A Free Trial That Lets You Build Big!
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
3 Votes 706 Comments (1) • Share • Link 2012-01-13 0 no problem. – Tang Shiqiang 2012-01-13 3 answers Latest
3 Votes 6000
The best answer cpl is the privilege level of the current process, which is the privileged level of the segment of the currently executing code, which exists in the lower 2 bits of the CS and SS registers (No. 0, 1 bits). CPL represents the current privilege level of a program or task, it is not part of a segment, the current program or task can not be displayed at the same time 2 privilege levels, then CS and SS No. 0 and 1th should always be the same. Attempting to mount the SS-RPL to a data segment selection that is different from the CPL causes an exception. They are always the same. Cpl is CS and SS segment selector rpl,cpl stored in CS and SS register in the RPL field, each time a code snippet/stack segment (Special data segment) selected sub-loading CS/SS register, the processor automatically put the CPL into the RPL field of CS/SS. RPL describes the process request permission for segment access (requested Privilege level), for segment selectors, each segment selector has its own RPL, which describes the process's request permission for segment access, a bit like a function parameter. And RPL is not fixed for each segment, the RPL can be different when accessing the same paragraph 2 times. RPL may weaken the role of CPL, such as the current cpl=0 process to access a data segment, which sets the RPL in the segment selector to 3 so that it still has only privileged 3 access to that segment. The processor verifies that the request is legitimate by checking the RPL and Cpl. Even if the segment that made the request for access has sufficient privilege levels, it is not possible if the RPL is not enough. (CPL <= DPL) && (RPL <= DPL)
discuss the comparison of privilege levels: Cpl represents the current privilege level of the program or task, it does not belong to a segment, the current program or task cannot show 2 privilege levels at the same time, then CS and SS No. 0 and 1th bits should always be the same. Attempting to mount the SS-RPL to a data segment selection that is different from the CPL causes an exception. In addition, later in the discussion jumps can see, they are always the same. DPL represents the privilege level of a segment or gate, and when a program accesses segment A, the CPL and the DPL of segment A are compared to determine whether the program has access to segment a. RPL Indicates whether the selected child has permission to access the segment to which it points. The select child points to a segment descriptor, the segment descriptor points to a segment, and the privileged level of the segment is determined by the DPL in the segment descriptor. When the program needs to access segment A, it is necessary to first pass the segment descriptor of segment A of paragraph A, before accessing segment A, in which the CPU first compares the RPL in the segment a selector with the DPL in the segment a descriptor to determine if the selector has access to the segment it points to. Success is the comparison between Cpl and segment a DPL. The comparison rules between RPL and DPL are consistent with the rules of comparison between Cpl and DPL. For example, to explain the meaning of the preceding sentence: for example, the current program to access a data segment A, then the CPL can not be greater than the DPL of paragraph A, or failure (this is discussed later). This is the CPL and paragraph A of the comparison rules of DPL, then the same paragraph a rpl, DPL also follow such a rule, that is, paragraph a RPL can not be greater than paragraph a of DPL. RPL and Cpl are not compared. In any case, access between the same privileged level is always infallible, so comparisons between the same privilege levels are often ignored in subsequent discussions. In protected mode, the code snippet can hold data, but the data segment cannot hold the code (jumps are not over). So the code snippet can either get the data in the code snippet (the read Snippet property needs to be readable, even if the data in its own segment needs to be readable), you can get the data in the data segment (the data segment is always readable), and you can jump to other code snippets. In addition to the data segment is read, nothing can be done. Code snippets are divided into consistent and non-uniform pieces of code, which affect the privilege-level comparisons, and whether the consistency is determined by the 42nd bit of the segment descriptor. The data segment differs from the code, and it is always non-consistent. The code snippet only affects privileged-level comparisons when it is accessed as a party (or as a target code snippet), without distinction as an access party. The difference between a consistent code snippet is that, during a jump between segments, if the target snippet is a more privileged consistent snippet, then the jump succeeds and the CPL does not change (CS and SS are not changed), so the CPL is different from the target snippet's RPL (the CPL value is larger and the privilege level is lower) If the target snippet is a more privileged, non-uniform snippet, then the jump will fail, and a call gate is required. In addition, such asIf the target code snippet is a lower privileged code snippet (whether or not it is consistent), then the jump will always fail unless you use RETF to jump. If the current program accesses a data segment A, the CPL cannot be greater than the DPL of segment A, otherwise it fails. This means that the current program cannot access data segments with higher privileged levels. The CPL can be less than the DPL of segment A, which means that the current program can access data segments with lower privileged levels. This is consistent with the current program's access rules for call gates and TSS. The privilege level check is performed when the selector is loaded into the segment register. First of all, a relatively simple piece of data segment a select sub-load DS (similar to Mount Es,fs,gs, here is the example of DS): The DPL of segment a must be greater than RPL, but also must be greater than the CPL (7th), otherwise an exception, the RPL of segment A is not compared with Cpl. In addition, when the program jumps to the low privilege level, the DPL of the segment pointed to by the CPL and DS is checked, and if DPL is less than Cpl, then the DS is loaded with the selector of the null descriptor. Data segment A selects the case where the child is loaded into the SS (only the data segment selector can mount the SS, the snippet selector cannot be loaded into the SS, whether or not readable): the RPL and DPL of segment a must be equal to the CPL, or else fail. Let's see why this is the case. The CPU is guaranteed to be identical to the No. 0 and 1th bits (CPL) in CS and SS, so the RPL of segment a must be equal to Cpl. The CPU also ensures that the privilege level of the current program is consistent with the privilege level of the stack segment currently in use, so the DPL of segment A is equal to Cpl. Code snippet a selects sub-mount DS (similar to Mount Es,fs,gs, as explained in DS): If segment A is unreadable, the mount fails. If segment A is a non-uniform code segment that is readable, then the RPL of CPL, segment a must be equal to the DPL of segment A, or the mount will fail. If segment A is a coherent code segment that is readable, then the RPL of Cpl, segment a can be greater than the DPL of segment a, but not less than the DPL of segment A. While code snippet a uses paragraph beyond the prefix CS to read the data within its own segment, the CPU checks if the segment a is readable, and if it is unreadable, it will cause an exception if there is no selection of the child's loading process. Finally, the section jumps between sections of code. Inter-segment jumps can be used in jmp, call, RETF, and calling Gates. From the high privilege level to the low privilege level only with RETF, from the low privilege level to the highly privileged non-uniform code snippet, only with the call gate, but also with the call command to use the calling door, from the low privilege level to the high privilege level of the consistent code snippet JMP, call, the calling gate can be.
consistent code snippet is the segment that the kernel opens up for application access, but does not allow the user program to write data. CPL (current priviliege levels) : It represents the privilege level of the code snippet, represented by the No. 0 and 1th bits of CS and SS. The processor will change the CPL when the program transfers code to a different privilege level. Consistent code can be accessed by code of the same or lower privileged level (user program) when a consistent code snippet is encountered. The CPL is not changed when the processor accesses a consistent piece of code that differs from the CPL privilege level. DPL (descriptor Priviliege level) : Represents the privileged rank of a segment or gate. It is stored in the DPL field of the segment or door descriptor. When the current code snippet attempts to access a segment or a door, DPL will be compared to CPL and RPL, and DPL will be treated differently depending on the segment or gate type: Data segment: DPL provides a minimum level of privilege to access this segment. Non-Uniform code snippet (without the use of a call gate): DPL Specifies the privilege level to access this segment. Call Gate: Consistent with data segment. Consistent code snippets and non-uniform snippets accessed through the call Gate: DPL Specifies the highest level of privilege to access this segment. TSS: Consistent with data segments. RPL (requested Priviliege level) : RPL is represented by selecting the No. 0 and 1th bits of the child. The processor verifies that an access request is legitimate by checking the RPL and Cpl. Even if the requested segment has sufficient privilege levels, it is not possible if the RPL is not enough. That is, if the number of RPL is larger than CPL, then RPL will play a decisive role and vice versa. It seems that the following explanation is more intuitive: for a consistent code snippet: that is, the shared segment. <1>: High-privilege programs do not allow access to low-privileged data-the core State does not allow the invocation of user-state data. <2>: Privileged low-level programs can access high-privileged data. But the privilege level does not change, either the user state or the user state. For common code Snippets. That is, the non-Uniform code snippet: <0> only sibling access is allowed. <1> Absolutely prohibit different levels of access: Nuclear mentality is not user-state. The user state does not use the kernel mentality either.
Start building with 50+ products and up to 12 months usage for Elastic Compute Service