PROTECTION
Task privilege
is
a dynamic value.
It
is
derived from the code segment currently being executed. Task
privilege can change only when a control transfers to a different code segment.
Descriptor privilege, including code segment privilege,
is
assigned when the descriptor (and any associ-
ated segment)
is
created. The system designer assigns privilege directly when the system
is
constructed
with the system builder (see the
80286 Builder User's GUide) or indirectly via a loader.
Each task operates
at
only one privilege level at any given moment: namely that of the code segment
being executed. (The conforming segments discussed
in
section 11.2 permit some flexibility
in
this
regard.) However,
as
figure
7-6
indicates, the task may contain segments
at
one, two, three, or four
levels, all of which are to be used
at
appropriate times. The privilege level of the task, then, changes
under the carefully enforced rules for transfer of control from one code segment to another.
The descriptor privilege attribute
is
stored in the access byte of a descriptor and
is
called the Descrip-
tor Privilege Level (DPL). Task privilege
is
called the Current Privilege Level (CPL). The least signif-
icant
two
bits of the
CS
register specify the CPL.
A
few
general rules of privilege can be stated before the detailed discussions of later sections. Data
access
is
restricted to those data segments whose privilege level
is
the same as or less privileged (numer-
ically greater) than the current privilege level (CPL). Direct code access, e.g., via call or jump,
is
restricted to code segments of equal privilege. A gate (section 7.5.1)
is
required for access to code at
more privileged levels
..
7.4
SEGMENT DESCRIPTOR
Although the format of access control information, discussed below,
is
similar for both data and code
segment descriptors, the rules for accessing data segments differ from those for transferring control to
code segments.
Data:
segments are meant to be accessible from many privilege levels, e.g., from other
programs
at
the same level or from deep within the operating system. The main restriction
is
that they
cannot be accessed by less privileged code.
Code segments, on the other
hand,
are meant to be executed at a single privilege level. Transfers of
control that cross privilege boundaries are tightly restricted, requiring the use of gates. Control
trans-
fers wiihin a privilege level can also usc gates, but they are not required. Control transfers are discussed
in section 7.5.
Protection checks are automatically invoked at several points
in
selecting and using
new
segments. The
process
of
addressing memory begins when the currently executing program attempts to load a selector
into one of the segment registers.
As
discussed in Chapter 6, the selector has the form shown
in
figure
7-7.
When
a
new
Sli;;lticiuf
is
loaded
intv
a segment
regigter,
the
p!0~eSSOr
~~r.esses
the associated
descriptor
to perform the necessary loading and privilege checks.
The protection mechanism verifies that the selector points to a valid descriptor type
for"
the segment
register (see section 7.4.1). After verifying the descriptor type, the
CPU compares the privilege level
of the task (CPL) to the privilege level in the descriptor (DPL) before loading the descriptor's
infor-
mation into the cache.
The general format of the eight bits in the segment descriptor's access rights byte
is
shown
in
table
7-1.
7-10