to address only the first 1Mbyte of memory space called either real memory or conventional memory.

Even if P4 is running in real mode it can address only 1Mbyte.

This real mode feature is partially responsible for the success of the Intel family of microprocessors.

Code written for 80868088 is upward compatible and will work on 80286 and others without any upgrades.

154

Segment and Offsets

Combination of a segment address and an offset address access a memory location in the real mode.

The segment address located within one segment register defines the beginning address of any 64K-byte memory segment.

The offset address is also held in a register and selects any location within the 64K byte memory segment.

155

FFFFF

1FFFF

1F000

10000

00000

1000

Segment Register

Offset = F000

Offset is also sometimes referred to as displacement

156

The segment register in the previous example contained 1000H yet it addresses a segment starting at location 10000H.

In real mode ever value in the segment register is appended with a 0H on its rightmost end.

Because of the append, real mode segments can begin only at 16-byte boundary in the memory system.This 16-byte boundary is called a paragraph.

Also because we know hat in real mode segment of memory is 60K in length, the ending address is found by adding FFFFH.

157

What is the ending address of the segment, whose address is defined as 3000H in the segment register?

A segment with segment address of 1000H and offset address of 2000H may also be written as 1000:2000.

What is the actual memory location for 1200:300?

In 80286 (with special circuitry) and the 80386 through P4 an extra 64K minus 16 bytes is addressable when the segment address is FFFFH and the HIMEM>SYS driver is installed in the system. This extra area 0FFFF0H – 10FFEFH is referred to as high memory.

158

Some addressing modes combine more than one register and an offset value to form an offset address.

Find the actual memory location being pointed to if the segment address is given as 4000H and the two offset registers hold offset values F000H and 3000H.

159

Default Segment and Offset Registers

There are some default segment and settings that are used.

For example CS:IP or CS:EIP is used to find the location of the instruction the microprocessor fetches to be executed next.

If code segment register contains the value 1400H and EIP contains 00001200H. What is the actual physical location of the next instruction.?

160

Default Segment and Offset Registers

Another default combination is implemented by the Stack.

Stack uses the SS (Stack Segment) to give the base address and then the offset is defined by the SP (Stack pointer) or BP(Base Pointer)

Stack uses the SS (Stack Segment) to give the base address and then the offset is defined by the SP (Stack pointer) or BP(Base Pointer)NOTE: In real mode only rightmost 16 bits of the extended register address a location within the memory segment. Placing a number larger than FFFFH into an offset register while in real mode causes the system to halt and indicate an addressing error.

161

Segmentation

Remember that 8086-80286 microprocessors allow four memory segments and 80386 and above allow six memory segments.

Memory segments can touch or even overlap if 64K bytes of memory are not required for a segment.

Think of a segment as a windows that can be moved over any area of the memory to access data or code within that area.

162

GENERAL SEGMENTATION EXAMPLE: PAGE 60

OVERLAPPING EXAMPLE PAGE 61

Segment and offset addressing scheme seems complicated. But, it has its advantages.

What could be its advantage ?

163

Relocate-able programs:

A program that can be places into any area of memory and executed without changing.

Relocate-able data:

Data that can be moved to any part of the memory and can still be used without making changes to the program that use such data.

This is ideal for use in general-purpose computer system in which not all machines contain the same memory areas.

The structure of the personal computer memory structure is different form machine to machine requiring relocate able software and data.

164

Is this enough for today ?

165

166

MicroprocessorsCSE - 341

167

Protected Mode Memory Addressing

Remember using real mode addressing we were previously able to address 1M Byte of memory.

Using Protected Mode memory addressing locations above the 1M byte boundary can be addressed.

The Protected Memory scheme still uses base address and index address to calculate actual memory locations but, this is done in a different way from what we had done previously.

168

The offset address is still used as previously, to find the memory location within the segment that we are interested in.

The use of the base or the segment address has changed a bit.

The segment register now contains a selector rather than the “actual” base address of the segment.

An additional table called a descriptor table uses the selector as an index to provide additional information known as descriptor.

The descriptor describes:

• location

•Length

•Access rights

For the segment of interest.

169

The actual instructions used for both real mode memory access and protected mode memory access may remain the same.

This is because again the value stored in the segment register and the index register are used to obtain the actual memory location.

The difference in the two modes comes the from way the microprocessor interprets the data present in the two registers to perform the memory location calculations.

Another difference is that the offset address can be a 32-bit number instead of a 16 bit number in the protected mode. A 32 bit offset address allows the microprocessor to access data within a segment that can be 4G bytes in length.

170

There are two descriptor tables. Global Descriptor table and local descriptor table.

Each table contains 8192 descriptors.

Global descriptors contain segment definitions that apply to all programs. – System Descriptor.

Local Descriptors provide information that are unique to an application. – Application Descriptor.

Because each table contains 8192 descriptors, there are a total of 16384 descriptors available to any application.

This also now means that up to 16384 memory segments could be described to be used by each application.

171

Why do you think we have only 8192 descriptors and not 64K ?

80286 Descriptor

00000000 00000000

Access Rights

Base (B23-B16)

Base (B15 – B0)

Limit (L15 –L0)

80386 through P4 Descriptor

Base

(B31-B24)

G D 0 A

V

Limit

(L19-L16)

Access Rights

Base (B23-B16)

Base (B15 – B0)

Limit (L15 –L0)

172

Base Address – Starting location of the memory segment.

80826 has 24 bits allocated to storing the base address.

16 MB Memory locations.

80386 and above use 32 bits for storing the base address.

4GB of memory locations.

80286 is Upward computable because its MSB above the 24 bits are 0000

173

AV – Available

AV =1 – Available

AV =0 – Not Available.

D = Data access

D = 1 – The instructions are in 32bits and the registers are 32 bits.

D = 0 – The instructions are 16 bit instructions compatible with 8086-80286

174

Access Rights bytes- Control access to protected mode memory segment. This byte describes how the segment functions in the system.

7 6 5 4 3 2 1 0

P DPL S E ED/C R/W A

A = 0 – Segment Not AccessedA =1 – Segment has been accessed

E = 0 Descriptor describes data segmentED = 0 Segment expands upwards ED =1 Segment expands downward W = 0 Data may not be writtenW =1 Data may be written

175

E = 1 Descriptor describes code segmentC =0 Ignore descriptor privilege levelC =1 Abide by privilege levelR=0 Code segment may not be readR =1 Code segment may be read

S =0 System descriptorS =1 Code or data segment descriptor

DLP = sets the descriptor privilege level ( 00 – 11)

P = 0 Descriptor is undefinedP =1 Segment contains a valid base and limit

176

Selector TI RPL

15 3 2 1 0

Selector – Selects one of the 8192 descriptors.

TI – Chooses either the global descriptor table or the local table.T1 = 0 – Global descriptor tableT1 =1 – Local descriptor table

RPL – Requested privilege level.

00 – highest11 - lowest

177

DS

0008

Descriptor 0Descriptor 1Descriptor 2Descriptor 3Descriptor 4Descriptor 5Descriptor 6Descriptor 7Descriptor 8Descriptor 9

Descriptor 10Descriptor 11

178

DS

0008

FF00000010

1460000

Data Segment

100000

1000FF

179

Note : Descriptor 0 is called null descriptor and may not be used for accessing memory.

Just like the stack the addresses of these descriptor tables have to be specified for the microprocessor.

For this purpose 80286 and above microprocessors contain program invisible registers.

These registers are not directly addressed by software and hence are given this name.

These registers are used to control the microprocessor when operating in protected mode.

180

CS

DS

ES

SS

FS

GS

Segment Registers Descriptor Cache

Base Address Limit Access

TR

LDTR

Base Address Limit Access

Descriptor Table addresses

GDTR Base Address Limit

IDTR

181

The program invisible parts are known as CACHE.

DO NOT confuse with cache memory L1 and L2.

Once a code segment is loaded with the base address of the segment the descriptor cache is loaded with the details.

The details are not changed until the value in the code segment register is updated. This increases efficiency as the values in the cache descriptor can be reused.

Hence, the term cache is used for the invisible registers.

182

GDTR – Global descriptor table register.

The base address of the descriptor table and its limit. The limit of each descriptor table is 16 bits because the maximum length of the table is 64K bytes.

When protected mode operation in desired the values are loaded in the GDTR .

IDTR – Interrupt descriptor table register.

The base address of the descriptor table and its limit. The limit of each descriptor table is 16 bits because the maximum length of the table is 64K bytes.

When protected mode operation in desired the values of the IDTR must also be initialized. We will deal with this later.

183

LDTR – Local descriptor table register.

The LDTR does not hold the direct address of the local descriptor table. Instead it hold a selector just as the segment registers.

The selector selects a descriptor in the global address table which points to the location of the local descriptor table. The base address of the LDT is then loaded in the LDTR.

TR – Task Register

Holds a selector which access a descriptor that defines a task. Task can be procedure or application program. The descriptor for the task is stored in the GDT so access can be controlled. Task register allows fast context switching helping in tasks that are often used or in multi-programming.