Intel 80386 DJ Equipment User Manual
SYSTEM ARCHITECTURE
3.4.2 Privileged Instructions

In addition to defining which segments and pages it can use, a task's privilege level defines the instructions it can execute. The 80386 has a number of instructions whose execution must be tightly controlled to prevent serious system disruption. All of the instructions that load new values into the system registers are examples of privileged instructions. Only a task running at privilege level 0 can execute privileged instructions.
3.4.3 Segment Protection

The descriptors in a task's LDT and GDT define the task's logical address space. The segments defined in these tables are theoretically addressable, because the descriptor tables provide the information necessary to compute a segment's address. However, an addressable segment may not be accessible to a particular operation because of the additional protection checks made by the 80386. The 80386 checks every segment reference (whether generated by the execution of an instruction or an instruction fetch) to verify that the reference is consistent with the protection attributes of the segment as described below.
Privilege

To access a segment, a program must be at least as privileged as the segment. For example, a program running at level 3 can only reference segments whose privilege level is also 3, while a program running at level 0 can access all segments in its logical address space.

Limit

A reference to a segment must fall within the segment's limit. Segment limits enable the processor to trap common programming errors such as stack overflow, bad pointers and array subscripts, and bad call and jump addresses. In cases where the operating system can determine that a reference outside the bounds of a segment is not an error (stack overflow is an example in some systems), the operating system can extend the segment (for example, by adding a page to it) and restart the instruction.

Type

Each descriptor contains a type field that the processor checks for consistency with the instruction it is executing. Ordinary segments have a type of code or data, enabling the processor to catch an attempt to overwrite code, for example. The segment types manipulated directly by applications are code and data. System descriptors are also typed so the processor can verify, when it is switching tasks, for example, that the segment named in a Jump TSS instruction is in fact a Task State Segment.

Rights

A segment descriptor can be marked with rights that restrict the operations permitted on the associated segment. Code segments can be marked executable or executable-and-readable. Data segments can be marked read-only or readable-and-writable.
All of the checks described above depend on the integrity of descriptors. If a task executing its application code could change a descriptor, the checks would guarantee nothing. For this reason, an operating system can restrict access to descriptor tables to privilege level 0 code.

Note that for sharing, different descriptors for the same segment (that is, aliases) may have different protection attributes, allowing, for example, one task to read and write a segment while another can only read it. Aliases also permit the operating system to override the protection system when necessary, for example, to move a code segment.
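The C program below is an added worked example, not part of the Intel manual, that models the Privilege, Limit, Type and Rights checks of section 3.4.3 and the alias behaviour described just above. It packs and unpacks the 8-byte 80386 descriptor layout (limit[15:0], base[15:0], base[23:16], access byte, G flag with limit[19:16], base[31:24]), then runs a single reference against the decoded descriptor. The privilege rule is the page's simplified one (the program must be at least as privileged as the segment); real hardware also folds the selector's RPL into that comparison, and expand-down data segments and conforming code segments are not modelled. The base addresses 0x00100000 and 0x00200000, the TSS limit 0x67 and the helper names simulate and tss_check are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Kinds of segment reference the processor may check. */
enum access { ACC_READ, ACC_WRITE, ACC_EXEC };

/* Outcome of the checks described under Privilege, Limit, Type and Rights. */
enum verdict { OK, NOT_PRESENT, SYSTEM_SEGMENT, PRIVILEGE_FAULT, LIMIT_FAULT, TYPE_FAULT };

/* Decoded fields of one 8-byte 80386 segment descriptor. */
struct seg_desc {
    uint32_t base;
    uint32_t limit;   /* in bytes, already expanded when G=1 */
    unsigned dpl;     /* descriptor privilege level 0..3 */
    unsigned type;    /* 4-bit type field */
    int present;
    int system;       /* S=0: system descriptor (TSS, LDT, gate), not code/data */
};

/* Pack a descriptor in the 80386 little-endian layout. With g=1 `limit` is a
   20-bit count of 4 KB pages, otherwise a 20-bit byte count. P is always set. */
static void encode(uint8_t out[8], uint32_t base, uint32_t limit,
                   unsigned dpl, int system, unsigned type, int g)
{
    out[0] = limit & 0xFF;
    out[1] = (limit >> 8) & 0xFF;
    out[2] = base & 0xFF;
    out[3] = (base >> 8) & 0xFF;
    out[4] = (base >> 16) & 0xFF;
    out[5] = 0x80 | ((dpl & 3) << 5) | (system ? 0 : 0x10) | (type & 0x0F);
    out[6] = (g ? 0x80 : 0) | ((limit >> 16) & 0x0F);
    out[7] = (base >> 24) & 0xFF;
}

/* Unpack the raw bytes: access byte is byte 5 (P, DPL, S, Type), byte 6 holds G and limit[19:16]. */
static struct seg_desc decode(const uint8_t d[8])
{
    struct seg_desc s;
    uint32_t limit = d[0] | (d[1] << 8) | ((uint32_t)(d[6] & 0x0F) << 16);
    s.base = d[2] | (d[3] << 8) | ((uint32_t)d[4] << 16) | ((uint32_t)d[7] << 24);
    s.present = (d[5] >> 7) & 1;
    s.dpl = (d[5] >> 5) & 3;
    s.system = !((d[5] >> 4) & 1);
    s.type = d[5] & 0x0F;
    /* G=1: the limit counts 4 KB pages and the low 12 bits of the byte limit are ones. */
    s.limit = (d[6] & 0x80) ? (limit << 12) | 0xFFF : limit;
    return s;
}

/* Check one `len`-byte reference at `offset`, made from privilege level `cpl`. */
static enum verdict check_access(const struct seg_desc *s, unsigned cpl,
                                 uint32_t offset, uint32_t len, enum access acc)
{
    if (!s->present) return NOT_PRESENT;
    if (s->system) return SYSTEM_SEGMENT;          /* not an ordinary code/data segment */
    /* Privilege: the program must be at least as privileged as the segment
       (the manual's rule; hardware also folds in the selector's RPL). */
    if (cpl > s->dpl) return PRIVILEGE_FAULT;
    /* Limit: the last byte of the reference must lie inside the segment
       (expand-up segments only; the expand-down data bit is not modelled). */
    if (len == 0 || (uint64_t)offset + len - 1 > s->limit) return LIMIT_FAULT;
    /* Type and rights: bit 3 selects code vs data; bit 1 is R (code) or W (data). */
    int is_code = (s->type >> 3) & 1;
    int rw_bit = (s->type >> 1) & 1;
    switch (acc) {
    case ACC_EXEC:  return is_code ? OK : TYPE_FAULT;              /* never execute data */
    case ACC_WRITE: return (!is_code && rw_bit) ? OK : TYPE_FAULT;  /* never write code */
    case ACC_READ:  return (!is_code || rw_bit) ? OK : TYPE_FAULT;  /* code needs R */
    }
    return TYPE_FAULT;
}

/* Task-switch type check: a JMP to a TSS must name an available Task State
   Segment (system type 9 for a 386 TSS, type 1 for a 286 TSS). */
static int is_available_tss(const struct seg_desc *s)
{
    return s->present && s->system && (s->type == 0x9 || s->type == 0x1);
}

/* Hypothetical helper: build a code/data descriptor at an assumed base and run one check. */
static enum verdict simulate(uint32_t limit, unsigned dpl, unsigned type, int g,
                             unsigned cpl, uint32_t offset, uint32_t len, enum access acc)
{
    uint8_t raw[8];
    encode(raw, 0x00100000u, limit, dpl, 0, type, g);
    struct seg_desc d = decode(raw);
    return check_access(&d, cpl, offset, len, acc);
}

/* Hypothetical helper: build a system descriptor of the given type and test it as a TSS. */
static int tss_check(unsigned type)
{
    uint8_t raw[8];
    encode(raw, 0x00200000u, 0x67, 0, 1, type, 0);
    struct seg_desc d = decode(raw);
    return is_available_tss(&d);
}

int main(void)
{
    /* Two aliases of one 64 KB segment, both DPL 3: read/write (type 2) and read-only
       (type 0). The same store passes through one alias and faults on the other. */
    printf("write via r/w alias:       %d\n", simulate(0xFFFF, 3, 0x2, 0, 3, 0x10, 4, ACC_WRITE));
    printf("write via read-only alias: %d\n", simulate(0xFFFF, 3, 0x0, 0, 3, 0x10, 4, ACC_WRITE));
    printf("level-3 read of level-0 segment: %d\n", simulate(0xFFFF, 0, 0x2, 0, 3, 0, 1, ACC_READ));
    printf("busy TSS accepted by JMP TSS check: %d\n", tss_check(0xB));
    return 0;
}
```

The verdict numbers printed correspond to the enum order (0 is OK, 3 a privilege fault, 5 a type fault); the alias pair shows that the rights travel with the descriptor, not with the memory it names, which is why the text insists that application code must not be able to modify descriptors.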