NOTE: The Intel® 64 and IA-32 Architectures Software Developer's Manual
consists of five volumes: Basic Architecture, Order Number 253665;
Instruction Set Reference A-M, Order Number 253666; Instruction Set
Reference N-Z, Order Number 253667; System Programming Guide,
Part 1, Order Number 253668; System Programming Guide, Part 2, Order
Number 253669. Refer to all five volumes when evaluating your design
needs.
Order Number: 253668-032US
September 2009
INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE,
EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS
GRANTED BY THIS DOCUMENT. EXCEPT AS PROVID ED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR
SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER AND INTEL DISCLAIMS ANY EXPRESS OR
IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR
WARRANTIES RELA TING TO FITNESS FOR A PAR TICULAR PURPOSE, MERCHANT ABILITY , OR INFRINGEMENT
OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT.
UNLESS OTHERWISE AGREED IN WRITING BY INTEL, THE INTEL PRODUCTS ARE NOT DESI GNED NOR INTENDED FOR ANY APPLICATION IN WHICH THE FAILURE OF THE INTEL PRODUCT COULD CREATE A SITUATION WHERE PERSONAL INJURY OR DEATH MAY OCCUR.
Intel may make changes to specifications and product descriptions at any time, without notice. Designers
must not rely on the absence or characteristics of any features or instructions marked "reserved" or "un
defined." Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts
or incompatibilities arising from future changes to them. The information here is subject to change without
notice. Do not finalize a design with this information.
The Intel® 64 architecture processors ma y conta in de sign defects o r err ors kn own as err a ta. Curr ent c haracterized errata are available on request.
Intel® Hyper-Threading T echnology requires a computer system with an Intel® processor supporting Hyper Threading Technology and an Intel
Performance will vary depending on the specific hardware and software you use. F or more information, see
http://www.intel.com/technology/hyperthread/index.htm; including details on which processors support Intel HT
Technology.
Intel® Virtualization T echnol ogy requires a computer syste m with an enabled Intel® processor , BIOS, virtual
machine monitor (VMM) and for some uses, certain platform software enabled for it. Functionality, perfor
mance or other benefits will vary depending on hardware and software configurations. Intel® Virtualization
Technology-enabled BIOS an d V MM app lications are currently in development.
64-bit computing on Intel architecture requires a computer system with a processor, chipset, BIOS, operating system, device drivers and appli cations enabled for Intel® 64 architecture. Processors will not operate
(including 32-bit operation) without an Intel
ing on your hardware and software configurations. Consult with your system vendor for more information.
Enabling Execute Disable Bit functionality requires a PC with a processor with Execute Disable Bit capability
and a supporting operating system. Ch eck with y our PC man ufactur er on wheth er your system del iver s Ex
®
HT Technology enabled chipset, BIOS and operating system.
®
64 architecture-enabled BIOS. Performance will v ary depend-
Intel Core 2 Extreme, Intel Pentium D, Itanium, Intel SpeedStep, MMX, Intel Atom, and VTune are trade
marks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
*Other names and brands may be claimed as the property of others.
Contact your local Intel sales office or your distributor to obtain the latest specifications and befo re plac ing
your product order.
Copies of documents which have an ordering number and are referenced in this document, or other Intel
literature, may be obtained by calling 1-800-548-4725, or by visiting Intel’s website at http://www.intel.com
Table A-18.Performance Monitoring Events Modified on Intel® Pentium® M Processors . . A-216
Table A-19.Events That Can Be Counted with the P6 Family Performance-
Table A-20.Events That Can Be Counted with Pentium Processor
The Intel® 64 and IA-32 Architectures Software Developer’s Manual, Volume 3A:
System Programming Guide, Part 1 (order number 253668) and the Intel® 64 and
IA-32 Architectures Software Developer’s Manual, Volume 3B: System Programming
Guide, Part 2 (order number 253669) are part of a set that describes the architecture
and programming environment of Intel 64 and IA-32 Architecture processors. The
other volumes in this set are:
•Intel® 64 and IA-32 Architectures Software Developer’s Manual, Volumes
2A & 2B: Instruction Set Reference (order numbers 253666 and 253667).
The Intel® 64 and IA-32 Architectures Software Developer’s Manual, Volume 1,
describes the basic architecture and programming environment of Intel 64 and IA-32
processors. The
Volumes 2A & 2B, describe the instruction set of the processor and the opcode structure. These volumes apply to application programmers and to programmers who
write operating system s or executiv es. The
ware Developer’s Manual, Volumes 3A & 3B, describe the operating-system support
environment of Intel 64 and IA-32 processors. These volumes target operatingsystem and BIOS designers. In addition,
Developer’s Manual, Volume 3B, addresses the programming environment for
classes of software that host operating systems.
Intel® 64 and IA-32 Architectures Software Developer’s Manual,
Intel® 64 and IA-32 Architectures Soft-
Intel® 64 and IA-32 Architectures Software
1.1 PROCESSORS COVERED IN THIS MANUAL
This manual set includes information pertaining primarily to the most recent Intel®
64 and IA-32 processors, which include:
•Pentium
®
processors
•P6 family processors
•Pentium
•Pentium
•Intel
•Pentium
•Pentium
•64-bit Intel
•Intel
•Intel
®
4 processors
®
M processors
®
Xeon® processors
®
D processors
®
processor Extreme Editions
®
Xeon® processors
®
Core™ Duo processor
®
Core™ Solo processor
Vol. 3 1-1
ABOUT THIS MANUAL
•Dual-Core Intel
•Intel
•Intel
•Intel
•Intel
•Intel
•Intel
•Intel
•Intel
•Intel
•Intel
•Intel
•Intel
•Intel
•Intel
•Intel
•Intel
•Intel
•Intel
P6 family processors are IA-32 processors based on the P6 family microarchitecture.
This includes the Pentium® Pro, Pentium® II, Pentium® III, and P entium® III Xeon®
processors.
The Pentium® 4, Pentium® D, and Pentium® processor Extreme Editions are based
on the Intel NetBurst® microarchitecture. Most early Intel® Xeon® processors are
based on the Intel NetBurst
series are based on the Intel NetBurst
The Intel® Core™ Duo, Intel® Core™ Solo and dual-core Intel® Xeon® processor LV
are based on an improved Pentium
The Intel® Xeon® processor 3000, 3200, 5100, 5300, 7200, and 7300 series, Intel®
Pentium® dual-core, Intel® Core™2 Duo, Intel® Core™2 Quad and Intel® Core™2
Extreme processors are based on Intel
The Intel® Xeon® processor 5200, 5400, 7400 series, Intel® CoreTM2 Quad processor
Q9000 series, and Intel
Core
ture.
The Intel® AtomTM processor family is based on the Intel® AtomTM microarchitecture
and supports Intel 64 architecture.
®
Core™2 Duo processor
®
Core™2 Quad processor Q6000 series
®
Xeon® processor 3000, 3200 series
®
Xeon® processor 5000 series
®
Xeon® processor 5100, 5300 series
®
Core™2 Extreme processor X7000 and X6800 series
®
Core™2 Extreme QX6000 series
®
Xeon® processor 7100 series
®
Pentium® Dual-Core processor
®
Xeon® processor 7200, 7300 series
®
Core™2 Extreme QX9000 series
®
Xeon® processor 5200, 5400, 7400 series
®
CoreTM2 Extreme processor QX9000 and X9000 series
®
CoreTM2 Quad processor Q9000 series
®
CoreTM2 Duo processor E8000, T9000 series
®
AtomTM processor family
®
CoreTM i7 processor
®
Core
TM
2 processor E8000 series are based on Enhanced Intel® CoreTM microarchitec-
Intel® microarchitecture (Nehalem) and support Intel 64 architecture.
Processors based on the Next Generation Intel Processor, codenamed Westmere,
support Intel 64 architecture.
P6 family , Pentium® M, Intel® Core™ Solo, Intel® Core™ Duo processors, dual-core
Intel® Xeon® processor LV, and early generations of Pentium 4 and Intel Xeon
processors support IA-32 architecture. The Intel® AtomTM processor Z5xx series
support IA-32 architecture.
Core™2 Duo, Intel® Core™2 Extreme processors,
Intel Core 2 Quad processors, Pentium® D processors, Pentium® Dual-Core
processor, newer generations of Pentium 4 and Intel Xeon processor family support
®
64 architecture.
Intel
IA-32 architecture is the instruction set architecture and programming environment
for Intel's 32-bit microprocessors. Intel® 64 architecture is the instruction set architecture and programming environment which is a superset of and compatible with
IA-32 architecture.
1.2 OVERVIEW OF THE SYSTEM PROGRAMMING GUIDE
A description of this manual’s content follows:
Chapter 1— About This Manual. Gives an overview of all five volumes of the
Intel® 64 and IA-32 Architectures Software Developer’s Manual. It also describes
the notational conventions in these manuals and lists related Intel manuals and
documentation of interest to programmers and hardware designers.
Chapter 2 — System Architecture Overview. Describes the modes of operation
used by Intel 64 and IA-32 processors and the mechanisms provided by the architectures to support operating systems and executives, including the system-oriented
registers and data structures and the system-oriented instructions. The steps neces
sary for switching between real-address and protected modes are also identified.
Chapter 3 — Protected-Mode Memory Management. Describes the data structures, registers, and instructions that support segmentation and paging. The chapter
explains how they can be used to implement a “flat” (unsegmented) memory model
or a segmented memory model.
Chapter 4 — Paging. Describes the paging modes supported by Intel 64 and IA -32
processors.
Chapter 5 — Protection. Describes the support for page and segment protection
provided in the Intel 64 and IA-32 architectures. This chapter also explains the
implementation of privilege rules, stack switching, pointer validation, user and
supervisor modes.
-
Vol. 3 1-3
ABOUT THIS MANUAL
Chapter 6 — Interrupt and Exception Handling. Describes the basic interrupt
mechanisms defined in the Intel 64 and IA-32 architectures, shows how interrupts
and exceptions relate to protection, and de scribes how the architecture handles each
exception type. Reference information for each exception is given at the end of this
chapter.
Chapter 7 — Task Management. Describes mechanisms the Intel 64 and IA-32
architectures provide to support multitasking and inter-task protection.
Chapter 8 — Multiple-Processor Management. Describes the instructions and
flags that support multiple processors with shared memory , memory ordering, and
Intel® Hyper- Threading Technology.
Chapter 9 — Processor Management and Initialization. Defines the state of an
Intel 64 or IA-32 processor after reset initialization. This chapter also explains how to
set up an Intel 64 or IA-32 processor for real-address mode operation and protectedmode operation, and how to switch between modes.
Chapter 10 — Advanced Progr ammable Inte rrupt Contro ller (APIC) .
Describes the programming interface to the local APIC and gives an overview of the
interface between the local APIC and the I/O APIC.
Chapter 11 — Memory Ca che Control. Describes the general concept of caching
and the caching mechanisms supported by the Intel 64 or IA-32 architectures. This
chapter also describes the memory type range registers (MTRRs) and how they can
be used to map memory types of physical memory . Information on using the new
cache control and memory streaming instructions introduced with the Pentium III,
Pentium 4, and Intel Xeon processors is also giv en.
Chapter 12 — I ntel® MMX™ Technology System Programming. Describes
those aspects of the Intel® MMX™ technology that must be handled and considered
at the system programming level, including: task switching, exception handling, and
compatibility with existing system environments.
Chapter 13 — System Programming For Instruction Set Extensions And
Processor Extended States. Describes the operating system requirements to
support SSE/SSE2/SSE3/S SSE3/SSE4 ex tensions, including task switching, excep
tion handling, and compatibility with existing system environments. The latter part of
this chapter describes the extensible framework of operating system requirements to
support processor extended states. Processor extended state may be required by
instruction set extensions beyond those of SSE/SSE2/SSE3/SSSE3/SSE4 extensions.
Chapter 14 — Power and Thermal Management . Describes facilities of Intel 64
and IA-32 architecture used for power management and thermal monitoring.
Chapter 15 — Machine-Check Architecture.Describes the machine-check
-
architecture and machine-check except ion mechanism found in the Pentium
4, Intel Xeon, and P6 family processors
. Additional ly , a signaling mechanism
for software to respond to hardware corrected machine check error is
covered.
1-4 Vol. 3
ABOUT THIS MANUAL
Chapter 16 — Debugging, Branch Profiles and Time-Stamp Counter.
Describes the debugging registers and other debug mechanism provided in Intel 64
or IA-32 processors. This chapter also describes the time-stamp counter.
Chapter 17 — 8086 Emulation. Describes the real-address and virtual-8086
modes of the IA-32 architecture.
Chapter 18 — Mixing 16-Bit and 32-Bit Code. Describes how to mix 16-bit and
32-bit code modules within the same program or task.
Chapter 20 — Introduction to Virtual-Machine Extensions. Describes the basic
elements of virtual machine architecture and the virtual-machine extensions for
64 and IA-32 Architectures.
Intel
Chapter 21 — Virtual-Machine Control Structures. Describes components that
manage VMX operation. These include the working-VMCS pointer and the controlling-VMCS pointer.
Chapter 22— VMX Non-Root Operation. Describes the operation of a VMX nonroot operation. Processor operation in VMX non-root mode can be restricted
programmatically such that certain operations, events or conditions can cause the
processor to transfer control from the guest (running in VMX non-root mode) to the
monitor software (running in VMX root mode).
Chapter 23 — VM Entries. Describes VM entries. VM entry transitions the processor
from the VMM running in VMX root-mode to a VM running in VMX non-root m ode.
VM-Entry is performed by the execution of VMLAUNCH or VMRESUME instructions.
Chapter 24 — VM Exits. Describes VM exits. Certain events, operations or situations while the processor is in VMX non-root operation may cause VM-exit transitions.
In addition, VM exits can also occur on failed VM entries.
Chapter 25 — VMX Support for Address Translation. Describes virtual-machine
extensions that support address translation and the virtualization of physical
memory.
Chapter 26 — System Management Mode. Describes Intel 64 and IA -32 architectures’ system management mode (SMM) facilities.
Describes programming considerations for VMMs. VMMs manage virtual machines
(VMs).
Chapter 28 — Virtualization of System Resources. Describes the virtualization
of the system resources. These include: debugging facilities, address translation,
physical memory, and microcode update facilities.
Chapter 29 — Handling Boundary Conditions in a Virtual Machine Monitor.
Describes what a VMM must consider when handling exceptions, interrupts, error
conditions, and transitions between activity states.
Vol. 3 1-5
ABOUT THIS MANUAL
Chapter 30 — Performance Monitoring. Describes the Intel 64 and IA-32 architectures’ facilities for monitoring performance.
Appendix A — Performance-Monitoring Events. Lists architectural performance
events. Non-architectural performance events (i.e. model-specific events) are listed
for each generation of microarchitecture.
Appendix B — Model-Specific Registers (MSRs). Lists the MSRs available in the
Pentium processors, the P6 family processors, the Pentium 4, Intel Xeon, Intel Core
Solo, Intel Core Duo processors, and Intel Core 2 processor family and describes
their functions.
Appendix C — MP Initialization For P6 Family Processors. Gives an example of
how to use of the MP protocol to boot P6 family processors in n MP system.
Appendix D — Programming the LINT0 and LINT1 Inputs. Gives an example of
how to program the LINT0 and LINT1 pins for specific interrupt vectors.
Appendix E — Interpreting Machine -Check Erro r Codes. Giv es an example of
how to interpret the error codes for a machine-check error that occurred on a P6
family processor.
Appendix F — APIC Bus Message Formats. Describes the message formats for
messages transmitted on the APIC bus for P6 family and Pentium processors.
Appendix G — VMX Capability Reporting Facility. Describes the VMX capability
MSRs. Support for specific VMX features is determined by reading capability MSRs.
Appendix H — Field Encoding in VMCS. Enumerates all fields in the VMCS and
their encodings. Fields are grouped by width (16-bit, 32-bit, etc.) and type (gueststate, host-state, etc.).
Appendix I — VM Basic Exit Reasons. Describes the 32-bit fields that encode
reasons for a VM exit. Examples of exit reasons include, but are not limited to: software interrupts, processor exceptions, software traps, NMIs, external interrupts, and
triple faults.
1.3 NOTATIONAL CONVENTIONS
This manual uses specific notation for data-structure formats, for symbolic representation of instructions, and for hexadecimal and binary numbers. A review of this
notation makes the manual easier to read.
1.3.1 Bit and Byte Order
In illustrations of data structures in memory , smaller addresses appear toward the
bottom of the figure; addresses increase toward the top. Bit positions are numbered
from right to left. The numerical value of a set bit is equal to two raised to the power
of the bit position. Intel 64 and IA-32 processors are “little endian” machines; this
1-6 Vol. 3
ABOUT THIS MANUAL
means the bytes of a word are numbered starting from the least significant byte.
Figure 1-1 illustrates these conventions.
1.3.2 Reserved Bits and Software Compatibility
In many register and memory layout descriptions, certain bits are marked as
reserved. When bits are marked as reserved, it is essential for compatibility with
future processors that software treat these bits as having a future, though unkno wn,
effect. The behavior of reserved bits should be regarded as not only undefined, but
unpredictable. Software should follow these guidelines in dealing with reserved bits:
•Do not depend on the states of any reserved bits when testing the values of
registers which contain such bits. Mask out the reserved bits before testing.
•Do not depend on the states of any reserved bits when storing to memory or to a
register.
•Do not depend on the ability to retain information written into any reserved bits.
•When loading a register, always load the reserved bits with the values indicated
in the documentation, if any , or reload them with values previously read from the
same register.
NOTE
Avoid any softw are dependence upon the st ate of reserved bits in
Intel 64 and IA-32 registers. Depending upon the values of reserved
register bits will make software dependent upon the unspecified
manner in which the processor handles these bits. Programs that
depend upon reserved values risk incompatibility with future
processors.
Highest
Address
Data Structure
23
31
Byte 3
24
Byte 2
16
15
Byte 1
Figure 1-1. Bit and Byte Order
8
7
Byte 0
Byte Offset
Bit offset
0
28
24
20
16
12
8
4
Lowest
0
Address
Vol. 3 1-7
ABOUT THIS MANUAL
1.3.3 Instruction Operands
When instructions are represented symbolically , a subset of assembly language is
used. In this subset, an instruction has the following format:
label: mnemonic argument1, argument2, argument3
where:
•A label is an identifier which is followed by a colon.
•A mnemonic is a reserved name for a class of instruction opcodes which have
the same function.
•The operands argument1, argument2, and argument3 are optional. There
may be from zero to three operands, depending on the opcode. When present,
they take the form of either literals or identifiers for data items. Operand
identifiers are either reserved names of registers or are assumed to be assigned
to data items declared in another part of the program (which may not be shown
in the example).
When two operands are present in an arithmetic or logical instruction, the right
operand is the source and the left operand is the destination.
For example:
LOADREG: MOV EAX, SUBTOTAL
In this example LOADREG is a label, MOV is the mnemonic identifier of an opcode,
EAX is the destination operand, and SUBT OTAL is the source operand. Some
assembly languages put the source and destination in reverse order.
1.3.4 Hexadecimal and Binary Numbers
Base 16 (hexadecimal) numbers are represented by a string of hexadecimal digits
followed by the character H (for example, F82EH). A hexadecimal digit is a character
from the following set: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, and F.
Base 2 (binary) numbers are represented by a string of 1s and 0s, sometimes
followed by the character B (for example, 1010B). The “B” designation is only used in
situations where confusion as to the type of number might arise.
1.3.5 Segmented Addressing
The processor uses byte addressing. This means memory is organized and accessed
as a sequence of bytes. Whether one or more bytes are being accessed, a byte
address is used to locate the byte or bytes memory . The range of memory that can
be addressed is called an address space.
The processor also supports segmented addressing. This is a form of addressing
where a program may have many independent address spaces, called segments.
1-8 Vol. 3
ABOUT THIS MANUAL
For example, a program can keep its code (instructions) and stack in separate
segments. Code addresses would always refer to the code space, and stack
addresses would always refer to the stack space. The following notation is used to
specify a byte address within a segment:
Segment-register:Byte-address
For example, the following segment address identifies the byte at address FF79H in
the segment pointed by the DS register:
DS:FF79H
The following segment address identifies an instruction address in the code segment.
The CS register points to the code segment and the EIP register contains the address
of the instruction.
CS:EIP
1.3.6 Syntax for CPUID, CR, and MSR Values
Obtain feature flags, status, and system information by using the CPUID instruction,
by checking control register bits, and by reading model-specific registers. We are
moving toward a single syntax to represent this type of information. See Figure 1-2.
Figure 1-2. Syntax for CPUID, CR, and MSR Data Presentation
1.3.7 Exceptions
An exception is an event that typically occurs when an instruction causes an error.
For example, an attempt to divide by zero gener ates an exception. However, some
exceptions, such as breakpoints, occur under other conditions. Some types of excep
tions may provide error codes. An error code reports additional information about th e
error . An example of the notation used to show an exception and error code is shown
below:
#PF(fault code)
-
1-10 Vol. 3
ABOUT THIS MANUAL
This example refers to a page-fault exception under conditions where an error code
naming a type of fault is reported. Under some conditions, exceptions which produce
error codes may not be able to report an accurate code. In this case, the error code
is zero, as shown below for a general-protection exception:
#GP(0)
1.4 RELATED LITERATURE
Literature related to Intel 64 and IA-32 processors is listed on-line at:
Some of the documents listed at this web site can be viewed on-line; others can be
ordered. The literature available is listed by Intel processor and then by the following
literature types: applications notes, data sheets, manuals, papers, and specification
updates.
See also:
•The data sheet for a particular Intel 64 or IA-32 processor
•The specification update for a particular Intel 64 or IA-32 processor
IA-32 architecture (beginning with the Intel386 processor family) provides extensive
support for operating-system and system-development software. This support offers
multiple modes of operation, which include:
•Real mode, protected mode, virtual 8086 mode, and system management mode.
These are sometimes referred to as legacy modes.
Intel 64 architecture supports almost all the system programming facilities available
in IA-32 architecture and extends them to a new operating mode (IA-32e mode) that
supports a 64-bit programming environment. IA-32e mode allows software to
operate in one of two sub-modes:
•64-bit mode supports 64-bit OS and 64-bit applications
•Compatibility mode allows most legacy software to run; it co-exists with 64-bit
applications under a 64-bit OS.
The IA-32 system-level architecture and includes features to assist in the following
operations:
•Memory management
•Protection of software modules
•Multitasking
•Exception and interrupt handling
•Multiprocessing
•Cache management
•Hardware resource and power management
•Debugging and performance monitoring
This chapter provides a description of each part of this architecture. It also describes
the system registers that are used to set up and control the processor at the system
level and gives a brief overview of the processor’s system-level (operating system)
instructions.
Many features of the system-level architectural are used only by system programmers. However, application programmers may need to read this chapter and the
following chapters in order to create a reliable and secure environment for application programs.
This overview and most subsequent chapters of this book focus on protected-mode
operation of the IA-32 architecture. IA-32e mode operation of the Intel 64 architec
ture, as it differs from protected mode operation, is also described.
All Intel 64 and IA-32 processors enter real-address mode following a power-up or
reset (see
Chapter 9, “Processor Management and Initialization”). Software then
-
Vol. 3 2-1
SYSTEM ARCHITECTURE OVERVIEW
initiates the switch from real-address mode to protected mode. If IA-32e mode operation is desired, software also initiates a switch from protected mode to IA-32e
mode.
2.1 OVERVIEW OF THE SYSTEM-LEVEL ARCHITECTURE
System-level architecture consists of a set of registers, data structures, and instructions designed to support basic system-level operations such as memory management, interrupt and exception handling, task management, and control of multiple
processors.
Figure 2-1 provides a summary of system registers and data structures that applies
to 32-bit modes. System registers and data structures that apply to IA-32e mode are
shown in
Figure 2-2.
2-2 Vol. 3
SYSTEM ARCHITECTURE OVERVIEW
EFLAGS Register
Control Registers
Task Register
Interrupt
Vector
Interrupt Descriptor
Table (IDT)
Interrupt Gate
Task Gate
Trap Gate
IDTR
XCR0 (XFEM)
CR4
CR3
CR2
CR1
CR0
Segment Sel.
TSS Seg. Sel.
Call-Gate
Segment Selector
LDTR
Physical Address
Linear Address
Segment Selector
Register
Global Descriptor
Table (GDT)
Seg. Desc.
TSS Desc.
Seg. Desc.
TSS Desc.
LDT Desc.
GDTR
Local Descriptor
Table (LDT)
Seg. Desc.
Call Gate
Code, Data or
Stack Segment
Task-State
Segment (TSS)
Current
TSS
Task-State
Segment (TSS)
Current
TSS
Current
TSS
Task
Code
Data
Stack
Interrupt Handler
Code
Stack
Task
Code
Data
Stack
Exception Handler
Code
Stack
Protected Procedure
Code
Stack
Linear Address Space
Linear Addr.
0
Figure 2-1. IA-32 System-Level Registers and Data Structures
Page Directory
Pg. Dir. Entry
CR3*
*Physical Address
This page mapping example is for 4-KByte pages
and the normal 32-bit physical address size.
Dir
Linear Address
TableOffset
Page Table
Pg. Tbl. Entry
Page
Physical Addr.
Vol. 3 2-3
SYSTEM ARCHITECTURE OVERVIEW
RFLAGS
Control Register
CR8
CR4
CR3
CR2
CR1
CR0
Task Register
Physical Address
Linear Address
Segment Selector
Register
Global Descriptor
Table (GDT)
Code, Data or Stack
Segment (Base =0)
Task-State
Segment (TSS)
Segment Sel.
Interrupt
Vector
Interrupt Descriptor
Table (IDT)
Interrupt Gate
Interrupt Gate
IDTR
XCR0 (XFEM)
Linear Address Space
Linear Addr.
TR
Trap Gate
Segment Selector
Call-Gate
LDTR
PML4
PML4.
Entry
Seg. Desc.
TSS Desc.
Seg. Desc.
Seg. Desc.
LDT Desc.
GDTR
Local Descriptor
Table (LDT)
Seg. Desc.
Call Gate
Dir. Pointer
PML4
Pg. Dir. Ptr.
Current TSS
IST
Linear Address
Page Dir.
Pg. Dir.
Entry
Interrupt Handler
NULL
Exception Handler
NULL
Protected Procedure
NULL
TableDirectory
Page Table
Offset
Entry
Code
Stack
Interr. Handler
Code
Stack
Code
Stack
Code
Stack
Page
Physical
Addr.Page Tbl
0
CR3*
*Physical Address
This page mapping example is for 4-KByte pages
and 40-bit physical address size.
Figure 2-2. System-Level Registers and Data Structures in IA-32e Mode
2-4 Vol. 3
SYSTEM ARCHITECTURE OVERVIEW
2.1.1 Global and Local Descriptor Tables
When operating in protected mode, all memory accesses pass through either the
global descriptor table (GDT) or an optional local descriptor table (LDT) as shown in
Figure 2-1. These tables contain entries called segment descriptors. Segment
descriptors provide the base address of segments well as access rights, type, and
usage information.
Each segment descriptor has an associated segment selector. A segment selector
provides the software that uses it with an index into the GDT or LDT (the offset of its
associated segment descriptor), a global/local flag (determines whether the selector
points to the GDT or the LDT), and access rights information.
T o access a byte in a segment, a segment selector and an offset must be supplied.
The segment selector provides access to the segment descriptor for the segment (in
the GDT or LDT). From the segment descriptor, the processor obtains the base
address of the segment in the linear address space. The offset then provides the
location of the byte relative to the base address. This mechanism can be used to
access any valid code, data, or stack segment, provided the segment is accessible
from the current privilege level (CPL) at which the processor is operating. The CPL is
defined as the protection level of the currently ex ecuting code segme nt.
See Figure 2-1. The solid arrows in the figure indicate a linear address, dashed lines
indicate a segment selector, and the dotted arrows indicate a physical address. For
simplicity , many of the segment selectors are shown as direct pointers to a segment.
However , the actual path from a segment selector to its associated segment is always
through a GDT or LDT .
The linear address of the base of the GDT is contained in the GDT register (GD TR);
the linear address of the LDT is contained in the LDT register (LDTR).
2.1.1.1 Global and Local Descriptor Tables in IA-32e Mode
GDTR and LDTR registers are expanded to 64-bits wide in both IA -32e sub-modes
(64-bit mode and compatibility mode). For more information: see
“Segment Descriptor T ables in IA -32e Mode.”
Global and local descriptor tables are expanded in 64-bit mode to support 64-bit base
addresses, (16-byte LDT descriptors hold a 64-bit base address and various
attributes). In compatibility mode, descriptors are not expanded.
Section 3.5.2,
2.1.2 System Segments, Segment Descriptors, and Gates
Besides code, data, and stack segments that make up the execution environment of
a program or procedure, the architecture defines two system segments: the taskstate segment (TSS) and the LDT. The GDT is not considered a segment because it is
not accessed by means of a segment selector and segment descriptor . TSSs and LD Ts
have segment descriptors defined for them.
Vol. 3 2-5
SYSTEM ARCHITECTURE OVERVIEW
The architecture also defines a set of special descriptors called gates (call gates,
interrupt gates, trap gates, and task gates). These pro vide protected gateways to
system procedures and handlers that may operate at a different privilege level than
application programs and most procedures. For example, a CALL to a call gate can
provide access to a procedure in a code segment that is at the same or a numerically
lower privilege level (more privileged) than the current code segment. To access a
procedure through a call gate, the calling procedure1 supplies the selector for the call
gate. The processor then performs an access rights check on the call gate, comparing
the CPL with the privilege level of the call gate and the destination code segment
pointed to by the call gate.
If access to the destination code segment is allowed, the processor gets the segment
selector for the destination code segment and an offset into that code segment from
the call gate. If the call requires a change in privilege level, the processor also
switches to the stack for the targeted privilege level. The segment selector for the
new stack is obtained from the TSS for the currently running task. Gates also facili
tate transitions between 16-bit and 32-bit code segments, and vice versa.
-
2.1.2.1 Gates in IA-32e Mode
In IA-32e mode, the following descriptors are 16-byte descriptors (expanded to allow
a 64-bit base): LDT descriptors, 64-bit TSSs, call gates, interrupt gates, and trap
gates.
Call gates facilitate transitions between 64-bit mode and compatibility mode. Task
gates are not supported in IA-32e mode. On privilege level changes, stack segment
selectors are not read from the TSS. Instead, they are set to NULL.
2.1.3 Task-State Segments and Task Gates
The TSS (see Figure 2-1) defines the state of the execution environment for a task.
It includes the state of general-purpose registers, segment registers, the EFLAGS
register, the EIP register, and segment selectors with stack pointers for three stack
segments (one stack for each privilege level). The TSS also includes the segment
selector for the LDT
structure hierarchy.
All program execution in protected mode happens within the context of a task (called
the current task). The segment selector for the TSS for the current task is stored in
the task register. The simplest method for switching to a task is to make a call or
jump to the new task. Here, the segment selector for the TSS of the new task is given
in the CALL or JMP instruction. In switching tasks, the processor performs the
following actions:
1. Stores the state of the current task in the current TSS.
1. The word “procedure” is commonly used in this document as a general term for a logical unit or
block of code (such as a program, procedure, function, or routine).
2-6 Vol. 3
associated with the task and the base address of the paging-
SYSTEM ARCHITECTURE OVERVIEW
2. Loads the task register with the segment selector for the new task.
3. Accesses the new TSS through a segment descriptor in the GD T.
4. Loads the state of the new task from the new TS S into the general-purpose
registers, the segment registers, the LDTR, control register CR3 (base address of
the paging-structure hierarchy), the EFLAGS register, and the EIP register .
5. Begins execution of the new task.
A task can also be accessed through a task gate. A task gate is similar to a call gate,
except that it provides access (through a segment selector) to a TSS r ather than a
code segment.
2.1.3.1 Task-State Segments in IA-32e Mode
Hardware task switches are not supported in IA-32e mode. However, TSSs continue
to exist. The base address of a TSS is specified by its descriptor.
A 64-bit TSS holds the following information that is important to 64-bit operation:
•Stack pointer addresses for each privilege level
•Pointer addresses for the interrupt stack table
•Offset address of the IO-permission bitmap (from the TSS base)
The task register is expanded to hold 64-bit base addresses in IA-32e mode. See
also: Section 7.7, “Task Management in 64-bit Mode. ”
2.1.4 Interrupt and Exception Handling
External interrupts, software interrupts and exceptions are handled through the
interrupt descriptor table (IDT). The ID T stores a collection of gate descriptors that
provide access to interrupt and exception handlers. Like the GDT, the IDT is not a
segment. The linear address for the base of the IDT is contained in the IDT register
(IDTR).
Gate descriptors in the IDT can be interrupt, trap, or task gate descriptors. To access
an interrupt or exception handler, the processor first receives an interrupt vector
(interrupt number) from internal hardware, an external interrupt controller, or from
software by means of an INT, INTO, INT 3, or BOUND instruction. The interrupt
vector provides an index into the IDT. If the selected gate descriptor is an interrupt
gate or a trap gate, the associated handler procedure is accessed in a manner similar
to calling a procedure through a call gate. If the descriptor is a task gate, the handler
is accessed through a task switch.
2.1.4.1 Interrupt and Exception Handling IA-32e Mode
In IA-32e mode, interrupt descriptors are expanded to 16 bytes to support 64-bit
base addresses. This is true for 64-bit mode and compatibility mode.
Vol. 3 2-7
SYSTEM ARCHITECTURE OVERVIEW
The IDTR register is expanded to hold a 64-bit base address. Task gates are not
supported.
2.1.5 Memory Management
System architecture supports either direct physical addressing of memory or virtual
memory (through paging). When physical addressing is used, a linear address is
treated as a physical address. When paging is used: all code, data, stack, and system
segments (including the GDT
accessed pages being held in physical memory.
The location of pages (sometimes called page frames) in physical memory is
contained in the paging structures. These structures reside in physical memory (see
Figure 2-1 for the case of 32-bit paging).
The base physical address of the paging-structure hierarchy is contained in control
register CR3. The entries in the paging structures determine the physical address of
the base of a page frame, access rights and memory management information.
T o use this paging mechanism, a linear address is broken into parts. The parts
provide separate offsets into the paging structures and the page frame. A system can
have a single hierarchy of paging structures or several. For example, each task can
have its own hierarchy.
and IDT) can be paged with only the most recently
2.1.5.1 Memory Management in IA-32e Mode
In IA-32e mode, physical memory pages are managed by a set of system data structures. In compatibility mode and 64-bit mode, four levels of system data structures
are used. These include:
•The page map level 4 (PML4) — An entry in a PML4 table contains the physical
address of the base of a page directory pointer table, access rights, and memory
management information. The base physical address of the PML4 is stored in
CR3.
•A set of page directory pointer tables — An entry in a page directory pointer
table contains the physical address of the base of a page directory table, access
rights, and memory management information.
•Sets of page directories — An entry in a page directory table contains the
physical address of the base of a page table, access rights, and memory
management information.
•Sets of page tables — An entry in a page table contains the physical address of
a page frame, access rights, and memory management information.
2-8 Vol. 3
SYSTEM ARCHITECTURE OVERVIEW
2.1.6 System Registers
T o assist in initializing the processor and controlling system operations, the system
architecture provides system flags in the EFLAGS register and several system
registers:
•The system flags and IOPL field in the EFLAGS register control task and mode
switching, interrupt handling, instruction tracing, and access rights. See also:
Section 2.3, “System Flags and Fields in the EFLAGS Register.”
•The control registers (CR0, CR2, CR3, and CR4) contain a variety of flags and
data fields for controlling system-level operations. Other flags in these registers
are used to indicate support for specific processor capabilities within the
operating system or ex ecutive . See also:
Section 2.5, “Control Registers. ”
•The debug registers (not shown in Figure 2-1) allow the setting of breakpoints for
use in debugging programs and systems software. See also: Chapter 16,
“Debugging, Profiling Branches and Time-Stamp Counter.”
•The GDTR, LDTR, and IDTR registers contain the linear addresses and sizes
(limits) of their respective tables. See also: Section 2.4, “Memory-Management
Registers. ”
•The task register contains the linear address and size of the TSS for the current
task. See also:
Section 2.4, “Memory-Management Registers.”
•Model-specific registers (not shown in Figure 2-1).
The model-specific registers (MSRs) are a group of registers available primarily to
operating-system or executive procedures (that is, code running at privilege leve l 0).
These registers control items such as the debug extensions, the performance-moni
toring counters, the machine- check architecture, and the memory type ranges
(MTRRs).
The number and function of these registers varies among diff erent members of the
Intel 64 and IA-32 processor families. See also:
ters (MSRs), ” and Appendix B , “Model-Specific Registers (MSRs).”
Most systems restrict access to system registers (other than the EFLAGS register) by
application programs. Systems can be designed, however, where all programs and
procedures run at the most privileged level (privilege level 0). In such a case, application programs would be allowed to modify the system registers.
Section 9.4, “Model-Specific Regis-
-
2.1.6.1 System Registers in IA-32e Mode
In IA-32e mode, the four system-descriptor-table registers (GDTR, IDTR, LDTR, and
TR) are expanded in hardware to hold 64-bit base addresses. EFLAGS becomes the
64-bit RFLAGS register. CR0-CR4 are expanded to 64 bits. CR8 becomes available.
CR8 provides read-write access to the task priority register (TPR) so that the oper
ating system can control the priority classes of external interrupts.
In 64-bit mode, debug registers DR0–DR7 are 64 bits. In compatibility mode,
address-matching in DR0-DR3 is also done at 64-bit granularity .
-
Vol. 3 2-9
SYSTEM ARCHITECTURE OVERVIEW
On systems that support IA-32e mode, the extended feature enable register
(IA32_EFER) is available. This model-specific register controls activation of IA-32e
mode and other IA-32e mode operations. In addition, there are several modelspecific registers that govern IA-32e mode instructions:
•IA32_KernelGSbase — Used by SWAPGS instruction.
•IA32_LSTAR — Used by SYSCALL instruction.
•IA32_SYSCALL_FLAG_MASK — Used by SYSCALL instruction.
•IA32_STAR_CS — Used by SYSCALL and SYSR ET instruction.
2.1.7 Other System Resources
Besides the system registers and data structures described in the previous sections,
system architecture provides the following additional resources:
•Operating system instructions (see also: Section 2.7, “System Instruction
Summary”).
•Performance-monitoring counters (not shown in Figure 2-1).
•Internal caches and buffers (not shown in Figure 2-1).
Performance-monitoring counters are event counters that can be programmed to
count processor events such as the number of instructions decoded, the number of
interrupts received, or the number of cache loads. See also:
tion to Virtual-Machine Extensions. ”
The processor provides several internal caches and buffers. The caches are used to
store both data and instructions. The buffers are used to store things like decoded
addresses to system and application segments and write operations waiting to be
performed. See also:
Chapter 11, “Memory Cache Control.”
Section 20, “Introduc-
2.2 MODES OF OPERATION
The IA-32 supports three operating modes and one quasi-operating mode:
•Protected mode — This is the native operating mode of the processor . It
provides a rich set of architectural features, flexibility , high performance and
backward compatibility to existing software base.
•Real-address mode — This operating mode provides the programming
environment of the Intel 8086 processor, with a few extensions (such as the
ability to switch to protected or system management mode).
•System management mode (SMM) — SMM is a standard architectural feature
in all IA-32 processors, beginning with the Intel386 SL processor . This mode
provides an operating system or executive with a tr ansparent mechanism for
implementing power management and OEM differentiation features. SMM is
entered through activation of an external system interrupt pin (SMI#), which
generates a system management interrupt (SMI). In SMM, the processor
switches to a separate address space while saving the context of the currently
2-10 Vol. 3
SYSTEM ARCHITECTURE OVERVIEW
running program or task. SMM-specific code may then be ex ecuted transparently .
Upon returning from SMM, the processor is placed back into its state prior to the
SMI.
•Virtual-8086 mode — In protected mode, the processor supports a quasi-
operating mode known as virtual-8086 mode. This mode allows the processor
execute 8086 software in a protected, multitasking environment.
Intel 64 architecture supports all operating modes of IA-32 architecture and IA-32e
modes:
•IA-32e mode — In IA-32e mode, the processor supports two sub-modes:
compatibility mode and 64-bit mode. 64-bit mode provides 64-bit linear
addressing and support for physical address space larger than 64 GBytes.
Compatibility mode allows most legacy protected-mode applications to run
unchanged.
Figure 2-3 shows how the processor moves between operating modes.
SMI#
System
Reset
Real-Address
Reset or
PE=0
Protected Mode
Mode
PE=1
Reset
or
RSM
SMI#
RSM
Management
VM=1VM=0
Virtual-8086
Mode
LME=1, CR0.PG=1*
See**
SMI#
RSM
IA-32e
Mode
SMI#
RSM
Mode
* See Section 9.8.5
** See Section 9.8.5.4
Figure 2-3. Transitions Among the Processor’s Operating Modes
The processor is placed in real-address mode following power-up or a reset. The PE
flag in control register CR0 then controls whether the processor is operating in realaddress or protected mode. See also:
4.1.2, “Paging-Mode Enabling. ”
Section 9.9, “Mode Switching.” and Section
Vol. 3 2-11
SYSTEM ARCHITECTURE OVERVIEW
The VM flag in the EFLAGS register determines whether the processor is operating in
protected mode or virtual-8086 mode. Tr ansitions between protected mode and
virtual-8086 mode are generally carried out as part of a task switch or a return from
an interrupt or exception handler. See also:
Mode.”
The LMA bit (IA32_EFER.LMA .LMA[bit 10 ]) determin es whether the processor is
operating in IA-32e mode. When running in IA-32e mode, 64-bit or compatibility
sub-mode operation is determined by CS.L bit of the code segment. The processor
enters into IA-32e mode from protected mode by enabling paging and setting the
LME bit (IA32_EFER.LME[bit 8]). See also:
Initialization.”
The processor switches to SMM whenever it receives an SMI while the processor is in
real-address, protected, virtual-8086, or IA-32e modes. Upon execution of the RSM
instruction, the processor always returns to the mode it was in when the SMI
occurred.
Section 17.2.5, “Entering Virtual-8086
Chapter 9, “Processor Management and
2.3 SYSTEM FLAGS AND FIELDS IN THE EFLAGS
REGISTER
The system flags and IOPL field of the EFLAGS register control I/O, maskable hardware interrupts, debugging, task switching, and the virtual-8086 mode (see
Figure 2-4). Only privileged code (typically operating system or executive code)
should be allowed to modify these bits.
The system flags and IOPL are:
TFTrap (bit 8) — Set to enable single-step mode for debugging; clear to
disable single-step mode. In single-step mode, the processor generates a
debug exception after each instruction. This allows the execution state of a
program to be inspected after each instruction. If an application program
sets the TF flag using a POPF, POPFD, or IRET instruction, a debug exception
is generated after the instruction that follows the POPF, POPFD, or IRET .
2-12 Vol. 3
SYSTEM ARCHITECTURE OVERVIEW
31
Reserved (set to 0)
21 20 191817 16
22
V
V
I
I
I
D
P
F
A
C
V
M
15131412
N
R
0
T
F
I
O
P
L
11 10
9876543
O
DFIFTFSFZ
F
1
0
2
P
A
F
F
C
1
00
F
F
ID — Identification Flag
VIP — Virtual Interrupt Pending
VIF — Virtual Interrupt Flag
AC — Alignment Check
VM — Virtual-8086 Mode
RF — Resume Flag
NT — Nested Task Flag
IOPL— I/O Privilege Level
IF— Interrupt Enable Flag
TF — Trap Flag
Reserved
Figure 2-4. System Flags in the EFLAGS Register
IFInterrupt enable (bit 9) — Controls the response of the processor to
maskable hardware interrupt requests (see also: Section 6.3.2, “Maskable
Hardware Interrupts”). The flag is set to respond to maskable hardware
interrupts; cleared to inhibit maskable hardware interrupts. The IF flag does
not affect the generation of exceptions or nonmaskable interrupts (NMI
interrupts). The CPL, IOPL, and the state of the VME flag in control register
CR4 determine whether the IF flag can be modified by the CLI, STI, POPF,
POPFD, and IRET.
IOPLI/O privilege level field (bits 12 and 13) — Indicates the I/O privilege
level (IOPL) of the currently running program or task. The CPL of the
currently running program or task must be less than or equal to the IOPL to
access the I/O address space. This field can only be mod ified by the POPF
and IRET instructions when operating at a CPL of 0.
The IOPL is also one of the mechanisms that controls the modification of the
IF flag and the handling of interrupts in virtual-8086 mode when virtual
mode extensions are in effect (when CR4.VME = 1). See also:
“Input/Output,” in the Intel® 64 and IA-32 Architectures Software Devel-oper’s Manual, Volume 1.
NTNested task (bit 14) — Controls the chaining of interrupted and called
tasks. The processor sets this flag on calls to a task initiated with a CALL
instruction, an interrupt, or an exception. It examines and modifies this flag
on returns from a task initiated with the IRET instruction. The flag can be
explicitly set or cleared with the POPF/POPFD instructions; however,
Chapter 13,
Vol. 3 2-13
SYSTEM ARCHITECTURE OVERVIEW
changing to the state of this flag can generate unexpected exceptions in
application programs.
See also: Section 7.4, “T ask Linking.”
RFResume (bit 16) — Controls the processor’s response to instruction-break-
point conditions. When set, this flag temporarily disables debug exceptions
(#DB ) f r o m b e i n g generated for instruction breakpoints (although other
exception conditions can cause an exception to be generated). Wh en cl ear,
instruction breakpoints will generate debug exceptions.
The primary function of the RF flag is to allow the restarting of an instruction
following a debug exception that was caused by an instruction breakpoint
condition. Here, debug software must set this flag in the EFLAGS image on
the stack just prior to returning to the interrupted program with IRETD (to
prevent the instruction breakpoint from causing another debug exception).
The processor then automatically clears this flag after the instruction
returned to has been successfully executed, enabling instruction breakpoint
faults again.
See also: Section 16.3.1.1, “Instruction-Breakpoint Exception Condition.”
VMVirtual-8086 mode (bit 17) — Set to enable virtual-8086 mode; clear to
return to protected mode.
See also: Section 17.2.1, “Enabling Virtual-8086 Mode. ”
ACAlignment check (bit 18) — Set this flag and the AM flag in control register
CR0 to enable alignment checking of memory references; clear the AC flag
and/or the AM flag to disable alignment checking. An alignment-check
exception is generated when reference is made to an unaligned operand,
such as a word at an odd byte address or a doubleword at an address which
is not an integral multiple of four . Alignment-check exceptions are gener ated
only in user mode (privilege level 3). Memory references that default to priv
ilege level 0, such as segment descriptor loads, do not generate this exception even when caused by instructions executed in user-mode.
The alignment-check exception can be used to check alignment of data. This
is useful when exchanging data with processors which require all data to be
aligned. The alignment-check exception can also be used by interpreters to
flag some pointers as special by misaligning the pointer. This eliminates
overhead of checking each pointer and only handles the special pointer when
used.
VIFVirtual Interrupt (bit 19 ) — Contains a virtual image of the IF flag. This
flag is used in conjunction with the VIP flag. The processor only recognizes
the VIF flag when either the VME flag or the PVI flag in control register CR4 is
set and the IOPL is less than 3. (The VME flag enables the virtual-8086 mode
extensions; the PVI flag enables the protected-mode virtual interrupts.)
See also: Section 17.3.3.5, “Method 6: Software Interrupt Handling, ” and
Section 17.4, “Protected-Mode Virtual Interrupts.”
-
2-14 Vol. 3
SYSTEM ARCHITECTURE OVERVIEW
VIPVirtual interrupt pending (bit 20) — Set by software to indicate that an
interrupt is pending; cleared to indicate that no interrupt is pending. This flag
is used in conjunction with the VIF flag. The processor reads this flag but
never modifies it. The processor only re cognizes the VIP flag when either the
VME flag or the PVI flag in control register CR4 is set and the IOPL is less than
3. The VME flag enables the virtual-8086 mode extensions; the PVI flag
enables the protected-mode virtual interrupts.
See Section 17.3.3.5, “Method 6: Software Interrupt Handling, ” and Section
17.4, “Protected-Mode Virtual Interrupts.”
IDIdentification (bit 21). — The ability of a program or procedure to set or
clear this flag indicates support for the CPUID instruction.
2.3.1 System Flags and Fields in IA-32e Mode
In 64-bit mode, the RFLAGS register expands to 64 bits with the upper 32 bits
reserved. System flags in RFLAGS (64-bit mode) or EFLAGS (compatibility mode)
are shown in
In IA-32e mode, the processor does not allow the VM bit to be set because virtual8086 mode is not supported (attempts to set the bit are ignored). Also, the processor
will not set the NT bit. The processor does, however, allow software to set the NT bit
(note that an IRET causes a general protection fault in IA-32e mode if the NT bit is
set).
In IA-32e mode, the SYSCALL/SYSRET instructions have a programmable method of
specifying which bits are cleared in RFLAGS/EFLAGS. These instructions save/restore
EFLAGS/RFLAGS.
Figure 2-4.
2.4 MEMORY-MANAGEMENT REGISTERS
The processor provides four memory-management registers (GDTR, LDTR, ID TR,
and TR) that specify the locations of the data structures which control segmented
memory management (see Figure 2-5). Special instructions are provided for loading
and storing these registers.
Vol. 3 2-15
SYSTEM ARCHITECTURE OVERVIEW
GDTR
IDTR
Task
Register
LDTR
47(79)
32(64)-bit Linear Base Address
32(64)-bit Linear Base Address
32(64)-bit Linear Base Address
32(64)-bit Linear Base Address
0
Attributes
Segment Limit
Segment Limit
Figure 2-5. Memory Management Registers
2.4.1 Global Descriptor Table Register (GDTR)
The GDTR register holds the base address (32 bits in protected mode; 64 bits in
IA-32e mode) and the 16-bit table limit for the GDT . The base address specifies the
linear address of byte 0 of the GDT ; the table limit specifies the number of bytes in
the table.
The LGDT and SGDT instructions load and store the GDTR register, respectively . On
power up or reset of the processor, the base address is set to the default value of 0
and the limit is set to 0FFFFH. A new base address must be loaded into the GDTR as
part of the processor initialization process for protected-mode operation.
See also: Section 3.5.1, “Segment Descriptor Tables.”
2.4.2 Local Descriptor Table Register (LDTR)
The LDTR register holds the 16-bit segment selector, base address (32 bits in
protected mode; 64 bits in IA-32e mode), segment limit, and descriptor attributes
for the LDT. The base address specifies the linear address of byte 0 of the LDT
segment; the segment limit specifies the number of bytes in the segment. See also:
Section 3.5.1, “Segment Descriptor T ables.”
The LLDT and SLDT instructions load and store the segment selector part of the LDTR
register, respectively. The segment that contains the LDT must have a segment
descriptor in the GDT. When the LLDT instruction loads a segment selector in the
LDTR: the base address, limit, and descriptor attributes from the LDT descriptor are
automatically loaded in the LDTR.
When a task switch occurs, the LDTR is automatically loaded with the segment
selector and descriptor for the LDT for the new task. The contents of the LDTR are not
automatically saved prior to writing the new LDT information into the register.
On power up or reset of the processor , the segment selector and base address are set
to the default value of 0 and the limit is set to 0FFFFH.
2-16 Vol. 3
SYSTEM ARCHITECTURE OVERVIEW
2.4.3 IDTR Interrupt Descriptor Table Register
The IDTR register holds the base address (32 bits in protected mode; 64 bits in
IA-32e mode) and 16-bit table limit for the IDT . The base address specifies the linear
address of byte 0 of the IDT ; the table limit specifies the number of bytes in the table.
The LIDT and SIDT instructions load and store the IDTR register, respectively . On
power up or reset of the processor, the base address is set to the default value of 0
and the limit is set to 0FFFFH. The base address and limit in the register can then be
changed as part of the processor initialization process.
See also: Section 6.10, “Interrupt Descriptor Table (ID T).”
2.4.4 Task Register (TR)
The task register holds the 16-bit segment selector, base address (32 bits in
protected mode; 64 bits in IA-32e mode), segment limit, and descriptor attributes
for the TSS of the current task. The selector references the TSS descriptor in the GDT .
The base address specifies the linear address of byte 0 of the TSS; the segment limit
specifies the number of bytes in the TSS. See also:
The L TR and STR instructions load and store the segment selector part of the task
register, respectively . When the LTR instruction loads a segment selector in the task
register, the base address, limit, and descriptor attributes from the TSS descriptor
are automatically loaded into the task register . On power up or reset of the processor,
the base address is set to the default value of 0 and the limit is set to 0FFFFH.
When a task switch occurs, the task register is automatically loaded with the
segment selector and descriptor for the TSS for the new task. The contents of the
task register are not automatically saved prior to writing the new TSS information
into the register.
Section 7.2.4, “Task Register.”
2.5 CONTROL REGISTERS
Control registers (CR0, CR1, CR2, CR3, and CR4; see Figure 2-6) determine operating mode of the processor and the characteristics of the currently executing task.
These registers are 32 bits in all 32-bit modes and compatibility mode.
In 64-bit mode, control registers are expanded to 64 bits. The MOV CRn instructions
are used to manipulate the register bits. Operand-size prefixes fo r these instructions
are ignored. The following is also true:
•Bits 63:32 of CR0 and CR4 are reserved and must be written with zeros. Writing
a nonzero value to any of the upper 32 bits results in a general-protection
exception, #GP(0).
•All 64 bits of CR2 are writable by software.
•Bits 51:40 of CR3 are reserved and must be 0.
Vol. 3 2-17
SYSTEM ARCHITECTURE OVERVIEW
•The MOV CRn instructions do not check that addresses written to CR2 and CR3
are within the linear-address or physical-address limitations of the implementation.
•Register CR8 is available in 64-bit mode only .
The control registers are summarized below, and each architecturally defined control
field in these control registers are described individually . In Figure 2-6, the width of
the register in 64-bit mode is indicated in parenthesis (except for CR0).
•CR0 — Contains system control flags that control operating mode and states of
the processor.
•CR1 — Reserved.
•CR2 — Contains the page-fault linear address (the linear address that caused a
page fault).
•CR3 — Contains the physical address of the base of the paging-structure
hierarchy and two flags (PCD and PWT). Only the most-significant bits (less the
lower 12 bits) of the base address are specified; the lower 12 bits of the address
are assumed to be 0. The first paging structure must thus be aligned to a page
(4-KByte) boundary . The PCD and PWT flags control caching of that paging
structure in the processor’s internal data caches (they do not control TLB caching
of page-directory information).
When using the physical address extension, the CR3 register contains the base
address of the page-directory-pointer table In IA-32e mode, the CR3 register
contains the base address of the PML4 table.
See also: Chapter 4, “Paging. ”
•CR4 — Contains a group of flags that enable several architectur al extensions,
and indicate operating system or executive support for specific processor capabilities. The control registers can be read and loaded (or modified) using the moveto-or-from-control-registers forms of the MOV instruction. In protected mode,
the MOV instructions allow the control registers to be read or loaded (at privilege
level 0 only). This restriction means that application programs or operatingsystem procedures (running at privilege levels 1, 2, or 3) are prevented from
reading or loading the control registers.
•CR8 — Provides read and write access to the Task Priority Register (TPR). It
specifies the priority threshold value that operating systems use to control the
priority class of external interrupts allowed to interrupt the processor. This
register is available only in 64-bit mode. However, interrupt filtering continues to
apply in compatibility mode.
2-18 Vol. 3
SYSTEM ARCHITECTURE OVERVIEW
31(63)
Reserved (set to 0)
31(63)
31(63)
31(63)
31293028
P
N
C
G
W
D
Reserved
18
OSXSAVE
OSXMMEXCPT
Page-Directory Base
Page-Fault Linear Address
19
18
A
M
Figure 2-6. Control Registers
OSFXSR
17
16
W
P
13 12 11 10
14
S
V
M
M
X
X
E
E
15
P
P
M
C
G
E
E
543210
T
P
P
D
S
A
S
C
E
D
E
E
E
543
2
P
P
C
W
T
D
P
V
I
V
M
E
0
CR4
CR3
(PDBR)
9876
00
12
11
CR2
0
CR1
543
6
N
E
1
0
2
E
P
M
T
E
S
T
CR0
M
E
P
When loading a control register, reserved bits should always be set to the values
previously read. The flags in control registers are:
PGPaging (bit 31 of CR0) — Enables paging when set; disables paging when
clear. When paging is disabled, all linear addresses are treated as physical
addresses. The PG flag has no effect if the PE flag (bit 0 of register CR0) is
not also set; setting the PG flag when the PE flag is clear causes a generalprotection exception (#GP). See also:
Chapter 4, “Paging.”
On Intel 64 processors, enabling and disabling IA-32e mode operation also
requires modifying CR0.PG.
CDCache Disable (bit 30 of CR0) — When the CD and NW flags are clear,
caching of memory locations for the whole of physical memory in the
processor’s internal (and external) caches is enabled. When the CD flag is
set, caching is restricted as described in
T able 11-5. T o prevent the processor
from accessing and updating its caches, the CD flag must be set and the
caches must be invalidated so that no cache hits can occur.
Vol. 3 2-19
SYSTEM ARCHITECTURE OVERVIEW
See also: Section 11.5.3, “Preventing Caching,” and Section 11.5, “Cache
Control.”
NWNot Write-through (bit 29 of CR0) — When the NW and CD flags are
clear, write-back (for Pentium 4, Intel Xeon, P6 family, and Pentium processors) or write-through (for Intel486 processors) is enabled for writes that hit
the cache and invalidation cycles are enabled. See
Table 11-5 for detailed
information about the affect of the NW flag on caching for other settings of
the CD and NW flags.
when set; disables alignment checking when clear. Alignment checking is
performed only when the AM flag is set, the AC flag in the EFLAGS register is
set, CPL is 3, and the processor is operating in either protected or virtual8086 mode.
WPWrite Protect (bit 16 of CR0) — When set, inhibits supervisor-level proce-
dures from writing into read-only pages; when clear, allows supervisor-level
procedures to write into read-only pages (regardless of the U/S bit setting;
see Section 4.1.3 and Section 4.6). This flag facilitates implementation of the
copy-on-write method of creating a new process (forking) used by oper ating
systems such as UNIX.
NENumeric Error (bit 5 of CR0) — Enables the native (internal) mechanism
for reporting x87 FPU errors when set; enables the PC-style x87 FPU error
reporting mechanism when clear. When the NE flag is clear and the IGNNE#
input is asserted, x87 FPU errors are ignored. When the NE flag is clear and
the IGNNE# input is deasserted, an unmasked x87 FPU error causes the
processor to assert the FERR# pin to generate an external interrupt and to
stop instruction execution immediately before executing the next waiting
floating-point instruction or WAIT/FWAIT instruction.
The FERR# pin is intended to drive an input to an external interrupt
controller (the FERR# pin emulates the ERROR# pin of the Intel 287 and
387 DX math coprocessors). The NE flag, IGNNE# pin, and FERR# pin
Intel
are used with external logic to implement PC-style error reporting. Using
FERR# and IGNNE# to handle floating-point exceptions is deprecated by
modern operating systems; this non-native approach also limits newer
processors to operate with one logical processor active.
See also: “Software Exception Handling” in Chapter 8, “Programming with
the x87 FPU,” and Appendix A, “EFLAGS Cross-Reference,” in the Intel® 64 and IA-32 Architectures Software Developer’s Manual, Volume 1.
ETExtension Type (bit 4 of CR0) — Reserv ed in the Pentium 4, Intel Xeon, P6
family , and P entium processors. In the Pentium 4, Intel X eon, and P6 family
processors, this flag is hardcoded to 1. In the Intel386 and Intel486 proces
sors, this flag indicates support of Intel 387 DX math coprocessor instructions when set.
TSTask Switched (bit 3 of CR0) — Allows the saving of the x87
FPU/MMX/SSE/SSE2/SSE3/SSSE3/S SE4 context on a task switch to be
-
2-20 Vol. 3
SYSTEM ARCHITECTURE OVERVIEW
delayed until an x87 FPU/MMX/SSE/SSE2/SSE3/SSSE3/S SE4 instruction is
actually executed by the new task. The processor sets this flag on every task
switch and tests it when executing x87
FPU/MMX/SSE/SSE2/SSE3/SSSE3/SSE4 instructions.
•If the TS flag is set and the EM flag (bit 2 of CR0) is clear, a device-not-
available exception (#NM) is raised prior to the execution of any x87
FPU/MMX/SSE/ SSE2/SSE3/SSSE3/SSE4 instruction; with the exception
of PAUSE, PREFETCHh, SFENCE, LFENCE, MFENCE, MOVNTI, CLFLUSH,
CRC32, and POPCNT . See the paragr aph below for the special case of the
WAIT/FWAIT instructions.
•If the TS flag is set and the MP flag (bit 1 of CR0) and EM flag are clear , an
#NM exception is not raised prior to the execution of an x87 FPU
WAIT/FWAIT instruction.
•If the EM flag is set, the setting of the TS flag has no affect on the
execution of x87 FPU/MMX/SSE/SSE2/SSE3/SSSE3/SSE4 instructions.
Table 2-1 shows the actions taken when the processor encounters an x87
FPU instruction based on the settings of the TS, EM, and MP flags. T able 12-1
and 13-1 show the actions taken when the processor encounters an
MMX/SSE/SSE2/SSE3/SSSE3/SSE4 instruction.
The processor does not automatically save the context of the x87 FPU, XMM,
and MXCSR registers on a task switch. Instead, it sets the TS flag, which
causes the processor to raise an #NM exception whenever it encounters an
x87 FPU/MMX/SSE /SSE2/SSE3/SSSE3/SSE4 instruction in the instruction
stream for the new task (with the exception of the instructions listed above).
The fault handler for the #NM exception can then be used to clear the TS flag (with
the CL TS instruction) and save the context of the x87 FPU, XMM, and MXCSR registers. If the task never encounters an x87 FPU/MMX/SSE/SSE2/SSE3//SSSE3/SSE4
instruction; the x87 FPU/MMX/SSE/SSE2/ SSE3/SSSE3/SSE4 context is never saved.
Table 2-1. Action Taken By x87 FPU Instructions for Different
Combinations of EM, MP, and TS
CR0 Flagsx87 FPU Instruction Type
EMMPTSFloating-Point WAIT/FWAIT
000ExecuteExecute.
001#NM ExceptionExecute.
010ExecuteExecute.
011#NM Exception#NM exception.
100#NM ExceptionExecute.
101#NM ExceptionExecute.
110#NM ExceptionExecute.
Vol. 3 2-21
SYSTEM ARCHITECTURE OVERVIEW
Table 2-1. Action Taken By x87 FPU Instructions for Different
Combinations of EM, MP, and TS
CR0 Flagsx87 FPU Instruction Type
111#NM Exception#NM exception.
EMEmulation (b it 2 of CR0) — Indicates that the processor does not have an
internal or external x87 FPU when set; indicates an x87 FPU is present wh en
clear. This flag also affects the execution of
MMX/SSE/SSE2/SSE3/SSSE3/SSE4 instructions.
When the EM flag is set, execution of an x87 FPU inst ruction generate s a
device-not-available exception (#NM). This flag must be set when the
processor does not have an internal x87 FPU or is not connected to an
external math coprocessor. Setting this flag forces all floating-po int instruc
tions to be handled by software emulation. Table 9-2 shows the recommended setting of this flag, depending on the IA-32 processor and x87 FPU
or math coprocessor present in the system.
of the EM, MP, and TS flags.
Also, when the EM flag is set, execution of an MMX instruction causes an
invalid-opcode exception (#UD) to be generated (see Table 12-1). Thus, if an
IA-32 or Intel 64 processor incorporates MMX technology , the EM flag must
be set to 0 to enable execution of MMX instructions.
Similarly for SSE/SSE2/SSE3/SSSE3/SSE4 extensions, when the EM flag is
set, execution of most SSE/SSE2/SSE3/SSSE3/S SE4 instructions causes an
invalid opcode exception (#UD) to be generated (see
or Intel 64 processor incorporates the SSE/SSE2/SSE3/SSSE3/SSE4 extensions, the EM flag must be set to 0 to enable execution of these extensions.
SSE/SSE2/SSE3/SSSE3/SSE4 instructions not affected by the EM flag
include: PAUSE, PREFETCHh, S FENCE, LFENCE, MFENCE, MOVNTI, CLFLUSH,
CRC32, and POPCNT.
MPMonitor Coprocessor (bit 1 of CR0). — Controls the interaction of the
WAIT (or FWAIT) instruction with the TS flag (bit 3 of CR0). If the MP flag is
set, a WAIT instruction generates a device-not-available exception (#NM) if
the TS flag is also set. If th e MP flag is clear, the WAIT instruction ignores the
setting of the TS flag.
depending on the IA-32 processor and x87 FPU or math coproce ssor present
in the system.
PEProtection Enable (bit 0 of CR0) — Enables protected mode when set;
enables real-address mode when clear. This flag does not enable paging
directly . It only enables segment-level protection. T o enable paging, both the
PE and PG flags must be set.
See also: Section 9.9, “Mode Switching. ”
PCD Page-level Cache Disable (bit 4 of CR3) — Controls caching of the first
paging structure of the current paging-structure hierarchy . When the PCD
Table 2-1 shows the interaction of the MP , EM, and T S flags.
Table 9-2 shows the recommended setting of this flag,
Table 2-1 shows the interaction
Table 13-1). If an IA-32
-
2-22 Vol. 3
SYSTEM ARCHITECTURE OVERVIEW
flag is set, caching of the page-directory is prevented; when the flag is clear,
the page-directory can be cached. This flag affects only the processor’s
internal caches (both L1 and L2, when present). The processor ignores this
flag if paging is not used (the PG flag in register CR0 is clear) or the CD
(cache disable) flag in CR0 is set.
See also: Chapter 11, “Memory Cache Control” (for more about the use of
the PCD flag) and Section 4.9, “Paging and Memory T yping” (for a discussion
of a companion PCD flag in page-directory and page-table entries).
PWTPage-level Write-Through (bit 3 of CR3) — Controls the write-through or
write-back caching policy of the first paging structure of the current pagingstructure hierarchy. When the PWT flag is set, write-through caching is
enabled; when the flag is clear, write-back caching is enabled. This flag
affects only internal caches (both L1 and L2, when present). The processor
ignores this flag if paging is not used (the PG flag in register CR0 is clear) or
the CD (cache disable) flag in CR0 is set.
See also: Section 11.5, “Cache Control” (for more information about the use
of this flag), and Section 4.9, “Paging and Memory T yping” (for a discussion
of a companion PCD flag in the page-directory and page-table entries).
VMEVirtual-8086 Mode Extensions (bit 0 of CR4) — Enables interrupt- and
exception-handling extensions in virtual-8086 mode when set; disables the
extensions when clear. Use of the virtual mode extensions can improve the
performance of virtual-8086 applications by eliminating the overhead of
calling the virtual-8086 monitor to handle interrupts and exceptions that
occur while executing an 8086 program and, instead, redirecting the inter
rupts and exceptions back to the 8086 program’s handlers. It also provides
hardware support for a virtual interrupt flag (VIF) to improve reliability of
running 8086 programs in multitasking and multiple-pro cessor environ
-
ments.
See also: Section 17.3, “Interrupt and Exception Handling in Virtual-8086
support for a virtual interrupt flag (VIF) in protected mode when set; disables
the VIF flag in protected mode when clear .
See also: Section 17.4, “Protected-Mode Virtual Interrupts.”
TSDTime Stamp Disable (bit 2 of CR4) — Restricts the execution of the
RDTSC instruction (including RDTSCP instruction if
CPUID.80000001H:EDX[27] = 1) to procedures running at privilege level 0
when set; allows RDTSC instruction (including RDTSCP instruction if
CPUID.80000001H:EDX[27] = 1) to be executed at any privilege level when
clear.
DEDebugging Extensions (bit 3 of CR4) — References to debug registers
DR4 and DR5 cause an undefined opcode (#UD) exception to be generated
Vol. 3 2-23
SYSTEM ARCHITECTURE OVERVIEW
when set; when clear , processor aliases references to registers DR4 and DR5
for compatibility with software written to run on earlier IA-32 processors.
See also: Section 16.2.2, “Debug Registers DR4 and DR5.”
PSEPage Size Extensions (bit 4 of CR4) — Enables 4-MByte pages with 32-bit
paging when set; restricts 32-bit paging to pages to 4 KBytes when clear .
See also: Section 4.3, “32-Bit Paging. ”
PAEPhysical Address Extension (bit 5 of CR4) — When set, enables paging
to produce physical addresses with more than 32 bits. When clear, restricts
physical addresses to 32 bits. PAE must be set before entering IA-32e mode.
See also: Chapter 4, “Paging.”
MCEMachine-Check Enable (bit 6 of CR4) — Enables the machine-check
exception when set; disables the machine-check exception when clear.
See also: Chapter 15, “Machine-Check Architecture.”
PGEPage Global Enable (bit 7 of CR4) — (Introduced in the P6 family proces-
sors.) Enables the global page feature when set; disables the global page
feature when clear . The global page feature allows frequently used or shared
pages to be marked as global to all users (done with the global flag, bit 8, in
a page-directory or page-table entry). Global pages are not flushed from the
translation-lookaside buffer (TLB) on a task switch or a write to register CR3.
When enabling the global page feature, paging must be enabled (by setting
the PG flag in control register CR0) before the PGE flag is set. Reversing this
sequence may affect program correctness, and processor performance will
be impacted.
See also: Section 4.10, “Caching Translation Information.”
PCEPerformance-Monitoring Counter Enable (bit 8 of CR4) — Enables
execution of the RDPMC instruction for programs or procedures running at
any protection level when set; RDPMC instruction can be executed only at
protection level 0 when clear.
OSFXSR
Operating System Support for FXSAVE an d FXRSTOR instru ctions
(bit 9 of CR4) — When set, this flag: (1) indicates to software that the oper -
ating system supports the use of the FXSAVE and FXRSTOR instructions, (2)
enables the FXSAVE and FXRST OR instructions to sav e and restore the
contents of the XMM and MXCSR registers along with the contents of the x87
FPU and MMX registers, and (3) enables the processor to execute
SSE/SSE2/SSE3/SSSE3/SSE4 instructions, with the exception of the PAUSE,
PREFETCHh, SFENCE, LFENCE, MFENCE, MOVNTI, CLFLUSH, CRC32, and
POPCNT.
If this flag is clear, the FXSAVE and FXRSTOR instructions will save and
restore the contents of the x87 FPU and MMX instructions, but they may not
save and restore the contents of the XMM and MXCSR registers. Also, the
2-24 Vol. 3
SYSTEM ARCHITECTURE OVERVIEW
processor will generate an invalid opcode exception (#UD) if it attempts to
execute any SSE/SSE2/SSE3and instruction, with the exception of PAUSE,
PREFETCHh, SFENCE, LFENCE, MFENCE, MOVNTI, CLFLUSH, CRC32, and
POPCNT. The operating system or executive must explicitly set this flag.
NOTE
CPUID feature flags FXSR indicates availability of the
FXSAVE/FXRSTOR instructions. The OSFXSR bit provides operating
system software with a means of enabling FXSAVE/FXRST OR to
save/restore the contents of the X87 FPU, XMM and MXCSR registers.
Consequently OSFXSR bit indicates that the operating system
provides context switch support for SSE/SSE2/SSE3/SSSE3/SSE4.
OSXMMEXCPT
Operating System Support for Unmasked SIMD Floating-Point Exceptions (bit 10 of CR4) — When set, indicates that the opera ting system
supports the handling of unmasked SIMD floating-point exceptions through
an exception handler that is invok ed when a SIMD floating-point exceptio n
(#XF) is generated. SIMD floating-point exceptions are only generated by
SSE/SSE2/SSE3/SSE4.1 SIMD floating-point instructions.
The operating system or executive must explicitly set this flag. If this flag is
not set, the processor will generate an invalid opcode exception (#UD)
whenever it detects an unmasked SIMD floating-point exception.
VMXE
VMX-Enable Bit (bit 13 of CR4) — Enables VMX operation when set. See
Chapter 20, “Introduction to Virtual-Machine Extensions.”
SMXE
SMX-Enable Bit (bit 14 of CR4) — Enables SMX operation when set. See
Chapter 6, “Safer Mode Extensions Reference” of Intel® 64 and IA-32 Archi-tectures Software Developer’s Manual, Volume 2B.
OSXSAVE
XSAVE and Processor Extended States-Enable Bit (bit 18 of CR4) —
When set, this flag: (1) indicates (via CPUID.01H:ECX.OSXSA VE[bit 27])
that the operating system supports the use of the XGETBV, XSAVE and
XRSTOR instructions by general software; (2) enables the XSAVE and
XRSTOR instructions to save and restore the x87 FPU state (including MMX
registers), the SSE state (XMM registers and MXCSR), along with other
processor extended states enabled in the XFEATURE_ENABLED_MASK
register (XCR0); (3) enables the processor to execute XGETBV and XSETBV
instructions in order to read and write XCR0. See
13, “System Programming for Instruction Set Extensions and Processor
Extended States”.
TPLTask Priority Level (bit 3:0 of CR8) — This sets the threshold value corre-
sponding to the highest-priority interrupt to be blocked. A value of 0 means
Section 2.6 and Chapter
Vol. 3 2-25
SYSTEM ARCHITECTURE OVERVIEW
all interrupts are enabled. This field is available in 64-bit mode. A value of 15
means all interrupts will be disabled.
2.5.1 CPUID Qualification of Control Register Flags
The VME, PVI, TSD, DE , PSE, PAE, MCE, PGE, PCE, OSFXSR, and OSXMMEXCPT flags
in control register CR4 are model specific. All of these flags (except the PCE flag) can
be qualified with the CPUID instruction to determine if they are implemented on the
processor before they are used.
The CR8 register is available on processors that support Intel 64 architecture.
2.6 EXTENDED CONTROL REGISTERS (INCLUDING THE
XFEATURE_ENABLED_MASK REGISTER)
If CPUID.01H:ECX.XSAVE[bit 26] is 1, the processor suppo rts one or more
extended control registers (XCRs). Currently, the only such register defined is
XCR0, the XFEATURE_ENABLED_MASK register. This register specifies the set of
processor states that the operating system enables on that processor, e.g. x87 FPU
States, SSE states, and other processor extended states that Intel 64 architecture
may introduce in the future. The OS programs XCR0 to reflect the features it
supports.
63
Reserved for XCR0 bit vector expansion
Reserved / Future processor extended states
SSE state
x87 FPU/MMX state (must be 1)
Reserved (must be 0)
1
0
2
1
Figure 2-7. XFEATURE_ENABLED_MASK Register (XCR0)
Software can access XCR0 only if CR4.OSXSAVE[bit 18] = 1. (This bit is also readable
as CPUID.01H:ECX.OSXSAVE[bit 27].) The la yout of XCR0 is architected to allow
software to use CPUID leaf function 0DH to enumer ate the set of bits that the
processor supports in XCR0 (see CPUID instruction in
tures Software Developer’s Manual, Volume 2A). Each processor state (X87 FPU
2-26 Vol. 3
Intel® 64 and IA-32 Architec-
SYSTEM ARCHITECTURE OVERVIEW
state, SSE state, or a future processor extended state) is represented by a bit in
XCR0. The OS can enable future processor extended states in a forward manner by
specifying the appropriate bit mask value using the XSETBV instruction according to
the results of the CPUID leaf 0DH.
With the exception of bit 63, each bit in the XFEATURE_ENABLED_MASK register
(XCR0) corresponds to a subset of the processor states. XCR0 thus provides space
for up to 63 sets of processor state extensions. Bit 63 of XCR0 is reserved for future
expansion and will not represent a processor extended state.
Currently , the XFEA TURE_ENABLED_MASK register (XCR0) has two processor states
defined, with up to 61 bits reserved for future processor extended states:
•XCR0.X87 (bit 0): If 1, indicates x87 FPU state (including MMX register states) is
supported in the processor. Bit 0 must be 1. An attempt to write 0 causes a #GP
exception.
•XCR0.SSE (bit 1): If 1, indicates MXCSR and XMM registers (XMM0-XMM15 in 64-
bit mode, otherwise XMM0-XMM7) are supported by XSAVE/XRESTOR in the
processor.
Any attempt to set a reserved bit (as determined by the contents of EAX and EDX
after executing CPUID with EAX=0DH, ECX= 0H) in the XFEATU RE_ENABLED_MASK
register for a given processor will result in a #GP exception. An attempt to write 0 to
XFEATURE_ENABLED_MASK.x87 (bit 0) will result in a #GP exception.
If a bit in the XFEATURE_ENABLED_MASK register is 1, XSAVE instruction can selectively (in conjunction with a save mask) save a partial or full set of processor states
to memory (See XSAVE instruction in Intel® 64 and IA-32 Architectures Software Developer’s Manual, Volume 2B).
After reset all bits (except bit 0) in the XFEA TURE_ENABLED_MASK register (XCR0)
are cleared to zero. XCR0[0] is set to 1.
2.7 SYSTEM INSTRUCTION SUMMARY
System instructions handle system-level functions such as loading system registers,
managing the cache, managing interrupts, or setting up the debug registers. Many of
these instructions can be executed only by operating-system or executive proce
dures (that is, procedures running at privilege level 0). Others can be executed at
any privilege level and are thus available to application programs.
Table 2-2 lists the system instructions and indicates whether they are available and
useful for application programs. These instructions are described in the Intel® 64 and IA-32 Architectures Software Developer’s Manual, Volumes 2A & 2B.
Table 2-2. Summary of System Instructions
Instruction
LLDTLoad LDT RegisterNoYes
Description
Useful to
Application?
Protected from
Application?
-
Vol. 3 2-27
SYSTEM ARCHITECTURE OVERVIEW
Table 2-2. Summary of System Instructions (Contd.)
Instruction
SLDTStore LDT RegisterNoNo
LGDTLoad GDT RegisterNoYes
SGDTStore GDT RegisterNoNo
LTRLoad Task RegisterNoYe s
STRStore Task RegisterNoNo
LIDTLoad IDT RegisterNoYes
SIDTStore IDT RegisterNoNo
MOV CRnLoad and store control registersNoYes
SMSWStore MSWYesNo
LMSWLoad MSWNoYes
CLTSClear TS flag in CR0NoYes
ARPLAdjust RPLYes
LARLoad Access RightsYesNo
LSLLoad Segment LimitYesNo
VERRVerify for ReadingYesNo
VERWVerify for WritingYesNo
MOV DRnLoad and store debug registersNoYes
INVDInvalidate cache, no writebackNoYes
WBINVDInvalidate cache, with writebackNoYes
INVLPGInvalidate TLB entryNoYes
HLTHalt ProcessorNoYes
LOCK (Prefix)Bus LockYesNo
RSMReturn from system management
3
RDMSR
3
WRMSR
Description
Useful to
Application?
1, 5
Protected from
Application?
NoYes
mode
Read Model-Specific RegistersNoYe s
Write Model-Specific RegistersNoYes
No
4
RDPMC
3
RDTSC
RDTSCP
2-28 Vol. 3
Read Performance-Monitoring
YesYes
2
Counter
Read Time-Stamp CounterYesYes
7
Read Serialized Time-Stamp CounterYesYes
2
2
SYSTEM ARCHITECTURE OVERVIEW
Table 2-2. Summary of System Instructions (Contd.)
Instruction
XGETBVReturn the state of the the
XSETBVEnable one or more processor
NOTES:
1. Useful to application programs running at a CPL of 1 or 2.
2. The TSD and PCE flags in control register CR4 control access to these instructions by application
programs running at a CPL of 3.
3. These instructions were introduced into the IA-32 Architecture with the Pentium processor.
4. This instruction was introduced into the IA-32 Architecture with the Pentium Pro processor and
the Pentium processor with MMX technology.
5. This instruction is not supported in 64-bit mode.
6. Application uses XGETBV to query which set of processor extended states are enabled.
7. RDTSCP is introduced in Intel Core i7 processor.
Description
XFEATURE_ENABLED_MASK register
extended states
Useful to
Application?
YesNo
6
No
Protected from
Application?
Yes
2.7.1 Loading and Storing System Registers
The GDTR, LDTR, ID TR, and TR registers each hav e a load and store instruction for
loading data into and storing data from the register:
•LGDT (Load GDTR Register) — Loads the GDT base address and limit from
memory into the GDTR register.
•SGDT (Store GDTR Register) — Stores the GDT base address and limit from
the GDTR register into memory.
•LIDT (Load IDTR Register) — Loads the IDT base address and limit from
memory into the IDTR register.
•SIDT (Load IDTR Register — Stores the IDT base address and limit from the
IDTR register into memory.
•LLDT (Load LDT Register) — Loads the LDT segment selector and segment
descriptor from memory into the LDTR. (The segment selector operand can also
be located in a general-purpose register.)
•SLDT (Store LDT Register) — Stores the LDT segment selector from the LDTR
register into memory or a general-purpose register.
for a TSS from memory into the task register . (The segment selector operand can
also be located in a general-purpose register.)
•STR (Store Task Register) — Stores the segment selector for the current task
TSS from the task register into memory or a general-purpose register.
Vol. 3 2-29
SYSTEM ARCHITECTURE OVERVIEW
The LMSW (load machine status word) and SMSW (store machine status word)
instructions operate on bits 0 through 15 of control register CR0. These instructions
are provided for compatibility with the 16-bit Intel 286 processor. Programs written
to run on 32-bit IA-32 processors should not use these instructions. Instead, they
should access the control register CR0 using the MOV instruction.
The CLTS (clear TS flag in CR0) instruction is provided for use in handling a
device-not-available exception (#NM) that occurs when the processor attempts to
execute a floating-point instruction when the TS flag is set. This instruction allows
the TS flag to be cleared after the x87 FPU context has been saved, preventing
further #NM exceptions. See
on the TS flag.
The control registers (CR0, CR1, CR2, CR3, CR4, and CR8) are loaded using the MOV
instruction. The instruction loads a control register from a general-purpose register
or stores the content of a control register in a general-purpose register.
Section 2.5, “Control Registers, ” for more information
2.7.2 Verifying of Access Privileges
The processor provides several instruct ions for examining segment selectors
and segment descriptors to determine if access to their associated segments
is allowed. These instructions duplicate some of the automatic access rights
and type checking done by the processor, thus allowing operating-system or
executive software to prev ent excep tions from being gener ated.
The ARPL (adjust RPL) instruction adjusts the RPL (requestor privilege level)
of a segment selector to match that of the program or procedure that
supplied the segment selector. See
Privileges (ARPL Instruction), ” fo r a detailed explanation of the function and
use of this instruction. Note that ARPL is not supported in 64-bit mode.
The LAR (load access right s) instruction verifies the ac cessibility of a speci -
fied segment and loads access rights information from the segment’ s
segment descriptor into a general-purpose register. Software can then
examine the access rights to determine if the segment type is compatible
with its intended use. See
Section 5.10.1, “Checking Access Rights (LAR
Instruction),” for a detailed explanation of the function and use of this
instruction.
The LSL (load segment limit) instruction verifies the accessibility of a speci-
fied segment and loads the segment limit from the segment’ s segment
descriptor into a general-purpose register. Software can then compare the
segment limit with an offset into the segment to determine whether the
offset lies within the segment. See
Pointer Offset Is Within Limits (LSL Instruction), ” fo r a detailed explanation
of the function and use of this instruction.
The VERR (verify for reading) and VERW (verify for writing) instructions
verify if a selected segment is readable or writable, respectively, at a given
CPL. See
Section 5.10.2, “Checking Read/W rite Rights (VERR and VERW
Section 5.10.4, “Checking Caller Access
Section 5.10.3, “Checking That the
2-30 Vol. 3
SYSTEM ARCHITECTURE OVERVIEW
Instructions),” for a detailed explanation of the function and use of this
instruction.
2.7.3 Loading and Storing Debug Registers
Internal debugging facilities in the processor are controlled by a set of 8 debug registers (DR0-DR7). The MOV instruction allows setup data to be loaded to and stored
from these registers.
On processors that support Intel 64 architecture, debug registers DR0-DR7 are 64
bits. In 32-bit modes and compatibility mode, writes to a debug register fill the upper
32 bits with zeros. Reads return the lower 32 bits. In 64-bit mode, the upper 32 bits
of DR6-DR7 are reserved and must be written with zeros. Writing one to any of the
upper 32 bits causes an exception, #GP(0).
In 64-bit mode, MOV DRn instructions read or write all 64 bits of a debug register
(operand-size prefixes are ignored). All 64 bits of DR0-DR3 are writable by software.
However , MOV DRn instructions do not check that addresses written to DR0-DR3 are
in the limits of the implementation. Address matching is supported only on valid
addresses generated by the processor implementation.
2.7.4 Invalidating Caches and TLBs
The processor provides several instructions for use in explicitly invalidating its caches
and TLB entries. The INVD (invalidate cache with no writeback) instruction invalidates all data and instruction entries in the internal caches and sends a signal to the
external caches indicating that they should be also be invalidated.
The WBINVD (invalidate cache with writeback) instruction performs the same function as the INVD instruction, except that it writes back modified lines in its internal
caches to memory before it invalidates the caches. After invalidating the internal
caches, WBINVD signals external caches to write back modified data and invalidate
their contents.
The INVLPG (invalidate TLB entry) instruction invalidates (flushes) the TLB entry for
a specified page.
2.7.5 Controlling the Processor
The HL T (halt processor) instruction stops the processor until an enabled interrupt
(such as NMI or SMI, which are normally enabled), a debug exception, the BINIT#
signal, the INIT# signal, or the RESET# signal is received. The processor generates a
special bus cycle to indicate that the halt mode has been entered.
Hardware may respond to this signal in a number of ways. An indicator light on the
front panel may be turned on. An NMI interrupt for recording diagnostic information
may be generated. Reset initialization may be invoked (note that the BINIT# pin was
Vol. 3 2-31
SYSTEM ARCHITECTURE OVERVIEW
introduced with the Pentium Pro processor). If any non-w ake ev ents are pending
during shutdown, they will be handled after the wake event from shutdown is
processed (for example, A20M# interrupts).
The LOCK prefix invokes a locked (atomic) read-modify-write operation when modifying a memory operand. This mechanism is used to allow reliable communications
between processors in multiprocessor systems, as described below:
•In the Pentium processor and earlier IA-32 processors, the LOCK prefix causes
the processor to assert the LOCK# signal during the instruction. This always
causes an explicit bus lock to occur.
•In the Pentium 4, Intel Xeon, and P6 family processors, the locking operation is
handled with either a cache lock or bus lock. If a memory access is cacheable and
affects only a single cache line, a cache lock is invoked and the system bus and
the actual memory location in system memory are not locked during the
operation. Here, other Pentium 4, Intel Xeon, or P6 family processors o n the bus
write-back any modified data and invalidate their caches as necessary to
maintain system memory coherency . If the memory access is not cacheable
and/or it crosses a cache line boundary , the processor’s LOCK# signal is asserted
and the processor does not respond to requests for bus control during the locked
operation.
The RSM (return from SMM) instruction restores the processor (from a context
dump) to the state it was in prior to an system management mode (SMM) interrupt.
2.7.6 Reading Performance-Monitoring and Time-Stamp Counters
The RDPMC (read performance-monitoring counter) and RD TSC (r ead time-stamp
counter) instructions allow application programs to read the processor’s performance-monitoring and time-stamp counters, respectively . Processors based on Intel
NetBurst microarchitecture have eighteen 40-bit performance-monitor ing counters;
P6 family processors have two 40-bit counters. Intel Atom processors and most of
the processors based on the Intel Core microarchitecture support two types of
performance monitoring counters: two programmable performance counters similar
to those available in the P6 family, and three fixed-function performance monitoring
counters.
The programmable performance counters can support counting either the occurrence
or duration of events. Events that can be m onitored on programmable coun ters
generally are model specific (except for architectural performance events enumer
ated by CPUID leaf 0AH); they may includ e the number of instructions de coded,
interrupts received, or the number of cache loads. Individual counters can be set up
to monitor different events. Use the system instruction WRMSR to set up values in
IA32_PERFEVTSEL0/1 (for Intel Atom, Intel Core 2, Intel Core Duo, and Intel
Pentium M processors), in one of the 45 ESCRs and one of the 18 CCCR MSRs (for
Pentium 4 and Intel Xeon processors); or in the P erfEvtSel0 or the PerfEvtSel1 MSR
(for the P6 family processors). The RDPMC instruction loads the current count from
the selected counter into the EDX:EAX registers.
2-32 Vol. 3
-
SYSTEM ARCHITECTURE OVERVIEW
Fixed-function performance counters record only specific events that are defined in
Chapter 20, “Introduction to Virtual-Machine Extensions”, and the width/number of
fixed-function counters are enumerated by CPUID leaf 0AH.
The time-stamp counter is a model-specific 64-bit counter that is reset to zero each
time t h e processor is reset. If not reset, the counter will increment ~9.5 x 10
times per year when the processor is operating at a clock rate of 3GHz. At this
clock frequency , it would take over 190 years for the counter to wrap around. The
RDTSC instruction loads the current count of the time-stamp counter into the
EDX:EAX registe rs.
See Section 30.1, “Performance Monitoring Overview,” and Section 16.11, “TimeStamp Counter,” for more information about the performance monitoring and timestamp counters.
The RDTSC instruction was introduced into the IA-32 architecture with the Pentium
processor . The RDPMC instruction was introduced into the IA -32 architecture with the
Pentium Pro processor and the Pentium processor with MMX technology. Earlier
Pentium processors have two performance-monitoring counters, but they can be
read only with the RDMSR instruction, and only at privilege level 0.
16
2.7.6.1 Reading Counters in 64-Bit Mode
In 64-bit mode, RDTSC operates the same as in protected mode. The count in the
time-stamp counter is stored in EDX:EAX (or RDX[31:0]:RAX[31:0] with
RDX[63:32]:RAX[63:32] cleared).
RDPMC requires an index to specify the offset of the performance-monitoring
counter. In 64-bit mode for Pentium 4 or Intel Xeon processor families, the index is
specified in ECX[30:0]. The current count of the performance-monitoring counter is
stored in EDX:EAX (or RDX[31:0]:RAX[31:0] with RDX[63:32]:RAX[63:32]
cleared).
2.7.7 Reading and Writing Model-Specific Registers
The RDMSR (read model-specific register) and WRMSR (write model-specific
register) instructions allow a processor’s 64-bit model-specific registers (MSRs) to be
read and written, respectively . The MSR to be read or written is specified by the v alue
in the ECX register.
RDMSR reads the value from the specified MSR to the EDX:EAX registers; WRMSR
writes the value in the EDX:EAX registers to the specified MSR. RDMSR and WRMSR
were introduced into the IA-32 architecture with the Pentium processor.
See Section 9.4, “Model-Specific Registers (MSRs), ” for more information.
Vol. 3 2-33
SYSTEM ARCHITECTURE OVERVIEW
2.7.7.1 Reading and Writing Model-Specific Registers in 64-Bit Mode
RDMSR and WRMSR require an index to specify the address of an MSR. In 64-bit
mode, the index is 32 bits; it is specified using ECX.
2.7.8 Enabling Processor Extended States
The XSETBV instruction is required to enable OS support of individual processor
extended states in the XFEATURE_ENABLED_MASK register (see Section 2.6).
2-34 Vol. 3
CHAPTER 3
PROTECTED-MODE MEMORY MANAGEMENT
This chapter describes the Intel 64 and IA-32 architecture’s protected-mode memory
management facilities, including the physical memory requirements, segmentation
mechanism, and paging mechanism.
See also: Chapter 5, “Protection” (for a description of the processor’s protection
mechanism) and Chapter 17, “8086 Emulation” (for a description of memory
addressing protection in real-address and virtual-8086 modes).
3.1 MEMORY MANAGEMENT OVERVIEW
The memory management facilities of the IA-32 architecture are divided into two
parts: segmentation and paging. Segmentation provides a mechanism of isolating
individual code, data, and stack modules so that multiple programs (or tasks) can
run on the same processor without interfering with one another. Paging provides a
mechanism for implementing a conventional demand-paged, virtual-memory system
where sections of a program’s execution environment are mapped into physical
memory as needed. Paging can also be used to provide isolation between multiple
tasks. When operating in protected mode, some form of segmentation must be used.
There is no mode bit to disable segmentation. The use of paging, however, is
optional.
These two mechanisms (segmentation and paging) can be configured to support
simple single-program (or single-task) systems, multitasking systems, or multipleprocessor systems that used shared memory .
As shown in Figure 3-1, segmentation provides a mechanism for dividing the
processor’s addressable memory space (called the linear address space) into
smaller protected address spaces called segments. Segments can be used to hold
the code, data, and stack for a program or to hold system data structures (such as a
TSS or LDT). If more than one program (or task) is running on a processor, each
program can be assigned its own set of segments. The processor then enforces the
boundaries between these segments and insures that one program does not interfere
with the execution of another program by writing into the oth er program’s segments.
The segmentation mechanism also allows typing of segments so that the operations
that may be performed on a particular type of segment can be restricted.
All the segments in a system are contained in the processor’s linear address space.
T o locate a byte in a particular segment, a logical address (also called a far pointer)
must be provided. A logical address consists of a segment selector and an offset. The
segment selector is a unique identifier for a segment. Among other things it provides
an offset into a descriptor table (such as the global descriptor table, GDT) to a data
structure called a segment descriptor . Each segment has a segment descriptor , which
specifies the size of the segment, the access rights and privilege level for the
Vol. 3 3-1
PROTECTED-MODE MEMORY MANAGEMENT
segment, the segment type, and the location of the first byte of the segment in the
linear address space (called the base address of the segment). The offset part of the
logical address is added to the base address for the segment to locate a byte within
the segment. The base address plus the offset thus forms a linear address in the
processor’s linear address space.
Logical Address
(or Far Pointer)
Segment
Selector
Offset
Linear Address
Space
Global Descriptor
Table (GDT)
Segment
Descriptor
Segment
Base Address
Segment
Page Directory
Lin. Addr.
Page
Segmentation
Dir
Entry
Linear Address
TableOffset
Page Table
Entry
Paging
Physical
Address
Space
Page
Phy. Addr.
Figure 3-1. Segmentation and Paging
If paging is not used, the linear address space of the processor is mapped directly
into the physical address space of processor . The physical address space is defined as
the range of addresses that the processor can generate on its address bus.
Because multitasking computing systems commonly define a linear address space
much larger than it is economically feasible to contain all at once in physical memory ,
some method of “virtualizing” the linear address space is needed. This virtualization
of the linear address space is handled through the processor’s paging mechanism.
Paging supports a “virtual memory” environment wh ere a large linear address space
is simulated with a small amount of physical memory (RAM and ROM) and some disk
3-2 Vol. 3
PROTECTED-MODE MEMORY MANAGEMENT
storage. When using paging, each segment is divided into pages (typically 4 KBytes
each in size), which are stored either in physical memory or on the disk. The operating system or executive maintains a page directory and a set of page tables to keep
track of the pages. When a program (or task) attempts to access an address location
in the linear address space, the processor uses the page directory and page tables to
translate the linear address into a physical address and then performs the requested
operation (read or write) on the memory location.
If the page being accessed is not currently in physical memory, the processor interrupts execution of the program (by generating a page-fault exception). The operating system or executive then reads the page into physical memory from the disk
and continues executing the program.
When paging is implemented properly in the operating-system or executive, the
swapping of pages between physical memory and the disk is tr ansparent to the
correct execution of a program. Even programs written for 16-bit IA-32 processors
can be paged (transparently) when they are run in virtual-8086 mode.
3.2 USING SEGMENTS
The segmentation mechanism supported by the IA-32 architecture can be used to
implement a wide variety of system designs. These designs range from flat models
that make only minimal use of segmentation to protect programs to multisegmented models that employ segmentation to create a robust operating environ
ment in which multiple programs and tasks can be executed reliably .
The following sections give several examples of how segmentation can be employed
in a system to improve memory management performance and reliability .
-
3.2.1 Basic Flat Model
The simplest memory model for a system is the basic “flat model, ” in which the operating system and application programs have access to a continuous, unsegmented
address space. T o the greatest extent possible, this basic flat model hides the
segmentation mechanism of the architecture from both the system designer and the
application programmer.
To implement a basic flat memory model with the IA-32 architecture, at least two
segment descriptors must be created, one for referencing a code segment and one
for referencing a data segment (see
are mapped to the entire linear address space: that is, both segment descriptors
have the same base address value of 0 and the same segment limit of 4 GBytes. By
setting the segment limit to 4 GBytes, the segmentation mechanism is kept from
generating exceptions for out of limit memory references, even if no physical
memory resides at a particular address. ROM (EPROM) is generally located at the top
of the physical address space, because the processor begins execution at
Figure 3-2). Both of these segments, however,
Vol. 3 3-3
PROTECTED-MODE MEMORY MANAGEMENT
FFFF_FFF0H. RAM (DRAM) is placed at the bottom of the address space because the
initial base address for the DS data segment after reset initialization is 0.
3.2.2 Protected Flat Model
The protected flat model is similar to the basic flat model, except the segment limits
are set to include only the range of addresses for which physical memory actually
exists (see
any attempt to access nonexistent memory . This model provides a minimum lev el of
hardware protection against some kinds of program bugs.
Figure 3-3). A general-protection exception (#GP) is then gener ated on
Linear Address Space
Segment
Registers
CS
SS
DS
ES
FS
GS
Code- and Data-Segment
Descriptors
LimitAccess
Base Address
(or Physical Memory)
Code
Not Present
Data and
Stack
FFFFFFFFH
0
3-4 Vol. 3
Segment
Registers
CS
ES
SS
DS
FS
GS
Figure 3-2. Flat Model
Segment
Descriptors
LimitAccess
Base Address
LimitAccess
Base Address
Linear Address Space
(or Physical Memory)
Not Present
Memory I/O
Data and
Figure 3-3. Protected Flat Model
Code
Stack
FFFFFFFFH
0
PROTECTED-MODE MEMORY MANAGEMENT
More complexity can be added to this protected flat model to provide more protection. For example, for the paging mechanism to provide isolation between user and
supervisor code and data, four segments need to be defined: code and data
segments at privilege level 3 for the user, and code and data segments at privilege
level 0 for the supervisor. Usually these segments all overlay each other and start at
address 0 in the linear address space. This flat segmentation model along with a
simple paging structure can protect the operating system from applications, and by
adding a separate paging structure for each task or process, it can also protect appli
cations from each other. Similar designs are used by several popular multitasking
operating systems.
3.2.3 Multi-Segment Model
A multi-segment model (such as the one shown in Figure 3-4) uses the full capabilities of the segmentation mechanism to provided hardware enforced protection of
code, data structures, and programs and tasks. Here, each program (or task) is given
its own table of segment descriptors and its own segments. The segments can be
completely private to their assigned programs or shared among progr ams. Access to
all segments and to the execution environments of individual programs running on
the system is controlled by hardware.
-
Vol. 3 3-5
PROTECTED-MODE MEMORY MANAGEMENT
Segment
Registers
CS
SS
DS
ES
FS
GS
Segment
Descriptors
LimitAccess
Base Address
LimitAccess
Base Address
LimitAccess
Base Address
LimitAccess
Base Address
LimitAccess
Base Address
LimitAccess
Base Address
LimitAccess
Base Address
LimitAccess
Base Address
LimitAccess
Base Address
LimitAccess
Base Address
Linear Address Space
(or Physical Memory)
Stack
Code
Data
Data
Data
Data
Figure 3-4. Multi-Segment Model
Access checks can be used to protect not only against referencing an address outside
the limit of a segment, but also against performing disallowed operations in certain
segments. For example, since code segments are designated as read-only segments,
hardware can be used to prevent writes into code segments. The access rights infor
mation created for segments can also be used to set up protection rings or levels.
Protection levels can be used to protect operating-system procedures from unauthorized access by application programs.
3.2.4 Segmentation in IA-32e Mode
In IA-32e mode of Intel 64 architecture, the effects of segmentation depend on
whether the processor is running in compatibility mode or 64-bit mode. In compati
bility mode, segmentation functions just as it does using legacy 16-bit or 32-bit
protected mode semantics.
3-6 Vol. 3
-
-
PROTECTED-MODE MEMORY MANAGEMENT
In 64-bit mode, segmentation is generally (but not completely) disabled, creating a
flat 64-bit linear-address space. The processor treats the segment base of CS, DS,
ES, SS as zero, creating a linear address that is equal to the effective address. The FS
and GS segments are exceptions. These segment registers (which hold the segment
base) can be used as an additional base registers in linear address calculations. They
facilitate addressing local data and certain operating system data structures.
Note that the processor does not perform segment limit checks at runtime in 64-bit
mode.
3.2.5 Paging and Segmentation
Paging can be used with any of the segmentation models described in Figures 3-2,
3-3, and 3-4. The processor’s paging mechanism divides the linear address space
(into which segments are mapped) into pages (as shown in Figure 3-1). These linearaddress-space pages are then mapped to pages in the physical address space. The
paging mechanism offers several page-level protection facilities that can be used
with or instead of the segment-protection facilities. For example, it lets read-write
protection be enforced on a page-by-page basis. The paging mechanism also
provides two-level user-supervisor protection that can also be specified on a pageby-page basis.
3.3 PHYSICAL ADDRESS SPACE
In protected mode, the IA-32 architecture provides a normal physical address space
of 4 GBytes (2
its address bus. This address space is flat (unsegmented), with addresses ranging
continuously from 0 to FFFFFFFFH. This physical address space can be mapped to
read-write memory , read-only memory, and memory mapped I/O. The memory
mapping facilities described in this chapter can be used to divide this physical
memory up into segments and/or pages.
Starting with the Pentium Pro processor, the IA-32 architecture also supports an
extension of the physical address space to 2
physical address of FFFFFFFFFH. This extension is invoked in either of two ways:
32
bytes). This is the address space that the processor can address on
36
bytes (64 GBytes); with a maximum
•Using the physical address extension (PAE) flag, located in bit 5 of control
register CR4.
•Using the 36-bit page size extension (PSE-36) feature (introduced in the Pentium
III processors).
Physical address support has since been extended beyond 36 bits. See Chapter 4,
“Paging” for more information about 36-bit physical addressing.
Vol. 3 3-7
PROTECTED-MODE MEMORY MANAGEMENT
3.3.1 Intel® 64 Processors and Physical Address Space
On processors that support Intel 64 architecture (CPUID.80000001:EDX[29] = 1),
the size of the physical address range is implementation-specific and indicated by
CPUID.80000008H:EAX[bits 7-0].
For the format of information returned in EAX, see “CPUID—CPU Identification” in
Chapter 3 of the Intel® 64 and IA-32 Architectures Software Developer’s Manual, Volume 2A. See also: Chapter 4, “Paging.”
3.4 LOGICAL AND LINEAR ADDRESSES
At the system-architecture level in protected mode, the processor uses two stages of
address translation to arrive at a physical address: logical- address translation and
linear address space paging.
Even with the minimum use of segments, every byte in the processor’s address
space is accessed with a logical address. A logical address consists of a 16-bit
segment selector and a 32-bit offset (see Figure 3-5). The segment selector identifies the segment the byte is located in and the offset specifies the location of the byte
in the segment relative to the base address of the segment.
The processor translates every logical address into a linear address. A linear address
is a 32-bit address in the processor’s linear address space. Like the physical address
space, the linear address space is a flat (unsegmented), 232-byte address space,
with addresses ranging from 0 to FFFFFFFFH. The linear address space contains all
the segments and system tables defined for a system.
T o tr anslate a logical address into a linear address, the processor does the following:
1. Uses the offset in the segment selector to locate the segment descriptor for the
segment in the GDT or LDT and reads it into the processor. (This step is needed
only when a new segment selector is loaded into a segment register.)
2. Examines the segment descriptor to check the access rights and range of the
segment to insure that the segment is accessible and that the offset is within the
limits of the segment.
3. Adds the base address of the segment fr om the segment descriptor to the offset
to form a linear address.
3-8 Vol. 3
PROTECTED-MODE MEMORY MANAGEMENT
Logical
Address
Seg. Selector
Descriptor Table
Segment
Descriptor
015
31(63)
Offset (Effective Address)
Base Address
Linear Address
+
0
031(63)
Figure 3-5. Logical Address to Linear Address Translation
If paging is not used, the processor maps the linear address directly to a physical
address (that is, the linear address goes out on the processor’s address bus). If the
linear address space is paged, a second level of address translation is used to trans
late the linear address into a physical address.
See also: Chapter 4, “Paging. ”
3.4.1 Logical Address Translation in IA-32e Mode
In IA-32e mode, an Intel 64 processor uses the steps described above to translate a
logical address to a linear address. In 64-bit mode, the offset and base address of the
segment are 64-bits instead of 32 bits. The linear address format is also 64 bits wide
and is subject to the canonical form requirement.
Each code segment descriptor provides an L bit. This bit allows a code segment to
execute 64-bit code or legacy 32-bit code by code segment.
-
3.4.2 Segment Selectors
A segment selector is a 16-bit identifier for a segment (see Figure 3-6). It does not
point directly to the segment, but instead points to the segment descriptor that
defines the segment. A segment selector contains the following items:
Index(Bits 3 through 15) — Selects one of 8192 descriptors in the GD T or
LDT. The processor multiplies the index value by 8 (the number of
bytes in a segment descriptor) and adds the result to the base address
of the GDT or LDT (from the GDTR or LDTR registe r, respectively).
Vol. 3 3-9
PROTECTED-MODE MEMORY MANAGEMENT
TI (table indicator) flag
(Bit 2) — Specifies the descriptor table to use: clearing this flag
selects the GDT; setting this flag selects the current LDT.
15
Index
Table Indicator
0 = GDT
1 = LDT
Requested Privilege Level (RPL)
1
3
0
2
T
RPL
I
Figure 3-6. Segment Selector
Requested Privilege Level (RPL)
(Bits 0 and 1) — Specifies the privilege level of the selector. The privilege level can range from 0 to 3, with 0 being the most privileged
level. See
tionship of the RPL to the CPL of the executing program (or task) and
the descriptor privilege level (DPL) of the descriptor the segment
selector points to.
The first entry of the GDT is not used by th e processor . A segment selector that points
to this entry of the GDT (that is, a segment selector with an index of 0 and the TI flag
set to 0) is used as a “null segment selector .” The processor does not generate an
exception when a segment register (other than the CS or SS registers) is loaded with
a null selector. It does, however, generate an exception when a segment register
holding a null selector is used to access memory . A null selector can be used to
initialize unused segment registers. Loading the CS or SS register with a null
segment selector causes a general-protection exception (#GP) to be generated.
Segment selectors are visible to application programs as part of a pointer variable,
but the values of selectors are usually assigned or modified by link editors or linking
loaders, not application programs.
Section 5.5, “Privilege Levels”, for a description of the rela-
3.4.3 Segment Registers
T o reduce address tr anslation time and coding complexity, the processor provides
registers for holding up to 6 segment selectors (see
segment registers support a specific kind of memory reference (code, stack, or
data). For virtually any kind of program execution to take place, at least the codesegment (CS), data-segment (DS), and stack-segment (SS) registers must be
loaded with valid segment selectors. The processor also provides three additional
data-segment registers (ES, FS, and GS), which can be used to make additional data
segments available to the currently executing program (or task).
3-10 Vol. 3
Figure 3-7). Each of these
Loading...
+ hidden pages
You need points to download manuals.
1 point = 1 manual.
You can buy points or you can get point for every manual you upload.