Hardware-Software Interface
Lecture 4-2
Protected Mode Mechanisms
Prof. Dr. Stefan Michael Blawid
IHS - §4 ProMo Mech 2
Topics
1) Recapitulation
2) Access to Data and Stack Segments
3) Jumps, Calls and Privilege Checks
4) Call gates
IHS - §4 ProMo Mech 4
Segment Descriptor
IHS - §4 ProMo Mech 5
Using Selectors
IHS - §4 ProMo Mech 6
Validity Checks Before Loading Descriptor
IHS - §4 ProMo Mech 7
Pre-Load Privilege Check for Data Access
Future Data Segment Cache
Current Code Segment Cache
Data Segment Register
IHS - §4 ProMo Mech 8
CPL, RPL and DPL
CPL (Current Privilege Level)
Privilege level of the currently running code
It is found in the CS and SS registers (in the hidden part, i.e., the descriptor cache)
RPL (Requestor Privilege Level)
Privilege level requested through the selector
Found in the selector
Can be changed with specific instructions
DPL (Descriptor Privilege Level)
Segment or gate privilege level
Found in the descriptor
IHS - §4 ProMo Mech 9
Example
Assume that the code is fetched from a non-conforming code segment with DPL = 2d = CPL
Selector: RPL = 2d, TI = 1d (LDT), Index = 2534d
If the data segment fetched from the LDT has DPL = 2d, the corresponding eight bytes are loaded into the invisible part of DS
mov AL, [0100] verifies that:
CPL == DPL of DS;
The offset 0100H is smaller than the DS limit
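The following C program is an added illustration and not part of the lecture material. It decodes a selector and an 8-byte segment descriptor with the Intel layout, then runs the two checks the slide describes for the example values (CPL = 2, RPL = 2, TI = 1, Index = 2534, DPL = 2, offset 0100H): the pre-load privilege check, written in its general form max(CPL, RPL) <= DPL of which the slide's CPL == DPL is one instance, and the limit check on the access itself. The descriptor base, limit and type are constructed sample values; the encode/decode helpers are hypothetical, not CPU routines.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Decoded fields of an 8-byte code/data segment descriptor (Intel SDM layout). */
typedef struct {
    uint32_t base;
    uint32_t limit;        /* raw 20-bit limit, before granularity scaling */
    bool     present;      /* P bit */
    unsigned dpl;          /* Descriptor Privilege Level, 0..3 */
    bool     code;         /* type bit 3: 1 = code segment, 0 = data segment */
    bool     conforming;   /* code segments only: type bit 2 (C bit) */
    bool     readable;     /* code: type bit 1 (R bit); data segments are always readable */
    bool     granularity;  /* G bit: limit is counted in 4 KiB units */
} segdesc_t;

typedef struct { unsigned index; bool ldt; unsigned rpl; } selector_t;

/* Selector layout: index in bits 15..3, TI (table indicator) in bit 2, RPL in bits 1..0. */
selector_t decode_selector(uint16_t sel) {
    selector_t s = { sel >> 3, (sel >> 2) & 1, sel & 3 };
    return s;
}

uint16_t make_selector(unsigned index, bool ldt, unsigned rpl) {
    return (uint16_t)((index << 3) | (ldt ? 4u : 0u) | (rpl & 3u));
}

segdesc_t decode_descriptor(const uint8_t d[8]) {
    segdesc_t s;
    s.limit       = d[0] | (uint32_t)d[1] << 8 | (uint32_t)(d[6] & 0x0F) << 16;
    s.base        = d[2] | (uint32_t)d[3] << 8 | (uint32_t)d[4] << 16 | (uint32_t)d[7] << 24;
    s.present     = (d[5] >> 7) & 1;
    s.dpl         = (d[5] >> 5) & 3;
    s.code        = (d[5] >> 3) & 1;
    s.conforming  = s.code && ((d[5] >> 2) & 1);
    s.readable    = !s.code || ((d[5] >> 1) & 1);
    s.granularity = (d[6] >> 7) & 1;
    return s;
}

/* Hypothetical helper: build the 8 descriptor bytes from fields (inverse of decode_descriptor).
   'type' is the 4-bit type nibble, e.g. 0x2 = read/write data, 0xA = execute/read code. */
void encode_descriptor(uint8_t d[8], uint32_t base, uint32_t limit, unsigned dpl,
                       uint8_t type, bool granularity) {
    d[0] = limit & 0xFF;        d[1] = (limit >> 8) & 0xFF;
    d[2] = base & 0xFF;         d[3] = (base >> 8) & 0xFF;
    d[4] = (base >> 16) & 0xFF;
    d[5] = 0x80 | ((dpl & 3) << 5) | 0x10 | (type & 0x0F);              /* P=1, S=1 */
    d[6] = (granularity ? 0x80 : 0x00) | 0x40 | ((limit >> 16) & 0x0F); /* D/B=1 */
    d[7] = (base >> 24) & 0xFF;
}

/* Highest valid offset of an expand-up segment. */
uint32_t effective_limit(const segdesc_t *d) {
    return d->granularity ? ((d->limit << 12) | 0xFFF) : d->limit;
}

/* Pre-load privilege check for DS/ES/FS/GS: the effective privilege max(CPL, RPL)
   must be numerically <= DPL; the descriptor must also be present and readable. */
bool data_segment_load_allowed(unsigned cpl, uint16_t sel, const segdesc_t *d) {
    unsigned rpl = decode_selector(sel).rpl;
    unsigned epl = cpl > rpl ? cpl : rpl;
    return d->present && d->readable && epl <= d->dpl;
}

/* Limit check on every access through the loaded segment (expand-up only):
   the last byte touched must lie within the limit. */
bool offset_within_limit(const segdesc_t *d, uint32_t offset, uint32_t size) {
    if (size == 0) return false;
    uint32_t last = offset + size - 1;
    return last >= offset && last <= effective_limit(d);
}

int main(void) {
    uint8_t bytes[8];
    /* Constructed sample: DPL 2 read/write data segment, base 0x00400000, 64 KiB limit. */
    encode_descriptor(bytes, 0x00400000, 0x0FFFF, 2, 0x2, false);
    segdesc_t ds = decode_descriptor(bytes);
    uint16_t sel = make_selector(2534, true, 2);
    printf("selector %04X: load %s, offset 0100H %s limit\n", sel,
           data_segment_load_allowed(2, sel, &ds) ? "allowed" : "denied",
           offset_within_limit(&ds, 0x100, 1) ? "within" : "outside");
    return 0;
}
```

With CPL = 3 or RPL = 3 the load is refused before the descriptor reaches the cache, which is the point of checking privilege at load time rather than on every memory access.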
IHS - §4 ProMo Mech 10
Topics
1) Recapitulation
2) Access to Data and Stack Segments
3) Jumps, Calls and Privilege Checks
4) Call gates
IHS - §4 ProMo Mech 11
Data Segment Access
Data segment selectors must be loaded into DS, ES, FS, GS, or SS registers with instructions like mov, pop, lds, les, lfs, lgs, etc.
IHS - §4 ProMo Mech 12
Examples
IHS - §4 ProMo Mech 13
Stack Segment Access
IHS - §4 ProMo Mech 14
Topics
1) Recapitulation
2) Access to Data and Stack Segments
3) Jumps, Calls and Privilege Checks
IHS - §4 ProMo Mech 15
Access to Code Segments
Transfer of control may result in a change of the executed code segment when there are inter-segment (far) jumps
Transfer instructions: call (far), ret (far), jmp (far), int, iret, sysenter, sysexit, etc.
A privilege check is required to determine that the code in the original CS is allowed to jump to or call code within the target CS
No privilege check on near calls or near jumps
Code segment access rules differ from data access rules
The rules are different for accessing non-conforming code segments and for accessing conforming code segments
IHS - §4 ProMo Mech 16
CPL Definition
The privilege level, i.e., the DPL (!), of the currently active CS from which the instructions are fetched
One exception: The currently active CS is conforming (C-Bit=1 in the CS descriptor)
The CPL is then given by the DPL of the CS that called the currently active CS
Without the use of a call gate, effectively the CPL does not change when control is transferred to a new CS
IHS - §4 ProMo Mech 17
Access to Code Segments (without Gates)
Information verified on this type of access: CPL, RPL, Destination DPL, Destination C-Bit
IHS - §4 ProMo Mech 18
Access to Non-Conforming Code Segments
Most code segments are non-conforming:
Control transfer can only occur between same-privilege segments (except when a gate is used)
IHS - §4 ProMo Mech 19
Example for valid access
IHS - §4 ProMo Mech 20
Examples for Invalid Access
IHS - §4 ProMo Mech 21
Access to Conforming Code Segments
Allows calls from a lower-privilege segment to a routine located in a higher-privilege segment
CPL does not change
IHS - §4 ProMo Mech 22
Example of Valid Access
IHS - §4 ProMo Mech 23
Example of Invalid Access
IHS - §4 ProMo Mech 24
Jumping from Higher to Lesser Privilege
iret can do the trick:
1) Push the desired initial values for CS:EIP, SS:ESP and EFLAGS on the current stack
2) Execute iret
Since the CS selector value on the stack indicates a “return” to a lesser privilege, SS:ESP is also loaded from the stack
3) The new CS selector points to a CS descriptor with a lower-privilege DPL, which becomes the new CPL
4) The new SS selector points to an SS descriptor with a lower-privilege DPL
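The C functions below are an added example, not part of the lecture slides, and cover the two control-transfer cases of this section: a far jmp/call that names a code segment directly (no gate), with the separate rules for non-conforming and conforming targets, and the iret trick for moving to a lesser privilege level, including the check that the SS loaded from the stack matches the new CPL. The target-segment attributes are passed in as plain values rather than decoded from descriptor bytes; the function names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Attributes of a code segment, as read from its descriptor. */
typedef struct { unsigned dpl; bool conforming; bool present; } codeseg_t;

/* Privilege check for a far jmp/call whose selector points directly at a code segment
   (no gate). Returns true if allowed; *new_cpl receives the CPL after the transfer. */
bool far_transfer_allowed(unsigned cpl, unsigned rpl, const codeseg_t *t, unsigned *new_cpl) {
    if (!t->present) return false;
    if (t->conforming) {
        /* Conforming target: may be equally or more privileged (DPL <= CPL);
           the RPL is not checked and the CPL does not change. */
        if (t->dpl > cpl) return false;
        *new_cpl = cpl;
        return true;
    }
    /* Non-conforming target: same privilege level only (CPL == DPL), and RPL <= DPL. */
    if (cpl != t->dpl || rpl > t->dpl) return false;
    *new_cpl = t->dpl;
    return true;
}

/* Privilege check for iret "returning" to a code segment whose selector on the stack
   carries RPL 'ret_rpl'. Going to a lesser privilege (ret_rpl > cpl) also loads
   SS:ESP from the stack, so the new SS must have DPL equal to the new CPL. */
bool iret_allowed(unsigned cpl, unsigned ret_rpl, const codeseg_t *cs, unsigned ss_dpl,
                  unsigned *new_cpl, bool *stack_switch) {
    if (!cs->present || ret_rpl < cpl) return false;          /* iret never moves inward */
    if (cs->conforming ? (cs->dpl > ret_rpl) : (cs->dpl != ret_rpl)) return false;
    *stack_switch = ret_rpl > cpl;
    if (*stack_switch && ss_dpl != ret_rpl) return false;     /* new SS must match new CPL */
    *new_cpl = ret_rpl;
    return true;
}

int main(void) {
    codeseg_t kernel = { 0, false, true };   /* constructed: non-conforming, DPL 0 */
    codeseg_t user   = { 3, false, true };   /* constructed: non-conforming, DPL 3 */
    codeseg_t lib    = { 0, true,  true };   /* constructed: conforming, DPL 0 */
    unsigned cpl; bool sw;
    printf("ring 3 -> kernel directly: %s\n", far_transfer_allowed(3, 3, &kernel, &cpl) ? "ok" : "#GP");
    printf("ring 3 -> conforming lib:  %s (CPL stays %u)\n",
           far_transfer_allowed(3, 3, &lib, &cpl) ? "ok" : "#GP", cpl);
    printf("ring 0 iret -> ring 3:     %s (stack switch %d)\n",
           iret_allowed(0, 3, &user, 3, &cpl, &sw) ? "ok" : "#GP", sw);
    return 0;
}
```

The conforming branch is where the slide's "CPL does not change" matters: code in the DPL 0 conforming segment runs at the caller's CPL 3, so it cannot be used to gain privilege, only to share code.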
IHS - §4 ProMo Mech 25
Topics
1) Recapitulation
2) Access to Data and Stack Segments
3) Jumps, Calls and Privilege Checks
IHS - §4 ProMo Mech 26
Gates Types
Call Gates
Used to control access to routines of a different code segment
Located in GDT or LDT
Interrupt Gates and Trap Gates
Used to control access to interrupt routines
Located in IDT
Task Gates
Used to control access between different tasks that do not necessarily consist of just one set of code and data segments
Located in GDT
IHS - §4 ProMo Mech 27
Example Scenario
The OS kernel may include a privilege-zero CS containing procedures designed to handle requests from other programs
The service routines shall only be accessed by sufficiently privileged callers
➡ Need different “portals” to control the access to each procedure within the CS
IHS - §4 ProMo Mech 28
Call Gates
Allows control over which parts of one code segment can be accessed by another code segment
Safer form of transfer of control
Main Functions:
Specifies the code segment to access
Specifies the entry point for a routine in the specified code segment
Determines the required privilege level of the caller attempting to access the routine
If a stack change occurs, specifies the number of parameters to copy between the stacks
IHS - §4 ProMo Mech 29
The Call Gate Descriptor
Target Code-Segment Selector (16 bits)
Specifies the descriptor of the code segment to be accessed
This selector is loaded into CS on transfer of control
Target Code-Segment Offset (32 bits)
Specifies the entry point for a routine in the specified code segment
IHS - §4 ProMo Mech 30
The Call Gate Descriptor (cont.)
P (Present): Indicating that the descriptor is valid
DPL (Descriptor Privilege Level): Defines the minimum privilege level to use the gate
Type = 100b indicates a call gate descriptor
Parameter count: Number (0 - 31) of dwords to copy from the caller’s stack to the stack of the called procedure
IHS - §4 ProMo Mech 31
Far Call through a Call Gate
IHS - §4 ProMo Mech 32
Control Transfer with Call Gates
A far pointer to the gate is provided as the target operand in a call or jmp statement: The selector of this pointer (first 16 bits) identifies the
IHS - §4 ProMo Mech 33
Typical Use of Call Gates: Operating System
OS has services (routines) that can be used by both application programs and the OS itself
Call Gates can be defined for routines that allow access to all privilege levels (e.g. I/O routines)
More privileged call gates can be defined for routines that can only be called by the OS (e.g. driver initialization routines)
IHS - §4 ProMo Mech 34
Access to Code Segments with Gates
Information verified on this type of access: CPL, RPL (selector to the call gate), DPLg (descriptor of the call gate), DPLs (descriptor of the target code segment)
IHS - §4 ProMo Mech 35
Access to Conforming Code Segments
The privilege level of the current segment must be greater than or equal to that of the call gate descriptor
IHS - §4 ProMo Mech 36
Access to Non-Conforming Code Segments
Rules differ slightly if jmp or call is used for a call gate when target segment is non-conforming
IHS - §4 ProMo Mech 37
Example of Valid Access
If call is made to a higher privilege non-conforming segment, a stack swap occurs
IHS - §4 ProMo Mech 38
Example of an Invalid Access
IHS - §4 ProMo Mech 39
Stack change
Stack change occurs for two reasons
Prevent the more privileged routine from failing to execute properly due to insufficient stack space
Prevent lower-privilege routines from interfering with higher-privilege routines through shared stacks
The OS is responsible for creating stacks and stack descriptors for all privilege levels that are used (by a task) and for storing pointers to them in the Task State Segment (TSS)
The TSS is pointed to by a type of system descriptor maintained in the GDT
Even if the OS is not multitasking, if it runs in protected mode it is required to create at least one TSS
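The C program below is an added example and not part of the lecture; it ties together the call-gate slides (descriptor fields, the CPL/RPL/DPLg/DPLs checks for call versus jmp, and the stack change). It decodes a constructed 8-byte call gate descriptor with the Intel layout (a 32-bit call gate has type 1100b = 0Ch; the 16-bit variant has type 0100b), applies the gate check followed by the target-segment check, and reports whether a stack switch happens and how many parameter dwords the gate asks to be copied. The gate and segment values are constructed samples; the target segment's DPL and C bit are passed in rather than looked up, and the function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Decoded fields of an 8-byte call gate descriptor. */
typedef struct {
    uint16_t selector;     /* target code-segment selector */
    uint32_t offset;       /* entry point within the target segment */
    unsigned dpl;          /* DPLg: least privileged caller allowed to use the gate */
    bool     present;      /* P bit */
    unsigned param_count;  /* dwords copied to the new stack on a stack switch (0..31) */
    bool     is_call_gate; /* S bit clear and type 0xC (32-bit) or 0x4 (16-bit) */
} callgate_t;

callgate_t decode_call_gate(const uint8_t d[8]) {
    callgate_t g;
    unsigned type  = d[5] & 0x0F;
    g.selector     = (uint16_t)(d[2] | (uint16_t)d[3] << 8);
    g.offset       = d[0] | (uint32_t)d[1] << 8 | (uint32_t)d[6] << 16 | (uint32_t)d[7] << 24;
    g.dpl          = (d[5] >> 5) & 3;
    g.present      = (d[5] >> 7) & 1;
    g.param_count  = d[4] & 0x1F;
    g.is_call_gate = !((d[5] >> 4) & 1) && (type == 0xC || type == 0x4);
    return g;
}

typedef enum { XFER_JMP, XFER_CALL } xfer_t;

typedef struct {
    bool     allowed;
    unsigned new_cpl;
    bool     stack_switch;   /* entering a more privileged non-conforming segment */
    unsigned params_to_copy; /* gate parameter count, only meaningful with a stack switch */
    uint16_t new_cs;         /* selector loaded into CS; its RPL is forced to the new CPL */
    uint32_t new_eip;
} gate_result_t;

/* target_dpl / target_conforming describe the code segment named by g->selector (DPLs, C bit). */
gate_result_t transfer_through_gate(xfer_t op, unsigned cpl, uint16_t gate_sel,
                                    const callgate_t *g, unsigned target_dpl,
                                    bool target_conforming) {
    gate_result_t r = {0};
    unsigned rpl = gate_sel & 3;
    /* Gate check: CPL and the gate selector's RPL must both be numerically <= DPLg. */
    if (!g->present || !g->is_call_gate || cpl > g->dpl || rpl > g->dpl) return r;
    if (target_conforming) {
        if (target_dpl > cpl) return r;   /* conforming: equal or more privileged, CPL unchanged */
        r.new_cpl = cpl;
    } else if (op == XFER_CALL) {
        if (target_dpl > cpl) return r;   /* call: may enter a more privileged segment */
        r.new_cpl        = target_dpl;
        r.stack_switch   = target_dpl < cpl;
        r.params_to_copy = r.stack_switch ? g->param_count : 0;
    } else {
        if (target_dpl != cpl) return r;  /* jmp through a gate: same privilege level only */
        r.new_cpl = cpl;
    }
    r.allowed = true;
    r.new_cs  = (uint16_t)((g->selector & ~3u) | r.new_cpl);
    r.new_eip = g->offset;
    return r;
}

int main(void) {
    /* Constructed gate: offset 0x1000, selector 0x0008, 2 params, P=1, DPL=3, S=0, type 0xC. */
    uint8_t bytes[8] = { 0x00, 0x10, 0x08, 0x00, 0x02, 0xEC, 0x00, 0x00 };
    callgate_t g = decode_call_gate(bytes);
    gate_result_t r = transfer_through_gate(XFER_CALL, 3, 0x0033, &g, 0, false);
    printf("call from ring 3 via DPL-%u gate: %s, new CPL %u, stack switch %d, copy %u dwords\n",
           g.dpl, r.allowed ? "ok" : "#GP", r.new_cpl, r.stack_switch, r.params_to_copy);
    r = transfer_through_gate(XFER_JMP, 3, 0x0033, &g, 0, false);
    printf("jmp  from ring 3 via the same gate: %s\n", r.allowed ? "ok" : "#GP");
    return 0;
}
```

Lowering the gate's DPL to 0 (byte 5 = 8Ch) makes the same call fail from ring 3 while still succeeding from ring 0, which is the "more privileged call gates for OS-only routines" pattern the slides describe.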
IHS - §4 ProMo Mech 40
Stack Change between Different PL Routines
IHS - §4 ProMo Mech 41
Overview
IHS - §4 ProMo Mech 42
Using Call Gates Nowadays
Call gates fell out of use some time ago, especially after the Pentium
Today's operating systems allow access to higher-privilege routines through official interfaces with system calls
Accessible through software interrupts, e.g., int 80H (Linux), or through instructions like sysenter (32-bit) or syscall (64-bit)
However, a special type of gate is still used for calling interrupt handling routines