22
Task Privilege
A task always executes at one of the four privilege levels. The task privilege level at any specific instant is called the Current Privilege Level (CPL) and is defined by the lower two bits of the CS register. CPL cannot change during execution in a single code segment. A task's CPL may only be changed by control transfers through gate descriptors to a new code segment (See Control Transfer). Tasks begin executing at the CPL value specified by the code segment selector within the TSS when the task is initiated via a task switch operation (See Figure 18). A task executing at Level 0 can access all data segments defined in the GDT and the task's LDT and is considered the most trusted level. A task executing at Level 3 has the most restricted access to data and is considered the least trusted level.
Descriptor Privilege
Descriptor privilege is specified by the Descriptor Privilege Level (DPL) field of the descriptor access byte. DPL specifies the least trusted task privilege level (CPL) at which a task may access the descriptor. Descriptors with DPL = 0 are the most protected. Only tasks executing at privilege level 0 (CPL = 0) may access them. Descriptors with DPL = 3 are the least protected (i.e. have the least restricted access), since tasks can access them when CPL = 0, 1, 2, or 3. This rule applies to all descriptors, except LDT descriptors.
Selector Privilege
Selector privilege is specified by the Requested Privilege Level (RPL) field in the least significant two bits of a selector. Selector RPL may establish a less trusted privilege level than the current privilege level for the use of a selector. This level is called the task's effective privilege level (EPL). RPL can only reduce the scope of a task's access to data with this selector. A task's effective privilege is the numeric maximum of RPL and CPL. A selector with RPL = 0 imposes no additional restriction on its use, while a selector with RPL = 3 can only refer to segments at privilege Level 3 regardless of the task's CPL. RPL is generally used to verify that pointer parameters passed to a more trusted procedure are not allowed to use data at a more privileged level than the caller (refer to pointer testing instructions).
Descriptor Access and Privilege Validation
Determining the ability of a task to access a segment involves the type of segment to be accessed, the instruction used, the type of descriptor used, and CPL, RPL, and DPL. The two basic types of segment accesses are control transfer (selectors loaded into CS) and data (selectors loaded into DS, ES or SS).
Data Segment Access
Instructions that load selectors into DS and ES must refer to a data segment descriptor or a readable code segment descriptor. The CPL of the task and the RPL of the selector must be the same as or more privileged than (numerically equal to or lower than) the descriptor DPL. In general, a task can only access data segments at the same or less privileged levels than the CPL or RPL (whichever is numerically higher), to prevent a program from accessing data it cannot be trusted to use.
An exception to the rule is a readable conforming code segment. This type of code segment can be read from any privilege level.
If the privilege checks fail (e.g. DPL is numerically less than the maximum of CPL and RPL) or an incorrect type of descriptor is referenced (e.g. gate descriptor or execute-only code segment), exception 13 occurs. If the segment is not present, exception 11 is generated.
Instructions that load selectors into SS must refer to data segment descriptors for writable data segments. The descriptor privilege (DPL) and RPL must equal CPL. All other descriptor types or a privilege level violation will cause exception 13. A not-present fault causes exception 12.
TABLE 13. DESCRIPTOR TYPES USED FOR CONTROL TRANSFER

CONTROL TRANSFER TYPES                        | OPERATION TYPES                   | DESCRIPTOR REFERENCED  | DESCRIPTOR TABLE
----------------------------------------------|-----------------------------------|------------------------|-----------------
Intersegment within the same privilege levels | JMP, CALL, RET, IRET (Note 4)     | Code Segment           | GDT/LDT
Intersegment to the same or higher privilege  | CALL                              | Call Gate              | GDT/LDT
level; interrupt within task may change CPL   | Interrupt Instruction, Exception, | Trap or Interrupt Gate | IDT
                                              | External Interrupt                |                        |
Intersegment to a lower privilege level       | RET, IRET (Note 4)                | Code Segment           | GDT/LDT
(changes task CPL)                            |                                   |                        |
Task Switch                                   | CALL, JMP                         | Task State Segment     | GDT
                                              | CALL, JMP                         | Task Gate              | GDT/LDT
                                              | IRET (Note 5); Interrupt          | Task Gate              | IDT
                                              | Instruction, Exception,           |                        |
                                              | External Interrupt                |                        |

NOTES:
4. NT (Nested Task bit of flag word) = 0
5. NT (Nested Task bit of flag word) = 1
80C286