PROTECTION

Task privilege is a dynamic value. It is derived from the code segment currently being executed. Task privilege can change only when a control transfers to a different code segment.

Descriptor privilege, including code segment privilege, is assigned when the descriptor (and any associated segment) is created. The system designer assigns privilege directly when the system is constructed with the system builder (see the 80286 Builder User's Guide) or indirectly via a loader.

Each task operates at only one privilege level at any given moment: namely that of the code segment being executed. (The conforming segments discussed in section 11.2 permit some flexibility in this regard.) However, as figure 7-6 indicates, the task may contain segments at one, two, three, or four levels, all of which are to be used at appropriate times. The privilege level of the task, then, changes under the carefully enforced rules for transfer of control from one code segment to another.

The descriptor privilege attribute is stored in the access byte of a descriptor and is called the Descriptor Privilege Level (DPL). Task privilege is called the Current Privilege Level (CPL). The least significant two bits of the CS register specify the CPL.

A few general rules of privilege can be stated before the detailed discussions of later sections. Data access is restricted to those data segments whose privilege level is the same as or less privileged (numerically greater) than the current privilege level (CPL). Direct code access, e.g., via call or jump, is restricted to code segments of equal privilege. A gate (section 7.5.1) is required for access to code at more privileged levels.

7.4 SEGMENT DESCRIPTOR

Although the format of access control information, discussed below, is similar for both data and code segment descriptors, the rules for accessing data segments differ from those for transferring control to code segments. Data segments are meant to be accessible from many privilege levels, e.g., from other programs at the same level or from deep within the operating system. The main restriction is that they cannot be accessed by less privileged code.

Code segments, on the other hand, are meant to be executed at a single privilege level. Transfers of control that cross privilege boundaries are tightly restricted, requiring the use of gates. Control transfers within a privilege level can also use gates, but they are not required. Control transfers are discussed in section 7.5.

Protection checks are automatically invoked at several points in selecting and using new segments. The process of addressing memory begins when the currently executing program attempts to load a selector into one of the segment registers. As discussed in Chapter 6, the selector has the form shown in figure 7-7.

When a new selector is loaded into a segment register, the processor accesses the associated descriptor to perform the necessary loading and privilege checks.

The protection mechanism verifies that the selector points to a valid descriptor type for the segment register (see section 7.4.1). After verifying the descriptor type, the CPU compares the privilege level of the task (CPL) to the privilege level in the descriptor (DPL) before loading the descriptor's information into the cache.

The general format of the eight bits in the segment descriptor's access rights byte is shown in table 7-1.
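The selector decoding, the access-rights-byte fields, and the data and code privilege rules stated above can be tied together in a small software model. The following C program is an added example and is not code from the Intel manual: the selector and access-byte bit layouts are those of the 80286, while the function names, the result codes, and the descriptor table contents are constructed for this illustration (DS/ES loads of data segments and direct JMP/CALL transfers only; SS loads and readable-code-segment loads into DS are not modelled).

```c
/* Added example, not from the Intel manual: a C model of the 80286 selector
 * and access-rights-byte checks this section describes. The field layouts are
 * those of the 80286; the function names, the result codes and the descriptor
 * table below are constructed for this example. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Selector (figure 7-7): bits 15..3 index, bit 2 table indicator, bits 1..0 RPL. */
#define SEL_RPL(sel)    ((unsigned)((sel) & 0x3))
#define SEL_TI(sel)     ((unsigned)(((sel) >> 2) & 0x1))
#define SEL_INDEX(sel)  ((unsigned)((sel) >> 3))

/* Access rights byte (table 7-1) of a code or data descriptor (S = 1):
 * bit 7 P, bits 6..5 DPL, bit 4 S, bit 3 executable,
 * bit 2 conforming (code) / expand-down (data),
 * bit 1 readable (code) / writable (data), bit 0 accessed. */
#define AR_PRESENT(ar)     (((ar) >> 7) & 1)
#define AR_DPL(ar)         ((unsigned)(((ar) >> 5) & 3))
#define AR_SEGMENT(ar)     (((ar) >> 4) & 1)
#define AR_EXECUTABLE(ar)  (((ar) >> 3) & 1)
#define AR_CONFORMING(ar)  (((ar) >> 2) & 1)

/* CPL is the least significant two bits of CS. */
unsigned cpl_from_cs(uint16_t cs) { return cs & 0x3; }

enum load_result { LOAD_OK, LOAD_BAD_SELECTOR, LOAD_BAD_TYPE, LOAD_NOT_PRESENT, LOAD_PRIV_VIOLATION };

/* 80286 descriptor: bytes 0-1 limit, 2-4 base, 5 access rights, 6-7 reserved. */
struct descriptor { uint8_t raw[8]; };

/* Constructed GDT (hypothetical contents). Entry 0 is the null descriptor. */
static const struct descriptor example_gdt[] = {
    {{0x00, 0x00, 0, 0, 0, 0x00, 0, 0}},
    {{0xFF, 0xFF, 0, 0, 0, 0x92, 0, 0}},  /* 1: data, DPL 0, writable, present (selector 0x08) */
    {{0xFF, 0xFF, 0, 0, 0, 0xF2, 0, 0}},  /* 2: data, DPL 3, writable, present (selector 0x10) */
    {{0xFF, 0xFF, 0, 0, 0, 0x9A, 0, 0}},  /* 3: code, DPL 0, non-conforming    (selector 0x18) */
    {{0xFF, 0xFF, 0, 0, 0, 0xFA, 0, 0}},  /* 4: code, DPL 3, non-conforming    (selector 0x20) */
    {{0xFF, 0xFF, 0, 0, 0, 0x9E, 0, 0}},  /* 5: code, DPL 0, conforming        (selector 0x28) */
};

/* Look up the access byte the processor would read for 'sel'. This model has
 * only a GDT; a null selector or an out-of-range index fails the lookup. */
static bool fetch_access_byte(uint16_t sel, uint8_t *ar)
{
    unsigned idx = SEL_INDEX(sel);
    if (SEL_TI(sel) || idx == 0 || idx >= sizeof example_gdt / sizeof example_gdt[0])
        return false;
    *ar = example_gdt[idx].raw[5];
    return true;
}

/* Loading DS or ES with a data segment: the descriptor must be a data descriptor,
 * and its DPL must be numerically >= the effective privilege max(CPL, RPL), i.e.
 * the segment is at the same or a less privileged level than the requester. */
enum load_result check_data_load(uint16_t sel, unsigned cpl)
{
    uint8_t ar;
    if (!fetch_access_byte(sel, &ar)) return LOAD_BAD_SELECTOR;
    if (!AR_SEGMENT(ar) || AR_EXECUTABLE(ar)) return LOAD_BAD_TYPE;
    unsigned epl = cpl > SEL_RPL(sel) ? cpl : SEL_RPL(sel);
    if (AR_DPL(ar) < epl) return LOAD_PRIV_VIOLATION;   /* more privileged than the requester */
    if (!AR_PRESENT(ar)) return LOAD_NOT_PRESENT;
    return LOAD_OK;
}

/* Direct JMP/CALL to a code segment (no gate): a non-conforming target must be at
 * exactly CPL; a conforming target (section 11.2) may be at CPL or more privileged.
 * Any other privilege change needs a gate (section 7.5.1). */
enum load_result check_direct_code_transfer(uint16_t sel, unsigned cpl)
{
    uint8_t ar;
    if (!fetch_access_byte(sel, &ar)) return LOAD_BAD_SELECTOR;
    if (!AR_SEGMENT(ar) || !AR_EXECUTABLE(ar)) return LOAD_BAD_TYPE;
    if (AR_CONFORMING(ar)) {
        if (AR_DPL(ar) > cpl) return LOAD_PRIV_VIOLATION;
    } else {
        if (AR_DPL(ar) != cpl || SEL_RPL(sel) > cpl) return LOAD_PRIV_VIOLATION;
    }
    if (!AR_PRESENT(ar)) return LOAD_NOT_PRESENT;
    return LOAD_OK;
}

int main(void)
{
    unsigned cpl = cpl_from_cs(0x23);   /* CS = index 4, RPL 3 -> CPL 3 */
    printf("CPL %u loading DPL-0 data selector 0x08: %s\n", cpl,
           check_data_load(0x08, cpl) == LOAD_PRIV_VIOLATION ? "denied" : "allowed");
    printf("CPL %u jumping to DPL-0 code selector 0x18: %s\n", cpl,
           check_direct_code_transfer(0x18, cpl) == LOAD_PRIV_VIOLATION ? "denied (gate required)" : "allowed");
    return 0;
}
```

The RPL term in `check_data_load` is the reason a selector handed to the operating system by a less privileged caller cannot be used to reach data the caller itself could not access: the effective privilege is the weaker of CPL and RPL, so a level-0 routine loading a selector with RPL 3 is held to the level-3 rule.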

Intel 80287, 80286 manual Segment Descriptor