Vol. 3 5-1
CHAPTER 5
PROTECTION
In protected mode, the Intel 64 and IA-32 architectures provide a protection mecha-
nism that operates at both the segment level and the page level. This protection
mechanism provides the ability to limit access to certain segments or pages based on
privilege levels (four privilege levels for segments and two privilege levels for pages).
For example, critical operating-system code and data can be protected by placing
them in more privileged segments than those that contain applications code. The
processor’s protection mechanism will then prevent application code from accessing
the operating-system code and data in any but a controlled, defined manner.
Segment and page protection can be used at all stages of software development to
assist in localizing and detecting design problems and bugs. It can also be incorpo-
rated into end-products to offer added robustness to operating systems, utilities soft-
ware, and applications software.
When the protection mechanism is used, each memory reference is checked to verify
that it satisfies various protection checks. All checks are made before the memory
cycle is started; any violation results in an exception. Because checks are performed
in parallel with address translation, there is no performance penalty. The protection
checks that are performed fall into the following categories:
• Limit checks.
• Type checks.
• Privilege level checks.
• Restriction of addressable domain.
• Restriction of procedure entry-points.
• Restriction of instruction set.
All protection violation results in an exception being generated. See Chapter 6,
“Interrupt and Exception Handling,” for an explanation of the exception mechanism.
This chapter describes the protection mechanism and the violations which lead to
exceptions.
The following sections describe the protection mechanism available in protected
mode. See
Chapter 17, “8086 Emulation,” for information on protection in real-
address and virtual-8086 mode.
5.1 ENABLING AND DISABLING SEGMENT AND PAGE
PROTECTION
Setting the PE flag in register CR0 causes the processor to switch to protected mode,
which in turn enables the segment-protection mechanism. Once in protected mode,