SYSCALL and SYSRET stack

tsdnz
Member
Posts: 333
Joined: Sun Jun 16, 2013 4:09 am

SYSCALL and SYSRET stack

Post by tsdnz »

Hi all,

I am looking at moving my OS to use CPL0,1,2,3

The SYSCALL and SYSRET calls do not change RSP.
How are you doing it?
Are you loading RSP by finding the CPU ID and loading RSP from that?

Thanks.
alexfru
Member
Posts: 1112
Joined: Tue Mar 04, 2014 5:27 am

Re: SYSCALL and SYSRET stack

Post by alexfru »

Search to the rescue?
See the description of the SWAPGS instruction:
SWAPGS exchanges the current GS base register value with the value contained in
MSR address C0000102H (MSR_KERNELGSbase). KernelGSbase is guaranteed to be
canonical; so SWAPGS does not perform a canonical check. The SWAPGS instruction
is a privileged instruction intended for use by system software.
When using SYSCALL to implement system calls, there is no kernel stack at the OS
entry point. Neither is there a straightforward method to obtain a pointer to kernel
structures from which the kernel stack pointer could be read. Thus, the kernel can't
save general purpose registers or reference memory.

By design, SWAPGS does not require any general purpose registers or memory
operands. No registers need to be saved before using the instruction. SWAPGS exchanges
the CPL 0 data pointer from the KernelGSbase MSR with the GS base register. The
kernel can then use the GS prefix on normal memory references to access kernel
data structures. Similarly, when the OS kernel is entered using an interrupt or
exception (where the kernel stack is already set up), SWAPGS can be used to quickly
get a pointer to the kernel data structures.
tsdnz
Member
Posts: 333
Joined: Sun Jun 16, 2013 4:09 am

Re: SYSCALL and SYSRET stack

Post by tsdnz »

alexfru wrote:Search to the rescue?
See the description of the SWAPGS instruction:
SWAPGS exchanges the current GS base register value with the value contained in
MSR address C0000102H (MSR_KERNELGSbase). KernelGSbase is guaranteed to be
canonical; so SWAPGS does not perform a canonical check. The SWAPGS instruction
is a privileged instruction intended for use by system software.
When using SYSCALL to implement system calls, there is no kernel stack at the OS
entry point. Neither is there a straightforward method to obtain a pointer to kernel
structures from which the kernel stack pointer could be read. Thus, the kernel can't
save general purpose registers or reference memory.

By design, SWAPGS does not require any general purpose registers or memory
operands. No registers need to be saved before using the instruction. SWAPGS exchanges
the CPL 0 data pointer from the KernelGSbase MSR with the GS base register. The
kernel can then use the GS prefix on normal memory references to access kernel
data structures. Similarly, when the OS kernel is entered using an interrupt or
exception (where the kernel stack is already set up), SWAPGS can be used to quickly
get a pointer to the kernel data structures.
Thanks, in the above search: "from which the kernel stack pointer could be read". Right, I read that many times, now I see it? SWAPGS is CPU specific, just point it to a different address for each CPU.
feryno
Member
Posts: 73
Joined: Thu Feb 09, 2012 6:53 am
Location: Czechoslovakia

Re: SYSCALL and SYSRET stack

Post by feryno »

ring0 code sample handling syscall execution (MSR LSTAR is pointing to this address). It is best to enter it with interrupts disabled, so create such a mask in the corresponding syscall MSR; every CPU has its own private GS base.


swapgs                       ; GS base <-> MSR_KERNELGSbase: GS now points at this CPU's private data
mov [gs: ring3_rsp],rsp      ; save the ring3 stack pointer (no memory is touched before swapgs)
mov rsp,[gs: ring0_rsp]      ; load this CPU's ring0 stack pointer
sti                          ; RSP is valid now, interrupts can be re-enabled
At the OS startup phase it is OK to set [gs: ring0_rsp] to the same value as TSS.RSP0 (the qword at offset +4 of the TSS), so external interrupts arriving while ring3 code runs, or software interrupts executed in ring3 code, will use the same stack as the one used for syscall instructions executed in ring3.
hypervisor-based solutions developer (Intel, AMD)
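The complete setup and entry/exit path that the snippet above is a fragment of, written as an added example (not feryno's code): the per-CPU MSR programming, the SWAPGS stack switch, and the SYSRET return. NASM syntax; the per_cpu layout, the KERNEL_CS/USER_CS_BASE selectors and syscall_dispatch are assumptions, and the user RSP is copied onto the kernel stack right after the switch so a context switch taken after sti cannot overwrite the per-CPU slot.

```nasm
; NASM, x86-64 long mode. Assumed names: per_cpu layout, KERNEL_CS/USER_CS_BASE
; (GDT selectors laid out as SYSRET expects), syscall_dispatch (a C handler).
%define MSR_STAR         0xC0000081
%define MSR_LSTAR        0xC0000082
%define MSR_SFMASK       0xC0000084
%define MSR_KERNELGSBASE 0xC0000102
%define KERNEL_CS        0x08       ; SYSCALL loads CS = this, SS = this + 8
%define USER_CS_BASE     0x10       ; SYSRET loads SS = base + 8, CS = base + 16

struc per_cpu                       ; one block per CPU, reached through GS
    .ring3_rsp: resq 1              ; user RSP saved on SYSCALL entry
    .ring0_rsp: resq 1              ; this CPU's kernel stack top (same value as TSS.RSP0)
endstruc

; Run once on each CPU at startup. rdi = kernel address of this CPU's per_cpu block.
syscall_init_cpu:
    mov ecx, MSR_KERNELGSBASE       ; what the entry swapgs will swap into GS base
    mov rax, rdi
    mov rdx, rdi
    shr rdx, 32
    wrmsr
    mov ecx, MSR_LSTAR              ; 64-bit SYSCALL entry point
    mov rax, syscall_entry
    mov rdx, rax
    shr rdx, 32
    wrmsr
    mov ecx, MSR_SFMASK             ; RFLAGS bits cleared on entry: IF (bit 9),
    mov eax, (1 << 9)               ; so the stub runs with interrupts disabled
    xor edx, edx
    wrmsr
    mov ecx, MSR_STAR               ; STAR[47:32] = kernel CS, STAR[63:48] = user base
    xor eax, eax
    mov edx, (USER_CS_BASE << 16) | KERNEL_CS
    wrmsr
    ret
syscall_entry:                      ; arrives on the user stack, interrupts off
    swapgs                          ; GS base <-> KERNELGSbase: GS = this CPU's per_cpu
    mov [gs:per_cpu.ring3_rsp], rsp ; save user RSP; no memory is touched before this
    mov rsp, [gs:per_cpu.ring0_rsp] ; switch to this CPU's kernel stack
    push qword [gs:per_cpu.ring3_rsp] ; keep user RSP on the kernel stack (slot is reusable)
    push rcx                        ; SYSCALL left user RIP in rcx ...
    push r11                        ; ... and user RFLAGS in r11; SYSRET needs both
    sti                             ; RSP is valid now, interrupts may be taken again
    call syscall_dispatch           ; rax = syscall number, rdi/rsi/rdx = arguments
    cli                             ; nothing may interrupt between the restores and sysret
    pop r11
    pop rcx
    pop rsp                         ; back to the user stack
    swapgs                          ; restore the user GS base
    o64 sysret                      ; RIP = rcx, RFLAGS = r11, CPL 3
```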
tsdnz
Member
Posts: 333
Joined: Sun Jun 16, 2013 4:09 am

Re: SYSCALL and SYSRET stack

Post by tsdnz »

Cheers, this is basically what I have set up.
feryno wrote:ring0 code sample handling syscall execution (MSR LSTAR is pointing to this address). It is best to enter it with interrupts disabled, so create such a mask in the corresponding syscall MSR; every CPU has its own private GS base.


swapgs                       ; GS base <-> MSR_KERNELGSbase: GS now points at this CPU's private data
mov [gs: ring3_rsp],rsp      ; save the ring3 stack pointer (no memory is touched before swapgs)
mov rsp,[gs: ring0_rsp]      ; load this CPU's ring0 stack pointer
sti                          ; RSP is valid now, interrupts can be re-enabled
At the OS startup phase it is OK to set [gs: ring0_rsp] to the same value as TSS.RSP0 (the qword at offset +4 of the TSS), so external interrupts arriving while ring3 code runs, or software interrupts executed in ring3 code, will use the same stack as the one used for syscall instructions executed in ring3.