
Vol. 3A 4-31


For 32-bit paging or if IA32_EFER.NXE = 0, instructions may be fetched from any user-mode address.

For PAE paging or IA-32e paging with IA32_EFER.NXE = 1, instructions may be fetched from any user-mode address with a translation for which the XD flag is 0 in every paging-structure entry controlling the translation.

Instructions may not be fetched from any supervisor-mode address.

A processor may cache information from the paging-structure entries in TLBs and paging-structure caches (see 
Section 4.10). These structures may include information about access rights. The processor may enforce access 
rights based on the TLBs and paging-structure caches instead of on the paging structures in memory.
This fact implies that, if software modifies a paging-structure entry to change access rights, the processor might 
not use that change for a subsequent access to an affected linear address (see Section See Section for how software can ensure that the processor uses the modified access rights.

4.6.2 Protection 


The protection-key feature provides an additional mechanism by which IA-32e paging controls access to user-
mode addresses. When CR4.PKE = 1, every linear address is associated with the 4-bit protection key located in 
bits 62:59 of the paging-structure entry that mapped the page containing the linear address (see Section 4.5). The 
PKRU register determines, for each protection key, whether user-mode addresses with that protection key may be 
read or written.
If CR4.PKE = 0, or if IA-32e paging is not active, the processor does not associate linear addresses with protection 
keys and does not use the access-control mechanism described in this section. In either of these cases, a reference 
in Section 4.6.1 to a user-mode address with a protection key should be considered a reference to any user-mode 
The PKRU register (protection key rights for user pages) is a 32-bit register with the following format: for each i 
(0 ≤ i ≤ 15), PKRU[2i] is the access-disable bit for protection key i (ADi); PKRU[2i+1] is the write-disable bit 
for protection key i (WDi).
Software can use the RDPKRU and WRPKRU instructions with ECX = 0 to read and write PKRU. In addition, the 
PKRU register is XSAVE-managed state and can thus be read and written by instructions in the XSAVE feature set. 
See Chapter 13, “Managing State Using the XSAVE Feature Set,” of Intel® 64 and IA-32 Architectures Software 
Developer’s Manual, Volume 1 for more information about the XSAVE feature set.
How a linear address’s protection key controls access to the address depends on the mode of a linear address:

A linear address’s protection key controls only data accesses to the address. It does not in any way affect instruction fetches from the address.

The protection key of a supervisor-mode address is ignored and does not control data accesses to the address. 
Because of this, Section 4.6.1 does not refer to protection keys when specifying the access rights for 
supervisor-mode addresses.

Use of the protection key i of a user-mode address depends on the value of the PKRU register:
— If ADi = 1, no data accesses are permitted.
— If WDi = 1, permission may be denied to certain data write accesses:

User-mode write accesses are not permitted.

Supervisor-mode write accesses are not permitted if CR0.WP = 1. (If CR0.WP = 0, WDi does not affect supervisor-mode write accesses to user-mode addresses with protection key i.)
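
The rules above, written as a small C predicate. This is an added example, not code from the manual: the names `pk_ctx`, `pk_of_entry`, `pk_permits` and `pkru_set` are hypothetical, and the model covers only the protection-key check, not the other access rights of Section 4.6.1.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added illustration; all names are hypothetical, not Intel's. */
enum access_kind { ACC_READ, ACC_WRITE, ACC_FETCH };

struct pk_ctx {
    bool     pke_active; /* CR4.PKE = 1 and IA-32e paging is active */
    bool     cr0_wp;     /* CR0.WP */
    uint32_t pkru;       /* PKRU[2i] = ADi, PKRU[2i+1] = WDi */
};

/* Protection key: bits 62:59 of the paging-structure entry mapping the page. */
unsigned pk_of_entry(uint64_t entry)
{
    return (unsigned)((entry >> 59) & 0xF);
}

bool pkru_ad(uint32_t pkru, unsigned key) { return (pkru >> (2 * key)) & 1u; }
bool pkru_wd(uint32_t pkru, unsigned key) { return (pkru >> (2 * key + 1)) & 1u; }

/* Return a PKRU value with ADi/WDi for one key replaced, other keys untouched. */
uint32_t pkru_set(uint32_t pkru, unsigned key, bool ad, bool wd)
{
    pkru &= ~(3u << (2 * key));
    return pkru | ((uint32_t)ad << (2 * key)) | ((uint32_t)wd << (2 * key + 1));
}

/* True if the protection key does not block the access. */
bool pk_permits(const struct pk_ctx *c, uint64_t entry,
                bool user_mode_address, bool supervisor_access,
                enum access_kind kind)
{
    if (!c->pke_active)      return true;  /* mechanism not in use */
    if (kind == ACC_FETCH)   return true;  /* keys control data accesses only */
    if (!user_mode_address)  return true;  /* key of supervisor-mode address ignored */

    unsigned key = pk_of_entry(entry);
    if (pkru_ad(c->pkru, key))
        return false;                      /* ADi = 1: no data accesses */
    if (kind == ACC_WRITE && pkru_wd(c->pkru, key))
        return supervisor_access && !c->cr0_wp; /* WDi = 1: only a supervisor write with CR0.WP = 0 passes */
    return true;
}
```

The case worth noting for defenders is the last branch: with CR0.WP = 0, WDi does not stop a supervisor-mode write to a user-mode page, so a write-disabled key is not a barrier against privileged code in that configuration.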



Accesses using linear addresses may cause page-fault exceptions (#PF; exception 14). An access to a linear 
address may cause a page-fault exception for either of two reasons: (1) there is no translation for the linear 
address; or (2) there is a translation for the linear address, but its access rights do not permit the access.