Auf Deutsch
What is protected mode?
The 8088 CPU used in the original IBM PC was not
very scalable. In particular, there was no easy way to access more than
1 megabyte of physical memory. To get around this while allowing backward
compatability, Intel designed the 80286 CPU with two modes of operation:
real mode, in which the '286 acts like a fast 8088, and protected
mode (now called 16-bit protected mode). Protected mode allows programs
to access more than 1 megabyte of physical memory, and protects against
misuse of memory (i.e. programs can't execute a data segment, or write into
a code segment). An improved version, 32-bit protected mode, first appeared
on the '386 CPU.
How do real mode and protected mode differ?
Table 1: differences between real- and protected modes
|
| Real Mode
| 16-bit Protected Mode
| 32-bit Protected Mode
|
| Segment base address
| 20-bit (1M byte range)
= 16 * segment register
| 24-bit (16M byte range),
from descriptor
| 32-bit (4G byte range),
from descriptor
|
| Segment size (limit)
| 16-bit, 64K bytes (fixed)
| 16-bit, 1-64K bytes
| 20-bit, 1-1M bytes or 4K-4G bytes
|
| Segment protection
| no
| yes
| yes
|
| Segment register
| segment base address / 16
| selector |
selector
|
I thought protected mode didn't use segmented memory...
The segments are still there, but in 32-bit protected mode, you can set the
segment limit to 4G bytes. This is the maximum amount of physical memory
addressable by a CPU with a 32-bit address bus. Limit-wise, the segment then
'disappears' (though other protection mechanisms remain in effect).
This reason alone makes 32-bit protected mode popular.
What's a descriptor?
In real mode, there is little to know about the segments. Each is 64K bytes
in size, and you can do with the segment what you wish: store data in it,
put your stack there, or execute code stored in the segment. The base address
of the segment is simply 16 times the value in one of the segment registers.
In protected mode, besides the segment base address, we also need the segment
size (limit) and some flags indicating what the segment is used for. This
information goes into an 8-byte data structure called a descriptor:
Table 2: code/data segment descriptor
| Lowest byte
| Byte 1
| Byte 2
| Byte 3
| Byte 4
| Byte 5
| Byte 6
| Highest byte
|
| Limit 7:0
| Limit 15:8
| Base 7:0
| Base 15:8
| Base 23:16
| Access
| Flags, Limit 19:16
| Base 31:24
|
This is a 32-bit ('386) descriptor. For 16-bit ('286) descriptors, the top
two bytes (Limit 19:16, Flags, and Base 31:24) are zero. The Access byte
indicates segment usage (data segment, stack segment, code segment, etc.):
Table 3: access byte of code/data segment descriptor
| Highest bit
| Bits 6, 5
| Bit 4
| Bits 3
| Bit 2
| Bit 1
| Lowest bit
|
| Present
| Privilege
| 1
| Executable
| Expansion direction/conforming
| Writable/readable
| Accessed
|
- Present bit. Must be set to one to permit segment access.
- Privilege. Zero is the highest level of privilege (Ring 0),
three is the lowest (Ring 3).
- Executable bit. If one, this is a code segment, otherwise it's a
stack/data segment.
- Expansion direction (stack/data segment). If one, segment grows
downward, and offsets within the segment must be greater than
the limit.
- Conforming (code segment). Privilege-related.
- Writable (stack/data segment). If one, segment can be written to.
- Readable (code segment). If one, segment can be read from.
(Code segments are not writable.)
- Accessed. This bit is set whenever the segment is read from
or written to.
The 4-bit Flags value is non-zero only for 32-bit segments:
Table 4: flags nybble
| Highest bit
| Bit 6
| Bit 5
| Bit 4
|
| Granularity
| Default Size
| 0
| 0
|
The Granularity bit indicates if the segment limit is in units of 4K byte
pages (G=1) or if the limit is in units of bytes (G=0).
For stack segments, the Default Size bit is also known as the B (Big) bit,
and controls whether 16- or 32-bit values are pushed and popped. For code
segments, the D bit indicates whether instructions will operate on 16-bit
(D=0) or 32-bit (D=1) quantities by default. To expand upon this: when the
D bit is set, the segment is USE32, named after the assembler
directive of the same name. The following sequence of hex bytes:
B8 90 90 90 90
will be treated by the CPU as a 32-bit instruction, and will disassemble as
mov eax, 90909090h
In a 16-bit (USE16) code segment, the same sequence of bytes would
be equivalent to
mov ax,9090h
nop
nop
Two special opcode bytes called the Operand Size Prefix and the
Address Length Prefix reverse the sense of the D bit for the
instruction destination and source, respectively. These prefixes affect
only the instruction that immediately follows them.
Bit 4 of the Access byte is set to one for code or data/stack segments. If
this bit is zero, you have a system segment. These come in several
varieties:
- Task State Segment (TSS). These are used to 'simplify'
multitasking. The '386 or higher CPU has four sub-types of TSS.
- Local Descriptor Table (LDT). Tasks can store their own
private descriptors here, instead of in the GDT.
- Gates. These control CPU transitions from one level of
privilege to another. Gate descriptors have a different format than
other descriptors:
Table 5: gate descriptor
| Lowest byte
| Byte 1
| Byte 2
| Byte 3
| Byte 4
| Byte 5
| Byte 6
| Highest byte
|
| Offset 7:0
| Offset 15:8
| Selector 7:0
| Selector 15:8
| Word Count 4:0
| Access
| Offset 23:16
| Offset 31:24
|
Note the Selector field. Gates work through indirection, and require a
separate code or TSS descriptor to function.
Table 6: access byte of system segment descriptor.
| Highest bit
| Bits 6, 5
| Bit 4
| Bits 3, 2, 1, 0
|
| Present
| Privilege
| 0
| Type
|
Table 7: System segment types
| Type | Segment function | | Type | Segment function
|
| 0 | (invalid) | | 8 | (invalid)
|
| 1 | Available '286 TSS | | 9 | Available '386 TSS
|
| 2 | LDT | | 10 | (undefined, reserved)
|
| 3 | Busy '286 TSS | | 11 | Busy '386 TSS
|
| 4 | '286 Call Gate | | 12 | '386 Call Gate
|
| 5 | Task Gate | | 13 | (undefined, reserved)
|
| 6 | '286 Interrupt Gate | | 14 | '386 Interrupt Gate
|
| 7 | '286 Trap Gate | | 15 | '386 Trap Gate
|
Whew! For now, just remember that TSSes, LDTs, and gates are the three main
types of system segment.
Where are the descriptors?
They are stored in a table in memory: the Global Descriptor Table
(GDT), Interrupt Descriptor Table (IDT), or one of the
Local Descriptor Tables (LDTs). The CPU contains three registers: GDTR,
which must point to the GDT, IDTR, which must point to the IDT (if
interrupts are used), and LDTR, which must point to the LDT (if an LDT is
used). Each of these tables can hold up to 8192 descriptors.
What's a selector?
In protected mode, the segment registers contain selectors, which
index into one of the descriptor tables. Only the top 13 bits of the
selector are used for this index. The next lower bit choses between the GDT
and LDT. The lowest two bits of the selector set a privilege value.
How do I enter protected mode?
Entering protected mode is actually rather simple, and is is described in
many other tutorials. You must:
- Create a valid Global Descriptor Table (GDT), and create the 6-byte
'pseudo descriptor' pointing to the GDT
- Disable interrupts
- LGDT. The operand of this instruction points to the GDT
pseudo-descriptor, which in turn points to the GDT
- Set the PE bit in the MSW register
- Load all data segment registers with valid selectors
- Do a far jump (load both CS and IP/EIP) to load CS and enter pmode
How do I get back to Real Mode?
- Disable interrupts
- Do a far jump to a code segment with limit 64K (FFFFh)
- Load SS with a selector pointing to a descriptor that is 'appropriate
for real mode':
Limit = 64K (FFFFh) Byte-granular (G=0)
Expand-up (E=0) Writable (W=1)
Present (P=1) Base address = any value
The bit values correspond to an Access byte with the binary value = 1xx1001x
- Clear the PE bit in register CR0
- Jump to a 16:16 real-mode far address
- Load all data segment registers with real-mode values
- If you used interrupts in protected mode, use LIDT to load an IDT that
is 'appropriate for real mode', with base address = 0 and limit = 3FFh.
On 386+ CPUs, use the 32-bit operand size override prefix so all 32 bits
of the IDT base are set (otherwise, only the bottom 24 bits will be set).
; this code in NASM syntax
o32 lidt [real_idt]
...
real_idt:
dw 1023
dd 0
- Zero the high 16 bits of 32-bit registers. If the register value is not
important, just zero the entire 32-bit register, otherwise use 'movzx':
xor eax,eax
...
movzx ebp,bp
movzx esp,sp
- Enable interrupts
What pitfalls have you encountered?
- You must pay extreme attention to detail here. One wrong bit will make
things fail. Protected mode errors often triple-fault the CPU, making it
reset itself. Be prepared to see this happen again and again.
- Most library routines probably won't work. printf(), for example,
won't work because it evenutally calls either a DOS or BIOS service to put
text on the screen. Unless you have a DOS extender, these services
are unavailable in protected mode. I had good luck using sprintf()
to put formatted text in a buffer, which I then wrote to the screen with my
own protected-mode routine.
- Before clearing the PE bit, the segment registers must point to
descriptors that are appropriate to real mode. This means a limit of
exactly 0xFFFF (see other restrictions above). One of my demo programs had
ES pointing to a text-video segment. With a limit of 0xFFFF, things worked
well. With a limit of 3999 (80 * 25 * 2 - 1), the system froze up
after returning to real mode and trying to use the ES register.
Actually, for DS, ES, FS and GS, the segment limit must be 0xFFFF or
greater. If you give the segment a limit of 0xFFFFF and make it
page-granular, you can access up to 4G of memory from real mode --
this is unreal mode. However, limits other than 0xFFFF (or
page-granularity) for CS or SS cause big problems in real mode.
- You can not use the '286 LMSW instruction to clear the PE bit.
Use MOV CR0, nnn. (On the '286 CPU, the only way to return to real mode
is to reset the CPU!)
- Load all segment registers with valid selectors after entering
protected mode. I forgot to do this with ES. A protected-mode routine
pushed ES, loaded it with a valid selector, and used it. When it tried to
pop the old, invalid (real-mode) selector back into ES, it crashed.
- The IDTR must also be reset to a value that is appropriate to
real-mode before re-enabling interrupts (see above).
- Not all instructions are legal in real mode. If you attempt to use task
state segments for multitasking, note that executing the LTR instruction in
real-mode will cause an illegal instruction interrupt.
- Descriptor tables in ROM? Section 10.4.3 of 386INTEL.TXT states
The GDT (as well as LDTs) should reside in RAM,
because the processor modifies the accessed bit of descriptors.
However, one of my sources (thanks Vinay) states that later CPUs
will not attempt to set the Accessed bit in a descriptor if that
bit is already set. Check the docs for the CPU you are using.
- The naive code described here will crash if the PC is in Virtual 8086
(V86) mode. This is a fourth mode of operation found on the 386 CPU,
with addressing similar to real mode but some of the protection mechanisms
of protected mode. You may know that a Windows (or OS/2, or Linux) DOS box
runs in V86 mode, but you may not realize that memory managers such as
EMM386 also put the CPU in V86 mode.
If you want to start simple, try these tips:
- Don't worry about returning to real mode. Use the reset button :)
- Leave interrupts disabled.
- Don't use an LDT.
- Put only four descriptors in the GDT: null, code, stack/data, and
linear data (base address = 0).
- Set the segment bases to real-mode values i.e. 16 * real-mode segment
register value. This lets you address variables in the same way in both
real and protected modes.
- Set all segment limits to their maximum.
- Leave all privilege values set to 0 (Ring 0, highest privilege).
- Before each step of switching to pmode, poke a character into video
memory, to see (literally!) how far the code gets. Text-mode VGA memory
starts at address 0B8000h.