Protected mode

from Wikipedia, the free encyclopedia

The term Protected Mode ( English ; German: protected mode or protection mode ) describes a special operating mode of the IA-32 architecture (also known as x86 architecture) from Intel, which has existed since the 80286 processor. It allows the limitation of memory access rights for various software, and with it the directly accessible memory has increased to 16  MB main memory (16-bit protected mode). With the 80386 and the 32-bit protected mode, linear access to up to 4  GB main memory was possible. Protected mode is used by all modern PC operating systems (at Microsoft optionally since Windows 2.0 , mandatory since Windows 3.1 and Windows NT 3.1 ; at IBM since OS / 2 , Apple since the switch to the Intel platform, i.e. with Mac OS X Tiger ) used.

Background and idea

Segment descriptor table in protected mode

Originally only real mode existed on the 8086 architecture, which for reasons of compatibility is still the start mode with current x86 32-bit processors, so that older operating systems such as DOS can run. In this mode there were no memory protection mechanisms or policies, the operating system and also each individual program could read and write to each memory address at any time. This means the unrealistic requirement that software is completely free of errors, since a single incorrect access to an address of another software (e.g. the operating system) can lead to data loss or instability of the entire system.

In order to defuse this situation, mechanisms have been introduced with which the access rights of programs to different memory areas can be set and assigned more finely, in order to create memory protection between different software.

Concept and characteristics

For reasons of compatibility, Intel decided to use virtual memory management as the method, since the MMU can still fool every program into a complete address space as in real mode. Each program runs in its own copy of the physical address space, sealed off from other software. Operating system areas (typically in the upper area of ​​the address space 2 to 4 GiB) can be equipped with a higher authorization level (English "privilege level"). Among other things, this enables the distinction between kernel mode and user mode , which is implemented in modern operating systems.

In protected mode that supports CPU both segmentation (from 286) and paging (from 386) and the eponymous memory protection with four different levels of protection at the segment level and two levels of protection at page level. The four different protection levels or authorization levels that exist in x86 protection mode and are known as rings grant the code segments running on them different rights. This prevents faulty or malicious application programs from overwriting the operating system and thus changing it or causing it to crash, or from spying on data from other programs, which was still possible on the 8086 processor and could not be prevented. A processor switches to Protected Mode by setting the Protection Enable (PE) bit in Control Register 0 (CR0). Since the Intel 80386 series, there has also been a special mode in Protected Mode, the Virtual 8086 Mode (Virtual Real Mode), which was built in to execute real-mode programs in Protected Mode.

16-bit protected mode

The so-called "16-Bit Protected Mode" was introduced in the 286. This meant that a maximum of 16 MB physical main memory could be addressed via 2 tables with 8192 segments each, each with a maximum of 64 KB. This means that a theoretical memory space of 1 GB is available. These segments are accessed via so-called segment descriptor tables , which are created and managed by the operating system. It is possible to address more virtual addresses than the physical memory available. Using virtual memory management , individual segments can, for example, be swapped out to the hard disk and then marked as “not available” in the descriptor table. As soon as there is read or write access to such a segment, the processor triggers a "Segment not present" exception, which is caught by the operating system in order to reload the requested segment and continue the program.

The 16-bit protected mode was developed by Digital Research Concurrent DOS 286 (1985), FlexOS 286 (1986/1987), IBM 4680 OS (1986), OS / 2 1.x (1987) and MS Windows 3. x (in the so-called "standard mode") is used.

Descriptor tables

There are three types of descriptor tables:

  • Global descriptor table (GDT) - this is identical for all tasks
  • Local descriptor table (LDT) - each task can have its own LDT
  • Interrupt descriptor table (IDT) - is used when starting interrupt service routines.

The descriptor tables are in main memory and managed by the operating system. Their respective (base) address is stored in special registers:

  • GDTR - stores the physical base address of the GDT (24 bits)
  • IDTR - stores the physical base address of the IDT (24 bits)
  • LDTR - is a (16-bit) segment selector for the segment in which the LDT is located.
386 segment descriptor
(bits 24 ... 31 are not yet supported on the 286)

Each descriptor table contains a maximum of 8192 entries, so-called segment descriptors. Each segment descriptor describes a memory segment and contains the following fields:

  • the segment length ( segment limit - 1 byte to 64 KiB)
  • the start address ( base address - accurate to 1 byte)
  • Segment type ( type and S : S = 0 means system segment , S = 1 means user segment )
  • Descriptor Privilege level ( dpl , where the value 0 means the level with the highest rights, 3 the level with the lowest rights)
  • Present - Only segments with the P bit set to 1 in the descriptor are available in physical main memory. This can be used to swap out memory segments, since when segments with P-bit = 0 are accessed, the processor triggers an exception that can be caught by the operating system.

The first entry (with index 0) of the GDT is reserved as a zero selector and must not refer to any memory area.

Segment selectors

Structure of a segment selector

In real mode, the segment registers contain just the start address of the memory segment (more precisely, the top 16 bits of the 20-bit real mode memory address). In the protected mode, however, the segment registers contain a reference to one of the two descriptor tables (GDT or LDT) in which the properties of the memory segments are recorded.

The segment selectors are 16 bits in size and have the following structure: Bit 2 (TI = table indicator ) defines which of the two tables the index (in bits 3 ... 15) refers to.

32-bit protected mode

With the 386, the protected mode has been expanded to 32 bits, and previously unused fields in the descriptor tables allow access to up to 4 GB of physical main memory in 8192 segments of a maximum of 4 GB each. The following extensions were made:

  • Segment Limit - It has been expanded to 20 bits so a segment can be up to 1 MiB in size. To support larger segments without making the length field even larger, an additional "granularity bit" (G) was introduced. If this bit is set, the segment length is no longer interpreted in bytes, but in 4 KiB blocks. This enables segment sizes of up to 4 GiB.
  • Start address - It has been expanded to 32 bits so that the start address can map the entire physical address space
  • Operand size - This bit defines whether a code segment contains 16- or 32-bit code, or whether a stack segment is to be addressed via the 16-bit stack pointer SP or the 32-bit stack pointer ESP.

The 386 (and all successor processors) can also handle these extensions in 16-bit protected mode, so that 16-bit programs that use the 32-bit instruction extensions can also address the additional memory.

From the 386 onwards there is also the option of activating page management ( paging ), which follows the segmentation.

64-bit mode

With the introduction of the AMD64 architecture in the K8 processor from AMD , which was later adopted by Intel under the name EM64T (also IA-32e , now Intel 64 ), a new operating mode was introduced for x86 processors that differs from the previous protected mode is fundamentally different. In this mode there is de facto no segmentation (with one exception, see further in the text). The base address of the segments is permanently set to 0. The descriptor for the code segment is only used to determine the sub-mode (64-bit “Long Mode” or 32-bit “Compatibility Mode”, which is used when executing 32-bit programs under a 64-bit operating system ), the "Default Operation Size" and the privilege level of the code executed in this segment. Only the segment registers FS and GS can receive a 64-bit segment base address directly from the ring 0 via special machine commands (without accessing segment descriptors).

The format of the segment descriptors has been extended for system segments so that they contain 64-bit base addresses or offsets. These descriptors thus effectively occupy 2 entries in the descriptor tables.

Paging and memory swapping

Most modern operating systems for x86 computers, such as Windows , Linux or macOS , work in protected mode. Today, essentially only paging is used to implement memory protection, while segmentation is no longer used. With this mechanism, each process in an operating system can be provided with its own virtual address space , which is separate from the other processes . At the same time, however, the shared use of memory between processes, copy-on-write mechanisms or memory swapping as well as a clear separation of kernel and user address space can be implemented ( kernel memory protection against errors in application programs). This flat memory model is not safe from buffer overflows .

See also

Web links

Individual evidence

  1. 3.2 Modes of Operation . In: Intel 64 and IA-32 Architectures Software Developer Manuals . Intel , Denver, Colorado May 2005, p. 59.
  2. Robert Collins: Protected Mode Basics (PDF) ftp.utcluj.ro. 2007. Retrieved July 31, 2009.