x86 and xv6 CS 450: Operating Systems Michael Saelee

Transcription

1 x86 and xv6 CS 450: Operating Systems Michael Saelee

2 To work on an OS kernel, we must be intimately familiar with the underlying ISA, hardware, and system conventions - x86 ISA - C architecture - Unix, GCC, ELF, etc.

3 x86 ISA

4 - Intel IA-32 Software Developer s Manuals (linked on course website) are comprehensive references - Volume 1: Architectural Overview (e.g., regs, addressing) - Volume 2: Instruction Set Reference - Volume 3: Systems rogramming Guide (e.g., mechanisms that let operating system control/configure hardware) - (Majority of diagrams in slides are from these manuals)

5 x86 Family of ISAs - Started with Intel s bit CU in Followed by 80186, 80286, 80386, (then entium ) introduced 32-bit addressing ( IA-32 architecture) - CISC-style ISA - Large instruction set, complex addressing modes

6 Backwards Compatibility - x86 implies backwards compatibility all the way to All x86 CUs boot into 16-bit real address mode (aka real mode ) - Supported CUs can switch into 32-bit rotected Mode - i.e., we need to understand real mode to write an OS!

7 Instruction Set Overview - Arithmetic: add, sub, and, etc. - Moving data: mov, push, pop, etc. - Control flow: jmp, call, ret, etc. - I/O: in, out - rivileged: int, iret, hlt, etc.

8 Instruction formats: - 0 operands, e.g., ret - 1 operand, e.g., pushl %ebp - 2 operands O SRC, DST e.g., movl $0xa, %eax - Operands may be immediate values (constants), registers, memory addresses

9 NB: we ll be using AT&T syntax for x86 assembly - output by GCC/GAS - Constants are prefixed with $, Register names with % - Instruction suffixes (b=8-bit, w=16-bit, l=32-bit, etc.) used to indicate operand sizes - not the same as official Intel syntax! (output by NASM)

10 General-urpose Registers bit 32-bit AH AL AX EAX BH BL BX EBX CH CL CX ECX DH DL DX EDX B EB SI ESI DI EDI S ES Figure 3-5. Alternate General-urpose Register Names EAX Accumulator for operands and results data EBX ointer to data in the DS segment ECX Counter for string and loop operations EDX I/O pointer ESI ointer to data in the segment pointed to by the DS register; source pointer for string operations EDI ointer to data (or destination) in the segment pointed to by the ES register; destination pointer for string operations ES Stack pointer (in the SS segment) EB ointer to data on the stack (in the SS segment) As shown in Figure 3-5, the lower 16 bits of the general-purpose registers map directly to the register set found in

11 EFLAGS register used for conditional operations E.g., if last operation resulted in zero/nonzero/neg/etc..l0: movl $0, %eax for (i=0; i<10; i++); addl $1, %eax cmpl $10, %eax # 10-eax jne.l0 # jump if ZF 0

12 I D V I V I F A C V M R F 0 N T I O L O F D F I F T F S F Z F 0 A F 0 F 1 C F X ID Flag (ID) X Virtual Interrupt ending (VI) X Virtual Interrupt Flag (VIF) X Alignment Check / Access Control (AC) X Virtual-8086 Mode (VM) X Resume Flag (RF) X Nested Task (NT) X I/O rivilege Level (IOL) S Overflow Flag (OF) C Direction Flag (DF) X Interrupt Enable Flag (IF) X Trap Flag (TF) S Sign Flag (SF) S Zero Flag (ZF) S Auxiliary Carry Flag (AF) S arity Flag (F) S Carry Flag (CF) S Indicates a Status Flag C Indicates a Control Flag X Indicates a System Flag Reserved bit positions. DO NOT USE. Always set to values previously read. Figure 3-8. EFLAGS Register (only bottom 16-bits in real mode)

13 I (16-bit) / EI (32-bit) is instruction pointer register (C elsewhere) - always points to next instruction; automatically incremented - change explicitly with jump, call, ret, etc.

14 Addressing modes: - Direct: movl 0x401000, %eax eax = *(uint32_t *)(0x401000) - Indirect: movl (%ebx), %eax eax = *(uint32_t *)ebx

15 Addressing modes (continued): - Base-Displacement: movl 8(%ebx), %eax eax = *(uint32_t *)(ebx + 8) - Indexed & Scaled: movl (%ebx, %ecx, 4), %eax eax = *(uint32_t *)(ebx + ecx*4)

16 16-bit addressing modes: 32-bit addressing modes: (Courtesy WikiMedia Commons)

17 Real mode addressing has 16-bit registers, but 20-bit physical addresses - Use one of four 16-bit segment registers: CS, DS, SS, ES - Shift left by 4 bits (i.e., 16) to obtain a segment base address - Add to virtual address to obtain physical address

18 Real mode addressing - Code and Stack accesses using I, S, and B automatically use CS (code segment) and SS (stack segment) values - e.g., if I=0x4000 and CS=0x1100, CS:I refers to absolute address 0x x4000 = 0x Can be confusing and unwieldy (especially if data straddles segments)

19 rotected mode addressing - Full 32-bit addresses stored in registers - Segment registers (expanded to CS, DS, SS, ES, FS, GS, and still all 16-bit) no longer hold base addresses, but selectors - Selectors are used to load segment descriptors from a descriptor table which describe location/size/status/etc. of segments

20 Logical Address 15 0 Seg. Selector 31(63) Offset (Effective Address) 0 Descriptor Table Segment Descriptor Base Address + 31(63) Linear Address 0 Figure 3-5. Logical Address to Linear Address Translation

21 Segmentation - Recall: segmentation allows virtual addresses to be translated using segment base addresses - Segment descriptors also allow for access control (e.g., restricted access to certain segments) - Mapping from segmented to linear address can be simple/ flat or arbitrarily complex!

22 Segment Registers CS SS Code- and Data-Segment Descriptors Linear Address Space (or hysical Memory) Code Not resent FFFFFFFFH DS ES Access Limit Base Address Data and Stack 0 FS GS Figure 3-2. Flat Model

23 Segment Registers CS ES SS DS FS GS Segment Descriptors Access Limit Base Address Access Limit Base Address Linear Address Space (or hysical Memory) Code Not resent Memory I/O Data and Stack FFFFFFFFH 0 Figure 3-3. rotected Flat Model

24 Segment Registers CS SS DS ES FS GS Segment Descriptors Access Limit Base Address Access Limit Base Address Access Limit Base Address Access Limit Base Address Access Limit Base Address Access Limit Base Address Access Limit Base Address Access Limit Base Address Access Limit Base Address Access Limit Base Address Linear Address Space (or hysical Memory) Stack Code Data Data Data Data Figure 3-4. Multi-Segment Model

25 Segment Descriptor Tables - Kernel is responsible for maintaining descriptor tables on a system wide (via Global Descriptor Table) or task-specific (via Local Descriptor Table) basis - art of growing list of kernel data structures!

26 Index T I RL Table Indicator 0 = GDT 1 = LDT Requested rivilege Level (RL) Figure 3-6. Segment Selector Global Descriptor Table (GDT) Local Descriptor Table (LDT) T I Segment Selector TI = 0 56 TI = First Descriptor in GDT is Not Used GDTR Register LDTR Register Limit Base Address Limit Base Address Seg. Sel. Figure Global and Local Descriptor Tables

27 Base 31:24 G D / B Seg. A D L V Limit S Type Base 23:16 4 L 19:16 L Base Address 15:00 Segment Limit 15:00 0 L 64-bit code segment (IA-32e mode only) AVL Available for use by system software BASE Segment base address D/B Default operation size (0 = 16-bit segment; 1 = 32-bit segment) DL Descriptor privilege level G Granularity LIMIT Segment Limit Segment present S Descriptor type (0 = system; 1 = code or data) TYE Segment type Figure 3-8. Segment Descriptor

28 CS and CL - Bottom 2 bits of CS indicate the CL (current privilege level) - Recall: 0 = highest, 3 = lowest used to guard access to privileged/restricted instructions and memory - CS segment selector cannot be manipulated directly (why?) - Loaded from descriptor DL (when switching segments)

29 xv6 and Segmentation - xv6 mostly uses a flat model, so segmentation setup is simple - But segmentation descriptors are very similar to those used in interrupt descriptor tables (IDTs) - Used for carrying out interrupts and enforcing privilege level (CL) policies coming later

30 aging - Recall: paging allows for more granular mapping of linear address spaces onto physical memory - Fixed sized pages mapped from linear to physical address space - We will use support for 2-level paging for 32-bit addresses: - 1K page directory entries 1K page tables (each) - 4KB pages

31 Linear Address Directory Table Offset KByte age 10 age Directory 10 age Table hysical Address DE with S=0 20 TE CR3 Figure 4-2. Linear-Address Translation to a 4-KByte age using 32-Bit aging

32 Segmentation & aging - Segmentation is set up to provide a (mostly) flat model in xv6 - aging is used to do heavy lifting of virtual physical memory mapping - xv6 sets up paging structures on a per-process basis

33 Logical Address (or Far ointer) Segment Selector Offset Linear Address Space Global Descriptor Table (GDT) Linear Address Dir Table Offset hysical Address Space Segment Descriptor Segment Lin. Addr. age Directory age Table Entry age hy. Addr. Entry Segment Base Address age Segmentation aging Figure 3-1. Segmentation and aging

34 Address of page directory 1 Ignored C D W T Ignored CR3 Bits 31:22 of address of 4MB page frame Reserved (must be 0) Bits 39:32 of address 2 A T Ignored G 1 D A C D W T U / S R / W 1 DE: 4MB page Address of page table Ignored 0 I g n A C D W T U / S R DE: / W 1 page table Ignored 0 DE: not present Address of 4KB page frame Ignored G A T D A C D W T U / S R / W 1 TE: 4KB page Ignored 0 TE: not present NOTES: Figure 4-4. Formats of CR3 and aging-structure Entries with 32-Bit aging

35 Control & System Registers - Transitioning between real & protected mode, activating paging, switching descriptor tables, etc., are all governed by control & system register settings - Modifying these settings is restricted by CL

36 31(63) Reserved K E S M A S M E S M X E V M X E U M I C E G E M C E A E S E D E T S D V I V M E CR4 OSXSAVE FSGSBASE CIDE OSFXSR OSXMMEXCT 31(63) age-directory Base C D W T CR3 (DBR) 31(63) 0 age-fault Linear Address CR2 31(63) 0 CR G C D N W A M W N E E T T S E M M E CR0 Reserved Figure 2-7. Control Registers

37 31(63) Reserved K E S M A S M E OSXSAVE 31(63) S M X E V M X E U M I FSGSBASE CIDE C E G E M C E A E S E D E T S D OSFXSR OSXMMEXCT V I V M E CR4 Real-Address Mode Reset or E=1 E=0 Reset or RSM SMI# age-directory Base 31(63) 0 age-fault Linear Address C D W T CR3 (DBR) CR2 Reset rotected Mode SMI# RSM LME=1, CR0.G=1* SMI# System Management Mode 31(63) 0 CR1 VM=0 VM=1 See** IA-32e Mode RSM G C D N W Reserved A M W N E E T T S E M M E CR0 Virtual-8086 Mode SMI# RSM * See Section ** See Section Figure 2-7. Control Registers Figure 2-3. Transitions Among the rocessor s Operating Modes

38 .code16.globl start start: cli # Assemble for 16-bit mode # BIOS enabled interrupts; disable # Zero data segment registers DS, ES, and SS. xorw %ax,%ax # Set %ax to zero movw %ax,%ds # -> Data Segment... lgdt movl orl movl gdtdesc %cr0, %eax $CR0_E, %eax %eax, %cr0 # Complete transition to 32-bit protected mode by using long jmp # to reload %cs and %eip. The segment descriptors are set up with no # translation, so that the mapping is still the identity mapping. ljmp $(SEG_KCODE<<3), $start32.code32 # Tell assembler to generate 32-bit code now. start32: # Set up the protected-mode data segment registers movw $(SEG_KDATA<<3), %ax # Our data segment selector movw %ax, %ds # -> DS: Data Segment... # Set up the stack pointer and call into C. movl $start, %esp call bootmain xv6 bootstrap assembly

39 I/O - Two basic models for accessing I/O devices: - Separate I/O port address space from data address space - Memory-mapped I/O

40 I/O orts - Separated, limited address space - Special, privileged instructions (in/out) to explicitly read from /write to I/O ports - e.g., in $0x60, %al # get last typed # character (S/2 kbd)

41 Memory-mapped I/O - I/O controllers responsible for mapping ranges of physical addresses to I/O devices - Look like regular memory accesses - No special instructions! - Accessing these special addresses read/write I/O devices

42 I/O rotocols - Two basic protocols for interacting with I/O devices: - olling, aka rogrammed I/O (IO) - Interrupt-driven I/O

43 olling / rogrammed I/O - Software-driven, e.g., L0: inb STATUS_ORT, %al andb %al, BUSY_FLAG jne L0 # check if busy (e.g., still writing) movb (%esi,%ebx), %al incb %ebx # load data byte # increment index outb DATA_ORT, %al # write data byte to data port outb CONTROL_ORT, $0x01 # let device know to inspect data outb CONTROL_ORT, 0 jmp L0

44 olling / rogrammed I/O - CU must periodically probe hardware for status - to check if device is ready to be written to - to check if data is available to be read - to check for exceptional conditions

45 Interrupt-driven I/O - Device is responsible for notifying CU of event - CU might still initial request, but doesn t need to poll - Notification happens via hardware interrupt mechanism - Invokes interrupt handler (kernel routine)

46 ros/cons of olled vs. Interrupt-driven I/O?

47 ros/cons of olling - no additional hardware requirements - easy to program - if CU is idle, increase - places burden on CU problematic if heavy load - possibly unresponsive - even if no I/O is needed! utilization

48 ros/cons of Interrupt-driven - good for CU utilization - outsource responsibility - if no I/O needed, no CU activity at all! - requires hardware support (limited interrupts) - if frequent I/O, requires lots of context switches! - concurrency issues?

49 Interrupts & Exceptions - NB: terminology differs a bit from what we used in CS 351! - Encompass all events that request special CU attention, typically by transferring control from the active task to a special interrupt/exception handler

50 Interrupts - Hardware-sourced events requesting CU attention - Typically unrelated to executing instruction - Can also be generated by software with int N instruction

51 Exceptions - Errors/Events arising due to the currently executing instruction - Classes: - Faults - Traps - Aborts

52 Exception classes (review!) - Faults: can be corrected after handler, return to state prior to faulting instruction (e.g., page fault) - Traps: reported immediately after execution of instruction (e.g., debugging breakpoint, system call), regular return - Abort: severe errors; cannot return to task

53 Tasks - Must be some sort of context to be interrupted - TSS segment is used to define the currently executing task - General purpose registers - Control registers (including EFLAGS, EI, LDTR, etc.) - Stack pointers for different privilege levels

54 Code Segment Task-State Segment (TSS) Data Segment Stack Segment (Current riv. Level) Stack Seg. riv. Level 0 Stack Seg. riv. Level 1 Task Register CR3 Stack Segment (riv. Level 2) Figure 7-1. Structure of a Task

55 I/O Map Base Address Reserved T 100 Reserved LDT Segment Selector 96 Reserved GS 92 Reserved FS 88 Reserved DS 84 Reserved Reserved SS CS Reserved ES 72 EDI 68 ESI 64 EB 60 ES 56 EBX 52 EDX 48 ECX 44 EAX 40 EFLAGS 36 EI 32 CR3 (DBR) 28 Reserved SS2 24 ES2 20 Reserved SS1 16 ES1 12 Reserved SS0 8 ES0 4 Reserved revious Task Link 0 Reserved bits. Set to 0. Figure Bit Task-State Segment (TSS)

56 Handling Interrupts/Exceptions - Interrupt Descriptor Table (IDT) contains gate descriptors associating service routines with interrupt/exception numbers total indices (aka vector numbers): : architecture-defined : user-defined; can be assigned to I/O devices

57 47 IDTR Register IDT Base Address IDT Limit + Interrupt Descriptor Table (IDT) Gate for Interrupt #n (n 1) 8 Gate for Interrupt #3 Gate for Interrupt #2 Gate for Interrupt #1 Figure 6-1. Relationship of the IDTR and IDT

58 IDT Destination Code Segment Interrupt Vector Interrupt or Trap Gate Offset + Interrupt rocedure Segment Selector GDT or LDT Base Address Segment Descriptor Figure 6-3. Interrupt rocedure Call

59 Interrupt/Exception Vectors Vector Mnemonic Table 6-1. rotected-mode Exceptions and Interrupts Description Type Error Code Source 0 #DE Divide Error Fault No DIV and IDIV instructions. 1 #DB Debug Exception Fault/ Trap No Instruction, data, and I/O breakpoints; single-step; and others. 2 NMI Interrupt Interrupt No Nonmaskable external interrupt. 3 #B Breakpoint Trap No INT3 instruction. 4 #OF Overflow Trap No INTO instruction. 5 #BR BOUND Range Exceeded Fault No BOUND instruction. 6 #UD Invalid Opcode (Undefined Opcode) Fault No UD instruction or reserved opcode. 7 #NM Device Not Available (No Math Coprocessor) 8 #DF Double Fault Abort Yes (zero) 9 Coprocessor Segment Overrun (reserved) Fault No Floating-point or WAIT/FWAIT instruction. Any instruction that can generate an exception, an NMI, or an INTR. Fault No Floating-point instruction #TS Invalid TSS Fault Yes Task switch or TSS access. 11 #N Segment Not resent Fault Yes Loading segment registers or accessing system segments. 12 #SS Stack-Segment Fault Fault Yes Stack operations and SS register loads. 13 #G General rotection Fault Yes Any memory reference and other protection checks. 14 #F age Fault Fault Yes Any memory reference. 15 (Intel reserved. Do not use.) No 16 #MF x87 FU Floating-oint Error (Math Fault) 17 #AC Alignment Check Fault Yes (Zero) Fault No x87 FU floating-point or WAIT/FWAIT instruction. Any data reference in memory #MC Machine Check Abort No Error codes (if any) and source are model dependent #XM SIMD Floating-oint Exception Fault No SSE/SSE2/SSE3 floating-point instructions 4 20 #VE Virtualization Exception Fault No ET violations Intel reserved. Do not use User Defined (Non-reserved) Interrupts NOTES: Table 6-1. rotected-mode Exceptions and Interrupts (Contd.) Interrupt External interrupt or INT n instruction.

60 Gate Descriptors - Interrupts are associated with Interrupt Gates - Exceptions are associated with Trap Gates

61 Task Gate D L TSS Segment Selector 0 Interrupt Gate Offset D L 0 D Segment Selector Offset Trap Gate Offset D L 0 D Segment Selector Offset DL Offset Selector D Descriptor rivilege Level Offset to procedure entry point Segment resent flag Segment Selector for destination code segment Size of gate: 1 = 32 bits; 0 = 16 bits Reserved Figure 6-2. IDT Gate Descriptors

62 rivilege level checks - Hardware ensures that interrupts cannot transfer control from more-privileged to less-privileged code - i.e., enforce CL destination segment DL - For interrupts generated with int instruction, gate DL is checked to restrict interrupts - i.e., enforce CL gate DL

63 Masking Interrupts - Most external interrupts can be masked (i.e., ignored), by setting the IF (interrupt flag) in EFLAGS register - cli/sti instructions: clear/set interrupt flag - IF is automatically cleared when an interrupt (but not a trap) gate is taken - How is this useful?

64 Interrupt rocedure When the processor performs a call to the exception- or interrupt-handler procedure: If the handler procedure is going to be executed at a numerically lower privilege level, a stack switch occurs. When the stack switch occurs: a. The segment selector and stack pointer for the stack to be used by the handler are obtained from the TSS for the currently executing task. On this new stack, the processor pushes the stack segment selector and stack pointer of the interrupted procedure. b. The processor then saves the current state of the EFLAGS, CS, and EI registers on the new stack (see Figures 6-4). c. If an exception causes an error code to be saved, it is pushed on the new stack after the EI value. If the handler procedure is going to be executed at the same privilege level as the interrupted procedure: a. The processor saves the current state of the EFLAGS, CS, and EI registers on the current stack (see Figures 6-4). b. If an exception causes an error code to be saved, it is pushed on the current stack after the EI value.

65 Interrupted rocedure s and Handler s Stack Stack Usage with No rivilege-level Change EFLAGS CS EI Error Code ES Before Transfer to Handler ES After Transfer to Handler Interrupted rocedure s Stack Stack Usage with rivilege-level Change ES Before Transfer to Handler ES After Transfer to Handler Handler s Stack SS ES EFLAGS CS EI Error Code Figure 6-4. Stack Usage on Transfers to Interrupt and Exception-Handling Routines

66 Returning from interrupt - Need to restore previous stack/register states, and potentially return to previous privileged level (switch stacks) - iret instruction automatically restores state using values saved on stack (including EI, CS, EFLAGS) by interrupt procedure

67 EFLAGS Register Control Registers CR4 CR3 CR2 CR1 CR0 Task Register hysical Address Linear Address Segment Selector Register Global Descriptor Table (GDT) Task-State Segment (TSS) Code, Data or Stack Segment Task Code Data Stack Interrupt Vector IDTR Interrupt Descriptor Table (IDT) Interrupt Gate Task Gate Trap Gate XCR0 (XFEM) Segment Sel. TSS Seg. Sel. Call-Gate Segment Selector GDTR LDTR Seg. Desc. TSS Desc. Seg. Desc. TSS Desc. LDT Desc. Local Descriptor Table (LDT) Seg. Desc. Call Gate Current TSS Task-State Segment (TSS) Current TSS Interrupt Handler Code Stack Task Code Data Stack Exception Handler Code Stack rotected rocedure Code Current TSS Stack Linear Address Space Linear Address Dir Table Offset Linear Addr. age Directory age Table age g. Dir. Entry g. Tbl. Entry hysical Addr. 0 CR3* *hysical Address This page mapping example is for 4-KByte pages and the normal 32-bit physical address size. Figure 2-1. IA-32 System-Level Registers and Data Structures

68 C Architecture

69 What else? - Memory + memory layout - ersistent store (disk) - Text/graphics display - Keyboard/Mouse + other I/O devices and controllers - BIOS, Clock

70 0xFFFFFFFF (4GB) rotected mode memorymapped devices hysical memory map Unused Extended memory BIOS ROM Real-mode devices VGA display Low memory hysical RAM limit 0x (1MB) 0x000F0000 (960KB) 0x000C0000 (768KB) 0x000A0000 (640KB) 0x

71 Startup & BIOS - On startup, transfer control to address FFFF:0000 (real mode) - BIOS executes power on self test, initializes video card, disk controller, and sets up basic interrupt routines for simple I/O - If boot drive is found, load boot sector (512 bytes, tagged with ending 0x55AA marker) from drive at address 0000:7C00

72 Bootloader Responsibilities - Set up minimal execution environment (stack, protected mode) - Scans disk for kernel image (may load second-stage bootloader to navigate partitions, file system, executable formats, etc.) - Load kernel image at predetermined location in memory - Transfer control to kernel

73 On Bootloaders - Bootloaders can get very complicated! - E.g., multistage boot loaders like Linux Loader (LILO) and Grand Unified Bootloader (GRUB) understand file systems and executable file formats - Also have scripting support and built-in shells

74 QEMU

75 Full System Emulator - Emulates the behavior of a real x86 C in software - Simulates physical memory map and I/O devices - Supports up to 255 CUs (speed dependent on host machine) - Simple to debug, and won t break your actual OS! - Can connect to GDB to step through instructions

76 The QEMU C System emulator simulates the following peripherals: - i440fx host CI bridge and IIX3 CI to ISA bridge - Cirrus CLGD 5446 CI VGA card or dummy VGA card with Bochs VESA extensions (hardware level, including all non standard modes). - S/2 mouse and keyboard - 2 CI IDE interfaces with hard disk and CD-ROM support - Floppy disk - CI and ISA network adapters - Serial ports - IMI BMC, either and internal or external one - Creative SoundBlaster 16 sound card - ENSONIQ AudioCI ES1370 sound card - Intel 82801AA AC97 Audio compatible sound card - Intel HD Audio Controller and HDA codec - Adlib (OL2) - Yamaha YM3812 compatible chip - Gravis Ultrasound GF1 sound card - CS4231A compatible sound card - CI UHCI, OHCI, EHCI or XHCI USB controller and a virtual USB-1.1 hub. SM is supported with up to 255 CUs. QEMU uses the C BIOS from the Seabios project and the lex86/bochs LGL VGA BIOS.

77 Demo