
8 Protected Mode Privileges

Protected mode gets its name from the 386's privilege protection. Each program has a privilege level, or PL, from zero to three. Programs at PL0 can execute any instruction and access any data. Programs at PL3 can't execute certain instructions; they also can't access data that belong to more privileged programs. Each segment descriptor has a Descriptor Privilege Level (DPL) that the 386 uses for protection. The 386 also controls which programs can execute I/O instructions.

A privilege hierarchy is important for supporting modern operating systems. In a typical operating system, the main kernel runs at PL0. Other parts of the operating system might run at PL1. Device drivers can run at PL2; they need to do direct device I/O. User programs in this system would run at PL3. This scheme has many advantages. In particular, a malicious program can't damage the operating system or other user programs.

PL0 programs alone can execute the following instructions:

• HLT
• CLTS
• LGDT
• LIDT
• LLDT
• LTR
• LMSW
• MOV (to/from control/debug/test registers)

On 486 systems:

• INVD
• WBINVD
• INVLPG

On Pentium and above:

• RDMSR
• WRMSR
• RDTSC

The IOPL field in the EFLAGS register allows the operating system to control who can do I/O. These two bits determine the minimum privilege level a program must have to execute I/O instructions (CLI, STI, IN, INS, OUT and OUTS). If IOPL is zero, only PL0 programs can do I/O. If IOPL is 3, all programs can execute I/O instructions. Only a PL0 program can modify the IOPL flags. When other programs modify the flags, IOPL doesn't change! Leaving IOPL=3 makes life easy for DOS Extenders, but it can cause major problems since real-mode programs mostly use direct I/O.

A program's privilege level is equal to the RPL field of the selector in the CS register. This is the current privilege level or CPL. You can't directly modify the CS register so that it has a different RPL. The same holds true for SS as well.

8.1 Data Access

Programs can't load a segment register with just any selector. When a data segment register (DS, ES, FS or GS) is loaded, the 386 checks the DPL against the program's CPL and the selector's RPL. The 386 first compares the CPL to the RPL. The numerically larger of the two becomes the effective privilege level (EPL). If the DPL is greater than or equal to the EPL, the 386 loads the segment register; otherwise an error occurs.

The SS register must be loaded with a segment whose DPL and CPL are equal. The 386 also checks to make sure a stack segment is readable, writeable and present.

The 386 provides a special stack segment type. You can also use a plain data segment for a stack, if you wish. A stack segment's limit field indicates the lowest legal offset in the segment.

It is always valid to load a null selector (0 through 3) into a segment register. However, any attempt to access memory via the selector will cause an error as expected.
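
The data-segment load check described above, modelled in C as an added example (not code from the original page). The function names, the result enum and the selector values in the table are constructed for illustration; the stack-segment (SS) rules are not modelled.

```c
#include <stdint.h>
#include <stdio.h>

/* Result of a simulated load into DS, ES, FS or GS (names are illustrative). */
enum load_result { LOAD_OK, LOAD_NULL, LOAD_FAULT };

/* The RPL is the low two bits of a selector. */
static unsigned selector_rpl(uint16_t sel) { return sel & 3u; }

/* Selector values 0 through 3 are null selectors. */
static int selector_is_null(uint16_t sel) { return (sel & ~3u) == 0; }

/* EPL: the numerically larger (less privileged) of CPL and RPL. */
unsigned effective_pl(unsigned cpl, uint16_t sel)
{
    unsigned rpl = selector_rpl(sel);
    return cpl > rpl ? cpl : rpl;
}

/* Data segment register load: allowed only when DPL >= EPL. */
enum load_result check_data_load(unsigned cpl, uint16_t sel, unsigned dpl)
{
    if (selector_is_null(sel))
        return LOAD_NULL;   /* always loads; a later access through it faults */
    return dpl >= effective_pl(cpl, sel) ? LOAD_OK : LOAD_FAULT;
}

int main(void)
{
    /* Constructed cases: CPL, selector, DPL of the descriptor it names. */
    static const struct { unsigned cpl; uint16_t sel; unsigned dpl; } cases[] = {
        { 3, 0x0023, 3 },   /* PL3 code, DPL3 data: allowed */
        { 3, 0x0010, 0 },   /* PL3 code reaching for DPL0 data: fault */
        { 0, 0x0010, 0 },   /* PL0 code, DPL0 data: allowed */
        { 0, 0x0013, 0 },   /* PL0 code, but selector carries RPL=3: fault */
        { 3, 0x0002, 0 },   /* null selector: loads regardless of privilege */
    };
    static const char *names[] = { "ok", "null (loads, faults on use)", "fault" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("CPL=%u sel=0x%04x DPL=%u -> %s\n", cases[i].cpl,
               (unsigned)cases[i].sel, cases[i].dpl,
               names[check_data_load(cases[i].cpl, cases[i].sel, cases[i].dpl)]);
    return 0;
}
```

The fourth case shows the RPL at work: PL0 code is refused a DPL0 segment because the selector it was handed has RPL 3, which raises the EPL to 3.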



Copyright (C) 2000, 2001 Prashant TR. All rights reserved.