Tags: assembly, x86, privileges, memory-segmentation

Why does `pop SS` need that RPL and DPL are equal to the CPL?


Recently, when I read the book "Computer Organization and Design: The Hardware/Software Interface" by David A. Patterson and John L. Hennessy, it references one resource [Robin and Irvine, 2000] that talks about the pop instruction with segment registers in the virtualization context.

The Robin paper references the Intel doc, which says there are two exceptions:

If the SS register is being loaded and the segment selector's RPL and the segment descriptor’s DPL are not equal to the CPL.

If the DS, ES, FS, or GS register is being loaded and the segment pointed to is a data or nonconforming code segment, but both the RPL and the CPL are greater than the DPL.

And also, from the "Operation" section in the doc, SS needs a strict equality relation, via "or segment selector's RPL ≠ CPL" and "or DPL ≠ CPL".

Wikipedia, however, gives the relation check between DPL, RPL and CPL as something a little different from the above:

max(CPL, RPL) ≤ DPL


The Intel doc also says where the three PLs are stored, in figure 5-4.

Q: Why is SS (stack segment) special in that it needs CPL to be equal to the other two? The others, like DS and ES, don't need that (i.e. CPL can be smaller than DPL, and a higher privilege level in CPL can access a lower DPL when in a conforming segment).
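To make the two rules quoted in the question concrete, here is an added Python model (not code from the question, the answer, or any Intel document) of the privilege check for loading SS versus DS/ES/FS/GS with a data or nonconforming code segment. The selector values and descriptors are constructed for illustration; null selectors and conforming code segments are left out of scope. It also enumerates the (CPL, RPL, DPL) triples where the "both greater" wording of the exception list disagrees with the max(CPL, RPL) ≤ DPL form from Wikipedia, which is the rule Intel's protection chapter states for data-segment access.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Descriptor:
    dpl: int              # descriptor privilege level, 0 (most privileged) .. 3
    writable_data: bool   # True for a writable data segment, False otherwise


def rpl(selector: int) -> int:
    """The requested privilege level is the low two bits of a selector."""
    return selector & 0b11


def ss_load_ok(selector: int, desc: Descriptor, cpl: int) -> bool:
    """pop SS / mov SS: strict equality RPL == CPL == DPL on a writable data segment."""
    return desc.writable_data and rpl(selector) == cpl and desc.dpl == cpl


def data_load_ok(selector: int, desc: Descriptor, cpl: int) -> bool:
    """DS/ES/FS/GS: the load succeeds when max(CPL, RPL) <= DPL."""
    return max(cpl, rpl(selector)) <= desc.dpl


def data_load_ok_both_wording(selector: int, desc: Descriptor, cpl: int) -> bool:
    """Literal reading of the quoted exception text: fault only when BOTH
    RPL and CPL are numerically greater than DPL."""
    return not (rpl(selector) > desc.dpl and cpl > desc.dpl)


def kernel_touching_user_segment() -> dict:
    """The asymmetry the question asks about: CPL 0 code, a DPL 3 segment,
    selector 0x23 (constructed: GDT index 4, RPL 3)."""
    user_data = Descriptor(dpl=3, writable_data=True)
    return {"DS": data_load_ok(0x23, user_data, cpl=0),   # allowed: 0 <= 3
            "SS": ss_load_ok(0x23, user_data, cpl=0)}     # #GP: RPL and DPL are not CPL


def disagreements() -> list:
    """(cpl, rpl, dpl) triples where the two readings of the DS rule differ,
    i.e. exactly one of CPL and RPL is numerically greater than DPL."""
    out = []
    for cpl, r, dpl in product(range(4), repeat=3):
        desc = Descriptor(dpl=dpl, writable_data=True)
        if data_load_ok(r, desc, cpl) != data_load_ok_both_wording(r, desc, cpl):
            out.append((cpl, r, dpl))
    return out
```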


Solution

  • I think it might be more philosophical than technical.

    DPL > CPL/RPL arises in situations like when kernel code is accessing memory that "belongs" to a less-privileged process (e.g. reading or writing data for a system call). But there is no good reason to have the kernel stack located in a segment that belongs to less-privileged code; it would be nonsensical and possibly a security flaw. Your stack is your own data, not anybody else's.

    So from that point of view, the architecture designers could assume that trying to load such an SS must be the result of a bug, and therefore should be rejected with an exception.