Question

I read in a tutorial that some 15 instructions in the x86 architecture are not allowed to be used in user mode.

I know there is something called the code segment register, which keeps track of the current privilege level.

My question is:
a) Does the CPU, before executing every instruction, have to check the current privilege level it is running at?

b) What actually happens if an instruction which cannot be used in user mode is present in a user program? How does the CPU come to know about this before executing?

Solution

The CPU does check CPL, RPL and the like before executing certain instructions or certain parts of them (there are a number of instructions with very complex logic, and the set of checks to perform depends on a number of conditions).

If an instruction is not allowed to execute, the CPU generates an exception event, which is then dispatched to its handler. Exception handlers are similar to interrupt handlers in nature and are defined by the OS. So, when the OS gets to handle an exception that it cannot anyhow correct, it terminates the program that's caused the exception.

An example of a "correctable" exception is a page fault for virtual memory that's been offloaded to the disk. The OS loads the code/data that the application is trying to use back from the disk into memory.

OTHER TIPS

The Current Privilege Level is saved in one of the bits of the CS register (technically 2 bits on x86).
Certain instructions are not allowed in the code. For example, users can be prevented from making certain system calls. `int X` (in x86 assembly) results in a system call, with X being an index into the IDT (interrupt descriptor table). This index points to the system call. Also, a field called DPL is stored in each entry of the IDT.
These are the steps followed by an `int` instruction:
• Fetch the n'th descriptor from the IDT, where n is the argument of `int`.
• Check that CPL in %cs is <= DPL, where DPL is the privilege level in the descriptor.
• If yes, then the user code has enough privilege to do this system call; the current execution context is saved (registers etc.), because we now switch to kernel mode.
• If not, then the user didn't have enough privilege to execute this, and it will result in an int 13 instruction (general protection fault) being executed.

Well, for one category of DO NOT DO instructions this is how the checking is done; I am not aware of how it is done for other instructions.
Also, for accessing different segments through the GDT (gate descriptor table), the approach is the same.

PS: This is valid only on x86-based systems. Please comment the link where you saw the list of reserved instructions.
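
The `int n` check listed in the answer above, modelled in C as an added example that is not part of the original posts. The IDT contents, the selector values and the helper names (`make_gate`, `software_int`) are constructed for illustration, and the further checks a real CPU makes (IDT limit, present bit, gate type) are left out.

```c
#include <stdint.h>
#include <stdio.h>

#define VEC_GP   13   /* general protection fault, as named in the answer */
#define IDT_SIZE 256

struct int_result {
    int delivered;        /* 1 = control transfers through the gate */
    int fault_vector;     /* VEC_GP when the check fails, otherwise -1 */
    uint16_t error_code;  /* #GP error code: (n << 3) | 2 flags an IDT index */
};

/* CPL is held in the low two bits of the CS selector. */
static unsigned cpl_of(uint16_t cs) { return cs & 3u; }

/* DPL occupies bits 45-46 of an 8-byte protected-mode gate descriptor. */
static unsigned gate_dpl(uint64_t gate) { return (unsigned)(gate >> 45) & 3u; }

/* Constructed 32-bit interrupt gate: present bit set, type 0xE, chosen DPL. */
static uint64_t make_gate(uint32_t offset, uint16_t selector, unsigned dpl) {
    uint64_t attr = 0x80u | ((dpl & 3u) << 5) | 0x0Eu;
    return (uint64_t)(offset & 0xFFFFu) | ((uint64_t)selector << 16) |
           (attr << 40) | ((uint64_t)(offset >> 16) << 48);
}

/* Model of the privilege check made for a software `int n`. */
static struct int_result software_int(const uint64_t *idt, uint8_t n, uint16_t cs) {
    struct int_result r = { 0, VEC_GP, (uint16_t)((n << 3) | 2) };
    if (cpl_of(cs) <= gate_dpl(idt[n])) {   /* CPL <= DPL: allowed */
        r.delivered = 1;
        r.fault_vector = -1;
        r.error_code = 0;
    }
    return r;
}

int main(void) {
    static uint64_t idt[IDT_SIZE];
    const uint16_t user_cs = 0x23;           /* constructed selector, CPL 3 */
    for (int i = 0; i < IDT_SIZE; i++)
        idt[i] = make_gate(0x1000u + (uint32_t)i, 0x08, 0);  /* kernel-only */
    idt[0x80] = make_gate(0x2000u, 0x08, 3); /* gate opened to user mode */
    struct int_result ok = software_int(idt, 0x80, user_cs);
    struct int_result bad = software_int(idt, 0x0E, user_cs);
    printf("int 0x80 from CPL 3: delivered=%d\n", ok.delivered);
    printf("int 0x0e from CPL 3: fault=%d error_code=0x%x\n",
           bad.fault_vector, bad.error_code);
    return 0;
}
```

In this model only the gate at 0x80 has DPL 3, so a user-mode `int` to any other vector ends in vector 13 rather than in that vector's handler.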

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow