3.5 Implementing Memory Protection
selector of the data segment. Keep in mind that the process trying to access
data in another segment has control over the RPL value of the segment selector
for that data segment.

When attempting to load the stack-segment register with a segment selector
for a new stack segment, the DPL of the stack segment and the RPL of the
corresponding segment selector must both match the CPL.

A nonconforming code segment is a code segment that cannot be accessed
by a program that is executing with less privilege (i.e., with a higher CPL).
When transferring control to a nonconforming code segment, the calling
routine's CPL must be equal to the DPL of the destination segment (i.e., the
privilege level must be the same on both sides of the fence). In addition, the
RPL of the segment selector corresponding to the destination code segment
must be less than or equal to the CPL.

When transferring control to a conforming code segment, the calling routine's
CPL must be greater than or equal to the DPL of the destination segment (i.e.,
the DPL defines the lowest CPL value that a calling routine may execute at
and still successfully make the jump). The RPL value for the segment selector
of the destination segment is not checked in this case.
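
The stack-segment and code-segment rules above, written out as a small C model
(an added example, not code from the original text). The function and enum
names are hypothetical; the RPL and DPL bit positions follow the IA-32 selector
and descriptor layouts, and the selectors and descriptors are constructed
sample values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Which kind of segment the selector is being loaded for (names are illustrative). */
enum seg_kind { SEG_STACK, SEG_CODE_NONCONFORMING, SEG_CODE_CONFORMING };

/* RPL is the low two bits of a 16-bit segment selector. */
static unsigned selector_rpl(uint16_t selector) { return selector & 0x3u; }

/* DPL is bits 13-14 of the upper 32 bits of an 8-byte segment descriptor. */
static unsigned descriptor_dpl(uint32_t desc_high) { return (desc_high >> 13) & 0x3u; }

/* Constructed sample input: upper descriptor dword with only P, S and DPL set. */
uint32_t sample_desc_high(unsigned dpl) { return (1u << 15) | ((dpl & 0x3u) << 13) | (1u << 12); }

/* Returns true when the load passes the privilege check described in the text. */
bool privilege_check(enum seg_kind kind, unsigned cpl, uint16_t selector, uint32_t desc_high)
{
    unsigned rpl = selector_rpl(selector);
    unsigned dpl = descriptor_dpl(desc_high);

    switch (kind) {
    case SEG_STACK:               /* DPL and RPL must both match the CPL */
        return dpl == cpl && rpl == cpl;
    case SEG_CODE_NONCONFORMING:  /* same privilege on both sides, RPL <= CPL */
        return cpl == dpl && rpl <= cpl;
    case SEG_CODE_CONFORMING:     /* CPL >= DPL, RPL is not checked */
        return cpl >= dpl;
    }
    return false;
}

int main(void)
{
    /* Constructed selectors: 0x08 has RPL 0, 0x1B has RPL 3. */
    printf("ring 3 -> nonconforming ring 0 code: %d\n",
           privilege_check(SEG_CODE_NONCONFORMING, 3, 0x08, sample_desc_high(0)));
    printf("ring 3 -> conforming ring 0 code:    %d\n",
           privilege_check(SEG_CODE_CONFORMING, 3, 0x1B, sample_desc_high(0)));
    printf("ring 0 loading SS with RPL 3 selector: %d\n",
           privilege_check(SEG_STACK, 0, 0x1B, sample_desc_high(3)));
    return 0;
}
```
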
Restricted Instruction Checks
Restricted instruction checks verify that a program isn't trying to use instructions
that are restricted to a lower CPL value. The following is a sample listing
of instructions that may only execute when the CPL is 0 (highest privilege
level). Many of these instructions, like LGDT and LIDT, are used to build and
maintain system data structures that user applications should not access.
Other instructions are used to manage system events and perform actions that
affect the machine as a whole.

Table 3.8 Restricted Instructions

Instruction   Description
LGDT          Load the GDTR register
LIDT          Load the LDTR register
MOV           Move a value into a control register
HLT           Halt the processor
WRMSR         Write to a model-specific register