Last modified: Mon Jun 29 08:17:08 UTC+0200 2026 © A. Tarpai
Protected Mode hardware model and registers
1982: the 80286
"The iAPX 286 represents a revolutionary extension of the iAPX 86 architecture." (iAPX 286 Programmer's Reference Manual 1983)
The 286 introduced the Protected mode extension and protected operation. It's really an extension: the 286 is an extended 8086 and even starts up as a 8086.
References:
- Introduction to the iAPX 286, #210308-001
- iAPX 286 Programmer's Reference Manual,#210498-002
- iAPX 286 Operating System Writer's Guide,#121960-001
The 16-bit 286 CPU hardware model
The 286 is an extended 8086 and has the same 16-bit architecture: same registers, instructions, addressing modes and binary compatible with programs written for 8086. Same segmented memory model and a 16-bit data bus. But the 286 can address up to 16MB physical memory: the CPU has 24 address pins.
As the main hardware addition, each SR is extended with an associated 48-bit Descriptor Cache holding a 24-bit SEGMENT BASE and protection bits – achieving two things:
- address space extension to 16MB
- hardware protection mechanism for every memory access
16-bit 286 CPU Hardware model 16MB RAM
+-----------+
| |
| |
+-----------+
| | 16-bit
24-bit | 64 KB | <-- EA OFFSET
segment | |
base -----> +-----------+
| |
___________________________________ | |
| "8086 CPU" | PROTECTION | |
+----------------------+--------------+---------------|---+ | |
| | on-chip SR | | | | |
| | ________ | ___________ _|_ | | |
| 16-bit registers | |___CS___|-|-|___________|___| | | |
| | |___DS___|-|-|___________|___| | | |
| | |___SS___|-|-|___________|___| | | |
| 16-bit instr OFFS --|-> |___ES___|-|-|___________|___| | -----/---> | |
| | 16-bit | 24-bit base | 24-bit | |
| | | | address | |
+----------------------+--------------+-------------------+ +-----------+
256 x 64KB
For ALL memory references, the BASE value stored in the Descriptor Cache is used for ALL memory access as the actual segment base. Also in RM.
286 Address Space Extension
Like the 8086, still not a real Address Space Extension. Instructions can only address 64K continous memory – only the physical address space is larger. The 16MB memory is still composed of 64KB segments.
286 PHYSICAL ADDRESS PATH
+---+---+---------------+ +-----------------------+
| 0 | 0 | 16-BIT OFFS | | 24-BIT SR BASE |
+---+---+---------------+ +-----------------------+
| |
LIMIT/ACCESS |
CHECK |
| 24-bit adder |
| ___ |
+------------/ + \------------+
\___/
|
A23 | A0
+-----------------------+
| |
+-----------------------+
24-BIT PHYSICAL
ADDRESS
This mechanism cannot be turned off and is always in effect, even after RESET. See the Real Mode Emulation.
286 Register Model
286 16-bit Protected Mode
15 0 15 0
+------+------+ +-------------+
AX | AH AL | ACCUMULATOR | FLAGS | STATUS FLAGS (3 extra FLAGS)
+------+------+ +-------------+
BX | BH BL | BASE | IP | INSTRUCTION POINTER
+------+------+ +-------------+
CX | CH CL | COUNT
+------+------+ +-------------+
DX | DH DL | DATA MSW |..TS|EM|MP|PE| MACHINE STATUS WORD
+------+------+ +-------------+ 4 control bits
SP | | STACK POINTER
+-------------+
BP | | BASE POINTER
+-------------+
SI | | SOURCE INDEX
+-------------+
DI | | DESTINATION INDEX
+-------------+
16-BIT
SELECTORS DESCRIPTOR CACHE: 3 WORDS
15 2 1 0 47 0
+-------------+ +------+------+------+------+------+------+
CS | idx |T|PL| | AR | BASE 23..0 | LIMIT 15..0 | CODE SEGMENT DESCRIPTOR CACHE
+-------------+ +------+--------------------+-------------+
DS | | | | | | DATA SEGMENT DESCRIPTOR CACHE
+-------------+ +------+--------------------+-------------+
SS | | | | | | STACK SEGMENT DESCRIPTOR CACHE
+-------------+ +------+--------------------+-------------+
ES | | | | | | EXTRA SEGMENT DESCRIPTOR CACHE
+-------------+ +------+--------------------+-------------+
+-------------+ +------+------+------+------+------+------+
TR | idx |0|00| | AR | BASE 23..0 | LIMIT 15..0 | Addr of TASK STRUCTURE
+-------------+ +------+--------------------+-------------+
LDTR | idx |0|00| | | | | Addr of LD TABLE
+-------------+ +------+--------------------+-------------+
+------+------+------+------+------+
GDTR | BASE 23..0 | LIMIT 15..0 | Addr of GD TABLE <-- LGDT [mem]
+--------------------+-------------+
IDTR | | | Addr of ID TABLE <-- LIDT [mem]
+--------------------+-------------+
286 RESET:
FLAGS = 0002 MSW = FFF0H
IP = FFF0H
CS Selector= F000H CS.AR= 9BH CS.base= FF0000H CS.limit= FFFFH (top 64KB of 16MB)
DS Selector= 0000H DS.AR= 93H DS.base= 000000H DS.limit= FFFFH (first 64KB of memory)
ES Selector= 0000H ES.AR= 93H ES.base= 000000H ES.limit= FFFFH
SS Selector= 0000H SS.AR= 93H SS.base= 000000H SS.limit= FFFFH
IDT base = 000000H IDT.limit = 03FFH
Maskable interrupts are disabled, and no processor extension is assumed or emulated (EM=MP=0).
Loading the Descriptor Cache
When PE=1.. explicit loading these registers:
For CS/DS/SS/ES normal program instructions load these registers:
- MOV, POP, LDS (386: LSS, LGS, LFS)
- far CALL/JMP, IRET etc. for CS
For TR/LDTR:
LTR - Load Task Register
LLDT - Load Local Descriptor Table Register
LTR/LLDT r/m16 loads Selector value into TR/LDTR (which will load descriptor from GDT, only allowed).
386 REGISTER MODEL
Essentially the same as the 286. Every user register is extended to 32-bit.
P-mode is the same 286 P-mode, but every BASE- and LIMIT registers are extended to 32-bit. MSW is emulated in CR0-LO. DESCRIPTORS has additional 4-bits ATTRIBUTES.
386 32-bit Protected Mode
31 15 0 31 15 0
+-------------+------+------+ +-------------+-------------+
EAX | | AH AL | AX | | FLAGS | EFLAGS
+-------------+------+------+ +-------------+-------------+
EBX | | BH BL | BX | | IP | EIP
+-------------+------+------+ +-------------+-------------+
ECX | | CH CL | CX | | MSW | CR0
+-------------+------+------+ +-------------+-------------+
EDX | | DH DL | DX
+-------------+------+------+
ESP | | SP |
+-------------+-------------+
EBP | | BP |
+-------------+-------------+
ESI | | SI |
+-------------+-------------+
EDI | | DI |
+-------------+-------------+
16-BIT
SELECTORS DESCRIPTOR CACHE
15 0
+-------------+ +----+------+------+------+------+------+------+------+------+------+
CS | idx |T|PL| |ATTR AR | BASE 31..0 | LIMIT 31..0 |
+-------------+ +-----------+---------------------------+---------------------------+
DS | | | | | |
+-------------+ +-----------+---------------------------+---------------------------+
SS | | | | | |
+-------------+ +-----------+---------------------------+---------------------------+
ES | | | | | |
+-------------+ +-----------+---------------------------+---------------------------+
FS | | | | | |
+-------------+ +-----------+---------------------------+---------------------------+
GS | | | | | |
+-------------+ +-----------+---------------------------+---------------------------+
+-------------+ +----+------+---------------------------+---------------------------+
TR | idx |0|00| |ATTR AR | BASE 31..0 | LIMIT 31..0 |
+-------------+ +-----------+---------------------------+---------------------------+
LDTR | idx |0|00| | | | |
+-------------+ +-----------+---------------------------+---------------------------+
+---------------------------+-------------+
GDTR | BASE 31..0 | LIMIT 15..0 |
+---------------------------+-------------+
IDTR | | |
+---------------------------+-------------+
Note that GDTR/IDTR limit not extended (selectors remain 16-bit)
About Protection Mechanisms
- new system registers and instructions
- 4 privilege levels for code- and data access protection
- GATE descriptors (controlled function pointers) to subroutines
- hw task switch for isolated stack
- multitasking support (optional to use)
- IDT mechanism for vectored exc and interrupts
- new memory protection- and virtual memory exceptions (not-present bit)
- a gigabyte (230 bytes) of virtual address space
- built-in support for virtual memory management