From the Art of Intel x86 Assembly, Page 149,

The 80386 added four control registers: CR0-CR3. These registers extend the msw registers of the 80286 [...]

The book says earlier that,

The 80286 microprocessor adds one major programmer-visible feature to the 8086 protected mode operation. This text will not cover the 80286 protected mode of operation for a variety of reasons. First, the protected mode of the 80286 was poorly designed. Second, it is of interest only to programmers who are writing their own operating system or low-level systems programs for such operating systems. Even if you are writing software for a protected mode operating system like UNIX or OS/2, you would not use the protected mode features of the 80286. Nonetheless, it’s worthwhile to point out the extra registers and status flags present on the 80286 just in case you come across them.

Wikipedia says this about it,

Real mode also served as a more basic mode in which protected mode could be set up, solving a sort of chicken-and-egg problem. To access the extended functionality of the 286, the operating system would set up some tables in memory that controlled memory access in protected mode, set the addresses of those tables into some special registers of the processor, and then set the processor into protected mode. This enabled 24 bit addressing which allowed the processor to access 2^24 bytes of memory, equivalent to 16 megabytes.[9]

I believe today CR0 puts the CPU in Protected Mode. How did the 80286 do it?

edited by Emily; asked by Evan Carroll

1 Answer

Actually this is a lot easier than I thought, after trying to link to another MSW note, I found it in the Intel Instruction Set: Machine Status Word (286+ only).

The machine status word seems to be a predecessor to CR0, and protected mode was set in the first bit.

Of note, you can't return from Protected Mode on the 286.

MSW - Machine Status Word (286+ only)


      |31|30-5|4|3|2|1|0|  Machine Status Word
        |   |  | | | | +---- Protection Enable (PE)
        |   |  | | | +----- Math Present (MP)
        |   |  | | +------ Emulation (EM)
        |   |  | +------- Task Switched (TS)
        |   |  +-------- Extension Type (ET)
        |   +---------- Reserved
        +------------- Paging (PG)


        Bit 0   PE      Protection Enable, switches processor between
                        real and protected mode (no return on 286)
        Bit 1   MP      Math Present, controls function of the WAIT
                        instruction
        Bit 2   EM      Emulation, indicates whether coprocessor functions
                        are to be emulated
        Bit 3   TS      Task Switched, set and interrogated by coprocessor
                        on task switches and when interpreting coprocessor
                        instructions
        Bit 4   ET      Extension Type, indicates type of coprocessor in
                        system (386)
        Bits 5-30       Reserved
        bit 31  PG      Paging, indicates whether the processor uses page
                        tables to translate linear addresses to physical
                        addresses (386+)

        - see   SMSW  LMSW

Also seems to be some good follow-up material on

edited by tofro; answered by Evan Carroll

    Note that the 286 only used the lower four bits of the MSW. You also need to set up a GDT and interrupt table and enable the A20 line before switching to protected mode, and do a far jump immediately afterwards to load CS properly. – Stephen Kitt Sep 21 '18 at 15:52
    (But I suppose your question is only about the part of the quote that’s in bold.) – Stephen Kitt Sep 21 '18 at 15:57
  • @StephenKitt The question is, but you get a carte blanch to edit all of my stuff on this site any way you want. So feel free to edit my answer, or copy my contribution into your own and I'll mark it as chosen. Extra information is always good. – Evan Carroll Sep 21 '18 at 15:58
    The description of the PE bit seems to be the wrong way round, or at least misleading for the 286 - You can set it to enter Protected Mode, but never come back to real mode. As it is worded it seems to go "back to real mode" which doesn't work on an 80286 – tofro Sep 21 '18 at 16:24
  • @tofro updated to be more explicit. I think this msw pin layout is from a 486. – Evan Carroll Sep 21 '18 at 16:29
  • @StephenKitt -- IIRC, a long jump to your protected mode code isn't enough. My recollection is that long jumps are decoded on entry to the instruction buffer, and are decoded differently in protected mode, therefore before the long jump you need a short jump to clear the instruction buffer, otherwise the long jump will jump to the wrong location. – Jules Sep 21 '18 at 16:34
  • @Jules neither wikibooks nor osdev mention that, if you find information on that please self-answer a question here "Does entering into Protected Mode require a short jump before a far jump to clear the instruction buffer?" – Evan Carroll Sep 21 '18 at 16:37
  • @Jules I don’t think so, the jump itself clears the prefetch buffer, and it’s decoded just before execution (the prefetch buffer doesn’t store decoded instructions). See Robert Collins’ tutorial for a working example with code. – Stephen Kitt Sep 21 '18 at 16:45
    @StephenKitt - the comment in the example in appendix A of the iAPX286 Programmers Reference suggests otherwise, but I'm having a hard time figuring out what that example actually does ... It has a JMP $+2 but then seems to go nowhere after that. I'll look at it in more depth when I'm not trying to read it on my phone... – Jules Sep 21 '18 at 17:04
  • @Jules The pages in appendix A are out of order. The correct order appears to be 1, 4, 3, 2, 6, 5, 8, 7, 9. It's probably not the best example to use because it does odd things like load the GDTR after entering protected mode. –  Sep 22 '18 at 02:34
    Re "of note, you can't return from Protected Mode on the 286", you could actually do this on the IBM PC. It involved a lunatic scheme to store state into various other chips then totally reset the CPU, letting the BIOS restore that state and carry on in real mode. I can only imagine the architects of this "solution" had been drinking heavily the night before. –  Sep 27 '18 at 07:02
    @paxdiablo workarounds for problems not directly fixable are not uncommon. Systems engineers can't change the silicon. They can find ways of dealing with it. And then those who assigned them to can decide it's not worth the trouble after all. But it's not really fair to blame the systems engineers for what they had to resort to in order to fix a mistake made at the silicon vendor. – Chris Stratton Sep 29 '18 at 23:21
    I know I am a little late to the party, but I am a former Microsoft engineer. While I was not involved in this coding, I spoke with the engineers that got the 286 processor to switch back and forth between protected and real mode. It was like @paxdiablo says - it was a hack that was not directly supported by Intel, and it really was a nightmare to get back from protected mode to real mode. Coding it was truly an act of faith - it was the only code we never could get to execute in a debugger. I believe Intel never considered a person would want to switch back to real mode. – skew Oct 13 '18 at 02:39
    There was another way to return from protected mode in a 286 besides the warm reset method: the LOADALL instruction. https://retrocomputing.stackexchange.com/q/1006/105 – mcleod_ideafix Sep 07 '19 at 00:46
    I was pretty sure that returning from protected mode was something LOADALL couldn't do. You could get at all the memory in the system from real mode, and switch to a weird "unreal" mode while staying in protected mode, but actually switching back still required a triple fault and BIOS/KBD assistance. – throx Sep 11 '19 at 02:48
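
Added example, written for this page and not taken from the answer, the book, the Intel reference or any of the commenters: a minimal 80286 switch into protected mode in NASM 16-bit syntax, following the sequence the answer and Stephen Kitt's comment describe (GDT and IDT set up, A20 enabled, PE set with LMSW, immediate far jump to reload CS). It assumes a loader has placed the binary at physical address 0x10000 (segment 0x1000, offset 0) and a PC/AT-style 8042 keyboard controller for the A20 gate; the selector names, BASE_SEG, the 64K flat code and data segments and the empty IDT are choices made for the example, not anything the thread specifies.

```nasm
; Minimal 80286 real-mode -> protected-mode switch (NASM, -f bin).
; Assumption for this example: loaded at physical 0x10000 = segment 0x1000.
bits 16
cpu 286
org 0

BASE_SEG   equ 0x1000           ; assumed load segment
BASE_PHYS  equ BASE_SEG * 16    ; 24-bit physical base of our segment

; Selectors are index*8 with TI=0 (GDT) and RPL=0.
NULL_SEL   equ 0x00
CODE_SEL   equ 0x08
DATA_SEL   equ 0x10

start:
    cli                         ; no interrupts until an IDT exists
    mov  ax, BASE_SEG
    mov  ds, ax                 ; LGDT/LIDT operands are read via DS
    call enable_a20             ; otherwise physical addresses wrap at 1M

    lgdt [gdtr]                 ; 16-bit limit + 24-bit base pseudo-descriptor
    lidt [idtr]                 ; empty IDT: any fault shuts the 286 down

    smsw ax                     ; read the Machine Status Word
    or   ax, 1                  ; bit 0 = PE (Protection Enable)
    lmsw ax                     ; on a 286 there is no way back except reset

    ; CS still holds a real-mode paragraph value; the far jump loads the
    ; CODE_SEL descriptor into the CS cache and discards prefetched bytes.
    jmp  CODE_SEL:pm_entry

pm_entry:
    mov  ax, DATA_SEL           ; reload every data selector from the GDT
    mov  ds, ax
    mov  es, ax
    mov  ss, ax
    mov  sp, 0xFFFE             ; top of the 64K data segment
halt:
    hlt
    jmp  halt

; Classic PC/AT A20 enable through the 8042 output port (bit 1 = A20 gate).
enable_a20:
    call kbc_wait
    mov  al, 0xD1               ; "write output port" command
    out  0x64, al
    call kbc_wait
    mov  al, 0xDF               ; output port value with A20 gate set
    out  0x60, al
    call kbc_wait
    ret

kbc_wait:                       ; spin until the 8042 input buffer is empty
    in   al, 0x64
    test al, 2
    jnz  kbc_wait
    ret

align 8
gdt:
    dq 0                        ; entry 0: mandatory null descriptor
    ; 286 descriptor layout: limit(16) base_low(16) base_mid(8) access(8) reserved(16)
    dw 0xFFFF                   ; entry 1: code, limit 64K
    dw BASE_PHYS & 0xFFFF
    db BASE_PHYS >> 16
    db 0x9A                     ; present, DPL 0, code segment, readable
    dw 0                        ; reserved word, must be 0 on the 286
    dw 0xFFFF                   ; entry 2: data, limit 64K
    dw BASE_PHYS & 0xFFFF
    db BASE_PHYS >> 16
    db 0x92                     ; present, DPL 0, data segment, writable
    dw 0
gdt_end:

gdtr:
    dw gdt_end - gdt - 1        ; limit (size - 1)
    dd BASE_PHYS + gdt          ; 24-bit base; the 4th byte is a pad the 286 ignores

idtr:
    dw 0                        ; limit 0: no gates at all
    dd 0
```

Assemble with `nasm -f bin` and load the image at the assumed address. The far jump right after `lmsw` is the step the 286 manual and the comments above insist on; without it the processor keeps executing with a real-mode CS and the first descriptor-dependent access goes wrong. Note that `smsw`/`lmsw` only touch the low word of the MSW, which on the 286 holds the four defined bits (PE, MP, EM, TS); the ET and PG bits in the table are 386-era additions.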