Vol. 3A 4-29
PAGING
Section 4.6.1 describes how the processor determines the access rights for each linear address. Section 4.6.2
provides additional information about how protection keys contribute to access-rights determination. (They do so
only with IA-32e paging and only if CR4.PKE = 1.)
4.6.1 Determination of Access Rights
Every access to a linear address is either a supervisor-mode access or a user-mode access. For all instruction
fetches and most data accesses, this distinction is determined by the current privilege level (CPL): accesses made
while CPL < 3 are supervisor-mode accesses, while accesses made while CPL = 3 are user-mode accesses.
Some operations implicitly access system data structures with linear addresses; the resulting accesses to those
data structures are supervisor-mode accesses regardless of CPL. Examples of such accesses include the following:
accesses to the global descriptor table (GDT) or local descriptor table (LDT) to load a segment descriptor; accesses
to the interrupt descriptor table (IDT) when delivering an interrupt or exception; and accesses to the task-state
segment (TSS) as part of a task switch or change of CPL. All these accesses are called implicit supervisor-mode
accesses regardless of CPL. Other accesses made while CPL < 3 are called explicit supervisor-mode accesses.
Access rights are also controlled by the mode of a linear address as specified by the paging-structure entries
controlling the translation of the linear address. If the U/S flag (bit 2) is 0 in at least one of the paging-structure
entries, the address is a supervisor-mode address. Otherwise, the address is a user-mode address.
The following items detail how paging determines access rights:
• For supervisor-mode accesses:
    — Data may be read (implicitly or explicitly) from any supervisor-mode address.
    — Data reads from user-mode pages.
      Access rights depend on the value of CR4.SMAP:
        • If CR4.SMAP = 0, data may be read from any user-mode address with a protection key for which read
          access is permitted.
        • If CR4.SMAP = 1, access rights depend on the value of EFLAGS.AC and whether the access is implicit or
          explicit:
            — If EFLAGS.AC = 1 and the access is explicit, data may be read from any user-mode address with a
              protection key for which read access is permitted.
            — If EFLAGS.AC = 0 or the access is implicit, data may not be read from any user-mode address.
      Section 4.6.2 explains how protection keys are associated with user-mode addresses and the accesses that
      are permitted for each protection key.
    — Data writes to supervisor-mode addresses.
      Access rights depend on the value of CR0.WP:
        • If CR0.WP = 0, data may be written to any supervisor-mode address.
        • If CR0.WP = 1, data may be written to any supervisor-mode address with a translation for which the
          R/W flag (bit 1) is 1 in every paging-structure entry controlling the translation; data may not be written
          to any supervisor-mode address with a translation for which the R/W flag is 0 in any paging-structure
          entry controlling the translation.
    — Data writes to user-mode addresses.
      Access rights depend on the value of CR0.WP:
        • If CR0.WP = 0, access rights depend on the value of CR4.SMAP:
            — If CR4.SMAP = 0, data may be written to any user-mode address with a protection key for which
              write access is permitted.
            — If CR4.SMAP = 1, access rights depend on the value of EFLAGS.AC and whether the access is
              implicit or explicit:
                • If EFLAGS.AC = 1 and the access is explicit, data may be written to any user-mode address
                  with a protection key for which write access is permitted.
                • If EFLAGS.AC = 0 or the access is implicit, data may not be written to any user-mode address.
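
The supervisor-mode data-access rules listed above, written out as a decision function. This is an added example, not code from the manual: the struct and function names are hypothetical, and pkey_permits stands in for the result of the Section 4.6.2 protection-key check. Writes to user-mode addresses with CR0.WP = 1 return NOT_COVERED because the text above stops before that case.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PTE_RW (1u << 1) /* R/W flag, bit 1 */
#define PTE_US (1u << 2) /* U/S flag, bit 2 */

enum verdict { NOT_COVERED = -1, DENY = 0, ALLOW = 1 };
struct cpu_state { bool cr0_wp, cr4_smap, eflags_ac; };

/* One supervisor-mode data access (hypothetical model, not an Intel structure). */
struct access {
    const uint64_t *entries; /* paging-structure entries controlling the translation */
    size_t n;                /* number of entries */
    bool is_write, implicit;
    bool pkey_permits;       /* assumed outcome of the Section 4.6.2 check */
};

/* True only if `flag` is set in every entry controlling the translation. */
static bool set_in_every_entry(const struct access *a, uint64_t flag) {
    for (size_t i = 0; i < a->n; i++)
        if (!(a->entries[i] & flag)) return false;
    return true;
}

enum verdict supervisor_data_access(const struct cpu_state *c, const struct access *a) {
    /* U/S = 0 in at least one entry makes this a supervisor-mode address. */
    if (!set_in_every_entry(a, PTE_US)) {
        if (!a->is_write || !c->cr0_wp) return ALLOW;
        return set_in_every_entry(a, PTE_RW) ? ALLOW : DENY;
    }
    /* User-mode address. The excerpt ends before the CR0.WP = 1 write case. */
    if (a->is_write && c->cr0_wp) return NOT_COVERED;
    /* With SMAP set, only explicit accesses made with EFLAGS.AC = 1 pass. */
    if (c->cr4_smap && (!c->eflags_ac || a->implicit)) return DENY;
    return a->pkey_permits ? ALLOW : DENY;
}

int main(void) {
    const uint64_t user_page[] = { 0x7, 0x7, 0x7, 0x7 }; /* constructed: P, R/W, U/S set */
    struct cpu_state cpu = { .cr0_wp = false, .cr4_smap = true, .eflags_ac = false };
    struct access rd = { user_page, 4, false, false, true };
    printf("SMAP=1 AC=0 explicit read of user page: %d\n", supervisor_data_access(&cpu, &rd));
    cpu.eflags_ac = true;
    printf("SMAP=1 AC=1 explicit read of user page: %d\n", supervisor_data_access(&cpu, &rd));
    return 0;
}
```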