Intel architecture ia-32 User Manual
4-8 Vol. 3A
PROTECTION
— On a call or jump through a call gate (or on an interrupt- or exception-handler call
through a trap or interrupt gate), the processor automatically checks that the segment
descriptor being pointed to by the gate is for a code segment.
descriptor being pointed to by the gate is for a code segment.
— On a call or jump to a new task through a task gate (or on an interrupt- or exception-
handler call to a new task through a task gate), the processor automatically checks that
the segment descriptor being pointed to by the task gate is for a TSS.
the segment descriptor being pointed to by the task gate is for a TSS.
— On a call or jump to a new task by a direct reference to a TSS, the processor automati-
cally checks that the segment descriptor being pointed to by the CALL or JMP
instruction is for a TSS.
instruction is for a TSS.
— On return from a nested task (initiated by an IRET instruction), the processor checks
that the previous task link field in the current TSS points to a TSS.
4.4.1
Null Segment Selector Checking
Attempting to load a null segment selector (see Section 3.4.2, “Segment Selectors”) into the CS
or SS segment register generates a general-protection exception (#GP). A null segment selector
can be loaded into the DS, ES, FS, or GS register, but any attempt to access a segment through
one of these registers when it is loaded with a null segment selector results in a #GP exception
being generated. Loading unused data-segment registers with a null segment selector is a useful
method of detecting accesses to unused segment registers and/or preventing unwanted accesses
to data segments.
or SS segment register generates a general-protection exception (#GP). A null segment selector
can be loaded into the DS, ES, FS, or GS register, but any attempt to access a segment through
one of these registers when it is loaded with a null segment selector results in a #GP exception
being generated. Loading unused data-segment registers with a null segment selector is a useful
method of detecting accesses to unused segment registers and/or preventing unwanted accesses
to data segments.
4.4.1.1
NULL Segment Checking in 64-bit Mode
In 64-bit mode, the processor does not perform runtime checking on NULL segment selectors.
The processor does not cause a #GP fault when an attempt is made to access memory where the
referenced segment register has a NULL segment selector.
The processor does not cause a #GP fault when an attempt is made to access memory where the
referenced segment register has a NULL segment selector.
4.5
PRIVILEGE LEVELS
The processor’s segment-protection mechanism recognizes 4 privilege levels, numbered from 0
to 3. The greater numbers mean lesser privileges. Figure 4-3 shows how these levels of privilege
can be interpreted as rings of protection.
to 3. The greater numbers mean lesser privileges. Figure 4-3 shows how these levels of privilege
can be interpreted as rings of protection.
The center (reserved for the most privileged code, data, and stacks) is used for the segments
containing the critical software, usually the kernel of an operating system. Outer rings are used
for less critical software. (Systems that use only 2 of the 4 possible privilege levels should use
levels 0 and 3.)
containing the critical software, usually the kernel of an operating system. Outer rings are used
for less critical software. (Systems that use only 2 of the 4 possible privilege levels should use
levels 0 and 3.)