CPU Internals

These notes are taken from the Intel SDM. Consider them a condensed version of the parts of the manuals that I found worth reading when learning about system programming, OS internals and virtualization.

Contents

Volume 1 Basic Architecture

Chapter 3 Basic Execution Environment

Modes of Operation

Overview of the Basic Execution Environment

<p align="center"><img src="https://i.imgur.com/i9Djo8N.png" width="500px" height="auto"></p> <p align="center"> <img src="https://i.imgur.com/5V6dS2F.png" width="500px" height="auto"></p>

Memory Organization

IA-32 Memory Models
<p align="center"> <img src="https://i.imgur.com/EfpFmVB.png" width="500px" height="auto"></p>
Paging and Virtual Memory
Modes of Operation vs. Memory Model

Basic Program Execution Registers

General Purpose Registers
<p align="center"> <img src="https://i.imgur.com/cvFWSF9.png" width="500px" height="auto"></p>
General-Purpose Registers in 64-Bit Mode

Segment Registers

<p align="center"> <img src="https://i.imgur.com/AbhbgWY.png" width="500px" height="auto"></p> <p align="center"> <img src="https://i.imgur.com/fu7EMkz.png" width="500px" height="auto"></p> <p align="center"> <img src="https://i.imgur.com/cixb0xe.png" width="600px" height="auto"></p>
Segment Registers in 64-Bit Mode

Chapter 6 Procedure Calls, Interrupts, and Exceptions

Stacks

<p align="center"><img src="https://i.imgur.com/bcoXzvx.png" width="500px" height="auto"></p>
Stack-Frame Base Pointer
Return Instruction Pointer
Stack Behavior in 64-Bit Mode

Calling Procedures Using CALL and RET

Far CALL and RET Operation

When executing a far call, the processor performs these actions:

  1. Pushes the current value of the CS register on the stack.
  2. Pushes the current value of the EIP register on the stack.
  3. Loads the segment selector of the segment that contains the called procedure in the CS register.
  4. Loads the offset of the called procedure in the EIP register.
  5. Begins execution of the called procedure.

When executing a far return, the processor does the following:

  1. Pops the top-of-stack value (the return instruction pointer) into the EIP register.
  2. Pops the top-of-stack value (the segment selector for the code segment being returned to) into the CS register.
  3. If the RET instruction has an optional n argument, increments the stack pointer by the number of bytes specified with the n operand to release parameters from the stack.
  4. Resumes execution of the calling procedure.
<p align="center"> <img src="https://i.imgur.com/Nn0SFOy.png" width="500px" height="auto"></p>
Parameter Passing
Calls to Other Privilege Levels
<p align="center"> <img src="https://i.imgur.com/RTkdO9L.png" width="500px" height="auto"></p>
CALL and RET Operation Between Privilege Levels

When making a call to a more privileged protection level, the processor does the following (see Figure 6-4):

  1. Performs an access rights check (privilege check).
  2. Temporarily saves (internally) the current contents of the SS, ESP, CS, and EIP registers.
  3. Loads the segment selector and stack pointer for the new stack (that is, the stack for the privilege level being called) from the TSS into the SS and ESP registers and switches to the new stack.
  4. Pushes the temporarily saved SS and ESP values for the calling procedure’s stack onto the new stack.
  5. Copies the parameters from the calling procedure’s stack to the new stack. A value in the call gate descriptor determines how many parameters to copy to the new stack.
  6. Pushes the temporarily saved CS and EIP values for the calling procedure to the new stack.
  7. Loads the segment selector for the new code segment and the new instruction pointer from the call gate into the CS and EIP registers, respectively.
  8. Begins execution of the called procedure at the new privilege level.

When executing a return from the privileged procedure, the processor performs these actions:

  1. Performs a privilege check.
  2. Restores the CS and EIP registers to their values prior to the call.
  3. If the RET instruction has an optional n argument, increments the stack pointer by the number of bytes specified with the n operand to release parameters from the stack. If the call gate descriptor specifies that one or more parameters be copied from one stack to the other, a RET n instruction must be used to release the parameters from both stacks. Here, the n operand specifies the number of bytes occupied on each stack by the parameters. On a return, the processor increments ESP by n for each stack to step over (effectively remove) these parameters from the stacks.
  4. Restores the SS and ESP registers to their values prior to the call, which causes a switch back to the stack of the calling procedure.
  5. If the RET instruction has an optional n argument, increments the stack pointer by the number of bytes specified with the n operand to release parameters from the stack.
  6. Resumes execution of the calling procedure.
<p align="center"> <img src="https://i.imgur.com/ZNrnZQd.png" width="500px" height="auto"></p>
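The two sequences above (the far CALL/RET at a single privilege level, and the CALL through a call gate with its stack switch, parameter copy and RET n) are easiest to follow on a concrete stack. The model below is an added example, not code from the Intel SDM or this repository. It assumes a flat 64 KiB memory with segment bases ignored, toy selectors whose low two bits are the privilege level, a TSS reduced to the ring 0-2 stack pointers, and the constructed selectors, addresses and arguments shown in `run_ring3_to_ring0`; the step numbers in the comments refer to the lists above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the 32-bit CALL/RET sequences: far call at the same privilege
 * level, and call through a call gate to a more privileged level. Added
 * example, not code from the Intel SDM. Assumptions: flat 64 KiB memory with
 * segment bases ignored, toy selectors whose low two bits are the privilege
 * level, and a TSS reduced to the ring 0-2 stack pointers. */

#define MEM_SIZE 0x10000

typedef struct { uint32_t ss, esp, cs, eip; uint8_t mem[MEM_SIZE]; } Cpu;
typedef struct { uint32_t ss[3], esp[3]; } Tss;      /* SS:ESP for rings 0..2 */
typedef struct {
    uint32_t selector, offset;  /* target code segment and entry point */
    uint8_t  dpl;               /* gate DPL: caller needs CPL <= dpl and RPL <= dpl */
    uint8_t  param_count;       /* dwords copied from the caller's stack */
    uint8_t  target_dpl;        /* DPL of the target code segment (the new CPL) */
} CallGate;

static uint8_t  cpl(const Cpu *c)              { return (uint8_t)(c->cs & 3); }
static uint32_t rd32(const Cpu *c, uint32_t a) { uint32_t v; memcpy(&v, &c->mem[a], 4); return v; }
static void     push32(Cpu *c, uint32_t v)     { c->esp -= 4; memcpy(&c->mem[c->esp], &v, 4); }
static uint32_t pop32(Cpu *c)                  { uint32_t v = rd32(c, c->esp); c->esp += 4; return v; }

/* CALL through a call gate. Returns 0, or -1 where the real CPU raises #GP. */
int far_call_through_gate(Cpu *c, const Tss *tss, const CallGate *g, uint8_t gate_rpl)
{
    uint8_t old_cpl = cpl(c);
    /* 1. Privilege check: the caller must be allowed to use the gate, and a call
     *    gate can never hand control to a less privileged code segment. */
    if (old_cpl > g->dpl || gate_rpl > g->dpl || g->target_dpl > old_cpl)
        return -1;
    if (g->target_dpl == old_cpl) {           /* plain far call: no stack switch */
        push32(c, c->cs);                     /* push CS, then EIP */
        push32(c, c->eip);
        c->cs = g->selector; c->eip = g->offset;
        return 0;
    }
    /* 2. Save SS, ESP, CS, EIP internally. */
    uint32_t old_ss = c->ss, old_esp = c->esp, old_cs = c->cs, old_eip = c->eip;
    /* 3. Load the target privilege level's stack from the TSS. */
    c->ss = tss->ss[g->target_dpl]; c->esp = tss->esp[g->target_dpl];
    /* 4. Push the caller's SS and ESP on the new stack. */
    push32(c, old_ss); push32(c, old_esp);
    /* 5. Copy param_count dwords from the caller's stack, keeping their order. */
    for (int i = g->param_count - 1; i >= 0; i--)
        push32(c, rd32(c, old_esp + 4u * (uint32_t)i));
    /* 6. Push the caller's CS and EIP.  7. Load CS:EIP from the gate. */
    push32(c, old_cs); push32(c, old_eip);
    c->cs = (g->selector & ~3u) | g->target_dpl; c->eip = g->offset;
    return 0;
}

/* RET n. Returns 0, or -1 where the real CPU raises #GP. */
int far_ret(Cpu *c, uint32_t n)
{
    uint32_t ret_cs = rd32(c, c->esp + 4);
    /* 1. Privilege check: a RET may not land in a more privileged code segment. */
    if ((ret_cs & 3) < cpl(c)) return -1;
    int to_outer = (ret_cs & 3) > cpl(c);
    /* 2. Restore EIP and CS.  3. Release the parameters copied to this stack. */
    c->eip = pop32(c); c->cs = pop32(c);
    c->esp += n;
    if (to_outer) {
        /* 4. Restore ESP and SS, switching back to the caller's stack. */
        uint32_t caller_esp = pop32(c);
        c->ss = pop32(c); c->esp = caller_esp;
        /* 5. Release the same parameters from the caller's stack as well. */
        c->esp += n;
    }
    return 0;
}

/* Ring 3 -> ring 0 through a DPL-3 gate copying two parameters, then RET 8. */
typedef struct {
    int call_rc, ret_rc, denied_rc;
    uint32_t cs_in, eip_in, esp_in;                            /* state inside ring 0 */
    uint32_t ret_eip, ret_cs, arg0, arg1, saved_esp, saved_ss; /* ring-0 stack, top down */
    uint32_t ss_out, esp_out, cs_out, eip_out;                 /* state after RET 8 */
} Trace;

Trace run_ring3_to_ring0(void)
{
    static Cpu c;                                  /* 64 KiB: keep it off the stack */
    memset(&c, 0, sizeof c);
    c.ss = 0x23; c.esp = 0x8000; c.cs = 0x1b; c.eip = 0x1000;  /* constructed RPL-3 state */
    push32(&c, 0x11111111); push32(&c, 0x22222222);            /* two dword arguments */
    Tss tss = { .ss = {0x10, 0, 0}, .esp = {0xF000, 0, 0} };
    CallGate gate   = { 0x08, 0x2000, 3, 2, 0 };  /* usable from ring 3, copies 2 dwords */
    CallGate k_only = { 0x08, 0x2000, 0, 0, 0 };  /* DPL 0: a ring-3 caller gets #GP */
    Trace t = {0};
    t.denied_rc = far_call_through_gate(&c, &tss, &k_only, 3);
    t.call_rc   = far_call_through_gate(&c, &tss, &gate, 3);
    t.cs_in = c.cs; t.eip_in = c.eip; t.esp_in = c.esp;
    t.ret_eip = rd32(&c, c.esp);        t.ret_cs   = rd32(&c, c.esp + 4);
    t.arg0    = rd32(&c, c.esp + 8);    t.arg1     = rd32(&c, c.esp + 12);
    t.saved_esp = rd32(&c, c.esp + 16); t.saved_ss = rd32(&c, c.esp + 20);
    t.ret_rc = far_ret(&c, 8);
    t.ss_out = c.ss; t.esp_out = c.esp; t.cs_out = c.cs; t.eip_out = c.eip;
    return t;
}

int main(void)
{
    Trace t = run_ring3_to_ring0();
    printf("denied=%d call=%d ring0 CS:EIP=%x:%x ESP=%x\n", t.denied_rc, t.call_rc, t.cs_in, t.eip_in, t.esp_in);
    printf("ring0 stack: EIP=%x CS=%x args=%x,%x caller ESP=%x SS=%x\n",
           t.ret_eip, t.ret_cs, t.arg0, t.arg1, t.saved_esp, t.saved_ss);
    printf("after RET 8: SS:ESP=%x:%x CS:EIP=%x:%x\n", t.ss_out, t.esp_out, t.cs_out, t.eip_out);
    return 0;
}
```

The trace shows why a RET n must name the same byte count on both stacks: the gate's parameter count decides how many dwords the processor duplicates onto the ring-0 stack, and both copies have to be released on the way out or one of the two stacks drifts. The model leaves out one further step the processor performs on a return to an outer level: any of DS, ES, FS and GS that still selects a segment more privileged than the new CPL is loaded with a null selector, so the less privileged caller cannot keep using a data segment the privileged procedure set up.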

Volume 2 Instruction Set Reference

Chapter 6 Safer Mode Extensions Reference

Overview

SMX functionality

Volume 3 System Programming Guide

Chapter 2 System Architecture Overview

Overview of the System-Level Architecture

<p align="center"> <img src="https://i.imgur.com/O0QCFwt.png" width="700px" height="auto"></p> <p align="center"> <img src="https://i.imgur.com/gCayvoh.png" width="700px" height="auto"></p>
Global and Local Descriptor Tables
Global and Local Descriptor Tables in IA-32e Mode
System Segments, Segment Descriptors, and Gates
Gates in IA-32e Mode
Task-State Segments and Task Gates
Task-State Segments in IA-32e Mode
Interrupt and Exception Handling
Memory Management
Memory Management in IA-32e Mode
System Registers
System Registers in IA-32e Mode

MODES OF OPERATION

<p align="center"> <img src="https://i.imgur.com/bbcrQlk.png" width="600px" height="auto"></p>

Extended Feature Enable Register

<p align="center"> <img src="https://i.imgur.com/FepFdCU.png" width="600px" height="auto"></p>

SYSTEM FLAGS AND FIELDS IN THE EFLAGS REGISTER

<p align="center"> <img src="https://i.imgur.com/1YFZsgw.png" width="600px" height="auto"></p>

System Flags and Fields in IA-32e Mode

MEMORY-MANAGEMENT REGISTERS

<p align="center"> <img src="https://i.imgur.com/yx6piV0.png" width="600px" height="auto"></p>

Global Descriptor Table Register (GDTR)

Local Descriptor Table Register (LDTR)

Interrupt Descriptor Table Register (IDTR)

Task Register (TR)

Chapter 3 Protected Mode Memory Management

MEMORY MANAGEMENT OVERVIEW

<p align="center"> <img src="https://i.imgur.com/QpA3AS9.png" width="600px" height="auto"></p>

USING SEGMENTS

Basic Flat Model

<p align="center"> <img src="https://i.imgur.com/tQ02vfP.png" width="600px" height="auto"></p>

Protected Flat Model

<p align="center"> <img src="https://i.imgur.com/dSPFaY8.png" width="600px" height="auto"></p>

Multi-Segment Model

<p align="center"> <img src="https://i.imgur.com/X6pRDKv.png" width="600px" height="auto"></p>

Segmentation in IA-32e Mode

Paging and Segmentation

LOGICAL AND LINEAR ADDRESSES

<p align="center"> <img src="https://i.imgur.com/jh5Bp46.png" width="600px" height="auto"></p>

Logical Address Translation in IA-32e Mode

Segment Selectors

<p align="center"> <img src="https://i.imgur.com/JUOiXYX.png" width="600px" height="auto"></p>

Segment Registers

<p align="center"> <img src="https://i.imgur.com/lxlmUtA.png" width="600px" height="auto"></p>

Segment Descriptors

<p align="center"> <img src="https://i.imgur.com/yjnRlez.png" width="600px" height="auto"></p>

System Descriptor Types

Segment Descriptor Tables

<p align="center"> <img src="https://i.imgur.com/qEnuApv.png" width="600px" height="auto"></p>

Chapter 4 Paging

PAGING MODES AND CONTROL BITS

Three Paging Modes

<p align="center"> <img src="https://i.imgur.com/zXoVCCw.png" width="600px" height="auto"></p>

Paging-Mode Enabling

<p align="center"> <img src="https://i.imgur.com/QUBkDw5.png" width="600px" height="auto"></p>

Paging-Mode Modifiers

Hierarchical Paging Structures: An Overview

<p align="center"> <img src="https://i.imgur.com/xsLNtRp.png" width="600px" height="auto"></p>

32-BIT PAGING

<p align="center"> <img src="https://i.imgur.com/yk5DDik.png" width="500px" height="auto"></p> <p align="center"> <img src="https://i.imgur.com/graLHn1.png" width="500px" height="auto"></p>

PAE PAGING

<p align="center"> <img src="https://i.imgur.com/PHpSltX.png" width="500px" height="auto"></p> <p align="center"> <img src="https://i.imgur.com/tZxmqVu.png" width="500px" height="auto"></p> <p align="center"> <img src="https://i.imgur.com/DPSmC3x.png" width="500px" height="auto"></p>

4-LEVEL PAGING

<p align="center"> <img src="https://i.imgur.com/ycLpWUf.png" width="500px" height="auto"></p> <p align="center"> <img src="https://i.imgur.com/s6dZ8fY.png" width="500px" height="auto"></p> <p align="center"> <img src="https://i.imgur.com/QcWP0ZZ.png" width="500px" height="auto"></p> <p align="center"> <img src="https://i.imgur.com/2gEHP0B.png" width="500px" height="auto"></p>

Protection Keys

PAGE-FAULT EXCEPTIONS

<p align="center"> <img src="https://i.imgur.com/XIIyvJN.png" width="500px" height="auto"></p>

ACCESSED AND DIRTY FLAGS

Chapter 6 Interrupt and Exception Handling

Interrupt And Exception Overview

Exception and Interrupt Vectors

<p align="center"> <img src="https://i.imgur.com/lSdAuQl.png" width="600px" height="auto"></p>

Sources of Interrupts

External Interrupts
Maskable Hardware Interrupts
Software-Generated Interrupts

Sources of Exceptions

Program-Error Exceptions
Software-Generated Exceptions
Machine-Check Exceptions

Exceptions Classifications

Exception and Interrupt Handling

Chapter 10 Advanced Programmable Interrupt Controller (APIC)

Chapter 11 Memory Cache Control

Internal caches, TLBs, and buffers

<p align="center"><img src="https://i.imgur.com/75tM4Iq.png" width="500px" height="auto"></p> <p align="center"><img src="https://i.imgur.com/ToePjTl.png" width="500px" height="auto"></p>

Methods Of Caching Available

<p align="center"><img src="https://i.imgur.com/gVtPKG5.png" width="700px" height="auto"></p>

Intel 64 and IA-32 processors may implement four types of caches: the trace cache, the level 1 (L1) cache, the level 2 (L2) cache, and the level 3 (L3) cache.

Page Attribute Table (PAT)

Chapter 17 Debug, Branch Profile, TSC, and Intel® Resource Director Technology (Intel® RDT) Features

Overview of Debug Support Facilities

Debug Exceptions

<p align="center"><img src="https://i.imgur.com/U1P42xk.png" width="500px" height="auto"></p>
Debug Address Registers (DR0-DR3)

Debug Registers DR4 and DR5

Debug Status Register (DR6)

Chapter 22 Architecture Compatibility

Model-Specific Registers

Memory Type Range Registers

Chapter 23 Introduction To Virtual Machine Extensions

Virtual Machine Architecture

Introduction To VMX Operation

Life Cycle of VMM Software

<p align="center"><img src="https://i.imgur.com/Vpvq9Gi.png" width="400px" height="auto"></p>

Virtual-machine Control Structure

Discovering Support For VMX

Enabling And Entering VMX Operation

Restrictions On VMX Operation

Chapter 24 Virtual Machine Control Structures

Overview

<p align="center"><img src="https://i.imgur.com/RFdaRU8.png" width="500px" height="auto"></p>

Format Of The VMCS Region

| Byte offset | Contents |
|---|---|
| 0 | Bits 30:0: VMCS revision identifier; bit 31: shadow-VMCS indicator |
| 4 | VMX-abort indicator |
| 8 | VMCS data (implementation-specific format) |
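Only the first 8 bytes of the region have an architecturally defined layout, and two details in them are easy to get wrong: bit 31 of the first dword is not part of the revision identifier, and the identifier a VMM must write there comes from bits 30:0 of the IA32_VMX_BASIC MSR. The decoder and pre-VMPTRLD check below are an added example, not code from the Intel SDM or this repository; the sample region bytes, the IA32_VMX_BASIC value and the function names are constructed for illustration, and the region is shortened to its 8 defined bytes rather than the real 4 KiB.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoder and pre-VMPTRLD sanity check for the architecturally defined first
 * 8 bytes of a VMCS region. Added example, not code from the Intel SDM. Bytes
 * from offset 8 onward have an implementation-specific layout and must only be
 * accessed through VMREAD/VMWRITE, so nothing below reads them. The sample
 * region and the IA32_VMX_BASIC value are constructed. */

typedef struct {
    uint32_t revision;   /* dword 0, bits 30:0 */
    int      shadow;     /* dword 0, bit 31: 1 = shadow VMCS */
    uint32_t vmx_abort;  /* dword 1: non-zero only after a VMX abort */
} VmcsHeader;

enum { VMCS_BAD_REVISION = 1, VMCS_UNEXPECTED_SHADOW = 2, VMCS_ABORTED = 4 };

static uint32_t le32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void st32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

VmcsHeader vmcs_parse_header(const uint8_t *region)
{
    uint32_t d0 = le32(region);
    VmcsHeader h = { d0 & 0x7fffffffu, (int)((d0 >> 31) & 1u), le32(region + 4) };
    return h;
}

/* Fills in the header the way a VMM does before the first VMPTRLD: revision ID
 * from bits 30:0 of IA32_VMX_BASIC, bit 31 set only for a shadow VMCS, abort = 0. */
void vmcs_init_header(uint8_t *region, uint64_t ia32_vmx_basic, int shadow)
{
    uint32_t rev = (uint32_t)ia32_vmx_basic & 0x7fffffffu;
    st32(region, rev | (shadow ? 0x80000000u : 0u));
    st32(region + 4, 0);
}

/* Returns 0 if the region is fit to VMPTRLD, otherwise a bitmask of problems. */
int vmcs_check_region(const uint8_t *region, uint64_t ia32_vmx_basic, int shadowing_enabled)
{
    VmcsHeader h = vmcs_parse_header(region);
    int problems = 0;
    if (h.revision != ((uint32_t)ia32_vmx_basic & 0x7fffffffu)) problems |= VMCS_BAD_REVISION;
    if (h.shadow && !shadowing_enabled)                          problems |= VMCS_UNEXPECTED_SHADOW;
    if (h.vmx_abort != 0)                                        problems |= VMCS_ABORTED;
    return problems;
}

/* Constructed IA32_VMX_BASIC: revision 0x12 in bits 30:0; the upper bits hold
 * unrelated capability fields and are ignored here. */
static const uint64_t kVmxBasic = 0x00da040000000012ULL;

/* Constructed region: dword 0 = 0x80000012 (revision 0x12 with the shadow bit
 * set), dword 1 = 0 (no VMX abort). */
static const uint8_t kShadowRegion[8] = { 0x12, 0x00, 0x00, 0x80, 0, 0, 0, 0 };

/* Round trip: initialise an ordinary VMCS header, then check and decode it. */
int vmcs_roundtrip_ok(void)
{
    uint8_t region[8];
    vmcs_init_header(region, kVmxBasic, 0);
    return vmcs_check_region(region, kVmxBasic, 0) == 0
        && vmcs_parse_header(region).revision == 0x12
        && vmcs_parse_header(region).shadow == 0;
}

int main(void)
{
    VmcsHeader h = vmcs_parse_header(kShadowRegion);
    printf("revision=%#x shadow=%d abort=%#x\n", h.revision, h.shadow, h.vmx_abort);
    printf("check without shadowing: %d, with shadowing: %d, roundtrip: %d\n",
           vmcs_check_region(kShadowRegion, kVmxBasic, 0),
           vmcs_check_region(kShadowRegion, kVmxBasic, 1), vmcs_roundtrip_ok());
    return 0;
}
```

Checking the shadow bit against whether VMCS shadowing is actually in use matters because the processor treats a region with bit 31 set as a shadow VMCS; a VMM that copies a revision word with that bit set into an ordinary VMCS gets a failed VMPTRLD rather than a working guest.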

Organization Of VMCS Data

The VMCS data are organized into six logical groups:

VMCS Layout

VMCS Types: Ordinary And Shadow

Software Use of Virtual-Machine Control Structures

VMREAD, VMWRITE, and Encodings of VMCS Fields

Initializing a VMCS

VMXON Region

Chapter 25 VMX Non-Root Operation

Instructions That Cause VM Exits Unconditionally

Instructions That Cause VM Exits Conditionally

Other Causes Of VM-Exits

Chapter 28 VMX Support For Address Translation

VIRTUAL PROCESSOR IDENTIFIERS (VPIDS)

THE EXTENDED PAGE TABLE MECHANISM (EPT)

EPT Overview

EPT Translation Mechanism

Chapter 30 VMX Instruction Reference

Overview

Appendix A VMX Capability Reporting Facility

RESERVED CONTROLS AND DEFAULT SETTINGS

VMX-FIXED BITS IN CR0

VMX-FIXED BITS IN CR4