How to properly set privileges in page directory entries?

2

First of all: this question is about the IA-32 (x86) architecture.

I have a question about legacy (non-PSE, non-PAE) paging. In legacy paging, we have a page directory with 1024 entries, each one pointing to a page table. Each page table contains 1024 entries (these are the pages), each one pointing to a 4096-byte aligned physical address.

Meanwhile, every single page directory entry and page table entry holds some flags, and both of them have a 'U' flag (bit #2): if this flag is set, then the page may be accessed by both user (ring3) and supervisor (ring0); if this flag is not set, however, only the supervisor (ring0) can access it. This flag is often called the "User/Supervisor bit".

The question: What should I do if I want to have both ring0 and ring3 pages in the same page table? I can set up the entries in the page table with the appropriate privileges, but what privilege should the corresponding page directory entry specify?

For example: I set up the first page table (virtual address range: 0x00000000 - 0x003FFFFF) to map physical address range 0x00000000 - 0x003FFFFF (this covers 4 megabytes). The first megabyte (0x00000000 - 0x000FFFFF) should be only accessible by the supervisor (ring0), therefore, the "User/Supervisor bit" is cleared. The following three megabytes (0x00100000 - 0x003FFFFF) should be accessible by both user (ring3) and supervisor (ring0), therefore, the "User/Supervisor bit" is set.

This page table is pointed to by the first page directory entry. But should the "User/Supervisor bit" for that page directory entry be cleared (only supervisor) or set (both user and supervisor)? What is the difference?

memory
x86
intel
paging
osdev
asked on Stack Overflow Jan 28, 2020 by Kerberos • edited Jan 28, 2020 by Michael Petch

1 Answer

3

The CPU will use the most restrictive privilege in either the Page Directory Entry (PDE) or the Page Table Entries (PTE). If a PDE has Supervisor privilege then all the page tables below it will have Supervisor privilege no matter what individual PTEs use. If a PDE has User privilege level then the protection level of the PTE determines the final privilege level.

This behaviour is defined in the Intel® 64 and IA-32 Architectures Software Developer’s Manual Volume 3A.

4.11.4 Combining Protection of Both Levels of Page Tables

For any one page, the protection attributes of its page-directory entry (first-level page table) may differ from those of its page-table entry (second-level page table). The processor checks the protection for a page in both its page-directory and the page-table entries. Table 4-3 shows the protection provided by the possible combinations of protection attributes when the WP flag is clear.

Table 4-3 appears as:

[image of Table 4-3]

Answer to the question: If you want to have a mix of pages with User and Supervisor privilege under a particular PDE then set the PDE to User privilege and the PTEs accordingly (User or Supervisor).

answered on Stack Overflow Jan 28, 2020 by Michael Petch • edited Jan 28, 2020 by Michael Petch
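
The layout from the question and the combining rule from the answer, as an added example that is not part of the original post: a user-space C model that builds the first page table with mixed privileges and checks what ring 3 can reach under each choice of PDE flag. `PT_PHYS`, `build_first_4mib` and `user_can_access` are constructed names for this sketch, and only the User/Supervisor check is modelled.

```c
#include <stdint.h>
#include <stdio.h>

#define PG_PRESENT 0x001u            /* bit 0 */
#define PG_RW      0x002u            /* bit 1 */
#define PG_USER    0x004u            /* bit 2: User/Supervisor */
#define PT_PHYS    0x00400000u       /* constructed: pretend physical address of page_tab0 */

static uint32_t page_dir[1024];
static uint32_t page_tab0[1024];

/* Identity-map 0x00000000-0x003FFFFF as in the question: first 1 MiB
 * supervisor-only, the next 3 MiB user-accessible. The PDE flags are a
 * parameter so both choices for its U/S bit can be compared. */
void build_first_4mib(uint32_t pde_flags)
{
    for (uint32_t i = 0; i < 1024; i++) {
        uint32_t phys = i << 12;
        uint32_t flags = PG_PRESENT | PG_RW;
        if (phys >= 0x00100000u)
            flags |= PG_USER;
        page_tab0[i] = phys | flags;
    }
    page_dir[0] = PT_PHYS | pde_flags;
}

/* Model of the U/S check only (R/W and CR0.WP are not modelled):
 * returns 1 if a ring 3 access to vaddr is allowed, else 0. */
int user_can_access(uint32_t vaddr)
{
    uint32_t pde = page_dir[vaddr >> 22];
    if (!(pde & PG_PRESENT) || (pde & ~0xFFFu) != PT_PHYS)
        return 0;                    /* not mapped in this model */
    uint32_t pte = page_tab0[(vaddr >> 12) & 0x3FFu];
    if (!(pte & PG_PRESENT))
        return 0;
    return (pde & pte & PG_USER) != 0;   /* U must be set at both levels */
}

int main(void)
{
    build_first_4mib(PG_PRESENT | PG_RW | PG_USER);
    printf("PDE=User:       0x000B8000 -> %d, 0x00100000 -> %d\n",
           user_can_access(0x000B8000u), user_can_access(0x00100000u));
    build_first_4mib(PG_PRESENT | PG_RW);
    printf("PDE=Supervisor: 0x00100000 -> %d\n", user_can_access(0x00100000u));
    return 0;
}
```

With the PDE marked Supervisor, the three megabytes whose PTEs have the User bit set still fail the ring 3 check, which is why the mixed table needs a User PDE.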

User contributions licensed under CC BY-SA 3.0