Task State Segment
The task state segment (TSS) is a special structure on x86-based computers which holds information about a task. It is used by the operating system kernel for task management. Specifically, the following information is stored in the TSS:
- Processor register state
- I/O port permissions
- Inner-level stack pointers
- Previous TSS link
All this information should be stored at specific locations within the TSS as specified in the IA-32 manuals.
Location of the TSS
The TSS may reside anywhere in memory. A special segment register called the task register (TR) holds a segment selector that points to a valid TSS segment descriptor which resides in the GDT (a TSS descriptor may not reside in the LDT). Therefore, to use a TSS the following must be done by the operating system kernel:
- Create a TSS descriptor entry in the GDT
- Load the TR with a segment selector for that segment
- Add information to the TSS in memory as needed
For security purposes, the TSS should be placed in memory that is accessible only to the kernel.
Task register
The TR register is a 16-bit register which holds a segment selector for the TSS. It may be loaded through the LTR instruction. LTR is a privileged instruction (it must be executed at CPL 0, so application programs cannot use it) and acts in a manner similar to other segment register loads. The task register has two parts: a portion visible and accessible by the programmer and an invisible one that is automatically loaded from the TSS descriptor.
Register states
The TSS may contain saved values of all the x86 registers. This is used for task switching. The operating system may load the TSS with the values of the registers that the new task needs and after executing a hardware task switch (such as with an IRET instruction) the x86 CPU will load the saved values from the TSS into the appropriate registers. Note that some modern operating systems such as Windows and Linux do not use these fields in the TSS as they implement software task switching.
I/O port permissions
The TSS contains a 16-bit pointer to the I/O port permissions bitmap for the current task. This bitmap, usually set up by the operating system when a task is started, specifies individual ports to which the program should have access. The I/O bitmap is a bit array of port access permissions; if the program has permission to access a port, a "0" is stored at the corresponding bit index, and if the program does not have permission, a "1" is stored there. The feature operates as follows: when a program issues an x86 I/O port instruction such as IN or OUT (see x86 instruction listings), the hardware will do an I/O privilege level (IOPL) check to see if the program has access to all I/O ports. If the CPL of the program is numerically greater than the IOPL (the program is less privileged than what the IOPL specifies), the program does not have I/O port access to all ports. The hardware will then check the I/O permissions bitmap in the TSS to see if that program can access the specific port in the IN or OUT instruction. If the bit in the I/O port permissions bitmap is clear, the program is allowed access to this port, and the instruction is allowed to execute. If the bit is set, the program does not have access and the processor generates a general protection fault. This feature allows operating systems to grant selective port access to user programs.
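The check described above, written out as a small model in C (an added example, not code from the original article): io_port_allowed applies the CPL/IOPL test first and only then consults the bitmap, treating any bit beyond the TSS limit as set, while build_sample_tss constructs a TSS image that grants a user program only the eight COM1 ports. The function names, the 104-byte 64-bit TSS prefix, the map size and the port range are assumptions made here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IO_PORT_COUNT 65536
#define TSS64_SIZE    104  /* the 64-bit TSS proper; the bitmap follows it */
#define MAP_BYTES     129  /* bits for ports 0..0x3FF plus the trailing 0xFF byte */

/* Model of the hardware check for IN/OUT on `port` with a `width` of 1, 2 or
 * 4 bytes. tss_image is the whole TSS segment, tss_limit its segment limit
 * (last valid offset) and iomap_base the I/O map base field from the TSS. */
bool io_port_allowed(unsigned cpl, unsigned iopl, uint32_t tss_limit,
                     uint16_t iomap_base, const uint8_t *tss_image,
                     size_t tss_image_len, uint32_t port, unsigned width)
{
    if (cpl <= iopl)              /* at or above IOPL: every port is accessible */
        return true;
    if (iomap_base >= tss_limit)  /* no bitmap at all: deny everything */
        return false;
    for (unsigned i = 0; i < width; i++) {   /* every covered port needs a clear bit */
        uint32_t p = port + i;
        if (p >= IO_PORT_COUNT)   /* access runs off the end of port space */
            return false;
        size_t idx = (size_t)iomap_base + p / 8;
        if (idx > tss_limit || idx >= tss_image_len)  /* beyond the limit: reads as 1s */
            return false;
        if (tss_image[idx] & (1u << (p % 8)))
            return false;         /* bit set: #GP on real hardware */
    }
    return true;
}

static uint8_t g_tss[TSS64_SIZE + MAP_BYTES];

/* Constructed TSS image: deny every port, then grant only the eight COM1
 * ports 0x3F8-0x3FF, the way a kernel services an ioperm()-style request. */
static void build_sample_tss(void)
{
    memset(g_tss, 0, TSS64_SIZE);
    memset(g_tss + TSS64_SIZE, 0xFF, MAP_BYTES);
    g_tss[TSS64_SIZE + 0x3F8 / 8] = 0x00;  /* map byte 127 covers 0x3F8-0x3FF */
    g_tss[102] = TSS64_SIZE & 0xFF;        /* I/O map base field lives at offset 102 */
    g_tss[103] = TSS64_SIZE >> 8;
}

/* Check a port access from user mode (CPL 3) under the usual IOPL of 0. */
bool sample_user_port(uint32_t port, unsigned width)
{
    build_sample_tss();
    uint16_t base = (uint16_t)(g_tss[102] | (g_tss[103] << 8));
    return io_port_allowed(3, 0, sizeof g_tss - 1, base, g_tss, sizeof g_tss,
                           port, width);
}
```

A 4-byte access starting at 0x3FE is refused even though 0x3FE and 0x3FF are granted, because the access also covers 0x400 and 0x401, whose bits fall in the mandatory all-ones byte after the map.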
Inner-level stack pointers
The TSS contains 6 fields for specifying the new stack pointer when a privilege level change happens. The field SS0 contains the stack segment selector for CPL=0, and the field ESP0/RSP0 contains the new ESP/RSP value for CPL=0. When an interrupt happens in protected (32-bit) mode, the x86 CPU will look in the TSS for SS0 and ESP0 and load their values into SS and ESP respectively. This allows the kernel to use a different stack than the user program, and also to have this stack be unique for each user program.
A new feature introduced in the AMD64 extensions is called the Interrupt Stack Table (IST). This also resides in the TSS and contains logical (segment+offset) stack pointers. An interrupt descriptor table (IDT) entry may specify an IST entry to use (there are 8). If that is the case, the processor will load the new stack from the IST instead. This allows known-good stacks to be used in case of serious errors (NMI or double fault, for example). Previously, to do this, the entry for the exception or interrupt in the IDT pointed to a task gate. This caused the processor to switch to the task pointed to by the task gate. The original register values were saved in the TSS current at the time the interrupt or exception occurred, and the processor then set the registers, including SS:ESP, to a known value specified in the TSS and saved the selector to the previous TSS. The problem here is that hardware task switching is not supported on AMD64.
Previous TSS Link
This is a 16-bit selector which allows linking this TSS with the previous one. This is only used for hardware task switching. See the IA-32 manuals for details.
Use of TSS in Linux
Although a TSS could be created for each task running on the computer, Linux only creates one TSS for each CPU and uses them for all tasks. Linux only uses the I/O port permission bitmap and inner stack features of the TSS. The other features are only needed for hardware task switches, which Linux does not use.
Exceptions related to the TSS
The x86 exception vector 10 is called the Invalid TSS exception (#TS). It is issued by the processor whenever something goes wrong with the TSS access. For example, if an interrupt happens in CPL=3 and is transferring control to CPL=0, the TSS is used to extract SS0 and ESP0/RSP0 for the stack switch. If the task register holds a bad TSS selector, a #TS fault will be generated. The Invalid TSS exception should never happen during normal operating system operation and is always related to kernel bugs or hardware failure.
For more details on the TSS layout and usage, see Volume 3a, Chapter 6 of the IA-32 manual.
TSS in x86-64 mode
The x86-64 architecture does not support hardware task switches. However, the TSS can still be used in a machine running in the 64-bit extended modes. In these modes the TSS is still useful as it stores:
- The stack pointer addresses for each privilege level.
- Pointer addresses for the Interrupt Stack Table (the inner-level stack pointer section above discusses the need for this).
- The offset address of the I/O permission bitmap.
Also, the task register is expanded in these modes to be able to hold a 64-bit base address.