The i/o-sensitive instructionsImpact of IOPL in VM86 modeThe six i/o-sensitive opcodesRole of the VM86 MonitorEmulating ‘pushf’Emulating ‘popf’Emulating ‘iret’Emulating ‘int-n’Steps for ‘int-n’ emulationDemo: ‘emulate.s’In-class exercise #1In-class exercise #2The i/o-sensitive instructionsAn introduction to the software emulation of i/o-sensitive instructions in Virtual-8086 modeImpact of IOPL in VM86 mode•In virtual-8086 mode, if IOPL<3, then any instructions which could alter the IF-bit in the FLAGS register (Interrupt Flag) cause a General Protection fault (Exception 0xD)•This lets the Virtual-8086 Monitor control the actual effect on the CPU Interrupt-Flag•The Monitor can ignore the instruction (by just skipping past it) or it can perform the operation on behalf of the VM86 programThe six i/o-sensitive opcodes•CLI (Clear Interrupt flag)•STI (Set Interrupt flag)•PUSHF (Push Flags register to stack)•POPF (Pop stack to Flags register)•IRET (Return from Interrupt)•INT-n (Software Interrupt)•The 32-bit versions of these instructions are also i/o-sensitive (e.g., PUSHFD / POPFD / IRETD )Role of the VM86 Monitor•The GP-fault handler may need to emulate the actions of the CPU when i/o-sensitive instructions trigger faults in VM86 mode•CLI and STI are simplest to emulate: all the Monitor needs to do is set or clear the IF-bit (bit #9) in the image of the EFLAGS register that the CPU saved on its ring-0 stack, and increment the image of IP by 1Emulating ‘pushf’•To emulate ‘pushf’ the cpu subtracts 2 from the SP-register’s image (to make room for a new word of its ring-3 stack), copies the saved FLAGS-register image from the ring-0 stack to this new word on its ring-3 stack, then add 1 to the IP image to skip past the ‘pushf’ opcode byteEmulating ‘popf’•To emulate ‘popf’ the cpu copies the top word from its ring-3 stack to the lower half of the saved EFLAGS register-image on its ring-0 stack, adds 2 to the SP-register’s image (to discard the copied word), then adds 1 to the IP image (to skip past ‘popf’)Emulating ‘iret’•To emulate ‘iret’ the cpu copies the three topmost words from its ring-3 stack onto the lower halves of the three doublewords on its ring-0 stack which hold the images of the EIP, CS, and EFLAGS registers, adds 6 to the saved SP-register image (to discard the three words just copied)Emulating ‘int-n’•Emulating ‘int-n’ is the most complex of the i/o-sensitive instruction-emulations•We discussed the steps involved during our preceeding lecture (we conducted an in-class exercise that implemented them)•Our next slide briefly review those stepsSteps for ‘int-n’ emulation•Add 2 to the IP register-image (to skip past int-n)•Decrement the SP register-image by 6 (to make room for 3 new words on the ring-3 stack), and the copy saved IF, CS, and FLAGS register-images from the ring-0 stack to these new ring-3 stack locations•Use the interrupt ID-number (the second byte of ‘int-n’ instruction) to find the IVT entry, and copy its two words to the ring-0 stack locations for IP and CS, respectively•Clear bits #8 and #9 of the EFLAGS imageDemo: ‘emulate.s’•We have created a demo-program which incorporates these six emulations that we just discussed: CLI / STI, PUSHF / POPF, and IRET / INT-n.•But real-mode code for Pentium CPUs can also include 32-bit i/o-sensitive instructions (e.g., PUSHFD / POPFD, and IRETD)•These all have the operand-size prefix 0x66 in front of their one-byte opcodesIn-class exercise #1•Add emulations for these three additional i/o-sensitive instructions:•PUSHFD (0x66, 0x9C)•POPFD (0x66, 0x9D)•IRETD (0x66, 0xCF) •You will need to include some code in your VM86 procedure to ‘test’ your emulationsIn-class exercise #2•Our emulation for ‘sti’ actually enables the receipt of device interrupts by the CPU •But we don’t provide interrupt-handlers!•This could easily cause a program crash•A ‘solution’ would be to ‘reflect’ any such interrupts to the real-mode ROM-BIOS interrupt-handlers (similar to emulating software interrupts) •So add this capability to your
View Full Document
Unlocking...