Difference between DPL and RPL in x86

Reading the Intel x86 manual and other sources, I did not understand the difference between DPL (descriptor privilege level) and RPL (requested privilege level). Why is there a need to have both? Thank you very much.

1 answer

Good question.

CPL vs DPL vs RPL

To make this easier, first look at CPL and DPL:

  • CPL is your current privilege level.
  • DPL is the segment privilege level. It defines the minimum privilege level [1] required to access a segment.
  • Privilege levels range from 0-3; lower numbers are more privileged.
  • So: to access the segment, the CPL must be less than or equal to the DPL of the segment.

RPL is the privilege level associated with the segment selector. A segment selector is just a 16-bit value that refers to a segment. Each memory access (implicitly [2] or otherwise) uses a segment selector as part of the access.

When accessing a segment, two checks are actually performed. Access to a segment is permitted only if one of the following conditions is met:

  • CPL <= DPL
  • RPL <= DPL

Thus, even if the CPL is privileged enough to access the segment, access will still be denied if the segment selector that refers to that segment is not privileged enough.

RPL motivation

What is the purpose of this? Well, the argument is a bit outdated, but Intel documentation offers a scenario that looks something like this:

  • Suppose that the operating system provides a system call that receives a logical address (segment selector + offset) from the caller and writes to this address.
  • Normal applications run with a CPL of 3; system calls run with CPL 0.
  • Let's say that some segment (we will call it X) has DPL 0.

An application will usually not be able to access memory in segment X (because CPL > DPL). But depending on how the system call is implemented, the application may call the system call with an address parameter in segment X. Then, since the system call is privileged, it will be able to write to segment X on behalf of the application. This could lead to an escalation of privileges in the operating system.

To mitigate this, the official recommendation is that when a privileged procedure accepts a segment selector provided by unprivileged code, it must first set the RPL of the segment selector to that of the unprivileged code [3]. Thus, the operating system will not be able to make any access to this segment that the unprivileged caller could not make itself. This helps to enforce the boundary between the operating system and applications.

Then and now

Segment protection was introduced with the 286, before paging existed in the x86 processor family. At that time, segmentation was the only way to limit access to kernel memory from a user-mode context. RPL provides a convenient way to enforce this restriction when passing pointers across different privilege levels.

Modern operating systems use paging to limit access to memory, which eliminates the need for segmentation. Since we do not need segmentation, we can use the flat memory model, which means the CS, DS, SS, and ES segment registers all have a zero base and span the entire address space. In fact, 64-bit "long mode" uses a flat memory model regardless of the contents of these four segment registers. Segments are still used sometimes (for example, Windows uses FS and GS to point to the thread information block, and 0x23 and 0x33 to switch between 32- and 64-bit code, and Linux is similar), but you just don't pass segment selectors around anymore. Thus, the RPL remains largely unused, left over from the old days.

RPL: Was it ever necessary?

You asked why you need to have both DPL and RPL. Even in the 286 context, there was really no need for an RPL. Given the scenario described above, a privileged procedure can always simply retrieve the DPL of the provided segment through the LAR instruction, compare this with the privilege of the caller, and proactively bail out if the privileges of the caller are not enough to access the segment. However, setting the RPL is, in my opinion, a more elegant and simple way to control access to segments at different privilege levels.

To learn more about privilege levels, see Volume 3 of the Intel Software Developer Guide, in particular the sections entitled “Privilege Levels” and “Checking Caller Access Privileges”.

[1] Technically, DPL can have different meanings depending on which type of segment or gate is being accessed. For simplicity, everything I describe relates to data segments. Check the Intel docs for more information.
[2] For example, instruction fetches implicitly use the segment selector stored in CS; most types of data access implicitly use the segment selector stored in DS, etc.
[3] See the ARPL instruction (16-bit/32-bit protected mode only).
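The two-part check and the ARPL mitigation from the answer, modelled in plain C as an added example (not from the original answer or from Intel's documentation). The selector layout (index in bits 15..3, table indicator in bit 2, RPL in bits 1..0) is the real one; `arpl()` is a simplified model that takes the caller's privilege level directly instead of a second selector operand, and the "confused deputy" scenario with a DPL-0 segment X is the one the answer describes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Segment selector fields: bits 15..3 index, bit 2 table indicator (0 = GDT, 1 = LDT), bits 1..0 RPL. */
#define SELECTOR_RPL(sel)             ((unsigned)((sel) & 0x3u))
#define MAKE_SELECTOR(index, ti, rpl) ((uint16_t)(((index) << 3) | ((ti) << 2) | ((rpl) & 0x3u)))

/* Data-segment access check as the answer states it: both CPL <= DPL and RPL <= DPL must hold.
 * Equivalently, max(CPL, RPL) <= DPL: the less privileged of the two levels is what counts. */
bool data_access_allowed(unsigned cpl, uint16_t sel, unsigned dpl) {
    return cpl <= dpl && SELECTOR_RPL(sel) <= dpl;
}

/* Simplified model of ARPL: if the selector's RPL is numerically lower (more privileged) than the
 * caller's level, raise it to the caller's level; otherwise leave the selector unchanged. */
uint16_t arpl(uint16_t sel, unsigned caller_pl) {
    if (SELECTOR_RPL(sel) < caller_pl)
        return (uint16_t)((sel & ~0x3u) | (caller_pl & 0x3u));
    return sel;
}

/* Scenario from the answer: a CPL-3 application passes a selector for segment X (DPL 0) to a
 * system call running at CPL 0, which then writes through that selector on the caller's behalf.
 * Returns whether the kernel-side write would be permitted. */
bool kernel_write_on_behalf(uint16_t user_sel, unsigned user_cpl, unsigned target_dpl, bool sanitize) {
    const unsigned kernel_cpl = 0;
    uint16_t sel = sanitize ? arpl(user_sel, user_cpl) : user_sel;  /* the recommended mitigation */
    return data_access_allowed(kernel_cpl, sel, target_dpl);
}

int main(void) {
    /* Constructed selector: GDT index 4, RPL 0 (the application forged the RPL bits). */
    uint16_t forged = MAKE_SELECTOR(4, 0, 0);
    printf("app itself (CPL 3) -> X (DPL 0): %s\n", data_access_allowed(3, forged, 0) ? "allowed" : "denied");
    printf("kernel, raw selector         : %s\n", kernel_write_on_behalf(forged, 3, 0, false) ? "allowed" : "denied");
    printf("kernel, after ARPL           : %s\n", kernel_write_on_behalf(forged, 3, 0, true) ? "allowed" : "denied");
    return 0;
}
```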


Source: https://habr.com/ru/post/1247107/
