User's Manual

PROTECTION
Three basic kinds of privilege level indicators are used when determining accessibility to a segment for reading and writing. They are termed Current Privilege Level (CPL), Descriptor Privilege Level (DPL), and Requested Privilege Level (RPL). The CPL is simply the privilege level of the code segment that is executing (except if the current code segment is conforming). The CPL is stored as bits 0 and 1 of the CS and SS registers. Bits 0 and 1 of DS and ES are not related to CPL.

DPL is the privilege level of the segment; it is stored in bits 5 and 6 of the access byte of a descriptor. For data access to data segments and non-conforming code segments, CPL must be numerically less than or equal to DPL (the task must be of equal or greater privilege) for access to be granted. Violation of this rule during a segment load instruction causes a general protection exception with an error code identifying the selector.
While the enforcement of DPL protection rules provides the mechanism for the isolation of code and data at different privilege levels, it is conceivable that an erroneous pointer passed on to a more trusted program might result in the illegal modification of data with a higher privilege level. This possibility is prevented by the enforcement of effective privilege level protection rules and correct usage of the RPL value.
The RPL (requested privilege level) is used for pointer validation. It is the least significant two bits in the selector value loaded into any segment register. RPL is intended to indicate the privilege level of the originator of that selector. A selector may be passed down through several procedures at different levels. The RPL reflects the privilege level of the original supplier of the selector, not the privilege level of the intermediate supplier. The RPL must be numerically less than or equal to the DPL of the descriptor selected, thereby indicating greater or equal privilege of the supplier; otherwise, access is denied and a general protection violation occurs.
Pointer validity testing is required in any system concerned with preventing program errors from destroying system integrity. The 80286 provides hardware support for pointer validity testing. The RPL field indicates the privilege level of the originator of the pointer to the hardware. Access will be denied if the originator of the pointer did not have access to the selected segment even if the CPL is numerically less than or equal to the DPL. RPL can reduce the effective privilege of a task when using a particular selector. RPL never allows access to more privileged segments (CPL must always be numerically less than or equal to DPL).
A fourth term is sometimes used: the Effective Privilege Level (EPL). It is defined as the numeric maximum of the CPL and the RPL, meaning the one of lesser privilege. Access to a protected entity is granted only when the EPL is numerically less than or equal to the DPL of that entity. This is simply another way of saying that both CPL and RPL must be numerically less than or equal to DPL for access to be granted.
7.4.4 Pointer Privilege Stamping via ARPL
The ARPL instruction is provided in the 80286 to fill the RPL field of a selector with the minimum privilege (maximum numeric value) of the selector's current RPL and the caller's CPL (given in an instruction-specified register). A straight insertion of the caller's CPL would stamp the pointer with the privilege level of the caller, but not necessarily the ultimate originator of the selector (e.g., level 3 supplies a selector to a level 2 routine that calls a level 0 routine with the same selector).
Figure 7-9 shows a program with an example of such a situation. The program at privilege level 3 calls a routine at level 2 via a gate. The routine at level 2 uses the ARPL instruction to assure that the selector's RPL is 3. When the level 2 routine calls a routine at level 0 and passes the selector, the ARPL instruction at level 0 leaves the RPL field unchanged.
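The CPL/RPL/DPL access rule, the EPL definition, and the ARPL stamping described above, as an added example in C that is not part of the manual: it models the 80286 field layouts the text gives (RPL in selector bits 0-1, DPL in access-byte bits 5-6) and walks the Figure 7-9 call chain. The function names, the call-chain helper, and reporting ARPL's "RPL was raised" outcome as a boolean return (the hardware reports it in ZF) are this example's own assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Field layouts stated in the manual: selector bits 0-1 hold the RPL,
 * descriptor access-byte bits 5-6 hold the DPL. */
#define SEL_RPL(sel)         ((unsigned)((sel) & 0x3))
#define ACC_DPL(access_byte) ((unsigned)(((access_byte) >> 5) & 0x3))

/* EPL = numeric maximum of CPL and RPL, i.e. the one of lesser privilege. */
static unsigned epl(unsigned cpl, uint16_t selector)
{
    unsigned rpl = SEL_RPL(selector);
    return cpl > rpl ? cpl : rpl;
}

/* Data-segment access check: granted only if EPL <= DPL, which is the same
 * as requiring both CPL <= DPL and RPL <= DPL. A false result is the case in
 * which the 80286 raises a general protection exception. */
static bool data_access_ok(unsigned cpl, uint16_t selector, uint8_t access_byte)
{
    return epl(cpl, selector) <= ACC_DPL(access_byte);
}

/* ARPL: replace the selector's RPL with max(current RPL, caller's CPL).
 * Returns true when the RPL field was raised (the hardware sets ZF then). */
static bool arpl(uint16_t *selector, unsigned caller_cpl)
{
    unsigned rpl = SEL_RPL(*selector);
    if (caller_cpl > rpl) {
        *selector = (uint16_t)((*selector & ~0x3u) | (caller_cpl & 0x3u));
        return true;
    }
    return false;
}

/* Figure 7-9 scenario (constructed walk-through): a level 3 program hands a
 * selector to a level 2 routine, which stamps it with its caller's CPL (3) and
 * then passes it to a level 0 routine, which stamps it with its own caller's
 * CPL (2). The second ARPL leaves the RPL at 3, so the level 0 code cannot be
 * tricked into treating the pointer as a level 2 supplied one. */
static uint16_t stamp_through_call_chain(uint16_t selector)
{
    arpl(&selector, 3);   /* level 2 routine: caller is at level 3 */
    arpl(&selector, 2);   /* level 0 routine: caller is at level 2, no change */
    return selector;
}
```

Selector 0x0008 (RPL 0) supplied by level 3 code becomes 0x000B (RPL 3) after the chain, and data_access_ok then denies it against a DPL 0 data segment even when the level 0 routine's own CPL would have allowed the access.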
7-14