Privileges for Ring 3
I was wondering how I could restrict ring 3 access to things such as cli, out, in, etc., as any of these could slow the system or crash the hardware. Do I have to use a TSS, as my multitasking is software based?
Pete
- Pype.Clicker
- Member
- Posts: 5964
- Joined: Wed Oct 18, 2006 2:31 am
- Location: In a galaxy, far, far away
Re: Privileges for Ring 3
According to the Intel manuals, I think that you cannot do a CLI/STI in DPL3 without triggering a GPF. IN/OUT instructions will also be restricted (the CPU will first test the IOPL in flags and then look up a 'go' bit in the IOMAP of the TSS (if any)).
There is, however, an extension that allows you to fake interrupt clearing/setting through VIF: when a DPL3 program does "CLI", the VIF bit is cleared, and when an interrupt is received, the system may decide to check the VIF bit and set VIP (Virtual Interrupt Pending).
If the usermode code now does an STI while VIP is set, something will happen (I guess it'll be a GPF again -- check the manuals to be sure).
I don't have my SPG digest here ... so everything comes directly from /dev/brain
Re: Privileges for Ring 3
Correct, ring 3 automatically cannot do certain opcodes. There was a list in the docs or on a web site I was reading recently. I think it was vol. 3 of the Intel docs, but I could be mistaken.
ring0 can do anything ;D muhahahaha
Re: Privileges for Ring 3
The restricted instructions are the following according to Intel. But CLI/STI aren't there.
- LGDT: Load GDT register.
- LLDT: Load LDT register.
- LTR: Load task register.
- LIDT: Load IDT register.
- MOV (control registers): Load and store control registers.
- LMSW: Load machine status word.
- CLTS: Clear task-switched flag in register CR0.
- MOV (debug registers): Load and store debug registers.
- INVD: Invalidate cache, without writeback.
- WBINVD: Invalidate cache, with writeback.
- INVLPG: Invalidate TLB entry.
- HLT: Halt processor.
- RDMSR: Read Model-Specific Registers.
- WRMSR: Write Model-Specific Registers.
- RDPMC: Read Performance-Monitoring Counter.
- RDTSC: Read Time-Stamp Counter.
Sorry, my assembly's poor.
pete
Re: Privileges for Ring 3
I've found the IOPL flag in the EFLAGS register. It says that this can only be modified by popf and iret. Does this mean that I have to fiddle with the stack? Would the following work?
Code:
pushf                        ; push EFLAGS onto the stack
mov eax, [esp]               ; read the pushed EFLAGS value into eax
and eax, 00111111111111b     ; clear bits 12-13 (IOPL); this mask also clears bits 14 and up
                             ; (original comment: "Or what ever its bits 12+13")
mov [esp], eax               ; write the modified value back to the stack slot
popf                         ; pop it into EFLAGS
pete
- Pype.Clicker
Re: Privileges for Ring 3
Actually, only the DPL0 code will be allowed to change the IOPL ... and usually it will do so only once, at thread startup.
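The checks this thread keeps coming back to (CLI/STI faulting when CPL > IOPL, the IOPL-then-IOMAP lookup for IN/OUT, and POPF only being able to change IOPL at ring 0) can be modelled outside a kernel. The following is an added example written for this thread, not code from any of the posters or from the Intel manuals; the function names, the COM1-only bitmap scenario and the sample EFLAGS values are constructed assumptions for illustration. It also shows why a mask like 00111111111111b is wider than it needs to be: it clears IOPL, but takes NT, AC, ID and the other upper flags with it.

```c
/* Added example: a hosted-C model of the protected-mode IOPL / CPL checks.
   Not kernel code; the scenario values below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define EFLAGS_IF   (1u << 9)
#define EFLAGS_IOPL (3u << 12)   /* bits 12-13 */
#define EFLAGS_RF   (1u << 16)

/* Bits POPFD may change at CPL 0 in protected mode: CF PF AF ZF SF TF IF DF OF
   IOPL NT AC ID.  VM/VIF/VIP and reserved bits never change; RF is cleared. */
#define EFLAGS_POPF_WRITABLE 0x00247FD5u

static unsigned eflags_iopl(uint32_t eflags) { return (eflags >> 12) & 3u; }

/* The kernel-side way to set IOPL in a new thread's frame: touch only bits 12-13. */
uint32_t eflags_set_iopl(uint32_t eflags, unsigned iopl) {
    return (eflags & ~EFLAGS_IOPL) | ((iopl & 3u) << 12);
}

/* The mask from the thread (00111111111111b == 0x0FFF): clears IOPL, but also
   every flag above bit 11 (NT, AC, VIF, VIP, ID ...). */
uint32_t eflags_clear_iopl_naive(uint32_t eflags) { return eflags & 0x0FFFu; }

/* CLI/STI are IOPL-sensitive: #GP when CPL > IOPL (VME/PVI not modelled). */
int cli_sti_permitted(unsigned cpl, uint32_t eflags) {
    return cpl <= eflags_iopl(eflags);
}

/* IN/OUT: allowed outright when CPL <= IOPL.  Otherwise every port byte of the
   access must lie inside the TSS I/O permission bitmap and have its bit clear;
   bytes past the end of the bitmap are treated as all ones (deny). */
int io_access_permitted(unsigned cpl, uint32_t eflags, const uint8_t *iopb,
                        size_t iopb_len, uint16_t port, unsigned width) {
    if (cpl <= eflags_iopl(eflags)) return 1;
    for (unsigned i = 0; i < width; i++) {
        uint32_t p = (uint32_t)port + i;
        if (p / 8 >= iopb_len) return 0;
        if (iopb[p / 8] & (1u << (p % 8))) return 0;
    }
    return 1;
}

/* Deny-all bitmap (the byte after the map must stay 0xFF, per the SDM). */
void iopb_deny_all(uint8_t *iopb, size_t len) { memset(iopb, 0xFF, len); }

/* Open a contiguous port range by clearing its bits. */
void iopb_allow(uint8_t *iopb, size_t len, uint16_t first, uint16_t last) {
    for (uint32_t p = first; p <= last && p / 8 < len; p++)
        iopb[p / 8] &= (uint8_t)~(1u << (p % 8));
}

/* What POPFD actually stores, given the current EFLAGS and the CPL:
   IOPL changes only at CPL 0, IF only when CPL <= IOPL, RF is always cleared. */
uint32_t popfd_apply(uint32_t cur, uint32_t pushed, unsigned cpl) {
    uint32_t writable = EFLAGS_POPF_WRITABLE;
    if (cpl > 0) writable &= ~EFLAGS_IOPL;
    if (cpl > eflags_iopl(cur)) writable &= ~EFLAGS_IF;
    return ((pushed & writable) | (cur & ~writable)) & ~EFLAGS_RF;
}

/* Constructed scenario: a user thread at IOPL 0 whose TSS bitmap opens only
   COM1 (0x3F8-0x3FF); returns 1 if the access would be allowed, 0 for #GP. */
int com1_only_check(unsigned cpl, uint16_t port, unsigned width) {
    uint8_t iopb[0x81];                       /* ports 0..0x3FF + 0xFF terminator */
    iopb_deny_all(iopb, sizeof iopb);
    iopb_allow(iopb, sizeof iopb - 1, 0x3F8, 0x3FF);
    uint32_t user_flags = eflags_set_iopl(0x00200202u, 0);   /* IF, ID set; IOPL 0 */
    return io_access_permitted(cpl, user_flags, iopb, sizeof iopb, port, width);
}

int main(void) {
    uint32_t user_flags = eflags_set_iopl(0x00200202u, 0);
    printf("ring 3 cli/sti: %s\n", cli_sti_permitted(3, user_flags) ? "ok" : "#GP");
    printf("ring 3 in 0x3F8: %s\n", com1_only_check(3, 0x3F8, 1) ? "ok" : "#GP");
    printf("ring 3 out 0x80: %s\n", com1_only_check(3, 0x80, 1) ? "ok" : "#GP");
    printf("ring 3 popfd trying IOPL=3: EFLAGS stays %#x\n",
           popfd_apply(user_flags, user_flags | EFLAGS_IOPL, 3));
    printf("naive mask on %#x gives %#x (ID flag gone)\n",
           0x00203246u, eflags_clear_iopl_naive(0x00203246u));
    return 0;
}
```

The popfd_apply function is the point of the reply above: ring 3 code that pushes an EFLAGS with IOPL=3 and pops it back does not fault, the IOPL bits are simply left unchanged, so the only place to set IOPL is the ring 0 frame the kernel builds when it starts the thread.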
Re: Privileges for Ring 3
Yeah, I understand EFLAGS can't be modified by Ring 3 in any way. I was more concerned about my assembly code. Would it have worked? And also, how can I restrict cli/sti usage?
Pete
- Pype.Clicker
Re: Privileges for Ring 3
Well,
Code:
pushf                 ; push EFLAGS
pop eax               ; pop it into eax
and eax,IOPL_MASK     ; clear the IOPL bits (12-13); IOPL_MASK is an assembler constant
or eax,IOPL_VALUE     ; set the wanted IOPL; IOPL_VALUE is an assembler constant (iopl << 12)
push eax
popf                  ; write it back to EFLAGS
should be fine, no?
As a generic rule, I discourage the [esp] addressing because you may have surprises with the content of [esp] as your code is fixed/updated, etc.
Re: Privileges for Ring 3
If I may connotate this some more, there's a small thing wrong:
eax is a 32-bit register; flags are generally 16-bit. Not sure whether it makes any difference in bytecode terms, but this is at least logically the same size.
Code:
pushf -> pushfd
pop eax
and eax,IOPL_MASK
or eax,IOPL_VALUE
push eax
popf -> popfd
- Pype.Clicker
Re: Privileges for Ring 3
Oops ... did I say "pushf"?...
Well, pushfd is more likely to work on any Intel-like assembler.
Btw, "bytecode" is for virtual machines. For real machines, one usually refers to "opcode" :p