Marven Lee wrote:
> I've always assumed that privilege levels above user processes were
> just slightly less privileged parts of the kernel.
This is correct, but you can _also_ consider CPL1/2 processes as
"over-priviledged processes." This is particularly true when you
consider IOPL, which allow(ed) you to fine-grain the upper level where
hardware-driving processes are actually running, or even discriminate
among them.
> With segmentation on x86 it is relatively easy to split a process into two
> rings using PL2 and PL3.
<snip a description of a typical 3-level iAPX286 Operating system/>
> As not every CPU has segmentation then to make it more portable
This implies that pagination is "more portable" than segmentation. In
fact there are two different partitions between CPU architectures, each
with two sets: one being "the CPUs with segmentation, or without", and
the other being "the CPUs with pagination (MMU), or without." The fun of
the i386 architecture (not iAPX286, not amd64) is that it ends being on
both cases in the "with" set, but this is an awkward consequence of the
history, not really a feature. In the general case, as soon as the CPU
is decided you end up being in one or the other set (i.e paginated or
segmented); and if you are real serious about been portable, you need to
support independently both segmentation and pagination, at the general
design level (i.e. not at the applicative level of the various Intel
architecture as you are doing.)
I would argue this make the architecture much more complex, too complex.
> It's a pity x86-64 long mode doesn't support segmentation,
Huh?
Last time I looked, in long mode, any code running in 16-bit or 32-bit
segments are using the segmentation features of the processor. This
allows any process to run segmented, as long as the address space it
needs is less than (or equal to) 4GB. Which I still consider an awful
big address space for most processes, particularly when the interest is
put on hardware control or sandboxing, where having more than 2 levels
of protection might matter (this is in opposition to number crunching or
database management which are typical use of multi-TB-address-space
process, but where inter-process protection is not as much mandatory.)
> It could
> have allowed many large 4GB+ sandboxes in a single address space.
> Perhaps a mode a bit like virtual-8086 mode could have been added
> with a single base and limit.
Vanderpool and Pacifica do exactly that.
Antoine