SYSENTER

Fast System Call

Opcodes

Hex    Mnemonic   Encoding   Long Mode   Legacy Mode   Description
0F 34  SYSENTER   A          Valid       Valid         Fast call to privilege level 0 system procedures.

Instruction Operand Encoding

Op/En   Operand 0   Operand 1   Operand 2   Operand 3
A       NA          NA          NA          NA

Description

Executes a fast call to a level 0 system procedure or routine. SYSENTER is a companion instruction to SYSEXIT. The instruction is optimized to provide the maximum performance for system calls from user code running at privilege level 3 to operating system or executive procedures running at privilege level 0.

Prior to executing the SYSENTER instruction, software must specify the privilege level 0 code segment and code entry point, and the privilege level 0 stack segment and stack pointer by writing values to the following MSRs:

These MSRs can be read from and written to using RDMSR/WRMSR. Register addresses are listed in the following table. The addresses are defined to remain fixed for future Intel 64 and IA-32 processors.

MSRs Used By the SYSENTER and SYSEXIT Instructions
MSR                  Address
IA32_SYSENTER_CS     174H
IA32_SYSENTER_ESP    175H
IA32_SYSENTER_EIP    176H

When SYSENTER is executed, the processor:

The processor does not save a return IP or other state information for the calling procedure.

The SYSENTER instruction always transfers program control to a protected-mode code segment with a DPL of 0. The instruction requires that the following conditions are met by the operating system:

The SYSENTER instruction can be invoked from all operating modes except real-address mode.

The SYSENTER and SYSEXIT instructions are companion instructions, but they do not constitute a call/return pair. When executing a SYSENTER instruction, the processor does not save state information for the user code, and neither the SYSENTER nor the SYSEXIT instruction supports passing parameters on the stack.

To use the SYSENTER and SYSEXIT instructions as companion instructions for transitions between privilege level 3 code and privilege level 0 operating system procedures, the following conventions must be followed:

The SYSENTER and SYSEXIT instructions were introduced into the IA-32 architecture in the Pentium II processor. The availability of these instructions on a processor is indicated with the SYSENTER/SYSEXIT present (SEP) feature flag returned to the EDX register by the CPUID instruction. An operating system that qualifies the SEP flag must also qualify the processor family and model to ensure that the SYSENTER/SYSEXIT instructions are actually present. For example:

IF CPUID SEP bit is set
	THEN
		IF (Family = 6) and (Model < 3) and (Stepping < 3)
			THEN
				SYSENTER/SYSEXIT_Not_Supported;
			FI;
		ELSE
			SYSENTER/SYSEXIT_Supported;
		FI;
FI;

When the CPUID instruction is executed on the Pentium Pro processor (model 1), the processor returns the SEP flag as set, but does not support the SYSENTER/SYSEXIT instructions.
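The qualification above, implemented in C as an added example (it is not code from the Intel manual). It relies on two facts outside this page: CPUID leaf 1 returns the SEP flag in EDX bit 11, and the version signature in EAX is laid out as stepping EAX[3:0], model EAX[7:4], family EAX[11:8], extended model EAX[19:16] and extended family EAX[27:20]. The function and struct names are this example's own, and the signatures passed in main() are constructed values, not dumps from real processors.

```c
/* Added example: qualify the CPUID SEP flag the way the page's pseudocode
 * does, i.e. treat family 6 / model < 3 / stepping < 3 (Pentium Pro class)
 * as NOT supporting SYSENTER/SYSEXIT even though it reports SEP. */
#include <stdint.h>
#include <stdio.h>

#define CPUID1_EDX_SEP (1u << 11)   /* CPUID.1:EDX bit 11 = SYSENTER/SYSEXIT present */

struct cpu_signature {
    unsigned family;
    unsigned model;
    unsigned stepping;
};

/* Decode the CPUID.1:EAX version signature into display family/model/stepping. */
static struct cpu_signature decode_signature(uint32_t eax)
{
    struct cpu_signature s;
    unsigned family = (eax >> 8) & 0xF;
    unsigned model  = (eax >> 4) & 0xF;

    s.stepping = eax & 0xF;
    if (family == 0xF)
        family += (eax >> 20) & 0xFF;          /* extended family applies to family 0FH only */
    if (family == 0x6 || family == 0xF)
        model += ((eax >> 16) & 0xF) << 4;     /* extended model applies to families 06H and 0FH */
    s.family = family;
    s.model  = model;
    return s;
}

/* Returns 1 if SYSENTER/SYSEXIT may be used, 0 otherwise (the page's rule). */
int sysenter_supported(uint32_t cpuid1_eax, uint32_t cpuid1_edx)
{
    struct cpu_signature s;

    if (!(cpuid1_edx & CPUID1_EDX_SEP))
        return 0;                              /* SEP not advertised at all */
    s = decode_signature(cpuid1_eax);
    if (s.family == 6 && s.model < 3 && s.stepping < 3)
        return 0;                              /* Pentium Pro: SEP set but instructions absent */
    return 1;
}

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
/* Query the running processor; returns -1 if CPUID leaf 1 is unavailable. */
int sysenter_supported_here(void)
{
    unsigned eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return -1;
    return sysenter_supported(eax, edx);
}
#endif

int main(void)
{
    /* Constructed signatures: 0x611 = family 6, model 1, stepping 1;
     * 0x633 = family 6, model 3, stepping 3. Both advertise SEP. */
    printf("family 6 model 1 stepping 1, SEP set: %d\n",
           sysenter_supported(0x00000611u, CPUID1_EDX_SEP));
    printf("family 6 model 3 stepping 3, SEP set: %d\n",
           sysenter_supported(0x00000633u, CPUID1_EDX_SEP));
#if defined(__x86_64__) || defined(__i386__)
    printf("this processor: %d\n", sysenter_supported_here());
#endif
    return 0;
}
```

An operating system should make this decision once at boot and pick its system-call entry mechanism from the result; a processor that advertises SEP but does not implement the instruction will raise #UD on the first SYSENTER otherwise.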

Pseudo Code

IF CR0.PE = 0
	#GP(0);
FI;
IF SYSENTER_CS_MSR[15:2] = 0
	#GP(0);
FI;
EFLAGS.VM = 0;            (* ensures protected mode execution *)
EFLAGS.IF = 0;            (* Mask interrupts *)
EFLAGS.RF = 0;
CS.SEL = SYSENTER_CS_MSR; (* Operating system provides CS *)
(* Set rest of CS to a fixed value *)
CS.SEL.RPL = 0;
CS.BASE = 0;              (* Flat segment *)
CS.ARbyte.G = 1;          (* 4-KByte granularity *)
CS.ARbyte.S = 1;
CS.ARbyte.TYPE = 1011B;   (* Execute + Read, Accessed *)
CS.ARbyte.D = 1;          (* 32-bit code segment *)
CS.ARbyte.DPL = 0;
CS.ARbyte.P = 1;
CS.LIMIT = FFFFFH;        (* with 4-KByte granularity, implies a 4-GByte limit *)
CPL = 0;
SS.SEL = CS.SEL + 8;
(* Set rest of SS to a fixed value *)
SS.SEL.RPL = 0;
SS.BASE = 0;              (* Flat segment *)
SS.ARbyte.G = 1;          (* 4-KByte granularity *)
SS.ARbyte.S = 1;
SS.ARbyte.TYPE = 0011B;   (* Read/Write, Accessed *)
SS.ARbyte.D = 1;          (* 32-bit stack segment *)
SS.ARbyte.DPL = 0;
SS.ARbyte.P = 1;
SS.LIMIT = FFFFFH;        (* with 4-KByte granularity, implies a 4-GByte limit *)
ESP = SYSENTER_ESP_MSR;
EIP = SYSENTER_EIP_MSR;
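A C model of the pseudo code above, added here as an example and not taken from the Intel manual. It uses the MSR addresses from the table (174H, 175H, 176H) and reproduces the two #GP(0) checks, the forced RPL of 0 on CS, the derivation SS.SEL = CS.SEL + 8, the clearing of VM/IF/RF, and the loading of ESP/EIP from the MSRs. The struct and function names are this example's own, the ring-3 starting state and MSR contents in main() are constructed values, and nothing here reads or writes real MSRs; the fixed descriptor-cache fields (base, limit, access rights) are not modelled because the pseudo code gives them constant values.

```c
/* Added example: model the architectural effect of SYSENTER from the
 * three IA32_SYSENTER_* MSRs, or report the #GP(0) the pseudo code raises. */
#include <stdint.h>
#include <stdio.h>

#define IA32_SYSENTER_CS  0x174   /* from the MSR table on this page */
#define IA32_SYSENTER_ESP 0x175
#define IA32_SYSENTER_EIP 0x176

#define CR0_PE    (1u << 0)
#define EFLAGS_IF (1u << 9)
#define EFLAGS_RF (1u << 16)
#define EFLAGS_VM (1u << 17)

/* The processor state that SYSENTER touches. */
struct cpu_state {
    uint32_t cr0;
    uint32_t eflags;
    uint32_t cpl;
    uint16_t cs_sel;
    uint16_t ss_sel;
    uint32_t esp;
    uint32_t eip;
};

/* Values the OS programmed with WRMSR before allowing user code to SYSENTER. */
struct sysenter_msrs {
    uint64_t cs;    /* IA32_SYSENTER_CS  (174H) */
    uint64_t esp;   /* IA32_SYSENTER_ESP (175H) */
    uint64_t eip;   /* IA32_SYSENTER_EIP (176H) */
};

/* Returns 0 on success (state updated), -1 if SYSENTER would raise #GP(0). */
int sysenter_model(struct cpu_state *st, const struct sysenter_msrs *msr)
{
    if (!(st->cr0 & CR0_PE))                 /* IF CR0.PE = 0 THEN #GP(0) */
        return -1;
    if (((msr->cs >> 2) & 0x3FFF) == 0)      /* IF SYSENTER_CS_MSR[15:2] = 0 THEN #GP(0) */
        return -1;

    st->eflags &= ~(EFLAGS_VM | EFLAGS_IF | EFLAGS_RF);   /* VM, IF, RF cleared */
    st->cs_sel = (uint16_t)(msr->cs & 0xFFFCu);            /* OS-provided CS, RPL forced to 0 */
    st->cpl    = 0;
    st->ss_sel = (uint16_t)((st->cs_sel + 8u) & 0xFFFCu);  /* SS.SEL = CS.SEL + 8, RPL 0 */
    st->esp    = (uint32_t)msr->esp;                       /* no return IP/ESP is saved */
    st->eip    = (uint32_t)msr->eip;
    return 0;
}

/* Run the model from a constructed ring-3 state (IF set, RF set, reserved
 * bit 1 set). protected_mode selects CR0.PE. Leaves the result in *out. */
int sysenter_from_ring3(const struct sysenter_msrs *msr, int protected_mode,
                        struct cpu_state *out)
{
    out->cr0    = protected_mode ? CR0_PE : 0;
    out->eflags = EFLAGS_IF | EFLAGS_RF | 0x2u;
    out->cpl    = 3;
    out->cs_sel = 0x1B;            /* constructed user CS, RPL 3 */
    out->ss_sel = 0x23;            /* constructed user SS, RPL 3 */
    out->esp    = 0xBFFFF000u;     /* constructed user stack */
    out->eip    = 0x08048000u;     /* constructed user EIP, not preserved by SYSENTER */
    return sysenter_model(out, msr);
}

int main(void)
{
    /* Constructed MSR contents: kernel CS selector 08H (so SS becomes 10H),
     * kernel stack top and kernel entry point. */
    struct sysenter_msrs ok  = { 0x08u, 0xC07FFFF0u, 0xC0100000u };
    struct sysenter_msrs bad = { 0x03u, 0xC07FFFF0u, 0xC0100000u };  /* only RPL bits set */
    struct cpu_state st;

    if (sysenter_from_ring3(&ok, 1, &st) == 0)
        printf("CS=%04X SS=%04X CPL=%u EIP=%08X ESP=%08X EFLAGS=%08X\n",
               st.cs_sel, st.ss_sel, st.cpl, st.eip, st.esp, st.eflags);
    printf("CS MSR[15:2]=0  -> %s\n", sysenter_from_ring3(&bad, 1, &st) ? "#GP(0)" : "ok");
    printf("real mode       -> %s\n", sysenter_from_ring3(&ok, 0, &st) ? "#GP(0)" : "ok");
    return 0;
}
```

The model makes two properties of the instruction visible: the kernel entry point is whatever IA32_SYSENTER_EIP holds, so the OS must program that MSR before any ring-3 code can execute SYSENTER, and the user return address is not recorded anywhere, which is why the calling convention has to preserve it explicitly.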

Flags Affected

VM, IF, RF (see Pseudo Code above)

Exceptions

64-Bit Mode Exceptions

Same exceptions as in protected mode.

Compatibility Mode Exceptions

Same exceptions as in protected mode.

Virtual-8086 Mode Exceptions

Same exceptions as in protected mode.

Real-Address Mode Exceptions

Exception   Description
#UD         If the LOCK prefix is used.
#GP         If protected mode is not enabled.

Protected Mode Exceptions

Exception   Description
#UD         If the LOCK prefix is used.
#GP(0)      If IA32_SYSENTER_CS[15:2] = 0.