Advanced Topics 11
CHAPTER 11 ADVANCED TOPICS~
This chapter describes some of the advanced topics as virtual memory management, restartable instructions, special segment attributes, and the validation of descriptors and pointers.
11.1 VIRTUAL MEMORY MANAGEMENT When access to a segment is requested and memory (swapping or overwriting another segment if necessary), or to terminate execu-tion of the requesting program if this is not possible.
The accessed bit (bit 0) of the access byte is provided in both executable and data segment descriptors to support segment usage profil-ing. Whenever the descriptor is accessed by the iAPX 286 hardware, the A-bit will be set in memory. This applies to selector test instructions (described below) as well as to the loading of a segment register. The reading of the access byte and the restoration of it with
Not-present exceptions occur only on segment register load operations, gate accesses, and
task switches. The saved instruction pointer refers to the first byte of the violating instruction. All other aspects of the saved machine state are exactly as they were before execution of the violating instruction began.
After the fault handler clears up the fault condition and performs an IRET, the program continues to execute. The only external indication of a segment swap is the additional execution time.
11.2 SPECIAL SEGMENT ATTRIBUTES 11.2.1 Conforming Code Segments Code segments intended for use at potentially different privilege levels need an attribute that permits them to emulate the privilege level of the calling task. Such segments are termed
"conforming" segments. Conforming segments are also useful for interrupt-driven error routines that need only be as privileged as the routine that caused the error.
A conforming code segment has bit 2 of its access byte set to 1. This means it can be referenced by a CALL or JMP instruction in a task of equal or lesser privilege, i.e., CPL of the task is numerically greater than or equal to DPL of this segment. CPL does not change when executing the conforming code segment.
A conforming segment continues to use the stack from the CPL. This is the only case in which the DPLof a code segment can be numerically less than the CPL. If bit 2 is a 0, the segment is not conforming and can be referenced only by a task ofCPL=DPL.
Inter-segment Returns that refer to conform-ing code segments use the RPL field of the code selector of the return address to deter-mine the new CPL. The RPL becomes the new CPL if the conforming code segment DPL:5RPL.
ADVANCED TOPICS
If a conforming segment is readable, it can be read from any privilege level without restric-tion. This is the only exception to the protec-tion rules. This allows constants to be stored with conforming code. For example, a read-only look-up table can be embedded in a conforming code segment that can be used to convert system-wide logical ID's into charac-ter strings that represent those logical entities.
11.2.2 Expand-Down Data Segments If bit 2 in the access byte of a data segment is 1, the segment is an expand-down segment.
All the offsets that reference such a segment must be strictly greater than the segment limit, as opposed to normal data segments (bit 2=0) where all offsets must be less than or equal to the segment limit. Figure 11-1 shows an expand-down segment.
The size of the expand down segment can be changed by changing either the base or the limit. An expand down segment with Limit=O will have a size of 216-1 bytes.
With a limit value of FFFFH, the expand down segment will have a size of 0 bytes. In an expand down segment, the base
+
offsetBASE + FFFEH -..,==~
BASE + OFFSET
> BASE + LIMIT
BASE + LIMIT -.f'~~~
BASE
EXPAND DOWN SEGMENT
Figure 11-1. Expand-Down Segment
11-2
value should always be greater than the base
+
limit value. Therefore, a full size segment (216 bytes) can only be obtained by using an expand up segment.The operating system should check the Expand-Down bit when a protection fault indicates that the limit of a data segment has been reached. If the Expand-Down bit is not set, the operating system should increase the segment limit; if it is set, the limit should be lowered. This supplies more room in either case (assuming the segment is not write-protected, i.e., that bit 1 is not 0). In some cases, if the operating system can ascertain that there is not enough room to expand the data segment to meet the need that caused the fault, it can move the data segment to a region of memory where there is enough room. See figure 11-2.
11.3 POINTER VALIDATION
Pointer validation is an important part of locating programming errors. Pointer valida-tion is· necessary for maintaining isolavalida-tion between the privilege levels. Pointer valida-tion consists of the following steps:
1. Check if the supplier of the pointer is entitled to access the segment.
2. Check if the segment type is appropriate to its intended use.
3. Check if the pointer violates the segment limit.
The iAPX 286 hardware automatically performs checks 2 and 3 during instruction execution, while software must assist in performing the first check. This point is discussed in section 11. 3.2. Software can explicitly perform steps 2 and 3 to check for potential violations (rather than causing an exception). The unprivileged instructions LSL, LAR, VERR, and VER Ware provided for this purpose.
ADVANCED TOPICS
BASE + 10000H
STACK SEG.B
BASE + 10000H NEW BASE
+ NEW LIMIT
STACK SEG.B
OLD BASE NEW BASE
+ OLD LIMIT
OLD BASE SEG.A
Figure 11·2. Dynamic Segment Relocation and Expansion of Segment limit
The load access rights (LAR) instruction obtains the access rights byte of a descriptor pointed to by the selector used in the instruc-tion. If that selector is visible at the CPL, the instruction loads the access byte into the specified destination register as the higher byte (the low byte is zero) and the zero flag is set. Once loaded, the access bits can be tested. System segments such as a task state segment or a descriptor table cannot be read or modified. This instruction is used to verify that a pointer refers to a segment of the proper privilege level and type. If the RPL or CPL is greater than DPL, or the selector is outside the table limit, no access value is returned and the zero flag is cleared.
Conforming code segments may be accessed from any RPL or CPL.
Additional parameter checking can be performed via the load segment limit (LSL) instruction. If the descriptor denoted by the given selector (in memory or a register) is visible at the CPL, LSL loads the specified register with a word that consists of the limit field of that descriptor. This can only be done for segments, task state segments, and local
descriptor tables (i.e., words from control descriptors are inaccessible). Interpreting the limit is a function of the segment type. For example, downward expandable data segments treat the limit differently than code segments do.
For both LAR and LSL, the zero flag (ZF) is set if the loading was performed; otherwise, the zero flag is cleared. Both instructions are undefined in real address mode, causing an invalid opcode exception (interrupt #6).
11.3.1 Descriptor Validation
The iAPX 286 has two instructions, VERR and VER W, which determine whether a selector points to a segment that can be read or written at the current privilege level.
Neither instruction causes a protection fault if the result is negative.
VERR verifies a segment for reading and loads ZF with 1 if that segment is readable from the current privilege level. The valida-tion process checks that: 1) the selector points to a descriptor within the bounds of the GDT or LDT, 2) it denotes a segment descriptor
ADVANCED TOPICS
(as opposed to a control descriptor), and 3) the segment is readable and of appropriate privilege level. The privilege check for data segments and non-conforming code segments is that the DPL must be numerically greater than or equal to both the CPL and the selec-tor's RPL. Conforming segments are not checked for privilege level.
VER W provides the same capability as VERR for verifying writability. Like the VERR instruction, VER W loads ZF if the result of the writ ability check is positive. The instruction checks that the descriptor is within bounds, is a segment descriptor, is writable, and that its DPL is numerically greater or equal to both the CPL and the selector's RPL.
Code segments are never writable, conform-ing or not.
11.3.2 Pointer Integrity: RPL and the
"Trojan Horse Problem"
The Requested Privilege Level (RPL) feature can prevent inappropriate use of pointers that could corrupt the operation of more privi-leged code or data from a less priviprivi-leged level.
A common example is a file system proce-dure, FREAD (file_id, nybytes, buffer-ptr).
This hypothetical procedure reads data from a file into a buffer, overwriting whatever is 'there. Normally, FREAD would be available at the user level, supplying only pointers to the file system procedures and data located and operating ata privileged level. Normally, such a procedure prevents user-level proce-dures from directly changing the file tables.
However, in the absence of a standard proto-col for .checking pointer validity, a user-level procedure could supply a pointer into the file tables in place of its buffer pointer, causing privilege attribute would normally indicate the privilege level of the code which generated the selector. The iAPX 286 hardware will automatically check the RPL of any selector loaded into a segment register or a control register to see if the RPL allows access.
To guard against invalid pointers, the called procedure need only ensure that all selectors passed to it have an RPL at least as high (numerically) as the original caller's CPL.
This indicates that the selectors were not more trusted than their supplier. If one of the selectors is used to access a segment that the caller would not be able to access directly, i.e., the RPL is numerically greater than the DPL, then a protection fault will result when loaded into a segment or control register.
The caller's CPL is available in the CS selec-tor that was pushed on the stack as the return address. A special instruction; ARPL, can· be used to appropriately adjust the RPL field of the pointer. ARPL (Adjust RPL field of selector instruction) adjusts the RPL field of a selector to become the larger of its original value and the value of the RPL field in a specified register. The latter is normally loaded from the caller's CS register which can be found on the stack. If the adjustment changes the selector's RPL, ZF is set; other-wise, the zero flag is cleared.
11.4 NPXCONTEXT SWITCHING
The context of a processor extension (such as the 80287 numerics processor) is not changed by the task switch operation. A processor extension context need only be changed when a different task attempts to use the processor extension (which still contains the context of a previous task). The 80286 detects the first use of a processor extension after a task switch by causing the processor extension not-present exception (#7) if the TS bit is set. The inter-rupt handler may then decide whether a context change is necessary.
ADVANCED TOPICS
The 286 services numeric errors only when it executes wait or escape instructions because the processor extension is running independ-ently. Therefore, the numerics error from one task may not be recorded until the 286 is running a different task. If the 286 task has changed, it makes sense to defer handling that error until the original task is restored. For example, interrupt handlers that use the NPX should not have their timing upset by a numeric error interrupt that pertains to some earlier process. It is of little value to service someone else's error. .
If the task switch bit is set (bit 3 of MSW) when the CPU begins to execute a wait or escape instruction, the processor-extension not-present exception results (#7). The handler for this interrupt must know who currently "owns" the NPX, i.e., the handler must know the last task to issue a command to the NPX. If the owner is the same as the current task, then it was merely interrupted and the interrupt handler has since returned;
the handler for interrupt 7 simply clears the TS bit, restores the working registers, and returns (restoring interrupts if enabled).
If the recorded owner is different from the region of memory that contains the TSS. The alias segment also contains an area for saving the NPX context, the kernel stack, and certain kernel data. That is, the first 44 bytes in that segment are the 286 context, followed by 94 bytes for the processor extension context,
followed in some cases by the kernei stack and kernel private data areas.
The implied convention is that the stack segment selector points to this data segment alias so that whenever there is an interrupt at level zero and SS is automatically loaded, all of the above information is immediately addressable.
It is assumed that the program example knows about only one data segment that points to a global data area in which it can find the one word NPX owner to begin the processing described. The specific operations needed, and shown in the figure, are listed in table 11-1.
11.5 MULTIPROCESSOR CONSIDERATIONS
As mentioned in Chapter 8, a bus lock is applied during the testing and setting of the task busy bit to ensure that two processors do not invoke the same task at the same time.
However, protection traps and conflicting use of dynamically varying segments or descrip-tors must be addressed by an inter-processor synchronization protocol. The protocol can use the indivisible semaphore operation of the base instruction set. Coordination of inter-rupt and trap vectoring must also be addressed when multiple concurrent proces-sors are operating.
The interrupt bus cycles are locked so no interleaving occurs on those cycles. Descrip-tor caching is locked so that a descripDescrip-tor reference cannot be altered while it is being fetched.
When a program changes a descriptor that is shared with other processors, it should broad-cast this fact to the other processors. This broadcasting can be done with an
inter-ADVANCED TOPICS
processor interrupt. The handler for this interrupt must ensure that the segment regis-ters, the LDTR and the TR, are re-Ioaded.
This happens automatically if the interrupt is serviced by a task switch.
segment as not-present while another is using it. Software has to ensure that the descriptors in the segment register caches are updated with the new information. The segment regis-ter caches can be updated by are-entrant procedure that is invoked by an inter-processor interrupt. The handler must ensure that the segment registers, the LDTR and the TR, are re-Ioaded. This happens automati-cally if the interrupt is serviced by a task switch.
Modification of descriptors of shared segments in multi-processor systems may require that the on-chip descriptors also be updated. For example, one processor may attempt to mark the descriptor of a shared
ASSEJl18LER INVOKED BY: ASJI!28S,B6 :F5:5WMPX.AB6 LOC OBJ Ho Interrupt! IIllowed!
LII5 t_npx_word cllnnot chllnge due to 0 ther 1 nter rupt! IIf ter t hi! pOint. Return to interrupted progrllm
54 kernel_code end!
.1.
WARttlHG "60, lIHE '54, SEGr'1EHT COHTAIHS PRIVILEGED IHSTRUCTIOHS55 end
Figure 11-3. Example of NPX Context Switching
11-6
ADVANCED TOPICS
Table 11-1. NPX Context Switching
Step Operation Lines
(Figure 11-3)
1. Save the working registers 28,29
2. Set up address for kernel work area 30,31
3. Get current task 10 from Task Register 32
4. Clear Task Switch flag to allow NPX work 34
5. Inhibit interrupts 35
6. Compare owner with current task 10 37
If same owner:
7a. Restore working registers 48,49
7b. and return 50
If owner is not current task:
8a. Use owner 10 to save old context in its TSS 42,43,44
8b. Restore context of current task; 45
restore working registers; 46
and return 52
11.6 SHUTDOWN
Shutdown occurs when a severe error condi-tion prevents further processing. Shutdown is very similar to HLT in that the iAPX 286
stops executing instructions. The 80286 externally signals shutdown as a Halt bus cycle with Al =0. The NMI or RESET input will force the 80286 out of shutdown. The INTR input is ignored during shutdown.