Ring-transitions for EM64T How the CPU can accomplish transitions among its differing privilege-levels in 64-bit mode.

Slides:



Advertisements
Similar presentations
Memory Management Unit
Advertisements

Processor Privilege-Levels
Types of Code Segments Conforming Code Segment
Computer Organization and Architecture
Intel MP.
IA32 Paging Scheme Introduction to the Pentium’s support for “virtual” memory.
Task-Switching How the x86 processor assists with context-switching among multiple program-threads.
Interrupts in Protected-Mode Writing a protected-mode interrupt-service routine for the timer-tick interrupt.
Interrupts in Protected-Mode Writing a protected-mode interrupt-service routine for the timer-tick interrupt.
EM64T ‘fast’ system-calls A look at the requirements for using Intel’s ‘syscall’ and ‘sysret’ instructions in 64-bit mode.
Page-Faults in Linux How can we study the handling of page-fault exceptions?
Exceptions and Interrupts How does Linux handle service- requests from the cpu and from the peripheral devices?
Interrupts in Protected-Mode Writing a protected-mode interrupt-service routine for the timer-tick interrupt.
The various x86 ‘modes’ On understanding key differences among the processor’s several execution-architectures.
Processor Privilege-Levels How the x86 processor accomplishes transitions among its four distinct privilege-levels.
Architectural Support for OS March 29, 2000 Instructor: Gary Kimura Slides courtesy of Hank Levy.
Venturing into protected-mode A first look at the CPU registers and instructions which provide the essential supporting infrastructure.
1 Hardware and Software Architecture Chapter 2 n The Intel Processor Architecture n History of PC Memory Usage (Real Mode)
X86 segmentation, page tables, and interrupts 3/17/08 Frans Kaashoek MIT
Memory Management (II)
Task-Switching How the x86 processor assists with context-switching among multiple program-threads.
Setup for VM launch Using ‘vmxwrite’ and ‘vmxread’ for access to state-information in a Virtual Machine Control Structure.
Venturing into protected-mode
Introduction to the Intel x86’s support for “virtual” memory
A ‘protected-mode’ exploration A look at the steps needed to build segment-descriptors for displaying a message while in protected-mode.
Microprocessor Systems Design I Instructor: Dr. Michael Geiger Fall 2012 Lecture 15: Protected mode intro.
OS Spring’04 Introduction Operating Systems Spring 2004.
8086 emulation Using Virtual-8086 mode to execute real-mode procedures in a protected-mode environment.
Interrupts in Protected-Mode Writing a protected-mode interrupt-service routine for the timer-tick interrupt.
UNIT 2 Memory Management Unit and Segment Description and Paging
System Calls 1.
80386DX.
1 Computer System Overview Chapter 1. 2 n An Operating System makes the computing power available to users by controlling the hardware n Let us review.
Cosc 3P92 Week 9 & 10 Lecture slides
Microprocessor system architectures – IA32 segmentation Jakub Yaghob.
Multitasking Mr. Mahendra B. Salunke Asst. Prof. Dept. of Computer Engg., STES SITS, Narhe, Pune-41 STES Sinhgad Institute of Tech. & Science Dept. of.
80386DX.
1 i386 Memory Management Professor Ching-Chi Hsu 1998 年 4 月.
1 CSE451 Architectural Supports for Operating Systems Autumn 2002 Gary Kimura Lecture #2 October 2, 2002.
Virtual 8086 Mode  The supports execution of one or more 8086, 8088, 80186, or programs in an protected-mode environment.  An 8086.
Lecture Topics: 10/29 Architectural support for operating systems –timers –kernel mode –system calls –protected instructions.
Efficient Software Based Fault Isolation Author: Robert Wahobe,Steven Lucco,Thomas E Anderson, Susan L Graham Presenter: Maitree kanungo Date:02/17/2010.
Microprocessor system architectures – IA32 tasks Jakub Yaghob.
Segment Descriptor Segments are areas of memory defined by a programmer and can be a code, data or stack segment. In segments need not be all the.
Chapter 14: Protection Silberschatz, Galvin and Gagne ©2005 Operating System Concepts – 7 th Edition, Apr 11, 2005 Chapter 14: Protection Goals.
80386DX.
1 Microprocessors CSE Protected Mode Memory Addressing Remember using real mode addressing we were previously able to address 1M Byte of memory.
Lecture 5 Rootkits Hoglund/Butler (Chapters 1-3).
LECTURE 12 Virtual Memory. VIRTUAL MEMORY Just as a cache can provide fast, easy access to recently-used code and data, main memory acts as a “cache”
Microprocessor and Assembly Language Addressing Models
Information Security - 2. Task Switching Every process has an associated Task State Segment, whose starting point is stored in the Task register. A task.
Privilege Check for Control Transfer(Code Access) Control transfers (except interrupts) are accomplished by the instructions JMP, CALL, and RET The "near"
An Interrupt is either a Hardware generated CALL (externally derived from a hardware signal) OR A Software-generated CALL (internally derived from.
Microprocessor and Assembly Language
Anton Burtsev February, 2017
Privilege Levels.
Protection UQ: Explain the protection mechanism of X86 Intel family microprocessor(10 Marks)
Microcomputer Programming
x86 segmentation, page tables, and interrupts
System Segment Descriptor
Practice Six Chapter Eight.
Microprocessor and Assembly Language Addressing Models
Introduction to the Intel x86’s support for “virtual” memory
Architectural Support for OS
CSE 451: Operating Systems Autumn 2003 Lecture 2 Architectural Support for Operating Systems Hank Levy 596 Allen Center 1.
CSE 451: Operating Systems Autumn 2001 Lecture 2 Architectural Support for Operating Systems Brian Bershad 310 Sieg Hall 1.
CSE 451: Operating Systems Winter 2003 Lecture 2 Architectural Support for Operating Systems Hank Levy 412 Sieg Hall 1.
Architectural Support for OS
CPU Structure and Function
CS444/544 Operating Systems II Virtual Memory
Presentation transcript:

Ring-transitions for EM64T How the CPU can accomplish transitions among its differing privilege-levels in 64-bit mode

Rationale The usefulness of protected-mode derives from its ability to enforce restrictions upon software’s freedom to take certain actions Four distinct privilege-levels are supported Organizing concept is “concentric rings” Innermost ring has greatest privileges, and privileges diminish as rings move outward

Four Privilege Rings Ring 3 Ring 2 Ring 1 Ring 0 Least-trusted level Most-trusted level

Suggested purposes Ring0: operating system kernel Ring1: operating system services Ring2: custom extensions Ring3: ordinary user applications

Unix/Linux and Windows Ring0: operating system Ring1: unused Ring2: unused Ring3: application programs

Legal Ring-Transitions A transition from an outer ring to an inner ring is made possible by using a special control-structure (known as a ‘call gate’) The ‘gate’ is defined via a data-structure located in a ‘system’ memory-segment normally not accessible for modifications A transition from an inner ring to an outer ring is not nearly so strictly controlled

Data-sharing Function-calls typically require that two separate routines share some data-values (e.g., parameter-values get passed from the calling routine to the called routine) To support reentrancy and recursion, the processor’s stack-segment is frequently used as a ‘shared-access’ storage-area But among routines with different levels of privilege this could create a “security hole”

An example senario Say a procedure that executes in ring 3 calls a procedure that executes in ring 2 The ring 2 procedure uses a portion of its stack-area to create ‘automatic’ variables that it uses for temporary workspace Upon return, the ring 3 procedure would be able to examine whatever values are left behind in this ring 2 workspace

Data Isolation To guard against unintentional sharing of privileged information, different stacks are provided at each distinct privilege-level Accordingly, any transition from one ring to another must necessarily be accompanied by an mandatory ‘stack-switch’ operation The CPU provides for automatic switching of stacks and copying of parameter-values

Inward ring-transitions Transfers from a ring with lesser privileges to a ring with greater privileges (e.g., from ring3 to ring0) are controlled by a system data-structure known as a ‘call gate’ and normally would be accomplished using an ‘lcall’ instruction (i.e., a ‘long’ call), either “direct” (the target is specified by data in the instruction) or “indirect” (the target is specified by data at a memory-location)

ring3 requires ‘gate’ and ‘TSS’ ring2 ring1 ring0 ‘gate’ structure’s DPL determines whether the inward transition is permitted, and if it is, what will be the new CS and RIP register-values ‘TSS’ structure determines what the new SS and RSP register-values will be, and thus where the old values from SS, RSP, CS, and RIP will get saved for a later ‘return’ from the ‘call’ lcall instruction

64-bit Call-Gate Descriptors offset[ ] code-selectoroffset[ ] reserved (must be 0) gate type P0 DPLDPL 31 0 Legend: P=present (1=yes, 0=no) DPL=Descriptor Prvilege Level (0,1,2,3) code-selector (specifies memory-segment containing procedure code) offset (specifies the procedure’s entry-point within its code-segment) gate-type: (‘0xC’ signifies a 64-bit call-gate when EFER.LMA=1) offset[ ] reserved (must be 0) 12796

64-bit Task-State Segment reserved IST1 ESP0 reserved ESP1 ESP2 reserved IST2 IST3 IST4 IST5 IST6 IST7 reserved I/O MAP BASE 32-bits Reserved bits )must be set to zero)

How CPU finds the TSS GDTR Task State Segment Global Descriptor Table Task Register TR 64-bit Task-State Segment-Descriptor

Outward ring-transitions Transfers from a ring with greater privilege to a ring having lesser privilege (e.g., from ring0 to ring3) are normally accomplished by using an ‘lret’ instruction (i.e., a ‘long’ return) and refer to values on the current stack to specify the changes in contents for registers CS and RIP (for the code transfer) and registers SS and RSP (for the mandatory stack-switch)

ring3 ‘returns’ are less restrictive ring2 ring1 ring0 lret instruction RSP RIP SS CS SS:RIP ring0 stack 64-bits The new values for the CS, RIP, SS, and RSP registers will be taken from the current stack

64-bit memory-addressing Recall that memory-addressing in 64-bit mode uses a ‘flat’ address-space (i.e., no segmentation: all addresses are offsets from zero, and no limit-checking is done) However, page-mapping is in effect, using the 4-level page-table scheme At least one page needs to be “identity- mapped” for the activation or deactivation of the processor’s ‘long’ mode (IA-32e)

New ‘page-mapping’ idea We can simplify our program addressing in 64-bit mode with a ‘non-identity’ mapping: physical address-space virtual address-space demo load-address = 0x10000 demo 0x x x20000 vram 0xB8000 our demo code and data appears twice in virtual space

How we build the map-tables.section.data.align0x1000 level1:entry = 0x10000.rept16.quadentry + 7 entry = entry + 0x1000.endr entry= 0x10000.rept240 entry = entry + 0x1000.quadentry + 7.endr.align0x1000 level2:.quadlevel1 + 0x align0x1000 level3:.quadlevel2 + 0x align0x1000 level4:.quadlevel3 + 0x align0x1000

Our ‘tryring3.s’ demo x86 ‘real-mode’ 16-bit ‘compatibility’ mode CPL=0 mov %cr0 IA-32e mode 64-bit mode CPL=0 64-bit mode CPL=3 direct LJMP indirect LCALL thru callgate LRETQ indirect LJMP begin exit

From 16-bit to 64-bit Once we arrive in IA-32e mode, our first transfer is from 16-bit ‘compatibility’ mode to 64-bit ‘long’ mode For this we can use a long direct jump with a default (i.e., 16-bit) operand-size (thanks to our special page-mapping) ljmp$sel_CS0, $prog64 selector for 64-bit code-segment at privilege-level zero (i.e., ring0) 16-bit offset to our ‘prog64’ label

From 64-bit ring0 to 64-bit ring3 Once we arrive in 64-bit mode, our second transfer is from ring0 to ring3 For this we use a ‘long return’ instruction after setting up our current ring0 stack with the new values for SS, RSP, CS, and RIP, and we specify a quadword operand-size pushq$sel_SS3 pushq$tos3 pushq$sel_CS3 pushq$showmsg lretq selector for writable data-segment at privilege-level three (i.e., ring3) selector for 64-bit code-segment at privilege-level three (i.e., ring3)

From 64-bit ring3 to 64-bit ring0 When we’ve finished our ring3 procedure, we get back to ring0 by using an indirect ‘long call’ through a 64-bit call-gate Our 64-bit TSS must be set up in advance for the accompanying stack-switch lcall*supervisor# indirect long-call supervisor:.long 0, sel_ret# target of the call selector for 64-bit call-gate descriptor accessible at ring3, specifying new register-values for CS and RIP (the new RSP-value comes from the TSS, and the new SS-value will be NULL) a “dummy” operand, required by the syntax for ‘lcall’, but not used by the CPU (since all the needed info is in the call-gate and the Task-State Segment)

From 64-bit code to 16-bit code Finally, for returning to ‘real-mode’, we need to transfer from the 64-bit code in ‘long mode’ to 16-bit code in ‘compatibility mode’ (both ring0, so no privilege-change) For this we use an indirect long jump (as there’s no direct long jump in 64-bit mode) ljmp*departure# indirect long-jump departure:.long prog16, sel_cs0# target of this jump 32-bit offset to our ‘prog16’ label selector for 16-bit code-segment at privilege-level zero (i.e., ring0)

In-class exercise #1 Try some alternative transfer-instructions: –Use LJMPL $sel_C0, $prog64 + 0x10000 in place of LJMP $sel_C0, $prog64 –Use LJMP *supervisor in place of LCALL *supervisor –Use LRETW in place of LRETQ after setting up your stack with word-size values instead of quadword-sized values

In-class exercises #2 and #3 Can you adjust all the virtual addresses in your 64-bit code so that an ‘identity-map’ could be used in this ‘tryring3.s’ demo? Could you adjust all the privilege-levels so that ‘ring2’ gets used instead of ‘ring3’?