background image

Vol. 3A 5-17

PROTECTION

If a call is made to a more privileged (numerically lower privilege level) nonconforming destination code segment, 
the CPL is lowered to the DPL of the destination code segment and a stack switch occurs (see Section 5.8.5, “Stack 
Switching”). If a call or jump is made to a more privileged conforming destination code segment, the CPL is not 
changed and no stack switch occurs. 

Call gates allow a single code segment to have procedures that can be accessed at different privilege levels. For 
example, an operating system located in a code segment may have some services which are intended to be used 
by both the operating system and application software (such as procedures for handling character I/O). Call gates 
for these procedures can be set up that allow access at all privilege levels (0 through 3). More privileged call gates 
(with DPLs of 0 or 1) can then be set up for other operating system services that are intended to be used only by 
the operating system (such as procedures that initialize device drivers).

5.8.5 Stack 

Switching

Whenever a call gate is used to transfer program control to a more privileged nonconforming code segment (that 
is, when the DPL of the nonconforming destination code segment is less than the CPL), the processor automatically 
switches to the stack for the destination code segment’s privilege level. This stack switching is carried out to 
prevent more privileged procedures from crashing due to insufficient stack space. It also prevents less privileged 
procedures from interfering (by accident or intent) with more privileged procedures through a shared stack.
Each task must define up to 4 stacks: one for applications code (running at privilege level 3) and one for each of 
the privilege levels 2, 1, and 0 that are used. (If only two privilege levels are used [3 and 0], then only two stacks 
must be defined.) Each of these stacks is located in a separate segment and is identified with a segment selector 
and an offset into the stack segment (a stack pointer).
The segment selector and stack pointer for the privilege level 3 stack is located in the SS and ESP registers, respec-
tively, when privilege-level-3 code is being executed and is automatically stored on the called procedure’s stack 
when a stack switch occurs. 
Pointers to the privilege level 0, 1, and 2 stacks are stored in the TSS for the currently running task (see 
Figure 7-2). Each of these pointers consists of a segment selector and a stack pointer (loaded into the ESP 
register). These initial pointers are strictly read-only values. The processor does not change them while the task is 
running. They are used only to create new stacks when calls are made to more privileged levels (numerically lower 

Figure 5-12.  Example of Accessing Call Gates At Various Privilege Levels

Code

Segment A

Stack Switch

No Stack

Switch Occurs

Occurs

Lowest Privilege

Highest Privilege

3

2

1

0

Call

Gate A

Code

Segment B

Call

Gate B

Code

Segment C

Code

Segment D

Code

Segment E

Nonconforming

Code Segment

Conforming

Code Segment

Gate Selector A

RPL=3

Gate Selector B1

RPL=2

Gate Selector B2

RPL=1

CPL=3

CPL=2

CPL=1

DPL=3

DPL=2

DPL=0

DPL=0

Gate Selector B3

RPL=3