flat assembler
Message board for the users of flat assembler.
Index
> OS Construction > switching to ring3 Goto page 1, 2 Next |
Author |
|
egos 10 Feb 2010, 12:54
Firstly, look at Intel manuals.
Then add to GDT code & data segment descriptors for user mode (with DPL=3) and jump to user code by retf (or iret) instruction with proper code & data segment selectors (with RPL=3) stored in the stack. |
|||
10 Feb 2010, 12:54 |
|
asmmsa 10 Feb 2010, 13:49
doesnt work.
iret only want to return to equal cpl. Bochs is exiting with the following message: [CPU0 ] check_cs(0x0018): conforming code seg descriptor dpl > cpl, dpl=3, cpl=0 could you give me simple example of calling code in ring3 from ring0? |
|||
10 Feb 2010, 13:49 |
|
ouadji 10 Feb 2010, 15:12
a Call Gate ? |
|||
10 Feb 2010, 15:12 |
|
asmmsa 10 Feb 2010, 15:27
Please dont throw random terms at me.
Im really confused about this gdt/idt stuff. Well 30 years of backward compatibility is not easy to learn. gdt has 1 special bit, wich define if the segment is code/data, or special segment such as call gate. Quote: The DPL field indicates the so what, i want to change my CPL to HIGHER (ring0 to ring3). Why must i go through DPL? Please give me sample code of calling something at diffrent ring, and i will be ok. Is call gate only way to lower CPL? i dont think so, every time i return from interrupt its ring0 > ring3. What am i missing? |
|||
10 Feb 2010, 15:27 |
|
asmmsa 10 Feb 2010, 15:35
i get it now
Quote: For example, in Figure 5-15, call gate A has a DPL of 3. So calling procedures at but what about iret/retf? it works under all OS, why not for me? |
|||
10 Feb 2010, 15:35 |
|
ouadji 10 Feb 2010, 17:02
"Call gate", a random term ? http://www.ivanlef0u.tuxfamily.org/?p=86 <--- in French, but very interesting! http://www.intel.com/Assets/PDF/manual/253668.pdf <-- (Intel book 3A) page 5-22 (chap 5.8.4) |
|||
10 Feb 2010, 17:02 |
|
baldr 10 Feb 2010, 17:30
asmmsa
Several conditions have to be met: 1. RPL of selector on stack should be not less than CPL (i.e. same or less-privileged). 2. DPL of it's descriptor should be not greater than RPL of selector on stack (or equal if that segment is not conforming). These conditions are mirrored conditions for inter-privilege-level call/jmp (RPL of selector on stack was CPL of caller). Can you show a sample of failing code? Value of selector in cs and on stack, and corresponding segment descriptor — that would be enough. |
|||
10 Feb 2010, 17:30 |
|
asmmsa 10 Feb 2010, 20:08
i know this code is *SIMPLE* but its just a test, i wont make os like that.
its just testing things, nothing serious. Code: use16 org 0x7C00 lgdt fword [gdt] ;load GDTR, will setup table later mov eax,cr0 inc al mov cr0,eax jmp 0x0008:start ;flush CS cache and reset it use32 ;now cpu in protected mode mode start: mov ax,0x0010 ;data segment mov ds,ax mov eax,TSS_DATA ;TSS mov word [TSS+2],ax ;i hope i didnt mixed this up ror eax,16 mov byte [TSS+4],al mov byte [TSS+7],ah ror eax,16 mov dword [eax+0x04],0 ;esp0, 0 is valid address used by ivt. mov word [eax+0x0A],0x0010 ;ss0, i use ring0 r/w selector mov dword [eax+0x38],0 ;esp ring3. i can use same stack for both mov word [eax+0x52],0x0020 ;ss ring3 mov ax,0x0028 ltr ax ;load TR. note that bochs doesnt throw error here. load success. push 0x0018 ;ring3 push ring3_eip retf ;fucked ; ;Bochs is exiting with the following message: ;[CPU0 ] check_cs(0x0018): non-conforming code seg descriptor dpl != cpl, dpl=3, cpl=0 ; ;or, i know that conforming has nothing to do with it.... ; ;Bochs is exiting with the following message: ;[CPU0 ] check_cs(0x0018): conforming code seg descriptor dpl > cpl, dpl=3, cpl=0 ; ; ring3_eip: mov word [0x000b8000],0x0F40 ;simple test to check if i made it here cli hlt gdt: dw 47 dd gdttable gdttable: dq 0 ;0 execute db 0xFF, 0xFF, 0x00, 0x00, 0x00, 10011000b, 11001111b, 0x00 ;8 read_write db 0xFF, 0xFF, 0x00, 0x00, 0x00, 10010010b, 11001111b, 0x00 ;10 ring3_execute db 0xFF, 0xFF, 0x00, 0x00, 0x00, 11111100b, 11001111b, 0x00 ;18 ring3_read_write db 0xFF, 0xFF, 0x00, 0x00, 0x00, 11110010b, 11001111b, 0x00 ;20 TSS db 0xFF, 0xFF, 0x00, 0x00, 0x00, 11101001b, 10001111b, 0x00 ;28 TSS_DATA: rb 0x64 db 510 - ($ - $$) dup 0, 0x55, 0xAA |
|||
10 Feb 2010, 20:08 |
|
baldr 10 Feb 2010, 20:17
asmmsa,
0x0018 is ring 0 selector (RPL==0). Ring 3 selector for ring3_execute descriptor and corresponding segment is 0x001B. |
|||
10 Feb 2010, 20:17 |
|
asmmsa 10 Feb 2010, 21:50
this code was wrong very
Last edited by asmmsa on 10 Feb 2010, 22:59; edited 1 time in total |
|||
10 Feb 2010, 21:50 |
|
asmmsa 10 Feb 2010, 22:59
Code: use16 org 0x7C00 lgdt fword [gdt] mov eax,cr0 inc al mov cr0,eax jmp 0x0008:start use32 start: mov ax,0x0010 mov ds,ax mov ss,ax mov esp,stack0 mov eax,TSS_DATA mov word [TSS+2],ax ror eax,16 mov byte [TSS+4],al mov byte [TSS+7],ah ror eax,16 mov dword [eax+0x38],stack3 mov word [eax+0x52],0x0023 mov dword [eax+0x04],stack0 mov word [eax+0x0A],0x0010 mov ax,0x0028 ltr ax push 0x00000023 push stack3 push 0x0000001B push ring3_eip retf ring3_eip: mov word [0x000b8000],0x0F40 jmp $ cli hlt gdt: dw 47 dd gdttable gdttable: dq 0 ;0 execute db 0xFF, 0xFF, 0x00, 0x00, 0x00, 10011000b, 11001111b, 0x00 ;8 read_write db 0xFF, 0xFF, 0x00, 0x00, 0x00, 10010010b, 11001111b, 0x00 ;10 ring3_execute db 0xFF, 0xFF, 0x00, 0x00, 0x00, 11111000b, 11001111b, 0x00 ;18 ring3_read_write db 0xFF, 0xFF, 0x00, 0x00, 0x00, 11110010b, 11001111b, 0x00 ;20 TSS db 0xFF, 0xFF, 0x00, 0x00, 0x00, 11101001b, 10001111b, 0x00 ;28 TSS_DATA: rb 0x64 rb 0x20 stack0: rb 0x20 stack3: db 510 - ($ - $$) dup 0, 0x55, 0xAA ive managed to write this. strictly by the manual, still doesnt work. im getting general protection fault. WTF! tell me thats wrong, i have no basic understanding of that crap, i really dont know whats the diffrence between TSS based saving and pushing on stack! |
|||
10 Feb 2010, 22:59 |
|
asmmsa 10 Feb 2010, 23:26
ok i did it.
forgot that DS is nullified when changing privileges, so i was making null ds write. overriden with ss and works fine! thx for he... umm take that back, i did it myself. |
|||
10 Feb 2010, 23:26 |
|
Coddy41 10 Feb 2010, 23:33
> thx for he... umm take that back, i did it myself.
Are you sure? It looks like allot of help was given... _________________ Want hosting for free for your asm project? You can PM me. (*.fasm4u.net) |
|||
10 Feb 2010, 23:33 |
|
asmmsa 11 Feb 2010, 12:30
can you point me where in intel manuals is descriptopn of TSS entry in GDT?
i cant find it, and interrupt from ring0 to ring3 ends with 'ss selector null' even if i have TSS loaded into TR and it has ss0 and esp0 valid. |
|||
11 Feb 2010, 12:30 |
|
asmmsa 11 Feb 2010, 12:44
never mind, it was my fault as always.
some ASSHOLE put offsets in idffrent order on osdev, ss0 is under 0x08 not 0x0A. memory grows this >>>>> way in little endian, not <<< that way, remember that plz. left is >>>>, right is <<<<<. its easier for notation. when you erite db 0,1,2, 2 is most significant, most left. Code: use16 org 0x7C00 lgdt fword [gdt] lidt fword [idt] mov eax,intt mov word [ido1],ax shr eax,16 mov word [ido2],ax mov eax,cr0 inc al mov cr0,eax jmp 0x0008:start use32 start: mov ax,0x0010 mov ds,ax mov ss,ax mov esp,stack0 mov eax,TSS_DATA mov word [TSS],104 mov word [TSS+2],ax ror eax,16 mov byte [TSS+4],al mov byte [TSS+7],ah ror eax,16 mov dword [eax+4],stack0 mov word [eax+8],0x0010 mov ax,0x0028 ltr ax push 0x00000023 push stack3 push 0x0000001B push ring3_eip retf ;im in ring3 now, using 0x23 SS and stack3 esp. ring3_eip: xor al,al idiv al mov ecx,0x01000000 loopd $ cli ;exception because im in ring3 hlt intt: mov ax,0x10 mov ds,ax mov word [ds:0x000b8000],0x0F40 iret idt: dw 15 dd idttable idttable: ido1 dw 0 dw 0x0008 db 0 db 10001111b ido2 dw 0 dq 0 gdt: dw 47 dd gdttable gdttable: dq 0 ;0 execute db 0xFF, 0xFF, 0x00, 0x00, 0x00, 10011000b, 11001111b, 0x00 ;8 read_write db 0xFF, 0xFF, 0x00, 0x00, 0x00, 10010010b, 11001111b, 0x00 ;10 ring3_execute db 0xFF, 0xFF, 0x00, 0x00, 0x00, 11111000b, 11001111b, 0x00 ;18 ring3_read_write db 0xFF, 0xFF, 0x00, 0x00, 0x00, 11110010b, 11001111b, 0x00 ;20 TSS db 0x00, 0x00, 0x00, 0x00, 0x00, 11101001b, 10000000b, 0x00 ;28 TSS_DATA: rd 26 rd 10 stack0: rd 10 stack3: db 510 - ($ - $$) dup 0, 0x55, 0xAA working code ring0>3>0 exception now, i wil ltry long mode. i ve read about it, and have 1 question: is it possible to enter long mode without paging? |
|||
11 Feb 2010, 12:44 |
|
revolution 11 Feb 2010, 13:03
asmmsa wrote: never mind, it was my fault as always. asmmsa wrote:
|
|||
11 Feb 2010, 13:03 |
|
a115433 05 Mar 2010, 17:50
ive lost pass to my previous account, but its still asmmsa
call gate cant be used to switch from ring0 to ring3. only returns or propably a task switch |
|||
05 Mar 2010, 17:50 |
|
ouadji 05 Mar 2010, 18:24
Quote:
CallGate allows the transfer between any privilege level. ring3 to ring0, but also ring0 to ring 3 |
|||
05 Mar 2010, 18:24 |
|
baldr 05 Mar 2010, 19:06
ouadji,
Are you sure? I've skimmed Intel SDM on the call and jmp instructions, privilege level restrictions state quite contrary: jmp through call gate can't change CPL, same for call to conforming segment; non-conforming segment can't be less-privileged. |
|||
05 Mar 2010, 19:06 |
|
Goto page 1, 2 Next < Last Thread | Next Thread > |
Forum Rules:
|
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.