Vol. 1 17-11
INTEL® MEMORY PROTECTION EXTENSIONS
17.5.4 BOUND Instruction and Intel MPX
If Intel MPX is enabled (see Section 13.5) and a #BR was caused by a BOUND instruction, then the BOUND instruction will write zero to the BNDSTATUS register. In all other situations, the BOUND instruction will not modify BNDSTATUS. Specifically, the operation of the BOUND instruction can be described as:
IF ( (BOUND instruction caused #BR) AND (CR4.OSXSAVE = 1 AND XCR0.BNDREGS = 1 AND XCR0.BNDCSR = 1) AND
     ( (CPL = 3 AND BNDCFGU.ENABLE = 1) OR (CPL < 3 AND BNDCFGS.ENABLE = 1) ) ) THEN
    BNDSTATUS ← 0;
ELSE
    BNDSTATUS is not modified;
FI;
17.5.5 Programming Considerations
The Intel MPX instruction set does not dictate any calling convention, but it allows calling convention extensions to be interoperable with legacy code by making use of the bound registers and the bound tables to convey arguments and return values.
17.5.6 Intel MPX and System Management Mode
Upon delivery of an SMI to a processor supporting Intel MPX, the contents of IA32_BNDCFGS are saved to the SMM state save map (at offset 7ED0H) and the register is then cleared when entering SMM. RSM restores IA32_BNDCFGS from the SMM state save map. RSM forces the reserved bits (11:2) to 0 and sign-extends the highest implemented bit of the linear address to guarantee the canonicality of this address (regardless of what is in the SMM state save map).
The content of IA32_BNDCFGS is cleared after entering into SMM. Thus, Intel MPX is disabled inside an SMM
handler until SMM code enables it explicitly. This will prevent the side-effect of INIT-ing bound registers by legacy
CALL/RET/JMP/Jcc in SMM code.
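The sanitization RSM applies to the saved IA32_BNDCFGS image is worth seeing as bit arithmetic, because it is what stops a corrupted or attacker-influenced state save map from loading a non-canonical bound directory base. The following C is an added example written for this page, not Intel's own code or microcode. It uses the IA32_BNDCFGS layout from the SDM (bit 0 EN, bit 1 BNDPRESERVE, bits 11:2 reserved, bits 63:12 bound directory base) and treats the number of implemented linear-address bits (48 on 4-level-paging parts) as an assumed parameter; the function names and the sample save-map values are constructed for illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* IA32_BNDCFGS layout (Intel SDM): bit 0 = EN, bit 1 = BNDPRESERVE,
 * bits 11:2 reserved (must be zero), bits 63:12 = linear base of the
 * bound directory.  Offset of the saved image in the SMM state save map
 * is 7ED0H per the text above. */
#define BNDCFGS_EN              (1ULL << 0)
#define BNDCFGS_BNDPRESERVE     (1ULL << 1)
#define BNDCFGS_RESERVED_MASK   0x0000000000000FFCULL   /* bits 11:2 */
#define BNDCFGS_BASE_MASK       (~0xFFFULL)             /* bits 63:12 */
#define SMM_SAVE_BNDCFGS_OFFSET 0x7ED0

/* Model of what RSM does to the saved IA32_BNDCFGS image (assumed model,
 * written from the SDM description):
 *  1. clear reserved bits 11:2;
 *  2. copy the highest implemented linear-address bit (lin_addr_bits - 1)
 *     into every bit above it, so the base is canonical no matter what
 *     the state save map contained. */
uint64_t rsm_restore_bndcfgs(uint64_t saved, unsigned lin_addr_bits)
{
    uint64_t v = saved & ~BNDCFGS_RESERVED_MASK;
    if (lin_addr_bits == 0 || lin_addr_bits >= 64)
        return v;                          /* nothing above the top bit to fix */
    unsigned top = lin_addr_bits - 1;
    uint64_t high_mask = ~0ULL << lin_addr_bits;   /* bits 63:lin_addr_bits */
    if ((v >> top) & 1ULL)
        v |= high_mask;                    /* sign bit set: fill with ones  */
    else
        v &= ~high_mask;                   /* sign bit clear: fill with zeros */
    return v;
}

/* True if addr is canonical for lin_addr_bits implemented bits, i.e. all
 * bits above the top implemented bit equal that bit. */
bool is_canonical(uint64_t addr, unsigned lin_addr_bits)
{
    if (lin_addr_bits == 0 || lin_addr_bits >= 64)
        return true;
    uint64_t high = addr >> (lin_addr_bits - 1);
    return high == 0 || high == (~0ULL >> (lin_addr_bits - 1));
}

/* Bound directory base as RSM would load it (bits 63:12 only). */
uint64_t bndcfgs_bd_base(uint64_t bndcfgs)
{
    return bndcfgs & BNDCFGS_BASE_MASK;
}

int main(void)
{
    /* Constructed save-map images: the first has junk in the reserved
     * bits, the second has a half-set upper half that is not canonical. */
    uint64_t junk_reserved = 0x0000000000001FFDULL;
    uint64_t noncanonical  = 0x00FF800000001FFFULL;

    printf("%016llx -> %016llx\n", (unsigned long long)junk_reserved,
           (unsigned long long)rsm_restore_bndcfgs(junk_reserved, 48));
    printf("%016llx -> %016llx canonical=%d\n", (unsigned long long)noncanonical,
           (unsigned long long)rsm_restore_bndcfgs(noncanonical, 48),
           is_canonical(rsm_restore_bndcfgs(noncanonical, 48), 48));
    return 0;
}
```

The second sample shows the "regardless of what is in the SMM state save map" clause: an image whose upper bits are neither all zero nor all one comes back as a canonical address because bit 47 is replicated upward, and EN/BNDPRESERVE survive while bits 11:2 are dropped.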
17.5.7 Support of Intel MPX in VMCS
A new guest-state field for IA32_BNDCFGS is added to the VMCS. In addition, two new controls are added:
• a VM-exit control called “clear BNDCFGS”
• a VM-entry control called “load BNDCFGS.”
Table 17-4. Bounds Register INIT Behavior Due to BND Prefix with Branch Instructions

Instruction    Branch Instruction Opcodes                      BNDPRESERVE = 0      BNDPRESERVE = 1
CALL           E8, FF/2                                        Init BND0-BND3       BND0-BND3 unchanged
BND + CALL     F2 E8, F2 FF/2                                  BND0-BND3 unchanged  BND0-BND3 unchanged
RET            C2, C3                                          Init BND0-BND3       BND0-BND3 unchanged
BND + RET      F2 C2, F2 C3                                    BND0-BND3 unchanged  BND0-BND3 unchanged
JMP            E9, FF/4                                        Init BND0-BND3       BND0-BND3 unchanged
BND + JMP      F2 E9, F2 FF/4                                  BND0-BND3 unchanged  BND0-BND3 unchanged
Jcc            70 through 7F, 0F 80 through 0F 8F              Init BND0-BND3       BND0-BND3 unchanged
BND + Jcc      F2 70 through F2 7F, F2 0F 80 through F2 0F 8F  BND0-BND3 unchanged  BND0-BND3 unchanged