4-30 Vol. 3A

PAGING

•

If CR0.WP = 1, access rights depend on the value of CR4.SMAP:
—

If CR4.SMAP = 0, data may be written to any user-mode address with a translation for which the 

R/W flag is 1 in every paging-structure entry controlling the translation and with a protection key 
for which write access is permitted; data may not be written to any user-mode address with a 
translation for which the R/W flag is 0 in any paging-structure entry controlling the translation.

—

If CR4.SMAP = 1, access rights depend on the value of EFLAGS.AC and whether the access is 

implicit or explicit:
•

If EFLAGS.AC = 1 and the access is explicit, data may be written to any user-mode address 

with a translation for which the R/W flag is 1 in every paging-structure entry controlling the 
translation and with a protection key for which write access is permitted; data may not be 
written to any user-mode address with a translation for which the R/W flag is 0 in any paging-
structure entry controlling the translation.

•

If EFLAGS.AC = 0 or the access is implicit, data may not be written to any user-mode address.

Section 4.6.2 explains how protection keys are associated with user-mode addresses and the accesses that 
are permitted for each protection key.

— Instruction fetches from supervisor-mode addresses.

•

For 32-bit paging or if IA32_EFER.NXE = 0, instructions may be fetched from any supervisor-mode 

address.

•

For PAE paging or IA-32e paging with IA32_EFER.NXE = 1, instructions may be fetched from any 

supervisor-mode address with a translation for which the XD flag (bit 63) is 0 in every paging-structure 
entry controlling the translation; instructions may not be fetched from any supervisor-mode address 
with a translation for which the XD flag is 1 in any paging-structure entry controlling the translation.

— Instruction fetches from user-mode addresses.

Access rights depend on the values of CR4.SMEP:

•

If CR4.SMEP = 0, access rights depend on the paging mode and the value of IA32_EFER.NXE:
—

For 32-bit paging or if IA32_EFER.NXE = 0, instructions may be fetched from any user-mode 

address.

—

For PAE paging or IA-32e paging with IA32_EFER.NXE = 1, instructions may be fetched from any 

user-mode address with a translation for which the XD flag is 0 in every paging-structure entry 
controlling the translation; instructions may not be fetched from any user-mode address with a 
translation for which the XD flag is 1 in any paging-structure entry controlling the translation.

•

If CR4.SMEP = 1, instructions may not be fetched from any user-mode address.

•

For user-mode accesses:
— Data reads.

Access rights depend on the mode of the linear address:

•

Data may be read from any user-mode address with a protection key for which read access is 

permitted. Section 4.6.2 explains how protection keys are associated with user-mode addresses and 
the accesses that are permitted for each protection key.

•

Data may not be read from any supervisor-mode address.

— Data writes.

Access rights depend on the mode of the linear address:

•

Data may be written to any user-mode address with a translation for which the R/W flag is 1 in every 

paging-structure entry controlling the translation and with a protection key for which write access is 
permitted. Section 4.6.2 explains how protection keys are associated with user-mode addresses and 
the accesses that are permitted for each protection key.

•

Data may not be written to any supervisor-mode address.

— Instruction fetches.

Access rights depend on the mode of the linear address, the paging mode, and the value of 
IA32_EFER.NXE: