Vol. 3A 5-21
PROTECTION
SYSENTER is intended for use by user code running at privilege level 3 to access operating system or executive procedures running at privilege level 0. SYSEXIT is intended for use by privilege level 0 operating system or executive procedures for fast returns to privilege level 3 user code. SYSENTER can be executed from privilege levels 3, 2, 1, or 0; SYSEXIT can only be executed from privilege level 0.
The SYSENTER and SYSEXIT instructions are companion instructions, but they do not constitute a call/return pair.
This is because SYSENTER does not save any state information for use by SYSEXIT on a return.
The target instruction and stack pointer for these instructions are not specified through instruction operands.
Instead, they are specified through parameters entered in MSRs and general-purpose registers.
For SYSENTER, target fields are generated using the following sources:
• Target code segment — Reads this from IA32_SYSENTER_CS.
• Target instruction — Reads this from IA32_SYSENTER_EIP.
• Stack segment — Computed by adding 8 to the value in IA32_SYSENTER_CS.
• Stack pointer — Reads this from the IA32_SYSENTER_ESP.
For SYSEXIT, target fields are generated using the following sources:
• Target code segment — Computed by adding 16 to the value in the IA32_SYSENTER_CS.
• Target instruction — Reads this from EDX.
• Stack segment — Computed by adding 24 to the value in IA32_SYSENTER_CS.
• Stack pointer — Reads this from ECX.
The SYSENTER and SYSEXIT instructions perform “fast” calls and returns because they force the processor into a predefined privilege level 0 state when SYSENTER is executed and into a predefined privilege level 3 state when SYSEXIT is executed. By forcing predefined and consistent processor states, the number of privilege checks ordinarily required to perform a far call to another privilege level is greatly reduced. Also, predefining the target context state in MSRs and general-purpose registers eliminates all memory accesses except when fetching the target code.
Any additional state that needs to be saved to allow a return to the calling procedure must be saved explicitly by
the calling procedure or be predefined through programming conventions.
5.8.7.1 SYSENTER and SYSEXIT Instructions in IA-32e Mode
For Intel 64 processors, the SYSENTER and SYSEXIT instructions are enhanced to allow fast system calls from user
code running at privilege level 3 (in compatibility mode or 64-bit mode) to 64-bit executive procedures running at
privilege level 0. IA32_SYSENTER_EIP MSR and IA32_SYSENTER_ESP MSR are expanded to hold 64-bit addresses.
If IA-32e mode is inactive, only the lower 32-bit addresses stored in these MSRs are used. The WRMSR instruction
ensures that the addresses stored in these MSRs are canonical. Note that, in 64-bit mode, IA32_SYSENTER_CS
must not contain a NULL selector.
When SYSENTER transfers control, the following fields are generated and bits set:
• Target code segment — Reads non-NULL selector from IA32_SYSENTER_CS.
• New CS attributes — CS base = 0, CS limit = FFFFFFFFH.
• Target instruction — Reads 64-bit canonical address from IA32_SYSENTER_EIP.
• Stack segment — Computed by adding 8 to the value from IA32_SYSENTER_CS.
• Stack pointer — Reads 64-bit canonical address from IA32_SYSENTER_ESP.
• New SS attributes — SS base = 0, SS limit = FFFFFFFFH.
When the SYSEXIT instruction transfers control to 64-bit mode user code using REX.W, the following fields are generated and bits set:
• Target code segment — Computed by adding 32 to the value in IA32_SYSENTER_CS.
• New CS attributes — L-bit = 1 (go to 64-bit mode).
• Target instruction — Reads 64-bit canonical address in RDX.
• Stack segment — Computed by adding 40 to the value of IA32_SYSENTER_CS.
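The selector arithmetic in the lists above (CS, CS+8, CS+16, CS+24 for legacy SYSENTER/SYSEXIT, CS+32 and CS+40 for SYSEXIT with REX.W) fixes how a kernel must lay out its GDT, and the canonical-address and non-NULL-selector rules fix what it may write to the MSRs. The following is an added example, not code from the manual: it derives the six selectors from a hypothetical IA32_SYSENTER_CS value and pre-checks the MSR triple the way boot-time setup code might before issuing WRMSR. It assumes the MSR holds a selector with RPL = 0 and a 48-bit linear address width.

```c
/* Added example: derive the selectors SYSENTER/SYSEXIT produce from
 * IA32_SYSENTER_CS and pre-check MSR values before WRMSR. The layout
 * rules are those stated in the text; all sample values are constructed. */
#include <stdint.h>
#include <stdbool.h>

struct sysenter_selectors {
    uint16_t enter_cs, enter_ss;    /* SYSENTER: CS, CS+8                   */
    uint16_t exit_cs32, exit_ss32;  /* SYSEXIT (32-bit target): CS+16, CS+24 */
    uint16_t exit_cs64, exit_ss64;  /* SYSEXIT with REX.W: CS+32, CS+40      */
};

/* Selector layout: index in bits 15:3, TI in bit 2, RPL in bits 1:0.
 * A NULL selector has bits 15:2 clear; 64-bit mode forbids one in
 * IA32_SYSENTER_CS. Assumes the MSR value carries RPL = 0. */
bool selector_is_null(uint16_t sel) { return (sel & 0xFFFC) == 0; }

/* Consecutive selectors are 8 bytes apart, i.e. one GDT entry each, so the
 * six descriptors must occupy adjacent GDT slots starting at the MSR index. */
struct sysenter_selectors derive_selectors(uint16_t sysenter_cs) {
    struct sysenter_selectors s;
    s.enter_cs  = sysenter_cs;
    s.enter_ss  = sysenter_cs + 8;
    s.exit_cs32 = sysenter_cs + 16;
    s.exit_ss32 = sysenter_cs + 24;
    s.exit_cs64 = sysenter_cs + 32;
    s.exit_ss64 = sysenter_cs + 40;
    return s;
}

/* SYSEXIT returns to privilege level 3; per the SYSEXIT instruction
 * reference it forces RPL = 3 on the CS and SS it loads, so the value
 * visible in CS after the return is the derived selector OR 3. */
uint16_t user_selector(uint16_t derived) { return derived | 3; }

/* Canonical address: bits 63 down to (vaddr_bits-1) are all equal.
 * WRMSR enforces this for IA32_SYSENTER_EIP/ESP; checking first lets
 * setup code report the offending value instead of faulting in WRMSR. */
bool is_canonical(uint64_t addr, unsigned vaddr_bits) {
    uint64_t mask = ~(uint64_t)0 << (vaddr_bits - 1);
    uint64_t top  = addr & mask;
    return top == 0 || top == mask;
}

/* Pre-check for a 64-bit kernel: non-NULL CS, canonical EIP and ESP. */
bool sysenter_msrs_ok(uint16_t cs, uint64_t eip, uint64_t esp) {
    return !selector_is_null(cs) && is_canonical(eip, 48) && is_canonical(esp, 48);
}
```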