Intel 253668-032US User Manual

Vol. 3   5-33
PROTECTION
When SYSRET transfers control to 32-bit mode user code using a 32-bit operand size, 
the processor gets the privilege level 3 target instruction and stack pointer from:
• Target code segment — Reads a non-NULL selector from IA32_STAR[63:48].
• Target instruction — Copies the value in ECX into EIP.
• Stack segment — IA32_STAR[63:48] + 8.
• EFLAGS — Loaded from R11.
It is the responsibility of the OS to ensure the descriptors in the GDT/LDT correspond 
to the selectors loaded by SYSCALL/SYSRET (consistent with the base, limit, and 
attribute values forced by the instructions). 
Any address written to IA32_LSTAR is first checked by WRMSR to ensure canonical 
form. If an address is not canonical, an exception is generated (#GP). 
See Figure 5-14 for the layout of IA32_STAR, IA32_LSTAR and IA32_FMASK.
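The consistency requirements above can be checked mechanically. The following is an added example, not code from the manual: it checks an IA32_LSTAR value for canonical form and verifies that the selectors SYSRET derives from IA32_STAR[63:48] point at ring-3 code and writable data descriptors. It assumes 48-bit linear addresses; the function names, the GDT contents and the STAR value are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 48-bit linear addresses, so bits 63:47 must all be equal. */
static int is_canonical48(uint64_t addr) {
    uint64_t top = addr >> 47;
    return top == 0 || top == 0x1FFFF;
}

/* Selectors SYSRET loads for 32-bit user code, per the text above. */
static uint16_t sysret32_cs(uint64_t star) { return (uint16_t)(star >> 48); }
static uint16_t sysret32_ss(uint64_t star) { return (uint16_t)(sysret32_cs(star) + 8); }

/* Is the GDT entry a present, DPL-3 code segment (want_code) or writable data segment? */
static int gdt_entry_ok(const uint64_t *gdt, size_t n, uint16_t sel, int want_code) {
    size_t idx = sel >> 3;
    if (idx == 0 || idx >= n || (sel & 4)) return 0; /* NULL, out of range, or LDT (not modeled) */
    uint8_t access = (uint8_t)(gdt[idx] >> 40);      /* descriptor bits 47:40 */
    int present = access >> 7, dpl = (access >> 5) & 3, s = (access >> 4) & 1;
    int is_code = (access >> 3) & 1, rw = (access >> 1) & 1;
    if (!present || !s || dpl != 3) return 0;
    return want_code ? is_code : (!is_code && rw);
}

/* Returns 0 when consistent, else a bitmask: 1 = LSTAR, 2 = SYSRET CS, 4 = SYSRET SS. */
static int audit_syscall_msrs(uint64_t star, uint64_t lstar, const uint64_t *gdt, size_t n) {
    int bad = 0;
    if (!is_canonical48(lstar)) bad |= 1;
    if (!gdt_entry_ok(gdt, n, sysret32_cs(star), 1)) bad |= 2;
    if (!gdt_entry_ok(gdt, n, sysret32_ss(star), 0)) bad |= 4;
    return bad;
}

/* Constructed sample values (hypothetical, not from the manual). */
static const uint64_t SAMPLE_GDT[5] = {
    0x0000000000000000ULL, /* 0x00 NULL */
    0x00CF9A000000FFFFULL, /* 0x08 ring-0 code */
    0x00CF92000000FFFFULL, /* 0x10 ring-0 data */
    0x00CFFA000000FFFFULL, /* 0x18 ring-3 32-bit code */
    0x00CFF2000000FFFFULL, /* 0x20 ring-3 data */
};
static const uint64_t SAMPLE_STAR = (0x001BULL << 48) | (0x0008ULL << 32);

int main(void) {
    printf("audit = %d\n", audit_syscall_msrs(SAMPLE_STAR, 0xFFFFFFFF81000000ULL, SAMPLE_GDT, 5));
    return 0;
}
```

A nonzero result identifies which check failed; a STAR value whose SYSRET field selects ring-0 descriptors is reported on both the CS and SS bits.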
5.9 PRIVILEGED INSTRUCTIONS
Some of the system instructions (called “privileged instructions”) are protected from 
use by application programs. The privileged instructions control system functions 
(such as the loading of system registers). They can be executed only when the CPL is 
0 (most privileged). If one of these instructions is executed when the CPL is not 0, a 
Figure 5-14.  MSRs Used by SYSCALL and SYSRET
IA32_STAR: bits 63:48 SYSRET CS and SS; bits 47:32 SYSCALL CS and SS; bits 31:0 Reserved
IA32_LSTAR: bits 63:0 Target RIP for 64-bit Mode Calling Program
IA32_FMASK: bits 63:32 Reserved; bits 31:0 SYSCALL EFLAGS Mask