Segment Descriptor

Segment Descriptor

.

Limit(15-0)

Base address(23-0)

ATYPE

sDPL

PLimit(19-16)UXDG

Base address(31-24)

0151639404144474851525663

Gate descriptors (S=0, Type 4,5,6,7,C,F)• Call gate are used to modified privilege levels.• Trap and interrupt gates are used in interrupt

and exception handling.• The task gates are used in multitasking system

Offset (15-0)

Offset(31-16)

Selector

Word count4………0

DPL TypeP 0 0 0 0

058151631

Protected Virtual Address Mode.

Selector offset

Physical address adder

SegmentBase adder

Memoryoperand

Segmentdescriptor

Segment Descriptor• Segments are areas of memory defined by a programmer

and can be a code, data or stack segment.• In 80386 segments need not be all the same size and

aligned. And segments need not be exactly 64 KB long, but we can define them to be any length from 1 byte to 4 GB.

• In 80386 memory segmentation, it is not possible to use a 16-bit segment register to represent all the information related to segment. When multiple privilege levels and intertask protection are required a special structure called a segment descriptor is used.

Segment Descriptor

• The description of a segment includes its base address, length, type, privilege level and some security information.

• The lower base address is specified in bits 16 to 39 and upper 8 bits are specified in bits 56 to 63.

• The lower 16 bits of segments limit are specified in 0-15 and the remaining 4 bits are specified in 48-51.

Types of segment descriptors

segment descriptors

System Non-System

LDT TSS Gate Code Stack Data

Non System Segment descriptors

• Defines data, code, stack segments.• Used by both system and application

programs.• S=1 in access right byte.

Descriptors Bit Position Name Function7

6-5

4

Present (P)

Descriptor PrivilegeLevel (DPL)Segment DescriptorType (S)

P=1 Segment is mapped into physical memoryP=0 No mapping to physical memory exists, base and limit are not used Segment privilege attribute used in privilege tests

S=1 Code or Data segment descriptorS=0 System segment Descriptor or Gate Descriptor

32

1

Executable(E)ExpansionDirection(ED)Writeable(W)

E=0 Data segment descriptor type is :ED=0 Expand Up segmentED=1 Expand Down segmentW= 0 Data segment may not be written intoW= 1 Data segment may be written into

32

1

Executable(E)Conforming(C)

Readable(R)

E=1 Code segment descriptor type is:C=1 Code segment may only be executed When CPL DPL and CPL remains unchangedR=0 Code segment may not be readR=1 Code segment may be read

0 Accessed(A) A=0 Segment has not been accessedA=1 Segment selector has been loaded into segment register or used by selector test instruction

Non System Segment descriptors• P bit indicates whether segment is present in

memory or not. P = 0 -> Segment is not present and P = 1-> Segment is present.

• DPL: defines privilege level of the segment. Used to protect segment from low privilege caller.

Non System Segment descriptors• S: Used to distinguish between non system segment and

system segment descriptors.• S = 1-> Non system segment descriptor.• E: Executable; Used to distinguish between data and code

segments. E=0 -> Data segment including stack. E = 1 -> Code segment.

• ED/C: Expand direction/conforming; When E=0, then this bit functions as ED, ED indicates whether the segment is data or stack. ED = 0 -> Data segment( access segment randomly). Offset address limit. ED = 1 -> Stack segment LIFO.

Non System Segment descriptors• When E =1, then this bit functions as C

( conforming) bit. Used to distinguish between conforming and nonconforming code segments.

• C= 0 -> Non conforming code segment. • C = 1 -> Conforming code segment. • R/W Read/Write. When E= 0( data segment),

then this bit functions as W bit. This bit indicates whether data segment is writable or not.

• W = 0 -> data segment is not writable. W= 1 -> data segment is writable.

Non System Segment descriptors

• When E =1 (code segment) then this bit functions as R bit. This bit indicates whether code segment is readable or not. R = 0 -> code segment is not readable and R = 1 -> code segment is readable.

• A: Accessed; This bit indicates whether the segment is accessed or not. A= 1 -> Segment accessed. This bit is reset by OS periodically. A= 0 -> Segment not accessed

System Segment descriptor Type• All system descriptors are present in GDT while some

system descriptors are present in LDTs.• Normally system segment descriptor are used by OS.• The value of S in right access byte is 0.• Their functions are fixed and specified by Intel.• The type of system descriptor is indicated by type

field.• The system segment descriptors have no Accessed bit,

instead the type field (3 bits) is now extended to 4 bits.• The system segment descriptors contain the

information about tables (LDT), tasks(TSS) and gates (call gate, interrupt gate, task gate, trap gate) of the OS.

System descriptorsName Value Description

Type 0 1 2 3 4 5 6 7 8 9 A B C D E F

Reserved Available 16 bit TSS LDT Busy 16 bit TSS Call Gate Task Gate 16 bit Interrupt gate 16 bit Trap gate Reserved Available 32 bit TSS Reserved Busy 32 bit TSS 32 bit Call Gate Reserved 32 bit Interrupt Gate 32 bit Trap Gate

P 0 1

Descriptor contents are not valid Descriptor contents are valid

DPL 0-3 Descriptor Privilege level 0,1,2, or 3

BASE 32-bit number Base address of special system data segment in memory

LIMIT 20-bit number Offset of last byte in segment from the base

LDT descriptor (s=0, Type 2)

LDT descriptor (s=0, Type 2)

• The LDT descriptors are present in the GDT. They contain the information about the LDT.

• LDT contains the segment descriptors that are unique to a particular task.

• The DPL field of the descriptor is ignored as this descriptor can only be accessed with a privilege level of 0.

• Here type field =2 i.e. it specifies a LDT descriptor.

TSS (Task State Segment) Descriptors (s=0, Type 1, 3, 9 and B)

• Whenever a computer is performing more than one tasks at a time it may also switch between these tasks.

• The task may be a single program or a group of program.

• When one task switches to another task , it stores all the necessary information required to restart the task where it was left. This information is called as the “ state of the task”

• For storing the state of the task the 80386 processor uses a special segment called the “Task State Segment (TSS)”


• The task segment is addressed with the help of TSS descriptor. It contains information about the location, size and privilege level of a TSS.

• A TSS descriptor appears only in GDT and not in IDT or LDT.

• The TSS consists the linkage field for the nest task that permits the nesting of the tasks.


• B bit indicates whether task is busy or not. B=0 : Task is not busy B=1 : Task is busy

Gate descriptors (S=0, Type 4,5,6,7,C,F)

• Whenever 4,5,6,7 is specified in type field it specifies a call gate, task gate, interrupt gate and trap gate respectively.

• All fields are same as specified earlier except the word count, selector and offect.

• The word count field specifies the number of parameters that are to be copied from caller’s stack to the called procedure’s stack.

Gate descriptors (S=0, Type 4,5,6,7,C,F)• Call gate are used to modified privilege levels.• Trap and interrupt gates are used in interrupt

and exception handling.• The task gates are used in multitasking system

Protected Virtual Address Mode

Physical address calculation in the protected virtual address mode

Protected Virtual Address Mode

1) PLs > Pldesc->access to segment allowed.2)MMU checks__> Pdesc determine__> seg

present__> phy mem. 3) exception load__>seg mem return__>

interrupted prog.4) 1st & 2nd step satisfied MMU will add 16 bit

offset.

Descriptor tables and descriptors

Descriptor tables

• The segment descriptors are grouped together and placed in a continuous memory location and this group arrangement is known as descriptor tables .

• It contain 8192 descriptors and max length is 64KB. Each descriptor requires 8 bytes in order to store the data of particular segment.

• There are 3 types of descriptor tables.• 1)GDT 2) LDT 3) IDT

Global Descriptor Table Registor (GDTR) and GDT


• 48 bit register.• Used to point GDT.• Divided into two components viz. Base and limit.• Base value( 32 bit) indicates the starting address of

GDT.• Limit value(16 bit) indicates the size of GDT.• Used by OS only(GDTR).• Initialized in real mode.• Defines characteristics of global address space.• It has no cache register.


• GDT can be used by all programmers to refer to the segment of memory.

• 80386 processor in protected mode can have many LDT’s but only one GDT.

• It may contain special system descriptors.

LIMIT -> 16 bit field. Indicates the length of GDT in terms of bytes. The maximum size of GDT is 65536 bytes.Limit = Size -1e.g. if LIMIT = 00 F F Hthen size of GDT = 256 bytes

BASE -> 32 bit field. Gives 32 bit physical starting address of GDT.

BASE LIMIT

0151647

LDTR and LDT• 16 bit register.• Used as a local selector.• Points LDT descriptor stored in GDT.• GDT contains many LDT descriptors.• E ach LDT has LDT descriptor in GDT.• Points only one LDT descriptor at a time.• Used to change LDT.• Provides 48 bit cache register.• A 48 bit cache register is used to hold current LDT

descriptor.• E ach task may have it’s own LDT and can also be

shared with other tasks.

LDTR• Lower 3 bits are always zeros. Upper 13 bits

are used as Index Value• Index value is multiplied by 8 and added into

base address stored in GDTR.• Physical Address of LDT descriptor in GDT = Base address in GDTR + (Index value8).

13 bit Index Value 0 0 0

02315

LDTR CACH E R E GIST E R• This Register is not available for user.• It holds LDT descriptor of current LDT.• Base address is the physical address of LDT.• Limit indicates the size of LDT. Limit = Size -1• Access right provides protection mechanism.

32 BIT BASE Address of LDT 16 BIT LIMIT AccessRight

Local Descriptor Table• Local Descriptor Table– E ach task can have access to own private

descriptor table(LDT) in addition to GDT.– Contains descriptors that provide access to code

and data in segments of memory.

LIMIT

BASE

LIMIT

BASE

selector

0

0

015

15

15

31

31

GDTR

LDTR

LDTRcache

program invisible

GDT

LDT0

LDTn

···

···

···

LDTR

• The LDT is also called as “private table” which defines a local memory address space for use by the task.

• E ach task can have its own segment of local memory. So there may be many LDT’s in protected mode, say LDT-0 to LDT-n.

• for loading the value in the GDTR, LDTR, IDTR the 80386 provides the instructions LGDT, LLDT, LIDT. Similarly for storing we have SGDT, SLDT and SIDT

Interrupt Descriptor Table• Interrupt Descriptor Table (IDT)– Contains interrupt descriptors, not segment

descriptors.– IDT can also be up to 64KB; But 386 only supports

up to 256 interrupts and exceptions(2KB).

BASE LIMIT

047 16 15

0

255

1

InterruptDescriptor

Table(IDT)

Interrupt Descriptor Table Register(IDTR)MAX: 2k bytes

256 entries

Interrupt Descriptor Table Registor (IDTR) and IDT

IDTR• 48 bit register.• Points IDT.• IDT contains descriptors. Maximum 256.• Consists of base and limit value.• Base address indicates the starting address of IDT.• Limit value indicates the size of IDT.• Used by interrupts and exceptions only.• ISRs are invoked via IDT.• It has no cache register.• The descriptors used in the IDT are called as

“interrupt gates” which gives the beginning of an interrupt-service routine(ISR).

IDTR• Base address is the physical address of IDT.• Limit value indicates the size of IDT.• Limit = Size –1.• The maximum size of IDT is 256 8..

32 bit Base address of IDT Limit 16 bitNot more than 256*8-1

0151647

Logical to physical address translation

. SELECTOR OFFSET

SEGMENTTRANSLATION

PG?

DIR PAGE OFFSET

31 0

PAGETRANSLATION

PHYSICAL ADDRESS

PAGING DISABLED

PAGING ENABLED

LOGICAL ADDRESS

LINEAR ADDRESS

Logical to physical address translation

Memory management• Three components: logical, linear and physical• Transfers logical address into physical address in two steps viz.

segment and Page translation• Logical address consists of segment selector and segment offset.

This address is converted into a linear address. Logical address is also called virtual address.

• Segmentation is a process of converting logical address to a linear address. It provide memory management as well as protection.

• In page translation, the linear address is converted into physical address (optional).

• Segment provides a mechanism of isolating individual code, data and stack modules so that tasks can run on the same processor without interfering with one another.

• Paging provides a mechanism of implementing a conventional demand-paged, virtual memory system. Provides isolation between tasks.

Segment Translation Process

Segment & page Translation Process• In order to generate the 32 bit linear address,

the base address from the descriptor is added to the 32 bit offset. This process is called as segment translation.

• If the paging mechanism is not enabled then the 32 bit linear address is the physical address. But if the paging mechanism is enable then the linear address is transform to physical address. This process is called paging translation. Thus, the logical address is converted to physical address.

Memory management

• Segmentation unit translates the logical address into 32 bit linear address.

• Paging unit converts 32 bit linear address into 32 bit physical address.

• Paging mechanism manages only one segment at a time.

• Paging mechanism manages huge segment.• Semiconductor memory contains segments and

descriptor tables.

Memory management

P aging: Address Translation• It is the second phase of address translation. Here 386

processor converts the linear address that is generated by the segment address translation to physical address.

• This step is optional. It is mandatory only when the OS has to implement 1)multiple virtual 8086 tasks 2)page oriented protection 3) page oriented virtual memory.

• P G =1, physical address space(4GB) consists of 1,048,496 pages. Each page is of 4096 byte (4KB) long.

• The creation of unused section of memory is called as “fragmentation”. In paging process, the fixed size of the page gives fragmentation.

Segmentation & paging

• The 4GB physical address space is organized into segments and segment size is variable from one byte to 4GB.

• There are 1048496 pages in 4GB physical address and page size is 4KB and it is not variable.

• More efficient use of memory with less fragmentation.• Less efficient use of memory with more fragmentation.• The creation of unused section of memory is called as

fragmentation. In paging process, the fixed size of the page gives fragmentation.

Linear to physical address translation

• There are 3 components to the paging mechanism of 80386 : page directory, page table, page itself (page frame or page).

• The page directory & page table are in the table form. They are made up of 32 bit descriptors.

• Each directory and page table must contain 1024 descriptors that make the table or directory 4 KB long.


• A page frame is a 4KB unit of contiguous address of physical memory.

• The format of a linear address (in case of page) is shown in figure below.


• There are three fields in the linear address format: 1) 10- bit directory field. 2) 10-bit page field. 3) 12- bit offset field.• The 10 bit directory field is used as an index into the page

directory.• The 10 bit page field is used as index to the page table

determined by the page directory.• The 12bit offset selects one of the 4096 byte of memory

from the page frame that is determined by the page table.


• The physical address of the current page directory is stored in the CR3 which is referred as PDBR (page directory base register). This register identifies the location of the page directory table in memory.

• Each entry in the page table is 4 byte long and contains the base address of the page table and page frame.

• Register CR3 gives us the base address of page directory.


• Register CR3 gives us the base address of page directory.• Then bits 22 to 31 is used as an offset into this page

directory, which gives an page directory entry. This PDE contains base address of page table. Then bits 12-21 are used as an offset into this page table, this gives us an page table entry. This PTE gives base address of 4 KB page frame and finally bits 0-11 is used as an offset into this page frame, which gives us the required byte i.e. the physical address.

• Paging can be enabled or disabled using the PG bit in register CR0.(bit 31)

TLB• Paging can be speeded up by using a TLB cache.• The TLB cache holds the recent 32 entries of page tables.• Whenever TLB is used, the linear address is checked if it is present in

TLB i.e. a hit. And if it is not present then the earlier procedure is used to translate linear address to physical address.

• The hit rate is about 98% i.e. processor will only have to access two level page structure on 2% of all memory accesses.

• It is essential to flush the entire cache whenever the page tables are changed.

• The page translation cache is invisible for the application programmer, but it is visible for the system programmer.

• The cache can be flushed by the following methods:1) Reloading CR3 with a MOV instruction.2) by task switching to a TSS that having a different CR3 image than the current TSS.

Translation lookaside buffers (page translation process)

Demand paging• The paging mechanism of the 80386 processor is such that it

supports demand paging.• In demand paging system the pages are brought to the memory

only when they are needed.• In demand paging system a part of many different programs can

be stored in many different locations in physical memory. The page faults are used to bring in other pages of the programs as required.

• Demand paging allows the system to create a virtual environment for their programs. The performance of the demand paging system is dependant on the number of pages of a program that resides in memory at a time.

• The actual size and location of program are never known to programmer or program, but everything executes as required.

Block Diagram of MMU

Segmentation and Paging

Memory Management Flat Model

To implement a basic flat memory model with the IA-32 architecture, at least two segment descriptors must be created:• one for referencing a code segment and • one for referencing a data segment• Both segments, however, are mapped to the entire linear address space: that is, both segment descriptors have the same base address value of 0 and the same segment limit of 4 GBytes.

Protected Flat Model

Multi-Segment Model

Segment Registers

Segment Registers• To reduce address translation time and coding complexity, the processor

provides registers for holding up to 6 segment selectors.• Each of these segment registers support a specific kind of memory reference

(code, stack, or data). For virtually any kind of program execution to take place, at least the code-segment (CS), data-segment (DS), and stack-segment (SS) registers must be loaded with valid segment selectors.

• The processor also provides three additional data-segment registers (ES, FS, and GS), which can be used to make additional data segments available to the currently executing program (or task).

• For a program to access a segment, the segment selector for the segment must have been loaded in one of the segment registers. So, although a system can define thousands of segments, only 6 can be available for immediate use.

• Every segment register has a “visible” part and a “hidden” part. (The hidden part is sometimes referred to as a “descriptor cache” or a “shadow register.”)

Segment Registers• When a segment selector is loaded into the visible part of a segment register, the

processor also loads the hidden part of the segment register with the base address, segment limit, and access control information from the segment descriptor pointed to by the segment selector.

• The information cached in the segment register (visible and hidden) allows the processor to translate addresses without taking extra bus cycles to read the base address and limit from the segment descriptor.

• In systems in which multiple processors have access to the same descriptor tables, it is the responsibility of software to reload the segment registers when the descriptor tables are modified.

• Two kinds of load instructions are provided for loading the segment registers:1. Direct load instructions such as the MOV, POP, LDS, LES, LSS, LGS, and LFS instructions. These instructions explicitly reference the segment registers.2. Implied load instructions such as the far pointer versions of the CALL, JMP, and RET instructions, the SYSENTER and SYSEXIT instructions, and the IRET, INTn, INTO and INT3 instructions. These instructions change the contents of the CS register (and sometimes other segment registers) as an incidental part of their operation.

• The MOV instruction can also be used to store visible part of a segment register in a general-purpose register.

Protection Rings

Protection Rings• The center (reserved for the most privileged code, data, and

stacks) is used for the segments containing the critical software, usually the kernel of an operating system.

• Outer rings are used for less critical software.• The processor uses privilege levels to prevent a program or task

operating at a lesser privilege level from accessing a segment with a greater privilege, except under controlled situations.

• To carry out privilege-level checks between code segments and data segments, the processor recognizes the following three types of privilege levels:1) Current privilege level (CPL)2) Descriptor privilege level (DPL)3) Requested privilege level (RPL)

CPL

• The CPL is the privilege level of the currently executing program or task.

• stored in bits 0 and 1 of the CS and SS• Normally, CPL=PLCS from which instructions are being fetched.• The processor changes the CPL when program control is

transferred to a code segment with a different privilege level.• The CPL is treated slightly differently when accessing

conforming code segments• Conforming code segments can be accessed from any privilege

level that is =>(equal to or numerically greater (less privileged) than ) the DPL of the conforming code segment.

DPL

• The DPL is the privilege level of a segment or gate.

• stored in the DPL field of the segment or gate descriptor for the segment or gate.

• When the currently executing code segment attempts to access a segment or gate, the DPL of the segment or gate is compared to the CPL and RPL of the segment or gate selector.

• The DPL is interpreted differently, depending on the type of segment or gate being accessed

RPL• The RPL is an override privilege level that is

assigned to segment selectors.• stored in bits 0 and 1 of the segment selector.• The processor checks the RPL along with the CPL

to determine if access to a segment is allowed.• if the RPL of a segment selector is numerically

greater than the CPL, the RPL overrides the CPL, and vice versa.

• Privilege levels are checked when the segment selector of a segment descriptor is loaded into a segment register.

PRIVILEGE LEVEL CHECKING WHEN ACCESSING DATA SEGMENTS

Privilege Check for Data Access

PRIVILEGE LEVEL CHECKING WHEN ACCESSING DATA SEGMENTS

• To access operands in a data segment, the segment selector for the data segment must be loaded into the data-segment registers (DS, ES, FS, or GS) or into the stack segment register (SS).

• Segment registers can be loaded with the MOV, POP, LDS, LES, LFS, LGS, and LSS instructions.

• Before the processor loads a segment selector into a segment register, it performs a privilege check by comparing the privilege levels of the currently running program or task (the CPL), the RPL of the segment selector, and the DPL of the segment’s segment descriptor.

• The processor loads the segment selector into the segment register if the DPL is numerically greater than or equal to both the CPL and the RPL (DPL>= CPL & RPL).

• Otherwise, a general-protection fault is generated and the segment register is not loaded.

Examples of Accessing Data Segments From Various Privilege Levels

Examples of Accessing Data Segments From Various Privilege Levels

• Figure shows four procedures (located in codes segments A, B, C, and D), each running at different privilege levels and each attempting to access the same data segment.

• The procedure in code segment B is able to access data segment E using segment selector E2, because the CPL of code segment B and the RPL of segment selector E2 are both numerically lower than (more privileged) than the DPL of data segment E. A code segment B procedure can also access data segment E using segment selector E1.

• Similarly for other case in example.

Accessing Data in Code Segments• The following methods of accessing data in code

segments are possible:1)Load a data-segment register with a segment selector for a nonconforming, readable, code segment.2)Load a data-segment register with a segment selector for a conforming, readable, code segment.3)Use a code-segment override prefix (CS) to read a readable, code segment whose selector is already loaded in the CS register.

PRIVILEGE LEVEL CHECKING WHEN LOADING THE SS REGISTER

• Privilege level checking also occurs when the SS register is loaded with the segment selector for a stack segment.

• Here all privilege levels related to the stack segment must match the CPL.

• I.e. the CPL, the RPL of the stack-segment selector, and the DPL of the stack-segment descriptor must be the same (CPL=RPL=DPL).

• If the RPL and DPL are not equal to the CPL, a general-protection exception (#GP) is generated.

PRIVILEGE LEVEL CHECKING WHEN TRANSFERRING PROGRAM CONTROL BETWEEN CODE SEGMENTS

• To transfer program control from one code segment to another, the segment selector for the destination code segment must be loaded into the code-segment register (CS).

• As part of this loading process, the processor examines the segment descriptor for the destination code segment and performs various limit, type, and privilege checks. If these checks are successful, the CS register is loaded, program control is transferred to the new code segment, and program execution begins at the instruction pointed to by the EIP register.

• Program control transfers are carried out with the JMP, CALL, RET etc instructions.

Direct Calls or Jumps to Code Segments(Privilege Check for Control Transfer Without Using a Gate)

Privilege Check for Control Transfer Without Using a Gate

Direct Calls or Jumps to Code Segments(Privilege Check for Control Transfer Without Using a Gate)• The near forms of the JMP, CALL, and RET instructions transfer program

control within the current code segment, so privilege-level checks are not performed.

• The far forms of the JMP, CALL, and RET instructions transfer control to other code segments, so the processor does perform privilege-level checks.

• When transferring program control to another code segment without going through a call gate, the processor examines four kinds of privilege level and type information1) The CPL.2) The DPL of the segment descriptor for the destination code segment that contains the called procedure.3) The RPL of the segment selector of the destination code segment.4) The conforming (C) flag in the segment descriptor for the destination code segment, which determines whether the segment is a conforming (C flag is set) or nonconforming (C flag is clear) code segment.

1st we are taking: Accessing Nonconforming Code Segments

• When accessing nonconforming code segments, the CPL of the calling procedure must be equal to the DPL of the destination code segment (i.e. CPL=DPL); otherwise, the processor generates a general-protection exception (#GP).

• For example see figure :• Code segment C is a nonconforming code segment. A

procedure in code segment A can call a procedure in code segment C (using segment selector C1) because they are at the same privilege level (CPL of code segment A is equal to the DPL of code segment C).

Accessing Nonconforming Code Segments

Examples of Accessing Conforming and Nonconforming Code Segments From Various Privilege Levels

1st we are taking: Accessing Nonconforming Code Segments

• A procedure in code segment B cannot call a procedure in code segment C (using segment selector C2 or C1) because the two code segments are at different privilege levels.

• The RPL of the segment selector that points to a nonconforming code segment has a limited effect on the privilege check.

• The RPL must be numerically less than or equal to the CPL of the calling procedure (RPL<= CPL)for a successful control transfer to occur. So, in the example the RPLs of segment selectors C1 and C2 could legally be set to 0, 1, or 2, but not to 3.

2nd we are taking: Accessing Conforming Code Segments

• When accessing conforming code segments, the CPL of the calling procedure may be numerically equal to or greater than (less privileged) the DPL of the destination code segment(CPL=>DPL); otherwise the processor generates a general-protection exception (#GP) only if the CPL is less than the DPL. (The segment selector RPL for the destination code segment is not checked if the segment is a conforming code segment.)

2nd we are taking: Accessing Conforming Code Segments

• In the example code segment D is a conforming code segment.

• Therefore, calling procedures in both code segment A and B can access code segment D (using either segment selector D1 or D2, respectively), because they both have CPLs that are greater than or equal to the DPL of the conforming code segment.

Accessing a Code Segment Through a Call Gate

Call-Gate Mechanism

Accessing a Code Segment Through a Call Gate

• To access a call gate, a far pointer to the gate is provided as a target operand in a CALL or JMP instruction. The segment selector from this pointer identifies the call gate (See figure); the offset from the pointer is required, but not used or checked by the processor. (The offset can be set to any value.)

• When the processor has accessed the call gate, it uses the segment selector from the call gate to locate the segment descriptor for the destination code segment. (This segment descriptor can be in the GDT or the LDT.)

• It then combines the base address from the code-segment descriptor with the offset from the call gate to form the linear address of the procedure entry point in the code segment.

Privilege Check for Control Transfer with Call Gate

Privilege Check for Control Transfer with Call Gate

• Four different privilege levels are used to check the validity of a program control transfer through a call gate:1)The CPL (current privilege level).2)The RPL (requestor's privilege level) of the call gate’s selector.3)The DPL (descriptor privilege level) of the call gate descriptor.4)The DPL of the segment descriptor of the destination code segment.

• The C flag (conforming) in the segment descriptor for the destination code segment is also checked.

Privilege Check Rules for Call GatesThe privilege checking rules are different depending on whether the control transfer was initiated with a CALL or a JMP instruction,

Example of Accessing Call Gates At Various Privilege Levels


• To access a call gate, the CPL of a calling procedure must be equal to or less than the DPL of the call gate. For example, in Figure call gate A has a DPL of 3.

• So calling procedures at all CPLs (0 through 3) can access this call gate, which includes calling procedures in code segments A, B, and C.

• Call gate B has a DPL of 2, so only calling procedures at a CPL or 0, 1, or 2 can access call gate B, which includes calling procedures in code segments B and C. The dotted line shows that a calling procedure in code segment A cannot access call gate B.


• The RPL of the segment selector to a call gate must satisfy the same test as the CPL of the calling procedure; that is, the RPL must be less than or equal to the DPL of the call gate.

• In the example a calling procedure in code segment C can access call gate B using gate selector B2 or B1, but it could not use gate selector B3 to access call gate B.

• If the privilege checks between the calling procedure and call gate are successful, the processor then checks the DPL of the code-segment descriptor against the CPL of the calling procedure.


• Here, the privilege check rules vary between CALL and JMP instructions.

• Only CALL instructions can use call gates to transfer program control to more privileged (numerically lower privilege level) nonconforming code segments; that is, to nonconforming code segments with a DPL less than the CPL.

• A JMP instruction can use a call gate only to transfer program control to a nonconforming code segment with a DPL equal to the CPL.

• CALL and JMP instruction can both transfer program control to a more privileged conforming code segment; that is, to a conforming code segment with a DPL less than or equal to the CPL.

PRIVILEGED INSTRUCTIONS

Entering real address mode

Switching from real mode to protected mode (OR Entering Protected Mode)

• The 80386 begins its execution in Real mode immediately after RESET signal.

• To enter into the protected mode it is essential to make the PE bit of CRO logic high.

• For entering into the protected mode, it is necessary to maintain Interrupt Descriptor Table (IDt), and Global Descr-iptor Table (GDT) and Local Descr-iptor Table (LDT). Atleast one of these tables should be defined.

• Once the protected mode is enabled, the next instruction should be a JMP to reload CS which will point to valid code segment selector.

• Another Method:• (Step-1)Initialize the IDT and GDT with two TSS descriptors and a code and

data segment.• (Step-2)Then initialize TR to a valid TSS descriptor that is going to cause a

task switch and save the current state in a TSS.• (Step-3) now, we switch to protected mode by using an intersegment JMP

that loads the CS register. And the first JMP to be taken in protected mode is to the TSS defined earlier that loads all registers with value specified in the TSS. Now we are in protected mode.

Returning Back to the Real Mode(OR Leaving Protected Mode)

Task Structure• A task is made up of two parts: a task execution space and a task-

state segment.• The task execution space consists of a code segment, a stack

segment, and one or more data segments.• If an operating system uses the processor’s privilege-level

protection mechanism, the task execution space also provides a separate stack for each privilege level.

• A task is identified by the segment selector for its TSS. When a task is loaded into the processor for execution, the segment selector, base address, limit, and segment descriptor attributes for the TSS are loaded into the task register.

• If paging is implemented for the task, the base address of the page directory used by the task is loaded into control register CR3.

Structure of a Task

Task-State Segment (TSS)

Task-State Segment (TSS)• The task state segment contains storage areas for all of the

80386’s 32 bit registers and the 16 bit register selectors.• The field marked “T” is used for enabling or disabling task

switch trap. The I/O permission bit map is used for I/O permission and finally the backline field is used in order to keep trace of the task chain.

• The fields of a TSS are divided into two main categories: dynamic fields and static fields.

• The processor updates dynamic fields when a task is suspended during a task switch.

• The processor reads the static fields, but does not normally change them. These fields are set up when a task is created.

dynamic fieldsThe following are dynamic fields:• General-purpose register fields — State of the EAX, ECX, EDX,

EBX, ESP, EBP, ESI, and EDI registers prior to the task switch.• Segment selector fields — Segment selectors stored in the ES,

CS, SS, DS, FS, and GS registers prior to the task switch.• EFLAGS register field — State of the EFAGS register prior to

the task switch.• EIP (instruction pointer) field — State of the EIP register prior

to the task switch.• Previous task link field — Contains the segment selector for

the TSS of the previous task. This field permits a task switch back to the previous task by using the IRET instruction.

static fieldsThe following are static fields:• LDT segment selector field — Contains the segment selector

for the task‘s LDT.• CR3 control register field — Contains the base physical address

of the page directory to be used by the task. Control register CR3 is also known as the page directory base register (PDBR).

• Privilege level-0, -1, and -2 stack pointer fields — These stack pointers consist of a logical address made up of the segment selector for the stack segment (SS0, SS1, and SS2) and an offset into the stack (ESP0, ESP1, and ESP2). Note that the values in these fields are static for a particular task; whereas, the SS and ESP values will change if stack switching occurs within the task.

• I/O map base address field (I/O permission bitmap) and “T” field.

Task Register

Task Register• The task register holds the 16-bit segment selector and the entire segment

descriptor (32-bit base address, 16-bit segment limit, and descriptor attributes) for the TSS of the current task.

• This information is copied from the TSS descriptor in the GDT for the current task.

• Figure shows the path the processor uses to access the TSS (using the information in the task register).

• The task register has a visible part (that can be read and changed by user/software) and an invisible part (maintained by the processor and is inaccessible by user/software).

• The segment selector in the visible portion points to a TSS descriptor in the GDT.

• The processor uses the invisible portion of the task register to cache the segment descriptor for the TSS.

• Caching these values in a register makes execution of the task more efficient.• The LTR (load task register) and STR (store task register) instructions load and

read the visible portion of the task register:

Task Register• The LTR instruction loads a segment selector (source

operand) into the task register that points to a TSS descriptor in the GDT.

• It then loads the invisible portion of the task register with information from the TSS descriptor.

• LTR is a privileged instruction that may be executed only when the CPL is 0. It’s used during system initialization to put an initial value in the task register.

• The STR (store task register) instruction stores the visible portion of the task register in a general-purpose register or memory.

• On power up or reset of the processor, segment selector and base address are set to the default value of 0; the limit is set to FFFFH.

TASK SWITCHING

TASK LINKING

Nested Tasks

TASK LINKING• The previous task link field of the TSS (sometimes called

the “backlink”) and the NT flag in the EFLAGS register are used to return execution to the previous task. EFLAGS.NT = 1 indicates that the currently executing task is nested within the execution of another task.

• When a CALL instruction, an interrupt, or an exception causes a task switch: the processor copies the segment selector for the current TSS to the previous task link field of the TSS for the new task; it then sets EFLAGS.NT = 1.

• When a JMP instruction causes a task switch: the new task is not nested. The previous task link field is not used and EFLAGS.NT = 0. Use a JMP instruction to dispatch a new task when nesting is not desired.

Segment Descriptor

Documents

Transcript of Segment Descriptor