X86 Protection

anup.estuff · 04-27-2014, 09:41 PM

Hi all,

I have some questions in x86 protection Mechanism.

We have RPL for data segment selectors.
From where is the RPL loaded into the segment selector?. Is it stored in the process descriptor or the Segment Descriptor of that Data segment?

sundialsvcs · 04-27-2014, 10:59 PM

The x86 processor instruction manuals from Intel explain all about it . . .

anup.estuff · 04-27-2014, 11:04 PM

I tried going through the manual. I was not able to precisely find out from where is it loaded. Can you please help me through this question.

sundialsvcs · 04-28-2014, 07:32 AM

Pardon me, but when I look at http://en.wikipedia.org/wiki/X86_memory_segmentation, after having done a search for x86 "rpl", I see the answer almost immediately.

Quote:

Originally Posted by WikiPedia:

A logical address consists of a 16-bit segment selector (supplying 13+1 address bits) and a 16-bit offset. The segment selector must be located in one of the segment registers. That selector consists of a 2-bit Requested Privilege Level (RPL), a 1-bit Table Indicator (TI), and a 13-bit index.

When attempting address translation of a given logical address, the processor reads the 64-bit segment descriptor structure from either the Global Descriptor Table when TI=0 or the Local Descriptor Table when TI=1. It then performs the privilege check:

max(CPL, RPL) ≤ DPL
where CPL is the current privilege level (found in the lower 2 bits of the CS register), RPL is the requested privilege level from the segment selector, and DPL is the descriptor privilege level of the segment (found in the descriptor). All privilege levels are integers in the range 0–3, where the lowest number corresponds to the highest privilege.

If the inequality is false, the processor generates a general protection (GP) fault.

There are several different types of segments on the x86 and this protection mechanism applies to each one. The segment reference is either express or implied, as the case may be, but each segment-register's content and the information that it points to specifies the protection that is to apply when the processor uses that segment (register), for that purpose.

There is also a good description (my second Google hit), in http://stackoverflow.com/questions/1...n-x86-machines.

Quote:

Originally Posted by StackOverflow:

The idea is that when the OS/kernel does something on behalf of user code, it could access memory using user code's privileges (RPL would reflect, well, the Requestor's Privilege Level, user code's level). If they are insufficient, an exception fails the operation. If this (or similar) mechanism isn't there, user code may subvert the OS/kernel by somehow requesting an operation to be performed on its behalf and the operation would be performed by the kernel with its, kernel's, privileges.

... and there were several comments made by others in response to this.

anup.estuff · 04-28-2014, 05:58 PM

Hello sundialsvcs,

Thanks for replying. Actually I had gone through the stackoverflow post. So one question on it.
When we say that , its the user code priviledge level, the processor has to somehow find out what was the user's priviledge level. So on x86 how can he find out.
And one more thing,

Kernel can access user data segment -> iilegally
-> Legally - Using get_user_pages. So in either of the cases how is the RPL set so that access to kernel are prohibited/allowed? I mean logically , for each data segment their should be something permission info stored somewhere like process descriptor or some location , from where it is picked and set as the RPL so access by kernel are monitored.

I am somehow missing the connecting links in my understanding. Can you please help me out. Thanks in Advance!!

sundialsvcs · 04-29-2014, 08:46 AM

Read the quoted text again: all the information that you are looking for is right there.

The kernel usually operates at "ring 0," which in less-enlightened processor designs would mean that "it has access to everything" and therefore would constantly have to check, in kernel software, whether a particular chunk of memory should be accessible to the user or not. Instead of this, the x86 architecture can perform the test ... and will throw a general profection fault (GPF), even to the kernel, which the kernel must be prepared to catch.

(When it doesn't, you get things like "unable to handle kernel paging request ...".)

The processor defines, on a segment level and a segment-register level, three privilege-level numbers:

CPL: The privilege level of the CPU at the time.
[b]RPL:{/b] The privilege level requested by the software.
DPL: The privilege-level of the segment being accessed.

Now, notice how max(CPL, RPL) makes the whole thing very efficient:

The user, operating (say) at "ring 3" (CPL=3), can never "get too big for its britches." This much is just ordinary protectiveness.
The kernel, operating at "ring 0" (CPL=0), now has the ability to make memory requests on behalf of the user, knowing that a GPF will occur (in kernel mode ...) if the user is not privileged to access that data. Instead of being forced to constantly check, it too can rely upon the interrupt mechanism to treat invalid references as what they are ... "the exception, rather than the rule."

Within the kernel, there is literally a list of places where a GPF is allowed to occur within kernel-space, with information to tell the kernel what to do about it.

Memory access by the kernel is still complicated by the fact that page-faults could occur if the user-requested data is not in memory at the time, and by the possibility that there are more CPUs/cores involved, and by the special dispatching rules that apply to kernel code (and kernel-task vs. not).