>
> "Kevin P. Lawton" <[EMAIL PROTECTED]> wrote:
>
> > Then why not do the same for guest OS code, since it's
> > also running at ring3? We have to look at a few issues
> > here. The most obvious one is that the RPL (lower
> > bits) of the selector define the privilege level,
> > and if you're running in the wrong privilege
> > level, a "PUSH CS; POP EAX" will see this difference.
>
> B.t.w. is it possible to actually let the guest load a
> segment register with RPL 0 (but the *DPL* still remains 3)?
AIUI if you can get into SMM on a Pentium you can set
the RPL of the segment separately from the lower 2 bits
of the selector by monkeying with the saved state map
(undocumented feature though and I don't think there
is a portable way to get your code executed in SMM).
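
The privilege checks this thread turns on, modelled in C as an added example that is not part of either message. It encodes the architectural protected-mode rules for reading the RPL out of a selector and for loading DS/ES/FS/GS and SS; the function names and selector values are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Fields of a 16-bit protected-mode segment selector. */
static unsigned sel_rpl(uint16_t sel)   { return sel & 0x3; }        /* bits 1:0 */
static unsigned sel_ti(uint16_t sel)    { return (sel >> 2) & 0x1; } /* 0=GDT, 1=LDT */
static unsigned sel_index(uint16_t sel) { return sel >> 3; }         /* descriptor index */

/* What code sees as its privilege level when it reads CS,
 * e.g. via "PUSH CS; POP EAX": the low two bits of the selector. */
static unsigned visible_cpl(uint16_t cs) { return sel_rpl(cs); }

/* Loading DS/ES/FS/GS with a data (or non-conforming code) segment
 * succeeds only if DPL >= max(CPL, RPL); otherwise the CPU raises #GP. */
static bool data_load_ok(unsigned cpl, uint16_t sel, unsigned dpl)
{
    unsigned rpl = sel_rpl(sel);
    unsigned effective = cpl > rpl ? cpl : rpl;
    return dpl >= effective;
}

/* Loading SS is stricter: RPL and DPL must both equal CPL. */
static bool stack_load_ok(unsigned cpl, uint16_t sel, unsigned dpl)
{
    return sel_rpl(sel) == cpl && dpl == cpl;
}

int main(void)
{
    /* Constructed selectors: same GDT entry, different RPL. */
    uint16_t cs_native = 0x0008; /* index 1, RPL 0: guest kernel on bare metal */
    uint16_t cs_ring3  = 0x000B; /* index 1, RPL 3: same code pushed down to ring 3 */
    uint16_t ds_rpl0   = 0x0010; /* index 2, RPL 0 */

    printf("native CS=%#06x -> CPL %u\n", cs_native, visible_cpl(cs_native));
    printf("ring3  CS=%#06x -> CPL %u (index %u, TI %u)\n", cs_ring3,
           visible_cpl(cs_ring3), sel_index(cs_ring3), sel_ti(cs_ring3));

    /* The case asked about above: RPL 0 selector, DPL 3 descriptor, CPL 3. */
    printf("DS load, CPL 3, RPL 0, DPL 3: %s\n",
           data_load_ok(3, ds_rpl0, 3) ? "ok" : "#GP");
    printf("DS load, CPL 3, RPL 0, DPL 0: %s\n",
           data_load_ok(3, ds_rpl0, 0) ? "ok" : "#GP");
    printf("SS load, CPL 3, RPL 0, DPL 3: %s\n",
           stack_load_ok(3, ds_rpl0, 3) ? "ok" : "#GP");
    return 0;
}
```

The model covers only the load-time checks; it says nothing about the SMM saved-state behaviour mentioned in the reply.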