Protected Mode Tutorial

Protected mode programming tutorial

Table of ContentsContents1 Introduction to Protected Mode

1.1 A Brief Introduction to Protected Mode1.2 The Benefits of Using Protected Mode

2 Addressing in Real Mode3 Registers in the 803864 The Real Mode Vector Table5 Hardware Interrupts6 Keyboard and the A20 Line7 Segment Selectors and Descriptors

7.1 Segment Selectors7.2 Tables Required in Protected Mode7.3 Descriptors

8 Protected Mode Privileges8.1 Data Access

9 How Multitasking Works10 Exceptions on the 80386 Processor11 Memory Management Unit (MMU)12 Virtual 8086 (V86/VM86) Mode13 Interrupt Handling in Protected Mode14 Working in Protected Mode

Node:Top, Next:Introduction,

ContentsThis documentation was written as a part of the CSD course project in which I had build aprotected mode bootable debugger.I found a lot of information on the web and in the intelmanuals.This is my attempt to collate it so as to be useful to a beginner. The document is designedas a tutorial and is intended to be a starting reference. The documentation contains detailedinformation about protected mode. Starters who wish to merely touch upon "protected modeprogramming" should generally read only the introduction, while others who require moreinformation can get into the depths.

If you have other questions, you can mail me.

Introduction: Introduction to Protected ModeRM Addressing: Real Mode Addressing

Protected mode tutorial http://prodebug.sourceforge.net/pmtut.html

1 of 20 16/02/12 10:08 PM

80386 Registers: The 80386 RegistersRM Vector Table: The Real Mode Interrupt Vector TableHardware Interrupts: Hardware InterruptsKeyboard: The Keyboard and the A20 LineSelectors and Descriptors: Segment Selectors and DescriptorsProtected Mode Privileges: Protected Mode PrivilegesMultitasking: How Multitasking WorksExceptions: Exceptions on the 80386 ProcessorMMU: Memory Management UnitV86 Mode: Virtual 8086 ModeInterrupt Handling: Interrupt Handling in Protected ModeWorking in Protected Mode: Working in Protected Mode

Node:Introduction, Next:RM Addressing, Previous:Top, Up:Top

1 Introduction to Protected ModeQuick look: A Brief Look at Protected ModeAdvantages: The Benefits of Using Protected Mode

Node:Quick look, Next:Advantages, Up:Introduction

1.1 A Brief Introduction to Protected ModeWhat is Protected Mode?

The 80386+ provides many new features to overcome the deficiencies of 8086 which has almostno support for memory protection, virtual memory, multitasking, or memory above 640K, and alsoremains compatible with the 8086 family. In DJGPP, the 386, 486, etc. are considered to beidentical. The points made about the 386 apply to all its successors as well.

The 8086 runs in only one mode - the real mode. When Intel engineers designed the 286, theywanted to support extra features that would be incompatible with the 8086. They also wanted tomaintain 8086 compatibility. To satisfy these requirements, the 286 uses two modes - Real Modeand Protected Mode. Real mode, the default, makes the chip act like an 8086 with only minorenhancements. There is a huge difference when it comes to protected mode. Almost all programsdesigned to run on an 8086 won't run under protected mode without major changes. DOS is one ofthese programs.

The 386 has all the features of the 8086 and 286, with many more enhancements. The default, asin the earlier processors, is real mode. Like the 286, the 386 can operate in protected mode.However, the protected mode on 386 is vastly different internally. Protected mode on the 386offers the programmer better protection and more memory than on the 286. The 386 also supportsa third mode, Virtual 8086 (V86) mode. In V86 mode, the 386 operates in protected mode butallows some programs it is running to use a simulated real-mode environment. That meansprograms like DOS can run in protected mode without the need for switching between real andprotected modes. The V86 mode has several advantages over real mode which are mentioned in


2 of 20 16/02/12 10:08 PM

the chapters that follow.

Node:Advantages, Previous:Quick look, Up:Introduction

1.2 The Benefits of Using Protected ModeAll the 386's special features become available in the processor's protected mode. Some of theextra powers of this mode are mentioned here...

Access to 4 gigabytes of memory - This is the most obvious difference between protected modeand real mode. Protected mode programs can use up to 4 GB of memory for data, code and stackspace. Using some undocumented features of the 8086 processors, it is possible for real-modeprograms to access memory above the 1MB limit for data storage. However, using thesetechniques for code and stack space is generally impractical. Of course, you probably won't have4GB of memory installed on your system. That brings us to the next feature.

Virtual memory - The Memory Management Unit (MMU) on the 386 allows virtual memory tobe implemented, which makes a program think that it has 4GB of memory when it has less(actually much less). The 386 and special operating system software simulate the extra memoryusing a mass storage (like a hard disk drive). Of course, you need about 4GB of free disk storagespace, but that's another problem.

Address translation - The MMU also allows addresses to be translated, or mapped, before use.For example, you might want to translate all references to a 4KB block at a segment B800H (theCGA text buffer) to a data buffer in your program. Later, your program could copy the buffer tothe screen. This is useful when redirecting the output of a program that directly writes to thescreen. Translation can also simulate expanded memory without an expanded memory board. Butthere are also certain functions in the later versions of EMS which can't be emulated by the MMU.But you will hardly require those functions even if your program is advanced.

Programs work with logical addresses. The 386 converts these logical addresses into 32-bit linear(non-segmented addresses). The MMU then converts linear addresses to physical addresses. If theMMU isn't active, linear and physical addresses are equivalent. Applying this terminology to realmode, the address B800:0010 is a logical address. Its equivalent linear address is B8010H. Sincereal mode doesn't use the MMU, the physical address is the same as the linear address.

Improved segmentation - In real mode, all segments are 64KB long and are in fixed locations. Inprotected mode, segments can be as short as one byte or as long as 4GB. The function__djgpp_nearptr_enable() uses this feature. Attempting to access memory past the end of asegment will cause an error. If the segment is 4GB long, then the addresses get wrapped if aprogram tries to access beyond the 4GB limit. Segments may start off at any location. In addition,the programmer determines each segment's intended use, which the 386 enforces. That is, if theprogram attempts to write data into a segment meant for code, the 386 will force an error. You alsocan define a segment that covers the entire address range of 4GB and effectively dispense withsegments altogether. All memory references are then via 32-bit non-segmented pointers. These flatpointers correspond directly to linear addresses.

Memory protection - The 386 allows memory to be protected. For example, a user's programmay not be able to overwrite operating system data. This, combined with the checks on segments,


3 of 20 16/02/12 10:08 PM

protects programs against bugs that would crash the computer.

Process protection - In a similar fashion to memory protection, different programs (or parts of aprogram) can be protected from each other. One program might not have access to anotherprogram's data, while the operating system might have access to everyone's data. Conversely, userprograms may have only limited access to the operating system's data. This is actuallyimplemented using the page protection mechanism provided by the MMU.

32-bit registers - All general-purpose registers on the 386 are 32-bits wide. Except for the E prefix(ex: EAX instead of AX), these registers have the same names as in the 8086. Two new segmentregisters (FS and GS) are also available; they are accessible from all modes but are most useful inprotected mode programs. Real-mode programs can also access these 32-bit registeres, but theywon't use them for indexing purposes. And using 32-bit registers in protected mode (32-bitprotected mode) will cut down the size of the code generally.

Improved addressing modes - In real mode, programs can only form addresses with constantvalues, the BX or BP register, and the SI or DI register. In protected mode programs, any registercan form addresses. An index can include a scale factor of two, four or eight. This allows you towrite instructions like MOV EBX, [EDI][EAX*8]+2.

Multitasking support - The 386 has special provisions to save the current processor state andswitch to a new task (known as context switch). A single instruction can switch contexts rapidly.This has important ramifications for operating systems and real-time processing. The 386 alsosupports nested tasks. A task can return to its original task using a back-link.

Hardware debugging - The 386 has special hardware for implementing single-step code and databreakpoints. This hardware is available in real mode with some special techniques.

Node:RM Addressing, Next:80386 Registers, Previous:Introduction, Up:Top

2 Addressing in Real ModeIn the 8086-type processors, memory is organized into bytes (8 bits=1 byte). When dealing withquantities larger than eight bits, the 8086 stores the least significant byte in the lowest address.While that sounds logical, it's confusing when you're reading listings or memory dumps becausethe numbers seem backwards. For instance, the computer stores the word B800H as two bytes:00H followed by B8H.

The Intel family of processors use a memory-addressing technique known as segmentation. Asegment is a region of memory. The computer can handle multiple segments. In real mode (the onein which DOS normally runs), each segment is 64K long and there are 65536 possible segments.But these segments overlap so that each starts 16 bytes after the one before it. This is why DOScannot address more than 1MB directly (65536 * 16 = 1048576 = 1MB). The 8086 and 8088 canonly address 1MB anyway. The 286, 386+ can accomodate much more memory, but DOS cannotaccess it directly.

Segments are numbered from 0000H to FFFFH. Since each segment is 64KB long, we use a valuecalled an offset, to specify the byte we want to address. A complete 8086 address always contains


4 of 20 16/02/12 10:08 PM

a segment and an offset.

If a segment is 0040H and the offset is 0102H, we write0040:0102. Because segments overlap every 16 (10H) bytes, address0000:0010 is identical to address 0001:0000. Likewise 0040:0000 is thesame as address 0000:0400, which is the same as 0020:0200. The computeralso stores segmented addresses ``backwards''. For instance, 0040:1234appears like this in the computer's memory (in hex):

34 12 40 00

To verify that all the addresses above are the same, convert them tolinear addresses. To convert a segmented address to linear address,multiply the segment value by 16 (10H) and add the offset.

So, we have (all in hex)

0040 * 10 + 0000 = 004000000 * 0 + 0400 = 004000020 * 10 + 0200 = 00400

all of which ultimately point to the same area of memory.

Node:80386 Registers, Next:RM Vector Table, Previous:RM Addressing, Up:Top

3 Registers in the 80386The 80386 has four general-purpose registers, a flags register, six segment registers, two indexregisters, a stack segment register and pointer, base register and an instruction pointer register. Inaddition to these, there are other special registers on the 386, namely:

GDTR (Global Descriptor Table Register)IDTR (Interrupt Descriptor Table Register)LDTR (Local Descriptor Table Register)TR (Task Register)CR0-CR3 (Control Registers)DR0-DR7 (Debug Registers)

The figure below shows most of these registers and their significance. As you can see, the 386+have a variety of special registers. They usually aren't useful under DOS, but we'll see some ofthem when we look at protected mode extensions to DOS.


5 of 20 16/02/12 10:08 PM

Node:RM Vector Table, Next:Hardware Interrupts, Previous:80386 Registers, Up:Top

4 The Real Mode Vector TableThe 8086 family of processors can respond to 256 different interrupts. Starting at location0000:0000 is a table of addresses for each interrupt. Each entry in this interrupt vector table is fourbytes long, enough for a segment and an offset. So, we have 1024 bytes or 1K reserved for theReal Mode Interrupt vector table. If the processor receives an interrupt 2 (INT 2), for example, itsaves the flags and current values of CS and IP on the stack. It then obtains the address stored atlocation 0000:0008 and executes the interrupt service routine (ISR) at that address. An IRETinstruction in the ISR signals the end of the interrupt1 and causes the processor to resume what itwas doing before the interrupt.

Node:Hardware Interrupts, Next:Keyboard, Previous:RM Vector Table, Up:Top

5 Hardware Interrupts


6 of 20 16/02/12 10:08 PM

A hardware interrupt is a special signal from an I/O device to the computer. This signal informsthe computer that the I/O device requires attention. The processor will normally stop whatever it isdoing to service the interrupt. When the interrupt completes, the processor resumes executionwhere it left off.

Hardware interrupts can come from various sources. For example, every time you press or releasea key, you generate an interrupt. Other interrupts originate from the clock, printer, serial port, diskdrives and so on. The processor itself causes some interrupts. INT 0 for instance, occurs when aprogram attempts to divide by zero. These are all hardware interrupts. Hardware interrupt handlingis perhaps one of the most important functions in protected mode. Badly written hardwareinterrupt handlers can cause disasters.

The 8259 Programmable Interrupt Controller (PIC) on the motherboard manages all hardwareinterruptrs. These controllers take interrupt signals from various devices and convert them tospecific interrupts for the processor.

Tha table below shows the hardware interrupts in real mode with their corresponding PIC interruptrequest inputs (known as IRQ lines). Do not confuse IRQ numbers with interrupt numbers. Forexample, the keyboard connects to IRQ1, which sends INT 9 to the CPU. The PICs can bereprogrammed to generate different interrupt numbers for each IRQ. This technique is generallyused by screen trapping programs and also by DOS Extenders such as go32.

The PICs also control the priority of interrupts. For example, the clock (on IRQ 0) has a higherpriority than the keyboard (IRQ 1). If the processor is servicing a clock interrupt, the PIC won'tgenerate an interrupt for the keyboard until the clock's ISR resets the PIC. On the other hand, theclock can interrupt the keyboard's ISR. The PICs can be programmed to use a variety of priorityschemes, but this is rarely, if ever, seen in PC programming.

The AT's extra PIC connects to the IRQ 2 of the first PIC. Therefore, the extra PIC's IRQs (8through 15) have the same priority as IRQ 2. Disabling IRQ 2 disabled all of the second PICsinterrupts.

Interrupt IRQ Number Description00H - Divide by zero or divide overflow02H - NMI (Non-maskable Interrupt)04H - Overflow (generated by INTO)08H 0 System timer09H 1 Keyboard0AH 2 Interrupt from second PIC0BH 3 COM20CH 4 COM10DH 5 LPT20EH 6 Floppy Disk0FH 7 LPT170H 8 Real Time Clock71H 9 General I/O72H 10 General I/O


7 of 20 16/02/12 10:08 PM

73H 11 General I/O74H 12 General I/O75H 13 Coprocessor76H 14 Hard Disk77H 15 General I/O

You can stop interrupts from disturbing an important section of code in several ways. The CLIinstruction disables all interrupts except the nonmaskable interrupt NMI since the NMI, whichdoes not go through a PIC cannot be disabled this way2. In addition, PICs can be reprogrammed toturn off specific interrupts.

Node:Keyboard, Next:Selectors and Descriptors, Previous:Hardware Interrupts, Up:Top

6 Keyboard and the A20 LineNormally, we would expect the 80386 to wrap addresses in real mode. Anticipating this, the ATmotherboard designers routed the A20 line through the keyboard controller. Ordinarily, thecontroller blocks A20 from reaching the memory chips. A special command to the keyboardcontroller can enable the A20, and another command can disable it again later. This so-called A20gate is essential to accessing extended memory, whether in real or protected mode3.

Node:Selectors and Descriptors, Next:Protected Mode Privileges, Previous:Keyboard, Up:Top

7 Segment Selectors and DescriptorsSegment Selectors: Segment SelectorsTables: Tables Required in Protected ModeDescriptors: Descriptors

Node:Segment Selectors, Next:Tables, Up:Selectors and Descriptors

7.1 Segment SelectorsUnderstanding segments is the key to understanding protected mode. Protected mode segmentshave little in common with real-mode segments. A protected-mode segment register holds a 16-bitsegment selector (see the figure below). Unlike in real mode, the selector has nothing to do withthe segment's location in memory. Instead, the value in the register is an index into a table ofsegment descriptors. Each descriptor defines one segment and determines where the segmentresides, the segment type, and other important parameters such as the access rights.


8 of 20 16/02/12 10:08 PM

The selector contains three fields. The lowest two bits (RPL) pertain to the 386's protectionmechanism which is explained shortly. The next bit, TI, determines which table of descriptorsdefines the segment.

There are three segment descriptor tables:

The Global Descriptor Table (GDT)1.The Interrupt Descriptor Table (IDT)2.The Local Descriptor Table (LDT)3.

Segment selectors never refer to the IDT. If TI is zero, the segment's definition is in the GDT. If itis one, the LDT contains the definition.

Node:Tables, Next:Descriptors, Previous:Segment Selectors, Up:Selectors and Descriptors

7.2 Tables Required in Protected ModeEach descriptor table can hold upto 8192 descriptors. The INDEX bits (bits 15 through bit 3) in theselector determine which descriptor to use.

The GDTR and IDTR registers determine the location of the GDT and IDT respectively. Eachcontains a 32-bit address and a 16-bit limit. The limit is one less than the length of the table inbytes. The GDTR and IDTR are 48-bit registers. The address is linear rather than a segment-offsetpair. Each table can contain upto 64KB or 8192 descriptors.

The GDT, as its name implies, is global; even when the system is multitasking, all tasks share theGDT. This is also true of the IDT - each task uses the same one. If one task changes the GDT orIDT, all tasks are affected.

The LDTR determines the location of the LDT. Unlike the GDT, each task usually has its ownLDT. Unlike the GDTR, the LDTR does not contain a 48-bit address and limit. Instead, it holds asegment selector that must point to a special entry in the GDT. This GDT entry points to the LDT.The GDT may contain pointer to several LDTs.

The IDT is analogous to the real-mode interrupt vector table. Each descriptor defines the responseto one of the 256 possible interrupts. Even though the IDT can contain upto 8192 descriptors, anymore than 256 is a waste.

The figure below show the logical format of a basic descriptor table entry. Also, other special


9 of 20 16/02/12 10:08 PM

types of descriptors are also shown.


10 of 20 16/02/12 10:08 PM

Node:Descriptors, Previous:Tables, Up:Selectors and Descriptors

7.3 DescriptorsTwo fields in the segment descriptor are particularly interesting. The P bit (bit 47) determineswhether the segment is present. An operating system can clear this bit to create a virtual segment.When a program tries to use a virtual segment, the 386 generates an error. The operating systemcan then load the segment from the disk and try again. When P is clear, bits 0 through 39 and 48through 63 can contain any values. The operating system could store a disk address here, forexample. But this is unsuitable is the segment size is large. Fortunately, the 386 provides a betterway to use virtual memory.

The other interesting field is the A bit (bit 40). The 386 sets this bit when any program writes tothe segment. Our crude virtual memory system might use this bit to decide whether it should writea segment to disk before making it absent and reusing its space.

Another question is how a descriptor can specify a segment from one byte to 4GB long. The limitfield given is only 20 bits. This is where the G bit (bit 55) comes into play. If G is zero, the limitfield corresponds to one segment's maximum legal offset (one less than its length). If G is one,however, the 386 shifts the limit field 12 places left to make a 32-bit limit. The 386 fills the bottom


11 of 20 16/02/12 10:08 PM

12-bits with ones.

For example

If a dscriptor has a limit field of one and G is one, the actual limitis 1FFFH. When G is one and limit is zero, the limit is FFFFH.

This scheme allows us to specify a segment with a length of less than 1 Mbyte or a multiple of 4Kbytes. When G is zero, the segment can range from one byte to 1 Mbyte long. When G is one,the segment can range from 4 Kbytes to 4 Gbytes in length (in 4 Kbytes steps).

It is possible to create two or more descriptors that point to the same area of memory. Anoperating system, for example, might load a file into a data segment and jump to a code segmentthat starts in the same place. This process is known as aliasing. The operating system must havesome way of loading the GDT and other tables. Therefore, it will usually have a data segment aliasto the GDT. Some systems set up a data segment that covers all 4GB of memory. Tables can thenbe written directly with that data sgement. Operating systems rarely allow user programs to accessthe GDT, IDT and other system tables directly.

The processor reserves the first slot of the GDT. The selector for this slot is the null selector, andusing it always causes an error. The null selector's descriptors should be all zeros. Non-zero valueswork but you never know ;-).

Node:Protected Mode Privileges, Next:Multitasking, Previous:Selectors and Descriptors, Up:Top

8 Protected Mode PrivilegesProtected mode gets its name from the 386's privilege protection. Each program has a privilegelevel, or PL, from zero to three. Programs at PL0 can execute any instruction and access any data.Programs at PL3 can't execute certain instructions; they also can't access data that belong to moreprivileged programs. Each segment descriptor has a Descriptor Privilege Level (DPL) that the 386uses for protection. The 386 also controls which programs can execute I/O instructions.

A privilege hierarchy is important for supporting modern operating systems. In a typical operatingsystem, the main kernel runs at PL0. Other parts of the operating system might run at PL1. Devicedrivers can run at PL2; they need to do direct device I/O. User programs in this system would runat PL3. This scheme has many advantages. In particular, a malicious program can't damage theoperating system or other user programs.

PL0 programs alone can execute the following instructions:

•HLT•CLTS•LGDT•LIDT•LLDT•LTR•LMSW•MOV (to/from control/debug/test registers)

On 486 systems

•INVD


12 of 20 16/02/12 10:08 PM

•WBINVD•INVLPG

On Pentium and above

•RDMSR•WRMSR•RDTSC

The IOPL field in the EFLAGS register allows the operating system to control who can do I/O.These two bits determine the minimum privilege level a program must have to execute I/Oinstructions (CLI, STI, IN, INS, OUT and OUTS). If IOPL is zero, only PL0 programs can do I/O.If IOPL is 3, all programs can execute I/O instructions. Only a PL0 program can modify the IOPLflags. When other programs modify the flags, IOPL doesn't change! Leaving IOPL=3 makes lifeeasy for DOS Extenders, but it can cause major problems since real-mode programs mostly usedirect I/O.

A program's privilege level is equal to the RPL field of the selector in the CS register. This is thecurrent privilege level or CPL. You can't directly modify the CS register so that it has a differentRPL. The same holds true for SS as well.

8.1 Data AccessPrograms can't load a sgement register with just any selector. When a data segment register (DS,ES, FS or GS) is loaded, the 386 checks the DPL against the program's CPL and the selector'sRPL. The 386 first compares the CPL to the RPL. The largest one becomes the effective privilegelevel (EPL). If the DPL is greater than ot equal to the EPL, the 386 loads the sgment register;otherwise an error occurs.

The SS register must be loaded with a segment whose DPL and CPL are equal. The 386 alsochecks to make sure a stack segment is readable, writeable and present.

The 386 provides a special stack segment type. You can also use a plain data segment for a stack,if you wish. A stack segment's limit field indicates the lowest legal offset in the segment.

It is always valid to load a null selector (0 through 3) into a segment register. However, anyattempt to access memory via the selector will cause an error as expected.

Node:Multitasking, Next:Exceptions, Previous:Protected Mode Privileges, Up:Top

9 How Multitasking WorksThe 386, as mentioned earlier, has support for multitasking, i.e. running several processesconcurrently. In reality, however, they do not run concurrently. It only appears to the user asthough they were all running at the same time.

The 386 uses the Task State Segments (TSSs) to support multitasking. The TSS descriptor pointsto a buffer which must be at least 104 bytes long. In addition to multitasking, TSSs can also beused for hardware interrupt handling (using task gates in the IDT). The TSS selector is neither


13 of 20 16/02/12 10:08 PM

readable nor writeable. Generally, a TSS alias is created, which is nothing but a "data type"segment pointing to the TSS buffer. TSS selectors always appear in the GDT, never in LDT orIDT. However, as mentioned above, task gates may appear in the IDT. The processor uses the TSSselector internally.

Since a multitasking switch requires the processor state to be saved, the buffer mostly contains thecontents of the hardware registers. When a task switch occurs, the processor saves various detailsin the TSS buffer automatically. This process is very quick and hence not many CPU cycles arewasted in switching to a new task. Before a task is initially started, the operating system has to fillin certain entries in the TSS buffer.

Notice the slots for stack segments and pointers for PL0, PL1 and PL2 near the top of the TSS. Aprogram must maintain separate tasks for each privilege ring it may use. In particular the PL0stack segments and pointers are a must. Otherwise, the processor may shut down due to a doublefault in case of an interrupt.

A task switch may occur during a "far jump" or a "far call". The offset of the call or jump is simplyignored. The values in the TSS are loaded into the registers and the new task beings to execute.The selector referred by the jump or call must be a TSS selector or a task gate. The task gatecontains the TSS selector. But unlike the TSS selector, the task gate may occur in the GDT, IDT orLDT. The EPL must always be less than or equal to the TSS's DPL as in case of the normalsegment selectors.

The 386 also supports nested tasks. It handles nested tasks using the NT bit in the EFLAGSregister. Whenever a task "calls" another task, the 386 stores the old task's TSS selector in the"back-link" field of the new TSS. Also, the NT bit in the EFLAGS register is set. When the newtask wishes to return to the old one, it issues an IRET instruction4.

The TSS aren't reentrant. Whenever a task is running, the 386 sets the BUSY bit in the TSSselector to indicate this. This is done to prevent recurive calling of tasks.

As mentioned earlier, the TSS must be at least 104 bytes long. The size of the TSS may extend toany size. The 386 contains a pointer to an I/O bitmap in the last field. The size of this bitmap isusually 8K, but may be lesser. The I/O bitmap is optional. If the size of the I/O bitmap is lesser,entries past the end of this bitmap are considered as "1s". Each bit in the I/O bitmap corresponds toone I/O port. If a task tries to do I/O, the 386 checks the task's CPL against the IOPL. If the CPL isless than or equal to the IOPL, access is granted, otherwise the 386 checks the I/O bitmap. If thebit corresponding to the I/O port used is zero, the 386 allows access, otherwise it denies access. Abitmap should always end with 0FFh.


14 of 20 16/02/12 10:08 PM

Node:Exceptions, Next:MMU, Previous:Multitasking, Up:Top

10 Exceptions on the 80386 ProcessorThe 386 has support for 256 interrupts (or exceptions) just as in the 8086. The Interrupt Descriptortable (IDT) contains the definition for each of these interrupts. The IDT can have 8192 entries. Butif more than 256 of these entries are present, they simply remain unused. The IDT may containtrap gates, interrupt gates or task gates. A trap gate is one that does not clear interrupts beforeentering the exception handler. However, an interrupt gates disables all interrupts before enteringthe handler. Details about task gates have been given elsewhere in this document. SeeMultitasking.

Interrupts may be caused due to external hardware (which comes through the PIC. See HardwareInterrupts.), may be caused by the processor itself, or may be a software interrupt. Carefullyhandling processor generated and hardware interrupts is one of the major tasks of an operating


15 of 20 16/02/12 10:08 PM

system. Slightest errors in these interrupt handlers may result in disasters and blue screens ;-).

The processor generated 386 exceptions can be classified into faults, traps and aborts.

A fault is a correctable error. Most invalid operations result in faults. When a fault occurs, theCS:EIP points to the instruction that caused the fault. Faults are considered to be the least seriousexceptions. The most common of these faults is the "General Protection Fault (GPF)".

Traps accur whenever a software interrupt occurs. Software interrupts are caused due to theexecution of INT and INTO instructions. When a trap occurs, the CS:EIP points to the instructionfollowing the actual instruction that caused the trap.5 The system cannot restart traps.

Aborts are serious errors that indicate that there may be a severe problem with the operatingsystem itself. The Double Fault and FPU Overrun are considered as aborts.

The table below shows the various exceptions with their classifications:

Exception (#num) TypeDivide Error (0) FaultDebug (1) F/TrapBreakpoint (3) TrapOverflow (4) TrapBounds Check (5) FaultBad Opcode (6) FaultNo Coprocessor (7) FaultDouble Fault (8) AbortCoprocessor Overrun (9) AbortInvalid TSS Segment (0A) FaultSegment not Present (0B) FaultStack Fault (0C) FaultGeneral Protection Fault (0D) FaultPage Fault (0E) FaultCoprocessor Error (10) Fault

Node:MMU, Next:V86 Mode, Previous:Exceptions, Up:Top

11 Memory Management Unit (MMU)The 386 has at least two facilities to support memory management. They are:

Segmentation1.Paging2.

Among the two types, use of the segmentation mechanism is a must, while paging is optional tothe user. Paging provides a mechanism to implement virtual memory used by almost all operating


16 of 20 16/02/12 10:08 PM

systems today. CWSDPMI, the official DJGPP DPMI server, uses this too. The advantage of usingthe paging mechanism is that you can restrict access to specific portions of the memory, while thatwould be hard to do with a segmentation scheme. You can enable paging using the CR0 register.Segments are used to keep track of data, code and the stack a certain program is using. However,an operating system might also use a single selector that covers the entire 4GB of addressablespace and described earlier in this document. See Advantages.

Enabling paging, however isn't as simple as setting bit 31 of CR0. You need to set up the PageDirectory Entries and the Page Table Entries, the PDEs and PTEs. The PDEs and PTEs areactually tables which are used to convert the logical address into the physical address. SeeAdvantages.

As with most other functionality, only PL0 programs can activate the MMU. User programs neverknow that an MMU exists! The pages are classified as User/System. PL0 programs can access anypage. PL3 programs can access a "User" page, but not a system page. Since 4GB of memory isoften not available on most systems, the page tables for these aren't usually setup. Thecorresponsding entries in the PDEs are marked as "not present".

The MMU uses two types of tables to translate addresses - the Page Directory Entry and the Pagetable Entries. Each PDE corresponds to 4 Megabytes of contiguous memory. The PDE contains apointer to the starting of the coressponding pgae tables. These PTEs can be used to set permissionsfor 4K blocks within the PDEs 4M area. The PTEs also contain the actual physical address. Notethat the PDE contains the Physical Address of the page tables. To translate a linear address into aphysical address, the MMU looks at bits 31-22 of the linear address. This is used to select the PDEin concern. Bits 21-12 are used to select one of the 1024 PTEs in the page table selected. Thelower 12 bits form the lower 12-bits of the physical address.

Now, the question is how the MMU finds where the Page Directories are present. The CR3 registerholds the base address of the PDEs. Hence, it is also known as the PDBR (Page Directory BaseRegister)6

Node:V86 Mode, Next:Interrupt Handling, Previous:MMU, Up:Top

12 Virtual 8086 (V86/VM86) Mode


17 of 20 16/02/12 10:08 PM

As mentioned earlier in this document, the 80386 has a third mode called the V86 mode. In thismode, the 80386 behaves exactly like an 8086 with a few minor exceptions. In V86 mode, theCPU may not issue any of the privileged instructions such as LGDT, LIDT, LLDT, SLDT, ARPL,LAR, LSL, LTR, VERR, VERW, INVD, WBINVD, WRMSR, RDMSR, etc. However, unlike thereal mode, the MMU is active in the V86 mode. Therefore, the operating system still has controlover a V86 task, although it runs just like in real mode. Since privileged instructions cannot beexecuted, the OS can prevent system crashes or malicious programs from destroying any data.

A task is said to be a V86 task when the VM bit in the EFLAGS register is set. Only a PL0program can set this bit. The bit can also be set in the TSS before the task is executed. Theadvantage of a having a V86 task rather than a real mode task is obvious - it's due to securityreasons. The other reason is that the time taken by the CPU to switch from protected mode to realmode is considerable and greatly slows down the program. By running the program in V86 mode,the program is actually executed faster.

A V86 task, just like a real mode program, uses segments and offsets rather than a selector:offsetpair. It can access 1MB of memory. A V86 task always runs at PL3. They can do I/O only if theIOPL is 3 or if the TSS bitmap allows them to do so. If IOPL is less than 3, then the CPUgenerates a General Protection Fault whenever the V86 task attempts to execute the followinginstructions - CLI, STI, INT, IRET, LOCK, PUSHF and POPF.

Node:Interrupt Handling, Next:Working in Protected Mode, Previous:V86 Mode, Up:Top

13 Interrupt Handling in Protected ModeInterrupt Handling is one of the most important tasks of any operating system. In particular,without handling the hardware interrupts correctly, anything could happen. The system could crashor cause unusual problems. This section gives an overview of interrupt handling in ProtectedMode and V86 Mode.

Interrupt handling in Protected Mode has been mentioned previously in this document. SeeExceptions.

Interrupt handling in V86 mode is slighly more complex. Although the processor is in V86 mode,the interrupt handling still occurs in protected mode. Since the segment registers will mostprobably contain garbage values for the selectors, the 386 zeros all segment registers beforecalling the appropriate interrupt handler. Keep in mind that we're talking of hardware interruptshere, not the ones generated by the INT instruction. The SS will contain the selector for the PL0stack in the Task State Segment. The structure of the VM86 stack frame which is pushed into thePL0 stack is as shown in the figure below.


18 of 20 16/02/12 10:08 PM

When the General Protection Fault occurs, it can be either due to the fact that a V86 task wasinterrupted or it could be due to an interrupt in a true protected mode program. To differentiatebetween the two, the handler can look at the EFLAGS register to check if a V86 task was running.If a V86 task generated the interrupt, the interrupt handler can look at the offending instruction.Once the cause of interrupt is known, the operating system can choose to emulate the instruction(instructions like CLI, STI, etc.). or simply terminate the program or take any other action.

Node:Working in Protected Mode, Next:Protected Mode Tutorial, Previous:Interrupt Handling,Up:Top

14 Working in Protected ModeWorking in Protected Mode requires that you first switch to protected mode. To switch toprotected mode and do some real work, you need to follow these steps:

Setup the Global Descriptor Table (GDT)1.Setup the Interrupt Descriptor Table (IDT)2.Reprogram the PICs so that they generate different interrupts3.Setup the TSS4.Setup Page Tables and CR3 (perhaps you may not require this)5.Set bit 0 of CR06.Load the Task Register (TR)7.Jump to the TSS selector8.

Setting up the GDT and IDT should be easy. Create the descriptors and then load GDTR with theaddress and length of the table.

Setting up the TSS can be easy, too, if you follow a neat procedure. Finally, do a far jump to theTSS and that should do it.


19 of 20 16/02/12 10:08 PM

Footnotes

In reality, this hardly happens. Most BIOSes and even DOS, sometimes, use instructionslike RETF 2, making this INT-IRET sequence unreliable enough for simulating interrupts inV86 mode. A work-around is to use a special VM86 stack-frame which is takes care of allthis.

1.

By definition the 8086 can't mask the NMI. On the PC, the motherboard, however, doeshave the ciruitary to prevent an NMI from occurring. You will rarely need to disable theNMI. On the ATs, the motherboard controls it with port 70H. Clearing bit 7 of this port willcut off NMI.

2.

Many programs get access to memory beyond the 1 MB limit by simply enabling the A20.With the A20 enabled, the addresses won't wrap around, so they can access around 64K ofmemory above the 1MB limit without getting to real mode. But then, this can cause severalproblems with memory managers, so it must be carefully done

3.

The IRET instruction in the 386's protected mode has a much different meaning than what ithas in real mode. To return from an interrupt handler in protected mode, IRETD is used.

4.

Traps have nothing to do with trap gates. A trap can be handled using an interrupt gate or atrap gate.

5.

Note that the PDE and all PTEs must lie on the beginning of a 4K block.6.


20 of 20 16/02/12 10:08 PM

Protected Mode Tutorial

Documents

Transcript of Protected Mode Tutorial