Intel® Architecture Instruction Set Extensions Programming Reference

9.3 PAGING-MODE ACCESS ENHANCEMENT
ADDITIONAL NEW INSTRUCTIONS
Intel 64 architecture provided two paging mode modifiers that regulate instruction fetches from linear memory
address spaces: Execute-Disable (XD) and supervisor mode execution prevention (SMEP) are described in Chapter
4 of Intel® 64 and IA-32 Architectures Software Developer’s Manual, Volume 3A.
A third paging mode modifier is introduced to regulate data accesses, referred to as supervisor mode access
prevention (SMAP).
When SMAP is enabled, the processor disallows supervisor data accesses to pages that are accessible in user
mode. Disallowed accesses result in page-fault exceptions. Software may find it necessary to allow certain supervisor
accesses to user-accessible pages. For this reason, the SMAP architecture allows software to disable the
SMAP protections temporarily.
SMAP applies in all paging modes (32-bit paging, PAE paging, and IA-32e paging) and to all page sizes (4-KByte,
2-MByte, 4-MByte, and 1-GByte). SMAP has no effect on processor operation if paging is disabled. SMAP has no
effect on the address translation provided by EPT. SMAP has no effect in operating modes that paging is not used.
9.3.1 Enumeration and Enabling
System software enables SMAP by setting the SMAP flag in control register CR4 (bit 21).
Processor support for SMAP is enumerated by the CPUID instruction. Specifically, the processor supports SMAP
only if CPUID.(EAX=07H,ECX=0H):EBX.SMAP[bit 20] = 1.
A processor will allow CR4.SMAP to be set only if SMAP is enumerated by CPUID as described above. CR4.SMAP
may be set if paging is disabled (if CR0.PG = 0), but it has no effect on processor operation in that case.
In addition, two new instructions: CLAC and STAC (see Section 9.6) are supported if and only if SMAP is enumerated
by CPUID as described above.
9.3.2 SMAP and Access Rights
Every access to a linear address is either a supervisor-mode access or a user-mode access. All accesses performed
while the current privilege level (CPL) is less than 3 are supervisor-mode accesses. If CPL = 3, accesses are generally
user-mode accesses. However, some operations implicitly access system data structures, and the resulting
accesses to those data structures are supervisor-mode accesses regardless of CPL. Examples of such implicit
supervisor accesses include the following: accesses to the global descriptor table (GDT) or local descriptor table
(LDT) to load a segment descriptor; accesses to the interrupt descriptor table (IDT) when delivering an interrupt or
exception; and accesses to the task-state segment (TSS) as part of a task switch or change of CPL.
If CR4.SMAP = 1, supervisor-mode data accesses are not allowed to linear addresses that are accessible in user
mode. If CPL < 3, SMAP protections are disabled if EFLAGS.AC = 1. If CPL = 3, SMAP applies to all supervisor-mode
data accesses (these are implicit supervisor accesses) regardless of the value of EFLAGS.AC.
The following items detail how paging determines access rights for supervisor-mode data accesses:
• Data reads that are allowed:
— If CR4.SMAP = 0, data may be read from any linear address with a valid translation.
— If CR4.SMAP = 1, access rights depend on CPL and EFLAGS.AC.
• If CPL < 3 and EFLAGS.AC = 1, data may be read from any linear address with a valid translation.
• If CPL = 3 (an implicit supervisor access) or EFLAGS.AC = 0, data may be read from any linear address
with a valid translation for which the U/S flag (bit 2) is 0 in at least one of the paging-structure entries
controlling the translation.
• Data writes that are allowed:
— If CR0.WP = 0 and CR4.SMAP = 0, data may be written to any linear address with a valid translation.
— If CR0.WP = 0 and CR4.SMAP = 1, access rights depend on CPL and EFLAGS.AC.
• If CPL < 3 and EFLAGS.AC = 1, data may be written to any linear address with a valid translation.
Ref. # 319433-014 9-3