Microprocessors system architectures – IA32 real

and virtual-8086 mode

Jakub Yaghob

Compatibility with 16-bit code

Advantages Allows execution of an older code

Disadvantages Supports programmer laziness/persistence

IA-32 compatibility modes Real mode Virtual-8086 mode

Compatibility mode comparison Common characteristic

Binary code compatibility with predecessors of IA-32 (8086, 80186, 80286) Possibility to use some 32-bit features

Real mode Nearly compatible with 8086 Starting CPU mode after the RESET Minimal support from OS No protection mechanisms Some important IA-32 features are not available (paging)

Virtual-8086 mode More differences against 8086 Part of the protected mode, cannot run without it Complicated emulation software Keeps protection Uses all features of IA-32 (including paging) Virtualization – more VM86 machines at the same moment Cannot be entered from the long mode

Real mode Usage

CPU starting mode Does not need memory structures, excluding interrupt vector

To this date used for some recovery software No protection

Features Real mode address translation Instruction operands 8- or 16-bit

It is possible to enable 32-bit operation using an instruction prefix Only 16-bit registers are available

Higher parts only using an instruction prefix Including IP and FLAGS

16-bit stack Interrupt vector

Relocatable using LIDT All instruction from 80286 and 80287 supported FS and GS available for IA-32 CPUs

Real mode address translation Paging

Not supported Segmentation

Simulates 8086 behavior No descriptor tables Segment attributes set to simulate real mode

Based address derive from the visible part Base = selector * 16

Segment limit: 216-1 Segment type: code-writable

Inaccurate 8086 memory model Address computed in 32 bits HMA – available memory in the range 100000h-10FFFFh

16-bit address modes

16-bit instructions use 16-bit address mode Offset = [Base] + [Index] + [Displacement]

Base = BX, BP Index = SI, DI

Use 32-bit address mode with an instruction prefix

Interrupt system

Relocatable vector (IDTR) Positioned on address 0 Real mode format: far 16-bit pointers

Interrupt handling Only FLAGS stored Only IP changes Stack pointer is only SP

Virtual-8086 mode Special task running in the protected mode Structure of a V86 task

32-bit TSS The 8086 program A V86 monitor

Must run on CPL=0 Interrupt and exception handling I/O emulation Access to the V86 memory

8086 OS services 16-bit OS implemented inside the V86 16-bit OS implemented using 32-bit OS

Paging in V86

CPU translates V86 addresses to linear addresses Linear address can use paging Advantages

More V86 tasks at a time Lower 1MB mapped to different physical memory

Emulating 1MB address space of the 8086 Mapping range 100000h-10FFFFh to 0h-0FFFFh

Sharing „ROM“ contents Memory mapped I/O

Protection within V86 task

Protection is not enforced between the segments Protection possibilities

Reserving lower 1MB+64K for V86 tasks V86 cannot generate addresses out of this range

Paging protection V86 monitor has U/S=0

Sensitive instructions IOPL sensitive: CLI, STI, PUSHF, POPF, INT n, IRET Not IOPL sensitive: IN, OUT, INS, OUTS If IOPL<3, then sensitive instructions invoke #GP

Entering V86 mode CPU runs in V86, if EFLAGS[VM]=1 How to set it

Task switch Reading EFLAGS from TSS before segment registers loading

Return from interrupt handler IRET Reading EFLAGS from the stack

VM flag checks Segment register loading

How to set segment registers caches Instruction decoding

Instructions not supported by V86 Instructions sensitive on IOPL

Access rights V86 always runs with CPL=3

Entering and leaving VM86 – I

Entering and leaving VM86 – II

1. Task switch2. HW interrupt/exception, INT n when IOPL=33. #GP caused by INT n, IRET, POPF, PUSHF, IN,

OUT when IOPL<34. Normal return from protected mode

interrupt/exception handler5. A return from V86 monitor to redirect an

interrupt/exception6. Internal redirection of INT n when VME=1, IOPL<3

and the redirection bit is 1

Leaving V86

Only through an interrupt or exception HW external interrupt An exception caused by V86 code INT n handler

It is possible to directly redirect it back to V86 code RESET or INIT HLT instruction causes #GP

V86 I/O

Protection Protection of all ports V86 performs I/O directly (no protection) Access specific I/O ports

I/O map in the TSS Access specific I/O memory mapped ports

Paging

Interrupt and exception handling in V86 All interrupts divided into classes

Class 1 All exceptions All HW interrupts including NMI

Class 2 Maskable HW interrupts when CR4[VME] =1

Class 3 All INT n

Moreover, handling of classes 2 and 3 depends IOPL setting

Working with EFLAGS[IF], EFLAGS[VIF], EFLAGS[VIP] CR4[VME] setting INT n redirection map in TSS Virtual interrupt support EFLAGS[VIF], EFLAGS[VIP]

V86 interrupt handling for class 1 – I 32-bit interrupt-, trap-, task-gate

Switches to 32-bit and CPL=0 Saves the state of the segment registers Clears the segment registers DS, ES, GS, FS

SS:ESP already contains an address for the stack 0 CS:EIP already contains interrupt handler address

Clearing flags VM, NT, RF, TF in EFLAGS Begins execution of interrupt handler

Handling interrupts for V86 Check EFLAGS[VM] on the stack Handling in the protected mode Invoking V86 monitor V86 monitor can invoke V86 handler

V86 interrupt handling for class 1 – II

V86 interrupt handling for class 1 – III

Invoking V86 handler from V86 monitor Use the 8086 interrupt vector to locate V86 handler

address Copy FLAGS and CS:IP from the stack 0 to the V86 stack

(CPL 3) Change return address on the stack 0 to the V86 handler Return using IRET to the V86 IRET in V86 causes #GP and invokes V86 monitor Copy FLAGS from stack 3 to stack 0 Set CS:IP on stack 0 to original address of V86 interrupt Return using IRET to the V86

V86 interrupt handling for class 2 – I Maskable V86 interrupt handling using virtual interrupts

Activated by CR4[VME]=1 and IOPL<3 Flags VIF and VIP in EFLAGS Reduces V86 monitor calls when working with IF (PUSHF, POPF, STI, CLI)

Virtualization CLI and STI work with VIF PUSHF saves VIF instead of IF POPF loads VIF from IF, IF remains intact VIP records existence of deferred (pending) maskable HW

interrupt VIP checked by CPU, never set; set by SW

V86 interrupt handling for class 2 – II Handling maskable HW interrupt

Invoke 32-bit handler Switch to 32-bit and CPL=0 Save the V86 state on the stack 0 Clear the segment registers Clear the VM flag in EFLAGS Begin execution of a 32-bit interrupt handler

Check EFLAGS[VM] on the stack 0 If the flag is set, call V86 monitor

V86 monitor checks VIF in EFLAGS If VIF=0, set the VIP and return to the 32-bit interrupt handler If VIF=1, can be handled as class 1

Return back to V86

V86 interrupt handling for class 2 – III

Deferring interrupt using the flag VIP Before the VIF is set (POPF, STI), CPU in V86

checks If VIP=0, VIF is set and continue If VIP=1, #GP exception is invoked

The #GP exception calls V86 monitor Handle the deferred interrupt Clear VIP and set VIF in EFLAGS on the stack Return to V86

V86 interrupt handling for class 3 – I SW interrupt handling (INT n)

BRM=Bit in Redirection Map in the TSS

VME IOPL BRM Action0 3 X Invoking 32-bit handler0 <3 X #GP1 3 1 Invoking 32-bit handler

1 <3 1 #GP, VIF and VIP available

1 3 0

Redirecting to V86 handler- save FLAGS with NT=0 and IOPL=0 on the stack- save CS:IP on the stack- clear IF and TF- loads CS:IP from V86 interrupt vector

1 <3 0

Redirecting to V86 handler, VIF and VIP available- save FLAGS with IOPL=3 and IF←VIF on the stack- save CS:IP on the stack- clear VIF and TF- loads CS:IP from V86 interrupt vector

V86 interrupt handling for class 3 – II Redirection map in the TSS

Easier system calls for 16-bit OS Using INT n as system calls

INT 21 in the MS-DOS