5-28 Vol. 3A
PROTECTION
5.11.1 Page-Protection
Flags
Protection information for pages is contained in two flags in a paging-structure entry (see Chapter 4): the
read/write flag (bit 1) and the user/supervisor flag (bit 2). The protection checks use the flags in all paging struc-
tures.
5.11.2
Restricting Addressable Domain
The page-level protection mechanism allows restricting access to pages based on two privilege levels:
•
Supervisor mode (U/S flag is 0)—(Most privileged) For the operating system or executive, other system
software (such as device drivers), and protected system data (such as page tables).
•
User mode (U/S flag is 1)—(Least privileged) For application code and data.
The segment privilege levels map to the page privilege levels as follows. If the processor is currently operating at
a CPL of 0, 1, or 2, it is in supervisor mode; if it is operating at a CPL of 3, it is in user mode. When the processor is
in supervisor mode, it can access all pages; when in user mode, it can access only user-level pages. (Note that the
WP flag in control register CR0 modifies the supervisor permissions, as described in Section 5.11.3, “Page Type.”)
Note that to use the page-level protection mechanism, code and data segments must be set up for at least two
segment-based privilege levels: level 0 for supervisor code and data segments and level 3 for user code and data
segments. (In this model, the stacks are placed in the data segments.) To minimize the use of segments, a flat
memory model can be used (see Section 3.2.1, “Basic Flat Model”).
Here, the user and supervisor code and data segments all begin at address zero in the linear address space and
overlay each other. With this arrangement, operating-system code (running at the supervisor level) and application
code (running at the user level) can execute as if there are no segments. Protection between operating-system and
application code and data is provided by the processor’s page-level protection mechanism.
5.11.3 Page
Type
The page-level protection mechanism recognizes two page types:
•
Read-only access (R/W flag is 0).
•
Read/write access (R/W flag is 1).
When the processor is in supervisor mode and the WP flag in register CR0 is clear (its state following reset initial-
ization), all pages are both readable and writable (write-protection is ignored). When the processor is in user
mode, it can write only to user-mode pages that are read/write accessible. User-mode pages which are read/write
or read-only are readable; supervisor-mode pages are neither readable nor writable from user mode. A page-fault
exception is generated on any attempt to violate the protection rules.
Starting with the P6 family, Intel processors allow user-mode pages to be write-protected against supervisor-mode
access. Setting CR0.WP = 1 enables supervisor-mode sensitivity to write protected pages. If CR0.WP = 1, read-
only pages are not writable from any privilege level. This supervisor write-protect feature is useful for imple-
menting a “copy-on-write” strategy used by some operating systems, such as UNIX*, for task creation (also called
forking or spawning). When a new task is created, it is possible to copy the entire address space of the parent task.
This gives the child task a complete, duplicate set of the parent's segments and pages. An alternative copy-on-
write strategy saves memory space and time by mapping the child's segments and pages to the same segments
and pages used by the parent task. A private copy of a page gets created only when one of the tasks writes to the
page. By using the WP flag and marking the shared pages as read-only, the supervisor can detect an attempt to
write to a page, and can copy the page at that time.
5.11.4
Combining Protection of Both Levels of Page Tables
For any one page, the protection attributes of its page-directory entry (first-level page table) may differ from those
of its page-table entry (second-level page table). The processor checks the protection for a page in both its page-
directory and the page-table entries. Table 5-3 shows the protection provided by the possible combinations of
protection attributes when the WP flag is clear.