Linux Kernel Series-5. Privileged level of operating system development CPL, DPL, RPL

Source: Internet
Author: User

CPL: the privilege level of the currently executing program or task, stored in bits 0 and 1 of CS and SS.

DPL: the privilege level of a segment or gate. For a data segment it is the least privileged level (numerically highest) that is still allowed to access the segment.

RPL: the requested privilege level, held in bits 0 and 1 of a segment selector. The processor decides whether an access is legitimate by checking both RPL and CPL. RPL ensures that the operating system does not access a segment on behalf of a program that would not be allowed to access it itself.

Let's start with the version that triggers a privilege-level access error.

First, the segment descriptor LABEL_DESC_DATA is changed to DPL 1:

LABEL_DESC_DATA:   Descriptor    0,      DataLen - 1, DA_DRW + DA_DPL1    ; Data

Then change the RPL of the selector to 3:

SelectorData    equ LABEL_DESC_DATA - LABEL_GDT + SA_RPL3

The result of running it is as follows:

The virtual machine crashes, because a data segment may only be accessed when both RPL and CPL are <= DPL (that is, max(CPL, RPL) <= DPL). Here RPL is 3 and DPL is 1, so the processor raises a general protection fault.
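The check the processor performs here, and the one it performs when calling through the call gate used later in the post, written out in C as an added example (not code from the post). The selector bit layout and the max(CPL, RPL) <= DPL rule are the documented x86 rules; the selector values in main are constructed for illustration.

```c
/* Added example, not code from the post: the x86 privilege check that the
 * post's crash illustrates, written out in C. Selector bit layout and the
 * max(CPL, RPL) <= DPL rule are the documented Intel rules; selector values
 * below are constructed for illustration. */
#include <stdbool.h>
#include <stdio.h>

/* Numerically larger privilege level = less privileged (ring 3 < ring 0). */
static unsigned effective_privilege(unsigned cpl, unsigned rpl)
{
    return cpl > rpl ? cpl : rpl;
}

/* Loading a data-segment selector into DS/ES/FS/GS succeeds only if
 * max(CPL, RPL) <= DPL of the target descriptor; otherwise the CPU raises
 * #GP, which is what crashes the post's VM (CPL 0, RPL 3, DPL 1). */
bool data_segment_load_ok(unsigned cpl, unsigned selector, unsigned dpl)
{
    unsigned rpl = selector & 3;            /* RPL lives in selector bits 0-1 */
    return effective_privilege(cpl, rpl) <= dpl;
}

/* CALL through a call gate: the gate is checked like a data segment
 * (max(CPL, RPL) <= gate DPL), and the target code segment must be at
 * least as privileged as the caller (target DPL <= CPL). The post's first
 * gate (DPL 0) is therefore callable from ring 0 only; the later DPL 3 gate
 * is callable from ring 3 and lands in the DPL 0 target segment. */
bool call_gate_ok(unsigned cpl, unsigned gate_selector, unsigned gate_dpl,
                  unsigned target_dpl)
{
    unsigned rpl = gate_selector & 3;
    if (effective_privilege(cpl, rpl) > gate_dpl)
        return false;                       /* #GP: gate not reachable */
    return target_dpl <= cpl;               /* no downward transfer via gate */
}

int main(void)
{
    /* Constructed selectors: GDT index 2 and 5 with the RPL bits set. */
    printf("DPL1 data segment, SA_RPL3 selector, CPL0: %s\n",
           data_segment_load_ok(0, (2 << 3) | 3, 1) ? "ok" : "#GP");
    printf("ring3 -> DPL0 gate: %s\n",
           call_gate_ok(3, (5 << 3) | 3, 0, 0) ? "ok" : "#GP");
    printf("ring3 -> DPL3 gate -> DPL0 code: %s\n",
           call_gate_ok(3, (5 << 3) | 3, 3, 0) ? "ok" : "#GP");
    return 0;
}
```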

Next, a demonstration of how to go from a low privilege level to a high one:

Transfers between code segments made with jmp and call are very limited. For nonconforming code segments, control can only be transferred between code segments of the same privilege level. A conforming code segment can at most be entered from a lower privilege level, and CPL does not change. To move freely between privilege levels, the remaining options are a gate descriptor or a TSS. The call gate descriptor format is as follows:

A gate describes a linear address given by a selector and an offset, and control is transferred to that address.

The following is the target segment reached through the call gate:

[SECTION .sdest]    ; call gate target segment
[BITS 32]
LABEL_SEG_CODE_DEST:
    ;jmp $
    mov ax, SelectorVideo
    mov gs, ax                      ; video segment selector (destination)

    mov edi, (80 * 12 + 0) * 2      ; screen row 12, column 0
    mov ah, 0Ch                     ; 0000: black background  1100: red text
    mov al, 'C'
    mov [gs:edi], ax

    retf

SegCodeDestLen  equ $ - LABEL_SEG_CODE_DEST
; END of [SECTION .sdest]

Here are the code segment descriptor, its selector, and the code that initializes the descriptor:

LABEL_DESC_CODE_DEST: Descriptor 0, SegCodeDestLen - 1, DA_C + DA_32   ; nonconforming code segment, 32-bit

SelectorCodeDest    equ LABEL_DESC_CODE_DEST - LABEL_GDT

; initialize the code segment descriptor used to test the call gate
    xor eax, eax
    mov ax, cs
    shl eax, 4
    add eax, LABEL_SEG_CODE_DEST
    mov word [LABEL_DESC_CODE_DEST + 2], ax
    shr eax, 16
    mov byte [LABEL_DESC_CODE_DEST + 4], al
    mov byte [LABEL_DESC_CODE_DEST + 7], ah
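The descriptor layout behind that patch sequence, as an added C example (not the post's code): the 32-bit base is split across bytes 2-3, 4 and 7 of the 8-byte descriptor, which is why the post writes ax, al and ah to those three offsets. The attribute constants reuse the post's pm.inc names, but their numeric values are the standard x86 access and flag bits and are assumed here.

```c
/* Added example, not the post's code: the 8-byte GDT descriptor layout and
 * the post's runtime base patch. Attribute names follow the post's pm.inc;
 * the values are the standard x86 bits and are assumed, not copied. */
#include <stdint.h>

#define DA_C    0x98    /* present, DPL 0, code segment, execute-only */
#define DA_32   0x4000  /* D bit: 32-bit default operand size */
#define DA_DPL3 0x60    /* DPL field = 3 (bits 5-6 of the access byte) */

/* Build a descriptor the way a "Descriptor base, limit, attr" macro does. */
void descriptor_init(uint8_t d[8], uint32_t base, uint32_t limit, uint16_t attr)
{
    d[0] = limit & 0xFF;          d[1] = (limit >> 8) & 0xFF;  /* limit 0-15  */
    d[2] = base & 0xFF;           d[3] = (base >> 8) & 0xFF;   /* base 0-15   */
    d[4] = (base >> 16) & 0xFF;                                /* base 16-23  */
    d[5] = attr & 0xFF;                                        /* access byte */
    d[6] = ((limit >> 16) & 0x0F) | ((attr >> 8) & 0xF0);      /* limit 16-19 + flags */
    d[7] = (base >> 24) & 0xFF;                                /* base 24-31  */
}

/* The post's patch: physical address = (cs << 4) + label, written to
 * descriptor offsets +2 (word), +4 and +7 (bytes), exactly as the asm does. */
void descriptor_patch_base(uint8_t d[8], uint16_t cs, uint32_t label_offset)
{
    uint32_t eax = ((uint32_t)cs << 4) + label_offset;   /* shl eax,4 ; add */
    d[2] = eax & 0xFF;  d[3] = (eax >> 8) & 0xFF;        /* mov word [d+2], ax */
    eax >>= 16;                                           /* shr eax, 16 */
    d[4] = eax & 0xFF;                                    /* mov byte [d+4], al */
    d[7] = (eax >> 8) & 0xFF;                             /* mov byte [d+7], ah */
}

/* Read the fields back, as the CPU would when the selector is loaded. */
uint32_t descriptor_base(const uint8_t d[8])
{
    return d[2] | (d[3] << 8) | (d[4] << 16) | ((uint32_t)d[7] << 24);
}

unsigned descriptor_dpl(const uint8_t d[8])
{
    return (d[5] >> 5) & 3;
}
```

Building a DPL 3 code descriptor with base 0 and then patching in a real-mode address shows that the patch touches only the base bytes and leaves the DPL and limit untouched.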

Now add the call gate:

LABEL_CALL_GATE_TEST:   Gate SelectorCodeDest,   0,     0, DA_386CGate + DA_DPL0

The Gate macro is defined in pm.inc.

The descriptor attribute DA_386CGate marks it as a call gate. The selector given inside it is SelectorCodeDest, so the target is the newly added code segment. The offset is 0, so the transfer lands at the beginning of the target code segment. We also set its DPL to 0.

The call gate is now ready; it points to SelectorCodeDest:0, which is the code at the label LABEL_SEG_CODE_DEST.

Now add a low-privilege (ring 3) code segment and its stack:

LABEL_DESC_CODE_RING3: Descriptor 0, SegCodeRing3Len - 1, DA_C + DA_32 + DA_DPL3
LABEL_DESC_STACK3:     Descriptor 0,      TopOfStack3, DA_DRWA + DA_32 + DA_DPL3   ; stack segment, ring 3

[SECTION .s3]
ALIGN 32
[BITS 32]
LABEL_STACK3:
    times 512 db 0                  ; the count was lost in the extracted text; 512 is an assumed value
TopOfStack3 equ $ - LABEL_STACK3 - 1
; END of [SECTION .s3]

; CodeRing3
[SECTION .ring3]
ALIGN 32
[BITS 32]
LABEL_CODE_RING3:
    mov ax, SelectorVideo
    mov gs, ax

    mov edi, (80 * 14 + 0) * 2      ; the row number was lost in the extracted text; row 14 is an assumed value
    mov ah, 0Ch
    mov al, '3'
    mov [gs:edi], ax

    jmp $
SegCodeRing3Len equ $ - LABEL_CODE_RING3
; END of [SECTION .ring3]

Running it gives the following:

A red 3 is printed, indicating that our transfer from ring 0 to ring 3 succeeded. Next, test the use of the call gate.

Change the call gate descriptor and its selector to privilege level 3. A TSS is also needed: the processor takes the ring-0 stack from it when transferring from a low privilege level to a high one.

LABEL_DESC_TSS:        Descriptor 0,          TSSLen - 1, DA_386TSS   ; TSS

[SECTION .tss]
ALIGN 32
[BITS 32]
LABEL_TSS:
    DD  0                   ; Back
    DD  TopOfStack          ; level 0 stack
    DD  SelectorStack       ;
    DD  0                   ; level 1 stack
    DD  0                   ;
    DD  0                   ; level 2 stack
    DD  0                   ;
    DD  0                   ; CR3
    DD  0                   ; EIP
    DD  0                   ; EFLAGS
    DD  0                   ; EAX
    DD  0                   ; ECX
    DD  0                   ; EDX
    DD  0                   ; EBX
    DD  0                   ; ESP
    DD  0                   ; EBP
    DD  0                   ; ESI
    DD  0                   ; EDI
    DD  0                   ; ES
    DD  0                   ; CS
    DD  0                   ; SS
    DD  0                   ; DS
    DD  0                   ; FS
    DD  0                   ; GS
    DD  0                   ; LDT
    DW  0                   ; debug trap flag
    DW  $ - LABEL_TSS + 2   ; I/O bitmap base
    DB  0FFh                ; I/O bitmap end flag
TSSLen      equ $ - LABEL_TSS
; END of [SECTION .tss]

It must be loaded into the task register before the privilege-level transfer:

    mov ax, SelectorTSS
    ltr ax

The result of running it is as follows:

The letter C appears, indicating a transfer from a low privilege level to a high one.
