Intel 80386 manual Protection

3.4.4 Page Protection

Systems that do not make extensive use of segments can instead protect pages. (Page protec- tion can also be applied to sections of large segments.) Like a descriptor, a page table entry has a set of protection attributes; the 80386 checks every reference to the page for confor- mance to these attributes.

A page table entry can be marked with one of two privilege levels, user or supervisor. User level corresponds to privilege level 3 but supervisor pages can only be accessed by tasks running at privilege levels 0, I, or 2. A user page can also be marked read-only or readable-and-writable.

The 80386 checks a page's protection attributes after verifying that an access is consistent with the segment attributes. Thus, page protection is a convenient way for an operating system to apply additional protection to portions of a segment. For example, an operating system can safely store task-related operating system data, such as page tables and file descriptors, in a task's data segment by making the containing pages super- VISor pages.

3.5 System Calls

given privilege level cannot read or write a more privileged data segment or page, neither can a task directly call a more privileged code segment.

To allow a task executing a less-privileged code segment to make a protected system call, the operating system must define one or more entry points. In the 80386, these entry points are called gates (see Figure 3-9). There are two types of gates that can be used to implement operating system entry points, trap gates and call gates. The two gates are generally similar, but the call gate allows the operating system interface to be identical to that of an ordinary procedure. Using call gates, compilers and assembly language programmers can use a single set of conventions to call any procedure, letting the 80386 take care of the extra processing required to change privilege levels. n

ATTRIBUTES

DWORD COUNP1

TYPE~

PRIVILEGE1

PRESENT

11I I ENTRY POINT SELECTOR

ENTRY POINT OFFSET

'DWORDCOUNT APPLIES ONLY TO CALL GATES.

Most operating systems organize their services as a collection of procedures that tasks can call. An unprotected 80386 operating system can place its procedures and application code in a level 0 code segment (or more than one such segment); an application task can then invoke an operating system service with an ordinary Call instruction. Such an approach is fast but relies on the application tasks to be error-free and well- behaved (as they are in embedded systems, for example). Nothing prevents a task running at level 0 from calling an address that is not an operating system entry point; nor is such a task prevented from corrupting operating system data. To protect the operating system, application code and data can be placed in less-privileged privileged segments. Just as a task running at a

Figure 3-9. Principal Gate Fields

As shown in Figure 3-9, a gate contains the logical address of an entry point and a set of attributes. The most important attribute is the gate's privilege level. A gate's privilege level defines the privilege levels that can use the gate; in order to use a gate, a calling procedure must be at least as privileged as the gate. Figure 3-10 shows an example. In this hypothetical system user code is assigned privilege level 3 while the operating system is divided into two levels. The operating system kernel runs at privilege level 0 and the less-critical operating system service procedures run at privilege level 1. (Privilege level 2 is not used.) In this system user code is