How's IRQL implemented in ARM64?

wc2023 · February 1, 2024, 12:21am

I know that the IRQL is implemented as a register in the Intel’s x64 CPUs. But how is it implemented in ARM64?

Tim_Roberts · February 1, 2024, 2:10am

The ARM architecture only has two interrupt signals, so IRQL is managed by the interrupt controller. The CPU doesn’t really need the IRQL – the interrupt controller does.

wc2023 · February 1, 2024, 10:07am

@Tim_Roberts hmm, interesting. So then what CPU instructions is KeRaiseIrql translated to?

Tim_Roberts · February 2, 2024, 5:36am

The ARM architecture calls its tightly coupled peripherals “co-processors”. The MCR and MRC instructions are used to communicate with the co-processors. I don’t know the exact details of KeRaiseIrql; I’ve never had my hand on a Windows ARM system. If you have one, you could use windbg to disassemble it.

wc2023 · February 2, 2024, 9:44pm

@Tim_Roberts Yeah, it’s interesting. Here’s the disassembly.

nt!KeGetCurrentIrql is the easiest:

ldrb    w0, [xpr, #0x38]
ret

While nt!KfRaiseIrql is slightly more complex:

    uxtb   w1, w0
    ldrb    w0, [xpr, #0x38]
    cmp    w0, w1
    bhs      lbl_ret
    strb     w1, [xpr, #0x38]
    adrp    x8, PpmPolicyConfig ....
    ldr       w8, [x8, KiIrqlFlags]
    cbz      w8, bl_ret
    b          lbl_raise_proc_irql_flags
lbl_ret:
    ret

So it basically doesn’t do much with it, and just reads or writes it into _KPCR::CurrentIrql. Am I seeing it correctly?