Boot Loading and CPU Isolation

Why This Matters

Before a single line of kernel code runs, a carefully orchestrated sequence of low-level hardware events must take place. Understanding the boot process demystifies what happens in the first milliseconds after power-on, and the CPU isolation mechanisms introduced here—privilege rings and segmentation—underpin every security guarantee your OS makes. If an attacker can break isolation, they own the machine. If you understand how isolation is enforced in hardware, you can reason about where it can and cannot be relied upon.

The Boot Sequence

Firmware: BIOS and UEFI

The first software to run on an x86 machine is firmware stored in ROM—either the legacy BIOS (Basic Input/Output System) or the modern UEFI (Unified Extensible Firmware Interface). The firmware initializes hardware and then looks for something to boot.

BIOS follows a simple convention: it scans bootable devices (hard disk, USB, CD-ROM) in order, reads the very first sector (512 bytes, called the Master Boot Record) into physical memory at address 0x7C00, and checks that the last two bytes of that sector are the boot signature 0x55 0xAA. If the signature is present, the BIOS transfers control to that address. If not, the device is skipped. This signature is purely a marker—it does not verify any checksum or authenticate the code.

The Bootloader

The 512-byte program loaded at 0x7C00 is the bootloader. In xv6 it is compiled from two source files:

• bootasm.S — x86 assembly that runs first
• bootmain.c — C code that loads the kernel ELF

The bootloader's job is narrow but critical:

1. Switch from real mode to protected mode. The CPU starts in 16-bit real mode on every power-on. The bootloader sets the CR0_PE (Protection Enable) bit in control register CR0 and executes a long jump (ljmp) to flush the instruction pipeline, transitioning the CPU to 32-bit protected mode.
2. Load the kernel ELF from disk. bootmain() reads the kernel starting at disk sector 1 and copies it to physical address 0x100000 (1 MiB).
3. Jump to the kernel entry point. The ELF header tells bootmain exactly where to jump.

xv6 Disk Layout

The Makefile assembles this image with dd:

xv6.img: bootblock kernel fs.img
    dd if=/dev/zero of=xv6.img count=10000
    dd if=bootblock of=xv6.img conv=notrunc
    dd if=kernel of=xv6.img seek=1 conv=notrunc

Physical Memory Layout at Boot

CPU Isolation: Privilege Rings

Modern x86 processors define four privilege levels called rings, numbered 0–3. Only rings 0 and 3 are used in practice:

The current privilege level (CPL) is stored in the lowest two bits of the %cs (Code Segment) register. When CPL = 0, the CPU is in ring 0; when CPL = 3, it is in ring 3.

Ring 0 protects:

• Writes to %cs (preventing user code from forging its own CPL)
• Access to I/O ports
• Access to control registers (%cr3, eflags, etc.)

User code in ring 3 that attempts any of these operations triggers a general protection fault, which the kernel handles.

x86 Segmentation

Real Mode (16-bit)

In real mode, memory addresses are computed as:

physical address = [segment register] × 16 + offset

For example, if %cs = 0x0010 and %ip = 0x00aa:

0x0010 × 16 = 0x0100
0x0100 + 0x00aa = 0x01aa   ← physical address

There is no paging and no hardware protection between programs.

Protected Mode / Long Mode (32/64-bit)

In protected mode and 64-bit long mode, segment registers (%cs, %ds, %ss, %es, %fs, %gs) hold selectors, not base addresses. A selector is an index into the Global Descriptor Table (GDT), plus two bits that encode the Requested Privilege Level (RPL).

The format of a selector stored in %cs:

Bits 15:3 — GDT index
Bit  2    — Table indicator (0 = GDT, 1 = LDT)
Bits 1:0  — CPL (Current Privilege Level)

So if %cs = 0x2b = 0b0010_1011:

• Bits 1:0 = 11 → CPL = 3 (user mode)
• Bits 15:3 = 0x2b >> 3 = 5 → GDT[5] is the active code segment descriptor

Segment Descriptors

Each GDT entry (segment descriptor) encodes:

• Base address of the segment
• Limit (size)
• DPL (Descriptor Privilege Level) — minimum ring required to use this segment
• Type (code/data, readable/writable, executable)

xv6 Flat Segmentation

xv6 uses flat segmentation: all segments have base = 0 and limit = unlimited. This means segmentation adds no address translation—virtual addresses equal physical addresses (before paging). The GDT's real job is to carry DPL for enforcement.

main() calls seginit() to initialize the GDT:

gdt[SEG_KCODE] = SEG((STA_X|STA_R), 0, 0, APP_SEG, !DPL_USER, 1);  // ring 0, executable
gdt[SEG_KDATA] = SEG(STA_W,         0, 0, APP_SEG, !DPL_USER, 0);  // ring 0, writable
gdt[SEG_UCODE] = SEG((STA_X|STA_R), 0, 0, APP_SEG, DPL_USER,  1);  // ring 3, executable
gdt[SEG_UDATA] = SEG(STA_W,         0, 0, APP_SEG, DPL_USER,  0);  // ring 3, writable

The selector constants in mmu.h bake the DPL into the lowest bits:

#define USER_CS  ((SEG_UCODE<<3)|DPL_USER)   // user code selector
#define KERNEL_CS (SEG_KCODE<<3)              // kernel code selector

Switching Between Rings: System Calls

User code cannot change its own CPL—the hardware forbids it. The only sanctioned way to enter the kernel from user space is via a controlled transfer:

You can observe this in GDB. Set a breakpoint in a user-space binary's main(), then single-step through a syscall instruction: the CPL bits in %cs flip from 11 to 00 as execution enters the kernel, then flip back to 11 on sysret.

Key Takeaways

• BIOS loads 512 bytes from sector 0 to 0x7C00 and checks the 0x55AA signature before handing control to the bootloader.
• The bootloader switches the CPU to protected mode, loads the kernel ELF to 0x100000, and jumps to the kernel entry.
• CPU rings (0 = kernel, 3 = user) are enforced by the hardware; the CPL lives in the bottom 2 bits of %cs.
• Segmentation in xv6 is flat (base = 0) but still enforces DPL: user segments have DPL=3, kernel segments have DPL=0.
• syscall/sysret are the only hardware-sanctioned way to cross the ring boundary—this is what makes system calls safe.