summaryrefslogtreecommitdiffstats
path: root/src/VBox/ValidationKit/bootsectors/bootsector2-cpu-xcpt-1-template.mac
diff options
context:
space:
mode:
Diffstat (limited to 'src/VBox/ValidationKit/bootsectors/bootsector2-cpu-xcpt-1-template.mac')
-rw-r--r--src/VBox/ValidationKit/bootsectors/bootsector2-cpu-xcpt-1-template.mac1973
1 files changed, 1973 insertions, 0 deletions
diff --git a/src/VBox/ValidationKit/bootsectors/bootsector2-cpu-xcpt-1-template.mac b/src/VBox/ValidationKit/bootsectors/bootsector2-cpu-xcpt-1-template.mac
new file mode 100644
index 00000000..e3281508
--- /dev/null
+++ b/src/VBox/ValidationKit/bootsectors/bootsector2-cpu-xcpt-1-template.mac
@@ -0,0 +1,1973 @@
+; $Id: bootsector2-cpu-xcpt-1-template.mac $
+;; @file
+; Bootsector test for basic exceptions - multi mode template.
+;
+
+;
+; Copyright (C) 2007-2022 Oracle and/or its affiliates.
+;
+; This file is part of VirtualBox base platform packages, as
+; available from https://www.virtualbox.org.
+;
+; This program is free software; you can redistribute it and/or
+; modify it under the terms of the GNU General Public License
+; as published by the Free Software Foundation, in version 3 of the
+; License.
+;
+; This program is distributed in the hope that it will be useful, but
+; WITHOUT ANY WARRANTY; without even the implied warranty of
+; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+; General Public License for more details.
+;
+; You should have received a copy of the GNU General Public License
+; along with this program; if not, see <https://www.gnu.org/licenses>.
+;
+; The contents of this file may alternatively be used under the terms
+; of the Common Development and Distribution License Version 1.0
+; (CDDL), a copy of it is provided in the "COPYING.CDDL" file included
+; in the VirtualBox distribution, in which case the provisions of the
+; CDDL are applicable instead of those of the GPL.
+;
+; You may elect to license modified versions of this file under the
+; terms and conditions of either the GPL or the CDDL or both.
+;
+; SPDX-License-Identifier: GPL-3.0-only OR CDDL-1.0
+;
+
+
+%include "bootsector2-template-header.mac"
+
+
+;*******************************************************************************
+;* Defined Constants And Macros *
+;*******************************************************************************
+;;
+; Some 32/64 macros.
+;
+%if TMPL_BITS == 32
+ %define bs2Idt_BP bs2Idt32bit_BP
+ %define MY_R0_CS BS2_SEL_CS32
+ %define MY_R1_CS BS2_SEL_R1_CS32
+ %define MY_R2_CS BS2_SEL_R2_CS32
+ %define MY_R3_CS BS2_SEL_R3_CS32
+
+ %define MY_R0_DS BS2_SEL_DS32
+ %define MY_R1_DS BS2_SEL_R1_DS32
+ %define MY_R2_DS BS2_SEL_R2_DS32
+ %define MY_R3_DS BS2_SEL_R3_DS32
+
+ %define MY_R0_SS BS2_SEL_SS32
+ %define MY_R1_SS BS2_SEL_R1_SS32
+ %define MY_R2_SS BS2_SEL_R2_SS32
+ %define MY_R3_SS BS2_SEL_R3_SS32
+
+%else
+ %define bs2Idt_BP bs2Idt64bit_BP
+ %define MY_R0_CS BS2_SEL_CS64
+ %define MY_R1_CS BS2_SEL_R1_CS64
+ %define MY_R2_CS BS2_SEL_R2_CS64
+ %define MY_R3_CS BS2_SEL_R3_CS64
+
+ %define MY_R0_DS BS2_SEL_DS64
+ %define MY_R1_DS BS2_SEL_R1_DS64
+ %define MY_R2_DS BS2_SEL_R2_DS64
+ %define MY_R3_DS BS2_SEL_R3_DS64
+
+ %define MY_R0_SS BS2_SEL_SS64
+ %define MY_R1_SS BS2_SEL_R1_SS64
+ %define MY_R2_SS BS2_SEL_R2_SS64
+ %define MY_R3_SS BS2_SEL_R3_SS64
+%endif
+
+%ifdef TMPL_64BIT
+ %assign MY_IS_64BIT 1
+%else
+ %assign MY_IS_64BIT 0
+%endif
+
+
+;*******************************************************************************
+;* Global Variables *
+;*******************************************************************************
+%ifndef CPU_XCPT_1_GLOBALS
+ %define CPU_XCPT_1_GLOBALS
+ g_szWrongIfStateFmt:
+ db 'Wrong IF state (0x%RX32) on line 0x%RX32', 0
+ g_szWrongHandlerCsFmt:
+ db 'Wrong handler CS=%RX16, expected %RX16 (line 0x%RX32)', 0
+ g_szWrongCurCsFmt:
+ db 'Wrong CS=%RX16, expected %RX16 (line 0x%RX32)', 0
+ g_szWrongCurSRegFmt_fs:
+ db 'Wrong FS=%RX16, expected %RX16 (line 0x%RX32)', 0
+ g_szWrongCurSRegFmt_ss:
+ db 'Wrong SS=%RX16, expected %RX16 (line 0x%RX32)', 0
+
+
+;;
+; Asserts a test.
+;
+; @param %1 First cmp operand.
+; @param %2 First cmp operand.
+; @param %3 Which kind of conditional jump to make
+; @param %4 The message to print (format string, no arguments please).
+;
+%macro ASSERT_SIMPLE 4
+ cmp %1, %2
+ %3 %%.ok
+ push dword __LINE__
+ %ifdef TMPL_16BIT
+ push ds
+ %endif
+ push %%.s_szMsg
+ call TMPL_NM_CMN(TestFailedF)
+ add xSP, sCB*2
+ jmp %%.ok
+%%.s_szMsg: db %4, " (0x%RX32)", 0
+%%.ok:
+%endmacro
+
+
+ ;;
+ ; Asserts that the IF flag is set or clear when the trap handler was called.
+ ;
+ ; @param 1 jnz or jz.
+ ;
+ ; @uses rax, flags, and stack.
+ ;
+ %macro ASSERT_TRAP_EFLAGS_IF 1
+ test word [g_u64LastTrapHandlerRFlags xWrtRIP], X86_EFL_IF
+ %1 %%.ok
+ %ifdef TMPL_LM64
+ push __LINE__
+ push qword [g_u64LastTrapHandlerRFlags xWrtRIP]
+ lea rax, [g_szWrongIfStateFmt wrt RIP]
+ push rax
+ call TMPL_NM_CMN(TestFailedF)
+ add xSP, 24
+ %elifdef TMPL_16
+ push dword __LINE__
+ push dword [g_u64LastTrapHandlerRFlags]
+ push cs
+ push g_szWrongIfStateFmt
+ call TMPL_NM_CMN(TestFailedF)
+ add xSP, 12
+ %else
+ push __LINE__
+ push dword [g_u64LastTrapHandlerRFlags]
+ push g_szWrongIfStateFmt
+ call TMPL_NM_CMN(TestFailedF)
+ add xSP, 12
+ %endif
+ %%.ok:
+ %endmacro
+
+
+ ;;
+ ; Asserts that a certain CS value when the trap handler was called.
+ ;
+ ; @param 1 The CS value.
+ ;
+ ; @uses rax, flags, and stack.
+ ;
+ %macro ASSERT_TRAP_CS_VALUE 1
+ cmp word [g_u16LastTrapHandlerCS xWrtRIP], (%1)
+ je %%.ok
+ %ifdef TMPL_LM64
+ push __LINE__
+ push (%1)
+ movzx eax, word [g_u16LastTrapHandlerCS xWrtRIP]
+ push rax
+ lea rax, [g_szWrongHandlerCsFmt wrt RIP]
+ push rax
+ call TMPL_NM_CMN(TestFailedF)
+ add xSP, 32
+ %elifdef TMPL_16
+ push dword __LINE__
+ push word (%1)
+ push word [g_u16LastTrapHandlerCS]
+ push cs
+ push g_szWrongHandlerCsFmt
+ call TMPL_NM_CMN(TestFailedF)
+ add xSP, 12
+ %else
+ push __LINE__
+ push (%1)
+ movzx eax, word [g_u16LastTrapHandlerCS]
+ push eax
+ push g_szWrongHandlerCsFmt
+ call TMPL_NM_CMN(TestFailedF)
+ add xSP, 16
+ %endif
+ %%.ok:
+ %endmacro
+
+ ;;
+ ; Asserts that a certain CS value right now, CS being loaded in BX.
+ ;
+ ; @param bx The CS value.
+ ; @param 1 The expected CS value.
+ ;
+ ; @uses rax, flags, and stack.
+ ;
+ %macro ASSERT_CUR_CS_VALUE_IN_BX 1
+ cmp bx, (%1)
+ je %%.ok
+ %ifdef TMPL_LM64
+ push __LINE__
+ push (%1)
+ push rbx
+ lea rax, [g_szWrongCurCsFmt wrt RIP]
+ push rax
+ call TMPL_NM_CMN(TestFailedF)
+ add xSP, 32
+ %elifdef TMPL_16
+ push dword __LINE__
+ push word (%1)
+ push bx
+ push g_szWrongCurCsFmt
+ call TMPL_NM_CMN(TestFailedF)
+ add xSP, 12
+ %else
+ push __LINE__
+ push (%1)
+ push ebx
+ push g_szWrongCurCsFmt
+ call TMPL_NM_CMN(TestFailedF)
+ add xSP, 16
+ %endif
+ %%.ok:
+ %endmacro
+
+ ;;
+ ; Asserts that the given segment register has a certain value right now.
+ ;
+ ; @param 1 The segment register
+ ; @param 2 The value.
+ ;
+ ; @uses rax, flags, and stack.
+ ;
+ %macro ASSERT_CUR_SREG_VALUE 2
+ mov ax, %1
+ cmp ax, (%2)
+ je %%.ok
+ %ifdef TMPL_LM64
+ push __LINE__
+ push (%2)
+ push rax
+ lea rax, [g_szWrongCurSRegFmt_ %+ %1 wrt RIP]
+ push rax
+ call TMPL_NM_CMN(TestFailedF)
+ add xSP, 32
+ %elifdef TMPL_16
+ push dword __LINE__
+ push word (%2)
+ push ax
+ push g_szWrongCurSRegFmt_ %+ %1
+ call TMPL_NM_CMN(TestFailedF)
+ add xSP, 12
+ %else
+ push __LINE__
+ push (%2)
+ push eax
+ push g_szWrongCurSRegFmt_ %+ %1
+ call TMPL_NM_CMN(TestFailedF)
+ add xSP, 16
+ %endif
+ %%.ok:
+ %endmacro
+
+
+%endif
+
+
+;;
+; Checks different gate types.
+;
+BEGINPROC TMPL_NM(TestGateType)
+ push xBP
+ mov xBP, xSP
+ push sAX
+ push xBX
+ push xCX
+ push xDX
+ push xDI
+ push xSI
+
+ mov xAX, .s_szSubTestName
+ call TMPL_NM_CMN(TestSub)
+
+
+ ;
+ ; Check that int3 works and save the IDTE before making changes.
+ ;
+ ; We'll be changing X86DESCGATE.u4Type, which starts at bit 0x28 (that
+ ; is byte 5) and is 4-bit wide, and X86DESCGATE.u1DescType, which is
+ ; at bit 2c.
+ ;
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3 ; check that int3 works before we start messing around...
+
+%ifdef TMPL_LM64
+ push qword [bs2Idt_BP xWrtRIP]
+ push qword [bs2Idt_BP + 8 xWrtRIP]
+%else
+ push dword [bs2Idt_BP xWrtRIP]
+ push dword [bs2Idt_BP + 4 xWrtRIP]
+%endif
+ mov xDI, xSP ; for catching stack errors
+
+ ;
+ ; Check all kinds of none system selectors first (they should all GP(3+IDT))
+ ;
+%assign u4Type 0
+%rep 16
+ and byte [bs2Idt_BP + 5 xWrtRIP], 0e0h
+ or byte [bs2Idt_BP + 5 xWrtRIP], RT_BIT(4) | u4Type
+ BS2_TRAP_INSTR X86_XCPT_GP, (3 << X86_TRAP_ERR_SEL_SHIFT) | X86_TRAP_ERR_IDT, int3
+ %assign u4Type (u4Type + 1)
+%endrep
+
+ ;
+ ; Illegal system types.
+ ;
+%ifdef TMPL_LM64
+ %assign u4Type 0
+ %rep 14
+ and byte [bs2Idt_BP + 5 xWrtRIP], 0e0h
+ or byte [bs2Idt_BP + 5 xWrtRIP], u4Type
+ BS2_TRAP_INSTR X86_XCPT_GP, (3 << X86_TRAP_ERR_SEL_SHIFT) | X86_TRAP_ERR_IDT, int3
+ %assign u4Type (u4Type + 1)
+ %endrep
+%else
+ and byte [bs2Idt_BP + 5 xWrtRIP], 0e0h
+ or byte [bs2Idt_BP + 5 xWrtRIP], X86_SEL_TYPE_SYS_UNDEFINED
+ BS2_TRAP_INSTR X86_XCPT_GP, (3 << X86_TRAP_ERR_SEL_SHIFT) | X86_TRAP_ERR_IDT, int3
+
+ and byte [bs2Idt_BP + 5 xWrtRIP], 0e0h
+ or byte [bs2Idt_BP + 5 xWrtRIP], X86_SEL_TYPE_SYS_286_TSS_AVAIL
+ BS2_TRAP_INSTR X86_XCPT_GP, (3 << X86_TRAP_ERR_SEL_SHIFT) | X86_TRAP_ERR_IDT, int3
+
+ and byte [bs2Idt_BP + 5 xWrtRIP], 0e0h
+ or byte [bs2Idt_BP + 5 xWrtRIP], X86_SEL_TYPE_SYS_LDT
+ BS2_TRAP_INSTR X86_XCPT_GP, (3 << X86_TRAP_ERR_SEL_SHIFT) | X86_TRAP_ERR_IDT, int3
+
+ and byte [bs2Idt_BP + 5 xWrtRIP], 0e0h
+ or byte [bs2Idt_BP + 5 xWrtRIP], X86_SEL_TYPE_SYS_286_TSS_BUSY
+ BS2_TRAP_INSTR X86_XCPT_GP, (3 << X86_TRAP_ERR_SEL_SHIFT) | X86_TRAP_ERR_IDT, int3
+
+ and byte [bs2Idt_BP + 5 xWrtRIP], 0e0h
+ or byte [bs2Idt_BP + 5 xWrtRIP], X86_SEL_TYPE_SYS_286_CALL_GATE
+ BS2_TRAP_INSTR X86_XCPT_GP, (3 << X86_TRAP_ERR_SEL_SHIFT) | X86_TRAP_ERR_IDT, int3
+
+ and byte [bs2Idt_BP + 5 xWrtRIP], 0e0h
+ or byte [bs2Idt_BP + 5 xWrtRIP], X86_SEL_TYPE_SYS_UNDEFINED2
+ BS2_TRAP_INSTR X86_XCPT_GP, (3 << X86_TRAP_ERR_SEL_SHIFT) | X86_TRAP_ERR_IDT, int3
+
+ and byte [bs2Idt_BP + 5 xWrtRIP], 0e0h
+ or byte [bs2Idt_BP + 5 xWrtRIP], X86_SEL_TYPE_SYS_386_TSS_AVAIL
+ BS2_TRAP_INSTR X86_XCPT_GP, (3 << X86_TRAP_ERR_SEL_SHIFT) | X86_TRAP_ERR_IDT, int3
+
+ and byte [bs2Idt_BP + 5 xWrtRIP], 0e0h
+ or byte [bs2Idt_BP + 5 xWrtRIP], X86_SEL_TYPE_SYS_UNDEFINED3
+ BS2_TRAP_INSTR X86_XCPT_GP, (3 << X86_TRAP_ERR_SEL_SHIFT) | X86_TRAP_ERR_IDT, int3
+
+ and byte [bs2Idt_BP + 5 xWrtRIP], 0e0h
+ or byte [bs2Idt_BP + 5 xWrtRIP], X86_SEL_TYPE_SYS_386_TSS_BUSY
+ BS2_TRAP_INSTR X86_XCPT_GP, (3 << X86_TRAP_ERR_SEL_SHIFT) | X86_TRAP_ERR_IDT, int3
+
+ and byte [bs2Idt_BP + 5 xWrtRIP], 0e0h
+ or byte [bs2Idt_BP + 5 xWrtRIP], X86_SEL_TYPE_SYS_UNDEFINED4
+ BS2_TRAP_INSTR X86_XCPT_GP, (3 << X86_TRAP_ERR_SEL_SHIFT) | X86_TRAP_ERR_IDT, int3
+
+ and byte [bs2Idt_BP + 5 xWrtRIP], 0e0h
+ or byte [bs2Idt_BP + 5 xWrtRIP], X86_SEL_TYPE_SYS_386_CALL_GATE
+ BS2_TRAP_INSTR X86_XCPT_GP, (3 << X86_TRAP_ERR_SEL_SHIFT) | X86_TRAP_ERR_IDT, int3
+%endif
+
+ ;
+ ; Legal types.
+ ;
+ pushf
+ sti ; make sure interrupts are enabled.
+
+%ifdef TMPL_LM64
+ and byte [bs2Idt_BP + 5 xWrtRIP], 0e0h
+ or byte [bs2Idt_BP + 5 xWrtRIP], AMD64_SEL_TYPE_SYS_INT_GATE
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+ ASSERT_TRAP_EFLAGS_IF jz
+
+ and byte [bs2Idt_BP + 5 xWrtRIP], 0e0h
+ or byte [bs2Idt_BP + 5 xWrtRIP], AMD64_SEL_TYPE_SYS_TRAP_GATE
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+ ASSERT_TRAP_EFLAGS_IF jnz
+%else
+ and byte [bs2Idt_BP + 5 xWrtRIP], 0e0h
+ or byte [bs2Idt_BP + 5 xWrtRIP], X86_SEL_TYPE_SYS_386_INT_GATE
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+ ASSERT_TRAP_EFLAGS_IF jz
+
+ and byte [bs2Idt_BP + 5 xWrtRIP], 0e0h
+ or byte [bs2Idt_BP + 5 xWrtRIP], X86_SEL_TYPE_SYS_386_TRAP_GATE
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+ ASSERT_TRAP_EFLAGS_IF jnz
+
+ ;; @todo X86_SEL_TYPE_SYS_TASK_GATE, X86_SEL_TYPE_SYS_286_INT_GATE, X86_SEL_TYPE_SYS_286_TRAP_GATE, X86_SEL_TYPE_SYS_386_CALL_GATE
+%endif
+
+ popf
+
+ ;
+ ; Check that a not-present gate GPs. The not-present bit is 0x2f.
+ ;
+ and byte [bs2Idt_BP + 5 xWrtRIP], 0e0h
+%ifdef TMPL_LM64
+ or byte [bs2Idt_BP + 5 xWrtRIP], AMD64_SEL_TYPE_SYS_INT_GATE
+%else
+ or byte [bs2Idt_BP + 5 xWrtRIP], X86_SEL_TYPE_SYS_386_TRAP_GATE
+%endif
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+
+ and byte [bs2Idt_BP + 5 xWrtRIP], 07fh
+ BS2_TRAP_INSTR X86_XCPT_NP, (3 << X86_TRAP_ERR_SEL_SHIFT) | X86_TRAP_ERR_IDT, int3
+
+ ;
+ ; Restore the descriptor and make sure it works.
+ ;
+ ASSERT_SIMPLE xDI, xSP, je, "Someone busted xSP during this test."
+%ifdef TMPL_LM64
+ pop qword [bs2Idt_BP + 8 xWrtRIP]
+ pop qword [bs2Idt_BP xWrtRIP]
+%else
+ pop dword [bs2Idt_BP + 4 xWrtRIP]
+ pop dword [bs2Idt_BP xWrtRIP]
+%endif
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+
+ ;
+ ; Done.
+ ;
+ call TMPL_NM_CMN(TestSubDone)
+
+ pop xSI
+ pop xDI
+ pop xDX
+ pop xCX
+ pop xBX
+ pop sAX
+ leave
+ ret
+
+.s_szSubTestName:
+ db TMPL_MODE_STR, ', IDTE type checks', 0
+ENDPROC TMPL_NM(TestGateType)
+
+
+;;
+; Checks different code selector types.
+;
+; @uses No registers, but BS2_SEL_SPARE0 is trashed.
+;
+BEGINPROC TMPL_NM(TestCodeSelector)
+ push xBP
+ mov xBP, xSP
+ push sAX
+ push xBX
+ push xCX
+ push xDX
+ push xDI
+ push xSI
+
+ mov xAX, .s_szSubTestName
+ call TMPL_NM_CMN(TestSub)
+
+
+ ;
+ ; Modify the first extra selector to be various kinds of invalid code
+ ; selectors.
+ ;
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3 ; check that int3 works before we start messing around...
+
+%ifdef TMPL_LM64
+ push qword [bs2Idt_BP xWrtRIP]
+ push qword [bs2Idt_BP + 8 xWrtRIP]
+%else
+ push dword [bs2Idt_BP xWrtRIP]
+ push dword [bs2Idt_BP + 4 xWrtRIP]
+%endif
+
+ mov ecx, [bs2Gdt + MY_R0_CS xWrtRIP]
+ mov [bs2GdtSpare0 xWrtRIP], ecx
+ mov ecx, [bs2Gdt + MY_R0_CS + 4 xWrtRIP]
+ mov [bs2GdtSpare0 + 4 xWrtRIP], ecx ; GdtSpare0 is a copy of the CS descriptor now.
+
+ mov word [bs2Idt_BP + 2 xWrtRIP], BS2_SEL_SPARE0
+
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3 ; check again to make sure the CS copy is fine.
+
+
+ ; Data selector (u4Type starts at bit 0x28, that is byte 5) .
+ and byte [bs2GdtSpare0 + 5 xWrtRIP], 0f0h
+ or byte [bs2GdtSpare0 + 5 xWrtRIP], X86_SEL_TYPE_RO
+ BS2_TRAP_INSTR X86_XCPT_GP, BS2_SEL_SPARE0, int3
+
+ and byte [bs2GdtSpare0 + 5 xWrtRIP], 0f0h
+ or byte [bs2GdtSpare0 + 5 xWrtRIP], X86_SEL_TYPE_RO_ACC
+ BS2_TRAP_INSTR X86_XCPT_GP, BS2_SEL_SPARE0, int3
+
+ and byte [bs2GdtSpare0 + 5 xWrtRIP], 0f0h
+ or byte [bs2GdtSpare0 + 5 xWrtRIP], X86_SEL_TYPE_RW
+ BS2_TRAP_INSTR X86_XCPT_GP, BS2_SEL_SPARE0, int3
+
+ and byte [bs2GdtSpare0 + 5 xWrtRIP], 0f0h
+ or byte [bs2GdtSpare0 + 5 xWrtRIP], X86_SEL_TYPE_RW_ACC
+ BS2_TRAP_INSTR X86_XCPT_GP, BS2_SEL_SPARE0, int3
+
+ and byte [bs2GdtSpare0 + 5 xWrtRIP], 0f0h
+ or byte [bs2GdtSpare0 + 5 xWrtRIP], X86_SEL_TYPE_RO_DOWN
+ BS2_TRAP_INSTR X86_XCPT_GP, BS2_SEL_SPARE0, int3
+
+ and byte [bs2GdtSpare0 + 5 xWrtRIP], 0f0h
+ or byte [bs2GdtSpare0 + 5 xWrtRIP], X86_SEL_TYPE_RO_DOWN_ACC
+ BS2_TRAP_INSTR X86_XCPT_GP, BS2_SEL_SPARE0, int3
+
+ and byte [bs2GdtSpare0 + 5 xWrtRIP], 0f0h
+ or byte [bs2GdtSpare0 + 5 xWrtRIP], X86_SEL_TYPE_RW_DOWN
+ BS2_TRAP_INSTR X86_XCPT_GP, BS2_SEL_SPARE0, int3
+
+ and byte [bs2GdtSpare0 + 5 xWrtRIP], 0f0h
+ or byte [bs2GdtSpare0 + 5 xWrtRIP], X86_SEL_TYPE_RW_DOWN_ACC
+ BS2_TRAP_INSTR X86_XCPT_GP, BS2_SEL_SPARE0, int3
+
+ ; Executable selector types (works fine).
+ and byte [bs2GdtSpare0 + 5 xWrtRIP], 0f0h
+ or byte [bs2GdtSpare0 + 5 xWrtRIP], X86_SEL_TYPE_EO
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+
+ and byte [bs2GdtSpare0 + 5 xWrtRIP], 0f0h
+ or byte [bs2GdtSpare0 + 5 xWrtRIP], X86_SEL_TYPE_EO_ACC
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+
+ and byte [bs2GdtSpare0 + 5 xWrtRIP], 0f0h
+ or byte [bs2GdtSpare0 + 5 xWrtRIP], X86_SEL_TYPE_ER
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+
+ and byte [bs2GdtSpare0 + 5 xWrtRIP], 0f0h
+ or byte [bs2GdtSpare0 + 5 xWrtRIP], X86_SEL_TYPE_ER_ACC
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+
+ and byte [bs2GdtSpare0 + 5 xWrtRIP], 0f0h
+ or byte [bs2GdtSpare0 + 5 xWrtRIP], X86_SEL_TYPE_EO_CONF
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+
+ and byte [bs2GdtSpare0 + 5 xWrtRIP], 0f0h
+ or byte [bs2GdtSpare0 + 5 xWrtRIP], X86_SEL_TYPE_EO_CONF_ACC
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+
+ and byte [bs2GdtSpare0 + 5 xWrtRIP], 0f0h
+ or byte [bs2GdtSpare0 + 5 xWrtRIP], X86_SEL_TYPE_ER_CONF
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+
+ and byte [bs2GdtSpare0 + 5 xWrtRIP], 0f0h
+ or byte [bs2GdtSpare0 + 5 xWrtRIP], X86_SEL_TYPE_ER_CONF_ACC
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+
+ ;
+ ; Test with the code selector set to NULL.
+ ;
+ mov word [bs2Idt_BP + 2 xWrtRIP], 0
+ BS2_TRAP_INSTR X86_XCPT_GP, 0, int3
+
+ mov word [bs2Idt_BP + 2 xWrtRIP], 1
+ BS2_TRAP_INSTR X86_XCPT_GP, 0, int3
+
+ mov word [bs2Idt_BP + 2 xWrtRIP], 2
+ BS2_TRAP_INSTR X86_XCPT_GP, 0, int3
+
+ mov word [bs2Idt_BP + 2 xWrtRIP], 3
+ BS2_TRAP_INSTR X86_XCPT_GP, 0, int3
+
+ mov word [bs2Idt_BP + 2 xWrtRIP], BS2_SEL_SPARE0 ; restore our CS
+
+ ;
+ ; Test with the code selector marked as not present but otherwise valid.
+ ;
+ and byte [bs2GdtSpare0 + 5 xWrtRIP], 0f0h
+ or byte [bs2GdtSpare0 + 5 xWrtRIP], X86_SEL_TYPE_ER_ACC
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+
+ and byte [bs2GdtSpare0 + 5 xWrtRIP], 07fh
+ BS2_TRAP_INSTR X86_XCPT_NP, BS2_SEL_SPARE0, int3
+
+ ;
+ ; Invalid CS selector and not present, we should get a GP.
+ ; Intel states that the present bit is checked after the type.
+ ;
+ and byte [bs2GdtSpare0 + 5 xWrtRIP], 070h
+ or byte [bs2GdtSpare0 + 5 xWrtRIP], X86_SEL_TYPE_RW_DOWN_ACC
+ BS2_TRAP_INSTR X86_XCPT_GP, BS2_SEL_SPARE0, int3
+
+%ifdef TMPL_LM64
+ ; Long mode variations on invalid (L and D bits) pitted against NP.
+ and byte [bs2GdtSpare0 + 5 xWrtRIP], 070h
+ or byte [bs2GdtSpare0 + 5 xWrtRIP], X86_SEL_TYPE_ER_ACC
+ and byte [bs2GdtSpare0 + 6 xWrtRIP], ~(RT_BIT(5) | RT_BIT(6)) ; (0x35=u1Long, 0x36=u1DefBig) = (0, 0)
+ BS2_TRAP_INSTR X86_XCPT_GP, BS2_SEL_SPARE0, int3
+
+ or byte [bs2GdtSpare0 + 6 xWrtRIP], RT_BIT(6) ; (0x35=u1Long, 0x36=u1DefBig) = (0, 1)
+ BS2_TRAP_INSTR X86_XCPT_GP, BS2_SEL_SPARE0, int3
+
+ or byte [bs2GdtSpare0 + 6 xWrtRIP], RT_BIT(5) ; (0x35=u1Long, 0x36=u1DefBig) = (1, 1)
+ BS2_TRAP_INSTR X86_XCPT_GP, BS2_SEL_SPARE0, int3
+
+ and byte [bs2GdtSpare0 + 6 xWrtRIP], ~(RT_BIT(5) | RT_BIT(6))
+ or byte [bs2GdtSpare0 + 6 xWrtRIP], RT_BIT(5) ; restored
+%endif
+
+ and byte [bs2GdtSpare0 + 5 xWrtRIP], 070h
+ or byte [bs2GdtSpare0 + 5 xWrtRIP], X86_SEL_TYPE_ER_ACC | 080h ; restore CS to present & valid.
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3 ; make sure this is so.
+
+ ;
+ ; Check the CS DPL vs IDTE DPL.
+ ; X86DESCGENERIC.u2Dpl is at bit 0x2d (i.e. in byte 5).
+ ;
+ and byte [bs2GdtSpare0 + 5 xWrtRIP], ~(RT_BIT(5) | RT_BIT(6))
+ or byte [bs2GdtSpare0 + 5 xWrtRIP], 0 ; CS.DPL == 0 == CPL
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+
+ and byte [bs2GdtSpare0 + 5 xWrtRIP], ~(RT_BIT(5) | RT_BIT(6))
+ or byte [bs2GdtSpare0 + 5 xWrtRIP], 1 << 5 ; CS.DPL == 1 < CPL
+ BS2_TRAP_INSTR X86_XCPT_GP, BS2_SEL_SPARE0, int3
+
+ and byte [bs2GdtSpare0 + 5 xWrtRIP], ~(RT_BIT(5) | RT_BIT(6))
+ or byte [bs2GdtSpare0 + 5 xWrtRIP], 2 << 5 ; CS.DPL == 2 < CPL
+ BS2_TRAP_INSTR X86_XCPT_GP, BS2_SEL_SPARE0, int3
+
+ and byte [bs2GdtSpare0 + 5 xWrtRIP], ~(RT_BIT(5) | RT_BIT(6))
+ or byte [bs2GdtSpare0 + 5 xWrtRIP], 3 << 5 ; CS.DPL == 3 < CPL
+ BS2_TRAP_INSTR X86_XCPT_GP, BS2_SEL_SPARE0, int3
+
+ ; Restore.
+ and byte [bs2GdtSpare0 + 5 xWrtRIP], 010h
+ or byte [bs2GdtSpare0 + 5 xWrtRIP], X86_SEL_TYPE_ER_ACC | 080h ; restore CS to present, valid and DPL=0
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3 ; make sure it's restored.
+
+ ;
+ ; Is RPL is ignored? Yes, it is.
+ ;
+ and word [bs2Idt_BP + 2 xWrtRIP], X86_SEL_MASK_OFF_RPL ; RPL = 0
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+ ASSERT_TRAP_CS_VALUE BS2_SEL_SPARE0
+
+ and word [bs2Idt_BP + 2 xWrtRIP], X86_SEL_MASK_OFF_RPL
+ or byte [bs2Idt_BP + 2 xWrtRIP], 1 ; RPL = 1
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+ ASSERT_TRAP_CS_VALUE BS2_SEL_SPARE0
+
+ and word [bs2Idt_BP + 2 xWrtRIP], X86_SEL_MASK_OFF_RPL
+ or byte [bs2Idt_BP + 2 xWrtRIP], 2 ; RPL = 2
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+ ASSERT_TRAP_CS_VALUE BS2_SEL_SPARE0
+
+ and word [bs2Idt_BP + 2 xWrtRIP], X86_SEL_MASK_OFF_RPL
+ or byte [bs2Idt_BP + 2 xWrtRIP], 3 ; RPL = 3
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+ ASSERT_TRAP_CS_VALUE BS2_SEL_SPARE0
+
+ ;
+ ; Conforming CS.
+ ;
+ or byte [bs2Idt_BP + 5 xWrtRIP], (3 << 5) ; IDTE.DPL = 3
+ and byte [bs2GdtSpare0 + 5 xWrtRIP], 090h
+ or byte [bs2GdtSpare0 + 5 xWrtRIP], X86_SEL_TYPE_ER_CONF_ACC ; CS.DPL=0, code, read, conforming
+
+ call TMPL_NM_CMN(Bs2ToRing1)
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+ call TMPL_NM_CMN(Bs2ToRing0)
+ ASSERT_TRAP_CS_VALUE BS2_SEL_SPARE0 | 1
+
+ call TMPL_NM_CMN(Bs2ToRing2)
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+ call TMPL_NM_CMN(Bs2ToRing0)
+ ASSERT_TRAP_CS_VALUE BS2_SEL_SPARE0 | 2
+
+ call TMPL_NM_CMN(Bs2ToRing3)
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+ call TMPL_NM_CMN(Bs2ToRing0)
+ ASSERT_TRAP_CS_VALUE BS2_SEL_SPARE0 | 3
+
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+ ASSERT_TRAP_CS_VALUE BS2_SEL_SPARE0 | 0
+
+ ; RPL is ignored. Only CPL matters.
+ or byte [bs2Idt_BP + 2 xWrtRIP], (3 << 5) ; IDTE.CS.RPL=3
+ call TMPL_NM_CMN(Bs2ToRing2)
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+ call TMPL_NM_CMN(Bs2ToRing0)
+ ASSERT_TRAP_CS_VALUE BS2_SEL_SPARE0 | 2
+
+ and word [bs2Idt_BP + 2 xWrtRIP], X86_SEL_MASK_OFF_RPL
+ or byte [bs2Idt_BP + 2 xWrtRIP], (1 << 5) ; IDTE.CS.RPL=1
+ call TMPL_NM_CMN(Bs2ToRing2)
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+ call TMPL_NM_CMN(Bs2ToRing0)
+ ASSERT_TRAP_CS_VALUE BS2_SEL_SPARE0 | 2
+
+ and word [bs2Idt_BP + 2 xWrtRIP], X86_SEL_MASK_OFF_RPL
+ or byte [bs2Idt_BP + 2 xWrtRIP], (2 << 5) ; IDTE.CS.RPL=2
+ call TMPL_NM_CMN(Bs2ToRing2)
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+ call TMPL_NM_CMN(Bs2ToRing0)
+ ASSERT_TRAP_CS_VALUE BS2_SEL_SPARE0 | 2
+
+ ; Change the CS.DPL to 1 and try it from ring-0.
+ and byte [bs2GdtSpare0 + 5 xWrtRIP], 09fh
+ or byte [bs2GdtSpare0 + 5 xWrtRIP], (1 << 5) ; CS.DPL=1
+ BS2_TRAP_INSTR X86_XCPT_GP, BS2_SEL_SPARE0, int3
+
+ ; Restore.
+ and word [bs2Idt_BP + 2 xWrtRIP], X86_SEL_MASK_OFF_RPL
+ and byte [bs2Idt_BP + 5 xWrtRIP], 0x9f ; IDTE.DPL=0
+ and byte [bs2GdtSpare0 + 5 xWrtRIP], 010h
+ or byte [bs2GdtSpare0 + 5 xWrtRIP], X86_SEL_TYPE_ER_ACC | 080h ; restore CS to present, valid and DPL=0
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3 ; make sure it's restored.
+
+ ;
+ ; Limit / canonical checks.
+ ;
+ ; Messing with X86DESCGENERIC.u16LimitLow which is at bit 0,
+ ; X86DESCGENERIC.u4LimitHigh which is at bit 0x30, and
+ ; X86DESCGENERIC.u1Granularity which is at bit 0x37.
+ ;
+ mov word [bs2GdtSpare0 xWrtRIP], 0010h
+ and byte [bs2GdtSpare0 + 6 xWrtRIP], 070h ; setting limit to 0x10, ASSUMES IDTE.off > 0x10
+%ifdef TMPL_LM64
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+%else
+ BS2_TRAP_INSTR X86_XCPT_GP, 0, int3
+%endif
+
+%ifdef TMPL_LM64
+ or dword [bs2Idt_BP + 8 xWrtRIP], 0x007f7f33
+ BS2_TRAP_INSTR X86_XCPT_GP, 0, int3
+%endif
+
+ ; Who takes precedence? CS NP or the above GP? NP does.
+ and byte [bs2GdtSpare0 + 5 xWrtRIP], 07fh
+ BS2_TRAP_INSTR X86_XCPT_NP, BS2_SEL_SPARE0, int3
+
+
+%ifdef TMPL_LM64
+ ; Who takes precedence? IDTE NP or the not canoncial GP? NP does.
+ or byte [bs2GdtSpare0 + 5 xWrtRIP], 80h
+ and byte [bs2Idt_BP + 5 xWrtRIP], 07fh
+ BS2_TRAP_INSTR X86_XCPT_NP, (3 << X86_TRAP_ERR_SEL_SHIFT) | X86_TRAP_ERR_IDT, int3
+%endif
+
+ ;
+ ; Restore the descriptor and make sure it works.
+ ;
+%ifdef TMPL_LM64
+ pop qword [bs2Idt_BP + 8 xWrtRIP]
+ pop qword [bs2Idt_BP xWrtRIP]
+%else
+ pop dword [bs2Idt_BP + 4 xWrtRIP]
+ pop dword [bs2Idt_BP xWrtRIP]
+%endif
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+
+ ;
+ ; Done.
+ ;
+ call TMPL_NM_CMN(TestSubDone)
+
+ pop xSI
+ pop xDI
+ pop xDX
+ pop xCX
+ pop xBX
+ pop sAX
+ leave
+ ret
+
+.s_szSubTestName:
+ db TMPL_MODE_STR, ', IDTE CS checks', 0
+ENDPROC TMPL_NM(TestCodeSelector)
+
+
+;;
+; Checks that the IDTE type is checked before the CS type.
+;
+; @uses No registers, but BS2_SEL_SPARE0 is trashed.
+;
+BEGINPROC TMPL_NM(TestCheckOrderCsTypeVsIdteType)
+ push xBP
+ mov xBP, xSP
+ push sAX
+ push xBX
+ push xCX
+ push xDX
+ push xDI
+ push xSI
+
+ mov xAX, .s_szSubTestName
+ call TMPL_NM_CMN(TestSub)
+
+
+ ;
+ ; Check the int3 and save its IDTE.
+ ;
+ ; We'll be changing X86DESCGATE.u4Type, which starts at bit 0x28 (that
+ ; is byte 5) and is 4-bit wide, and X86DESCGATE.u1DescType, which is
+ ; at bit 2c.
+ ;
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3 ; check that int3 works before we start messing around...
+
+%ifdef TMPL_LM64
+ push qword [bs2Idt_BP xWrtRIP]
+ push qword [bs2Idt_BP + 8 xWrtRIP]
+%else
+ push dword [bs2Idt_BP xWrtRIP]
+ push dword [bs2Idt_BP + 4 xWrtRIP]
+%endif
+
+ ;
+ ; Make a copy of our CS descriptor into spare one and make INT3 use it.
+ ;
+ mov ecx, [bs2Gdt + MY_R0_CS xWrtRIP]
+ mov [bs2GdtSpare0 xWrtRIP], ecx
+ mov ecx, [bs2Gdt + MY_R0_CS + 4 xWrtRIP]
+ mov [bs2GdtSpare0 + 4 xWrtRIP], ecx ; GdtSpare0 is a copy of the CS descriptor now.
+
+ mov word [bs2Idt_BP + 2 xWrtRIP], BS2_SEL_SPARE0
+
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3 ; check again to make sure the CS copy is fine.
+
+ ;
+ ; Make both the IDTE type and CS invalid, we should end up with a IDT GP not the CS one.
+ ; CS = data selector and IDTE invalid 0 type.
+ ;
+ and byte [bs2GdtSpare0 + 5 xWrtRIP], 0f0h
+ or byte [bs2GdtSpare0 + 5 xWrtRIP], X86_SEL_TYPE_RO
+
+ and byte [bs2Idt_BP + 5 xWrtRIP], 0e0h
+ or byte [bs2Idt_BP + 5 xWrtRIP], X86_SEL_TYPE_SYS_UNDEFINED
+ BS2_TRAP_INSTR X86_XCPT_GP, (3 << X86_TRAP_ERR_SEL_SHIFT) | X86_TRAP_ERR_IDT, int3
+
+ ;
+ ; Make the IDTE not-present but otherwise fine, keeping CS invalid.
+ ;
+ and byte [bs2Idt_BP + 5 xWrtRIP], 070h
+%ifdef TMPL_LM64
+ or byte [bs2Idt_BP + 5 xWrtRIP], AMD64_SEL_TYPE_SYS_INT_GATE
+%else
+ or byte [bs2Idt_BP + 5 xWrtRIP], X86_SEL_TYPE_SYS_386_TRAP_GATE
+%endif
+ BS2_TRAP_INSTR X86_XCPT_NP, (3 << X86_TRAP_ERR_SEL_SHIFT) | X86_TRAP_ERR_IDT, int3
+
+ ;
+ ; Make the CS not present as well.
+ ;
+ and byte [bs2GdtSpare0 + 5 xWrtRIP], 070h
+ or byte [bs2GdtSpare0 + 5 xWrtRIP], X86_SEL_TYPE_EO
+ BS2_TRAP_INSTR X86_XCPT_NP, (3 << X86_TRAP_ERR_SEL_SHIFT) | X86_TRAP_ERR_IDT, int3
+
+ ;
+ ; CS not present, IDTE invalid but present.
+ ;
+ and byte [bs2Idt_BP + 5 xWrtRIP], 0f0h
+ or byte [bs2Idt_BP + 5 xWrtRIP], X86_SEL_TYPE_SYS_UNDEFINED | 0x80
+ BS2_TRAP_INSTR X86_XCPT_GP, (3 << X86_TRAP_ERR_SEL_SHIFT) | X86_TRAP_ERR_IDT, int3
+
+ ;
+ ; CS NULL, IDTE invalid but present.
+ ;
+ mov word [bs2Idt_BP + 2 xWrtRIP], 0
+ BS2_TRAP_INSTR X86_XCPT_GP, (3 << X86_TRAP_ERR_SEL_SHIFT) | X86_TRAP_ERR_IDT, int3
+
+ ;
+ ; CS NULL, IDTE valid but not present.
+ ;
+ and byte [bs2Idt_BP + 5 xWrtRIP], 070h
+%ifdef TMPL_LM64
+ or byte [bs2Idt_BP + 5 xWrtRIP], AMD64_SEL_TYPE_SYS_INT_GATE
+%else
+ or byte [bs2Idt_BP + 5 xWrtRIP], X86_SEL_TYPE_SYS_386_TRAP_GATE
+%endif
+ BS2_TRAP_INSTR X86_XCPT_NP, (3 << X86_TRAP_ERR_SEL_SHIFT) | X86_TRAP_ERR_IDT, int3
+
+ ;
+ ; Restore the descriptor and make sure it works.
+ ;
+%ifdef TMPL_LM64
+ pop qword [bs2Idt_BP + 8 xWrtRIP]
+ pop qword [bs2Idt_BP xWrtRIP]
+%else
+ pop dword [bs2Idt_BP + 4 xWrtRIP]
+ pop dword [bs2Idt_BP xWrtRIP]
+%endif
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+
+ ;
+ ; Done.
+ ;
+ call TMPL_NM_CMN(TestSubDone)
+
+ pop xSI
+ pop xDI
+ pop xDX
+ pop xCX
+ pop xBX
+ pop sAX
+ leave
+ ret
+
+.s_szSubTestName:
+ db TMPL_MODE_STR, ', IDTE.type before CS.type', 0
+ENDPROC TMPL_NM(TestCheckOrderCsTypeVsIdteType)
+
+
+;;
+; Checks stack switching behavior.
+;
+; @uses none
+;
+BEGINPROC TMPL_NM(TestStack)
+ push xBP
+ mov xBP, xSP
+ push sAX
+ push xBX
+ push xCX
+ push xDX
+ push xDI
+ push xSI
+ pushf
+ cli
+
+ mov xAX, .s_szSubTestName
+ call TMPL_NM_CMN(TestSub)
+
+
+ ;
+ ; Check the int3, save its IDTE, then make it ring-3 accessible.
+ ;
+ ; X86DESCGENERIC.u2Dpl is at bit 0x2d (i.e. in byte 5).
+ ;
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3 ; check that int3 works before we start messing around...
+
+%ifdef TMPL_LM64
+ push qword [bs2Idt_BP xWrtRIP]
+ push qword [bs2Idt_BP + 8 xWrtRIP]
+%else
+ push dword [bs2Idt_BP xWrtRIP]
+ push dword [bs2Idt_BP + 4 xWrtRIP]
+%endif
+
+ and byte [bs2Idt_BP + 5 xWrtRIP], ~(RT_BIT(5) | RT_BIT(6))
+ or byte [bs2Idt_BP + 5 xWrtRIP], 3 << 5 ; DPL == 3
+
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+
+
+ ;
+ ; In ring-0 no stack switching is performed.
+ ;
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+ mov xBX, [g_u64LastTrapHandlerRSP]
+%ifdef TMPL_64BIT
+ mov rax, rsp
+ and rax, ~15
+ sub rax, 7*8
+%else
+ lea eax, [esp - 5*4]
+%endif
+ ASSERT_SIMPLE sAX, xBX, je, "Wrong xSP value for ring-0 -> ring-0 int3."
+ mov bx, [g_u16LastTrapHandlerSS]
+ mov ax, ss
+ ASSERT_SIMPLE ax, bx, je, "Wrong SS value for ring-0 -> ring-0 int3."
+
+ ;
+ ; Switch to ring-1 and watch stack switching take place.
+ ;
+ call TMPL_NM_CMN(Bs2ToRing1)
+
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+ mov xBX, [g_u64LastTrapHandlerRSP]
+ mov sAX, BS2_R0_STACK_ADDR
+%ifdef TMPL_64BIT
+ and rax, ~15
+ sub rax, 7*8
+%else
+ sub eax, 7*4
+%endif
+ ASSERT_SIMPLE sAX, xBX, je, "Wrong xSP value for ring-1 -> ring-0 int3."
+ mov bx, [g_u16LastTrapHandlerSS]
+%ifdef TMPL_64BIT
+ mov ax, 0
+%else
+ mov ax, MY_R0_SS
+%endif
+ ASSERT_SIMPLE ax, bx, je, "Wrong SS value for ring-1 -> ring-0 int3."
+
+ call TMPL_NM_CMN(Bs2ToRing0)
+
+ ;
+ ; Missaligned stack, ring-0 -> ring-0.
+ ;
+ mov xDI, xSP ; save the stack pointer.
+%rep 15
+ sub xSP, 1h
+
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+ mov xBX, [g_u64LastTrapHandlerRSP]
+%ifdef TMPL_64BIT
+ mov rax, rsp
+ and rax, ~15
+ sub rax, 7*8
+%else
+ lea eax, [esp - 5*4]
+%endif
+ ASSERT_SIMPLE sAX, xBX, je, "Wrong xSP value for ring-0 -> ring-0 int3, w/ unaligned stack."
+ mov bx, [g_u16LastTrapHandlerSS]
+ mov ax, ss
+ ASSERT_SIMPLE ax, bx, je, "Wrong SS value for ring-0 -> ring-0 int3, w/ unaligned stack."
+
+%endrep
+ mov xSP, xDI ; restore the stack pointer.
+
+ ;
+ ; Missaligned stack, ring-1 -> ring-0.
+ ;
+ call TMPL_NM_CMN(Bs2ToRing1)
+
+ mov sSI, BS2_R0_STACK_ADDR - 16
+%rep 16
+ add sSI, 1
+%ifdef TMPL_64BIT
+ mov [bs2Tss64Bit + 4], sSI
+%else
+ mov [bs2Tss32Bit + 4], sSI
+%endif
+
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+ mov xBX, [g_u64LastTrapHandlerRSP]
+ mov sAX, sSI
+%ifdef TMPL_64BIT
+ and rax, ~15
+ sub rax, 7*8
+%else
+ sub eax, 7*4
+%endif
+ ASSERT_SIMPLE sAX, xBX, je, "Wrong xSP value for ring-1 -> ring-0 int3, w/ unaligned ring-0 stack."
+ mov bx, [g_u16LastTrapHandlerSS]
+%ifdef TMPL_64BIT
+ mov ax, 0
+%else
+ mov ax, MY_R0_SS
+%endif
+ ASSERT_SIMPLE sAX, xBX, je, "Wrong SS value for ring-1 -> ring-0 int3, w/ unaligned ring-0 stack."
+
+%endrep
+ call TMPL_NM_CMN(Bs2ToRing0)
+
+
+%ifdef TMPL_64BIT
+ ;
+ ; Stack table (AMD64 only), ring-0 -> ring-0.
+ ;
+ and byte [bs2Idt_BP + 4], ~7
+ or byte [bs2Idt_BP + 4], 3 ; IDTE.IST=3
+
+ mov rdi, [bs2Tss64Bit + X86TSS64.ist3]
+ mov rsi, BS2_R0_STACK_ADDR - 128
+ %rep 16
+ sub rsi, 1h
+ mov [bs2Tss64Bit + X86TSS64.ist3], rsi
+
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+ mov rbx, [g_u64LastTrapHandlerRSP]
+ mov rax, rsi
+ and rax, ~15
+ sub rax, 7*8
+ ASSERT_SIMPLE rax, rbx, je, "Wrong xSP value for ring-0 -> ring-0 int3, w/ unaligned IST."
+ mov bx, [g_u16LastTrapHandlerSS]
+ mov ax, ss
+ ASSERT_SIMPLE ax, bx, je, "Wrong SS value for ring-0 -> ring-0 int3, w/ unaligned IST."
+
+ %endrep
+
+ ; Continue in ring-1,2,3.
+ %assign uCurRing 1
+ %rep 3
+ call TMPL_NM_CMN(Bs2ToRing %+ uCurRing)
+ %rep 16
+ sub rsi, 1h
+ mov [bs2Tss64Bit + X86TSS64.ist3], rsi
+
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+ mov rbx, [g_u64LastTrapHandlerRSP]
+ mov rax, rsi
+ and rax, ~15
+ sub rax, 7*8
+ ASSERT_SIMPLE rax, rbx, je, "Wrong xSP value for ring-X -> ring-0 int3, w/ unaligned IST."
+ mov bx, [g_u16LastTrapHandlerSS]
+ mov ax, 0
+ ASSERT_SIMPLE ax, bx, je, "Wrong SS value for ring-X -> ring-0 int3, w/ unaligned IST."
+ %endrep
+ call TMPL_NM_CMN(Bs2ToRing0)
+ %assign uCurRing (uCurRing + 1)
+ %endrep
+
+ mov [bs2Tss64Bit + X86TSS64.ist3], rdi ; restore original value
+ and byte [bs2Idt_BP + 4], ~7 ; IDTE.IST=0
+
+
+ ;
+ ; Check SS handling when interrupting 32-bit code with a 64-bit handler.
+ ;
+ call Bs2Thunk_lm64_lm32
+ BITS 32
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+ mov bx, [g_u16LastTrapHandlerSS]
+ mov ax, ss
+ call Bs2Thunk_lm32_lm64
+ BITS 64
+ ASSERT_SIMPLE ax, bx, je, "Wrong SS value for ring-0-32 -> ring-0-64 int3, w/ 32-bit stack."
+
+ call Bs2Thunk_lm64_lm32
+ BITS 32
+ mov cx, ss
+ mov ax, BS2_SEL_SS16
+ mov ss, ax
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+ mov bx, [g_u16LastTrapHandlerSS]
+ mov ss, cx
+ call Bs2Thunk_lm32_lm64
+ BITS 64
+ ASSERT_SIMPLE ax, bx, je, "Wrong SS value for ring-0-32 -> ring-0-64 int3, w/ 16-bit stack."
+
+%endif ; TMPL_64BIT
+
+
+ ;
+ ; Restore the descriptor and make sure it works.
+ ;
+%ifdef TMPL_LM64
+ pop qword [bs2Idt_BP + 8 xWrtRIP]
+ pop qword [bs2Idt_BP xWrtRIP]
+%else
+ pop dword [bs2Idt_BP + 4 xWrtRIP]
+ pop dword [bs2Idt_BP xWrtRIP]
+%endif
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+
+ ;
+ ; Done.
+ ;
+ call TMPL_NM_CMN(TestSubDone)
+
+ popf
+ pop xSI
+ pop xDI
+ pop xDX
+ pop xCX
+ pop xBX
+ pop sAX
+ leave
+ ret
+
+.s_szSubTestName:
+ db TMPL_MODE_STR, ', Stack switching', 0
+ENDPROC TMPL_NM(TestStack)
+
+
+
+;;
+; Loads MY_R0_CS into CS.
+;
+; @uses stack, cs, flags
+;
+BEGINPROC TMPL_NM(TestLoadMyCS)
+ push 0
+ push xAX
+
+ ; Make it a far return with MY_R0_CS + CPL.
+ mov xAX, [xSP + xCB*2]
+ mov [xSP + xCB*1], xAX
+ mov xAX, ss
+%ifdef TMPL_64BIT
+ sub xAX, BS2_SEL_GRP_SS64 - BS2_SEL_GRP_CS64
+%elifdef TMPL_32BIT
+ sub xAX, BS2_SEL_GRP_SS32 - BS2_SEL_GRP_CS32
+%elifdef TMPL_16BIT
+ sub xAX, BS2_SEL_GRP_SS16 - BS2_SEL_GRP_CS16
+%else
+ TMPL_xxBIT is not defined
+%endif
+ mov [xSP + xCB*2], xAX
+
+ pop xAX
+ retf
+ENDPROC TMPL_NM(TestLoadMyCS)
+
+
+;;
+; Checks our understanding of how conforming segments are handled.
+;
+; @uses No registers, but BS2_SEL_SPARE0 is trashed.
+;
+BEGINPROC TMPL_NM(TestConforming)
+ push xBP
+ mov xBP, xSP
+ push sAX
+ push xBX
+ push xCX
+ push xDX
+ push xDI
+ push xSI
+
+ mov xAX, .s_szSubTestName
+ call TMPL_NM_CMN(TestSub)
+
+ ;
+ ; Check the int3.
+ ;
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3 ; check that int3 works before we start messing around...
+
+ mov xDI, xSP ; save the stack pointer.
+ sub xSP, 20h
+
+ ;
+ ; In this test we will do various experiments with code using a
+ ; conforming CS. The main purpose is to check that CS.RPL is always the
+ ; same as CPL, despite earlier beliefs to the contrary. Because if it
+ ; is different, iret cannot dermine the CPL to return to among other
+ ; interesting problems.
+ ;
+ mov ecx, [bs2Gdt + MY_R0_CS xWrtRIP]
+ mov [bs2GdtSpare0 xWrtRIP], ecx
+ mov ecx, [bs2Gdt + MY_R0_CS + 4 xWrtRIP]
+ mov [bs2GdtSpare0 + 4 xWrtRIP], ecx ; GdtSpare0 is a copy of the CS descriptor now.
+ and byte [bs2GdtSpare0 + 5], 0x90 ; DPL = 0
+ or byte [bs2GdtSpare0 + 5], X86_SEL_TYPE_ER_CONF_ACC
+
+%assign uCurRing 0
+%rep 4
+ ; Far jumps.
+ %assign uSpecifiedRpl 0
+ %rep 4
+ call TMPL_NM_CMN(Bs2ToRing %+ uCurRing)
+ lea xAX, [.far_jmp_target_ %+ uSpecifiedRpl %+ uCurRing]
+ %ifdef TMPL_64BIT ; AMD doesn't have an jmp far m16:m64 instruction, it ignores REX.W apparently. Intel does though.
+ ; Tested on: Bulldozer
+ mov dword [xSP + 4], BS2_SEL_SPARE0 | uSpecifiedRpl
+ mov [xSP], eax
+ jmp far dword [xSP]
+ %else
+ mov dword [xSP + xCB], BS2_SEL_SPARE0 | uSpecifiedRpl
+ mov [xSP], xAX
+ jmp far xPRE [xSP]
+ %endif
+.far_jmp_target_ %+ uSpecifiedRpl %+ uCurRing:
+ mov bx, cs
+ call TMPL_NM(TestLoadMyCS)
+ call TMPL_NM_CMN(Bs2ToRing0)
+ ASSERT_CUR_CS_VALUE_IN_BX BS2_SEL_SPARE0 | uCurRing
+ %assign uSpecifiedRpl uSpecifiedRpl + 1
+ %endrep
+
+ ; Far calls.
+ %assign uSpecifiedRpl 0
+ %rep 4
+ call TMPL_NM_CMN(Bs2ToRing %+ uCurRing)
+ mov xSI, xSP
+ lea xAX, [.far_call_target_ %+ uSpecifiedRpl %+ uCurRing]
+ %ifdef TMPL_64BIT ; AMD doesn't have an call far m16:m64 instruction, it ignores REX.W apparently. Intel does though.
+ ; Tested on: Bulldozer
+ mov dword [xSP + 4], BS2_SEL_SPARE0 | uSpecifiedRpl
+ mov [xSP], eax
+ call far dword [xSP]
+ %else
+ mov dword [xSP + xCB], BS2_SEL_SPARE0 | uSpecifiedRpl
+ mov [xSP], xAX
+ call far xPRE [xSP]
+ %endif
+.far_call_target_ %+ uSpecifiedRpl %+ uCurRing:
+ mov bx, cs
+ %ifdef TMPL_64BIT
+ add xSP, 4 * 2
+ %else
+ add xSP, xCB * 2
+ %endif
+ call TMPL_NM(TestLoadMyCS)
+ call TMPL_NM_CMN(Bs2ToRing0)
+ ASSERT_CUR_CS_VALUE_IN_BX BS2_SEL_SPARE0 | uCurRing
+ %assign uSpecifiedRpl uSpecifiedRpl + 1
+ %endrep
+
+ %assign uCurRing uCurRing + 1
+%endrep
+
+ ;
+ ; While at it, lets check something about RPL and non-conforming
+ ; segments. The check when loading is supposed to be RPL >= DPL,
+ ; except for when loading SS, where RPL = DPL = CPL.
+ ;
+
+ ; ring-0
+ mov dx, MY_R0_DS | 0
+ mov fs, dx
+ ASSERT_CUR_SREG_VALUE fs, MY_R0_DS | 0
+ mov dx, MY_R0_DS | 1
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R0_DS, mov fs, dx
+ mov dx, MY_R0_DS | 2
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R0_DS, mov fs, dx
+ mov dx, MY_R0_DS | 3
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R0_DS, mov fs, dx
+
+ ; ring-0 - Lower DPL isn't an issue, only RPL vs DPL.
+ mov dx, MY_R1_DS | 0
+ mov fs, dx
+ ASSERT_CUR_SREG_VALUE fs, MY_R1_DS | 0
+ mov dx, MY_R1_DS | 1
+ mov fs, dx
+ ASSERT_CUR_SREG_VALUE fs, MY_R1_DS | 1
+ mov dx, MY_R1_DS | 2
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R1_DS, mov fs, dx
+
+ mov dx, MY_R2_DS | 0
+ mov fs, dx
+ ASSERT_CUR_SREG_VALUE fs, MY_R2_DS | 0
+ mov dx, MY_R2_DS | 2
+ mov fs, dx
+ ASSERT_CUR_SREG_VALUE fs, MY_R2_DS | 2
+ mov dx, MY_R2_DS | 3
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R2_DS, mov fs, dx
+
+ mov dx, MY_R3_DS | 0
+ mov fs, dx
+ ASSERT_CUR_SREG_VALUE fs, MY_R3_DS | 0
+ mov dx, MY_R3_DS | 1
+ mov fs, dx
+ ASSERT_CUR_SREG_VALUE fs, MY_R3_DS | 1
+ mov dx, MY_R3_DS | 2
+ mov fs, dx
+ ASSERT_CUR_SREG_VALUE fs, MY_R3_DS | 2
+ mov dx, MY_R3_DS | 3
+ mov fs, dx
+ ASSERT_CUR_SREG_VALUE fs, MY_R3_DS | 3
+
+ ; ring-0 - What works above doesn't work with ss.
+ mov dx, MY_R1_DS | 0
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R1_DS, mov ss, dx
+ mov dx, MY_R1_DS | 1
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R1_DS, mov ss, dx
+ mov dx, MY_R1_DS | 2
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R1_DS, mov ss, dx
+ mov dx, MY_R2_DS | 0
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R2_DS, mov ss, dx
+ mov dx, MY_R3_DS | 0
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R3_DS, mov ss, dx
+ mov dx, MY_R3_DS | 3
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R3_DS, mov ss, dx
+
+
+ ; ring-1
+ call TMPL_NM_CMN(Bs2ToRing1)
+
+ mov dx, MY_R1_DS | 0
+ mov fs, dx
+ ASSERT_CUR_SREG_VALUE fs, MY_R1_DS | 0
+ mov dx, MY_R1_DS | 1
+ mov fs, dx
+ ASSERT_CUR_SREG_VALUE fs, MY_R1_DS | 1
+ mov dx, MY_R1_DS | 2
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R1_DS, mov fs, dx
+ mov dx, MY_R1_DS | 3
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R1_DS, mov fs, dx
+
+ mov dx, MY_R0_DS | 0
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R0_DS, mov fs, dx
+ mov dx, MY_R0_DS | 1
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R0_DS, mov fs, dx
+ mov dx, MY_R0_DS | 2
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R0_DS, mov fs, dx
+ mov dx, MY_R0_DS | 3
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R0_DS, mov fs, dx
+
+ ; ring-1 - Lower DPL isn't an issue, only RPL vs DPL.
+ mov dx, MY_R2_DS | 0
+ mov fs, dx
+ ASSERT_CUR_SREG_VALUE fs, MY_R2_DS | 0
+ mov dx, MY_R2_DS | 1
+ mov fs, dx
+ ASSERT_CUR_SREG_VALUE fs, MY_R2_DS | 1
+ mov dx, MY_R2_DS | 2
+ mov fs, dx
+ ASSERT_CUR_SREG_VALUE fs, MY_R2_DS | 2
+ mov dx, MY_R2_DS | 3
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R2_DS, mov fs, dx
+
+ mov dx, MY_R3_DS | 0
+ mov fs, dx
+ ASSERT_CUR_SREG_VALUE fs, MY_R3_DS | 0
+ mov dx, MY_R3_DS | 1
+ mov fs, dx
+ ASSERT_CUR_SREG_VALUE fs, MY_R3_DS | 1
+ mov dx, MY_R3_DS | 2
+ mov fs, dx
+ ASSERT_CUR_SREG_VALUE fs, MY_R3_DS | 2
+ mov dx, MY_R3_DS | 3
+ mov fs, dx
+ ASSERT_CUR_SREG_VALUE fs, MY_R3_DS | 3
+
+ ; ring-1 - What works above doesn't work with ss.
+ mov dx, MY_R1_DS | 0
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R1_DS, mov ss, dx
+ mov dx, MY_R1_DS | 2
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R1_DS, mov ss, dx
+ mov dx, MY_R2_DS | 0
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R2_DS, mov ss, dx
+ mov dx, MY_R3_DS | 0
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R3_DS, mov ss, dx
+ mov dx, MY_R3_DS | 3
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R3_DS, mov ss, dx
+
+
+ ; ring-2
+ call TMPL_NM_CMN(Bs2ToRing2)
+
+ mov dx, MY_R2_DS | 0
+ mov fs, dx
+ ASSERT_CUR_SREG_VALUE fs, MY_R2_DS | 0
+ mov dx, MY_R2_DS | 1
+ mov fs, dx
+ ASSERT_CUR_SREG_VALUE fs, MY_R2_DS | 1
+ mov dx, MY_R2_DS | 2
+ mov fs, dx
+ ASSERT_CUR_SREG_VALUE fs, MY_R2_DS | 2
+ mov dx, MY_R2_DS | 3
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R2_DS, mov fs, dx
+
+ mov dx, MY_R0_DS | 0
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R0_DS, mov fs, dx
+ mov dx, MY_R0_DS | 1
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R0_DS, mov fs, dx
+ mov dx, MY_R0_DS | 2
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R0_DS, mov fs, dx
+ mov dx, MY_R0_DS | 3
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R0_DS, mov fs, dx
+ mov dx, MY_R1_DS | 1
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R1_DS, mov fs, dx
+ mov dx, MY_R1_DS | 2
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R1_DS, mov fs, dx
+
+ ; ring-2 - Lower DPL isn't an issue, only RPL vs DPL.
+ mov dx, MY_R3_DS | 0
+ mov fs, dx
+ ASSERT_CUR_SREG_VALUE fs, MY_R3_DS | 0
+ mov dx, MY_R3_DS | 1
+ mov fs, dx
+ ASSERT_CUR_SREG_VALUE fs, MY_R3_DS | 1
+ mov dx, MY_R3_DS | 2
+ mov fs, dx
+ ASSERT_CUR_SREG_VALUE fs, MY_R3_DS | 2
+ mov dx, MY_R3_DS | 3
+ mov fs, dx
+ ASSERT_CUR_SREG_VALUE fs, MY_R3_DS | 3
+
+ ; ring-2 - What works above doesn't work with ss.
+ mov dx, MY_R2_DS | 1
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R2_DS, mov ss, dx
+ mov dx, MY_R2_DS | 3
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R2_DS, mov ss, dx
+ mov dx, MY_R3_DS | 0
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R3_DS, mov ss, dx
+ mov dx, MY_R3_DS | 1
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R3_DS, mov ss, dx
+ mov dx, MY_R3_DS | 2
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R3_DS, mov ss, dx
+ mov dx, MY_R3_DS | 3
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R3_DS, mov ss, dx
+
+
+ ; ring-3
+ call TMPL_NM_CMN(Bs2ToRing3)
+
+ mov dx, MY_R3_DS | 0
+ mov fs, dx
+ ASSERT_CUR_SREG_VALUE fs, MY_R3_DS | 0
+ mov dx, MY_R3_DS | 1
+ mov fs, dx
+ ASSERT_CUR_SREG_VALUE fs, MY_R3_DS | 1
+ mov dx, MY_R3_DS | 2
+ mov fs, dx
+ ASSERT_CUR_SREG_VALUE fs, MY_R3_DS | 2
+ mov dx, MY_R3_DS | 3
+ mov fs, dx
+ ASSERT_CUR_SREG_VALUE fs, MY_R3_DS | 3
+
+ mov dx, MY_R0_DS | 0
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R0_DS, mov fs, dx
+ mov dx, MY_R0_DS | 1
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R0_DS, mov fs, dx
+ mov dx, MY_R0_DS | 2
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R0_DS, mov fs, dx
+ mov dx, MY_R0_DS | 3
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R0_DS, mov fs, dx
+
+ mov dx, MY_R1_DS | 1
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R1_DS, mov fs, dx
+ mov dx, MY_R1_DS | 2
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R1_DS, mov fs, dx
+
+ mov dx, MY_R2_DS | 0
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R2_DS, mov fs, dx
+ mov dx, MY_R2_DS | 1
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R2_DS, mov fs, dx
+ mov dx, MY_R2_DS | 2
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R2_DS, mov fs, dx
+ mov dx, MY_R2_DS | 3
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R2_DS, mov fs, dx
+
+ ; ring-0 - What works above doesn't work with ss.
+ mov dx, MY_R3_DS | 0
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R3_DS, mov ss, dx
+ mov dx, MY_R3_DS | 1
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R3_DS, mov ss, dx
+ mov dx, MY_R3_DS | 2
+ BS2_TRAP_INSTR X86_XCPT_GP, MY_R3_DS, mov ss, dx
+
+ call TMPL_NM_CMN(Bs2ToRing0)
+
+
+ ;
+ ; One more odd thing, NULL selectors and RPL.
+ ;
+ pushf
+ cli
+
+%assign uCurRing 0
+%rep 4
+ ; Null sectors.
+ call TMPL_NM_CMN(Bs2ToRing %+ uCurRing)
+ mov si, ss
+
+ mov dx, 0
+ mov fs, dx
+ ASSERT_CUR_SREG_VALUE fs, 0
+ %if MY_IS_64BIT == 0 || uCurRing != 0
+ %ifdef TMPL_64BIT ; AMD is doing something inconsistent.
+ %if uCurRing != 3
+ test byte [g_fCpuAmd], 1
+ jz .null_0_not_amd_ %+ uCurRing
+ mov ss, dx
+ ASSERT_CUR_SREG_VALUE ss, 0
+ jmp .null_0_next_ %+ uCurRing
+.null_0_not_amd_ %+ uCurRing:
+ %endif
+ %endif
+ BS2_TRAP_INSTR X86_XCPT_GP, 0, mov ss, dx
+.null_0_next_ %+ uCurRing:
+ %else
+ mov ss, dx
+ ASSERT_CUR_SREG_VALUE ss, 0
+ %endif
+ mov ss, si
+
+ mov dx, 1
+ mov fs, dx
+ ASSERT_CUR_SREG_VALUE fs, 1
+ %if MY_IS_64BIT == 0 || uCurRing != 1
+ %ifdef TMPL_64BIT ; AMD is doing something inconsistent.
+ %if uCurRing != 3
+ test byte [g_fCpuAmd], 1
+ jz .null_1_not_amd_ %+ uCurRing
+ mov ss, dx
+ ASSERT_CUR_SREG_VALUE ss, 1
+ jmp .null_1_next_ %+ uCurRing
+.null_1_not_amd_ %+ uCurRing:
+ %endif
+ %endif
+ BS2_TRAP_INSTR X86_XCPT_GP, 0, mov ss, dx
+.null_1_next_ %+ uCurRing:
+ %else
+ mov ss, dx
+ ASSERT_CUR_SREG_VALUE ss, 1
+ %endif
+ mov ss, si
+
+ mov dx, 2
+ mov fs, dx
+ ASSERT_CUR_SREG_VALUE fs, 2
+ %if MY_IS_64BIT == 0 || uCurRing != 2
+ %ifdef TMPL_64BIT ; AMD is doing something inconsistent.
+ %if uCurRing != 3
+ test byte [g_fCpuAmd], 1
+ jz .null_2_not_amd_ %+ uCurRing
+ mov ss, dx
+ ASSERT_CUR_SREG_VALUE ss, 2
+ jmp .null_2_next_ %+ uCurRing
+.null_2_not_amd_ %+ uCurRing:
+ %endif
+ %endif
+ BS2_TRAP_INSTR X86_XCPT_GP, 0, mov ss, dx
+.null_2_next_ %+ uCurRing:
+ %else
+ mov ss, dx
+ ASSERT_CUR_SREG_VALUE ss, 2
+ %endif
+ mov ss, si
+
+ mov dx, 3
+ mov fs, dx
+ ASSERT_CUR_SREG_VALUE fs, 3
+ %ifdef TMPL_64BIT ; AMD is doing something inconsistent.
+ %if uCurRing != 3
+ test byte [g_fCpuAmd], 1
+ jz .null_3_not_amd_ %+ uCurRing
+ mov ss, dx
+ ASSERT_CUR_SREG_VALUE ss, 3
+ jmp .null_3_next_ %+ uCurRing
+.null_3_not_amd_ %+ uCurRing:
+ %endif
+ %endif
+ BS2_TRAP_INSTR X86_XCPT_GP, 0, mov ss, dx
+.null_3_next_ %+ uCurRing:
+ mov ss, si
+
+ %assign uCurRing uCurRing + 1
+%endrep
+ call TMPL_NM_CMN(Bs2ToRing0)
+
+ ; Restore the selectors.
+ mov dx, MY_R0_DS
+ mov ds, dx
+ mov es, dx
+ mov fs, dx
+ mov gs, dx
+ popf
+
+
+ ;
+ ; Restore the descriptor and make sure it works.
+ ;
+ mov xSP, xDI ; restore the stack pointer.
+ BS2_TRAP_INSTR X86_XCPT_BP, 0, int3
+
+ ;
+ ; Done.
+ ;
+ call TMPL_NM_CMN(TestSubDone)
+
+ pop xSI
+ pop xDI
+ pop xDX
+ pop xCX
+ pop xBX
+ pop sAX
+ leave
+ ret
+
+.s_szSubTestName:
+ db TMPL_MODE_STR, ', Conforming CS, ++', 0
+ENDPROC TMPL_NM(TestConforming)
+
+
+
+;;
+; Returning from interrupt/trap/whatever handlers.
+;
+; @uses No registers, but BS2_SEL_SPARE0 is trashed.
+;
+BEGINPROC TMPL_NM(TestReturn)
+ push xBP
+ mov xBP, xSP
+ push sAX
+ push xBX
+ push xCX
+ push xDX
+ push xDI
+ push xSI
+ sub xSP, 80h ; iret stack frame space.
+ mov xSI, xSP ; Save the stack register.
+
+ mov xAX, .s_szSubTestName
+ call TMPL_NM_CMN(TestSub)
+
+%ifdef TMPL_64BIT
+ pushfq
+ pop rdi ; rdi contains good flags register value.
+
+ ;
+ ; 64-bit mode: IRETQ unconditional pop of SS:RSP.
+ ;
+ mov qword [rsp + 20h], MY_R0_SS
+ mov [rsp + 18h], rsp
+ mov [rsp + 10h], rdi
+ mov qword [rsp + 08h], MY_R0_CS
+ lea rax, [.resume1 wrt rip]
+ mov [rsp + 00h], rax
+ iretq
+
+.resume1:
+ pushfq
+ pop rbx
+ ASSERT_SIMPLE rsp, rsi, je, "Wrong RSP after IRETQ."
+ mov rsp, rsi
+ ASSERT_SIMPLE rbx, rdi, je, "Wrong flags after IRETQ."
+ mov ax, ss
+ ASSERT_SIMPLE ax, MY_R0_SS, je, "Wrong SS after IRETQ."
+ mov ax, cs
+ ASSERT_SIMPLE ax, MY_R0_CS, je, "Wrong CS after IRETQ."
+
+ ; 64-bit mode: The NT flag causes #GP(0)
+ mov qword [rsp + 20h], MY_R0_SS
+ lea rax, [rsp - 100h]
+ mov [rsp + 18h], rax
+ mov [rsp + 10h], rdi
+ mov qword [rsp + 08h], MY_R0_CS
+ lea rax, [.resume2 wrt rip]
+ mov [rsp + 00h], rax
+ push rdi
+ or dword [rsp], X86_EFL_NT
+ popfq
+ BS2_TRAP_BRANCH_INSTR X86_XCPT_GP, 0, .resume2, iretq
+ pushfq
+ pop rbx
+ push rdi
+ popfq
+ ASSERT_SIMPLE rsp, rsi, je, "Wrong RSP after IRETQ."
+ mov rsp, rsi
+ mov rax, rdi
+ or rax, X86_EFL_NT
+ ASSERT_SIMPLE rbx, rax, je, "Wrong flags after IRETQ GP(0)-NT."
+ mov ax, ss
+ ASSERT_SIMPLE ax, MY_R0_SS, je, "Wrong SS after IRETQ."
+ mov ax, cs
+ ASSERT_SIMPLE ax, MY_R0_CS, je, "Wrong CS after IRETQ."
+
+ ; 64-bit mode: The VM flag is disregarded.
+ mov qword [rsp + 20h], MY_R0_SS
+ lea rax, [rsp - 88h]
+ mov [rsp + 18h], rax
+ mov [rsp + 10h], rdi
+ or dword [rsp + 10h], X86_EFL_VM
+ mov qword [rsp + 08h], MY_R0_CS
+ lea rax, [.resume3 wrt rip]
+ mov [rsp + 00h], rax
+ iretq
+.resume3:
+ pushfq
+ pop rbx
+ add rsp, 88h
+ ASSERT_SIMPLE rsp, rsi, je, "Wrong RSP after IRETQ."
+ mov rsp, rsi
+ mov rax, rdi
+ ASSERT_SIMPLE rbx, rax, je, "Wrong flags after IRETQ GP(0)-NT."
+ mov ax, ss
+ ASSERT_SIMPLE ax, MY_R0_SS, je, "Wrong SS after IRETQ."
+ mov ax, cs
+ ASSERT_SIMPLE ax, MY_R0_CS, je, "Wrong CS after IRETQ."
+
+ ;
+ ; 64-bit mode: IRETD unconditionally pops SS:ESP as well.
+ ;
+ mov dword [rsp + 10h], MY_R0_SS
+ lea eax, [esp - 18h]
+ mov [rsp + 0ch], eax
+ mov [rsp + 08h], edi
+ mov dword [rsp + 04h], MY_R0_CS
+ lea eax, [.resume20 wrt rip]
+ mov [rsp + 00h], eax
+ iretd
+.resume20:
+ pushfq
+ pop rbx
+ add rsp, 18h
+ ASSERT_SIMPLE rsp, rsi, je, "Wrong RSP after IRETD."
+ mov rsp, rsi
+ ASSERT_SIMPLE rbx, rdi, je, "Wrong flags after IRETD."
+ mov ax, ss
+ ASSERT_SIMPLE ax, MY_R0_SS, je, "Wrong SS after IRETD."
+ mov ax, cs
+ ASSERT_SIMPLE ax, MY_R0_CS, je, "Wrong CS after IRETD."
+
+ ;
+ ; 64-bit mode: IRET unconditionally pops SS:SP as well.
+ ;
+ mov word [rsp + 08h], MY_R0_SS
+ lea eax, [esp - 1ah]
+ mov [rsp + 06h], ax
+ mov [rsp + 04h], di
+ mov word [rsp + 02h], MY_R0_CS
+ mov word [rsp + 00h], .resume30
+ o16 iret
+BEGINCODELOW
+.resume30:
+ jmp .high1
+BEGINCODEHIGH
+.high1:
+ pushfq
+ pop rbx
+ add rsp, 1ah
+ ASSERT_SIMPLE rsp, rsi, je, "Wrong RSP after IRET."
+ mov rsp, rsi
+ ASSERT_SIMPLE rbx, rdi, je, "Wrong flags after IRET."
+ mov ax, ss
+ ASSERT_SIMPLE ax, MY_R0_SS, je, "Wrong SS after IRET."
+ mov ax, cs
+ ASSERT_SIMPLE ax, MY_R0_CS, je, "Wrong CS after IRET."
+
+
+%elifdef TMPL_32BIT
+ ; later...
+%endif
+
+ ;
+ ; Returning to 16-bit code, what happens to upper ESP bits?
+ ;
+ cli
+ mov xBX, xSP ; save the current stack address
+
+ mov sAX, BS2_SEL_R3_SS16 | 3
+ push sAX ; Return SS
+ movzx edi, bx
+ or edi, 0xdead0000
+ push sDI ; Return sSP
+%ifdef TMPL_64BIT
+ pushfq
+%else
+ pushfd
+%endif
+ mov sAX, BS2_SEL_R3_CS16 | 3
+ push sAX ; Return CS
+ lea sAX, [.resume100 xWrtRIP]
+ push sAX ; Return sIP
+%ifdef TMPL_64BIT
+ iretq
+%else
+ iretd
+%endif
+
+BEGINCODELOW
+BITS 16
+.resume100:
+ xchg ebx, esp
+ call Bs2ToRing0_p16
+ call TMPL_NM(Bs2Thunk_p16)
+BITS TMPL_BITS
+ jmp .high100
+BEGINCODEHIGH
+.high100:
+ and edi, 0ffffh
+ ASSERT_SIMPLE ebx, edi, je, "IRET to 16-bit didn't restore ESP as expected [#1]."
+
+%ifndef TMPL_16BIT
+ ;
+ ; Take two on 16-bit return, does the high word of ESP leak?
+ ;
+ cli
+ mov sBX, sSP ; save the current stack address
+ mov xSP, BS2_MUCK_ABOUT_BASE + 1000h
+
+ mov sAX, BS2_SEL_R3_SS16 | 3
+ push sAX ; Return SS
+ mov sDI, sBX
+ push sDI ; Return sSP
+ %ifdef TMPL_64BIT
+ pushfq
+ %else
+ pushfd
+ %endif
+ mov sAX, BS2_SEL_R3_CS16 | 3
+ push sAX ; Return CS
+ lea sAX, [.resume101 xWrtRIP]
+ push sAX ; Return sIP
+ %ifdef TMPL_64BIT
+ iretq
+ %else
+ iretd
+ %endif
+
+BEGINCODELOW
+BITS 16
+.resume101:
+ xchg ebx, esp
+ call Bs2ToRing0_p16
+ call TMPL_NM(Bs2Thunk_p16)
+BITS TMPL_BITS
+ jmp .high101
+BEGINCODEHIGH
+.high101:
+ or edi, (BS2_MUCK_ABOUT_BASE + 1000h) & 0ffff0000h
+ ASSERT_SIMPLE ebx, edi, je, "IRET to 16-bit didn't restore ESP as expected [#2]."
+%endif ; Not 16-bit.
+
+ ;
+ ; Done.
+ ;
+ call TMPL_NM_CMN(TestSubDone)
+
+ mov xSP, xSI
+ add xSP, 80h
+ pop xSI
+ pop xDI
+ pop xDX
+ pop xCX
+ pop xBX
+ pop sAX
+ leave
+ ret
+
+.s_szSubTestName:
+ db TMPL_MODE_STR, ', IRET', 0
+ENDPROC TMPL_NM(TestReturn)
+
+;;
+; Do the tests for this mode.
+;
+; @uses nothing
+;
+BEGINCODELOW
+BITS 16
+BEGINPROC TMPL_NM(DoTestsForMode_rm)
+ push bp
+ mov bp, sp
+ push ax
+
+ ;
+ ; Check if the mode and NX is supported, do the switch.
+ ;
+ call TMPL_NM(Bs2IsModeSupported_rm)
+ jz .done
+ call TMPL_NM(Bs2EnterMode_rm)
+BITS TMPL_BITS
+
+ ;
+ ; Test exception handler basics using INT3 and #BP.
+ ;
+
+ call TMPL_NM(TestGateType)
+ call TMPL_NM(TestCodeSelector)
+ call TMPL_NM(TestCheckOrderCsTypeVsIdteType)
+ call TMPL_NM(TestStack)
+ call TMPL_NM(TestConforming)
+ call TMPL_NM(TestReturn)
+
+ ;
+ ; Back to real mode.
+ ;
+ call TMPL_NM(Bs2ExitMode)
+BITS 16
+ call Bs2DisableNX_r86
+
+.done:
+ pop ax
+ leave
+ ret
+ENDPROC TMPL_NM(DoTestsForMode_rm)
+TMPL_BEGINCODE
+BITS TMPL_BITS
+
+%include "bootsector2-template-footer.mac"
+