Processor Privilege-Levels

How the x86 processor accomplishes transitions among its four distinct privilege-levels

Rationale
• The usefulness of protected-mode derives from its ability to enforce restrictions upon software’s freedom to take certain actions
• Four distinct privilege-levels are supported
• Organizing concept is “concentric rings”
• Innermost ring has greatest privileges, and privileges diminish as rings move outward

Four Privilege Rings
Ring 3 (least-trusted level)
Ring 2
Ring 1
Ring 0 (most-trusted level)

Suggested purposes
Ring0: operating system kernel
Ring1: operating system services
Ring2: custom extensions
Ring3: ordinary user applications

Unix/Linux and Windows
Ring0: operating system
Ring1: unused
Ring2: unused
Ring3: application programs

Legal Ring-Transitions
• A transition from an outer ring to an inner ring is made possible by using a special control-structure (known as a ‘call gate’)
• The ‘gate’ is defined via a data-structure located in a ‘system’ memory-segment normally not accessible for modifications
• A transition from an inner ring to an outer ring is not nearly so strictly controlled

Data-sharing
• Function-calls typically require that two separate routines share some data-values (e.g., parameter-values get passed from the calling routine to the called routine)
• To support reentrancy and recursion, the processor’s stack-segment is frequently used as a ‘shared-access’ storage-area
• But among routines with different levels of privilege this could create a “security hole”

An example scenario
• Say a procedure that executes in ring 3 calls a procedure that executes in ring 2
• The ring 2 procedure uses a portion of its stack-area to create ‘automatic’ variables that it uses for temporary workspace
• Upon return, the ring 3 procedure would be able to examine whatever values are left behind in this ring 2 workspace

Data Isolation
• To guard against unintentional sharing of privileged information, different stacks are provided at each distinct privilege-level
• Accordingly, any transition from one ring to another must necessarily be accompanied by a mandatory ‘stack-switch’ operation
• The CPU provides for automatic switching of stacks and copying of parameter-values

Call-Gate Descriptors
bits 63..32:  offset[ 31..16 ] | P | DPL | 0 | gate type | parameter count
bits 31..0:   code-selector | offset[ 15..0 ]
Legend:
P = present (1=yes, 0=no)
DPL = Descriptor Privilege Level (0,1,2,3)
code-selector (specifies memory-segment containing procedure code)
offset (specifies the procedure’s entry-point within its code-segment)
parameter count (specifies how many parameter-values will be copied)
gate-type (‘0x4’ means a 16-bit call-gate, ‘0xC’ means a 32-bit call-gate)

An Interprivilege Call
• When a lesser privileged routine wants to invoke a more privileged routine, it does so by using a ‘far call’ machine-instruction (also known as a “long call” in the GNU assembler’s terminology)
• In ‘as’ assembly language: lcall $callgate-selector, $0
Instruction format:
opcode: 0x9A | offset-field: (ignored) | segment-field: callgate-selector

What does the CPU do?
• When CPU fetches a far-call instruction, it will use that instruction’s ‘selector’ value to look up a descriptor in the GDT (or in the current LDT)
• If it’s a ‘call-gate’ descriptor, and if access is allowed (i.e., if CPL ≤ DPL), then the CPU will perform a complex sequence of actions which will accomplish the requested ‘ring-transition’
• CPL (Current Privilege Level) is based on least significant 2-bits in register CS (also in SS)

Sequence of CPU’s actions
- pushes the current SS:SP register-values onto a new stack-segment
- copies the specified number of parameters from the old stack onto the new stack
- pushes the updated CS:IP register-values onto the new stack
- loads new values into registers CS:IP (from the callgate-descriptor) and into SS:SP

The missing info?
• Where do the new values for SS:SP come from? (They’re not found in the call-gate)
• They’re from a special system-segment, known as the TSS (Task State Segment)
• The CPU locates its TSS by referring to the value in register TR (Task Register)

Diagram of the relationships
[Diagram; labels: call-instruction, Descriptor-Table (gate-descriptor, TSS-descriptor), GDTR, TR, Task State Segment (stack-pointer), old stack segment (params), new stack segment (params), SS:SP, CS:IP, old code-segment, new code-segment, called procedure]

Return to an Outer Ring
• Use the far-return instruction: ‘lret’
  – Restores CS:IP from the current stack
  – Restores SS:SP from the current stack
• Or use the far-return instruction: ‘lret $n’
  – Restores CS:IP from the current stack
  – Discards n parameter-bytes from that stack
  – Restores SS:SP from that current stack

Demo-program: ‘tryring1.s’
• We have created a short program to show how this ring-transition mechanism works
• It enters protected-mode (at ring0)
• It ‘returns’ to a procedure in ring1
• Procedure shows a confirmation-message
• The ring1 procedure then ‘calls’ to ring0
• The ring0 procedure exits protected-mode

Data-structures needed
• Global Descriptor Table needs to contain the protected-mode segment-descriptors and also the ‘call-gate’ descriptor
  – Code-segments for Ring0 and Ring1
  – Stack-segments for Ring0 and Ring1
  – Data-segment (for Ring1 to write to VRAM)
  – Task-State Segment (for the ring0 SS:SP)
  – Call-Gate Descriptor (for the ‘lcall’ to ring0)

In-class Exercise #1
• Modify the ‘tryring1.s’ demo so that it uses a 32-bit call-gate and a 32-bit TSS

TSS for 80286 (16-bits)
offset:  0 | 2   | 4   | 6   | 8   | 10  | 12  | …
field:     | SP0 | SS0 | SP1 | SS1 | SP2 | SS2 | …

TSS for 80386 (32-bits)
offset:  0 | 4    | 8   | 12   | 16  | 20   | 24  | …
field:     | ESP0 | SS0 | ESP1 | SS1 | ESP2 | SS2 | …

System Segment-Descriptors
high doubleword:  Base[ 31..24 ] | reserved=0 | Limit[19..16] | P | DPL | 0 | type | Base[ 23..16 ]
low doubleword:   Base[ 15..0 ] | Limit[ 15..0 ]
Type-codes for system-segments:
0 = reserved
1 = 16-bit TSS (available)
2 = LDT
3 = 16-bit TSS (busy)
8 = reserved
9 = 32-bit TSS (available)
A = reserved
B = 32-bit TSS (busy)
S-bit is zero

In-class exercise #2
• Modify the ‘tryring1.s’ demo so that it first enters ring2, then calls to ring1 from ring2 (but returns to
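
The call-gate descriptor layout and the CPU’s stack-switch sequence from these slides, modelled in C as an added example (it is not part of the slides or of ‘tryring1.s’). It assumes flat byte-addressed stack memory, a GDT-only lookup, the slides’ CPL ≤ DPL access check, and a target ring taken from the low two bits of the gate’s code-selector; all names and the selector, offset and parameter values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example. Simplified model: flat stack memory, GDT only, 32-bit gates,
   and the target ring taken from the low 2 bits of the gate's code-selector. */
typedef struct { uint16_t sel; uint32_t off; unsigned p, dpl, type, count; } gate_t;
typedef struct { uint16_t cs, ss; uint32_t eip, esp; } cpu_t;
static uint32_t mem[256];                       /* stack memory, byte-addressed */
static uint64_t gdt[8];                         /* descriptor table */
static struct { uint32_t esp; uint16_t ss; } tss[3];   /* SS0:ESP0 .. SS2:ESP2 */

uint64_t gate_pack(gate_t g) {                  /* build the 8-byte descriptor */
    uint64_t hi = (g.off & 0xFFFF0000u) | ((g.p & 1u) << 15) | ((g.dpl & 3u) << 13)
                | ((g.type & 0xFu) << 8) | (g.count & 0x1Fu);
    return (hi << 32) | ((uint32_t)g.sel << 16) | (g.off & 0xFFFFu);
}
gate_t gate_unpack(uint64_t d) {
    gate_t g = { (uint16_t)(d >> 16), (uint32_t)(((d >> 32) & 0xFFFF0000u) | (d & 0xFFFFu)),
                 (d >> 47) & 1, (d >> 45) & 3, (d >> 40) & 0xF, (d >> 32) & 0x1F };
    return g;
}
static void push(cpu_t *c, uint32_t v) { c->esp -= 4; mem[c->esp / 4] = v; }
/* lcall $selector, $0 : returns 0, or -1 where the CPU would raise a fault */
int far_call(cpu_t *c, uint16_t selector) {
    if ((selector >> 3) >= 8) return -1;
    gate_t g = gate_unpack(gdt[selector >> 3]);
    unsigned cpl = c->cs & 3, target = g.sel & 3;
    if (g.type != 0xC || !g.p || cpl > g.dpl || target > cpl) return -1;
    cpu_t old = *c;
    if (target < cpl) {                         /* ring-transition: switch stacks */
        c->ss = tss[target].ss;  c->esp = tss[target].esp;   /* from the TSS */
        push(c, old.ss);  push(c, old.esp);
        for (unsigned i = g.count; i-- > 0; )   /* copy parameters, order kept */
            push(c, mem[old.esp / 4 + i]);
    }
    push(c, old.cs);  push(c, old.eip);         /* return address for lret */
    c->cs = g.sel;  c->eip = g.off;
    return 0;
}
int main(void) {
    gate_t g = { 0x08, 0x00401000, 1, 3, 0xC, 2 };  /* constructed values */
    gdt[4] = gate_pack(g);  tss[0].ss = 0x10;  tss[0].esp = 0x400;
    cpu_t c = { 0x1B, 0x2B, 0x100, 0x200 };         /* running in ring 3 */
    mem[0x200 / 4] = 111;  mem[0x204 / 4] = 222;    /* two parameters */
    int rc = far_call(&c, 0x23);                    /* gate selector: index 4, RPL 3 */
    printf("rc=%d CS=%#x SS:ESP=%#x:%#x ret=%#x:%#x\n", rc, (unsigned)c.cs, (unsigned)c.ss,
           (unsigned)c.esp, (unsigned)mem[c.esp / 4 + 1], (unsigned)mem[c.esp / 4]);
    return 0;
}
```

After the call, the ring 0 stack holds the caller’s SS:ESP, the two copied parameters and the return CS:EIP, while nothing the ring 0 routine later pushes ever lands on the ring 3 stack.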


USF CS 630 - Processor Privilege-Levels
