Chap17 Lect15 Segmentation PDF


Protected Mode Addressing

Systems Design & Programming

CMPE 310

Protected Mode Memory Addressing


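[Figure: protected mode address formation. DS holds the selector 0008 and EBX the offset 00000088. The selector picks a descriptor from the descriptor table; the descriptor's base, 0000FF00, is added to the offset to give address 0000FF88 inside the data segment. The memory system spans 00000000 to FFFFFFFF.]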

Segments are interpreted differently in Protected Mode vs. Real Mode:


- The segment register contains a selector that selects a descriptor from the descriptor table.
- The descriptor contains information about the segment, e.g., its base address, length and access rights.
- The offset can be 32 bits.

Segment Descriptors in Protected Mode


Descriptor layout (8 bytes, bits 63 to 0):

Bits 63-56   Base (B31-B24)
Bits 55-52   G, U, D, X bits
Bits 51-48   Limit (L19-L16)
Bits 47-40   Access Rights byte
Bits 39-16   Base (B23-B0)
Bits 15-0    Limit (L15-L0)

- Base address:
  Starting location of the memory segment.
- Limit:
  Length of the segment minus 1.
  20 bits allows segments up to 1 MB.
  This value is shifted by 12 bits to the left when the G (Granularity) bit is set to 1.



Segment Descriptors: Bits 52-55
- G bit:
  When G=0, segments can be 1 byte to 1MB in length.
  When G=1, segments can be 4KB to 4GB in length.
- U bit:
  User (OS) defined bit.
- D bit:
  Indicates how the instructions (80386 and up) access register and memory data in protected mode.
  - When D=0, instructions are 16-bit instructions, with 16-bit offsets and 16-bit registers. Stacks are assumed 16-bit wide and SP is used.
  - When D=1, 32 bits are assumed.
  Allows 8086-80286 programs to run.
- X bit:
  Reserved by Intel.


Segment Descriptors: Access Rights (Byte 5):

Fields of the byte, from the most significant bit: P, DPL, S, TYPE, A.

- P: P = 0, descriptor is undefined. P = 1, descriptor contains a valid base and limit.
- DPL: Sets the descriptor privilege level.
- S: S = 0, system descriptor. S = 1, code, data or stack.
- TYPE:
    000   Data, read-only
    001   Data, read/write
    010   Stack, read-only
    011   Stack, read/write
    100   Code, execute-only
    101   Code, execute/read
    110   Code, execute-only, conforming
    111   Code, execute/read, conforming
- A: A=0, segment not accessed. A=1, segment has been accessed.

The Access Rights (AR) byte controls access to a protected mode segment and how
the segment functions in the system.


The A (accessed) bit is set automatically by the microprocessor and is never cleared.
This allows OS code to track frequency of usage.

The P (present) bit should be interpreted as 'descriptor-is-valid'.
If this bit is 0, the microprocessor will refuse any attempts to use this descriptor in an instruction.
Although the AR must always be valid, when P=0, the rest of the descriptor can be used in any way the OS likes.

[Figure: descriptor with P=0. Bits 63-48: Available. Bits 47-40: Access Rights. Bits 39-0: Available.]

The S (system) bit indicates how the descriptor is to be interpreted.
S=0 indicates a system descriptor (more on this later).
S=1 indicates a code, data or stack descriptor.



Non-system (S=1) segments:
- Type=0: The data segment is basically a ROM.
- Type=1: Both read and write operations allowed.
Code can NOT be fetched and executed from either of these segment types.
- Type=2 or 3: A stack segment is defined analogously to Types 0 and 1.
  However, the interpretation of the limit field is different.
  In this case, all offsets must be greater than the limit.
  The upper limit is set to base address + FFFF (with D=0) or base address + FFFFFFFF (with D=1).
  This means the stack segment ends 1 byte below the base address.
  Expanding the stack segment simply involves decreasing the limit.



[Figure: stack segment within the 0 to 4GB address space, with labels Base, Base + limit (top), Base + FFFFFFFF (bottom), the stack segment area between them, and the growth direction.]

- Type=4: A code segment with no read permission.
  This means no constants are allowed, since they cannot be read out.
- Type=5: A code segment in which constants may be embedded.
In either case, no writing (self-modifying code) is permitted.
- Type=6 and 7: Analogous to Types 4 and 5 without privilege protection.
  We'll discuss the meaning of 'conforming' soon.

Segment Registers in Protected Mode


Interpretation:

Selector (16 bits, from bit 15 down): Descriptor Index | TI | RPL

- Descriptor Index: 13 bits. Selects one of the 8192 descriptors.
- TI: TI = 0, Global Descriptor Table. TI = 1, Local Descriptor Table.
- RPL: Requested privilege level. 00 is highest and 11 is lowest.

Descriptor Index and Table Index (TI):
The 13-bit descriptor index selects one of up to 8K descriptors in either the GDT or the LDT, as specified by the TI bit.
Therefore, these 14 bits allow access to 16K 8-byte descriptors.

RPL:
The desired privilege level of the program.
Access is granted if the RPL value is lower (higher in privilege) than the AR of the segment. Otherwise, a privilege violation is issued.

Segmentation Address Translation


[Figure: DS = 0008 selects descriptor 1 of the Global Descriptor Table, whose 8 bytes are 00 00 92 10 00 00 00 FF (92 is the access rights byte). The descriptor's base, 100000, marks the start of the data segment in the memory system (000000 to FFFFFF), and its limit places the end of the segment at 1000FF. ESI holds the offset 000000FF.]

Note: there is no meaning associated with the relative position of the segment descriptors in the table, unlike page tables, as we will see.

Note: Descriptor 0 is called the NULL descriptor and may not be used to access memory.

So instead of left shifting by 4 bits in Real Mode to form the segment address, we right shift
by 3 bits and use the value as a table index.
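
The translation above, worked in C as an added example (not from the original slides): it decodes the figure's descriptor, resolves selector 0008 with offset 000000FF, and applies the limit rule, including the inverted rule for stack segments. The G and D bit positions (55 and 54) follow the Intel descriptor format rather than the slides; `struct seg`, `translate`, the error codes and the second, constructed stack descriptor are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Unpacked fields of one 8-byte segment descriptor. */
struct seg { uint32_t base, limit; uint8_t ar; int d; };
enum { OK = 0, E_NULL = -1, E_TABLE = -2, E_ABSENT = -3, E_LIMIT = -4 };

static struct seg decode_descriptor(uint64_t raw) {
    struct seg s;
    s.base  = (uint32_t)((raw >> 16) & 0xFFFFFF)      /* B23-B0  */
            | (uint32_t)((raw >> 56) << 24);          /* B31-B24 */
    s.limit = (uint32_t)(raw & 0xFFFF)                /* L15-L0  */
            | ((uint32_t)((raw >> 48) & 0xF) << 16);  /* L19-L16 */
    s.ar    = (uint8_t)(raw >> 40);                   /* byte 5  */
    s.d     = (int)((raw >> 54) & 1);                 /* D bit   */
    if ((raw >> 55) & 1)                              /* G bit   */
        s.limit = (s.limit << 12) | 0xFFF;            /* 4 KB units */
    return s;
}

/* Selector + offset -> linear address through a GDT held in an array.
   Privilege (RPL/DPL) checks and the LDT (TI=1) are not modelled. */
static int translate(const uint64_t *gdt, unsigned n, uint16_t sel,
                     uint32_t off, uint32_t *linear) {
    unsigned index = sel >> 3;               /* bits 15-3; bits 1-0 are RPL */
    if (sel & 4) return E_TABLE;             /* TI=1 selects the LDT */
    if (index == 0) return E_NULL;           /* NULL descriptor */
    if (index >= n) return E_TABLE;          /* beyond the table */
    struct seg s = decode_descriptor(gdt[index]);
    if (!(s.ar & 0x80)) return E_ABSENT;     /* P=0: descriptor not valid */
    if ((s.ar & 0x1C) == 0x14) {             /* S=1, TYPE=01x: stack */
        uint32_t top = s.d ? 0xFFFFFFFFu : 0xFFFFu;
        if (off <= s.limit || off > top) return E_LIMIT;
    } else if (off > s.limit) {
        return E_LIMIT;
    }
    *linear = s.base + off;
    return OK;
}

/* Descriptor 1 is the slide's "00 00 92 10 00 00 00 FF"; descriptor 2 is a
   constructed 16-bit stack segment (AR=96h, base 200000h, limit 0FFFh). */
static const uint64_t GDT[] = { 0, 0x00009210000000FFull, 0x0000962000000FFFull };
int main(void) {
    uint32_t lin = 0;
    int rc = translate(GDT, 3, 0x0008, 0x000000FF, &lin);  /* DS:ESI */
    printf("rc=%d linear=%06X\n", rc, (unsigned)lin);
    return 0;
}
```

Offset 100 in the same data segment fails the limit check, while the constructed stack segment rejects offsets at or below its limit and accepts those above it up to FFFF.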


There are actually three different descriptor tables, GDT, LDT and IDT.
Exactly one GDT and IDT must be defined for Protected Mode operation.
- Global Descriptor Table (GDT).
  The GDT is used by all programs.
- Local Descriptor Table (LDT).
  An LDT can optionally be defined on a per-task basis and is used to expand the addressable range of the task.
- Interrupt Descriptor Table (IDT).
  The IDT is a direct replacement to the interrupt vector table used in 8086 systems.
  Note that references to IDT are done through the hardware interrupt mechanism, and not from a program via a selector.



Programmer invisible registers:
The GDT and IDT (and LDT) are located in the memory system.

[Figure: programmer-invisible registers. Each segment register (CS, DS, ES, SS, FS, GS) and the TR and LDTR hold a selector, backed by a descriptor cache entry with base address, limit and access fields. GDTR and IDTR hold the descriptor table addresses: a 32-bit base address and a 16-bit limit.]

The addresses of the GDT and IDT and their limits (up to 64K bytes) are loaded in special registers, GDTR and IDTR, before switching to Protected Mode is possible.


Programmer invisible registers:
The other registers enclosed by the red-dotted line are part of the descriptor cache.
The cache is used to reduce the number of actual memory references needed to
construct the physical address.
There is one cache register for each of the 6 segment registers, CS, DS, etc. and the
LDTR (Local Descriptor Table Register) and TR (Task Register) selectors.
The base address, limit and access rights of the descriptor are loaded from memory
every time the corresponding selector changes.
The LDTR and TR selectors refer to special system descriptors in the GDT.
These registers provide hardware acceleration support for task switching.
Let's first consider how LDTs are used to extend the address space of individual tasks.


Local Descriptor Tables

[Figure: the GDTR locates the GDT, where the LDTR selector picks the LDT descriptor; the LDTR cache holds that descriptor and locates the LDT. The DS selector picks a data descriptor from the LDT, and the 32-bit offset in ESI addresses data within that segment in memory (000000 to FFFFFF).]

The LDTR selector indexes a GDT system descriptor describing the segment containing the LDT, while the cache stores the actual LDT descriptor.

The LDTR selector can be loaded with a new value when another task is run.


LDT Segment Descriptor:

Bits 63-56   Base (31-24)
Bits 55-52   0000
Bits 51-48   Limit (19-16)
Bits 47-40   P0000010
Bits 39-16   Base (23-0)
Bits 15-0    Limit (15-0)

Bit 44: The S flag is clear to indicate an LDT descriptor.
Bit 40-43: The Type field is extended to 4 bits (no Accessed bit). Type 2 (0010) indicates an LDT descriptor.
Bit 47: If the Present bit is not set (e.g. there is no LDT defined), the 80x86 will not allow you to load the LDTR with its selector.
Bit 0-15, 16-19: Although the limit is still 20 bits (and the G bit is also valid), segments larger than 64KB don't make sense!
