8.10 Enforcing the Privileged Boundary


The privileged boundary in EMulatR is absolute. Execution state is either inside PAL mode or outside PAL mode — there is no intermediate state, no partial privilege, and no legal mechanism to blur this boundary.

 

8.10.1 Single Entry, Single Exit

CALL_PAL is the only legal entry into PAL mode and HW_REI is the only legal exit from it. CALL_PAL saves the return address and transfers control to the PAL entry point selected by its function code; HW_REI returns to that saved address and leaves PAL mode. Any attempt to jump directly to a PAL address, set the PAL mode state by any other means, execute HW_REI outside PAL mode, or leave PAL through an ordinary branch or jump is architecturally illegal and raises a fault.

 

8.10.2 Instruction-Level Enforcement

Privilege is enforced at instruction decode and execution time. Outside PAL mode, the PALcode-reserved instructions (HW_MFPR, HW_MTPR, HW_LD, HW_ST, HW_REI) fault with OPCDEC at decode, before the instruction modifies any architectural state. Because IPRs are reachable only through HW_MFPR and HW_MTPR, every IPR read and write outside PAL mode faults as well, as do cache and TLB control operations. Inside PAL mode all of these operations are legal.
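The following C model is an added example, not EMulatR's own code. It implements the rules of 8.10.1 and 8.10.2 in one place: a decode-time gate that raises OPCDEC for the PALcode-reserved opcodes outside PAL mode, CALL_PAL as the single entry that saves the return PC and jumps to a vector, and HW_REI as the single exit. The opcode numbers are the EV4/EV5 PALcode-reserved opcodes; the vector offsets, the register file and the IPR file are stand-ins chosen for the example, not EMulatR's layout.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not EMulatR's code: the decode-time privilege gate and the
 * CALL_PAL / HW_REI entry and exit path. Assumptions: EV4/EV5 PALcode-reserved
 * opcode numbers; VEC_* offsets, the register file and the IPR file are stand-ins. */

enum fault { FAULT_NONE = 0, FAULT_OPCDEC = 1 };
enum { OPC_CALL_PAL = 0x00, OPC_HW_MFPR = 0x19, OPC_HW_LD = 0x1B,
       OPC_HW_MTPR = 0x1D, OPC_HW_REI = 0x1E, OPC_HW_ST = 0x1F };
#define VEC_CALL_PAL 0x2000u              /* stand-in vector offsets (assumption) */
#define VEC_OPCDEC   0x0400u

typedef struct {
    bool     pal_mode;                    /* the only privilege state there is */
    uint64_t pc, exc_addr, pal_base;      /* exc_addr: set on entry, used by HW_REI */
    uint64_t r[32], ipr[32];              /* IPRs are reachable only via HW_MxPR */
} cpu_t;

#define OPCODE(i) ((i) >> 26)
#define RA(i)     (((i) >> 21) & 31)
/* Constructed instruction word: opcode, Ra, low 16 bits (IPR index / function). */
#define ENC(opc, reg, low) (((uint32_t)(opc) << 26) | ((uint32_t)(reg) << 21) | ((low) & 0xFFFFu))

/* Opcodes that decode only in PAL mode. CALL_PAL is deliberately absent: it is the way in. */
static bool pal_reserved(unsigned opc)
{
    return opc == OPC_HW_MFPR || opc == OPC_HW_LD || opc == OPC_HW_MTPR ||
           opc == OPC_HW_REI  || opc == OPC_HW_ST;
}

/* The single entry path, shared by CALL_PAL and by every fault. */
static void enter_pal(cpu_t *cpu, uint64_t vector, uint64_t return_pc)
{
    cpu->exc_addr = return_pc;
    cpu->pal_mode = true;
    cpu->pc       = vector;
}

/* Decode and execute one instruction; returns the fault taken, if any. */
int step(cpu_t *cpu, uint32_t insn)
{
    unsigned opc  = OPCODE(insn);
    uint64_t next = cpu->pc + 4;
    if (opc == OPC_CALL_PAL) {                       /* single entry */
        uint64_t func = insn & 0xFFu;                /* function code selects the vector */
        enter_pal(cpu, cpu->pal_base + VEC_CALL_PAL + (func << 6), next);
        return FAULT_NONE;
    }
    /* Enforced at decode: nothing executes, no register changes, exc_addr names the culprit. */
    if (pal_reserved(opc) && !cpu->pal_mode) {
        enter_pal(cpu, cpu->pal_base + VEC_OPCDEC, cpu->pc);
        return FAULT_OPCDEC;
    }
    switch (opc) {
    case OPC_HW_REI:                                 /* single exit */
        cpu->pal_mode = false;   /* EV4/EV5 carry the mode bit in EXC_ADDR<0>; simplified here */
        cpu->pc = cpu->exc_addr;
        return FAULT_NONE;
    case OPC_HW_MTPR: cpu->ipr[insn & 31] = cpu->r[RA(insn)]; break;
    case OPC_HW_MFPR: cpu->r[RA(insn)] = cpu->ipr[insn & 31]; break;
    default: break;                                  /* ordinary instruction, legal in any mode */
    }
    cpu->pc = next;
    return FAULT_NONE;
}

/* User-mode HW_MFPR: OPCDEC, Ra untouched, PAL entered with exc_addr == faulting PC. */
int scenario_user_mfpr_faults(void)
{
    cpu_t c = { .pal_base = 0x8000, .pc = 0x10000 };
    c.ipr[3] = 0xDEAD;
    int f = step(&c, ENC(OPC_HW_MFPR, 5, 3));
    return f == FAULT_OPCDEC && c.pal_mode && c.exc_addr == 0x10000 &&
           c.pc == 0x8400 && c.r[5] == 0;
}

/* CALL_PAL in, HW_MTPR/HW_MFPR legal inside, HW_REI out to the instruction after
 * CALL_PAL; the same HW_REI executed outside PAL mode is an OPCDEC fault. */
int scenario_call_pal_round_trip(void)
{
    cpu_t c = { .pal_base = 0x8000, .pc = 0x10000 };
    c.r[1] = 0x55;
    if (step(&c, ENC(OPC_CALL_PAL, 0, 0x80)) != FAULT_NONE) return 0;
    if (!c.pal_mode || c.pc != 0x8000 + 0x2000 + (0x80u << 6)) return 0;
    if (step(&c, ENC(OPC_HW_MTPR, 1, 7)) != FAULT_NONE || c.ipr[7] != 0x55) return 0;
    if (step(&c, ENC(OPC_HW_MFPR, 2, 7)) != FAULT_NONE || c.r[2] != 0x55) return 0;
    if (step(&c, ENC(OPC_HW_REI, 0, 0)) != FAULT_NONE || c.pal_mode || c.pc != 0x10004) return 0;
    return step(&c, ENC(OPC_HW_REI, 0, 0)) == FAULT_OPCDEC && c.pal_mode &&
           c.exc_addr == 0x10004;
}

int main(void)
{
    printf("user HW_MFPR faults: %s\n", scenario_user_mfpr_faults() ? "ok" : "FAIL");
    printf("CALL_PAL round trip: %s\n", scenario_call_pal_round_trip() ? "ok" : "FAIL");
    return 0;
}
```

The second scenario is the point of the single-exit rule: once HW_REI has returned to non-PAL mode, the same instruction word is no longer a return but an OPCDEC fault that re-enters PAL through the fault vector with exc_addr pointing at it. Both fault and CALL_PAL go through the one enter_pal path, which is what 8.10.5 relies on. Compile with any C99 compiler; both scenarios print ok.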

 

8.10.3 Pipeline Enforcement

The pipeline enforces the separation at the transitions themselves: PAL entry is serialized, speculative instructions are flushed, fetch does not cross a privilege transition, no instruction is speculatively executed past CALL_PAL, and execution restarts cleanly after HW_REI. As a result no speculative instruction ever executes with PAL privilege, no user-mode instruction executes in PAL context, and no PAL instruction retires in user context.

 

8.10.4 Memory System Enforcement

The memory system contributes its own checks: IPR-backed regions are inaccessible outside PAL mode, certain MMIO regions require PAL mode, memory barriers enforce visibility at transitions, the LL/SC reservation is cleared on PAL entry and exit, and write buffers are drained as required. One consequence of the reservation rule is that an LDx_L/STx_C sequence can never span a PAL transition: a STx_C issued after a CALL_PAL/HW_REI round trip always fails and must be retried.
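As an added example (not EMulatR's code), the following C model turns the memory-side rules above into checks a practitioner can run: an IPR-backed window that faults outside PAL mode, a write buffer that is drained on every transition, and the LL/SC reservation being cleared by the transition so that a STQ_C after a CALL_PAL/HW_REI round trip fails. The 8-word memory, the word-index IPR window and the single-entry write buffer are stand-ins for the example, and the ACC_* result codes are its own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not EMulatR's code: the memory system's share of the boundary.
 * Assumptions: an 8-word memory, an IPR-backed window chosen by word index (a
 * stand-in, not a real Alpha address map), and a single-entry write buffer. */

enum access_result { ACC_FAULT = -1, ACC_SC_FAIL = 0, ACC_OK = 1 };

typedef struct {
    uint64_t mem[8];                         /* word index = addr >> 3 */
    bool     lock_flag;                      /* LL/SC reservation valid */
    uint64_t lock_addr;                      /* address reserved by the last LDQ_L */
    bool     wb_valid; uint64_t wb_addr, wb_data;   /* one buffered plain store */
    unsigned ipr_win;                        /* word index backed by an IPR (assumption) */
} memsys_t;

/* Write buffer: a plain store waits here until a later access or a transition drains it. */
static void wb_drain(memsys_t *m)
{
    if (!m->wb_valid) return;
    m->mem[m->wb_addr >> 3] = m->wb_data;
    m->wb_valid = false;
}

/* Called on every CALL_PAL and every HW_REI: no LL/SC sequence and no buffered
 * store may span the boundary. */
void pal_transition(memsys_t *m) { m->lock_flag = false; wb_drain(m); }

/* IPR-backed locations are privileged state: only PAL code may touch them. */
static bool needs_pal(const memsys_t *m, uint64_t addr) { return (addr >> 3) == m->ipr_win; }

int ldq_l(memsys_t *m, bool pal_mode, uint64_t addr, uint64_t *out)
{
    if (needs_pal(m, addr) && !pal_mode) return ACC_FAULT;
    wb_drain(m);                             /* the load sees the latest store */
    *out = m->mem[addr >> 3];
    m->lock_flag = true; m->lock_addr = addr;
    return ACC_OK;
}

int stq_c(memsys_t *m, bool pal_mode, uint64_t addr, uint64_t val)
{
    if (needs_pal(m, addr) && !pal_mode) return ACC_FAULT;
    bool ok = m->lock_flag && m->lock_addr == addr;  /* reservation still intact? */
    m->lock_flag = false;                    /* consumed either way */
    if (!ok) return ACC_SC_FAIL;
    m->mem[addr >> 3] = val;
    return ACC_OK;
}

int stq(memsys_t *m, bool pal_mode, uint64_t addr, uint64_t val)
{
    if (needs_pal(m, addr) && !pal_mode) return ACC_FAULT;
    wb_drain(m);
    m->wb_valid = true; m->wb_addr = addr; m->wb_data = val;   /* buffered, not yet visible */
    return ACC_OK;
}

/* A user LDQ_L / STQ_C pair with a PAL round trip in between must fail and leave
 * memory untouched; the same pair with no transition succeeds. Returns 1 if so. */
int scenario_llsc_cannot_span_pal(void)
{
    memsys_t m = { .ipr_win = 7 };
    uint64_t v = 0; m.mem[2] = 0x11;
    if (ldq_l(&m, false, 0x10, &v) != ACC_OK || v != 0x11) return 0;
    pal_transition(&m);                      /* CALL_PAL */
    pal_transition(&m);                      /* HW_REI  */
    if (stq_c(&m, false, 0x10, 0x22) != ACC_SC_FAIL || m.mem[2] != 0x11) return 0;
    if (ldq_l(&m, false, 0x10, &v) != ACC_OK) return 0;
    return stq_c(&m, false, 0x10, 0x22) == ACC_OK && m.mem[2] == 0x22;
}

/* IPR-backed window: faults outside PAL mode, readable inside it. */
int scenario_ipr_window_needs_pal(void)
{
    memsys_t m = { .ipr_win = 7 };
    uint64_t v = 0; m.mem[7] = 0xABCD;
    if (ldq_l(&m, false, 0x38, &v) != ACC_FAULT || v != 0) return 0;
    return ldq_l(&m, true, 0x38, &v) == ACC_OK && v == 0xABCD;
}

/* A buffered user store becomes visible on the transition into PAL. */
int scenario_write_buffer_drained(void)
{
    memsys_t m = { .ipr_win = 7 };
    if (stq(&m, false, 0x18, 0x42) != ACC_OK || m.mem[3] != 0) return 0;
    pal_transition(&m);
    return m.mem[3] == 0x42 && !m.wb_valid;
}

int main(void)
{
    printf("LL/SC across PAL fails: %d, IPR window gated: %d, write buffer drained: %d\n",
           scenario_llsc_cannot_span_pal(), scenario_ipr_window_needs_pal(), scenario_write_buffer_drained());
    return 0;
}
```

pal_transition is the hook an emulator would call from both the CALL_PAL and the HW_REI path. The retry at the end of the first scenario, with no transition in between, confirms that the failed STQ_C is caused by the boundary and not by the model. The block carries no SMP state; in an SMP build each CPU would own its own lock flag and write buffer.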

 

8.10.5 Exception-Based Enforcement

Any violation of the privileged boundary results in an architectural fault. A privileged instruction executed outside PAL mode, an illegal IPR access, an invalid return from PAL, or an unauthorized control register modification is detected synchronously, delivered precisely (the offending instruction does not retire and the saved exception address identifies it), and enters PAL through the normal exception vectors. There is no mask, mode, or setting under which these faults can be suppressed or ignored.

 

8.10.6 SMP Considerations

In SMP systems each CPU enforces its own privileged boundary independently. PAL mode is per-CPU state: one CPU entering or leaving PAL mode does not change the mode of any other CPU, and a privilege violation on one CPU faults only that CPU. IPIs are delivered through PAL mode. This gives isolation between CPUs and deterministic privilege behavior.

 

See Also: 3.14 Precise Exceptions; Chapter 6 - Serialization and Stall Model.