5-8 Vol. 3A

PROTECTION

— TSS — The DPL indicates the numerically highest privilege level that the currently executing program or task can be at and still be able to access the TSS. (This is the same access rule as for a data segment.)

Requested privilege level (RPL) — The RPL is an override privilege level that is assigned to segment 
selectors. It is stored in bits 0 and 1 of the segment selector. The processor checks the RPL along with the CPL 
to determine if access to a segment is allowed. Even if the program or task requesting access to a segment has 
sufficient privilege to access the segment, access is denied if the RPL is not of sufficient privilege level. That is, 
if the RPL of a segment selector is numerically greater than the CPL, the RPL overrides the CPL, and vice versa. 
The RPL can be used to ensure that privileged code does not access a segment on behalf of an application 
program unless the program itself has access privileges for that segment. See Section 5.10.4, “Checking Caller 
Access Privileges (ARPL Instruction),” for a detailed description of the purpose and typical use of the RPL.

Privilege levels are checked when the segment selector of a segment descriptor is loaded into a segment register. 
The checks used for data access differ from those used for transfers of program control among code segments; 
therefore, the two kinds of accesses are considered separately in the following sections.

5.6 PRIVILEGE LEVEL CHECKING WHEN ACCESSING DATA SEGMENTS

To access operands in a data segment, the segment selector for the data segment must be loaded into the 
data-segment registers (DS, ES, FS, or GS) or into the stack-segment register (SS). (Segment registers can be loaded 
with the MOV, POP, LDS, LES, LFS, LGS, and LSS instructions.) Before the processor loads a segment selector into 
a segment register, it performs a privilege check (see Figure 5-4) by comparing the privilege levels of the currently 
running program or task (the CPL), the RPL of the segment selector, and the DPL of the segment’s segment 
descriptor. The processor loads the segment selector into the segment register if the DPL is numerically greater 
than or equal to both the CPL and the RPL. Otherwise, a general-protection fault is generated and the segment 
register is not loaded.
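
The rule above written out in C, as an added example that is not part of the manual. The selector and descriptor values and the CPLs are constructed for illustration, and the DPL bit position is taken from the standard IA-32 descriptor layout, which this section does not show.

```c
#include <stdint.h>
#include <stdio.h>

/* The RPL is stored in bits 0 and 1 of the segment selector. */
static unsigned selector_rpl(uint16_t selector) { return selector & 0x3u; }

/* The DPL occupies bits 45-46 of the 8-byte segment descriptor
   (bits 5-6 of the access byte in the standard descriptor layout). */
static unsigned descriptor_dpl(uint64_t descriptor) {
    return (unsigned)((descriptor >> 45) & 0x3u);
}

/* Data-segment rule from the text: the selector is loaded only if the DPL
   is numerically >= both the CPL and the RPL. Returns 1 when the load is
   allowed and 0 when a general-protection fault would be generated. */
static int data_segment_load_allowed(unsigned cpl, uint16_t selector,
                                     uint64_t descriptor) {
    unsigned rpl = selector_rpl(selector);
    unsigned weakest = cpl > rpl ? cpl : rpl; /* less privileged of the two */
    return descriptor_dpl(descriptor) >= weakest;
}

/* Constructed sample values (not taken from the manual's figures). */
#define DESC_E 0x00CFD2000000FFFFull /* read/write data segment, DPL = 2 */
#define SEL_E1 0x0022u               /* index 4, GDT, RPL = 2 */
#define SEL_E2 0x0021u               /* same descriptor, RPL = 1 */
#define SEL_E3 0x0023u               /* same descriptor, RPL = 3 */

int main(void) {
    struct { const char *what; unsigned cpl; uint16_t sel; } cases[] = {
        {"CPL = RPL = DPL",                  2, SEL_E1},
        {"CPL and RPL more privileged",      1, SEL_E2},
        {"CPL more privileged, RPL = DPL",   1, SEL_E1},
        {"CPL and RPL less privileged",      3, SEL_E3},
        {"CPL 0 but RPL less privileged",    0, SEL_E3},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int ok = data_segment_load_allowed(cases[i].cpl, cases[i].sel, DESC_E);
        printf("%-32s CPL=%u RPL=%u DPL=%u -> %s\n", cases[i].what,
               cases[i].cpl, selector_rpl(cases[i].sel),
               descriptor_dpl(DESC_E), ok ? "loaded" : "#GP");
    }
    return 0;
}
```

The last case shows the RPL acting as an override: the caller's CPL alone would pass the check, but the selector's RPL of 3 causes the load to be refused.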

Figure 5-5 shows four procedures (located in code segments A, B, C, and D), each running at different privilege 
levels and each attempting to access the same data segment. 
1. The procedure in code segment A is able to access data segment E using segment selector E1, because the CPL of code segment A and the RPL of segment selector E1 are equal to the DPL of data segment E.

2. The procedure in code segment B is able to access data segment E using segment selector E2, because the CPL of code segment B and the RPL of segment selector E2 are both numerically lower than (more privileged than) the DPL of data segment E. A code segment B procedure can also access data segment E using segment selector E1.

3. The procedure in code segment C is not able to access data segment E using segment selector E3 (dotted line), because the CPL of code segment C and the RPL of segment selector E3 are both numerically greater than (less privileged than) the DPL of data segment E. Even if a code segment C procedure were to use segment selector

Figure 5-4.  Privilege Check for Data Access
[Figure labels: CS Register (CPL); Segment Selector For Data Segment (RPL); Data-Segment Descriptor (DPL); Privilege Check]