Model-Specific Registers - PowerPoint PPT Presentation

About This Presentation
Title: Model-Specific Registers
Slides: 33
Provided by: cru6
Learn more at: https://www.cs.usfca.edu

Transcript and Presenter's Notes

1
Model-Specific Registers
  • A look at Intel's scheme for introducing new CPU
    features

2
Microprocessor evolution

  8080 (1974)            64K memory, 8-bit registers (no mul/div, no FPU)
  8086 (1978)            1M memory, 16-bit registers, I/O ports (8087 FPU option)
  80186 (1982)           ins/outs, shift/rotate-immediate, integrated DMA/PIC/timers
  80286 (1982)           16M memory, protected-mode multitasking (80287 option)
  80386 (1985)           4GB memory, 32-bit registers, paging (287/387 options); added test registers TR6, TR7
  80486 (1989)           integrated FPU, RISC-style pipelining, caching, xadd (APIC option); added TR3, TR4, TR5
  80586 Pentium (1993)   integrated local APIC, MSRs, dual pipelines, branch prediction; removed TR3, TR4, TR5, TR6, TR7
                         (the MMX instructions followed with the Pentium MMX in 1997)
3
The Model-Specific concept
  • Beginning with the Pentium processor, Intel has
    been including experimental features in its
    processors, warning that they may disappear from
    future designs, but providing a standard and
    permanent way for all such features to be
    accessed
  • This access is via a pair of privileged
    instructions (rdmsr and wrmsr) that can only be
    executed by ring0 code (CPL 0): executing them
    from ring3 raises a #GP fault, as does naming an
    MSR index the processor does not implement

4
Quite a few MSRs now!
  • At first there were only about a dozen of these
    MSRs (Model-Specific Registers), but lately their
    number is well over 200
  • Some MSRs have evidently proven sufficiently
    satisfactory and worth having that they are now
    deemed permanent fixtures of the IA-32
    architecture; Intel calls these "architectural"
    MSRs and names them with an IA32_ prefix
    (IA32_APIC_BASE, IA32_EFER, ...)

5
The Time-Stamp Counter
  • This 64-bit Model-Specific Register was
    introduced in the Pentium processor and has been
    present in each CPU thereafter
  • On the Pentium it increments once every CPU
    clock-cycle, starting from 0 when power is turned
    on (later processors with an "invariant TSC"
    increment it at a constant rate that does not
    follow the core clock, so the count is ticks, not
    cycles)
  • It won't overflow for at least ten years
  • Unprivileged programs (ring3) normally can
    access it via the rdtsc instruction (unless the
    OS sets CR4.TSD, which makes rdtsc ring0-only)

6
Using the TSC
The 64-bit counter is returned in the EDX:EAX register-pair:
EDX holds bits 63..32 and EAX holds bits 31..0.

        time0:  .quad   0       # saves starting value from the TSC
        time1:  .quad   0       # saves concluding value from TSC

        # how you can measure CPU clock-cycles in a code-fragment
                rdtsc                   # read the Time-Stamp Counter
                movl    %eax, time0+0   # save least-significant longword
                movl    %edx, time0+4   # save most-significant longword

                <Your code-fragment to be measured goes here>

                rdtsc                   # read the Time-Stamp Counter
                movl    %eax, time1+0   # save least-significant longword
                movl    %edx, time1+4   # save most-significant longword

        # now subtract starting-value time0 from ending value time1

Caveat: rdtsc is not a serializing instruction, so the CPU may execute
it before earlier instructions of the fragment have completed; bracket
it with a serializing instruction (cpuid) or lfence, or use rdtscp for
the second reading, when the measurement has to be exact.
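As an added example (not code from the slides), the same measurement done from C in ring 3: the counter comes back split across EDX:EAX exactly as in the assembly above, and the fences around rdtsc supply the serialization the bare instruction lacks. The sample array and the timed_sum workload are constructed for this example; on a non-x86 build the block substitutes clock() so it still compiles.

```c
/* Added example (not from the slides): timing a code fragment with the
 * Time-Stamp Counter from ring 3, the way slide 6 does it in assembly.
 * Assumes an x86 CPU with CR4.TSD clear (the normal case); on any other
 * architecture it falls back to clock() so the file still compiles. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <time.h>

/* rdtsc returns the counter split across EDX:EAX; this rebuilds the
 * 64-bit value exactly as the slide's two movl instructions store it. */
static uint64_t tsc_merge(uint32_t edx, uint32_t eax)
{
    return ((uint64_t)edx << 32) | eax;
}

static uint64_t tsc_read(void)
{
#if defined(__x86_64__) || defined(__i386__)
    uint32_t lo, hi;
    /* rdtsc is not serializing: without the fences the CPU may reorder it
     * around the fragment being measured. */
    __asm__ __volatile__("lfence\n\trdtsc\n\tlfence"
                         : "=a"(lo), "=d"(hi) : : "memory");
    return tsc_merge(hi, lo);
#else
    return (uint64_t)clock();   /* portable stand-in, not cycles */
#endif
}

/* The "code-fragment to be measured": a constructed workload. */
typedef struct { uint64_t result; uint64_t cycles; } timed_sum_t;

static timed_sum_t timed_sum(const uint32_t *v, size_t n)
{
    timed_sum_t t;
    uint64_t time0 = tsc_read();          /* the slide's time0 */
    uint64_t sum = 0;
    for (size_t i = 0; i < n; i++)
        sum += v[i];
    uint64_t time1 = tsc_read();          /* the slide's time1 */
    t.result = sum;
    t.cycles = time1 - time0;             /* time1 - time0, modulo 2^64 */
    return t;
}

/* Constructed sample input. */
static const uint32_t sample[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };

static uint64_t sample_sum(void)
{
    return timed_sum(sample, 8).result;
}

int main(void)
{
    timed_sum_t t = timed_sum(sample, 8);
    printf("sum=%llu, elapsed=%llu counter ticks\n",
           (unsigned long long)t.result, (unsigned long long)t.cycles);
    return 0;
}
```

Pin the thread to one CPU while timing; the result is in TSC ticks, which on an invariant-TSC processor are not core cycles, and a first run includes cache misses that a repeated run does not.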
7
The TSC as an MSR
  • Each Model-Specific Register has its own
    identifying register-number, and it can be
    accessed (from ring0) using the special pair of
    instructions rdmsr and wrmsr
  • The Time-Stamp Counter is MSR number 0x10
    (IA32_TIME_STAMP_COUNTER)
  • To write a new 64-bit value into the TSC, you
    load the desired 64-bit value into the EDX:EAX
    register-pair, you put the MSR ID-number 0x10
    into register ECX, then you execute wrmsr

8
IA32_APIC_BASE
  • This register has MSR number 0x1B and is private
    to each logical CPU in an SMP system
  • It establishes the base-address for the
    Local APIC's memory-mapped registers (the default
    base-address is 0xFEE00000, but that can be
    changed using this MSR)
  • The CPU's Local-APIC functions can be either
    enabled or disabled (via bit 11)
  • The BSP can be recognized (via bit 8)

9
Relocating the APIC registers
IA32_APIC_BASE (64 bits)

  bits 63..36   reserved
  bits 35..12   APIC base-address (4K page-number); bits 31..12 on the
                slide's diagram, MAXPHYADDR-1..12 in general
  bit  11       Local-APIC Enable bit (1=enabled, 0=disabled)
  bits 10..9    reserved
  bit  8        Boot-Strap Processor (read-only) 1=yes, 0=no
  bits 7..0     reserved
  Default value for the APIC base-address page is 0xFEE00

        # make the processor's Local-APIC registers accessible in real-mode
        movl    $0x000D8800, %eax       # least-significant 32-bits: page 0xD8, Enable-bit set
        movl    $0x00000000, %edx       # most-significant 32-bits
        movl    $0x1B, %ecx             # MSR register-number
        wrmsr                           # write to specified MSR

Note the Enable bit in the value written: 0x000D8000 (bit 11 clear) would
disable the Local-APIC rather than relocate its registers, and on many
processors a disabled Local-APIC cannot be re-enabled without a reset.
10
Extended Feature Enable Register
  • This Model-Specific Register (MSR) was introduced
    in the AMD64 architecture and perpetuated by
    EM64T (for compatibility)

EFER (64 bits)
  bit 0    SCE   SysCall/sysret is Enabled (1=yes, 0=no)
  bit 8    LME   Long-Mode is Enabled (1=yes, 0=no)
  bit 10   LMA   Long-Mode is Active (1=yes, 0=no; read-only, set by
                 the CPU when paging is enabled while LME=1)
  bit 11   NXE   Non-eXecutable pages Enabled (1=yes, 0=no)
  all other bits reserved (read them and write them back unchanged)

NOTE: The MSR address-index for EFER is 0xC0000080, and this register
is accessed using the RDMSR or WRMSR instructions
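An added example, not part of the original slides, that models the rdmsr/wrmsr register convention and decodes the two MSRs described on slides 8 to 10. Because the instructions are ring-0 only, the block reads live values through Linux's msr driver (/dev/cpu/N/msr, which needs root and the msr module) when that is available and otherwise uses constructed values (0xFEE00900 for IA32_APIC_BASE, 0xD01 for EFER); the function and type names are this example's own.

```c
/* Added example (not from the slides): the EDX:EAX plumbing of rdmsr/wrmsr
 * and the layout of IA32_APIC_BASE (0x1B) and EFER (0xC0000080) as the
 * slides describe them. rdmsr/wrmsr are ring-0 only, so from user space
 * this reads through Linux's msr driver (/dev/cpu/N/msr: needs root and
 * `modprobe msr`); when that is unavailable it decodes constructed values. */
#include <stdint.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>

#define MSR_IA32_TIME_STAMP_COUNTER 0x10u
#define MSR_IA32_APIC_BASE          0x1Bu
#define MSR_IA32_EFER               0xC0000080u

/* wrmsr takes the new value as EDX (bits 63..32) and EAX (bits 31..0);
 * rdmsr returns it the same way. */
static uint32_t msr_edx(uint64_t v) { return (uint32_t)(v >> 32); }
static uint32_t msr_eax(uint64_t v) { return (uint32_t)v; }
static uint64_t msr_merge(uint32_t edx, uint32_t eax)
{
    return ((uint64_t)edx << 32) | eax;
}

/* IA32_APIC_BASE: bit 8 BSP (read-only), bit 11 EN (global enable),
 * bits MAXPHYADDR-1..12 the 4K page number of the register window. */
typedef struct { uint64_t base; int enabled; int bsp; } apic_base_t;

static apic_base_t apic_base_decode(uint64_t v)
{
    apic_base_t a;
    a.bsp     = (int)((v >> 8) & 1);
    a.enabled = (int)((v >> 11) & 1);
    a.base    = v & 0x000FFFFFFFFFF000ULL;   /* assumes MAXPHYADDR <= 52 */
    return a;
}

/* Value to write when relocating the window (slide 9). Keeps EN set,
 * because clearing it disables the local APIC; BSP is read-only, so it
 * is not encoded. */
static uint64_t apic_base_encode(uint64_t base, int enable)
{
    return (base & 0x000FFFFFFFFFF000ULL) | ((uint64_t)(enable & 1) << 11);
}

/* EFER: bit 0 SCE, bit 8 LME, bit 10 LMA (read-only), bit 11 NXE. */
typedef struct { int sce, lme, lma, nxe; } efer_t;

static efer_t efer_decode(uint64_t v)
{
    efer_t e = { (int)(v & 1), (int)((v >> 8) & 1),
                 (int)((v >> 10) & 1), (int)((v >> 11) & 1) };
    return e;
}

/* The read-modify-write of slide 20, applied to a value rather than the
 * live register: every other bit is preserved, only LME is set. */
static uint64_t efer_with_lme(uint64_t v)
{
    return v | (1ULL << 8);
}

/* Read an MSR via Linux's msr driver: the MSR index is the file offset.
 * Returns 0 on success, -1 if the device is absent or not permitted. */
static int msr_read_linux(int cpu, uint32_t index, uint64_t *out)
{
    char path[64];
    snprintf(path, sizeof path, "/dev/cpu/%d/msr", cpu);
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = pread(fd, out, sizeof *out, (off_t)index);
    close(fd);
    return n == (ssize_t)sizeof *out ? 0 : -1;
}

int main(void)
{
    /* Constructed values: what a BSP running a 64-bit OS typically shows. */
    uint64_t apic = 0x00000000FEE00900ULL, efer = 0x0000000000000D01ULL;
    msr_read_linux(0, MSR_IA32_APIC_BASE, &apic);   /* live value if permitted */
    msr_read_linux(0, MSR_IA32_EFER, &efer);

    apic_base_t a = apic_base_decode(apic);
    efer_t e = efer_decode(efer);
    uint64_t reloc = apic_base_encode(0xD8000, 1);   /* slide 9's relocation */

    printf("APIC base %#llx enabled=%d bsp=%d\n",
           (unsigned long long)a.base, a.enabled, a.bsp);
    printf("EFER sce=%d lme=%d lma=%d nxe=%d\n", e.sce, e.lme, e.lma, e.nxe);
    printf("relocate to 0xD8000: edx=%#x eax=%#x\n", msr_edx(reloc), msr_eax(reloc));
    return 0;
}
```

The same /dev/cpu/N/msr path also accepts pwrite for wrmsr; writing reserved bits, or a value the driver's allow-list rejects, fails with EIO or EPERM rather than the #GP the bare instruction would raise.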
11
The x86 operating modes
  • Real mode (the mode at power-on)
  • Protected mode
  • Virtual-8086 mode (entered from protected mode)
  • System Management mode
  • IA-32e mode, with two sub-modes: 64-bit mode and
    compatibility mode
12
Why the CPU's mode matters
  • Key differences among the x86 modes
  • How memory is addressed and mapped
  • What instruction-set is available
  • Which registers are accessible
  • Which exceptions may be generated
  • What data-structures are required
  • How task-switching can be accomplished
  • How interrupts will be processed

13
Mode transitions
  • The processor starts up in real mode
  • Mode-transitions normally happen under program
    control (except for transitions to the so-called
    System Management Mode)
  • Details of programming a mode-change depend on
    which modes are involved
  • Some mode-transfers aren't possible
  • 64-bit mode offers a lot of surprises

14
Registers in 64-bit mode
  Widened to 64 bits:    EAX → RAX, ECX → RCX, EDX → RDX, EBX → RBX,
                         ESP → RSP, EBP → RBP, ESI → RSI, EDI → RDI,
                         EIP → RIP, EFLAGS → RFLAGS
  New general registers: R8, R9, R10, R11, R12, R13, R14, R15
  New control register:  CR8 (task-priority register)
  Still present:         CR0, CR2, CR3, CR4, DR0, DR1, DR2, DR3, DR6, DR7

  Sub-registers of RAX:  RAX = bits 63..0, EAX = bits 31..0,
                         AX = bits 15..0, AL = bits 7..0
  Writing a 32-bit register (e.g., EAX) zero-extends the result into the
  upper half of the 64-bit register; 16-bit and 8-bit writes leave the
  remaining bits unchanged.
15
Some missing features
  • Memory-segmentation is turned off
  • Base-address is zero for CS, DS, ES, SS (FS and
    GS keep a base, taken from the IA32_FS_BASE and
    IA32_GS_BASE MSRs)
  • Segment-limit checking is not performed
  • Certain familiar instructions no longer are
    defined while executing in 64-bit-mode
  • Cannot use pusha and popa
  • Cannot ljmp or lcall with direct addressing
    (only the indirect forms, through a memory
    operand, remain)
  • Cannot use lahf and sahf (on early 64-bit
    processors; later ones report support via
    CPUID.80000001h:ECX bit 0)

16
canonical addresses
  Analogy using 5-bit values of which only the low 3 bits are
  implemented: bits 4 and 3 must copy bit 2, so
    canonical:      00000 .. 00111 and 11000 .. 11111
    non-canonical:  01000 .. 10111 (invalid virtual addresses)

  64-bit virtual address space with 48 implemented bits (bits 63..48
  must copy bit 47):
    canonical:      0x0000000000000000 .. 0x00007FFFFFFFFFFF
    non-canonical:  0x0000800000000000 .. 0xFFFF7FFFFFFFFFFF
    canonical:      0xFFFF800000000000 .. 0xFFFFFFFFFFFFFFFF
  A memory reference through a non-canonical address faults (#GP, or
  #SS for a stack reference) before any page-table lookup is made.
17
4-Levels of mapping
  64-bit canonical virtual address:
    bits 63..48   sign-extension (copies of bit 47)
    bits 47..39   PML4 index  → Page Map Level-4 Table (located by CR3)
    bits 38..30   PDPT index  → Page Directory Pointer Table
    bits 29..21   PDIR index  → Page Directory
    bits 20..12   PTBL index  → Page Table
    bits 11..0    offset      → within the 4KB Page Frame
  Each mapping-table contains up to 512 quadword-size entries (one 4KB
  page per table)
18
4-level address-translation
  • The CPU examines any virtual address it
    encounters, subdividing it into five fields
    (after the sign-extension bits):

    bits 63..48   sign-extension                            16 bits
    bits 47..39   index into level 4 page-map table          9 bits
    bits 38..30   index into page-directory pointer table    9 bits
    bits 29..21   index into page-directory                  9 bits
    bits 20..12   index into page-table                      9 bits
    bits 11..0    offset into page-frame                    12 bits

  Any 48-bit virtual-address is sign-extended to a 64-bit canonical
  address
  Only canonical 64-bit virtual-addresses are legal in 64-bit mode
19
Format of 64-bit table-entries
Physical addresses on our current Core-2 CPUs are only 40 bits, so an
entry is laid out as:

    bit  63        EXB   Execution-disabled Bit (honoured only if EFER.NXE=1)
    bits 62..52    avl   available for user-defined purposes
    bits 51..40          Reserved (must be 0)
    bits 39..12          Page-frame physical base-address 39..12
    bits 11..9     avl   available for user-defined purposes
    bits 8..6            meaning varies with the table (Global,
                         Page-Size/PAT, Dirty)
    bit  5         A     Accessed (1=yes, 0=no)
    bit  4         PCD   Page Cache Disable (1=yes, 0=no)
    bit  3         PWT   Page Write-Through (1=yes, 0=no)
    bit  2         U     User-page (1=yes, 0=no)
    bit  1         W     Writable (1=yes, 0=no)
    bit  0         P     Present (1=yes, 0=no)

Meaning of these bits varies with the table. On a processor with a
larger MAXPHYADDR the base-address field grows upward (to bit 51 at
most) and the reserved field shrinks; setting a reserved bit makes the
entry fault with the RSVD error-code bit set.
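An added example (not from the slides) that builds a small set of 4-level mapping tables in a simulated physical-memory arena, identity-maps the first 2MB with 4KB pages, and then walks them the way slides 16 to 19 describe, including the canonical check and the EXB/NXE fetch check. The arena placement at simulated physical 0x1000..0x4FFF, the fault codes and the function names are assumptions of this model, not from the slides.

```c
/* Added example (not from the slides): the 4-level translation of slides
 * 16-19, run against mapping tables built in memory. A simulated
 * "physical memory" arena stands in for RAM; the tables live at simulated
 * physical 0x1000..0x4FFF (an assumption of this model) and identity-map
 * the first 2MB with 4KB pages. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PTE_P    (1ULL << 0)
#define PTE_W    (1ULL << 1)
#define PTE_U    (1ULL << 2)
#define PTE_XD   (1ULL << 63)           /* "EXB": honoured only if EFER.NXE=1 */
#define PTE_ADDR 0x000FFFFFFFFFF000ULL  /* bits 51..12 (39..12 on the Core 2) */

#define ARENA_BASE 0x1000ULL            /* simulated physical address of PML4 */
static uint64_t arena[4 * 512];         /* PML4, PDPT, PD, PT: 4 x 4KB */

/* Map a simulated physical table address to its storage. */
static uint64_t *table_at(uint64_t pa)
{
    return &arena[(pa - ARENA_BASE) / 8];
}

/* Canonical: bits 63..48 equal bit 47, i.e. the top 17 bits are all 0 or all 1. */
static int is_canonical(uint64_t va)
{
    uint64_t top = va >> 47;
    return top == 0 || top == 0x1FFFF;
}

/* Slide 18's five fields. */
typedef struct { unsigned pml4, pdpt, pd, pt; uint64_t offset; } va_fields_t;

static va_fields_t split_va(uint64_t va)
{
    va_fields_t f;
    f.pml4   = (unsigned)((va >> 39) & 0x1FF);
    f.pdpt   = (unsigned)((va >> 30) & 0x1FF);
    f.pd     = (unsigned)((va >> 21) & 0x1FF);
    f.pt     = (unsigned)((va >> 12) & 0x1FF);
    f.offset = va & 0xFFF;
    return f;
}

/* Build CR3 -> PML4[0] -> PDPT[0] -> PD[0] -> PT[0..511], identity-mapping
 * 0..2MB. The frame at physical 0 is marked XD to show the EXB bit.
 * Returns the value that would be loaded into CR3. */
static uint64_t build_identity_2mb(void)
{
    memset(arena, 0, sizeof arena);
    uint64_t *pml4 = table_at(0x1000), *pdpt = table_at(0x2000);
    uint64_t *pd   = table_at(0x3000), *pt   = table_at(0x4000);
    pml4[0] = 0x2000 | PTE_P | PTE_W;
    pdpt[0] = 0x3000 | PTE_P | PTE_W;
    pd[0]   = 0x4000 | PTE_P | PTE_W;
    for (unsigned i = 0; i < 512; i++)
        pt[i] = ((uint64_t)i << 12) | PTE_P | PTE_W;
    pt[0] |= PTE_XD;
    return 0x1000;
}

/* Walk the tables as the CPU does. 0 = success (physical address in *pa);
 * -1 = non-canonical (#GP); -2 = entry not present (#PF, P=0);
 * -3 = instruction fetch from an XD page while NXE is set (#PF). */
static int translate(uint64_t cr3, uint64_t va, int fetch, int nxe, uint64_t *pa)
{
    if (!is_canonical(va))
        return -1;
    va_fields_t f = split_va(va);
    unsigned idx[4] = { f.pml4, f.pdpt, f.pd, f.pt };
    uint64_t *table = table_at(cr3 & PTE_ADDR);
    uint64_t entry = 0, xd = 0;
    for (int level = 0; level < 4; level++) {
        entry = table[idx[level]];
        if (!(entry & PTE_P))
            return -2;
        xd |= entry & PTE_XD;            /* XD at any level disables execution */
        if (level < 3)
            table = table_at(entry & PTE_ADDR);
    }
    if (fetch && nxe && xd)
        return -3;
    *pa = (entry & PTE_ADDR) | f.offset;
    return 0;
}

/* Build the tables, translate one address, return the physical address
 * or the negative fault code. */
static int64_t lookup(uint64_t va, int fetch, int nxe)
{
    uint64_t cr3 = build_identity_2mb(), pa = 0;
    int rc = translate(cr3, va, fetch, nxe, &pa);
    return rc ? rc : (int64_t)pa;
}

int main(void)
{
    printf("0x12345           -> %lld\n", (long long)lookup(0x12345, 0, 1));
    printf("0x200000          -> %lld (unmapped)\n", (long long)lookup(0x200000, 0, 1));
    printf("0x0000800000000000-> %lld (non-canonical)\n",
           (long long)lookup(0x0000800000000000ULL, 0, 1));
    printf("fetch 0x10, NXE=1 -> %lld (XD)\n", (long long)lookup(0x10, 1, 1));
    return 0;
}
```

The XD check accumulates across all four levels because the CPU treats a page as non-executable if any entry on the path has bit 63 set; clearing EFER.NXE does not clear the bits, it just stops them being honoured.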
20
RDMSR and WRMSR
  • An assembly language code-fragment to turn on the
    LME-bit (Long-Mode Enable)

Each Model-Specific Register (MSR) is 64-bits wide and has a unique
32-bit address-index which is first placed into register ECX. Then the
least-significant 32-bits of that MSR is accessed using register EAX,
while the most-significant 32-bits is accessed using register EDX.

        movl    $0xC0000080, %ecx       # setup EFER address-index
        rdmsr                           # read EFER into (EDX,EAX)
        btsl    $8, %eax                # set the LME-bit's image to 1
        wrmsr                           # write (EDX,EAX) into EFER

NOTE: RDMSR and WRMSR must be executed at Ring0 privilege-level. The
read-modify-write order matters: WRMSR raises #GP if any reserved EFER
bit is set in the value written, so the other bits are read first and
written back unchanged.
21
Control Registers CR4 and CR0
Control Register CR4 (bits not listed are reserved and must be 0):
    bit 0   VME     Virtual-8086 Mode Extensions
    bit 1   PVI     Protected-mode Virtual Interrupts
    bit 2   TSD     Time-Stamp Disable (1 makes rdtsc ring0-only)
    bit 3   DE      Debugging Extensions
    bit 4   PSE     Page-Size Extensions
    bit 5   PAE     Physical Address Extension
    bit 6   MCE     Machine-Check Enable
    bit 7   PGE     Page Global Enable
    bit 8   PCE     Performance-Counter Enable
    bit 9   OSFXSR
    bit 10  OSXMMEXCPT
    bit 13  VMXE    Virtual-Machine Extensions Enable

Control Register CR0 (bits not listed are reserved):
    bit 0   PE      Protected-mode Enable
    bit 1   MP      Monitor coProcessor
    bit 2   EM      Emulation
    bit 3   TS      Task Switched
    bit 4   ET      Extension Type
    bit 5   NE      Numeric Error
    bit 16  WP      Write Protect
    bit 18  AM      Alignment Mask
    bit 29  NW      Not Write-through
    bit 30  CD      Cache Disable
    bit 31  PG      Paging

Legend (for 64-bit mode): PE Protected-mode Enabled (1=yes, 0=no);
PG Paging Enabled (1=yes, 0=no); PAE Physical Address Extension
(1=enabled, 0=disabled; must be 1 before IA-32e mode can be activated)
22
Segment-Descriptor Format
64-bit code-segment (LONG mode), 8 bytes:

    bits 63..56   Base 31..24 (used only if L=0)
    bit  55       G
    bit  54       D (must be 0 when L=1; L=1 with D=1 is reserved)
    bit  53       L
    bit  52       AVL
    bits 51..48   Limit 19..16 (used only if L=0)
    bit  47       P
    bits 46..45   DPL
    bit  44       S
    bit  43       X
    bit  42       C / D
    bit  41       R / W
    bit  40       A
    bits 39..32   Base 23..16 (used only if L=0)
    bits 31..16   Base 15..0 (used only if L=0)
    bits 15..0    Limit 15..0 (used only if L=0)

Legend: DPL Descriptor Privilege Level (0..3); G Granularity (0=byte,
1=4KB-page); P Present (0=no, 1=yes); D Default size (0=16-bit,
1=32-bit); S System (0=yes, 1=no); X eXecutable (0=no, 1=yes);
A Accessed (0=no, 1=yes); for code-segments: R Readable (0=no, 1=yes),
C Conforming (0=no, 1=yes); for data-segments: W Writable (0=no, 1=yes),
D expands-Down (0=no, 1=yes); L Long-mode (i.e., 64-bit addressing)
(0=no, 1=yes); AVL Available for user's purposes
23
IA-32e Call-Gate descriptor
16-byte descriptor:

    bits 127..96   Reserved (must be 0)
    bits 95..64    offset 63..32
    bits 63..48    offset 31..16
    bit  47        P
    bits 46..45    DPL
    bit  44        0 (system descriptor)
    bits 43..40    Gate Type (1100)
    bits 39..32    Reserved (must be 0)
    bits 31..16    code-segment selector
    bits 15..0     offset 15..0

We can use a call-gate to jump from a 16-bit code-segment to a 64-bit
code-segment: the far transfer through the gate is made from
compatibility mode, and the selector in the gate must name a
code-segment descriptor with L=1
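An added example, not from the slides, that packs and unpacks the 64-bit code-segment descriptor of slide 22 and the 16-byte call gate of slide 23, and refuses the reserved L=1, D=1 combination. The field names, the helper functions and the sample selector and offset (0x08, 0x401000) are the example's own; the bit positions are those on the slides.

```c
/* Added example (not from the slides): encoding and decoding the 64-bit
 * code-segment descriptor (slide 22) and the IA-32e call gate (slide 23).
 * Field positions follow the slides; names and sample values are this
 * example's own. */
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint32_t base, limit;
    unsigned dpl, present, conforming, readable, accessed, l, d, g, avl;
} code_desc_t;

/* Pack the fields into the 8-byte layout. Returns 0 (a null descriptor)
 * if L=1 and D=1 are requested together, which the architecture reserves. */
static uint64_t code_desc_encode(const code_desc_t *c)
{
    if (c->l && c->d)
        return 0;
    uint64_t d = 0;
    d |= (uint64_t)(c->limit & 0xFFFF);                 /* limit 15..0      */
    d |= (uint64_t)(c->base & 0xFFFF) << 16;            /* base 15..0       */
    d |= (uint64_t)((c->base >> 16) & 0xFF) << 32;      /* base 23..16      */
    d |= (uint64_t)(c->accessed & 1) << 40;             /* A                */
    d |= (uint64_t)(c->readable & 1) << 41;             /* R                */
    d |= (uint64_t)(c->conforming & 1) << 42;           /* C                */
    d |= 1ULL << 43;                                    /* X = 1: code      */
    d |= 1ULL << 44;                                    /* S = 1: not system*/
    d |= (uint64_t)(c->dpl & 3) << 45;                  /* DPL              */
    d |= (uint64_t)(c->present & 1) << 47;              /* P                */
    d |= (uint64_t)((c->limit >> 16) & 0xF) << 48;      /* limit 19..16     */
    d |= (uint64_t)(c->avl & 1) << 52;                  /* AVL              */
    d |= (uint64_t)(c->l & 1) << 53;                    /* L                */
    d |= (uint64_t)(c->d & 1) << 54;                    /* D                */
    d |= (uint64_t)(c->g & 1) << 55;                    /* G                */
    d |= (uint64_t)((c->base >> 24) & 0xFF) << 56;      /* base 31..24      */
    return d;
}

static code_desc_t code_desc_decode(uint64_t d)
{
    code_desc_t c;
    c.limit = (uint32_t)(d & 0xFFFF) | (uint32_t)((d >> 48) & 0xF) << 16;
    c.base  = (uint32_t)((d >> 16) & 0xFFFF) | (uint32_t)((d >> 32) & 0xFF) << 16
            | (uint32_t)((d >> 56) & 0xFF) << 24;
    c.accessed = (unsigned)((d >> 40) & 1);  c.readable = (unsigned)((d >> 41) & 1);
    c.conforming = (unsigned)((d >> 42) & 1); c.dpl = (unsigned)((d >> 45) & 3);
    c.present = (unsigned)((d >> 47) & 1);   c.avl = (unsigned)((d >> 52) & 1);
    c.l = (unsigned)((d >> 53) & 1); c.d = (unsigned)((d >> 54) & 1);
    c.g = (unsigned)((d >> 55) & 1);
    return c;
}

/* In a long-mode code segment (L=1) base and limit are ignored, so a
 * kernel code descriptor only needs P, DPL, S, the type and L. The
 * limit/G values here match the conventional 0x00AF9A000000FFFF. */
static uint64_t code64_descriptor(unsigned dpl)
{
    code_desc_t c = { 0, 0xFFFFF, dpl, 1, 0, 1, 0, 1, 0, 1, 0 };
    return code_desc_encode(&c);
}

/* 16-byte IA-32e call gate: selector + 64-bit offset, type 1100b, DPL, P.
 * The second quadword holds offset 63..32; its upper 32 bits are reserved. */
static void call_gate64_encode(uint16_t selector, uint64_t offset,
                               unsigned dpl, uint64_t out[2])
{
    out[0] = (offset & 0xFFFF)
           | (uint64_t)selector << 16
           | 0xCULL << 40                      /* gate type 1100 */
           | (uint64_t)(dpl & 3) << 45
           | 1ULL << 47                        /* present */
           | ((offset >> 16) & 0xFFFF) << 48;
    out[1] = offset >> 32;                     /* bits 127..96 reserved = 0 */
}

static uint64_t call_gate64_low(uint16_t selector, uint64_t offset, unsigned dpl)
{
    uint64_t g[2];
    call_gate64_encode(selector, offset, dpl, g);
    return g[0];
}

int main(void)
{
    uint64_t k = code64_descriptor(0), g[2];
    code_desc_t c = code_desc_decode(k);
    call_gate64_encode(0x08, 0x0000000000401000ULL, 3, g);
    printf("64-bit code descriptor: %#018llx (L=%u D=%u DPL=%u)\n",
           (unsigned long long)k, c.l, c.d, c.dpl);
    printf("call gate: %#018llx %#018llx\n",
           (unsigned long long)g[0], (unsigned long long)g[1]);
    return 0;
}
```

A gate with DPL=3 is callable from ring 3, so the offset it names is a ring-0 entry point that must validate everything user code can pass in registers; a kernel that never intends user-mode gate calls should leave DPL=0.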
24
Summary of steps
  • Transition from real-mode to IA-32e mode
  • Build the table of global descriptors
  • Load GDTR with pseudo-descriptor for GDT
  • Build the 4-level page-mapping tables
  • Enable IA-32e mode (set EFER.LME=1)
  • Enable Physical Address Extension (CR4.PAE=1)
  • Load Level-4 page-map table address in CR3
  • Activate IA-32e mode (set CR0.PE and CR0.PG; the
    CPU then sets EFER.LMA=1)
  • Transfer via call-gate to 64-bit code-segment

25
Notes on the transition
  • Code-segment must be identity-mapped
  • Interrupts have to be temporarily disabled
  • All memory-addressing in 64-bit mode via CS, SS,
    DS or ES uses 0 as base-address (and checking of
    segment-limits is omitted)

26
For a return to real-mode
  • Processor must enter 16-bit code-segment in
    compatibility-mode via indirect far jump
  • Load segment-registers DS, ES, and SS with
    writable 16-bit segment-selectors (64K-limit)
  • Code-segment has to be identity-mapped
  • Deactivate IA-32e mode by clearing PG-bit
  • Leave protected-mode by clearing PE-bit
  • Reload registers CS and SS with real-mode
    segment-addresses before enabling interrupts

27
In-class exercise 1
  • Try running our trymoves.s demo, to see the
    effect of changing the bottom-half of a 64-bit
    register
  • Then modify the instructions in this demo so that
    you use as many of the new CPU registers as
    possible (i.e., use R8, ..., R15 instead of RAX,
    RBX, etc., and R8L, R9L, ... instead of AL, BL,
    etc.; GAS spells these byte-registers %r8b, ...,
    %r15b)

28
Demo-program try64bit.s
  • We created a demo-program that starts in
    real-mode, enters 64-bit mode and draws a
    message, jumps to compatibility mode and draws
    another message, then returns to real-mode and
    shows a final message
  • It has to write directly to VRAM when it's not
    executing in real-mode, because the ROM-BIOS
    video routines are real-mode code

29
How text-mode VRAM works
  • The video memory resides at 0x000B8000 and in
    text-mode it is organized as a linear array of
    two-byte elements (i.e., words)
  • Array-elements are arranged in row-major order
    (left-to-right, top-to-bottom)

  Each cell (16 bits):
    bits 15..8   Attribute-code for the foreground and background colors
    bits 7..0    ASCII code for character
30
Default color-programming
  Attribute byte, bit 7 down to bit 0:
    bit 7       Blinking   0
    bit 6       Red        0  (BACKCOLOR)
    bit 5       Green      0  (BACKCOLOR)
    bit 4       Blue       1  (BACKCOLOR)
    bit 3       Intense    1  (FORECOLOR)
    bit 2       Red        1  (FORECOLOR)
    bit 1       Green      1  (FORECOLOR)
    bit 0       Blue       1  (FORECOLOR)
  i.e., attribute 0x1F: bright-white text on a blue background
31
Character-cell screen-locations
  80 cells-per-row, 25 rows
  for (row 0, column 0) the address-offset is (0*80 + 0)*2 = 0
  for (row 2, column 79) the address-offset is (2*80 + 79)*2 = 478
  for (row 24, column 40) the address-offset is (24*80 + 40)*2 = 3920
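An added example (not from the slides' demo-programs) modelling the text-mode VRAM layout of slides 29 to 31: an 80x25 array of 16-bit cells, the cell-offset arithmetic, and the attribute-byte packing, with a bounds check at the end of a row that the bare arithmetic does not give you. The vram[] array stands in for the memory at 0xB8000, and the function names are this example's own.

```c
/* Added example (not from the slides): a model of the text-mode VRAM
 * layout, an 80x25 array of 16-bit cells with the attribute byte in the
 * high half. The buffer stands in for VRAM; on real hardware the same
 * 16-bit stores go to physical address 0xB8000 + cell_offset(row, col). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define COLS 80
#define ROWS 25
#define VRAM_PHYS 0xB8000u

static uint16_t vram[ROWS * COLS];   /* stand-in for the 4000-byte text buffer */

/* Byte offset of a cell: row-major, two bytes per cell (slide 31). */
static unsigned cell_offset(unsigned row, unsigned col)
{
    return (row * COLS + col) * 2;
}

/* Attribute byte (slide 30): bit 7 blink, bits 6..4 background RGB,
 * bit 3 intensity, bits 2..0 foreground RGB. Colour numbers use the
 * usual palette (1 blue, 2 green, 4 red, 7 light grey, 8..15 intense). */
static uint8_t make_attr(unsigned fg, unsigned bg, unsigned blink)
{
    return (uint8_t)(((blink & 1) << 7) | ((bg & 7) << 4) | (fg & 0xF));
}

/* Write a string at (row, col) with one attribute; stops at the end of
 * the row instead of wrapping into the next one. Returns cells written. */
static size_t vram_puts(unsigned row, unsigned col, const char *s, uint8_t attr)
{
    size_t n = 0;
    if (row >= ROWS)
        return 0;
    while (s[n] && col + n < COLS) {
        vram[row * COLS + col + n] = (uint16_t)((attr << 8) | (uint8_t)s[n]);
        n++;
    }
    return n;
}

static uint16_t vram_cell(unsigned row, unsigned col)
{
    return vram[row * COLS + col];
}

int main(void)
{
    uint8_t white_on_blue = make_attr(0xF, 1, 0);   /* slide 30's default, 0x1F */
    size_t n = vram_puts(24, 40, "Hello, 64-bit mode", white_on_blue);
    printf("wrote %zu cells starting at physical %#x\n",
           n, VRAM_PHYS + cell_offset(24, 40));
    return 0;
}
```

The row check matters in a ring-0 demo because a store past the end of the 4000-byte text buffer lands in whatever follows it in the video aperture; nothing in 64-bit mode's flat segments will stop it.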
32
In-class exercise 2
  • Can you modify the message-colors used in our
    try64bit.s demo-program so that
  • the first message is bright-red against white
  • the second message is brown against cyan
  • The final message is magenta against black