I’m studying about protection ring of x86 system.
Examples of accessing data segments
In this picture, there are segment selectors.
My questions are…
- segment selectors are in the RAM?
- who create segment selectors? automatically?
- one segment can have multiple segment selectors?
- relationship btw segment selectors and segment registers?
- this kind of structure(i.e, paged segmentation, segment selectors, …) are used on modern system?
Thanks.
I will attempt to explain this in terms as simple as possible.
What is segmentation?
Segmentation is the idea of dividing memory into segments. These segments have a base address and a limit (or size).
Traditionally, in Real Mode (DOS era), segments were defined as follows:
base_address = segment_register * 16
limit = 64 KiB
In Protected Mode, however, segments are no longer defined like this. Instead, there’s a table which contains details about every segment. As a bonus, it not only describes the base address and the limit, but also the privilege required to use it (that’s why it’s called Protected Mode) and if it’s a 16-bit or 32-bit segment.
The Global Descriptor Table (GDT)
The GDT is a table (i.e. array) set up by an operating system in memory which contains descriptors. These come in 2 types: segment descriptors (which define segments, along with all their attributes) and system descriptors (which define various OS structures in memory, some are important, some not so much).
The operating system tells the CPU where this table is located using the privileged lgdt
instruction. However, if you attempt it in user-mode code, it will fault.
Segment descriptors
Segment descriptors define segments. See below to see how to actually load and use one. A segment descriptor has this format.
Segment selectors
Segment selectors are simply indexes into the GDT. They have a specific format in which the last 3 bits are used for other purposes (bit 2 is the Table Indicator, while bits 1-0 are the Requested Privilege Level). Only bits 15-3 describe the actual index. For example, selector 0x20
indicates index 4 (starting from 0) in the GDT.
Segment registers
The segment registers (CS
, DS
, ES
, FS
, GS
and SS
) are designed to store these selectors while they are in use. However, when they are not in use, they can be stored in memory or in any other place.
The NULL selector acts as a sort of NULL pointer from C. You can freely load it into segment registers, but any attempt to use it will fault.
Example: a memory access such as [ebx]
will be relative to the segment base described by DS
(or you can explicitly specify a segment register, such as [es:ebx]
).
In Real Mode, such an instruction would have accessed the memory address ds * 16 + ebx
. However, in Protected Mode, the base address is taken from the GDT (at the index indicated by DS
), and the offset ebx
is added to it. The good part is that if the descriptor indicated by DS
is privileged, but the code making the memory access is not, it will fault with a General Protection Fault.
How are segment descriptors created?
The segment descriptors, as mentioned before, are part of the GDT and are created by the operating system. The segment selectors are (usually) given by the OS to the application. The application is free to set its own selectors if it wants, provided that the corresponding descriptors exist and are accessible (which in modern OSes is almost never the case).
Can you have multiple segment selectors?
One can and always has multiple selectors. This is because CS
must reference a code segment descriptor, while everything else references a data segment descriptor.
Isn’t it slow to access the GDT for every memory access?
It is. If that was the case, the CPU would have to access the correct GDT entry every time someone accessed memory, in order to validate privilege levels and to get the segment base and limit for calculations.
Fortunately, the CPU caches these entries (into the so-called descriptor caches) whenever you load a segment register. This is why loading a segment register is a rather expensive operation. These caches are then guaranteed to remain unchanged until you reload the corresponding segment register again. This includes switching out of Protected Mode, without restoring the descriptor caches (and this is how you enter the Unreal Mode).
Segmentation on modern 32-bit systems
Segmentation cannot be disabled on x86, but it can be…well…bypassed. By setting all descriptors as having base 0 and a 4GiB limit, you essentially bypass all advantages and disadvantages of segmentation.
All modern systems use paging to achieve memory protection. However, segmentation is still required because it enforces the privilege level. Each descriptor in the GDT has a DPL (Descriptor Privilege Level) field. This is what enforces the so-called privilege Rings. If a user-mode application had access to Ring 0 selectors, it could execute privileged instructions and bypass every protection mechanism, including paging.
Apart from that, there are a couple of system structures (defined in the GDT using system descriptors) such as the Task State Segment (TSS) which are critical for the OS. The TSS, for example, ensures that when any transition from Ring 3 to Ring 0 happens, the stack (SS:ESP
) is switched to a well-known kernel stack, since the user-mode stack can’t be trusted.
Segmentation is still used for the FS
and GS
registers. In Windows, FS
references a descriptor which points to the Thread Information Block, while GS
is NULL.
Segmentation on 64-bit systems
In 64-bit mode, segmentation is almost disabled. The only selector that truly matters is CS
, which sets the privilege level according to the DPL field. The DS
, ES
and SS
registers are unused. DS
and ES
are set to 0 (in 64-bit mode the NULL selector does nothing, it doesn’t fault when used), while SS
still points to a descriptor (loading NULL faults), though I’m not really sure why it can’t be 0.
However, the descriptors can’t set a base or a limit*. Essentially, the CPU creates the same environment that has to be created manually in 32-bit mode. Memory protection is achieved by paging, which is mandatory in 64-bit mode.
There is a way to set the base for the FS
and GS
selectors (see the WRFSBASE
and WRGSBASE
instructions). This doesn’t affect the GDT entries at all (they still only have space for a 32-bit base), but instead directly modifies the descriptor caches (the registers themselves are typically set to 0). Windows 64-bit uses GS
instead of FS
to point to the TIB.
* Some CPUs support setting a segment limit in the last 4GiB of the 256TiB address space. From what I understand, this was done to facilitate software virtualization before hardware virtualization (VT-x and AMD-V) was a thing.
To shortcut things, the answer to #5 is No.
Thanks for your reply. Then, modern system use just paging to manage memory?
@NateEldredge I feel like that’s a big oversimplification. They are used, but they are used in such a way that their effect doesn’t matter. Without the segmentation structures you cannot achieve privilege separation on x86. Paging only enforces the privilege levels, but something (the GDT) has to define them. Paging itself is useless if user code can execute
mov cr3
, for example.@DarkAtom: Without setting up a GDT, you can’t even switch to protected mode or long mode at all, since you can’t jump to a 32-bit or 64-bit code segment. So yeah I guess it’s fair to say you’d have no privilege separation / memory protection, but that’s because you’d be stuck in real mode without the possibility of enabling paging at all! (Or could just changing the control-register bits put you in 16-bit protected mode, with segment bases unchanged from real mode? You couldn’t handle interrupts without a GDT since that involves loading a new CS:[er]IP specified in the IDT.)
@PeterCordes While I’m sure it’s undefined behavior according to the manual, you can probably switch to protected mode and even long mode. I think you can set
CR0.PE
(maybe evenCR0.PG
,CR4.PAE
andEFER.LME
) and use the real mode descriptor caches. You probably can’t get out of 16-bit mode though. EDIT: Didn’t see your edit so I wrote this 😛