Message board for the users of flat assembler.
OS Construction > Privilege Levels 1 and 2 and Page Translation
Nistix 12 Jun 2012, 20:15
Please help me clarify one thing.
Example of the linear address space for some operating system:
high part (FFFF:8000:0000:0000 - FFFF:FFFF:FFFF:FFFF) - kernel code and very important data structures for the whole system
low part (0 - 7FFF:FFFF:FFFF) - user space
In the PML4, PDPT, PDT and PT entries for the low part the U/S flags are 1s; for the low part they are zeroes.
So any code with CPL=3 can't access any data/code in the higher half of linear memory.
Code with CPL=1 and CPL=2 has access to them!!!
In the Intel Architectures Software Developer Manuals (Chapter 4, Page Translation, 4.6 Access Rights):
"all accesses performed while the CPL is less than 3 are supervisor-mode accesses"
So, for example, if I want to make some drivers in my own operating system run with CPL=1 for more security and stability, there will be no result,
because any driver with CPL=1 or 2 can access ALL system structures and can read/write them.
What is the reason for using levels 1 and 2?
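The check Nistix describes above, written out as an added example (this is not code from the thread or from any of the posters): a small C model of the Intel SDM Vol. 3 section 4.6 access-rights rules for a 4-level page walk, limited to the bits the thread talks about (U/S, R/W and CR0.WP; SMEP, SMAP and NX are deliberately left out). The page-table entries, the `make_walk` helper and the CPL table in `main` are constructed for illustration and are not dumps from a real system.

```c
/* Added example (not from the thread): a model of the Intel SDM Vol. 3,
 * section 4.6 access-rights check for a 4-level page walk, restricted to
 * the bits this thread discusses (U/S, R/W, CR0.WP). SMEP, SMAP and NX are
 * deliberately not modelled. The page-table entries are constructed here for
 * illustration and are not dumps from any real system. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PTE_P   (1ULL << 0)   /* present */
#define PTE_RW  (1ULL << 1)   /* 1 = writable */
#define PTE_US  (1ULL << 2)   /* 1 = user (CPL=3) may access */
#define CR0_WP  (1ULL << 16)  /* write-protect: supervisor honours R/W=0 */

/* The four entries a 4-level walk touches for one 4 KiB page. */
struct walk { uint64_t pml4e, pdpte, pde, pte; };

/* Build a walk whose four entries all carry the same flags (plus Present). */
struct walk make_walk(uint64_t flags)
{
    struct walk w = { flags | PTE_P, flags | PTE_P, flags | PTE_P, flags | PTE_P };
    return w;
}

/* SDM 4.6: "all accesses performed while the CPL is less than 3 are
 * supervisor-mode accesses". Rings 1 and 2 are supervisor here. */
static bool is_supervisor_access(unsigned cpl) { return cpl < 3; }

/* true = access permitted, false = the CPU would raise #PF. */
bool access_allowed(const struct walk *w, uint64_t cr0, unsigned cpl, bool write)
{
    const uint64_t ents[4] = { w->pml4e, w->pdpte, w->pde, w->pte };
    bool user_ok = true, write_ok = true;

    for (int i = 0; i < 4; i++) {
        if (!(ents[i] & PTE_P))
            return false;                 /* not present: #PF regardless of CPL */
        if (!(ents[i] & PTE_US))
            user_ok = false;              /* U/S=0 at any level: user access denied */
        if (!(ents[i] & PTE_RW))
            write_ok = false;             /* R/W=0 at any level: page is read-only */
    }

    if (!is_supervisor_access(cpl))
        return user_ok && (!write || write_ok);   /* user: U/S everywhere, R/W for writes */

    /* Supervisor (CPL 0, 1 or 2): U/S is ignored, reads always succeed, and
     * writes to a read-only page succeed unless CR0.WP=1. */
    if (!write)
        return true;
    return write_ok || !(cr0 & CR0_WP);
}

int main(void)
{
    /* Constructed to match the thread's layout: kernel half U/S=0, user half U/S=1. */
    struct walk kernel_rw = make_walk(PTE_RW);
    struct walk kernel_ro = make_walk(0);
    struct walk user_rw   = make_walk(PTE_RW | PTE_US);
    const uint64_t cr0 = CR0_WP;

    printf("CPL  target      read  write\n");
    for (unsigned cpl = 0; cpl < 4; cpl++) {
        printf("%u    kernel_rw   %d     %d\n", cpl,
               access_allowed(&kernel_rw, cr0, cpl, false),
               access_allowed(&kernel_rw, cr0, cpl, true));
        printf("%u    kernel_ro   %d     %d\n", cpl,
               access_allowed(&kernel_ro, cr0, cpl, false),
               access_allowed(&kernel_ro, cr0, cpl, true));
        printf("%u    user_rw     %d     %d\n", cpl,
               access_allowed(&user_rw, cr0, cpl, false),
               access_allowed(&user_rw, cr0, cpl, true));
    }
    return 0;
}
```

Running it shows the point of the question: a write from CPL=1 or CPL=2 to a `kernel_rw` page is permitted exactly as it is from CPL=0, while CPL=3 is refused even a read. The only lever the page-walk gives against rings 1 and 2 is the one Bargest mentions next: with CR0.WP=1 a supervisor write to a page whose R/W bit is clear does fault, and since MOV to CR0 needs CPL=0, ring 1 and 2 code cannot clear WP for itself. The cost is that ring 0 code is bound by the same bit until it toggles WP.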
Bargest 12 Jun 2012, 20:32
IA-32 is a very... strange architecture. There is no reason for using rings 1 and 2. Windows and Linux don't use them at all. There is no sense in using them, because if a driver has access to I/O ports (it must have), it controls the system. For example, system memory can be overwritten using the DMA mode of different devices.
I wanted to use protection based on read-only pages (read-only protection checks for the supervisor are controlled by the WP bit in CR0; this register can be changed only from ring 0), but I realized it is too slow: frequently switching CR0 will kill performance.
Nistix 12 Jun 2012, 21:27
Oops. This bug completely destroys my dreams. I've already done so much in my own system, but noticed it too late.
revolution 13 Jun 2012, 01:20
It is always possible that external hardware can bypass the internal CPU privilege checks. Search for FireWire hacks to see it in full force. But this is no fault of the CPU.
Rings 1 and 2 were designed for a different era of OSes. The (now) old 80286 was the first x86 CPU to incorporate protection, and at that time rings 0-3 made sense for the type of uses the CPU was being put to.
Today things are different.
edfed 13 Jun 2012, 08:20
The reason for OSes not to use rings 1 & 2 can be more the fact that not every CPU architecture supports them, and maybe because OS companies don't design their systems with the same security model as Intel does.
Then, if you want, you can try to design using the 4 levels. I think it will give pretty good security results if it is well made.
Nistix 13 Jun 2012, 10:07
Using 4 privilege levels has a reason only in 32-bit protected mode, because we can use the DPL field in code and data-segment descriptors, and we can also set the base address and limit for these descriptors.
The AMD64 architecture completely removes segmentation:
"A data-segment-descriptor DPL field is ignored in 64-bit mode, and segment-privilege checks are not performed on data segments."
(http://support.amd.com/us/Processor_TechDocs/24593_APM_v2.pdf, page 89)
We cannot set Base, Limit or DPL for any data descriptor in 64-bit long mode!
All processes in long mode (64-bit) use only one selector, because there is no difference in its content.
That's why there is no reason to use CPL=1 or 2 in a fully 64-bit OS. Code with CPL=1,2 will use the same data descriptor as code with CPL=0, so access to pages during translation will be identical.
shutdownall 13 Jun 2012, 13:14
I think that's what you wanted.
But only why have you chosen CPL2 for your system/kernel?
Any task with DPL <= CPL can access resources.
That's the sense of it.
You need a more hierarchical structure.
If you choose to start your system (kernel) with CPL0, the tasks with CPL1 or CPL2 will have no more access to it.
Just a convention of what supervisor mode is.
The rule is DPL <= CPL for access.
Not any driver can access CPL0. CPL1 or CPL2 cannot. Intel could have been clearer in the documents. The reason for levels 0-3 is a finer granularity in the system software. So one could do a concept like this:
CPL0 => Kernel
CPL1 => General System Services
CPL2 => More Specific System Drivers
CPL3 => User tasks/programs
But it's up to you.
You can also use only CPL0 and CPL3. Or CPL1 and CPL2.
I can recommend the following book for planning operating systems based on the x86 architecture:
Echtzeit-Multitasking - Memory Management und System Design im Protected Mode der x86/Pentium-Architektur
by Klaus-Dieter Thies
But it is written in German.
Bargest 13 Jun 2012, 15:02
Some systems have user-mode drivers. For example, in Win8 some long-running drivers were moved from kernel mode to user mode. These drivers have a special interface for reading/writing system structures. This provides more security and an easier way of writing drivers (the system does not crash after any small bug occurs).
But many small and time-critical drivers are still in ring 0.
Copyright © 1999-2023, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.