PAGE-LEVEL PROTECTION

Protection applies to both segments and pages. When the flat model for memory seg-mentation has been used, page-level protection prevents programs from interfering with each other.

Each memory reference is checked to verify that it satisfies the protection checks. All checks are made before the memory cycle is started; any violation prevents the cycle from starting and results in an exception. Because checks are performed in parallel with address translation, there is no performance penalty. There are two page-level protec-tion checks:

1. Restriction of addressable domain 2. Type checking

A protection violation results in an exception. See Chapter 9 for an explanation of the exception mechanism. This chapter describes the protection violations which lead to exceptions.

6.8.1 Page-Table Entries Hold Protection Parameters

Figure 6-10 highlights the fields of a page table entry which control access to pages. The protection checks are applied for both first- and second-level page tables.

6.8.1.1 RESTRICTING ADDRESSABLE DOMAIN

Privilege is interpreted differently for pages and segments. With segments, there are four privilege levels; ranging from 0 (most privileged) to 3 (least privileged). With pages, there are two levels of privilege:

1. Supervisor level (U/S = 0) - for the operating system, other system software (such as device drivers), and protected system data (such as page tables)

2. User level (U IS = 1) - for application code and data.

The privilege levels used for segmentation are mapped into the privilege levels used for paging. If the CPL is 0, 1, or 2, the processor is running at supervisor level. If the CPL is 3, the processor is running at user level.When the processor is running at 'supervisor level, all pages are accessible. When the processor is running at user level, only pages from the user level are accessible.

RIW READIWRITE U/S USER/SUPERVISOR

240486i64

Figure 6-10. Protection Fields of a Page Table Entry

6.8.1.2 TYPE CHECKING

Only two types of pages are recognized by the protection mechanism:

1. Read-only access (R/W = 0) 2. Read/write access (R/W

=

When the processor is running at supervisor level with the WP bit in the eRO register clear (its state following reset initialization), all pages are both readable and writable (write-prote,ction is ignored). When the processor is running at user level, only pages which belong to user level and are marked for read/write access are writable. User-level pages which are read/write or read-only are readable. Pages from the supervisor level are neither readable nor writable from user level. A general-protection exception is gener-ated on any attempt to violate the protection rules.

Unlike the 386™ DX processor, the i486 processor allows .user-mode pages to be write-protected against supervisor mode access. Setting the WP bit in the CRO register enables supervisor-mode sensitivity to user-mode, write-protected pages. This feature is useful for implementing the copy-on-write strategy used by some operating systems, such as UNIX, for task creation (also called forking or spawning).

When a new task is created, it is possible to copy the entire address space of the parent task. This gives the child task a complete, duplicate set of the parent's· segments and pages. The copy-on-write strategy saves memory space and time by mapping the child's segments and pages to the same segments and pages used by the parent task. A private copy of a page gets created only when one of the tasks writes to the page.

6.8.2 Combining Protection of Both Levels of Page Tables

For anyone page, the protection attributes of its page directory entry (first-level page table) may differ from those of its second-level page table entry. The i486 processor checks the protection for a page by examining the protection specified in both the page directory (first-level page table) and the second-level page table. Table 6-4· shows the protection provided by the possible combinations of protection attributes when the WP bit is clear.

6.8.3 Overrides to Page ~rotection

Certain accesses are checked as if they are privilege-level 0 acc,esses, for any value of CPL:

• Access to segment descriptors (LDT, GDT, TSS and IDT).

• Access to inner stack during a CALL instruction, or exceptions and interrupts, when a change of privilege level occurs.

Table 6-4. Combined Page Directory and Page Table Protection

Page Directory Entry Page Table Entry Combined Effect

Privilege Access Type Privilege Access Type Privilege Access Type

User Read-Only User Read-Only User Read-Only

User Read-Only User Read-Write User Read-Only

User Read-Write User Read-Only User Read-Only

User Read-Write User Read-Write User Read/Write

User Read-Only Supervisor Read-Only User Read-Only

User Read-Only Supervisor Read-Write User Read-Only

User Read-Write Supervisor Read-Only User Read-Only

User Read-Write Supervisor Read-Write User Read/Write

Supervisor Read-Only User Read-Only User Read-Only

Supervisor Read-Only User Read-Write User Read-Only

Supervisor Read-Write User Read-Only User Read-Only

Supervisor Read-Write User Read-Write User Read/Write

Supervisor Read-Only Supervisor Read-Only Supervisor Read/Write

Supervisor Read-Only Supervisor Read-Write Supervisor Read/Write

Supervisor Read-Write Supervisor Read-Only Supervisor Read/Write

Supervisor Read-Write Supervisor Read-Write Supervisor Read/Write