Segment descriptors constructs the most basic and fundamental execution environment under the protection mode. The system descriptors builds the core components in protected mode:
1, TSS Descriptor provides a hardware-level process switching mechanism 2, the LDT descriptor for the process to use multiple descriptor 3, Gate descriptor to provide processor permission level switching mechanism.
Process switching mechanism provided by 5.7.1 and TSS
TSS is a memory area that stores process-related execution environment information. The initialized TSS is provided by the user, and the saved information is executed by processor when the process is switched.
5.7.1.1, three elements constitute a TSS environment:
1. TSS Descriptor: This descriptor belongs to the system descriptor type, and its S (System) bit is 0.
The following is a list of the type values for TSS descriptors:
0001:16-bit TSS 0
011:busy 16-bit TSS
1 001:32-bit TSS
1011:busy 32-bit TSS
---------------------------------------------------
The above is the type of TSS descriptor under x86, and the 32-bit TSS descriptor, which is divided into 16 and 32-bit tss,x64, will become 64-bit TSS descriptor.
Scenario Tip:
The busy state of TSS is primarily used to support nesting of tasks. The TSS descriptor is busy when it is not allowed to execute. It also prevents the recurrence of the TSS process switching mechanism.
2. TSS selector and TR (Task register) registers
The structure of the TR register is identical to the segment registers, that is, the selector part that is visible by the software and the hidden part of the processor visible (the information part) constitute. The meaning of selector in Tr.selector and Cs.selector is exactly the same. The load of its descriptor is the same.
That is: the TSS descriptor will be loaded into the hidden portion of the TR Tr.selector after the index finds the TSS descriptor in the Gdt/ldt. Of course, before loading to the TR register, the check passes before it can be loaded into the TR register. If loading NON-TSS descriptor into TR, it will produce #GP exception.
3. TSS block (Task Status Segment)
Like code segment or data segments, the final TSS segment is determined by the TSS descriptor. TSS descriptor points to the base, limit, and DPL information of the TSS segment. T
The SS segment Stores EFlags registers, GPRs registers, and associated permission levels for stack pointer (ss & SP), CR3, and so on.
Establishment of the mechanism of 5.7.1.2 and TSS
For a multitasking OS, the TSS segment is essential and the system requires at least one TSS segment, but now the OS system does not use the TSS mechanism to switch tasks.
Scenario Tip: The only reason for the existence of TSS is that you need to provide a 0 to 2 permission level stack pointer, and the corresponding stack pointer provided by TSS must be used when a stack switch occurs. However: if you provide an empty TSS segment, or you might consider implementing a stack switchover in a way that directly passes the stack pointer, it is essential to design processor to read the TSS segment. |
The following instructions are used to establish the initial TSS segment:
LTR word ptr [tss_selector]/* provides TSS Selector in [tss_selector] */
Or:
LTR AX/* provides TSS selector */in AX Register */
The ltr instruction uses the provided selector to be loaded into the TR register after the Gdt/ldt index is found in the TSS descriptor. The initial TSS descriptor must be set to the available state, otherwise it cannot be loaded into the TR. Processor The TSS descriptor to busy state after loading the TSS descriptor.
process of 5.7.1.3 and TSS process switching
When the current process is switching to another process, there are 2 types of selector available: using TSS selector and Task Gate selector (Task Gate character).
Such as:
Call 0x2b:0x00000000/* Assume 0x2b is a TSS selector */
call 0x3b:0x00000000 /* Assume that the hardware-level process switching mechanism provided by 0X3B for Task-gate selector */
TSS is complex, and most OS does not allow The TSS mechanism is because the performance of the implementation is too poor. The process of TSS process switching for the above two instructions is as follows:
1, using TSS selector
Call 0x2b:0x00000000 /* 0x2b for TSS selector */
There are some differences between using the JMP directive and the call command here, C All allows for nesting of TSS process transitions, and jmp does not allow nesting.
(1) processor uses TSS selector (0X2B) to find the 5th descriptor
(2) in the GDT index to check if the processor type found is a TSS descriptor, If not, #GP exception will be generated. Whether it is available TSS, if the target TSS descriptor is busy, it will also produce #GP abnormalities.
(3) processor for another check: permission checks, CPL <= DPL and selector. RPL <= DPL is passed, otherwise #GP exception is generated.
(4) The execution environment of the current process is stored in the TSS segment of the current process.
Scenario Tip: In this step, the TSS selector switch has not occurred at this time, processor the current process environment information is stored in the current TSS segment. |
(5) Here a TSS selector switch occurs. The new TSS selector is loaded into the tr.selector, while the new TSS descriptor is also loaded into the hidden part of the TR storage.
Scenario Tip: (1) Here, processor also keeps the old TSS selector in the link domain of the current TSS segment (newly loaded TSS). The link in this TSS segment is actually the old TSS selector domain, used to get the original TSS selector when the process returns. Thus, the nesting mechanism of the task is realized. (2) Processor The NT (Nest Task) flag position of the current EFlags register is 1, indicating that the current process is nested inside. |
(6) Processor the execution environment of the new process from the current TSS segment, including: Each selector registers (segment registers), GPRs, Stack pointer (ss & SP), CR3 Registers, and EFlags registers. In this step, before loading selectors into segment registers, you must also pass the relevant selector & Descriptor routine checks and permission checks. It is not really loaded until it is passed. Otherwise #GP exception is generated.
Scenario Tip: processor also does another job: descriptor the TSS of the new process to the busy state. So that the new process cannot be re-entered. |
(7) Processor continues from the current Cs:rip to complete the transition of the TSS process. This cs:rip is the cs:rip of the newly loaded new process
---------------------------------------------------------------------------------------
As can be seen from the above process, the use of TSS process switching mechanism is extremely complex, resulting in process switching performance is too poor. It's much slower than using call gate and trap Gate. If there is a change in permissions, a stack switchover will also occur.
The return of the process is equally complex. It also takes so many steps to summarize that the main time consumption occurs in the information preservation aspect of the old and new processes.
2. Using Task Gate selector
Alternatively, using task Gate selector for TSS process switching, using task Gate selector, in addition to being call/jmp, can be used in the interrupt mechanism, in the following two cases:
Call 0x3b:0x00000000/* 0x3b for Task Gate selector */
Or:
int 0x3e/* Assume 0x3e is a vector of task gate */
These two situations are similar, except for some subtle differences, but the triggering mechanism is different.
Processor found in the GDT index is a task gate descriptor, the task Gate descriptor which indicates the target of the TSS selector. Processor The TSS selector from Task Gate descriptor, the remaining work is consistent with the process of switching using TSS selector.
Processor access to Task Gate descriptor requires only a permission check on the task Gate descriptor: CPL <= DPL and RPL <= DPL. There is no need to examine the DPL permissions for TSS descriptor here. |
Gate descriptor mechanism provides an indirect layer of access that is primarily used to control the switching of permissions.
As a matter of fact:
For call 0x2b:0x00000000, processor does not know whether the selector is a TSS selector or a task gate selector, and after finding descriptor, processor view This descriptor type can be determined by the TSS selector or task Gate selector.
Finally note: (1) using the JMP instruction to transfer, processor will not be eflags in the NT flag Location 1 (2) using the outage mechanism of the TSS process switch, processor will not be the task of the permission check action. |
return of the 5.7.1.4 and TSS processes
The process of switching from the TSS mechanism uses the iret instruction to return to the original process after execution, and the update action of the new and old TSS segment will also occur.
when a process returns by using RET, the processor will not return to the nested outer process from the nested inner layer, that is, the original process will not be returned. Processor the processing of the RET instruction will only take the return address from stack pointer (SS:ESP).
When using the Iret interrupt return instruction for the use process:
(1) Processor will check the current eflags. The NT flag bit is 1, which is to check whether the current process is in the nested inner layer.
(2) EFlags. NT = 1,processor will remove the TSS selector from the original process from the link (Old TSS selector) field in the current TSS segment.
(3) processor will not make any permission checks, the TSS selector is loaded into TR.SELECTOR,TSS descriptor while being loaded into the hidden part of the TR.
(4) Processor will clear the current eflags. NT is 0. If you return using the RET command, processor will not clear eflags. NT is 0
(5) Load a new process execution environment from the TSS segment and continue the execution from the CS:EIP. Reset the original TSS descriptor to the available state so that it can be entered again.
-----------------------------------------------------------------------------
from the available, processor encounter RET instruction, is not to eflags. NT for check-in. Instead of using the IRET Directive, processor will be on eflags. NT for inspection.
[Reproduced]x86 's TSS task switching mechanism