Venturing into protected-mode

1
Venturing into protected-mode

• A first look at the CPU registers and
  instructions which provide the essential
  supporting infrastructure

2
A need for Diagnostics

• Upon entering protected-mode, the rules change
  regarding the allowed CPU actions
• Memory-addresses are computed using a different
  set of circuitry within the CPU
• Restrictions are enforced by generating a variety
  of exceptions which interrupt the CPUs normal
  fetch-execute cycle
• We will need to diagnose their causes

3
Memory-addresses

• The first change programmers encounter when the
  CPU is switched into Protected Mode concerns the
  way in which the CPU constructs its
  memory-addresses (i.e., the segment registers
  play a different role)
• Some formerly hidden aspects of those
  segment-registers will come to the fore!
• (Some terminology also gets revised)

4
Real-Mode Addresses
segment
offset
Logical Address

x16
While in Real-Mode, the memory-segments are
all 64-kilobytes in size (and readable/writable)
Operands effective address
Physical Address
5
Protected-Mode Addresses
segment-selector
segment-offset
Logical Address
Segment Descriptor Table
descriptor
Validity is checked by CPU
Segment Base-address
descriptor

(also Segment-Limit and Access Rights)
descriptor
descriptor
Operands effective address
Physical Address
6
Segment-Descriptor Format
63
32
Base31..24
G
D
R S V
A V L
Limit 19..16
P
D P L
S
X
C / D
R / W
A
Base23..16
Base15..0
Limit15..0
0
31
Several instances of this basic
segment-descriptor data-structure will occur in
the Global Descriptor Table (and maybe also in
some Local Descriptor Tables)
7
Hidden part of segment-registers
selector
segment base
segment limit
access rights
The invisible parts of a segment-register
The programmer-visible part of a segment-register
8
Segment-Register cache

• The hidden portions of any segment-register
  will automatically be modified whenever any
  instruction places a new value in a
  segment-registers visible part
• Examples (some obvious, some not)

mov ax, ds new value from a general
register pop es new value from a word in
memory lss tos, esp new value from a
memory-pointer ljmp 0x07C0, main new value
from immediate data int 0x13 new value
from interrupt vector table lret new value
from the stacks memory
9
Illegal segment-values

• In Real-Mode, any 16-bit value was legal to be
  loaded into any segment-register
• But in Protected-Mode, the CPU doesnt allow
  certain 16-bit values to be placed in particular
  segment-registers
• For example the selector for a descriptor that
  isnt executable cannot go into CS, and one
  thats legal for CS cant go in SS

10
Special system registers

• In protected-mode the CPU needs quick access to
  its important data-structures
• Memory-Segment Descriptors
• Interrupt-Gate Descriptors
• Call-Gate Descriptors
• Task-State Descriptors
• Page-Directory and Page-Table Descriptors
• So special CPU registers exist which are
  dedicated to locating these crucial items

11
GDT and IDT

• The two most vital system registers for
  protected-mode execution are
• GDTR (Global Descriptor Table Register)
• IDTR (Interrupt Descriptor Table Register)
• Each of these is 48-bits wide and contains the
  base-address and segment-limit for an array of
  descriptors (the GDT and the IDT)
• Special instructions allow access to these
  registers SGDT/LGDT and SIDT/LIDT

12
48-bit Register-Format
47
16
15
0
Segment Base-Address
Segment Limit
32 bits
16 bits
13
System Relationships
Interrupt Descriptor Table
descriptor
Global Descriptor Table
descriptor
descriptor
descriptor
descriptor
descriptor
descriptor
descriptor
descriptor
descriptor
descriptor
descriptor
descriptor
descriptor
descriptor
descriptor
GDTR
descriptor
descriptor
descriptor
descriptor
IDTR
14
LDT and TSS

• For protected-mode multitasking, the CPU needs to
  access two other data-structures
• The current Local Descriptor Table (LDT)
• The current Task-State Segment (TSS)
• Again, special registers tell the CPU where to
  find these data-structures in memory (assuming
  protected-mode is enabled)
• And special instructions afford access to them
  SLDT/LLDT and STR/LTR

15
Indirection

• Registers LDTR and TR are like segment-registers
  they have a visible part (16-bits) and a hidden
  descriptor-cache part
• The programmer-visible portion of these two
  registers holds a segment-selector (i.e., an
  array-index into the GDT array)
• The hidden portion is updated from the GDT
  whenever these register get loaded

16
System Relationships
Task State Segment
Global Descriptor Table
descriptor
descriptor
TR
descriptor
Local Descriptor Table
descriptor
descriptor
descriptor
descriptor
descriptor
descriptor
descriptor
descriptor
descriptor
descriptor
descriptor
descriptor
descriptor
descriptor
LDTR
descriptor
GDTR
17
Reading LDTR and TR

• The LDTR and TR registers are not able to be
  accessed while executing in real-mode
• An Undefined Opcode exception (INT-6) will be
  generated if SLDT or STR opcodes are encountered
  in a real-mode program
• So to obtain the values in these registers, any
  bootsector program must temporarily enable
  protected-mode

18
Control Register 0

• Register CR0 is the 32-bit version of the MSW
  register (Machine Status Word)
• It contains the PE-bit (Protection Enabled)
• when PE0 the CPU is in real-mode
• when PE1 the CPU is in protected-mode

P G
C D
N W
A M
W P
N E
E T
T S
E M
M P
P E
Machine Status Word
19
Using the LMSW instruction

• You can use the LMSW instruction to turn on the
  PE-bit (enables protected-mode)
• But you cannot use LMSW to turn off PE (i.e., PE
  was a sticky bit in the 80286)
• The Intel 80386 processor introduced a new name
  and enlarged size for the MSW
• Special version of the MOV instruction can
  either enable or disable the PE-bit

20
How to enter protected-mode

• This instruction-sequence turns on PE-bit
• Warning you have to do this with interrupts
• temporarily disabled -- since the real-mode
• Interrupt Vector Table wont work any more

mov cr0, eax get current machine status
bts 0, eax set the image of its
PE-bit mov eax, cr0 now enter protected
mode
21
How to leave protected-mode

• This instruction-sequence turns off PE-bit
• Warning you need to make sure that all of
• the segment-registers have proper access-
• rights and segment-limits in their caches to
• function correctly once back in real-mode!

mov cr0, eax get current machine status
btr 0, eax set the image of its
PE-bit mov eax, cr0 now leave protected
mode
22
An observation

• If we can enter protected-mode, but NOT do
  anything to alter any segment-register, then we
  wont need to construct Tables of
  Segment-Descriptors
• The left-over real-mode descriptor-values will
  still be in any segment-registers cache
• Lets pursue this idea in a program demo

23
Hexadecimal Display

• To display values in registers or memory
  locations, we need to convert from binary numbers
  to character-strings that consist of ascii-codes
  for hexadecimal numerals
• Why? Because hexadecimal values are easier for
  human programmers to grasp and to mentally
  convert into the actual bit-patterns represented
  in the computer -- thereby giving us a way to
  see inside it

24
Conversion Algorithm

• The easiest algorithm to understand uses a
  lookup table for converting nybbles to ascii
  numerals
• 0000? 0 (0x30) 1010? A (0x41)
• 0001? 1 (0x31) 1011? B (0x42)
• 0010? 2 (0x32) 1011? C (0x43)
• 1001? 9 (0x39) 1111? F (0x46)

25
Our Lookup-Table algorithm

• This algorithm converts the lowest nybble in
  AL to a hexadecimal numeral in DL, but it
  clobbers the contents of the BX register

-------------------------------------------------
----------------------------------------- hexlist
.ascii 0123456789ABCDEF array of hex
numerals ----------------------------------------
--------------------------------------------------
Algorithm assumes DS was already is setup to
address hexlist mov al, bl copy
byte-value from AL into BL and 0x0F, bx
clear all but lowest 4-bits in BX mov hex(bx),
dl use BX as array-index for lookup
26
Alternative avoids data-table

• A clever machine-algorithm (by Tim Lopez) that
  exploits subtle aspects of some x86 instructions
  
• No lookup-table is required here just some
  immediate data within the instruction-stream
• -- but it may take some effort to comprehend!

and 0x0F, al isolate lowest nybble in
AL cmp 10, al sets up the
carry-flag for SBB sbb 0x69, al sets
up auxiliary-flag for DAS das
decimal adjustment to result
27
Unmodified segment-registers

• If you can arrange for your program not to change
  any segment-registers while PE1 then your code
  can safely enter and leave protected-mode
  without creating GDT/IDT
• This means you will have to have to make sure no
  interrupts or exceptions can occur while the
  PE-bit is set for protected-mode
• Can use cli and sti to control interrupts
• Avoid exceptions by doing nothing illegal

28
In-class Exercise

• The sysregs.s bootsector demo-program displays
  the current value found in the two 48-bit system
  registers GDTR and IDTR
• Your job is to add modifications that demo
• Modify the sysregs.s bootsector program so it
  will display registers LDTR and TR in addition to
  displaying GDTR and IDTR
• Can you enter and leave protected-mode without
  causing a system crash?