Copyright Disclaimer: During reprinting, please use hyperlinks to indicate the original source and author information of the article and this statement
Http://myjfm.blogbus.com/logs/57252310.html
---------------------
CPLIs the current privilege level of the current process, is the privilege level of the segment where the code is currently being executed, which exists in the lower two Cs registers.
RPLIt indicates that the process's request permission for segment access (request privilege
Level), isSegment Selection Sub-Each segment has its own RPL, which indicates that the process has the permission to access the segment, a bit like a function parameter. And RPL is not fixed for each segment.
The RPL of the two accesses to the same segment can be different. RPL may weaken the role of CPL. For example, the current CPL = 0 process needs to access a data segment, which sets RPL in the segment selection operator to 3.
Although it only has 3 access permissions for this section.
DPLStored inSegment descriptorSpecifies the permission level (descriptor privilege level) to access this segment, and the DPL of each segment is fixed.
When a process accesses a segment, it requires a process privilege-level check. GenerallyDPL> = max {CPL, RPL}
For example, Chinese officials are divided into 6 levels: President 1, Prime Minister 2, Governor 3, Mayor 4, county magistrate 5, and village chief 6. Suppose I am the current process, level PM (CPL = 2), I'm going to Liaocheng
(DPL = 4) Investigation (haha), I use the governor's level (RPL = 3
In this way, they can also be scared to death:-) visit, right? If I use the county magistrate's level, people will ignore us (you can watch the WeChat private visit on TV, huh, huh! Why does RPL take into account
Security issues are like you clearly have the write permission on a file. Why is it not for security!
[Reporter Note: The following plug-ins: http://www.oldlinux.org/oldlinux/viewthread.php? Tid = 3627]
"CPU only has DPL and CPL, and there is no place to save RPL. "
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ This statement has a problem. RPL is stored in the segment Selection Sub-, and the segment Selection Sub-can be loaded into the segment register (visible part). We know that registers (including segment registers) it is physically in the CPU.
My question is, where do DPL, CPL, and RPL access code segments at different privileged levels during the privileged checks?
~~~~~~~~~~~~~~~~~~~~~~~~~~~ DPL is stored in the segment/gate descriptor, and RPL is stored in the segment selection child. CPL is the rpl of the child selected in the middle section of the current CS.
During code switching at different privileged levels, if we have two scenarios in mind: DPL/CPL of the original code segment and DPL/RPL of the new code segment, we may not be so confused.
If the current CPL is the RPL In the CS segment register, when loading Another privileged code segment with the CS segment register, you need to update the CS segment register so that it points to the description of the target code segment.
Mark the RPL bit in the code segment, so that the privilege level (CPL) of the current Code segment is hidden. So how to implement this judgment (DPL>
Max (CPL, RPL )? This is one of my biggest concerns.
~~~~~~~~~~~~~~~~~~~~~~~~~~ That's right. CPL is the RPL in CS. You are confused because of misunderstanding.Timing of privileged-level checks-- Not Loading
This check is performed only after CS is passed. Instead, the new and new DPL/RPL comparison checks are performed by the Special Parallel hardware in the CPU while loading, otherwise, an exception is triggered. In addition, DPL>
Max (CPL, RPL) is the privileged-Level Check condition when the current Code accesses the data segment. It is not the privileged-Level Check condition for code segment switching; the privileged-level check conditions for code segment switching should be divided into several situations
Situation, Zhao Bo's reply above.
In invisible descriptor, there will also be a CPL -- by sjlung
~~~~~~~~~~~~~~~~~~~~~~~~ This is purely a misunderstanding. segment descriptors are not visible in segment registers, and DPL is not included in Cpl. Again, CPL is the sub-division selected in the middle section of CS (visible part !) .
[Plug-in completed] -------------------------------------------------------
Full explanation:
--------------------------------------------------------------------------------
RPL is the value obtained from the combination of Bit 0 and bit 1 in the segment Selection Sub-, but here we need to figure out what is the segment Selection Sub, according to intel
(IA-32 intelr architecture software developer's manual, Volume
3 system programming guide) It is a 16bit identifier (Original: A segment Selector
Is a 16-bit identifier for a segment). But what is identifier?
It can be the name of a variable (an identifier is a name for variables). In short, it can be a variable of the general meaning. Here
16-bit identifier for a segment
It can be a general 16-bit variable, but it must be interpreted according to Intel's rules at the same time-Bit 0 and bit
The one-bit combination value is RPL and so on...
Therefore, if necessary, you can declare one or more variables to represent these segments and select Sub-segments. In this way, your program can have many sub-segments at a certain time, of course, there are multiple choices.
So many RPL. We can say how many RPL are in the program. What do you think of the variables you declare? |
The CPL (CS. RPL) of the program is the value obtained from the combination of Bit 0 and bit 1 in CS register. At a certain time point, only this value uniquely represents the CPL of the program.
DPL is the privileged level in the segment descriptor. It is intended to represent the privileged level of the segment it describes.
A program can use many segments (data, code, stack) or only one code segment. Normally, when the program environment is set up, the segment descriptor does not need to be changed.
----- Of course, DPL does not need to be changed.
I. Privileged Access Control for data and stack segments:
CPL of the program requesting access to the data segment or stack segment is less than or equal to the DPL of the data segment or stack segment to be accessed, and the DPL of the sub-RPL is less than or equal to the data segment or stack segment to be accessed, that is, the program must follow
Criterion: only code with the same or higher privilege level can access the corresponding data segment. Here, RPL may weaken the role of CPL. When you access a data segment or stack segment, the minimum privilege in the CPU and RPL is used by default.
So max {CPL, RPL} is less than or equal to DPL. Otherwise, access fails.
2. privileged level control over code segment access (privileged transfer of code execution right ):
Let's startSome "laws":
The CPU does not assign the RPL of the sub-segment to the CS. RPL ..
The CPL (CS. RPL) of the program after the jump only has the following two possibilities:
Cpl (CS. RPL) = CPL (CS. RPL) of the program before the jump)
Or
Cpl (CS. RPL) = codedescriptor. DPL
Take call as an example (you can only jump to a segment equal to or higher than the current privilege level ):
To determine the two options, we first need to know whether the program segment is consistent or inconsistent after the jump. In fact, it is also very simple. The rules are as follows:
If you can successfully jump to the consistent code segment, the CPL (CS. RPL) = CPL (CS. RPL), (the CPL of the program after the jump inherits the CPL of the program before the jump)
If you can successfully jump to a non-consistent code segment,
Cpl (CS. RPL) = descriptor. DPL of the program after the jump. (After the jump, the CPL of the program becomes the privileged level of the code segment. I mentioned earlier that DPL is
In the segment descriptor, the privilege level is used to represent the privileged level of the segment it describes.) How can we successfully jump?
Here we haveFour important concepts:
1) Section protection concept isHigh privilege level does not find low privilege level servicesFor low privilege level assistance, the same must be fine. (The logic is correct. I don't know the truth .) that is to say, the county magistrate does not look for the village magistrate, and the village magistrate does not ask for the peasants. In turn, the peasants seek the village magistrate and the county magistrate. this concept is the most important.
2)Consistent code segmentMeaning:
This makes it easy for the guests to take advantage of the owner's (consistent code segment) things for themselves. However, the identity of the guests has not changed newcs. RPL = oldcs. RPL so they can only do things for themselves. For example, the village chief has
A cow, a farmer can borrow to help his own farm, but not others. But if you are a village chief, you can certainly plant all the farms in the village.
3)
Inconsistent code segmentMeaning: the owner (non-consistent code segment) can help the guests, but it must use its own identity newcs. RPL =
Destinationdescriptorcode. DPL may have security issues,
It is easy for farmers to become county leaders. If the master is too stubborn, he must stick to his identity. Is there any way to change it? Is it a compromise. Okay, it is the use of RPL.
4) RPL:
It allows the program to express a privileged identity max (RPL, CPL) when needed without losing its own privileged CPL (CS. RPL). When necessary, it is used to check the identity.
. In fact, RPL has nothing to do with the privileged DPL of the segment itself and the current privileged CPL, because the RPL value is not assigned to the CS. RPL after the successful jump.
I still want to ask how to successfully jump to the next hop? There are two situations:
Normal jump(No gate passed
(This): After JMP or call, follow the 48-bit full pointer (16-bit segment Selection Sub-+ 32-bit address offset), and the segment Selection Sub-points to the segment descriptor, such a jump is called a direct (normal) Jump.
. A normal jump does not cause a jump of the privileged level, that is, it does not cause CPL changes. For details, refer to the following description:
The target is a consistent code segment:
Requirement: CPL (CS. RPL)> = destinationdescriptorcode. DPL. Other RPL do not check.
Cpl (newcs. RPL) = CPL (oldcs. RPL) of the program before the jump)
The above arrangement refers to the concept 1, 2. At this time, CPL has not changed, even if it executes code with a higher privilege level (DPL. If the access fails, an exception occurs.
The target code segment is inconsistent:
Requirement: CPL (CS. RPL) = destinationdescriptorcode. DPL and RPL ≤ CPL (CS. RPL)
Cpl (newcs. RPL) = destinationdescriptorcode. DPL
The above arrangement is the meaning of concept 3 and the meaning of Part 1 ---- the owner (non-consistent code segment) only helps the guests with the same privilege level. Because the premise is CPL = DPL
Cpl (newcs. RPL) =
Destinationdescriptorcode. DPL does not change the CPL value, and the privileged level (CPL) does not change. If the prerequisite is not met during access
Cpl = DPL, an exception is thrown.
Redirect by calling the door:When the inter-segment Transfer Instruction JMP and inter-segment Transfer Instruction call are followed by the target segment Selection Sub-points to a call gate descriptor, the jump is to use the call door jump. At this time, if the child is selected and followed by a 32-bit address offset, it will not be used by the CPU, because the call gate descriptor has recorded the offset of the target code. One more step to redirect by using a door adjustment than a normal jump, that is, when accessing the call door descriptorUse the descriptor as a data segment to check Access Permissions, Indicates that the RPL of the caller is equal to or less than the gate descriptor DPL, And the CPL of the current Code segment is equal to or equal to the gate descriptor DPL, just like accessing the data segment, CPL of the program requesting access to the data segment is less than or equal to the DPL of the data segment to be accessed, and the sub-RPL is less than or equal to the DPL of the data segment or stack segment to be accessed. Only when the preceding conditions are met can the CPU further read the selection and address offset of the target code segment from the call gate descriptor to perform the next step.
After reading the segment selection and address offset of the target code from the call door, the information we currently have returned to the previous step, it is on the same starting line as a normal jump.
Segment selection and address offset), the difference is that, at this time, the CPU will readSelect RPL in the child of the target code segment to clear 0That is, the role of selecting the sub-RPL for the code segment in the call door is ignored. After this step is completed, the CPU starts CPL for the current program, and the target code segment selects the sub-RPL (in fact, it can always meet the requirements after being cleared) and DPL in the target code segment descriptor selected by the target code sub-indicator to perform a privileged level check and redirect based on the situation, as shown below:
The target is a consistent code segment:
Requirement: CPL (CS. RPL) ≥ destinationdescriptorcode. DPL and RPL are not checked. Because RPL is cleared to 0, RPL is always satisfied with RPL ≤ DPL. This is consistent with normal redirection and is applicable to JMP and call.
Cpl (newcs. RPL) = CPL (oldcs. RPL) of the program before the jump. Therefore, no transition occurs at the privilege level.
The target code segment is inconsistent:
When the JMP command is used to redirect:
Requirement: CPL (CS. RPL) = destinationdescriptorcode. DPL and RPL <=
Cpl (CS. RPL) (in fact, RPL is always satisfied because RPL is cleared 0, so the relationship between RPL and CPL is not checked here ). If the requirements are not met, the program will cause an exception.
Cpl (newcs. RPL) = destinationdescriptorcode. DPL
Because the premise is CPL = DPL, the CPL (newcs. RPL) = destinationdescriptorcode. DPL of the program after the jump will not change the CPL value, and the privilege level will not change. If CPL = DPL is not met during access, an exception is thrown.
When the call command is used to redirect:
Requirement: CPL (CS. RPL) ≥ destinationdescriptorcode. DPL (RPL is cleared 0, not checked). If the requirements are not met, the program will cause an exception.
Cpl (newcs. RPL) = destinationdescriptorcode. DPL
When the condition CPL = DPL, CPL = DPL after the program jump, the privileged level does not jump; When CPL> DPL, after the program jump
Cpl = DPL,Privileged Level TransitionThis is the only jump method that we can see when the current position changes the current execution of the Program (CPL), that is, using the Call Command + call the door to jump,
The target code segment is a non-consistent code segment.
Summary: The above two types of redirection are described, namely normal jump and call door jump. The redirection can be subdivided into JMP jump and call jump, whether the jump is successful or not by CPL, RPL, and DPL
Comprehensive Decision. All redirects are from low-privilege-level code to the same level or higher-level privileged level (DPL), but keep the current execution privileged level (CPL) unchanged, it is a little difficult to tell why the jump to the high-privilege level is not changed, and the "high-privilege level" here refers to the DPL of the target code segment descriptor, it specifies the highest privilege level that can jump to the code segment. The CPL remains unchanged, which means that the privilege level does not jump. We can see that CPL changes will occur only when the call command + call door method is used to jump and the target code segment is inconsistent, that is, the Code Execution privilege-level transition, this is currently the only way to change the execution privilege level. If you know other methods, please leave a message to me.
---------------------------------------------------
Consistent code segment, inconsistent code segment
Consistent bits: 2nd bits of the type (including four binary bits) field in the descriptor attribute.
When S = 1, the four binary digits in type are:
3 2 1 0
Execution bit consistent bit read/write bit access bit
Execution bit: When set to 1, it indicates that execution can be performed. If set to 0, it indicates that execution cannot be performed;
Consistent bit: If set to 1, it indicates the consistent code segment. If set to 0, it indicates the inconsistent code segment;
Read/write bits: If set to 1, it indicates readable and writable; if set to 0, it indicates read-only;
Access bit: if it is set to 1, it indicates that it has been accessed. If it is set to 0, it indicates that it has not been accessed.
Therefore, the consistent code segment and the non-consistent code segment mean whether the consistent bit is set to 1, and the consistent code segment is set to 1, and the non-consistent code segment is set to 0.