SYSENTER--Fast Transition to System Call Entry Point

Opcode    Instruction    Description
0F 34     SYSENTER       Transition to System Call Entry Point

Description

The SYSENTER instruction is part of the "Fast System Call" facility introduced on the Pentium® II processor. The SYSENTER instruction is optimized to provide the maximum performance for transitions to protection ring 0 (CPL 0).

The SYSENTER instruction sets the following registers according to values specified by the operating system in certain model-specific registers:

    CS register set to the value of SYSENTER_CS_MSR
    EIP register set to the value of SYSENTER_EIP_MSR
    SS register set to the sum of 8 plus the value in SYSENTER_CS_MSR
    ESP register set to the value of SYSENTER_ESP_MSR

The processor does not save user stack or return address information, and does not save any registers.

The SYSENTER and SYSEXIT instructions do not constitute a call/return pair; therefore, the system call "stub" routines executed by user code (typically in shared libraries or DLLs) must perform the required register state save to create a system call/return pair.

The SYSENTER instruction always transfers to a flat protected mode kernel at CPL 0. SYSENTER can be invoked from all modes except real mode. The instruction requires that the following conditions are met by the operating system:

    The CS selector for the target ring 0 code segment is 32 bits, mapped as a flat 0-4 GB address space with execute and read permissions.
    The SS selector for the target ring 0 stack segment is 32 bits, mapped as a flat 0-4 GB address space with read, write, and accessed permissions. This selector (Target Ring 0 SS Selector) is assigned the value of the new (CS selector + 8).

An operating system provides values for CS, EIP, SS, and ESP for the ring 0 entry point through use of model-specific registers within the processor. These registers can be read from and written to by using the RDMSR and WRMSR instructions. The register addresses are defined to remain fixed at the following addresses on future processors that provide support for this feature.

Name                Description                      Address
SYSENTER_CS_MSR     Target Ring 0 CS Selector        174H
SYSENTER_ESP_MSR    Target Ring 0 ESP                175H
SYSENTER_EIP_MSR    Target Ring 0 Entry Point EIP    176H

The presence of this facility is indicated by the SYSENTER Present (SEP) bit (bit 11) of the CPUID feature flags. An operating system that detects the SEP bit must also qualify the processor family, model, and stepping to ensure that the SYSENTER/SYSEXIT instructions are actually present. For example:

IF (CPUID SEP bit is set)
    IF (Family == 6) AND (Model < 3) AND (Stepping < 3)
    THEN
        Fast System Call NOT supported
    ELSE
        Fast System Call is supported
    FI;
FI

The Pentium Pro processor (Model 1) returns a set SEP CPUID feature bit, but does not support the SYSENTER/SYSEXIT instructions.
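The qualification rule above, written out in C as an added example (this is not code from the Intel reference). The decoding assumes the CPUID leaf 1 layout, with the family/model/stepping fields in EAX and the SEP flag in EDX bit 11; the two processor signatures used in main() are constructed values for illustration, and the live query via `__get_cpuid` is only compiled on x86 hosts.

```c
#include <stdint.h>
#include <stdio.h>

/* CPUID.1:EDX bit 11 = SEP (SYSENTER Present). */
#define CPUID_1_EDX_SEP (1u << 11)

struct cpu_sig { unsigned family, model, stepping; };

/* Split CPUID.1:EAX into the base family / model / stepping fields.
 * The extended fields are not needed for the rule on this page. */
static struct cpu_sig decode_signature(uint32_t eax)
{
    struct cpu_sig s;
    s.stepping = eax & 0xF;
    s.model    = (eax >> 4) & 0xF;
    s.family   = (eax >> 8) & 0xF;
    return s;
}

/* Returns 1 if SYSENTER/SYSEXIT may be used, 0 otherwise:
 * SEP must be set, and Family 6 / Model < 3 / Stepping < 3 is excluded
 * because those parts report SEP without implementing the instructions. */
int fast_syscall_supported(uint32_t cpuid1_eax, uint32_t cpuid1_edx)
{
    if (!(cpuid1_edx & CPUID_1_EDX_SEP))
        return 0;
    struct cpu_sig s = decode_signature(cpuid1_eax);
    if (s.family == 6 && s.model < 3 && s.stepping < 3)
        return 0;
    return 1;
}

#if defined(__i386__) || defined(__x86_64__)
#include <cpuid.h>
/* Apply the same rule to the processor this program runs on (x86 only). */
int fast_syscall_supported_here(void)
{
    unsigned eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return 0;   /* leaf 1 not available */
    return fast_syscall_supported(eax, edx);
}
#endif

int main(void)
{
    /* Constructed signatures: family 6/model 1/stepping 1 (the excluded
     * Pentium Pro case) and family 6/model 3/stepping 3. */
    uint32_t ppro_eax = 0x00000611u;
    uint32_t pii_eax  = 0x00000633u;
    printf("PPro, SEP set : supported=%d\n",
           fast_syscall_supported(ppro_eax, CPUID_1_EDX_SEP));
    printf("PII,  SEP set : supported=%d\n",
           fast_syscall_supported(pii_eax, CPUID_1_EDX_SEP));
#if defined(__i386__) || defined(__x86_64__)
    printf("this processor: supported=%d\n", fast_syscall_supported_here());
#endif
    return 0;
}
```

The check is deliberately split so the pure rule (`fast_syscall_supported`) can be unit-tested against fixed register values, while the host query is a thin wrapper; an OS that only tested the SEP flag would wrongly enable the fast path on the Pentium Pro.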

Operation

SYSENTER
IF CR0.PE == 0 THEN #GP(0)
IF SYSENTER_CS_MSR == 0 THEN #GP(0)

EFLAGS.VM := 0 // Prevent VM86 mode
EFLAGS.IF := 0 // Mask interrupts

CS.SEL := SYSENTER_CS_MSR // Operating system provides CS

// Set rest of CS to a fixed value
CS.SEL.CPL := 0 // CPL 0
CS.SEL.BASE := 0 // Flat segment
CS.SEL.LIMIT := 0xFFFFF // 4G limit (with G = 1)
CS.SEL.G := 1 // 4 KB granularity
CS.SEL.S := 1
CS.SEL.TYPE_xCRA := 1011 // Execute + Read, Accessed
CS.SEL.D := 1 // 32 bit code
CS.SEL.DPL := 0
CS.SEL.RPL := 0
CS.SEL.P := 1
SS.SEL := CS.SEL+8

// Set rest of SS to a fixed value
SS.SEL.BASE := 0 // Flat segment
SS.SEL.LIMIT := 0xFFFFF // 4G limit (with G = 1)
SS.SEL.G := 1 // 4 KB granularity
SS.SEL.S := 1
SS.SEL.TYPE_xCRA := 0011 // Read/Write, Accessed
SS.SEL.D := 1 // 32 bit stack
SS.SEL.DPL := 0
SS.SEL.RPL := 0
SS.SEL.P := 1

ESP := SYSENTER_ESP_MSR
EIP := SYSENTER_EIP_MSR
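A software model of the transition described in the Operation section, added here as an example; it is not code from the Intel reference and not kernel code, only a simulation of the architectural state so the effect can be inspected. The struct layout, function names, and the sample selector, stack and entry-point values are constructed for this example; the MSR addresses are the ones listed on the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SYSENTER_CS_MSR  0x174u
#define SYSENTER_ESP_MSR 0x175u
#define SYSENTER_EIP_MSR 0x176u

enum sysenter_result { SYSENTER_OK = 0, SYSENTER_GP0 = 1 };  /* GP0 models #GP(0) */

struct seg {                       /* the cached segment fields the page sets */
    uint16_t sel;
    uint32_t base, limit;
    unsigned g, s, type, d, dpl, rpl, p;
};

struct cpu {
    unsigned cr0_pe;               /* CR0.PE: 0 = real mode */
    unsigned eflags_vm, eflags_if;
    uint32_t msr[3];               /* 174H..176H, indexed by addr - 0x174 */
    struct seg cs, ss;
    unsigned cpl;
    uint32_t esp, eip;
};

/* Model of WRMSR restricted to the three SYSENTER MSRs; anything else is rejected. */
int wrmsr(struct cpu *c, uint32_t addr, uint32_t value)
{
    if (addr < SYSENTER_CS_MSR || addr > SYSENTER_EIP_MSR)
        return -1;
    c->msr[addr - SYSENTER_CS_MSR] = value;
    return 0;
}

/* Load a flat 0-4 GB ring 0 segment with the fixed attributes from the page. */
static void load_flat_ring0(struct seg *s, uint16_t sel, unsigned type)
{
    s->sel = sel;
    s->base = 0;
    s->limit = 0xFFFFF;            /* 4 GB with G = 1 */
    s->g = 1; s->s = 1; s->type = type; s->d = 1;
    s->dpl = 0; s->rpl = 0; s->p = 1;
}

enum sysenter_result sysenter(struct cpu *c)
{
    uint32_t cs_msr = c->msr[0];
    if (c->cr0_pe == 0) return SYSENTER_GP0;   /* protected mode not enabled */
    if (cs_msr == 0)    return SYSENTER_GP0;   /* OS never programmed the entry point */

    c->eflags_vm = 0;                          /* prevent VM86 mode */
    c->eflags_if = 0;                          /* mask interrupts */

    /* CS comes from the MSR with RPL forced to 0; the rest is fixed. */
    load_flat_ring0(&c->cs, (uint16_t)(cs_msr & 0xFFFCu), 0xB);  /* 1011: exec/read, accessed */
    c->cpl = 0;
    /* SS is not held in any MSR: it is always the new CS selector + 8. */
    load_flat_ring0(&c->ss, (uint16_t)(c->cs.sel + 8), 0x3);     /* 0011: read/write, accessed */

    /* The user ESP/EIP are not saved anywhere: both are simply replaced. */
    c->esp = c->msr[1];
    c->eip = c->msr[2];
    return SYSENTER_OK;
}

/* Build a ring 3 CPU with constructed user state and the given MSR contents. */
struct cpu configured_cpu(unsigned pe, uint32_t cs, uint32_t esp, uint32_t eip)
{
    struct cpu c;
    memset(&c, 0, sizeof c);
    c.cr0_pe = pe; c.eflags_if = 1; c.cpl = 3;
    c.esp = 0xBFFFF000u; c.eip = 0x08048100u;  /* constructed user-mode values */
    wrmsr(&c, SYSENTER_CS_MSR,  cs);
    wrmsr(&c, SYSENTER_ESP_MSR, esp);
    wrmsr(&c, SYSENTER_EIP_MSR, eip);
    return c;
}

int main(void)
{
    /* Constructed OS configuration: ring 0 code at selector 08H. */
    struct cpu c = configured_cpu(1, 0x08u, 0xC0100000u, 0xC0001000u);
    enum sysenter_result r = sysenter(&c);
    printf("result=%d CS=%#x SS=%#x CPL=%u IF=%u VM=%u EIP=%#x ESP=%#x\n",
           r, c.cs.sel, c.ss.sel, c.cpl, c.eflags_if, c.eflags_vm, c.eip, c.esp);
    return 0;
}
```

Running the model makes two points from the text concrete: a zeroed SYSENTER_CS_MSR or CR0.PE = 0 faults with #GP(0) before any state changes, and a successful transition overwrites ESP and EIP without saving them, which is why the user-mode stub has to preserve return information itself.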

Exceptions

#GP(0) - If SYSENTER_CS_MSR contains zero.

Numeric Exceptions

None.

Real Address Mode Exceptions

#GP(0) - If protected mode is not enabled.