
Vol. 1 17-11

INTEL® MEMORY PROTECTION EXTENSIONS

17.5.4 BOUND Instruction and Intel MPX

If Intel MPX is enabled (see Section 13.5) and a #BR was caused by a BOUND instruction, then the BOUND instruction will write zero to the BNDSTATUS register. In all other situations, the BOUND instruction will not modify BNDSTATUS. Specifically, the operation of the BOUND instruction can be described as:

    IF ( (BOUND instruction caused #BR) AND (CR4.OSXSAVE = 1 AND XCR0.BNDREGS = 1 AND XCR0.BNDCSR = 1) AND
         ( (CPL = 3 AND BNDCFGU.ENABLE = 1) OR (CPL < 3 AND BNDCFGS.ENABLE = 1) ) ) THEN
        BNDSTATUS ← 0;
    ELSE
        BNDSTATUS is not modified;
    FI;

17.5.5 Programming Considerations

The Intel MPX instruction set does not dictate any calling convention, but it allows calling-convention extensions to remain interoperable with legacy code by using the bound registers and the bound tables to convey arguments and return values.

17.5.6 Intel MPX and System Management Mode

Upon delivery of an SMI to a processor supporting Intel MPX, the content of IA32_BNDCFGS is saved to the SMM state save map (at offset 7ED0H) and the register is then cleared on entry to SMM. RSM restores IA32_BNDCFGS from the SMM state save map. The instruction forces the reserved bits (11:2) to 0 and sign-extends the highest implemented bit of the linear address to guarantee that this address is canonical (regardless of what is in the SMM state save map).

Because the content of IA32_BNDCFGS is cleared on entry to SMM, Intel MPX is disabled inside an SMM handler until SMM code enables it explicitly. This prevents the side effect of legacy CALL/RET/JMP/Jcc instructions in SMM code INIT-ing the bound registers.
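The RSM restore rule above and the BOUND pseudocode in Section 17.5.4, modelled together as an added C example that is not Intel's code. It assumes 48 implemented linear-address bits, and the IA32_BNDCFGS field layout in the comment (EN, BNDPRESERVE, bound-directory base) is taken from Intel's documentation rather than from this page.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added illustration, not Intel's code. IA32_BNDCFGS layout as documented
 * by Intel: bit 0 EN, bit 1 BNDPRESERVE, bits 11:2 reserved, bits 63:12
 * bound-directory base. This page only names the reserved bits (11:2). */
#define BNDCFGS_RESERVED_MASK 0x0000000000000FFCULL  /* bits 11:2 */

/* Assumption for this example: 48 implemented linear-address bits, so
 * bit 47 is the highest implemented bit and bits 63:48 must copy it. */
#define LIN_ADDR_BITS 48

/* Model of what RSM does with the IA32_BNDCFGS image taken from the SMM
 * state save map (offset 7ED0H): reserved bits 11:2 are forced to 0 and
 * the highest implemented linear-address bit is sign-extended upward, so
 * the restored value is canonical whatever the save map contained. */
uint64_t rsm_restore_bndcfgs(uint64_t saved)
{
    uint64_t v = saved & ~BNDCFGS_RESERVED_MASK;
    uint64_t top = 1ULL << (LIN_ADDR_BITS - 1);
    uint64_t high = ~((1ULL << LIN_ADDR_BITS) - 1);   /* bits 63:48 */
    return (v & top) ? (v | high) : (v & ~high);
}

/* True when bits 63:48 are all copies of bit 47 (canonical form). */
bool bndcfgs_is_canonical(uint64_t v)
{
    uint64_t high = ~((1ULL << LIN_ADDR_BITS) - 1);
    uint64_t expect = (v & (1ULL << (LIN_ADDR_BITS - 1))) ? high : 0;
    return (v & high) == expect;
}

/* Model of the BOUND pseudocode in Section 17.5.4: BNDSTATUS is written
 * to 0 only when BOUND raised #BR, MPX state is enabled through
 * CR4.OSXSAVE and XCR0, and the configuration for the current CPL
 * (BNDCFGU at CPL 3, BNDCFGS below CPL 3) has ENABLE set. */
bool bound_br_clears_bndstatus(bool caused_br, bool cr4_osxsave,
                               bool xcr0_bndregs, bool xcr0_bndcsr,
                               unsigned cpl, bool bndcfgu_en, bool bndcfgs_en)
{
    bool mpx_on = cr4_osxsave && xcr0_bndregs && xcr0_bndcsr;
    bool cfg_on = (cpl == 3) ? bndcfgu_en : bndcfgs_en;
    return caused_br && mpx_on && cfg_on;
}
```

A save-map image with reserved bits set and a non-canonical upper half (constructed input such as 0x0000A00000000FFF) comes back from rsm_restore_bndcfgs as 0xFFFFA00000000003, which is what the restore rule guarantees.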

17.5.7 Support of Intel MPX in VMCS

A new guest-state field for IA32_BNDCFGS is added to the VMCS. In addition, two new controls are added:

• a VM-exit control called “clear BNDCFGS”

• a VM-entry control called “load BNDCFGS”

Table 17-4.   Bounds Register INIT Behavior Due to BND Prefix with Branch Instructions

Instruction | Branch Instruction Opcodes                       | BNDPRESERVE = 0     | BNDPRESERVE = 1
------------|--------------------------------------------------|---------------------|--------------------
CALL        | E8, FF/2                                         | Init BND0-BND3      | BND0-BND3 unchanged
BND + CALL  | F2 E8, F2 FF/2                                   | BND0-BND3 unchanged | BND0-BND3 unchanged
RET         | C2, C3                                           | Init BND0-BND3      | BND0-BND3 unchanged
BND + RET   | F2 C2, F2 C3                                     | BND0-BND3 unchanged | BND0-BND3 unchanged
JMP         | E9, FF/4                                         | Init BND0-BND3      | BND0-BND3 unchanged
BND + JMP   | F2 E9, F2 FF/4                                   | BND0-BND3 unchanged | BND0-BND3 unchanged
Jcc         | 70 through 7F, 0F 80 through 0F 8F               | Init BND0-BND3      | BND0-BND3 unchanged
BND + Jcc   | F2 70 through F2 7F, F2 0F 80 through F2 0F 8F   | BND0-BND3 unchanged | BND0-BND3 unchanged