Date post: | 21-Aug-2018 |
Category: |
Documents |
Upload: | trinhkhanh |
View: | 212 times |
Download: | 0 times |
Microprocessors (A)IA321
Dr. Martin LandHadassah CollegeFall 2004
IA32
Intel 32-bit Architecture
Microprocessors (A)IA322
Dr. Martin LandHadassah CollegeFall 2004
Intel 32-bit Architecture (IA32)
Basic architectural plan for Intel processors
RequirementsBackward compatible with 8086, 80186, and 80286True 32-bit machine (address and integer length)Enable PC to run a modern operating system
IA-32 introduced in 1985All processors from i386 to Pentium 4 follow IA-32Intel introduced a full implementation of UNIX for IA-32
Microprocessors (A)IA323
Dr. Martin LandHadassah CollegeFall 2004
Intel 32-bit Architecture (IA32)
32-bit machine:32-bit internal and external data bus32-bit external address busGeneral registers extended to 32 bit width
EAX, EBX, ECX, EDX, ESP, EBP, ESI, EDI, EIP
Expanded code set (32-bit instructions)
Hardware support for Operating System functions:Task managementVirtual memory and pagingLocal data and protection
Microprocessors (A)IA324
Dr. Martin LandHadassah CollegeFall 2004
Operating Modes
Real ModeLike a fast 8086
Only recognizes 8086 instruction set16-bit integers and address offsets20-bit physical address (can access lowest 1 MB of RAM)
All IA32 processors initialize into real mode
Protected ModeUses full 32-bit features
Can process new 32-bit instructions32-bit integers and physical addresses (can access 4 GB of RAM)Hardware support for Operating System functions
Windows/Linux/UNIX/OS2 run in protected mode
Virtual 86Creates a virtual 8086 environment as a taskCan run multiple V86 tasks at one timeDOS window under Windows runs in V86 mode
Microprocessors (A)IA325
Dr. Martin LandHadassah CollegeFall 2004
General Purpose Registers
AH AL EAX Accumulator BH BL EBX Base CH CL ECX Counter DH DL EDX Data 31 16 15 8 7 0
SP ESP stack pointer BP EBP base pointer SI ESI source index DI EDI destination index IP EIP instruction pointer
31 16 15 0
Microprocessors (A)IA326
Dr. Martin LandHadassah CollegeFall 2004
Segment Registers
Segment Registers Segment Shadow Registers
Code Segment Selector CS Code Segment Descriptor Data Segment Selector DS Data Segment Descriptor Stack Segment Selector SS Stack Segment Descriptor Extra Segment Selector ES Extra Segment Descriptor Data-F Segment Selector FS Data-F Segment Descriptor Data-G Segment Selector GS Data-G Segment Descriptor 15 0 63 0
New data segment registers: FS, GS Selector
Pointer to segment location in memory In Real Mode, Selector = upper 16 bits of physical segment base address In Protected Mode, Selector = index to a Descriptor Table
Descriptor
Information about the segment Descriptor = Segment base address, Segment Size, Segment Type
Microprocessors (A)IA327
Dr. Martin LandHadassah CollegeFall 2004
Segmentation in IA32 Protected Mode
Segment RegisterHolds a pointer to a segmentPointer is called a Segment Selector
Selector contains an index into a look-up tableDescriptor Table is built in Main Memory (RAM)
A Descriptor Table may be global or localTable entries are called segment DescriptorsEach Descriptor defines one segment
Descriptor contains segment base address, segment limit, access rights, and other properties
Microprocessors (A)IA328
Dr. Martin LandHadassah CollegeFall 2004
Segment Address Translation
RAM
+
offset
segmentbase
address
linearaddress
Linear AddressSpace
+
offset
linearaddress
descriptortableselector
segmentbase
address
Microprocessors (A)IA329
Dr. Martin LandHadassah CollegeFall 2004
Tasks in IA32
Each activity under OS is defined as a TaskEach task is allocated a Task Segment
Holds information about Task (context) Defines Local (private) Segments for task: Data/Code/Stack
Every TaskMay access (public and unique) Global Descriptor Table (GDT)May access its (private) Local Descriptor Table (LDT)Selector contains
Table Indicator (TI) to choose LDT or GDTIndex to choose entry (Descriptor) from Descriptor Table
Microprocessors (A)IA3210
Dr. Martin LandHadassah CollegeFall 2004
Addressing Table Registers
GDT Register (Global Descriptor Table)
GDT linear base address GDT limit 31 0 15 0
IDT Register (Interrupt Descriptor Table)
IDT linear base address IDT limit 31 0 15 0
LDT Register (Local Descriptor Table) Shadow Register
LDT Segment Selector LDT Segment Descriptor 15 0 63 0
TSS Register (Task State Segment) Shadow Register
TSS Segment Selector TSS Segment Descriptor 15 0 63 0
Microprocessors (A)IA3211
Dr. Martin LandHadassah CollegeFall 2004
Preview: Context Switch
Enter new Selector in TSS RegisterCPU uses TSS Selector to fetch TSS DescriptorTSS Descriptor points to Task State Segment (TSS)
Hardware fetches information from TSS:Selectors for CS, DS, ES, SS, FS, GS, and LDTValues for EAX … EDX, EIP, EDI, ESI, EBP, ESP, Flags
CPU uses LDT Selector to fetch LDT DescriptorLDT Descriptor points to Local Descriptor TableCPU uses CS Selector to fetch CS DescriptorCPU uses DS Selector to fetch DS DescriptorCPU fetches all 6 Segment Descriptors
Descriptors: Segment Base Addresses, Sizes, and Access information
Microprocessors (A)IA3212
Dr. Martin LandHadassah CollegeFall 2004
Selector Format
Index Table Index (TI)
Request Privilege Level (RPL)
13-bits 1 bit 2 bits 13-bit Index to Descriptor in table 213 = 23 × 210 = 8 × 1 K Descriptor table holds 8 K (8192) Descriptors
Descriptor Address = Table Base Address + Descriptor Offset Descriptor is 8 bytes in length Descriptor Offset = Index × 8 = Index × 10002 = Selector AND FFF8
8 K Descriptors/table × 8 Bytes/Descriptor = 64 KB/table
Table Index TI = 0 for GDT TI = 1 for LDT
Request Privilege Level (RPL): used for protection mechanism
Microprocessors (A)IA3213
Dr. Martin LandHadassah CollegeFall 2004
Segment Address Translation
index TI RPL
13 bits 1bit
2bits
GDT
LDT
32-bit segment base address
16-bit selector
32-bit offset
+32-bit linear address
64-bit descriptorAddress
Microprocessors (A)IA3214
Dr. Martin LandHadassah CollegeFall 2004
Segment Types
Segment type is written in segment descriptor Code Segments
Program instructionsMay be fetched as instructionsMay be local (to a task) or global
Data SegmentsHolds dataMay be loaded or storedMay be local or global
System SegmentsGDT/LDT/IDT/TSS Occupy separate segmentsNo access by user programs
Microprocessors (A)IA3215
Dr. Martin LandHadassah CollegeFall 2004
Descriptor Format8 4 4 8 24 16
Base Access Limit Access Base Limit 31 ... 24 11 ... 8 19 ... 16 7 ... 0 23 ... 0 15 ... 0
63 56 55 52 51 48 47 40 39 16 15 0
11 10 9 8 7 6 5 4 3 2 1 0 G D 0 0 P DPL S TYPE A Code Segment
Access
G 0 0 0 P DPL S TYPE A Data Segment Base: 32-bit segment base address Limit: 20-bit offset limit ⎯ Segment Size = [1 + Limit] × (4096)G Bytes
G= 0 ⇒ Byte Granularity: 220 bytes = 1 MB maximum segment size G= 1 ⇒ 4 KB Granularity: 220 × 4 KB = 4 GB maximum segment size
Code Type: D = 0 for 16-bit code (required for DOS and runs under Windows) D = 1 for 32-bit code (runs under Windows 9x/NT/2000/XP and Linux/UNIX) Present: P = 1 for segment in memory or P = 0 for swapped-out segment DPL: Descriptor Privilege Level System: S = 0 for system segment or S = 1 for user segment Type: Segment type code Access: A = 0 until segment is accessed; A = 1 after access
Microprocessors (A)IA3216
Dr. Martin LandHadassah CollegeFall 2004
Type Fields for User Segments (S = 1)
3-bit Type Field Code Segment
Type = 1 C RC = 1 for Conforming code (protection scheme)R = 1 for Readable Code (MOV AX,CS:EA legal)
Data SegmentType = 0 ED WED = 1 for Expand Down (stack segment)W = 0 for Read-Only segment
Microprocessors (A)IA3217
Dr. Martin LandHadassah CollegeFall 2004
Segmentation Example ⎯ 1
GDT register = 00 10 00 00 FF FF GDT begins at 00 10 00 00 GDT length is 64 KB
LDT register = 000B LDT register holds LDT selector
0 0 0 B 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 1
13-bit index TI
RPL
0 0 0 0 0 0 0 0 0 0 0 0 1 0 11
Index = 1 → 1 × 8 = 8 (000B AND FFF8 = 0008) TI = 0 points to GDT Descriptor address = GDT base + 0008 = 00100000 + 0008 = 00100008h
Microprocessors (A)IA3218
Dr. Martin LandHadassah CollegeFall 2004
Segmentation Example ⎯ 2
Lower Part of GDT address 0 1 2 3 4 5 6 7 8 9 A B C D E F
00 10 00 3 00 00 F2 07 08 00 FF FF 00 00 F2 08 08 00 FF FF 00 10 00 2 00 00 F2 05 08 00 FF FF 00 00 F2 06 08 00 FF FF 00 10 00 1 00 00 F8 03 08 00 FF FF 00 00 F8 04 08 00 FF FF 00 10 00 0 00 00 E2 01 08 00 FF FF 00 00 E2 02 08 00 FF FF
Lower Part of LDT address 0 1 2 3 4 5 6 7 8 9 A B C D E F
00 02 08 3 00 00 F2 17 08 00 FF FF 01 81 F2 18 08 00 FF FF 00 02 08 2 00 00 F2 15 08 00 FF FF 00 00 F2 16 08 00 FF FF 00 02 08 1 00 00 F8 13 08 00 FF FF 00 00 F8 14 08 00 FF FF 00 02 08 0 00 00 F2 11 08 00 FF FF 00 00 F2 12 08 00 FF FF
Microprocessors (A)IA3219
Dr. Martin LandHadassah CollegeFall 2004
Segmentation Example ⎯ 3
Descriptor at 00100008h to 0010000Fh is
00 0 0 E2 02 08 00 FF FF Base Access Limit Access Base Address Limit
Segment base address = 00 02 08 00 Access = 0E2 = 0000 1110 0010
0 0 0 0 1 1 1 0 0 0 1 0 G 0 0 0 P DPL LDT
G = 0 ⇒ Byte Granularity and Segment Limit = FFFF (64 KB) P = 1 ⇒ Segment is present in RAM S = 0 and Type = 001 ⇒ LDT segment Descriptor is copied to LDT Shadow Register
Microprocessors (A)IA3220
Dr. Martin LandHadassah CollegeFall 2004
Segmentation Example ⎯ 4CS:EIP = 001B: 00 00 00 10
0 0 1 B 0 0 0 0 0 0 0 0 0 0 0 1 1 0 1 1
13-bit index TI
RPL
0 0 0 0 0 0 0 0 0 0 0 1 1 0 11
Descriptor offset in GDT (TI = 0) = index × 8 = 001B AND FFF8 = 0018 GDT base + 0018 = 00100018 Descriptor at 00100018 is copied to CS Shadow Register
00 0 0 F8 04 08 00 FF FF Base Access Limit Access Base Address Limit
Access = 0F8 = 0000 1111 1000
0 0 0 0 1 1 1 1 1 0 0 0 G D 0 0 P DPL code C R A
Segment base address = 00 04 08 00 Segment limit = FFFF bytes Code segment (non-conformable, non-readable, 16-bit code) Linear address = 00 04 08 10
Microprocessors (A)IA3221
Dr. Martin LandHadassah CollegeFall 2004
Segmentation Example ⎯ 5DS:BX = 003F:00088010
0 0 3 F 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1
13-bit index TI RPL0 0 0 0 0 0 0 0 0 0 1 1 1 1 11
Descriptor offset in LDT (TI = 1) = index × 8 = 003F AND FFF8 = 0038 LDT base + 0038 = 00 02 08 00 + 00 38 = 00 02 08 38
01 8 1 F2 18 08 00 FF FF Base Access Limit Access Base Address Limit
Access = 8F2 = 1000 1111 0010
1 0 0 0 1 1 1 1 0 0 1 0 G 0 0 0 P DPL data ED W A
Segment base address = 01 18 08 00 G = 1 ⇒ Segment limit = (1FFFF+1)×1000 = 20000000 = 536,870,912 bytes Data segment Offset = 00 08 80 10 < limit = 20 00 00 00 Linear address = 01 18 08 00 + 00 08 80 10 = 01 20 88 10 Descriptor copied to DS Shadow Register
Microprocessors (A)IA3222
Dr. Martin LandHadassah CollegeFall 2004
Segment Level Memory Protection
Microprocessors (A)IA3223
Dr. Martin LandHadassah CollegeFall 2004
Hiding Segments
Hardware allows Operating System to “hide” segments from applications:
Segment base address is hidden in a descriptorDescriptor is located in GDT or LDT
Only hardware can locate, define, access, or update the GDT and LDT
Under a reasonable OS, a user program cannot run GDT/LDT access instructions
A user program only accesses the segment selector
Microprocessors (A)IA3224
Dr. Martin LandHadassah CollegeFall 2004
Local Data and Code Segments
Every task has private segments defined in its LDTLDT selector is stored in the Task State Segment (TSS)
A task's LDT selector is "hidden" from other tasks
Segments defined in LDT are "doubly-hidden"Other Tasks cannot locate or access another Task’s
TSSLDT selectorLDTAny segment defined in its LDT
Microprocessors (A)IA3225
Dr. Martin LandHadassah CollegeFall 2004
Hardware Enforcement
For every RAM access:
Hardware compares offset and segment limitAccess denied if offset > segment limit Can be no accidental segment overflow
Hardware checks segment typeCannot write to a segment defined as codeCannot fetch from a data segment Cannot read, write or fetch from a system segment
Microprocessors (A)IA3226
Dr. Martin LandHadassah CollegeFall 2004
Access Restrictions by Privilege
Every segment has a classificationDescriptor Protection Level (DPL)Defined in access field of segment descriptorPrivilege level required for access
Every code segment has access rightsPrivilege level of segments it may accessSelector in CS register points to current code segment Current Privilege Level (CPL) = DPL of current CS
Instruction in the current code segment cannot: Access data if data segment's DPL < CPLJump to (or call) a new code segment with DPL < CPL
Microprocessors (A)IA3227
Dr. Martin LandHadassah CollegeFall 2004
Protection Rings
• Ring 0 is for the OS kernel• Ring 1 is for less sensitive OS functions• Ring 2 is for protected user functions• Ring 3 is for user programs
3210
Microprocessors (A)IA3228
Dr. Martin LandHadassah CollegeFall 2004
Full Access Rules
CS selector points to Code Segment descriptor with access rightsCPL.
The selector contains a Request Privilege Level (RPL) ⎯ usually a copy of the CPL.
An instruction in the current Code Segment can: 1. Access a Data Segment with DPL,2. Jump to (or call) a new Code Segment with DPL,If DPL ≥ max (CPL , RPL)
3210
AccessGranted
AccessDenied
Microprocessors (A)IA3229
Dr. Martin LandHadassah CollegeFall 2004
System Calls
User program makes a system call through a Call GateCurrent code jumps or calls to a new CS:EIP in the OSCS selector points to a special descriptor (Call Gate) in the
GDT or LDTCall Gate is loaded to CS Shadow RegisterThe hardware:1. Recognizes the descriptor as a Call Gate2. Loads the Destination Selector from the Call Gate to CS3. Loads the Destination Offset from the Call Gate to EIP 4. Copies parameters according to the Word Count5. System Call runs, with its address hidden from the user
Microprocessors (A)IA3230
Dr. Martin LandHadassah CollegeFall 2004
Call Gate Format
16 8 3 5 16 16 destination offset access 0 word
count destination selector destination offset
access byte
bit 7 bit 6,5 bits 4,3,2,1,0 P DPL 01100
selectorCS:EIP
CS Shadow Register (CS descriptor)
systemcall
GDT
call gate
destinationoffset access 0 word
countdestination
selectordestination
offset
Microprocessors (A)IA3231
Dr. Martin LandHadassah CollegeFall 2004
The Trojan Horse Problem
User program denied access to a protected segment (DPL < user CPL).
User program passes a pointer (selector) to that segment in a system call.
The OS can access the protected segment.
3210
user
OS
call gate
protecteddata
The selector has a Request Protection Level (RPL) field.The OS sets RPL = user CPL in the selector (pointer). Access is permitted if and only if DPL ≥ max (CPL , RPL).
Microprocessors (A)IA3232
Dr. Martin LandHadassah CollegeFall 2004
Paging Address Translation
directory page byte
page tabledirectory base
page tabledirectory
page table main memory
entry
entry
+ +
+
page
byte
directorybase address
page tablebase address
pagebase address
Microprocessors (A)IA3233
Dr. Martin LandHadassah CollegeFall 2004
Linear Address
directory = index into directory (4 bytes per entry)
210 =1024 = 1K page table entries per directory
4 bytes per entry ⇒ 4 KB per directory
page table = index into selected page table
4 bytes per entry ⇒ 4 KB per page table
offset = index (of byte) into selected page
212 =4096 = 4K byte per page
210 page tables × 210 page/page table × 212 bytes/page = 232 bytes
1 0 b it s 1 0 b it s 1 2 b it s d ir e c t o r y p a g e t a b le o f f s e t
Microprocessors (A)IA3234
Dr. Martin LandHadassah CollegeFall 2004
Entries in Page Directory and Page Table
upper 20 bits of page table physical address
OS reserved 0 D A 0 U/S R/W P
31 12 11 9 8 7 6 5 4 3 2 1 0
D — dirty bit A — accessed
P = 0 = swapped-out P = 1 = present
Segments with DPL = 0,1,2 inherit U/S = 0 (supervisor) Segments with DPL = 3 inherit U/S = 1 (user)
Supervisor code has Read/Write permission for User Read/Write permission for Supervisor data pages
User code has No access to supervisor data pages Read-only access to data pages with R/W = 0 Read/write access to data pages with R/W = 1
Microprocessors (A)IA3235
Dr. Martin LandHadassah CollegeFall 2004
Paging ExampleDirectory address = Dir_add = 00010000 h
Linear Address = 00402100 h
00 40 21 00 0000 0000 0100 0000 0010 0001 0000 0000
Directory field = 00000000012 = 001 h
Find 4 byte entry at physical address Dir_add + 4 × 001 = 00010004 h Entry = 12345678 h Entry points to Page Table at PT_add 12345000 h
Page Table Field = 00000000102 = 002 h Find 4 byte entry at physical address PT_add + 4 × 002 = 12345008 h Entry = 9ABCDEF0 h Entry points to Page at P_add 9ABCD000 h
Offset Field = 0001000000002 = 100 h Offset points to byte at physical address P_add + 100 = 9ABCD100 h
Microprocessors (A)IA3236
Dr. Martin LandHadassah CollegeFall 2004
Virtual Address to Physical Address
SEGMENT:OFFSETdescriptor
table
descriptor
Linear Base Address+
Offset
index
Linear Address
segment shadow register
cache descriptor in CPU
directory page offset
paging enabled
Physical Address
paging not enabled
Linear Address Physical Address
Translation Lookaside Buffer (TLB)(address cache)
Microprocessors (A)IA3237
Dr. Martin LandHadassah CollegeFall 2004
Building Page Tables
Start with Physical Address = Linear Address
Build descriptor tables without concern for paging
Physical address ≠ linear address after swapping
Some important numbers
1 K = 1024 = 400h4 K = 4096 = 1000h
1 M = (1024)2 = 400 × 400 h = 4 × 4 × 10000 h = 10 00 00h
Microprocessors (A)IA3238
Dr. Martin LandHadassah CollegeFall 2004
Example Page Layout
32 MB of RAM divided into (32 MB) / (4 KB/page) = 8 K pages
Page First Byte Last Byte 1FFF 01 FF F0 00 01 FF FF FF
... 0003 00 00 30 00 00 00 3F FF 0002 00 00 20 00 00 00 2F FF 0001 00 00 10 00 00 00 1F FF 0000 00 00 00 00 00 00 0F FF
8K = 2 × 4K = 2 × 1000h = 2000h (0000 to 1FFF) 1 page = 4KB = 1000h Bytes (000 to FFF) Page number P begins at P × 1000h
Microprocessors (A)IA3239
Dr. Martin LandHadassah CollegeFall 2004
Counting Page Tables
8 Kpages requires (8 Kpages) / (1 K pages/page table) = 8 page tables Page table points to 1 K pages = 400h pages and has entries 000 to 3FFh
Page Points To Pages Table First Last 7 1C00 1FFF 6 1800 1BFF 5 1400 17FF 4 1000 13FF 3 0C00 0FFF 2 0800 0BFF 1 0400 07FF 0 0000 03FF
Page table T points to pages T × 400h to T × 400h + 3FFh Page P is in page table T = int [ P/400 ]
Microprocessors (A)IA3240
Dr. Martin LandHadassah CollegeFall 2004
Page Table Directory
Start Directory at address 00 FF FC 00 Start Page Tables at address 01 00 00 00
PT 7 01 00 70 00 01 00 7F FF PT 6 01 00 60 00 01 00 6F FF PT 5 01 00 50 00 01 00 5F FF PT 4 01 00 40 00 01 00 4F FF PT 3 01 00 30 00 01 00 3F FF PT 2 01 00 20 00 01 00 2F FF PT 1 01 00 10 00 01 00 1F FF PT 0 01 00 00 00 01 00 0F FF
Directory 00 FF FC 00 00 FF FF FF
Microprocessors (A)IA3241
Dr. Martin LandHadassah CollegeFall 2004
Directory Entries 20 bits 12 bits Entry
Format int (physical address A /1000h ) other stuff
Entry Number
Entry Address
Points to PT
Entry
3FF 00 FF FF FC — — - — — — 8 00 FF FC 20 — — 7 00 FF FC 1C 7 01 00 7x xx 6 00 FF FC 18 6 01 00 6x xx 5 00 FF FC 14 5 01 00 5x xx 4 00 FF FC 10 4 01 00 4x xx 3 00 FF FC 0C 3 01 00 3x xx 2 00 FF FC 08 2 01 00 2x xx 1 00 FF FC 04 1 01 00 1x xx 0 00 FF FC 00 0 01 00 0x xx
1023 = 3FF ⇒ 4× 1023 = 1000 - 4 h = FFC h
Microprocessors (A)IA3242
Dr. Martin LandHadassah CollegeFall 2004
Page Table 0 Entries PT 0 points to the first 1 K pages of memory From address 00 00 00 00 To address 00 3F FF FF Each entry points to a 4 KB page Page 0 is at 00 00 00 00 Page 1 is at 00 00 10 00 Page 2 is at 00 00 20 00
Entry Number
Entry Address
Points to Page
Entry
3FF 01 00 0F FC 3FF 00 3F Fx xx - — — — 8 01 00 00 20 8 00 00 8x xx 7 01 00 00 1C 7 00 00 7x xx 6 01 00 00 18 6 00 00 6x xx 5 01 00 00 14 5 00 00 5x xx 4 01 00 00 10 4 00 00 4x xx 3 01 00 00 0C 3 00 00 3x xx 2 01 00 00 08 2 00 00 2x xx 1 01 00 00 04 1 00 00 1x xx 0 01 00 00 00 0 00 00 0x xx
Microprocessors (A)IA3243
Dr. Martin LandHadassah CollegeFall 2004
Page Table 1 EntriesPT 1 points to the second 1 K pages of memory From address 00 40 00 00 To address 00 7F FF FF Each entry points to a 4 KB page Page 400 is at 00 40 00 00 Page 401 is at 00 40 10 00 Page 402 is at 00 40 20 00
Entry Number
Entry Address
Points to Page
Entry
3FF 01 00 1F FC 7FF 00 7F Fx xx - — — — 8 01 00 10 20 408 00 40 8x xx 7 01 00 10 1C 407 00 40 7x xx 6 01 00 10 18 406 00 40 6x xx 5 01 00 10 14 405 00 40 5x xx 4 01 00 10 10 404 00 40 4x xx 3 01 00 10 0C 403 00 40 3x xx 2 01 00 10 08 402 00 40 2x xx 1 01 00 10 04 401 00 40 1x xx 0 01 00 10 00 400 00 40 0x xx
Microprocessors (A)IA3244
Dr. Martin LandHadassah CollegeFall 2004
Page Table 2 EntriesPT 2 points to the third 1 K pages of memory From address 00 80 00 00 To address 00 BF FF FF Each entry points to a 4 KB page Page 800 is at 00 80 00 00 Page 801 is at 00 80 10 00 Page 802 is at 00 80 20 00
Entry Number
Entry Address
Points to Page
Entry
3FF 01 00 2F FC BFF 00 BF Fx xx - — — — 8 01 00 20 20 808 00 80 8x xx 7 01 00 20 1C 807 00 80 7x xx 6 01 00 20 18 806 00 80 6x xx 5 01 00 20 14 805 00 80 5x xx 4 01 00 20 10 804 00 80 4x xx 3 01 00 20 0C 803 00 80 3x xx 2 01 00 20 08 802 00 80 2x xx 1 01 00 20 04 801 00 80 1x xx 0 01 00 20 00 800 00 80 0x xx
Microprocessors (A)IA3245
Dr. Martin LandHadassah CollegeFall 2004
General Rules for this Layout
Page Table PT has entry n pointing to page P
Entry location is 01 00 00 00 + PT × 1000 + 4 × n
Entry points to page P = PT × 400 + n
The entry itself is (PT × 400 + n) × 1000 + xxx
Points to page at base address (PT × 400 + n) × 1000
Byte Physical Address is
A = page base address + offset
A = (PT × 400 + n) × 1000 + offset = PT × 400000 + n × 1000 + offset
Microprocessors (A)IA3246
Dr. Martin LandHadassah CollegeFall 2004
Equivalent Shifts
Multiplying by 400000 is a shift left: 0h = 00002 ⇒ × = 4 shifts 100000h = (10h)5 = 5×4 shifts = 20 shifts 4h = 1002 ⇒ 2 shifts left PT × 400000 = PT followed by 22 binary 0’s n × 1000 = n followed by 12 binary 0’s
Microprocessors (A)IA3247
Dr. Martin LandHadassah CollegeFall 2004
Linear Address Format
directory page offset10 10 12
12 bits22 bits
Physical Address from page translation is A = PT × 400000 + n × 1000 + offset
PT × 400000 = PT followed by 22 binary 0’s n × 1000 = n followed by 12 binary 0’s
PT n offset10 10 12
12 bits22 bits
Physical Address ≡ Linear Address
Microprocessors (A)IA3248
Dr. Martin LandHadassah CollegeFall 2004
Inverse Formulae
[ ] 1000400
4001000
int
400000int
×+×−=
⎥⎦⎤
⎢⎣⎡ ×−=
⎥⎦⎤
⎢⎣⎡=
nPTAoffset
PTAn
APT
Microprocessors (A)IA3249
Dr. Martin LandHadassah CollegeFall 2004
Example
A = 00 40 10 04 PT = int[ 00401004/400000] = int[004/4] = 1 n = int[00401 - 400×1] = 1 Offset = 00401004 - [400 + 1] ×1000 = 4
Look at
1st entry in directory to find PT 1 1st entry in PT 1 to find page 401 at address 00401000 Offset 4 in page 401 to find 00401004
Microprocessors (A)IA3250
Dr. Martin LandHadassah CollegeFall 2004
Translation Lookaside Buffer (TLB)
Address CacheSaves Linear Address to Physical Address translations32 last accessed linear address
CPU makes two accesses in parallelUsual Directory/PT/Page translationAccess to TLB
If linear address is in TLBTLB responds first and cancels translationTLB catches 98 - 99% of linear address accesses
Microprocessors (A)IA3251
Dr. Martin LandHadassah CollegeFall 2004
Status Registers Control Registers
CR0: Options CR1: Reserved CR2: Last Page Fault CR3: Directory Base Address
EFLAG Registers
Microprocessors (A)IA3252
Dr. Martin LandHadassah CollegeFall 2004
Interrupt Handling
Interrupt Gate points to the Interrupt Service Routine (ISR)
destination offset access 0 word count
destination selector destination offset
bit 7 bit 6,5 bits 4,3,2,1,0
P DPL 01110
The Interrupt Descriptor Table (IDT) contains the Interrupt Gates The IDT linear base address and limit is in the IDT register
Microprocessors (A)IA3253
Dr. Martin LandHadassah CollegeFall 2004
Interrupt Service
Instruction INT n is executed
CS:EIP of next instruction pushed onto stack
Interrupt Gate at address = IDT base + n × 8 loaded to CS Shadow Register
Selector and Offset from Interrupt Gate loaded to CS:EIP
CS:EIP is address of the ISR (interrupt handler)
ISR finishes with IRET, which pops previous CS:EIP
CS:EIP
CS Shadow Register (CS descriptor)
Instruction INT n
IDT
interrupt gate
destinationoffset access 0 word
countdestination
selectordestination
offset
Microprocessors (A)IA3254
Dr. Martin LandHadassah CollegeFall 2004
Hardware Task Creation
Task defined by writing a Task State Segment (TSS)
TSS holds task contextAll register valuesLDT SelectorStatus WordOther OS informationBack link to a previous task
TSS descriptor (normal descriptor) placed in GDT or LDT
TSS Selector (points to TSS descriptor) written in Task Gate
Task Gate placed into GDT, LDT, or IDT
Microprocessors (A)IA3255
Dr. Martin LandHadassah CollegeFall 2004
TSS Contents
back link stacks and stack pointers for CPL = 0, 1, 2
task switch to higher privilege level causes switch to a separate stack CR3 EIP
EFLAGS EAX, ECX, EBX, EDX ESP, EBP, ESI, EDI
ES, CS, SS, DS, FS, GS LDT Selector
OS specific information
Microprocessors (A)IA3256
Dr. Martin LandHadassah CollegeFall 2004
Task Gate
destination offset access 0 word count
destination selector destination offset
bit 7 bit 6,5 bits 4,3,2,1,0
P DPL 00101
Microprocessors (A)IA3257
Dr. Martin LandHadassah CollegeFall 2004
Task Switching by Jump
selectorCS:EIP
CS Shadow Register (CS descriptor)
JMP
GDTtaskgate
destinationoffset access 0 word
countdestination
selectordestination
offset
TSS Register
TSS descriptor
TSS Shadow Register
TSS
Task ContextAll
CPURegisters
Microprocessors (A)IA3258
Dr. Martin LandHadassah CollegeFall 2004
Task Switching by Jump
No nesting ⎯ back link not setCurrent code executes JMP to CS:EIP
CS selector points to Task Gate in GDT or LDTDescriptor (Task Gate) loaded to CS Shadow Register
HardwareRecognizes descriptor as Task GateCopies context of current task to its TSSLoads Destination Selector from Task Gate
to TSS RegisterSelector in TSS Register points to TSS descriptorLoads TSS descriptor to TSS Shadow RegisterLoads new context from new TSSRuns new task from CS:EIP from new task context
Microprocessors (A)IA3259
Dr. Martin LandHadassah CollegeFall 2004
Task Switching by Call Instruction
Current code executes CALL to CS:EIPPushes CS:EIP of next instruction onto stackCS selector points to Task Gate in GDT or LDTDescriptor (Task Gate) loaded to CS Shadow Register
HardwareRecognizes descriptor as Task GateCopies context of current task to its TSS
Makes temporary copy of current TSS RegisterLoads Destination Selector to TSS RegisterSelector in TSS Register points to TSS descriptorLoads TSS descriptor to TSS Shadow RegisterLoads context from new TSS to run called taskWrites old TSS Selector into back link of new TSS
Microprocessors (A)IA3260
Dr. Martin LandHadassah CollegeFall 2004
Task Switching by Call Instruction
Called task ends with an IRET instruction (or preemption)
The hardware
Copies context of new task to TSS
Loads back link into TSS Register
Selector in TSS Register points to previous TSS descriptor
Loads previous TSS descriptor to TSS Shadow Register
Loads context from previous TSS to restore previous task
Microprocessors (A)IA3261
Dr. Martin LandHadassah CollegeFall 2004
New Instructions for IA32
Instruction Description ARPL r/m16,r16 Adjust RPL of r/m16 to not less than RPL of r16 LAR r16,r/m16 Load Access Rights: r16 ← r/m16 masked by FF00H LSL r16,r/m16 Load: r16 ← segment limit, selector r/m16 LSL r32,r/m32 Load: r32 ← segment limit, selector r/m32 SGDT, SIDT m Store GDTR to m, Store IDTR to m SLDT r/m16 Stores segment selector from LDTR in r/m16 STR r/m16 Stores segment selector from Task Register in r/m16 VERR r/m16 Set ZF=1 if segment specified with r/m16 can be read VERW r/m16 Set ZF=1 if segment specified with r/m16 can be written CLTS Clears Task Switch flag in CR0 LGDT m16&32 Load m into GDTR LIDT m16&32 Load m into IDTR LLDT r/m16 Load segment selector r/m16 into LDTR LTR r/m16 Load r/m16 into task register r = register m = memory pointer 16/32 = length in bitsr16={AX, CX, DX, BX, SP, BP, SI, DI}r32={EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI}
Microprocessors (A)IA3262
Dr. Martin LandHadassah CollegeFall 2004
Real Mode
Start up mode for every Intel IA 32 processor
Processor runs as very fast 8086
Can access only lowest 1 MB of memory
OS boot code (BIOS) must be in low memory
Uses protected mode hardware in a special way
Microprocessors (A)IA3263
Dr. Martin LandHadassah CollegeFall 2004
Shadow Registers
On Selector load, build pseudo-Descriptor: Load Base Address field with Selector × 10hLoad Limit with FFFFhLoad CS Access word with
Load DS Access word with
SS, ES, FS, GS created as data segments
G D 0 0 P DPL S CODE C R A 0 0 0 0 1 00 1 1 0 1 1
G 0 0 0 P DPL S CODE ED W A 0 0 0 0 1 00 1 0 0 1 1
Microprocessors (A)IA3264
Dr. Martin LandHadassah CollegeFall 2004
Before Switching To Protected Mode
Build a GDT
At least one Data Segment
At least one Code Segment
Convert 8086 ISR vectors to IA-32 IDT
Build a TSS for OS scheduler
Put Task Gate for TSS into GDT
Build Page Tables and Directory
Linear Address = Physical Addresses
Write Directory Physical Address into TSS
Load GDT register and IDT register
Microprocessors (A)IA3265
Dr. Martin LandHadassah CollegeFall 2004
Entering Protected Mode
Set flag PE to enter protected mode
JMP to Task Gate in GDT
Loads Task Register
Selector points to TSS Descriptor
CPU loads scheduler context from TSS
Set flag PG to enable Paging (optional)
OS scheduler is running in Protected Mode with paging
Can create new processes by writing TSSs and GDT entries
Microprocessors (A)IA3266
Dr. Martin LandHadassah CollegeFall 2004
Virtual 86 Mode
Create TSS for VM86 taskClear flag PE (protected mode off ⇒ real mode)
Pseudo-Descriptors (real mode type)Can access 1 MB of address spacePrograms run as in 8086
Set flag PG (Paging Enabled)8086 20-bit addresses get re-mapped
All VM86 processes same address space 00000h to FFFFFh
Separate Page Table Directory for each VM86 task20-bit address space re-mapped to individual
32-bit locations
Microprocessors (A)IA3267
Dr. Martin LandHadassah CollegeFall 2004
Use of IA32 Resources Under Linux
Hardware/Software issuesMost Linux code
Written in CCompiled for platform independence
PC-specific aspects of Linux source code located in arch/i386
Principal Linux strategies with IA32 • Ignore hardware segmentation• Migration away from hardware task management• Full use of hardware paging
Microprocessors (A)IA3268
Dr. Martin LandHadassah CollegeFall 2004
IA32 Segmentation in Linux
Linux prefers a flat 4 GB memory spaceCreate a pseudo-flat address space:Linux writes 4 normal segment descriptors in GDT
Code Segment for kernel mode, with DPL = 0Data Segment for kernel mode, with DPL = 0User Code Segment, with DPL = 3User Data Segment, with DPL = 3
Each descriptor points to entire address range00 00 00 00 to FF FF FF FF
Each base address = 00 00 00 00Each segment limit = F FF FF with granularity G = 1Each segment size is 4 GB
Microprocessors (A)IA3269
Dr. Martin LandHadassah CollegeFall 2004
Task Management in Linux
Early Linux kernelFor every task, two system segment descriptors
TSS segment descriptorLDT descriptor
Hardware-based task switchingUses TSS Register pointing to TSS Descriptor to load
context from TSSPlaces TSS Selector directly into TSS Register
Does not use Task Gate mechanism
Microprocessors (A)IA3270
Dr. Martin LandHadassah CollegeFall 2004
Task Management in Linux 2.2
For each task
LDT descriptor
TSS segment descriptor
Only 4090 processes may be created:
GDT has room for 8192 entries (8192 × 8 = 64 KB)
12 entries required for user and system segment descriptors
2 entries are created for every task: (8192 - 12) / 2 = 4090
Microprocessors (A)IA3271
Dr. Martin LandHadassah CollegeFall 2004
Task Management in Linux 2.4
Software-based task switchingDoes not use IA32 tasks for process creationDefines tasks in UNIX-style task PID tables (no limit on
task number)
Does not write TSS segment descriptors in the GDTOnly defines an LDT if the task requires one
Does not use the Task Gate mechanism
Performs UNIX-style software-based context switching
Microprocessors (A)IA3272
Dr. Martin LandHadassah CollegeFall 2004
Paging in Linux
Linux uses the full paging mechanism of IA32Maintains page tables, using a different directory base
address (CR3) for each taskAddress compatibility with 64-bit architectures
Defines a "middle directory"On 64-bit machines
Linear address divided into 3 table fields and 1 offset field
On IA32 machinesMiddle directory field has 0-length (entry points to page table)
Kernel code and data are never swapped outBegin at 2nd megabyte
Physical base address 00 10 00 00
Microprocessors (A)IA3273
Dr. Martin LandHadassah CollegeFall 2004
Intel 80386 Microprocessor