Intel 32-bit Architecture - Hadassahcs.hadassah.ac.il/staff/martin/micro_extended/slide10-1.pdf ·...

Microprocessors (A)IA321

Dr. Martin LandHadassah CollegeFall 2004

IA32

Intel 32-bit Architecture



Intel 32-bit Architecture (IA32)

Basic architectural plan for Intel processors

RequirementsBackward compatible with 8086, 80186, and 80286True 32-bit machine (address and integer length)Enable PC to run a modern operating system

IA-32 introduced in 1985All processors from i386 to Pentium 4 follow IA-32Intel introduced a full implementation of UNIX for IA-32



Intel 32-bit Architecture (IA32)

32-bit machine:32-bit internal and external data bus32-bit external address busGeneral registers extended to 32 bit width

EAX, EBX, ECX, EDX, ESP, EBP, ESI, EDI, EIP

Expanded code set (32-bit instructions)

Hardware support for Operating System functions:Task managementVirtual memory and pagingLocal data and protection



Operating Modes

Real ModeLike a fast 8086

Only recognizes 8086 instruction set16-bit integers and address offsets20-bit physical address (can access lowest 1 MB of RAM)

All IA32 processors initialize into real mode

Protected ModeUses full 32-bit features

Can process new 32-bit instructions32-bit integers and physical addresses (can access 4 GB of RAM)Hardware support for Operating System functions

Windows/Linux/UNIX/OS2 run in protected mode

Virtual 86Creates a virtual 8086 environment as a taskCan run multiple V86 tasks at one timeDOS window under Windows runs in V86 mode



General Purpose Registers

AH AL EAX Accumulator BH BL EBX Base CH CL ECX Counter DH DL EDX Data 31 16 15 8 7 0

SP ESP stack pointer BP EBP base pointer SI ESI source index DI EDI destination index IP EIP instruction pointer

31 16 15 0



Segment Registers

Segment Registers Segment Shadow Registers

Code Segment Selector CS Code Segment Descriptor Data Segment Selector DS Data Segment Descriptor Stack Segment Selector SS Stack Segment Descriptor Extra Segment Selector ES Extra Segment Descriptor Data-F Segment Selector FS Data-F Segment Descriptor Data-G Segment Selector GS Data-G Segment Descriptor 15 0 63 0

New data segment registers: FS, GS Selector

Pointer to segment location in memory In Real Mode, Selector = upper 16 bits of physical segment base address In Protected Mode, Selector = index to a Descriptor Table

Descriptor

Information about the segment Descriptor = Segment base address, Segment Size, Segment Type



Segmentation in IA32 Protected Mode

Segment RegisterHolds a pointer to a segmentPointer is called a Segment Selector

Selector contains an index into a look-up tableDescriptor Table is built in Main Memory (RAM)

A Descriptor Table may be global or localTable entries are called segment DescriptorsEach Descriptor defines one segment

Descriptor contains segment base address, segment limit, access rights, and other properties



Segment Address Translation

RAM

+

offset

segmentbase

address

linearaddress

Linear AddressSpace

+

offset

linearaddress

descriptortableselector

segmentbase

address



Tasks in IA32

Each activity under OS is defined as a TaskEach task is allocated a Task Segment

Holds information about Task (context) Defines Local (private) Segments for task: Data/Code/Stack

Every TaskMay access (public and unique) Global Descriptor Table (GDT)May access its (private) Local Descriptor Table (LDT)Selector contains

Table Indicator (TI) to choose LDT or GDTIndex to choose entry (Descriptor) from Descriptor Table



Addressing Table Registers

GDT Register (Global Descriptor Table)

GDT linear base address GDT limit 31 0 15 0

IDT Register (Interrupt Descriptor Table)

IDT linear base address IDT limit 31 0 15 0

LDT Register (Local Descriptor Table) Shadow Register

LDT Segment Selector LDT Segment Descriptor 15 0 63 0

TSS Register (Task State Segment) Shadow Register

TSS Segment Selector TSS Segment Descriptor 15 0 63 0



Preview: Context Switch

Enter new Selector in TSS RegisterCPU uses TSS Selector to fetch TSS DescriptorTSS Descriptor points to Task State Segment (TSS)

Hardware fetches information from TSS:Selectors for CS, DS, ES, SS, FS, GS, and LDTValues for EAX … EDX, EIP, EDI, ESI, EBP, ESP, Flags

CPU uses LDT Selector to fetch LDT DescriptorLDT Descriptor points to Local Descriptor TableCPU uses CS Selector to fetch CS DescriptorCPU uses DS Selector to fetch DS DescriptorCPU fetches all 6 Segment Descriptors

Descriptors: Segment Base Addresses, Sizes, and Access information



Selector Format

Index Table Index (TI)

Request Privilege Level (RPL)

13-bits 1 bit 2 bits 13-bit Index to Descriptor in table 213 = 23 × 210 = 8 × 1 K Descriptor table holds 8 K (8192) Descriptors

Descriptor Address = Table Base Address + Descriptor Offset Descriptor is 8 bytes in length Descriptor Offset = Index × 8 = Index × 10002 = Selector AND FFF8

8 K Descriptors/table × 8 Bytes/Descriptor = 64 KB/table

Table Index TI = 0 for GDT TI = 1 for LDT

Request Privilege Level (RPL): used for protection mechanism



Segment Address Translation

index TI RPL

13 bits 1bit

2bits

GDT

LDT

32-bit segment base address

16-bit selector

32-bit offset

+32-bit linear address

64-bit descriptorAddress



Segment Types

Segment type is written in segment descriptor Code Segments

Program instructionsMay be fetched as instructionsMay be local (to a task) or global

Data SegmentsHolds dataMay be loaded or storedMay be local or global

System SegmentsGDT/LDT/IDT/TSS Occupy separate segmentsNo access by user programs



Descriptor Format8 4 4 8 24 16

Base Access Limit Access Base Limit 31 ... 24 11 ... 8 19 ... 16 7 ... 0 23 ... 0 15 ... 0

63 56 55 52 51 48 47 40 39 16 15 0

11 10 9 8 7 6 5 4 3 2 1 0 G D 0 0 P DPL S TYPE A Code Segment

Access

G 0 0 0 P DPL S TYPE A Data Segment Base: 32-bit segment base address Limit: 20-bit offset limit ⎯ Segment Size = [1 + Limit] × (4096)G Bytes

G= 0 ⇒ Byte Granularity: 220 bytes = 1 MB maximum segment size G= 1 ⇒ 4 KB Granularity: 220 × 4 KB = 4 GB maximum segment size

Code Type: D = 0 for 16-bit code (required for DOS and runs under Windows) D = 1 for 32-bit code (runs under Windows 9x/NT/2000/XP and Linux/UNIX) Present: P = 1 for segment in memory or P = 0 for swapped-out segment DPL: Descriptor Privilege Level System: S = 0 for system segment or S = 1 for user segment Type: Segment type code Access: A = 0 until segment is accessed; A = 1 after access



Type Fields for User Segments (S = 1)

3-bit Type Field Code Segment

Type = 1 C RC = 1 for Conforming code (protection scheme)R = 1 for Readable Code (MOV AX,CS:EA legal)

Data SegmentType = 0 ED WED = 1 for Expand Down (stack segment)W = 0 for Read-Only segment



Segmentation Example ⎯ 1

GDT register = 00 10 00 00 FF FF GDT begins at 00 10 00 00 GDT length is 64 KB

LDT register = 000B LDT register holds LDT selector

0 0 0 B 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 1

13-bit index TI

RPL

0 0 0 0 0 0 0 0 0 0 0 0 1 0 11

Index = 1 → 1 × 8 = 8 (000B AND FFF8 = 0008) TI = 0 points to GDT Descriptor address = GDT base + 0008 = 00100000 + 0008 = 00100008h




Lower Part of GDT address 0 1 2 3 4 5 6 7 8 9 A B C D E F

00 10 00 3 00 00 F2 07 08 00 FF FF 00 00 F2 08 08 00 FF FF 00 10 00 2 00 00 F2 05 08 00 FF FF 00 00 F2 06 08 00 FF FF 00 10 00 1 00 00 F8 03 08 00 FF FF 00 00 F8 04 08 00 FF FF 00 10 00 0 00 00 E2 01 08 00 FF FF 00 00 E2 02 08 00 FF FF

Lower Part of LDT address 0 1 2 3 4 5 6 7 8 9 A B C D E F

00 02 08 3 00 00 F2 17 08 00 FF FF 01 81 F2 18 08 00 FF FF 00 02 08 2 00 00 F2 15 08 00 FF FF 00 00 F2 16 08 00 FF FF 00 02 08 1 00 00 F8 13 08 00 FF FF 00 00 F8 14 08 00 FF FF 00 02 08 0 00 00 F2 11 08 00 FF FF 00 00 F2 12 08 00 FF FF




Descriptor at 00100008h to 0010000Fh is

00 0 0 E2 02 08 00 FF FF Base Access Limit Access Base Address Limit

Segment base address = 00 02 08 00 Access = 0E2 = 0000 1110 0010

0 0 0 0 1 1 1 0 0 0 1 0 G 0 0 0 P DPL LDT

G = 0 ⇒ Byte Granularity and Segment Limit = FFFF (64 KB) P = 1 ⇒ Segment is present in RAM S = 0 and Type = 001 ⇒ LDT segment Descriptor is copied to LDT Shadow Register



Segmentation Example ⎯ 4CS:EIP = 001B: 00 00 00 10

0 0 1 B 0 0 0 0 0 0 0 0 0 0 0 1 1 0 1 1

13-bit index TI

RPL

0 0 0 0 0 0 0 0 0 0 0 1 1 0 11

Descriptor offset in GDT (TI = 0) = index × 8 = 001B AND FFF8 = 0018 GDT base + 0018 = 00100018 Descriptor at 00100018 is copied to CS Shadow Register

00 0 0 F8 04 08 00 FF FF Base Access Limit Access Base Address Limit

Access = 0F8 = 0000 1111 1000

0 0 0 0 1 1 1 1 1 0 0 0 G D 0 0 P DPL code C R A

Segment base address = 00 04 08 00 Segment limit = FFFF bytes Code segment (non-conformable, non-readable, 16-bit code) Linear address = 00 04 08 10



Segmentation Example ⎯ 5DS:BX = 003F:00088010

0 0 3 F 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1

13-bit index TI RPL0 0 0 0 0 0 0 0 0 0 1 1 1 1 11

Descriptor offset in LDT (TI = 1) = index × 8 = 003F AND FFF8 = 0038 LDT base + 0038 = 00 02 08 00 + 00 38 = 00 02 08 38

01 8 1 F2 18 08 00 FF FF Base Access Limit Access Base Address Limit

Access = 8F2 = 1000 1111 0010

1 0 0 0 1 1 1 1 0 0 1 0 G 0 0 0 P DPL data ED W A

Segment base address = 01 18 08 00 G = 1 ⇒ Segment limit = (1FFFF+1)×1000 = 20000000 = 536,870,912 bytes Data segment Offset = 00 08 80 10 < limit = 20 00 00 00 Linear address = 01 18 08 00 + 00 08 80 10 = 01 20 88 10 Descriptor copied to DS Shadow Register



Segment Level Memory Protection



Hiding Segments

Hardware allows Operating System to “hide” segments from applications:

Segment base address is hidden in a descriptorDescriptor is located in GDT or LDT

Only hardware can locate, define, access, or update the GDT and LDT

Under a reasonable OS, a user program cannot run GDT/LDT access instructions

A user program only accesses the segment selector



Local Data and Code Segments

Every task has private segments defined in its LDTLDT selector is stored in the Task State Segment (TSS)

A task's LDT selector is "hidden" from other tasks

Segments defined in LDT are "doubly-hidden"Other Tasks cannot locate or access another Task’s

TSSLDT selectorLDTAny segment defined in its LDT



Hardware Enforcement

For every RAM access:

Hardware compares offset and segment limitAccess denied if offset > segment limit Can be no accidental segment overflow

Hardware checks segment typeCannot write to a segment defined as codeCannot fetch from a data segment Cannot read, write or fetch from a system segment



Access Restrictions by Privilege

Every segment has a classificationDescriptor Protection Level (DPL)Defined in access field of segment descriptorPrivilege level required for access

Every code segment has access rightsPrivilege level of segments it may accessSelector in CS register points to current code segment Current Privilege Level (CPL) = DPL of current CS

Instruction in the current code segment cannot: Access data if data segment's DPL < CPLJump to (or call) a new code segment with DPL < CPL



Protection Rings

• Ring 0 is for the OS kernel• Ring 1 is for less sensitive OS functions• Ring 2 is for protected user functions• Ring 3 is for user programs

3210



Full Access Rules

CS selector points to Code Segment descriptor with access rightsCPL.

The selector contains a Request Privilege Level (RPL) ⎯ usually a copy of the CPL.

An instruction in the current Code Segment can: 1. Access a Data Segment with DPL,2. Jump to (or call) a new Code Segment with DPL,If DPL ≥ max (CPL , RPL)

3210

AccessGranted

AccessDenied



System Calls

User program makes a system call through a Call GateCurrent code jumps or calls to a new CS:EIP in the OSCS selector points to a special descriptor (Call Gate) in the

GDT or LDTCall Gate is loaded to CS Shadow RegisterThe hardware:1. Recognizes the descriptor as a Call Gate2. Loads the Destination Selector from the Call Gate to CS3. Loads the Destination Offset from the Call Gate to EIP 4. Copies parameters according to the Word Count5. System Call runs, with its address hidden from the user



Call Gate Format

16 8 3 5 16 16 destination offset access 0 word

count destination selector destination offset

access byte

bit 7 bit 6,5 bits 4,3,2,1,0 P DPL 01100

selectorCS:EIP

CS Shadow Register (CS descriptor)

systemcall

GDT

call gate

destinationoffset access 0 word

countdestination

selectordestination

offset



The Trojan Horse Problem

User program denied access to a protected segment (DPL < user CPL).

User program passes a pointer (selector) to that segment in a system call.

The OS can access the protected segment.

3210

user

OS

call gate

protecteddata

The selector has a Request Protection Level (RPL) field.The OS sets RPL = user CPL in the selector (pointer). Access is permitted if and only if DPL ≥ max (CPL , RPL).



Paging Address Translation

directory page byte

page tabledirectory base

page tabledirectory

page table main memory

entry

entry

+ +

+

page

byte

directorybase address

page tablebase address

pagebase address



Linear Address

directory = index into directory (4 bytes per entry)

210 =1024 = 1K page table entries per directory

4 bytes per entry ⇒ 4 KB per directory

page table = index into selected page table

4 bytes per entry ⇒ 4 KB per page table

offset = index (of byte) into selected page

212 =4096 = 4K byte per page

210 page tables × 210 page/page table × 212 bytes/page = 232 bytes

1 0 b it s 1 0 b it s 1 2 b it s d ir e c t o r y p a g e t a b le o f f s e t



Entries in Page Directory and Page Table

upper 20 bits of page table physical address

OS reserved 0 D A 0 U/S R/W P

31 12 11 9 8 7 6 5 4 3 2 1 0

D — dirty bit A — accessed

P = 0 = swapped-out P = 1 = present

Segments with DPL = 0,1,2 inherit U/S = 0 (supervisor) Segments with DPL = 3 inherit U/S = 1 (user)

Supervisor code has Read/Write permission for User Read/Write permission for Supervisor data pages

User code has No access to supervisor data pages Read-only access to data pages with R/W = 0 Read/write access to data pages with R/W = 1



Paging ExampleDirectory address = Dir_add = 00010000 h

Linear Address = 00402100 h

00 40 21 00 0000 0000 0100 0000 0010 0001 0000 0000

Directory field = 00000000012 = 001 h

Find 4 byte entry at physical address Dir_add + 4 × 001 = 00010004 h Entry = 12345678 h Entry points to Page Table at PT_add 12345000 h

Page Table Field = 00000000102 = 002 h Find 4 byte entry at physical address PT_add + 4 × 002 = 12345008 h Entry = 9ABCDEF0 h Entry points to Page at P_add 9ABCD000 h

Offset Field = 0001000000002 = 100 h Offset points to byte at physical address P_add + 100 = 9ABCD100 h



Virtual Address to Physical Address

SEGMENT:OFFSETdescriptor

table

descriptor

Linear Base Address+

Offset

index

Linear Address

segment shadow register

cache descriptor in CPU

directory page offset

paging enabled

Physical Address

paging not enabled

Linear Address Physical Address

Translation Lookaside Buffer (TLB)(address cache)



Building Page Tables

Start with Physical Address = Linear Address

Build descriptor tables without concern for paging

Physical address ≠ linear address after swapping

Some important numbers

1 K = 1024 = 400h4 K = 4096 = 1000h

1 M = (1024)2 = 400 × 400 h = 4 × 4 × 10000 h = 10 00 00h



Example Page Layout

32 MB of RAM divided into (32 MB) / (4 KB/page) = 8 K pages

Page First Byte Last Byte 1FFF 01 FF F0 00 01 FF FF FF

... 0003 00 00 30 00 00 00 3F FF 0002 00 00 20 00 00 00 2F FF 0001 00 00 10 00 00 00 1F FF 0000 00 00 00 00 00 00 0F FF

8K = 2 × 4K = 2 × 1000h = 2000h (0000 to 1FFF) 1 page = 4KB = 1000h Bytes (000 to FFF) Page number P begins at P × 1000h



Counting Page Tables

8 Kpages requires (8 Kpages) / (1 K pages/page table) = 8 page tables Page table points to 1 K pages = 400h pages and has entries 000 to 3FFh

Page Points To Pages Table First Last 7 1C00 1FFF 6 1800 1BFF 5 1400 17FF 4 1000 13FF 3 0C00 0FFF 2 0800 0BFF 1 0400 07FF 0 0000 03FF

Page table T points to pages T × 400h to T × 400h + 3FFh Page P is in page table T = int [ P/400 ]



Page Table Directory

Start Directory at address 00 FF FC 00 Start Page Tables at address 01 00 00 00

PT 7 01 00 70 00 01 00 7F FF PT 6 01 00 60 00 01 00 6F FF PT 5 01 00 50 00 01 00 5F FF PT 4 01 00 40 00 01 00 4F FF PT 3 01 00 30 00 01 00 3F FF PT 2 01 00 20 00 01 00 2F FF PT 1 01 00 10 00 01 00 1F FF PT 0 01 00 00 00 01 00 0F FF

Directory 00 FF FC 00 00 FF FF FF



Directory Entries 20 bits 12 bits Entry

Format int (physical address A /1000h ) other stuff

Entry Number

Entry Address

Points to PT

Entry

3FF 00 FF FF FC — — - — — — 8 00 FF FC 20 — — 7 00 FF FC 1C 7 01 00 7x xx 6 00 FF FC 18 6 01 00 6x xx 5 00 FF FC 14 5 01 00 5x xx 4 00 FF FC 10 4 01 00 4x xx 3 00 FF FC 0C 3 01 00 3x xx 2 00 FF FC 08 2 01 00 2x xx 1 00 FF FC 04 1 01 00 1x xx 0 00 FF FC 00 0 01 00 0x xx

1023 = 3FF ⇒ 4× 1023 = 1000 - 4 h = FFC h



Page Table 0 Entries PT 0 points to the first 1 K pages of memory From address 00 00 00 00 To address 00 3F FF FF Each entry points to a 4 KB page Page 0 is at 00 00 00 00 Page 1 is at 00 00 10 00 Page 2 is at 00 00 20 00

Entry Number

Entry Address

Points to Page

Entry

3FF 01 00 0F FC 3FF 00 3F Fx xx - — — — 8 01 00 00 20 8 00 00 8x xx 7 01 00 00 1C 7 00 00 7x xx 6 01 00 00 18 6 00 00 6x xx 5 01 00 00 14 5 00 00 5x xx 4 01 00 00 10 4 00 00 4x xx 3 01 00 00 0C 3 00 00 3x xx 2 01 00 00 08 2 00 00 2x xx 1 01 00 00 04 1 00 00 1x xx 0 01 00 00 00 0 00 00 0x xx



Page Table 1 EntriesPT 1 points to the second 1 K pages of memory From address 00 40 00 00 To address 00 7F FF FF Each entry points to a 4 KB page Page 400 is at 00 40 00 00 Page 401 is at 00 40 10 00 Page 402 is at 00 40 20 00

Entry Number

Entry Address

Points to Page

Entry

3FF 01 00 1F FC 7FF 00 7F Fx xx - — — — 8 01 00 10 20 408 00 40 8x xx 7 01 00 10 1C 407 00 40 7x xx 6 01 00 10 18 406 00 40 6x xx 5 01 00 10 14 405 00 40 5x xx 4 01 00 10 10 404 00 40 4x xx 3 01 00 10 0C 403 00 40 3x xx 2 01 00 10 08 402 00 40 2x xx 1 01 00 10 04 401 00 40 1x xx 0 01 00 10 00 400 00 40 0x xx



Page Table 2 EntriesPT 2 points to the third 1 K pages of memory From address 00 80 00 00 To address 00 BF FF FF Each entry points to a 4 KB page Page 800 is at 00 80 00 00 Page 801 is at 00 80 10 00 Page 802 is at 00 80 20 00

Entry Number

Entry Address

Points to Page

Entry

3FF 01 00 2F FC BFF 00 BF Fx xx - — — — 8 01 00 20 20 808 00 80 8x xx 7 01 00 20 1C 807 00 80 7x xx 6 01 00 20 18 806 00 80 6x xx 5 01 00 20 14 805 00 80 5x xx 4 01 00 20 10 804 00 80 4x xx 3 01 00 20 0C 803 00 80 3x xx 2 01 00 20 08 802 00 80 2x xx 1 01 00 20 04 801 00 80 1x xx 0 01 00 20 00 800 00 80 0x xx



General Rules for this Layout

Page Table PT has entry n pointing to page P

Entry location is 01 00 00 00 + PT × 1000 + 4 × n

Entry points to page P = PT × 400 + n

The entry itself is (PT × 400 + n) × 1000 + xxx

Points to page at base address (PT × 400 + n) × 1000

Byte Physical Address is

A = page base address + offset

A = (PT × 400 + n) × 1000 + offset = PT × 400000 + n × 1000 + offset



Equivalent Shifts

Multiplying by 400000 is a shift left: 0h = 00002 ⇒ × = 4 shifts 100000h = (10h)5 = 5×4 shifts = 20 shifts 4h = 1002 ⇒ 2 shifts left PT × 400000 = PT followed by 22 binary 0’s n × 1000 = n followed by 12 binary 0’s



Linear Address Format

directory page offset10 10 12

12 bits22 bits

Physical Address from page translation is A = PT × 400000 + n × 1000 + offset

PT × 400000 = PT followed by 22 binary 0’s n × 1000 = n followed by 12 binary 0’s

PT n offset10 10 12

12 bits22 bits

Physical Address ≡ Linear Address



Inverse Formulae

[ ] 1000400

4001000

int

400000int

×+×−=

⎥⎦⎤

⎢⎣⎡ ×−=

⎥⎦⎤

⎢⎣⎡=

nPTAoffset

PTAn

APT



Example

A = 00 40 10 04 PT = int[ 00401004/400000] = int[004/4] = 1 n = int[00401 - 400×1] = 1 Offset = 00401004 - [400 + 1] ×1000 = 4

Look at

1st entry in directory to find PT 1 1st entry in PT 1 to find page 401 at address 00401000 Offset 4 in page 401 to find 00401004



Translation Lookaside Buffer (TLB)

Address CacheSaves Linear Address to Physical Address translations32 last accessed linear address

CPU makes two accesses in parallelUsual Directory/PT/Page translationAccess to TLB

If linear address is in TLBTLB responds first and cancels translationTLB catches 98 - 99% of linear address accesses



Status Registers Control Registers

CR0: Options CR1: Reserved CR2: Last Page Fault CR3: Directory Base Address

EFLAG Registers



Interrupt Handling

Interrupt Gate points to the Interrupt Service Routine (ISR)

destination offset access 0 word count

destination selector destination offset

bit 7 bit 6,5 bits 4,3,2,1,0

P DPL 01110

The Interrupt Descriptor Table (IDT) contains the Interrupt Gates The IDT linear base address and limit is in the IDT register



Interrupt Service

Instruction INT n is executed

CS:EIP of next instruction pushed onto stack

Interrupt Gate at address = IDT base + n × 8 loaded to CS Shadow Register

Selector and Offset from Interrupt Gate loaded to CS:EIP

CS:EIP is address of the ISR (interrupt handler)

ISR finishes with IRET, which pops previous CS:EIP

CS:EIP


Instruction INT n

IDT

interrupt gate


countdestination

selectordestination

offset



Hardware Task Creation

Task defined by writing a Task State Segment (TSS)

TSS holds task contextAll register valuesLDT SelectorStatus WordOther OS informationBack link to a previous task

TSS descriptor (normal descriptor) placed in GDT or LDT

TSS Selector (points to TSS descriptor) written in Task Gate

Task Gate placed into GDT, LDT, or IDT



TSS Contents

back link stacks and stack pointers for CPL = 0, 1, 2

task switch to higher privilege level causes switch to a separate stack CR3 EIP

EFLAGS EAX, ECX, EBX, EDX ESP, EBP, ESI, EDI

ES, CS, SS, DS, FS, GS LDT Selector

OS specific information



Task Gate

destination offset access 0 word count

destination selector destination offset

bit 7 bit 6,5 bits 4,3,2,1,0

P DPL 00101



Task Switching by Jump

selectorCS:EIP


JMP

GDTtaskgate


countdestination

selectordestination

offset

TSS Register

TSS descriptor

TSS Shadow Register

TSS

Task ContextAll

CPURegisters



Task Switching by Jump

No nesting ⎯ back link not setCurrent code executes JMP to CS:EIP

CS selector points to Task Gate in GDT or LDTDescriptor (Task Gate) loaded to CS Shadow Register

HardwareRecognizes descriptor as Task GateCopies context of current task to its TSSLoads Destination Selector from Task Gate

to TSS RegisterSelector in TSS Register points to TSS descriptorLoads TSS descriptor to TSS Shadow RegisterLoads new context from new TSSRuns new task from CS:EIP from new task context



Task Switching by Call Instruction

Current code executes CALL to CS:EIPPushes CS:EIP of next instruction onto stackCS selector points to Task Gate in GDT or LDTDescriptor (Task Gate) loaded to CS Shadow Register

HardwareRecognizes descriptor as Task GateCopies context of current task to its TSS

Makes temporary copy of current TSS RegisterLoads Destination Selector to TSS RegisterSelector in TSS Register points to TSS descriptorLoads TSS descriptor to TSS Shadow RegisterLoads context from new TSS to run called taskWrites old TSS Selector into back link of new TSS



Task Switching by Call Instruction

Called task ends with an IRET instruction (or preemption)

The hardware

Copies context of new task to TSS

Loads back link into TSS Register

Selector in TSS Register points to previous TSS descriptor

Loads previous TSS descriptor to TSS Shadow Register

Loads context from previous TSS to restore previous task



New Instructions for IA32

Instruction Description ARPL r/m16,r16 Adjust RPL of r/m16 to not less than RPL of r16 LAR r16,r/m16 Load Access Rights: r16 ← r/m16 masked by FF00H LSL r16,r/m16 Load: r16 ← segment limit, selector r/m16 LSL r32,r/m32 Load: r32 ← segment limit, selector r/m32 SGDT, SIDT m Store GDTR to m, Store IDTR to m SLDT r/m16 Stores segment selector from LDTR in r/m16 STR r/m16 Stores segment selector from Task Register in r/m16 VERR r/m16 Set ZF=1 if segment specified with r/m16 can be read VERW r/m16 Set ZF=1 if segment specified with r/m16 can be written CLTS Clears Task Switch flag in CR0 LGDT m16&32 Load m into GDTR LIDT m16&32 Load m into IDTR LLDT r/m16 Load segment selector r/m16 into LDTR LTR r/m16 Load r/m16 into task register r = register m = memory pointer 16/32 = length in bitsr16={AX, CX, DX, BX, SP, BP, SI, DI}r32={EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI}



Real Mode

Start up mode for every Intel IA 32 processor

Processor runs as very fast 8086

Can access only lowest 1 MB of memory

OS boot code (BIOS) must be in low memory

Uses protected mode hardware in a special way



Shadow Registers

On Selector load, build pseudo-Descriptor: Load Base Address field with Selector × 10hLoad Limit with FFFFhLoad CS Access word with

Load DS Access word with

SS, ES, FS, GS created as data segments

G D 0 0 P DPL S CODE C R A 0 0 0 0 1 00 1 1 0 1 1

G 0 0 0 P DPL S CODE ED W A 0 0 0 0 1 00 1 0 0 1 1



Before Switching To Protected Mode

Build a GDT

At least one Data Segment

At least one Code Segment

Convert 8086 ISR vectors to IA-32 IDT

Build a TSS for OS scheduler

Put Task Gate for TSS into GDT

Build Page Tables and Directory

Linear Address = Physical Addresses

Write Directory Physical Address into TSS

Load GDT register and IDT register



Entering Protected Mode

Set flag PE to enter protected mode

JMP to Task Gate in GDT

Loads Task Register

Selector points to TSS Descriptor

CPU loads scheduler context from TSS

Set flag PG to enable Paging (optional)

OS scheduler is running in Protected Mode with paging

Can create new processes by writing TSSs and GDT entries



Virtual 86 Mode

Create TSS for VM86 taskClear flag PE (protected mode off ⇒ real mode)

Pseudo-Descriptors (real mode type)Can access 1 MB of address spacePrograms run as in 8086

Set flag PG (Paging Enabled)8086 20-bit addresses get re-mapped

All VM86 processes same address space 00000h to FFFFFh

Separate Page Table Directory for each VM86 task20-bit address space re-mapped to individual

32-bit locations



Use of IA32 Resources Under Linux

Hardware/Software issuesMost Linux code

Written in CCompiled for platform independence

PC-specific aspects of Linux source code located in arch/i386

Principal Linux strategies with IA32 • Ignore hardware segmentation• Migration away from hardware task management• Full use of hardware paging



IA32 Segmentation in Linux

Linux prefers a flat 4 GB memory spaceCreate a pseudo-flat address space:Linux writes 4 normal segment descriptors in GDT

Code Segment for kernel mode, with DPL = 0Data Segment for kernel mode, with DPL = 0User Code Segment, with DPL = 3User Data Segment, with DPL = 3

Each descriptor points to entire address range00 00 00 00 to FF FF FF FF

Each base address = 00 00 00 00Each segment limit = F FF FF with granularity G = 1Each segment size is 4 GB



Task Management in Linux

Early Linux kernelFor every task, two system segment descriptors

TSS segment descriptorLDT descriptor

Hardware-based task switchingUses TSS Register pointing to TSS Descriptor to load

context from TSSPlaces TSS Selector directly into TSS Register

Does not use Task Gate mechanism



Task Management in Linux 2.2

For each task

LDT descriptor

TSS segment descriptor

Only 4090 processes may be created:

GDT has room for 8192 entries (8192 × 8 = 64 KB)

12 entries required for user and system segment descriptors

2 entries are created for every task: (8192 - 12) / 2 = 4090



Task Management in Linux 2.4

Software-based task switchingDoes not use IA32 tasks for process creationDefines tasks in UNIX-style task PID tables (no limit on

task number)

Does not write TSS segment descriptors in the GDTOnly defines an LDT if the task requires one

Does not use the Task Gate mechanism

Performs UNIX-style software-based context switching



Paging in Linux

Linux uses the full paging mechanism of IA32Maintains page tables, using a different directory base

address (CR3) for each taskAddress compatibility with 64-bit architectures

Defines a "middle directory"On 64-bit machines

Linear address divided into 3 table fields and 1 offset field

On IA32 machinesMiddle directory field has 0-length (entry points to page table)

Kernel code and data are never swapped outBegin at 2nd megabyte

Physical base address 00 10 00 00



Intel 80386 Microprocessor

Intel 32-bit Architecture - Hadassahcs.hadassah.ac.il/staff/martin/micro_extended/slide10-1.pdf ·...

Documents

Transcript of Intel 32-bit Architecture - Hadassahcs.hadassah.ac.il/staff/martin/micro_extended/slide10-1.pdf ·...