Sysenter/Sysexit
The SYSENTER and SYSEXIT instructions were introduced into the IA-32 architecture
in the Pentium II processors for the purpose of providing a fast (low overhead)
mechanism for calling operating system or executive procedures. The SYSENTER
instruction is intended for use by user code running at privilege level 3 to access
operating system or executive procedures running at privilege level 0. The SYSEXIT
procedure is intended for use by privilege level 0 operating system or executive
procedures for fast returns to privilege level 3 user code. The SYSENTER instruction
can be executed from privilege levels 3, 2, or 1; the SYSEXIT instruction can only be
executed from privilege level 0.
The SYSENTER and SYSEXIT instructions are companion instructions, but they do not
constitute a call/return pair because the SYSENTER instruction does not save any
state information for use by the SYSEXIT instruction on a return.
The target instruction and stack pointer for these instructions are not specified
through instruction operands. Instead, they are specified through parameters
entered in several MSRs and general-purpose registers. For the SYSENTER instruction,
the processor gets the privilege level 0 target instruction and stack pointer from
the following sources:
. Target code segment - Reads it from the SYSENTER_CS_MSR.
. Target instruction - Reads it from the SYSENTER_EIP_MSR.
. Stack segment - Computes it by adding 8 to the value in the SYSENTER_CS_MSR.
. Stack pointer - Reads it from the SYSENTER_ESP_MSR.
// GDTbase=80036000 Limit=03FF
//
// Sel.  Type    Base      Limit     DPL  Attributes
// 0008  Code32  00000000  FFFFFFFF  0    P RE   ====> SYSENTER_CS_MSR
// 0010  Data32  00000000  FFFFFFFF  0    P RW   ====> SYSENTER_CS_MSR + 8
// 001B  Code32  00000000  FFFFFFFF  3    P RE   ====> SYSENTER_CS_MSR + 16
// 0023  Data32  00000000  FFFFFFFF  3    P RW   ====> SYSENTER_CS_MSR + 24
// 0028  TSS32   8024D000  000020AB  0    P B
// 0030  Data32  FFDFF000  00001FFF  0    P RW   ====> R0:fs ==> KPCR
// 003B  Data32  7FFD9000  00000FFF  3    P RW   ====> R3:fs
// 0043  Data16  00000400  0000FFFF  3    P RW
//
// Segment selector bit layout (bit positions in hex): Index (15..3), TI (2), RPL (1..0)
// FEDCBA9876543 2 10 =====> segment selector
// 0000000000110 0 00 =====> 0x30 (index 6, TI = 0, RPL = 0)
For the SYSEXIT instruction, the privilege level 3 target instruction and stack
pointer are specified as follows:
The sources that make up the SYSEXIT target can be grouped as follows:
. Target code segment - Computes it by adding 16 to the value in the SYSENTER_CS_MSR.
. Target instruction - Reads it from the EDX register.
. Stack segment - Computes it by adding 24 to the value in the SYSENTER_CS_MSR.
. Stack pointer - Reads it from the ECX register.
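The selector arithmetic above, worked through in C against the GDT dump on this page. This is an added example, not code from the original notes; the EIP/ESP MSR values and the EDX/ECX values are constructed. It also applies the SDM rule that SYSEXIT forces RPL = 3 into the selectors it builds, which is why SYSENTER_CS_MSR + 16 = 0x18 shows up as 0x1B in the dump.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample values consistent with the GDT dump above (hypothetical). */
#define SYSENTER_CS_MSR_VAL  0x0008u
#define SYSENTER_EIP_MSR_VAL 0x8053BEEFu /* hypothetical ring-0 entry address */
#define SYSENTER_ESP_MSR_VAL 0x8024E000u /* hypothetical ring-0 stack top */

typedef struct { uint16_t cs, ss; uint32_t eip, esp; } target_t;

/* Decoded selector fields: index (bits 15..3), TI (bit 2), RPL (bits 1..0). */
typedef struct { uint16_t index; uint8_t ti, rpl; } selector_t;

selector_t decode_selector(uint16_t sel) {
    selector_t s = { (uint16_t)(sel >> 3), (uint8_t)((sel >> 2) & 1), (uint8_t)(sel & 3) };
    return s;
}

/* SYSENTER: CS, EIP and ESP come straight from the MSRs; SS = CS + 8.
 * The ring-0 selectors keep RPL = 0 (low two bits of the MSR are ignored). */
target_t sysenter_target(uint32_t cs_msr, uint32_t eip_msr, uint32_t esp_msr) {
    target_t t;
    t.cs  = (uint16_t)(cs_msr & 0xFFFC);
    t.ss  = (uint16_t)(t.cs + 8);
    t.eip = eip_msr;
    t.esp = esp_msr;
    return t;
}

/* SYSEXIT: CS = MSR + 16, SS = MSR + 24, EIP from EDX, ESP from ECX.
 * Both selectors are OR'ed with 3 so the ring-3 code runs with RPL = 3. */
target_t sysexit_target(uint32_t cs_msr, uint32_t edx, uint32_t ecx) {
    target_t t;
    t.cs  = (uint16_t)(((cs_msr & 0xFFFC) + 16) | 3);
    t.ss  = (uint16_t)(((cs_msr & 0xFFFC) + 24) | 3);
    t.eip = edx;
    t.esp = ecx;
    return t;
}

int main(void) {
    target_t in  = sysenter_target(SYSENTER_CS_MSR_VAL, SYSENTER_EIP_MSR_VAL, SYSENTER_ESP_MSR_VAL);
    target_t out = sysexit_target(SYSENTER_CS_MSR_VAL, 0x7FFE0300u, 0x0012FF80u); /* constructed */
    selector_t s = decode_selector(0x30);
    printf("SYSENTER -> CS=%04X SS=%04X EIP=%08X ESP=%08X\n", in.cs, in.ss, in.eip, in.esp);
    printf("SYSEXIT  -> CS=%04X SS=%04X EIP=%08X ESP=%08X\n", out.cs, out.ss, out.eip, out.esp);
    printf("selector 0x30: index=%u TI=%u RPL=%u\n", s.index, s.ti, s.rpl);
    return 0;
}
```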
The SYSENTER and SYSEXIT instructions perform "fast" calls and returns because
they force the processor into a predefined privilege level 0 state when a SYSENTER
instruction is executed and into a predefined privilege level 3 state when a SYSEXIT
instruction is executed. By forcing predefined and consistent processor states, the
number of privilege checks ordinarily required to perform a far call to another
privilege level is greatly reduced. Also, predefining the target context state
in MSRs and general-purpose registers eliminates all memory accesses except those
needed to fetch the target code.
Any additional state that needs to be saved to allow a return to the calling
procedure must be saved explicitly by the calling procedure or be predefined through
programming conventions.