Ring 0 Vs Ring 3

Post by Unlink »

Hi again,
I hope I am not causing any trouble here ;-)

1- I want to know which instructions are allowed in ring 0 but not allowed in ring 3?

2- I also want to know which memory area is allowed for ring 0 and not ring 3, knowing that the memory model is pure segmentation with base 0 and limit 4 GB.

3- For the ports, which ports are allowed for ring 0 but not for ring 3? I know that this is controlled by IOBITMP in the TSS, but do Linux & BSD prevent all I/O for ring 3 processes? If they do, how do I disable all I/O for ring 3, as I like to trace how things are made up in Linux ;-)

Thanks

Post by Brendan »

Hi,
Unlink wrote: I hope I am not causing any trouble here ;-)
I hope I'm not causing trouble here too :).

My comments below ignore virtual 8086 mode completely (in virtual 8086 mode there are different privileged instructions and some I/O port handling changes).

Unlink wrote: 1- I want to know which instructions are allowed in ring 0 but not allowed in ring 3?
Intel's system programmers manual, section 4.9 "Privileged Instructions" has a list:
  • LGDT
  • LLDT
  • LTR
  • LIDT
  • MOV (to and from control registers only)
  • MOV (to and from debug registers only)
  • LMSW
  • CLTS
  • INVD
  • WBINVD
  • INVLPG
  • HLT
  • RDMSR
  • WRMSR
  • RDPMC
  • RDTSC
Also, some instructions (like CLI and STI) are controlled by IOPL, just like instructions that access I/O ports (see below).

Unlink wrote: 2- I also want to know which memory area is allowed for ring 0 and not ring 3, knowing that the memory model is pure segmentation with base 0 and limit 4 GB.
Protection of memory areas is controlled by segmentation and paging, and nothing else.

Unlink wrote: 3- For the ports, which ports are allowed for ring 0 but not for ring 3? I know that this is controlled by IOBITMP in the TSS, but do Linux & BSD prevent all I/O for ring 3 processes? If they do, how do I disable all I/O for ring 3, as I like to trace how things are made up in Linux ;-)
Ring 0 can always access all I/O ports. Ring 3 may be able to access all of them or none of them, depending on how the OS sets IOPL (the "I/O Privilege Level" bits in EFLAGS). If IOPL is set to zero, ring 3 code may be granted access to individual I/O ports if the OS uses the IOBMP in the TSS.

I don't know what BSD and Linux do though...


Cheers,

Brendan
For all things; perfection is, and will always remain, impossible to achieve in practice. However; by striving for perfection we create things that are as perfect as practically possible. Let the pursuit of perfection be our guide.

Post by kataklinger »

Unlink wrote: 2- I also want to know which memory area is allowed for ring 0 and not ring 3, knowing that the memory model is pure segmentation with base 0 and limit 4 GB.
If RING3 descriptors have base 0 and a limit of 4 GB, then you don't have memory protection at all. But you can still protect execution of privileged instructions and I/O access. User programs can access all memory including kernel memory, and this is a problem. Paging can solve this, because you can tell which page can be accessed from which ring (0-supervisor, 3-user).

Post by Unlink »

ya thanks,
but how do I disable cli & sti, they still run even in ring 3?

Post by Pype.Clicker »

you normally don't want user tasks to disable interrupts ... that'd mean, for instance, that a given program could completely hang up the system by issuing

Code:

cli
hlt

Now, there is a "virtual interrupt flag" thingy that you might want to investigate that lets user code (and especially VM86) "believe" that interrupts are disabled and later receive deferred interrupts when STI is raised again. That will allow the kernel to make the VM86 code (I mean, the real-mode BIOS code, not the VirtualMonitor) block IRQs that should have been delegated to VM86 while still having IRQ0 feeding the scheduler, etc.

Post by kataklinger »

RING3 tasks can execute the CLI & STI instructions only if IOPL=3 in EFLAGS. If you set IOPL to 0, CLI & STI can be executed only from RING0.
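
The IOPL rules described in Brendan's and kataklinger's replies above can be modelled as two checks. This is an added example, not code from any poster in the thread; the function names, the sample bitmap and the EFLAGS values are constructed for illustration, and the model ignores VM86 and the virtual interrupt flag.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* IOPL is bits 12-13 of EFLAGS. */
static unsigned eflags_iopl(uint32_t eflags) { return (eflags >> 12) & 3u; }

/* CLI/STI in protected mode (ignoring VM86 and the virtual interrupt flag):
   allowed only when CPL <= IOPL, otherwise the CPU raises #GP. */
int cli_sti_allowed(unsigned cpl, uint32_t eflags)
{
    return cpl <= eflags_iopl(eflags);
}

/* IN/OUT: allowed when CPL <= IOPL. Otherwise every port touched by the
   access needs a clear bit in the TSS I/O bitmap; ports past the end of
   the bitmap are denied. width is 1, 2 or 4 bytes. */
int port_access_allowed(unsigned cpl, uint32_t eflags, const uint8_t *iobmp,
                        size_t iobmp_bytes, uint16_t port, unsigned width)
{
    if (cpl <= eflags_iopl(eflags))
        return 1;
    for (unsigned i = 0; i < width; i++) {
        uint32_t p = (uint32_t)port + i;
        if (p / 8 >= iobmp_bytes || (iobmp[p / 8] & (1u << (p % 8))))
            return 0;
    }
    return 1;
}

/* Constructed sample bitmap for ports 0x00-0x7F: all denied except 0x60
   (byte 12, bit 0 cleared). */
const uint8_t sample_iobmp[16] = {
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
    0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF
};

int main(void)
{
    uint32_t iopl0 = 0x00000202, iopl3 = 0x00003202; /* constructed EFLAGS */
    printf("ring3 cli, IOPL=3: %d\n", cli_sti_allowed(3, iopl3));
    printf("ring3 cli, IOPL=0: %d\n", cli_sti_allowed(3, iopl0));
    printf("ring3 in 0x60, IOPL=0: %d\n",
           port_access_allowed(3, iopl0, sample_iobmp, 16, 0x60, 1));
    printf("ring3 in 0x64, IOPL=0: %d\n",
           port_access_allowed(3, iopl0, sample_iobmp, 16, 0x64, 1));
    return 0;
}
```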

Post by Unlink »

kataklinger wrote: RING3 tasks can execute the CLI & STI instructions only if IOPL=3 in EFLAGS. If you set IOPL to 0, CLI & STI can be executed only from RING0.
kataklinger u r amazing, that was really my problem, really thanks ;-)
but here is another one:
I use pure paging and the 4 GB address is available for both ring0 & ring3.
but when I call my printf() from ring3, I get a stack fault with error 0x23.
the printf() takes unlimited parameters and I don't think the error is caused by it, since it works for ring0 & I've tested it on a Linux executable.
so can u figure out where my error is?
thanks a lot

Post by Unlink »

SORRY, I don't mean pure paging, I meant PURE SEGMENTATION.

Post by kataklinger »

If the error code is not equal to zero it contains the value of the selector in SS during the exception and it means that the segment is not present, so check the present flag in the descriptor for your stack segment.

Does that happen only if you call printf(), or does it happen if you call any function?

P.S. You shouldn't use the same code for kernel mode printf and user mode printf or any other code. If you want to call some kernel function from user mode you should do that through software interrupts or call gates (or fast system calls).

Post by Unlink »

I only tested it with my printf() & puts(), I don't know whether it works for other functions. I thought it may be a kind of protection since printf & puts actually write to memory-mapped I/O at 0xb8000.

yes, I've used the same printf() for both kernel & user without interrupts or call gates, since I defined a ring3 cs, ds with base 0 & limit 4 GB!!! but I don't know if that's right or not?

thanks for your help :-)

Post by Unlink »

I forgot to say that when I try to use this test code rather than the printf():

Code:

char *v=(char *)0xb8000;
*v++='T';
*v=0x7;

it still generates a stack fault with error 0x23
and here is my gdt:

Code:

gdt:
   null_desc   dd   0h
               dd   0h
   flat_code   dw   0ffffh
               dw   0h
               db   0h
               db   10011010b
               db   11001111b
               db   0h
   flat_data   dw   0ffffh
               dw   0h
               db   0h
               db   10010010b ; 92h
               db   11001111b ; cfh
               db   0h
   user_code   dw   0ffffh
               dw   0h
               db   0h
               db   11111010b
               db   11001111b
               db   0h
   user_data   dw   0ffffh
               dw   0h
               db   0h
               db   11110110b ; f2h
               db   11001111b ; cfh
               db   0h
   task_state  dd   0h
               dd   0h

and I don't know whether I should set the X bit for code segments or not?

Post by Pype.Clicker »

if you're in Bochs, I suggest you set a breakpoint and use dump-cpu to see the actual limit for the stack segment.

hint: your 0x20 descriptor seems to be expand-down. Is that on purpose?

Post by kataklinger »

11110110b != 0f2h ;D
11110110b == 0f6h ;)
So you need 11110010b.

A few pairs of eyes are better than one :)

Try this:

Code:

user_data   dw   0ffffh
            dw   0h
            db   0h
            db   11110010b ; f2h  <------
            db   11001111b ; cfh
            db   0h
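
Decoding the access byte shows what Pype.Clicker's hint and kataklinger's correction above refer to: with the expand-down bit set and a 4 GB limit, the segment has no valid offsets at all. This is an added example, not code from any poster in the thread; `decode_desc` and `struct seg_info` are hypothetical names, and the descriptor bytes are transcribed from the `user_data` entries posted above.

```c
#include <stdint.h>
#include <stdio.h>

struct seg_info {
    unsigned present, dpl, code, expand_down, writable;
    uint32_t base;
    uint64_t lo, hi;   /* valid offset range; empty when lo > hi */
};

/* Decode an 8-byte descriptor in the byte order used by the thread's gdt:
   limit 15:0, base 15:0, base 23:16, access, flags|limit 19:16, base 31:24. */
struct seg_info decode_desc(const uint8_t d[8])
{
    struct seg_info s;
    uint8_t access = d[5], flags = d[6];
    uint32_t limit = d[0] | ((uint32_t)d[1] << 8) | ((uint32_t)(flags & 0x0F) << 16);
    if (flags & 0x80)                       /* G=1: limit counts 4 KiB pages */
        limit = (limit << 12) | 0xFFF;
    s.base = d[2] | ((uint32_t)d[3] << 8) | ((uint32_t)d[4] << 16) | ((uint32_t)d[7] << 24);
    s.present = (access >> 7) & 1;
    s.dpl = (access >> 5) & 3;
    s.code = (access >> 3) & 1;             /* type bit 3: executable */
    s.expand_down = !s.code && ((access >> 2) & 1);
    s.writable = !s.code && ((access >> 1) & 1);
    if (s.expand_down) {                    /* valid offsets lie ABOVE the limit */
        s.lo = (uint64_t)limit + 1;
        s.hi = (flags & 0x40) ? 0xFFFFFFFFu : 0xFFFFu;
    } else {
        s.lo = 0;
        s.hi = limit;
    }
    return s;
}

/* user_data as posted in the thread (access 11110110b) and as corrected
   (access 11110010b). */
const uint8_t user_data_posted[8] = {0xFF, 0xFF, 0, 0, 0, 0xF6, 0xCF, 0};
const uint8_t user_data_fixed[8]  = {0xFF, 0xFF, 0, 0, 0, 0xF2, 0xCF, 0};

int main(void)
{
    const uint8_t *t[2] = {user_data_posted, user_data_fixed};
    for (int i = 0; i < 2; i++) {
        struct seg_info s = decode_desc(t[i]);
        printf("DPL=%u expand_down=%u usable=%s\n", s.dpl, s.expand_down,
               s.lo <= s.hi ? "yes" : "no (empty range)");
    }
    return 0;
}
```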

Post by Unlink »

yup
so my data was really stack :)
I've also noticed it, after I pasted the code here.
but why shouldn't I set the x bit in the CS?

Post by kataklinger »

What is the X bit?