Linux Kernel series-5. Privilege levels and privilege-level transfers in operating system development, linux privileges

Source: Internet
Author: User


CPL: the privilege level of the currently executing program or task. It is stored in bits 0 and 1 of CS and SS.

DPL: the privilege level of a segment or gate. For a data segment, DPL specifies the least privileged level that is still allowed to access the segment.

RPL: the requested privilege level, held in bits 0 and 1 of a selector. The processor checks both RPL and CPL to decide whether an access request is valid. RPL ensures that the operating system does not access a segment on behalf of a program that could not access it itself.

We first demonstrate a version that performs an invalid privilege-level access.

First, modify the DPL of the segment descriptor corresponding to LABEL_DESC_DATA to 1:

LABEL_DESC_DATA:   Descriptor    0,      DataLen-1, DA_DRW+DA_DPL1    ; Data

Change the RPL of the selector to 3:

SelectorData    equ    LABEL_DESC_DATA - LABEL_GDT + SA_RPL3

The running result is as follows:

The virtual machine crashes. For a data-segment access the check is max(CPL, RPL) <= DPL, so both RPL and CPL must be numerically no greater than DPL; here RPL = 3 and DPL = 1, and the access fails.
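As an added illustration (not code from the page or from the book it follows), the C program below mirrors the byte layout produced by the Descriptor macro, reads back DPL from the access byte and RPL from the selector, and applies the data-segment check that crashed the virtual machine. It also performs the run-time base patch that the descriptor initialization code further down does with `mov word [... + 2], ax` and the two byte stores. The pm.inc attribute values (DA_DRW = 92h, DA_DPL1 = 20h, SA_RPL3 = 3), the GDT index of the data descriptor and the DataLen value are assumptions, since the page shows only the names.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Attribute values as conventionally defined in pm.inc; assumed here, the page
   shows the names but not the numbers. */
#define DA_DRW   0x92u   /* present, data segment, read/write          */
#define DA_DPL1  0x20u   /* DPL = 1: bits 5..6 of the access byte      */
#define SA_RPL3  0x03u   /* RPL = 3: bits 0..1 of a selector           */

/* Mirror of the NASM `Descriptor Base, Limit, Attr` macro: the 8-byte GDT
   entry, little-endian, with base and limit split across the entry. */
void encode_descriptor(uint32_t base, uint32_t limit, uint16_t attr, uint8_t d[8])
{
    uint16_t w;
    w = (uint16_t)(limit & 0xFFFF); d[0] = (uint8_t)w; d[1] = (uint8_t)(w >> 8); /* limit 15..0 */
    w = (uint16_t)(base & 0xFFFF);  d[2] = (uint8_t)w; d[3] = (uint8_t)(w >> 8); /* base 15..0  */
    d[4] = (uint8_t)((base >> 16) & 0xFF);                                       /* base 23..16 */
    w = (uint16_t)(((limit >> 8) & 0x0F00) | (attr & 0xF0FF));
    d[5] = (uint8_t)w;                 /* access byte: P, DPL, S, type  */
    d[6] = (uint8_t)(w >> 8);          /* flags (G, D/B) | limit 19..16 */
    d[7] = (uint8_t)((base >> 24) & 0xFF);                                       /* base 31..24 */
}

/* The run-time base patch the page performs on LABEL_DESC_CODE_DEST:
   word at +2, byte at +4, byte at +7. */
void patch_descriptor_base(uint8_t d[8], uint32_t base)
{
    d[2] = (uint8_t)base;         d[3] = (uint8_t)(base >> 8);
    d[4] = (uint8_t)(base >> 16);
    d[7] = (uint8_t)(base >> 24);
}

uint32_t descriptor_base(const uint8_t d[8])
{
    return (uint32_t)d[2] | ((uint32_t)d[3] << 8) | ((uint32_t)d[4] << 16) | ((uint32_t)d[7] << 24);
}

unsigned descriptor_dpl(const uint8_t d[8]) { return (d[5] >> 5) & 3u; }
unsigned selector_rpl(uint16_t sel)         { return sel & 3u; }

/* Check the CPU applies when a data-segment selector is loaded into a segment
   register: max(CPL, RPL) must be numerically <= DPL, otherwise #GP. */
bool data_segment_load_ok(unsigned cpl, unsigned rpl, unsigned dpl)
{
    unsigned effective = cpl > rpl ? cpl : rpl;
    return effective <= dpl;
}

/* Replays the page's experiment: data descriptor with DPL1, selector with RPL3,
   program running at CPL0. Returns true if the load would fault. */
bool page_experiment_faults(void)
{
    uint8_t d[8];
    encode_descriptor(0, 0x3FF, DA_DRW | DA_DPL1, d);          /* DataLen-1 assumed 0x3FF */
    uint16_t selector_data = (uint16_t)((1u << 3) | SA_RPL3);  /* GDT index 1 assumed    */
    return !data_segment_load_ok(0, selector_rpl(selector_data), descriptor_dpl(d));
}

/* Self-check: encode, read back, then patch a new base the way the page does. */
bool encode_roundtrip_ok(uint32_t base, uint32_t limit, uint16_t attr, unsigned expect_dpl)
{
    uint8_t d[8];
    encode_descriptor(base, limit, attr, d);
    if (descriptor_base(d) != base || descriptor_dpl(d) != expect_dpl) return false;
    patch_descriptor_base(d, base ^ 0xA5A5A5A5u);
    return descriptor_base(d) == (base ^ 0xA5A5A5A5u);
}

int main(void)
{
    printf("RPL3 / DPL1 / CPL0 faults: %s\n", page_experiment_faults() ? "yes" : "no");
    printf("RPL0 / DPL1 / CPL0 faults: %s\n", data_segment_load_ok(0, 0, 1) ? "no" : "yes");
    printf("roundtrip ok: %s\n", encode_roundtrip_ok(0x12345678u, 0xFFFFFu, DA_DRW | DA_DPL1, 1u) ? "yes" : "no");
    return 0;
}
```

Dropping SA_RPL3 from the selector (RPL 0) makes the same load succeed, which is the fix the page implies: with CPL 0 and RPL 0, max(CPL, RPL) = 0 <= 1.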

The following shows how to transfer from a low privilege level to a high one:

Inter-segment transfers with jmp and call are very limited. For a non-conforming code segment, jmp and call can only transfer to a code segment of the same privilege level. For a conforming code segment, the transfer may at most go from a lower to a higher privilege level, and CPL does not change. To transfer freely between privilege levels we obviously need other mechanisms, namely gate descriptors or the TSS. The format of the call gate descriptor is as follows:

A gate describes a linear address given by a selector and an offset; the program transfers control to that address through the gate.

The following is the target segment for the transfer through the call gate:

[SECTION .sdest]    ; call gate target segment
[BITS 32]
LABEL_SEG_CODE_DEST:
    ;jmp    $
    mov     ax, SelectorVideo
    mov     gs, ax                  ; video segment selector (destination)

    mov     edi, (80 * 12 + 0) * 2  ; screen row 12, column 0
    mov     ah, 0Ch                 ; 0000: black background  1100: red text
    mov     al, 'C'
    mov     [gs:edi], ax

    retf

SegCodeDestLen  equ  $ - LABEL_SEG_CODE_DEST
; END of [SECTION .sdest]

Below are the code segment descriptor, its selector, and the code that initializes the descriptor:

LABEL_DESC_CODE_DEST:  Descriptor 0, SegCodeDestLen - 1, DA_C + DA_32   ; non-conforming code segment, 32-bit

SelectorCodeDest  equ  LABEL_DESC_CODE_DEST - LABEL_GDT

    ; initialize the code segment descriptor (fill in the segment base)
    xor     eax, eax
    mov     ax, cs
    shl     eax, 4
    add     eax, LABEL_SEG_CODE_DEST
    mov     word [LABEL_DESC_CODE_DEST + 2], ax     ; base 15..0
    shr     eax, 16
    mov     byte [LABEL_DESC_CODE_DEST + 4], al     ; base 23..16
    mov     byte [LABEL_DESC_CODE_DEST + 7], ah     ; base 31..24

Now add the call gate:

LABEL_CALL_GATE_TEST: Gate SelectorCodeDest,   0,     0, DA_386CGate+DA_DPL0

The Gate macro is defined in pm.inc.

The descriptor attribute DA_386CGate marks it as a call gate. The selector SelectorCodeDest makes the newly added code segment the target, and an offset of 0 means control lands at the beginning of that segment. In addition, we set the DPL to 0.

The call gate is now ready. It points to SelectorCodeDest:0, that is, the code at LABEL_SEG_CODE_DEST.

Suppose we want to transfer from code A to code B through a call gate G, that is, the target selector in gate G points to the segment holding code B. Write the DPL of code B as DPL_B. With a call instruction, DPL_B <= CPL is required; with a jmp instruction, only DPL_B = CPL is allowed.
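To make these rules concrete, here is an added C model (not from the page or the book) of the checks the processor performs on a far jmp or call, both directly to a code segment and through a call gate G whose target is code segment B. Each function returns the CPL the program runs at after the transfer, or -1 when the check fails and a general-protection fault is raised. Besides the call/jmp rule stated above it also applies the gate's own DPL check (max(CPL, RPL) <= DPL of G) and the conforming-segment rule from earlier on the page, and its main replays the page's scenarios: the gate first at DPL 0, then at DPL 3.

```c
#include <stdbool.h>
#include <stdio.h>

typedef enum { XFER_JMP, XFER_CALL } xfer_kind;

/* Far jmp/call straight to a code-segment selector, without a gate.
   cpl: current level, rpl: RPL of the target selector, dpl_b: DPL of the
   target segment. Returns the new CPL or -1 on #GP. */
int direct_transfer(xfer_kind k, unsigned cpl, unsigned rpl, unsigned dpl_b, bool conforming)
{
    (void)k;                            /* jmp and call follow the same rule here */
    if (conforming)                     /* may enter more privileged code; CPL is kept */
        return dpl_b <= cpl ? (int)cpl : -1;
    /* non-conforming: same level only, and RPL must not outrank CPL */
    return (dpl_b == cpl && rpl <= cpl) ? (int)cpl : -1;
}

/* Transfer through call gate G (DPL dpl_g, reached with a selector of RPL
   rpl_g) to target segment B (DPL dpl_b). Returns the new CPL or -1 on #GP. */
int gate_transfer(xfer_kind k, unsigned cpl, unsigned rpl_g, unsigned dpl_g,
                  unsigned dpl_b, bool conforming_b)
{
    /* The gate itself is reached like any descriptor: max(CPL, RPL) <= DPL_G. */
    unsigned eff = cpl > rpl_g ? cpl : rpl_g;
    if (eff > dpl_g) return -1;
    if (conforming_b)                   /* conforming target: CPL unchanged */
        return dpl_b <= cpl ? (int)cpl : -1;
    if (k == XFER_CALL)                 /* call may raise privilege: DPL_B <= CPL */
        return dpl_b <= cpl ? (int)dpl_b : -1;
    return dpl_b == cpl ? (int)cpl : -1; /* jmp: only DPL_B == CPL */
}

int main(void)
{
    /* Scenarios from the page: G has DPL 0 first, then DPL 3; B is the
       non-conforming segment at LABEL_SEG_CODE_DEST with DPL 0. */
    printf("ring0 call via gate(DPL0)      -> CPL %d\n", gate_transfer(XFER_CALL, 0, 0, 0, 0, false));
    printf("ring3 call via gate(DPL0)      -> %d (faults)\n", gate_transfer(XFER_CALL, 3, 3, 0, 0, false));
    printf("ring3 call via gate(DPL3)      -> CPL %d\n", gate_transfer(XFER_CALL, 3, 3, 3, 0, false));
    printf("ring3 jmp  via gate(DPL3)      -> %d (faults)\n", gate_transfer(XFER_JMP, 3, 3, 3, 0, false));
    printf("ring3 direct jmp to DPL0 code  -> %d (faults)\n", direct_transfer(XFER_JMP, 3, 3, 0, false));
    return 0;
}
```

The third scenario is the one that prints the red 'C' later on the page: ring-3 code enters ring-0 code through a gate whose DPL is 3, and because the new CPL is 0 the processor also has to switch stacks, which is why a TSS is needed for that step.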

Now add a low-privilege (ring 3) code segment and its stack:

LABEL_DESC_CODE_RING3:  Descriptor 0, SegCodeRing3Len - 1, DA_C + DA_32 + DA_DPL3
LABEL_DESC_STACK3:      Descriptor 0, TopOfStack3, DA_DRWA + DA_32 + DA_DPL3

; stack segment ring3
[SECTION .s3]
ALIGN 32
[BITS 32]
LABEL_STACK3:
    times 512 db 0
TopOfStack3  equ  $ - LABEL_STACK3 - 1
; END of [SECTION .s3]

; CodeRing3
[SECTION .ring3]
ALIGN 32
[BITS 32]
LABEL_CODE_RING3:
    mov     ax, SelectorVideo
    mov     gs, ax

    mov     edi, (80 * 14 + 0) * 2  ; screen row 14, column 0
    mov     ah, 0Ch                 ; black background, red text
    mov     al, '3'
    mov     [gs:edi], ax
    jmp     $
SegCodeRing3Len  equ  $ - LABEL_CODE_RING3
; END of [SECTION .ring3]

The running result is as follows:

A red '3' is printed, showing that the transfer from ring 0 to ring 3 succeeded. Next we test the call gate.

Change the DPL of the call gate descriptor and the RPL of its selector to privilege level 3. Because this transfer now goes from a low privilege level to a high one, the processor needs a TSS to fetch the ring-0 stack from, so we prepare one:

LABEL_DESC_TSS:  Descriptor 0, TSSLen - 1, DA_386TSS   ; TSS

; TSS
[SECTION .tss]
ALIGN 32
[BITS 32]
LABEL_TSS:
    DD  0                   ; back link
    DD  TopOfStack          ; level 0 stack
    DD  SelectorStack       ;
    DD  0                   ; level 1 stack
    DD  0                   ;
    DD  0                   ; level 2 stack
    DD  0                   ;
    DD  0                   ; CR3
    DD  0                   ; EIP
    DD  0                   ; EFLAGS
    DD  0                   ; EAX
    DD  0                   ; ECX
    DD  0                   ; EDX
    DD  0                   ; EBX
    DD  0                   ; ESP
    DD  0                   ; EBP
    DD  0                   ; ESI
    DD  0                   ; EDI
    DD  0                   ; ES
    DD  0                   ; CS
    DD  0                   ; SS
    DD  0                   ; DS
    DD  0                   ; FS
    DD  0                   ; GS
    DD  0                   ; LDT
    DW  0                   ; debug trap flag
    DW  $ - LABEL_TSS + 2   ; I/O bitmap base address
    DB  0ffh                ; I/O bitmap end mark
TSSLen  equ  $ - LABEL_TSS

It must be loaded into the task register before the privilege-level change:

    mov     ax, SelectorTSS
    ltr     ax
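The TSS table above only matters for two things in this experiment: its byte layout must be exactly what the processor expects, and the level-0 entry must hold the stack to switch to. The added C program below (not from the page or the book) declares the same table as a packed struct, verifies the offsets at compile time, fills in the ring-0 stack and I/O bitmap base the way the page does, and shows which SS:ESP pair the processor pulls out when a call gate raises the privilege level. SelectorStack and TopOfStack are replaced by constructed sample values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit TSS with the same field order and widths as the page's DD/DW/DB
   table; the byte offsets in the comments are what the processor expects. */
typedef struct __attribute__((packed)) {
    uint32_t prev_task;              /*   0: back link                     */
    uint32_t esp0, ss0;              /*   4,  8: level-0 stack             */
    uint32_t esp1, ss1;              /*  12, 16: level-1 stack             */
    uint32_t esp2, ss2;              /*  20, 24: level-2 stack             */
    uint32_t cr3, eip, eflags;       /*  28, 32, 36                        */
    uint32_t eax, ecx, edx, ebx;     /*  40 .. 52                          */
    uint32_t esp, ebp, esi, edi;     /*  56 .. 68                          */
    uint32_t es, cs, ss, ds, fs, gs; /*  72 .. 92: one DD each, as on page */
    uint32_t ldt;                    /*  96                                */
    uint16_t debug_trap;             /* 100: T flag                        */
    uint16_t iomap_base;             /* 102: offset of I/O permission map  */
    uint8_t  iomap_end;              /* 104: the 0FFh end mark             */
} tss32_t;

_Static_assert(offsetof(tss32_t, esp0) == 4, "ESP0 must sit at byte 4");
_Static_assert(offsetof(tss32_t, iomap_base) == 102, "I/O map base must sit at byte 102");
_Static_assert(sizeof(tss32_t) == 105, "104-byte TSS plus the 0FFh end mark");

/* Constructed sample values standing in for SelectorStack and TopOfStack. */
#define DEMO_SELECTOR_STACK 0x18u
#define DEMO_TOP_OF_STACK   0x1FFu

typedef struct { bool found; uint32_t ss, esp; } stack_ptr_t;

/* Fill the TSS exactly as far as the page does: ring-0 stack and I/O map only. */
void tss_init(tss32_t *t, uint32_t selector_stack, uint32_t top_of_stack)
{
    memset(t, 0, sizeof *t);
    t->ss0  = selector_stack;
    t->esp0 = top_of_stack;
    t->iomap_base = (uint16_t)offsetof(tss32_t, iomap_end);  /* DW $ - LABEL_TSS + 2 */
    t->iomap_end  = 0xFF;
}

/* The stack the processor loads on a call-gate transfer into a more privileged
   level: the SS:ESP pair for that level. Level 3 has no entry, since no gate
   transfer ever switches *into* ring 3. */
stack_ptr_t tss_inner_stack(const tss32_t *t, unsigned target_dpl)
{
    stack_ptr_t r = { false, 0, 0 };
    switch (target_dpl) {
    case 0: r.found = true; r.ss = t->ss0; r.esp = t->esp0; break;
    case 1: r.found = true; r.ss = t->ss1; r.esp = t->esp1; break;
    case 2: r.found = true; r.ss = t->ss2; r.esp = t->esp2; break;
    default: break;
    }
    return r;
}

/* Run-time check of the remaining offsets the processor relies on. */
bool tss_layout_ok(void)
{
    return offsetof(tss32_t, ss0) == 8 && offsetof(tss32_t, cr3) == 28 &&
           offsetof(tss32_t, eflags) == 36 && offsetof(tss32_t, ldt) == 96 &&
           offsetof(tss32_t, debug_trap) == 100;
}

/* Builds the page's TSS from the demo values and looks up one level. */
stack_ptr_t demo_lookup(unsigned target_dpl)
{
    tss32_t t;
    tss_init(&t, DEMO_SELECTOR_STACK, DEMO_TOP_OF_STACK);
    return tss_inner_stack(&t, target_dpl);
}

unsigned demo_iomap_base(void)
{
    tss32_t t;
    tss_init(&t, DEMO_SELECTOR_STACK, DEMO_TOP_OF_STACK);
    return t.iomap_base;
}

int main(void)
{
    stack_ptr_t s = demo_lookup(0);
    printf("ring3 -> ring0 through the gate switches to SS=%#x ESP=%#x\n", s.ss, s.esp);
    printf("I/O bitmap base = %u (TSS body is 104 bytes)\n", demo_iomap_base());
    return tss_layout_ok() ? 0 : 1;
}
```

If the TSS is not loaded with ltr, or ESP0/SS0 are left at zero, the ring-3 call through the gate has no valid ring-0 stack to switch to and the transfer faults instead of printing the 'C'.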

The running result is as follows:

A red 'C' is printed, showing that the transfer from the low privilege level to the high privilege level succeeded.
