System Call Support

Mark Smotherman
Last updated: May 2004

Summary: TBD

.. under construction ..

Early history - including memory protection, multiple modes of execution, and privileged instructions.

Many of the seminal ideas, however, were widely spread by word of mouth or internal memorandum rather than by journal publication, and historical accuracy is sometimes difficult to obtain. In addition, some ideas related to protection were originally conceived in other contexts.
...
The concepts of base-and-bound register and hardware-interpreted descriptors appeared, apparently independently, between 1957 and 1959 on three projects with diverse goals. At M.I.T., J. McCarthy suggested the base-and-bound idea as part of the memory protection system necessary to make time-sharing feasible. IBM independently developed the base-and-bound register as a mechanism to permit reliable multiprogramming of the Stretch (7030) computer system. At Burroughs, R. Barton suggested that hardware-interpreted descriptors would provide direct support for the naming scope rules of higher level languages in the B5000 computer system.

-- from Saltzer and Schroeder, "The Protection of Information in Computer Systems," CACM, July 1974.

Hardware Developments

Examples


recent comp.arch traffic

Paul Repacholi writes:

> Didn't the DEC KL-10 have "call gates" that were implemented
> in just this fashion...?

The PORTAL instruction? That worked by triggering an MM fault on the fetch, which the PORTAL then stepped on before it got out of the Mbox. If you jumped to other than the PORTAL, the MM fault happened and got to the kernel. It was a bit odd in that it could control access to code in user mode, that you could only execute, not read, and further, you could only enter it at specific points without MM faulting.

Dale Morris writes:

PA-RISC implements this sort of mechanism in its GATEWAY instruction, which can be used to branch and promote to any of 3 privilege levels. The instruction TLB mapping (for the page containing the GATEWAY instruction) provides information on what privilege level to promote to, and whether the GATEWAY instruction is legal (GATEWAY instructions on normal code pages fault).

Itanium also implements a similar mechanism with the EPC instruction. It works similarly, but doesn't branch - it only does the privilege promotion. In Itanium, privilege can also be changed on a normal br.ret, allowing system call code to simply return to the calling process. However, since the privilege to return to is stored in an unprivileged register, we also had to guard against an application trying to spoof a system call into returning at high privilege. Therefore, the EPC also validates the return privilege level (to ensure that it's no higher than the current executing privilege level) before it promotes.
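The entry/return interplay Dale Morris describes, as an added illustration (not code from this page, from the posters, or from HP/Intel): a toy model of a GATEWAY/EPC-style gate. The two-entry instruction TLB, the register names (cpl, ret_pl), the fault codes and the unconditional br.ret-style return are all constructed for the model; real hardware differs in detail. It shows why a gate instruction must fault on a normal code page, and why the entry instruction has to validate the return privilege level when that level lives in a register user code can write.

```c
/* Toy model of GATEWAY/EPC-style privilege promotion (added example, not page code).
 * Privilege levels are numbered as on PA-RISC and Itanium: 0 most privileged, 3 least. */
#include <stdbool.h>
#include <stdio.h>

#define USER_PL   3
#define KERNEL_PL 0

enum page_kind { PAGE_NORMAL, PAGE_GATEWAY };

/* Instruction-TLB entry (constructed): a gateway page records the level it promotes to. */
struct page {
    enum page_kind kind;
    int promote_to;
};

/* Constructed address space: page 0 is ordinary user text, page 1 is a gateway page. */
static const struct page itlb[] = {
    { PAGE_NORMAL,  USER_PL   },
    { PAGE_GATEWAY, KERNEL_PL },
};

struct cpu {
    int cpl;     /* current privilege level: privileged state, changed only by gate entry/return */
    int ret_pl;  /* level to return to; modelled as an UNPRIVILEGED register user code can set */
};

enum fault { NO_FAULT = 0, FAULT_NOT_GATEWAY_PAGE = 1, FAULT_RETURN_PL_SPOOFED = 2 };

/* EPC-style entry. Legal only when fetched from a gateway page. When validate_return is
 * set it also refuses to promote if ret_pl names a level MORE privileged than the caller's
 * current level (smaller number = more privilege): the spoof guard described in the post. */
static enum fault gate_enter(struct cpu *c, int page, bool validate_return)
{
    if (itlb[page].kind != PAGE_GATEWAY)
        return FAULT_NOT_GATEWAY_PAGE;        /* GATEWAY/EPC on a normal code page faults */
    if (validate_return && c->ret_pl < c->cpl)
        return FAULT_RETURN_PL_SPOOFED;       /* caller asked to come back more privileged */
    if (itlb[page].promote_to < c->cpl)
        c->cpl = itlb[page].promote_to;       /* promote; entry never demotes */
    return NO_FAULT;
}

/* br.ret-style return: the level becomes whatever ret_pl holds. The model deliberately
 * puts no check here, so that the role of the entry-time guard is visible. */
static void gate_return(struct cpu *c)
{
    c->cpl = c->ret_pl;
}

struct trip {
    enum fault fault;   /* result of the gate entry */
    int kernel_pl;      /* level the system call body ran at, or -1 if entry faulted */
    int final_pl;       /* level user code runs at after the return, or -1 if entry faulted */
};

/* One system call from user mode (PL3). The caller chooses what it writes into ret_pl. */
struct trip syscall_round_trip(int caller_ret_pl, bool validate_return)
{
    struct cpu c = { .cpl = USER_PL, .ret_pl = caller_ret_pl };
    struct trip t = { NO_FAULT, -1, -1 };
    t.fault = gate_enter(&c, 1, validate_return);
    if (t.fault != NO_FAULT)
        return t;
    t.kernel_pl = c.cpl;                      /* system call body would run here */
    gate_return(&c);
    t.final_pl = c.cpl;
    return t;
}

/* A gate instruction fetched from an ordinary page must fault regardless of ret_pl. */
enum fault gate_on_normal_page(void)
{
    struct cpu c = { .cpl = USER_PL, .ret_pl = USER_PL };
    return gate_enter(&c, 0, true);
}

int main(void)
{
    struct trip honest = syscall_round_trip(USER_PL, true);
    struct trip spoof_unchecked = syscall_round_trip(KERNEL_PL, false);
    struct trip spoof_checked = syscall_round_trip(KERNEL_PL, true);
    printf("honest call:        kernel ran at PL%d, user resumes at PL%d\n",
           honest.kernel_pl, honest.final_pl);
    printf("spoofed ret_pl, no entry check:  user resumes at PL%d\n", spoof_unchecked.final_pl);
    printf("spoofed ret_pl, EPC check:       entry fault %d\n", spoof_checked.fault);
    printf("gate on normal page:             fault %d\n", gate_on_normal_page());
    return 0;
}
```

The unchecked case is the point: with the return level in a register the application controls, the kernel's ordinary return hands the application PL0 unless the promotion itself rejects a return level more privileged than the caller already holds.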


added Jan. 2010: "SYSENTER: a good idea, taken too far..." [Andy Glew's description of x86 SYSENTER/SYSEXIT]



mark@cs.clemson.edu