
ADVANCED TOPICS

In the document MANUAL PROGRAMMER'S iAPX 286 (Page 177-182)

Advanced Topics 11

(as opposed to a control descriptor), and 3) the segment is readable and of appropriate privilege level. The privilege check for data segments and non-conforming code segments is that the DPL must be numerically greater than or equal to both the CPL and the selector's RPL. Conforming segments are not checked for privilege level.

VERW provides the same capability as VERR for verifying writability. Like VERR, VERW sets ZF if the writability check succeeds. The instruction checks that the selector's descriptor is within the table bounds, is a segment descriptor, is writable, and that its DPL is numerically greater than or equal to both the CPL and the selector's RPL.

Code segments are never writable, conforming or not.

11.3.2 Pointer Integrity: RPL and the "Trojan Horse Problem"

The Requested Privilege Level (RPL) feature can prevent inappropriate use of pointers that could corrupt the operation of more privileged code or data from a less privileged level.

A common example is a file system procedure, FREAD (file_id, n_bytes, buffer_ptr).

This hypothetical procedure reads data from a file into a buffer, overwriting whatever is there. Normally, FREAD would be available at the user level, supplying only pointers to the file system procedures and data, which are located and operate at a privileged level. Normally, such a procedure prevents user-level procedures from directly changing the file tables.

However, in the absence of a standard protocol for checking pointer validity, a user-level procedure could supply a pointer into the file tables in place of its buffer pointer, causing FREAD to overwrite the file tables on the user's behalf. The RPL field attaches a privilege attribute to a selector; this attribute would normally indicate the privilege level of the code which generated the selector. The iAPX 286 hardware will automatically check the RPL of any selector loaded into a segment register or a control register to see if the RPL allows access.

To guard against invalid pointers, the called procedure need only ensure that every selector passed to it carries an RPL at least as large (numerically) as the caller's CPL, so that the selector is trusted no more than its supplier. If such a selector refers to a segment that the caller would not be able to access directly, i.e., the RPL is numerically greater than the DPL, then a protection fault will result when it is loaded into a segment or control register.

The caller's CPL is available in the CS selector that was pushed on the stack as the return address. A special instruction, ARPL (Adjust RPL field of selector), adjusts the RPL field of a selector to become the larger of its original value and the RPL field of a specified register; the latter is normally loaded from the caller's CS selector. If the adjustment changes the selector's RPL, ZF is set; otherwise, the zero flag is cleared.
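The VERR/VERW checks and the ARPL fix to the FREAD Trojan horse, replayed in C as an added example (this is not code from the manual). The selector layout, the descriptor fields and the privilege rule follow the text; the descriptor table, the slot assignments, the readable flag and the kernel_fread_accepts() service are assumptions made for this illustration. The model goes beyond the single FREAD case by also covering execute-only code, conforming code and out-of-bounds selectors:

```c
/* Added example, not from the Intel manual: a C model of the selector and
 * descriptor checks behind VERR, VERW and ARPL, used to replay the FREAD
 * "Trojan horse" with and without the ARPL fix. The descriptor table, the
 * segment slot assignments and kernel_fread_accepts() are constructed for
 * this illustration; the privilege rules are the ones stated in the text. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* A 16-bit selector: table index in bits 15..3, RPL in bits 1..0 (TI ignored). */
typedef uint16_t selector_t;
#define SEL(index, rpl)  ((selector_t)(((index) << 3) | ((rpl) & 3)))
#define SEL_INDEX(s)     ((unsigned)(s) >> 3)
#define SEL_RPL(s)       ((unsigned)(s) & 3)

enum seg_kind { CODE_CONFORMING, CODE_NONCONFORMING, DATA_RO, DATA_RW };

typedef struct {
    bool          present;   /* slot holds a segment descriptor */
    enum seg_kind kind;
    bool          readable;  /* code segments may be execute-only */
    unsigned      dpl;       /* descriptor privilege level, 0..3 */
} descriptor_t;

/* Constructed descriptor table; slot 0 is the null selector. */
static const descriptor_t gdt[] = {
    { false, DATA_RO,            false, 0 }, /* 0: null */
    { true,  CODE_NONCONFORMING, false, 0 }, /* 1: kernel code, execute-only */
    { true,  DATA_RW,            true,  0 }, /* 2: kernel data: the file tables */
    { true,  CODE_NONCONFORMING, true,  3 }, /* 3: user code */
    { true,  DATA_RW,            true,  3 }, /* 4: user data: the caller's buffer */
    { true,  CODE_CONFORMING,    true,  0 }, /* 5: conforming library code */
};
#define GDT_LEN (sizeof gdt / sizeof gdt[0])

static const descriptor_t *lookup(selector_t sel)
{
    unsigned idx = SEL_INDEX(sel);
    if (idx == 0 || idx >= GDT_LEN || !gdt[idx].present)
        return NULL;             /* out of bounds or not a segment descriptor */
    return &gdt[idx];
}

/* Privilege rule for data and non-conforming code: DPL must be numerically
 * greater than or equal to both the CPL and the selector's RPL. */
static bool priv_ok(const descriptor_t *d, unsigned cpl, selector_t sel)
{
    return d->dpl >= cpl && d->dpl >= SEL_RPL(sel);
}

/* VERR: the ZF the instruction would leave, true meaning readable. */
bool verr(selector_t sel, unsigned cpl)
{
    const descriptor_t *d = lookup(sel);
    if (d == NULL || !d->readable)
        return false;
    if (d->kind == CODE_CONFORMING)
        return true;             /* conforming segments skip the privilege check */
    return priv_ok(d, cpl, sel);
}

/* VERW: true meaning writable. Code segments are never writable. */
bool verw(selector_t sel, unsigned cpl)
{
    const descriptor_t *d = lookup(sel);
    if (d == NULL || d->kind != DATA_RW)
        return false;
    return priv_ok(d, cpl, sel);
}

/* ARPL dst, src: RPL(dst) becomes max(RPL(dst), RPL(src)); returns ZF,
 * true if the field was changed. */
bool arpl(selector_t *dst, selector_t src)
{
    if (SEL_RPL(*dst) < SEL_RPL(src)) {
        *dst = (selector_t)((*dst & ~3u) | SEL_RPL(src));
        return true;
    }
    return false;
}

/* The hypothetical FREAD service running at CPL 0. caller_cs is the CS
 * selector pushed as the return address, whose RPL is the caller's CPL.
 * Returns true if the service would go ahead and write through buffer_sel,
 * i.e. if loading that selector into a segment register would not fault. */
bool kernel_fread_accepts(selector_t buffer_sel, selector_t caller_cs, bool use_arpl)
{
    const unsigned cpl = 0;
    if (use_arpl)
        arpl(&buffer_sel, caller_cs);   /* trust the pointer no more than its supplier */
    return verw(buffer_sel, cpl);
}

int main(void)
{
    selector_t user_cs = SEL(3, 3);     /* caller runs at level 3 */
    selector_t honest  = SEL(4, 3);     /* its own buffer */
    selector_t forged  = SEL(2, 0);     /* the file tables, with a forged RPL of 0 */

    printf("honest buffer,  no ARPL: %s\n", kernel_fread_accepts(honest, user_cs, false) ? "write" : "fault");
    printf("forged pointer, no ARPL: %s\n", kernel_fread_accepts(forged, user_cs, false) ? "write" : "fault");
    printf("forged pointer, ARPL:    %s\n", kernel_fread_accepts(forged, user_cs, true)  ? "write" : "fault");
    return 0;
}
```

The forged pointer is a selector for the kernel's own data segment with its RPL field cleared to 0. Without ARPL the level-0 service passes the check and would overwrite the file tables; after ARPL raises the RPL to the caller's CPL of 3, the same selector fails the DPL >= RPL test and would fault on load.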

11.4 NPX CONTEXT SWITCHING

The context of a processor extension (such as the 80287 numerics processor) is not changed by the task switch operation. A processor extension context need only be changed when a different task attempts to use the processor extension (which still contains the context of a previous task). The 80286 detects the first use of a processor extension after a task switch by raising the processor extension not-present exception (#7). The interrupt handler may then decide whether a context change is necessary.


The 286 services numeric errors only when it executes wait or escape instructions, because the processor extension is running independently. The numerics error from one task may therefore be recorded when the 286 is running a different task. If the 286 task has changed, it makes sense to defer handling that error until the original task is restored. For example, interrupt handlers that use the NPX should not have their timing upset by a numeric error interrupt that pertains to some earlier process.

It is of little value to service someone else's error.

If the task switched bit (TS, bit 3 of the MSW) is set when the CPU begins to execute a wait or escape instruction, the processor-extension not-present exception (#7) results. The handler for this exception must know who currently "owns" the NPX, i.e., the last task to issue a command to the NPX. If the owner is the same as the current task, then that task was merely interrupted and the interrupting handler has since returned; the handler for interrupt 7 simply clears the TS bit, restores the working registers, and returns (re-enabling interrupts if they were enabled).

If the recorded owner is different from the current task, the handler uses the owner's task ID to save the NPX context in the owner's TSS and then restores the current task's context from its own TSS (table 11-1, steps 8a and 8b). The example assumes that each TSS has a data segment alias covering the region of memory that contains the TSS. The alias segment also contains an area for saving the NPX context, the kernel stack, and certain kernel data. That is, the first 44 bytes in that segment are the 286 context, followed by 94 bytes for the processor extension context, followed in some cases by the kernel stack and kernel private data areas.

The implied convention is that the stack segment selector points to this data segment alias, so that whenever there is an interrupt at level zero and SS is automatically loaded, all of the above information is immediately addressable.

It is assumed that the program example knows about only one data segment, which points to a global data area in which it can find the one-word NPX owner needed to begin the processing described. The specific operations needed, as shown in the figure, are listed in table 11-1.

11.5 MULTIPROCESSOR CONSIDERATIONS

As mentioned in Chapter 8, a bus lock is applied during the testing and setting of the task busy bit to ensure that two processors do not invoke the same task at the same time.

However, protection traps and conflicting use of dynamically varying segments or descriptors must be addressed by an inter-processor synchronization protocol. The protocol can use the indivisible semaphore operation of the base instruction set. Coordination of interrupt and trap vectoring must also be addressed when multiple concurrent processors are operating.

The interrupt bus cycles are locked so no interleaving occurs on those cycles. Descriptor caching is locked so that a descriptor reference cannot be altered while it is being fetched.

When a program changes a descriptor that is shared with other processors, it should broadcast this fact to the other processors. This broadcasting can be done with an inter-processor interrupt. The handler for this interrupt must ensure that the segment registers, the LDTR and the TR, are reloaded. This happens automatically if the interrupt is serviced by a task switch.

Modification of descriptors of shared segments in multi-processor systems may require that the on-chip descriptors also be updated. For example, one processor may attempt to mark the descriptor of a shared segment as not-present while another is using it. Software has to ensure that the descriptors in the segment register caches are updated with the new information. The segment register caches can be updated by a re-entrant procedure that is invoked by an inter-processor interrupt; as above, that handler must reload the segment registers, the LDTR and the TR, which happens automatically if the interrupt is serviced by a task switch.
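The stale-cache hazard and the lock-then-broadcast protocol just described, modelled in C as an added example (not code from the manual). The processor count, the descriptor table, the single cached DS register per processor and the synchronous delivery of the inter-processor interrupt are assumptions made for this illustration; the indivisible exchange that takes the semaphore stands in for the 286's LOCK XCHG:

```c
/* Added example, not from the manual: a C model of one processor marking a
 * shared segment's descriptor not-present while another processor still holds
 * the old copy in its on-chip segment-register cache, and of the protocol the
 * text prescribes: take the semaphore with an indivisible exchange, change the
 * descriptor in memory, then broadcast an inter-processor interrupt whose
 * handler reloads the segment registers. Processor count, descriptor table and
 * the immediate IPI delivery are constructed for this illustration. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NCPUS 2
#define NDESC 3

typedef struct { bool present; uint32_t base; uint16_t limit; } descriptor_t;

/* Shared descriptor table in memory. Slot 1 is the shared data segment. */
static descriptor_t gdt[NDESC];

/* Per-processor state: the DS selector and the hidden descriptor cache that
 * a MOV DS, sel fills and that every later access consults. */
typedef struct { uint16_t ds_sel; descriptor_t ds_cache; } cpu_t;
static cpu_t cpus[NCPUS];

/* Semaphore guarding the table; the exchange stands in for LOCK XCHG. */
static atomic_int desc_lock;
static void lock_acquire(void)
{
    while (atomic_exchange_explicit(&desc_lock, 1, memory_order_acquire))
        ;                                   /* spin until the previous holder releases */
}
static void lock_release(void)
{
    atomic_store_explicit(&desc_lock, 0, memory_order_release);
}

void mp_reset(void)
{
    gdt[0] = (descriptor_t){ false, 0, 0 };           /* null */
    gdt[1] = (descriptor_t){ true, 0x10000, 0xFFFF }; /* shared segment */
    gdt[2] = (descriptor_t){ true, 0x20000, 0x0FFF }; /* another segment */
    for (int i = 0; i < NCPUS; i++)
        cpus[i] = (cpu_t){ 0, { false, 0, 0 } };
    atomic_store(&desc_lock, 0);
}

/* MOV DS, sel: faults (#NP) if not present, else copies the descriptor on chip. */
bool load_ds(int cpu, uint16_t sel)
{
    const descriptor_t *d = &gdt[sel >> 3];
    if (!d->present)
        return false;
    cpus[cpu].ds_sel = sel;
    cpus[cpu].ds_cache = *d;
    return true;
}

/* A data reference through DS is checked only against the cached copy. */
bool access_ds(int cpu, uint16_t offset)
{
    const descriptor_t *c = &cpus[cpu].ds_cache;
    return c->present && offset <= c->limit;
}

/* IPI handler: reload the segment registers from memory (a real handler also
 * reloads the LDTR and TR). A now not-present descriptor cannot be reloaded,
 * so the stale cached copy is invalidated instead of being kept. */
void ipi_handler(int cpu)
{
    if (!load_ds(cpu, cpus[cpu].ds_sel))
        cpus[cpu].ds_cache.present = false;
}

/* Withdraw a shared segment: lock, edit memory, then (optionally) broadcast. */
void mark_not_present(int from_cpu, uint16_t sel, bool broadcast)
{
    lock_acquire();
    gdt[sel >> 3].present = false;
    lock_release();
    if (broadcast)
        for (int i = 0; i < NCPUS; i++)
            if (i != from_cpu)
                ipi_handler(i);             /* delivery modelled as immediate */
}

/* Can CPU 1 still reach the segment after CPU 0 marks it not-present? */
bool stale_access_after_withdraw(bool broadcast)
{
    mp_reset();
    load_ds(0, 1 << 3);
    load_ds(1, 1 << 3);
    mark_not_present(0, 1 << 3, broadcast);
    return access_ds(1, 0x100);
}

int main(void)
{
    printf("without broadcast: CPU 1 access %s\n",
           stale_access_after_withdraw(false) ? "succeeds (stale cache)" : "faults");
    printf("with broadcast:    CPU 1 access %s\n",
           stale_access_after_withdraw(true) ? "succeeds (stale cache)" : "faults");
    return 0;
}
```

The lock protects only the table in memory; it does nothing for the copies already sitting in other processors' segment-register caches, which is why the change is useless until every other processor has reloaded its segment registers.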

Figure 11-3. Example of NPX Context Switching (ASM286 listing of :FS:SWHPI.A86; the numbered listing lines referenced in table 11-1 are not reproduced here)

Table 11-1. NPX Context Switching

Step  Operation                                           Lines
1.    Save the working registers                          28,29
2.    Set up address for kernel work area                 30,31
3.    Get current task ID from Task Register              32
4.    Clear Task Switch flag to allow NPX work            34
5.    Inhibit interrupts                                  35
6.    Compare owner with current task ID                  37
      If same owner:
7a.   Restore working registers                           48,49
7b.   and return                                          50
      If owner is not current task:
8a.   Use owner ID to save old context in its TSS         42,43,44
8b.   Restore context of current task;                    45
      restore working registers;                          46
      and return                                          52
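The exception 7 handler of table 11-1, written as an added C model (this is not the assembler of figure 11-3). The TS bit position and the 44- and 94-byte save areas are taken from the text; the task ids, the global npx_owner word, the task_switch(), npx_escape() and npx_wait() entry points and the ctx_saves counter are assumptions made for this illustration:

```c
/* Added example, not the manual's figure 11-3: a C model of the lazy 80287
 * context switch driven by the Task Switched (TS) bit and exception 7, following
 * the steps of table 11-1. The task ids, the TSS layout, the global npx_owner
 * word and the instrumentation counter are constructed for this illustration;
 * the 44-byte 286 context and 94-byte NPX save area come from the text. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MSW_TS       (1u << 3)   /* Task Switched: bit 3 of the MSW */
#define CTX_286_LEN  44          /* 286 context at the start of the TSS */
#define NPX_CTX_LEN  94          /* 80287 context saved after it */
#define NTASKS       3

/* The aliased TSS: 286 context, then the NPX save area. */
typedef struct {
    uint8_t ctx286[CTX_286_LEN];
    uint8_t npx_ctx[NPX_CTX_LEN];
} tss_t;

static tss_t    tss[NTASKS];
static unsigned msw;                     /* machine status word */
static unsigned current_task;            /* task id the TR selects */
static unsigned npx_owner;               /* one-word global: last task to command the NPX */
static uint8_t  npx_regs[NPX_CTX_LEN];   /* the live 80287 state */
static unsigned ctx_saves;               /* instrumentation: how often step 8a ran */

void npx_reset(void)
{
    memset(tss, 0, sizeof tss);
    memset(npx_regs, 0, sizeof npx_regs);
    msw = 0;
    current_task = 0;
    npx_owner = 0;
    ctx_saves = 0;
}

/* Hardware task switch: the 80287 is left alone, only TS is set. */
void task_switch(unsigned to)
{
    current_task = to;
    msw |= MSW_TS;
}

/* Exception 7 handler, numbered as in table 11-1. Steps 1, 2, 5 and 7 (saving
 * and restoring the working registers, addressing the kernel work area and
 * inhibiting interrupts) have no counterpart in this model. */
static void npx_not_present_handler(void)
{
    unsigned me = current_task;                              /* 3: task id from TR */
    msw &= ~MSW_TS;                                          /* 4: allow NPX work */
    if (npx_owner == me)                                     /* 6: compare owner */
        return;                                              /* merely interrupted */
    memcpy(tss[npx_owner].npx_ctx, npx_regs, NPX_CTX_LEN);   /* 8a: save old owner's context */
    memcpy(npx_regs, tss[me].npx_ctx, NPX_CTX_LEN);          /* 8b: load current task's */
    npx_owner = me;
    ctx_saves++;
}

/* WAIT: traps to the handler if TS is set, touches no NPX data. */
void npx_wait(void)
{
    if (msw & MSW_TS)
        npx_not_present_handler();
}

/* An ESC instruction that changes NPX state, e.g. a load into ST(0). */
void npx_escape(uint8_t value)
{
    npx_wait();
    npx_regs[0] = value;
}

uint8_t  npx_top(void)      { return npx_regs[0]; }
unsigned npx_saves(void)    { return ctx_saves; }
unsigned npx_owner_id(void) { return npx_owner; }
bool     msw_ts(void)       { return (msw & MSW_TS) != 0; }

int main(void)
{
    npx_reset();
    task_switch(1); npx_escape(0x11);   /* task 1 takes the NPX */
    task_switch(2); task_switch(1);     /* task 2 never touches it */
    npx_escape(0x12);                   /* same owner: no save, no restore */
    task_switch(2); npx_escape(0x22);   /* task 1's image saved, task 2's loaded */
    task_switch(1); npx_wait();         /* task 1's image comes back */
    printf("ST(0) for task 1 = %#x, context saves = %u\n", npx_top(), npx_saves());
    return 0;
}
```

Running it shows that switching tasks never touches the 80287: the image is saved and reloaded only when a task other than the recorded owner first executes an ESC or WAIT, and a task that is merely interrupted and resumed pays nothing beyond the handler clearing TS.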
