5.5.2.1.1 Segmentation
The segmentation unit translates a logical address into a linear address. A logical address consists of two
parts: a 16-bit segment identifier called the segment selector, and a 32-bit offset. For quick retrieval of the
segment selector, the processor provides six segmentation registers whose purpose is to hold segment
selectors. Three of these segmentation registers have specific purposes. For example, the code segment (cs)
register points to a memory segment that contains program instructions. The cs register also includes a 2-bit
field that specifies the Current Privilege Level (CPL) of the CPU. A CPL value of 0 denotes the highest
privilege level, corresponding to kernel mode; a CPL value of 3 denotes the lowest privilege level,
corresponding to user mode.
Each segment is represented by an 8-byte Segment Descriptor that describes the segment characteristics.
Segment Descriptors are stored in either the Global Descriptor Table (GDT) or the Local Descriptor Table
(LDT). The system has one GDT, but may create an LDT for a process if it needs to create additional
segments besides those stored in the GDT. The GDT is accessed through the GDTR processor register, while
the LDT is accessed through the LDTR processor register.
From the perspective of hardware access control, the GDT and LDT are equivalent. Segment descriptors
are accessed through their 16-bit segment selectors. A segment descriptor contains information such as the
segment length, the granularity used to express the segment size, and the segment type, which indicates whether the
segment holds code or data. Segment descriptors also contain a 2-bit Descriptor Privilege Level (DPL),
which restricts access to the segment. The DPL represents the minimal CPU privilege level required for
accessing the segment. Thus, a segment with a DPL of 0 is accessible only when the CPL is 0.
Figure 5-28 schematically describes access control as enforced by memory segmentation.
Figure 5-28: Access control through segmentation
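The following C program is an added illustration of the access control described above, not code from the original text: it decodes an 8-byte descriptor in the standard Intel layout, splits a 16-bit selector into its table index, GDT/LDT bit and Requested Privilege Level (RPL, a selector field the text does not name), and applies the data-segment rule that the larger of CPL and RPL must not exceed the DPL. The descriptor value and selector 0x10 are constructed sample data.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
/* Fields of an 8-byte x86 segment descriptor as stored in the GDT or LDT. */
typedef struct {
    uint32_t base;     /* 32-bit base address of the segment */
    uint32_t limit;    /* last valid offset in bytes, after granularity scaling */
    unsigned type;     /* 4-bit type field: bit 3 set means code, clear means data */
    unsigned dpl;      /* 2-bit Descriptor Privilege Level */
    bool present;      /* P bit */
    bool granularity;  /* G bit: limit is counted in 4 KiB units instead of bytes */
} seg_desc_t;

/* Decode a raw descriptor (the 8 bytes read as one little-endian integer). */
seg_desc_t decode_descriptor(uint64_t raw)
{
    seg_desc_t d;
    uint32_t limit = (uint32_t)(raw & 0xFFFF) | ((uint32_t)((raw >> 48) & 0xF) << 16);
    d.base = (uint32_t)((raw >> 16) & 0xFFFFFF) | ((uint32_t)((raw >> 56) & 0xFF) << 24);
    d.type = (unsigned)((raw >> 40) & 0xF);
    d.dpl = (unsigned)((raw >> 45) & 0x3);
    d.present = ((raw >> 47) & 1) != 0;
    d.granularity = ((raw >> 55) & 1) != 0;
    d.limit = d.granularity ? (limit << 12) | 0xFFF : limit;
    return d;
}

/* 16-bit selector: bits 15..3 table index, bit 2 LDT (1) or GDT (0), bits 1..0 RPL. */
unsigned selector_index(uint16_t sel) { return sel >> 3; }
bool selector_uses_ldt(uint16_t sel)  { return ((sel >> 2) & 1) != 0; }
unsigned selector_rpl(uint16_t sel)   { return sel & 0x3; }

/* Data-segment load check: max(CPL, RPL) must be numerically <= DPL and the
   segment must be present, so a DPL 0 segment is usable only from CPL 0. */
bool can_load_data_segment(unsigned cpl, uint16_t sel, uint64_t raw_desc)
{
    seg_desc_t d = decode_descriptor(raw_desc);
    unsigned rpl = selector_rpl(sel);
    unsigned effective = cpl > rpl ? cpl : rpl;
    return d.present && effective <= d.dpl;
}

int main(void)
{
    /* Constructed sample: flat 4 GiB data segment with DPL 0 (kernel), selector 0x10. */
    uint64_t kdata = 0x00CF92000000FFFFULL;
    printf("CPL 3, kernel data segment: %s\n", can_load_data_segment(3, 0x10, kdata) ? "allowed" : "denied");
    return 0;
}
```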