Intel IA-32 User Manual

Page 158


4-28 Vol. 3A

PROTECTION

new CPL (excluding conforming code segments), the segment register is loaded with a null
segment selector.

See the description of the RET instruction in Chapter 3, Instruction Set Reference, of the IA-32 Intel Architecture Software Developer’s Manual, Volume 2, for a detailed description of the privilege level checks and other protection checks that the processor performs on a far return.

4.8.7 Performing Fast Calls to System Procedures with the SYSENTER and SYSEXIT Instructions

The SYSENTER and SYSEXIT instructions were introduced into the IA-32 architecture in the
Pentium II processors for the purpose of providing a fast (low overhead) mechanism for calling
operating system or executive procedures. SYSENTER is intended for use by user code running
at privilege level 3 to access operating system or executive procedures running at privilege level
0. SYSEXIT is intended for use by privilege level 0 operating system or executive procedures
for fast returns to privilege level 3 user code. SYSENTER can be executed from privilege levels
3, 2, 1, or 0; SYSEXIT can only be executed from privilege level 0.

The SYSENTER and SYSEXIT instructions are companion instructions, but they do not constitute a call/return pair. This is because SYSENTER does not save any state information for use by SYSEXIT on a return: in particular, the user-mode EIP and ESP are simply overwritten, so the privilege level 0 procedure that SYSENTER enters must obtain the return address and user stack pointer by its own convention with the caller and place them in EDX and ECX before executing SYSEXIT.

The target instruction and stack pointer for these instructions are not specified through instruc-
tion operands. Instead, they are specified through parameters entered in MSRs and general-
purpose registers.

For SYSENTER, target fields are generated using the following sources:

• Target code segment — Reads this from IA32_SYSENTER_CS.

• Target instruction — Reads this from IA32_SYSENTER_EIP.

• Stack segment — Computed by adding 8 to the value in IA32_SYSENTER_CS.

• Stack pointer — Reads this from IA32_SYSENTER_ESP.

For SYSEXIT, target fields are generated using the following sources:

• Target code segment — Computed by adding 16 to the value in IA32_SYSENTER_CS.

• Target instruction — Reads this from EDX.

• Stack segment — Computed by adding 24 to the value in IA32_SYSENTER_CS.

• Stack pointer — Reads this from ECX.
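The two lists above, together with the privilege level constraints stated earlier in this section, can be captured in a small model of the two transitions. The following is an added example written for this page, not Intel's or any operating system's code; the struct and function names are invented, and the sample MSR values, selectors and GDT contents are constructed for the illustration. Two details come from the SYSENTER/SYSEXIT entries in the instruction set reference rather than from this section: SYSENTER clears the RPL bits of the selector it loads, and SYSEXIT forces RPL 3 into the selectors it loads (both instructions raise #GP if IA32_SYSENTER_CS is zero). The selector arithmetic also implies a required GDT layout, which the model checks: starting at the descriptor IA32_SYSENTER_CS selects, kernel code, kernel stack, user code, user stack.

```c
/* Added example: a 32-bit model of the SYSENTER/SYSEXIT ring transitions as
 * this section describes them. Illustrative code written for this page; all
 * names are invented for the example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The three MSRs the section names. */
struct sysenter_msrs {
    uint32_t cs;   /* IA32_SYSENTER_CS  */
    uint32_t eip;  /* IA32_SYSENTER_EIP */
    uint32_t esp;  /* IA32_SYSENTER_ESP */
};

/* The architectural state the two instructions read or write. */
struct cpu {
    uint16_t cs, ss;
    uint32_t eip, esp, ecx, edx;
    int cpl;
};

/* Minimal GDT entry: only what the layout check needs. */
struct gdt_entry {
    int present;
    int dpl;
    int code;   /* 1 = code segment, 0 = data (stack) segment */
};

enum { FAULT_NONE = 0, FAULT_GP = 13 };

/* SYSENTER: CS <- IA32_SYSENTER_CS (RPL cleared), EIP <- IA32_SYSENTER_EIP,
 * SS <- CS + 8, ESP <- IA32_SYSENTER_ESP, CPL <- 0. Legal from any CPL.
 * Note that nothing is saved: the caller's EIP/ESP are simply overwritten. */
static int do_sysenter(struct cpu *c, const struct sysenter_msrs *m)
{
    if ((m->cs & 0xFFFC) == 0)          /* #GP on a null entry selector */
        return FAULT_GP;
    c->cs  = (uint16_t)(m->cs & 0xFFFC);
    c->eip = m->eip;
    c->ss  = (uint16_t)(c->cs + 8);
    c->esp = m->esp;
    c->cpl = 0;
    return FAULT_NONE;
}

/* SYSEXIT: legal only at CPL 0. CS <- IA32_SYSENTER_CS + 16 with RPL 3,
 * EIP <- EDX, SS <- IA32_SYSENTER_CS + 24 with RPL 3, ESP <- ECX, CPL <- 3. */
static int do_sysexit(struct cpu *c, const struct sysenter_msrs *m)
{
    if (c->cpl != 0)                     /* #GP if not executed at ring 0 */
        return FAULT_GP;
    if ((m->cs & 0xFFFC) == 0)
        return FAULT_GP;
    c->cs  = (uint16_t)(((m->cs + 16) & 0xFFFC) | 3);
    c->eip = c->edx;
    c->ss  = (uint16_t)(((m->cs + 24) & 0xFFFC) | 3);
    c->esp = c->ecx;
    c->cpl = 3;
    return FAULT_NONE;
}

/* The +8/+16/+24 arithmetic only lands on sensible descriptors if the GDT
 * holds, from the entry IA32_SYSENTER_CS selects: kernel code (DPL 0),
 * kernel stack (DPL 0), user code (DPL 3), user stack (DPL 3). */
static int gdt_layout_ok(const struct gdt_entry *gdt, size_t n, uint32_t sysenter_cs)
{
    size_t base = (sysenter_cs & 0xFFF8) / 8;
    if (base + 3 >= n)
        return 0;
    const struct gdt_entry *e = &gdt[base];
    return e[0].present &&  e[0].code && e[0].dpl == 0 &&
           e[1].present && !e[1].code && e[1].dpl == 0 &&
           e[2].present &&  e[2].code && e[2].dpl == 3 &&
           e[3].present && !e[3].code && e[3].dpl == 3;
}

/* A user -> ring 0 -> user round trip. Because SYSENTER saves no return state,
 * the user code hands the kernel its return EIP and ESP itself; passing them
 * in EDX and ECX (the registers SYSEXIT consumes) is a convention assumed by
 * this example, not an architectural requirement. Returns 1 if control comes
 * back to the caller's return point, on its own stack, at ring 3. */
static int round_trip(const struct sysenter_msrs *m, uint32_t user_ret_eip, uint32_t user_esp)
{
    struct cpu c = { .cs = (uint16_t)((m->cs + 16) | 3), .ss = (uint16_t)((m->cs + 24) | 3),
                     .eip = user_ret_eip - 2, .esp = user_esp, .cpl = 3 };
    c.edx = user_ret_eip;   /* user code stashes its return address   */
    c.ecx = user_esp;       /* user code stashes its stack pointer    */
    if (do_sysenter(&c, m) != FAULT_NONE)
        return 0;
    if (c.cpl != 0 || c.eip != m->eip || c.esp != m->esp)
        return 0;
    /* ... the ring 0 handler runs here; it must preserve or reload ECX/EDX ... */
    if (do_sysexit(&c, m) != FAULT_NONE)
        return 0;
    return c.cpl == 3 && c.eip == user_ret_eip && c.esp == user_esp &&
           (c.cs & 3) == 3 && (c.ss & 3) == 3;
}

int main(void)
{
    /* Constructed GDT: null, kernel code, kernel data, user code, user data. */
    struct gdt_entry gdt[8] = {
        {0, 0, 0}, {1, 0, 1}, {1, 0, 0}, {1, 3, 1}, {1, 3, 0}, {0, 0, 0}, {0, 0, 0}, {0, 0, 0}
    };
    struct sysenter_msrs m = { .cs = 0x08, .eip = 0xC0001000u, .esp = 0xC0FFF000u };
    printf("GDT layout usable for SYSENTER_CS=%#x: %d\n", m.cs, gdt_layout_ok(gdt, 8, m.cs));
    printf("round trip returns to caller: %d\n", round_trip(&m, 0x08048123u, 0xBFFFF000u));
    return 0;
}
```

With IA32_SYSENTER_CS = 0x08 the model yields kernel CS 0x08 and SS 0x10 on entry, and user CS 0x1B and SS 0x23 on exit; a SYSEXIT attempted after the CPL has already become 3 is rejected with #GP, as is either instruction with a zero IA32_SYSENTER_CS.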

The SYSENTER and SYSEXIT instructions perform “fast” calls and returns because they force the processor into a predefined privilege level 0 state when SYSENTER is executed and into a predefined privilege level 3 state when SYSEXIT is executed. By forcing predefined and consistent processor states, the number of privilege checks ordinarily required to perform a far call to another privilege level is greatly reduced. Also, by predefining the target context state in
