Microprocessors system architectures – IA32 real and virtual-8086 mode Jakub Yaghob
Compatibility with 16-bit code Advantages Allows execution of an older code Disadvantages Supports programmer laziness/persistence IA-32 compatibility modes Real mode Virtual-8086 mode
Compatibility mode comparison Common characteristic Binary code compatibility with predecessors of IA-32 (8086, 80186, 80286) Possibility to use some 32-bit features Real mode Nearly compatible with 8086 Starting CPU mode after the RESET Minimal support from OS No protection mechanisms Some important IA-32 features are not available (paging) Virtual-8086 mode More differences against 8086 Part of the protected mode, cannot run without it Complicated emulation software Keeps protection Uses all features of IA-32 (including paging) Virtualization – more VM86 machines at the same moment Cannot be entered from the long mode
Real mode Usage CPU starting mode Does not need memory structures, excluding interrupt vector To this date used for some recovery software No protection Features Real mode address translation Instruction operands 8- or 16-bit It is possible to enable 32-bit operation using an instruction prefix Only 16-bit registers are available Higher parts only using an instruction prefix Including IP and FLAGS 16-bit stack Interrupt vector Relocatable using LIDT All instruction from and supported FS and GS available for IA-32 CPUs
Real mode address translation Paging Not supported Segmentation Simulates 8086 behavior No descriptor tables Segment attributes set to simulate real mode Based address derive from the visible part Base = selector * 16 Segment limit: Segment type: code-writable Inaccurate 8086 memory model Address computed in 32 bits HMA – available memory in the range h-10FFFFh
16-bit address modes 16-bit instructions use 16-bit address mode Offset = [Base] + [Index] + [Displacement] Base = BX, BP Index = SI, DI Use 32-bit address mode with an instruction prefix
Interrupt system Relocatable vector (IDTR) Positioned on address 0 Real mode format: far 16-bit pointers Interrupt handling Only FLAGS stored Only IP changes Stack pointer is only SP
Virtual-8086 mode Special task running in the protected mode Structure of a V86 task 32-bit TSS The 8086 program A V86 monitor Must run on CPL=0 Interrupt and exception handling I/O emulation Access to the V86 memory 8086 OS services 16-bit OS implemented inside the V86 16-bit OS implemented using 32-bit OS
Paging in V86 CPU translates V86 addresses to linear addresses Linear address can use paging Advantages More V86 tasks at a time Lower 1MB mapped to different physical memory Emulating 1MB address space of the 8086 Mapping range h-10FFFFh to 0h-0FFFFh Sharing „ROM“ contents Memory mapped I/O
Protection within V86 task Protection is not enforced between the segments Protection possibilities Reserving lower 1MB+64K for V86 tasks V86 cannot generate addresses out of this range Paging protection V86 monitor has U/S =0 Sensitive instructions IOPL sensitive: CLI, STI, PUSHF, POPF, INT n, IRET Not IOPL sensitive: IN, OUT, INS, OUTS If IOPL <3, then sensitive instructions invoke #GP
Entering V86 mode CPU runs in V86, if EFLAGS[VM] =1 How to set it Task switch Reading EFLAGS from TSS before segment registers loading Return from interrupt handler IRET Reading EFLAGS from the stack VM flag checks Segment register loading How to set segment registers caches Instruction decoding Instructions not supported by V86 Instructions sensitive on IOPL Access rights V86 always runs with CPL=3
Entering and leaving VM86 – I
Entering and leaving VM86 – II 1. Task switch 2. HW interrupt/exception, INT n when IOPL =3 3. #GP caused by INT n, IRET, POPF, PUSHF, IN, OUT when IOPL <3 4. Normal return from protected mode interrupt/exception handler 5. A return from V86 monitor to redirect an interrupt/exception 6. Internal redirection of INT n when VME=1, IOPL <3 and the redirection bit is 1
Leaving V86 Only through an interrupt or exception HW external interrupt An exception caused by V86 code INT n handler It is possible to directly redirect it back to V86 code RESET or INIT HLT instruction causes #GP
V86 I/O Protection Protection of all ports V86 performs I/O directly (no protection) Access specific I/O ports I/O map in the TSS Access specific I/O memory mapped ports Paging
Interrupt and exception handling in V86 All interrupts divided into classes Class 1 All exceptions All HW interrupts including NMI Class 2 Maskable HW interrupts when CR4[VME] =1 Class 3 All INT n Moreover, handling of classes 2 and 3 depends IOPL setting Working with EFLAGS[IF], EFLAGS[VIF], EFLAGS[VIP] CR4[VME] setting INT n redirection map in TSS Virtual interrupt support EFLAGS[VIF], EFLAGS[VIP]
V86 interrupt handling for class 1 – I 32-bit interrupt-, trap-, task-gate Switches to 32-bit and CPL=0 Saves the state of the segment registers Clears the segment registers DS, ES, GS, FS SS:ESP already contains an address for the stack 0 CS:EIP already contains interrupt handler address Clearing flags VM, NT, RF, TF in EFLAGS Begins execution of interrupt handler Handling interrupts for V86 Check EFLAGS [ VM ] on the stack Handling in the protected mode Invoking V86 monitor V86 monitor can invoke V86 handler
V86 interrupt handling for class 1 – II
V86 interrupt handling for class 1 – III Invoking V86 handler from V86 monitor Use the 8086 interrupt vector to locate V86 handler address Copy FLAGS and CS:IP from the stack 0 to the V86 stack (CPL 3) Change return address on the stack 0 to the V86 handler Return using IRET to the V86 IRET in V86 causes #GP and invokes V86 monitor Copy FLAGS from stack 3 to stack 0 Set CS:IP on stack 0 to original address of V86 interrupt Return using IRET to the V86
V86 interrupt handling for class 2 – I Maskable V86 interrupt handling using virtual interrupts Activated by CR4 [ VME ]=1 and IOPL <3 Flags VIF and VIP in EFLAGS Reduces V86 monitor calls when working with IF ( PUSHF, POPF, STI, CLI ) Virtualization CLI and STI work with VIF PUSHF saves VIF instead of IF POPF loads VIF from IF, IF remains intact VIP records existence of deferred (pending) maskable HW interrupt VIP checked by CPU, never set; set by SW
V86 interrupt handling for class 2 – II Handling maskable HW interrupt Invoke 32-bit handler Switch to 32-bit and CPL =0 Save the V86 state on the stack 0 Clear the segment registers Clear the VM flag in EFLAGS Begin execution of a 32-bit interrupt handler Check EFLAGS [ VM ] on the stack 0 If the flag is set, call V86 monitor V86 monitor checks VIF in EFLAGS If VIF=0, set the VIP and return to the 32-bit interrupt handler If VIF=1, can be handled as class 1 Return back to V86
V86 interrupt handling for class 2 – III Deferring interrupt using the flag VIP Before the VIF is set ( POPF, STI ), CPU in V86 checks If VIP=0, VIF is set and continue If VIP=1, #GP exception is invoked The #GP exception calls V86 monitor Handle the deferred interrupt Clear VIP and set VIF in EFLAGS on the stack Return to V86
V86 interrupt handling for class 3 – I SW interrupt handling ( INT n ) BRM=Bit in Redirection Map in the TSS VMEIOPLBRMAction 03XInvoking 32-bit handler 0<3<3X#GP 131Invoking 32-bit handler 1<3<31 #GP, VIF and VIP available 130 Redirecting to V86 handler - save FLAGS with NT=0 and IOPL=0 on the stack - save CS:IP on the stack - clear IF and TF - loads CS:IP from V86 interrupt vector 1<3<30 Redirecting to V86 handler, VIF and VIP available - save FLAGS with IOPL=3 and IF←VIF on the stack - save CS:IP on the stack - clear VIF and TF - loads CS:IP from V86 interrupt vector
V86 interrupt handling for class 3 – II Redirection map in the TSS Easier system calls for 16-bit OS Using INT n as system calls INT 21 in the MS-DOS