
CPU Privilege Rings: Why aren't rings 1 and 2 used?

People also ask

Which ring level is most privileged in CPU virtualization?

There are 4 privilege levels ranging from 0 which is the most privileged, to 3 which is least privileged. Most modern operating systems use level 0 for the kernel/executive, and use level 3 for application programs. Any resource available to level n is also available to levels 0 to n, so the privilege levels are rings.

What ring number has the highest privileges?

Ring 0 is the most privileged and ring 3 is the least privileged. Ring 0 is accessible to the kernel, which is a central part of most operating systems and can access everything.

What are protection rings, and how are they used in virtualization?

Protection rings are a mechanism to protect data and functionality from faults (fault tolerance) and malicious behavior (computer security). This approach is diametrically opposite to that of capability-based security.

What is the concept of protection rings in security architecture?

Definition. Protection rings are a hierarchical system architecture that separates levels of interaction within an operating system in order to provide fault protection among computer users, components, applications, and processes.


As a hobbyist operating system writer, I found that because paging (a major part of the modern protection model) only has a concept of privileged (ring 0,1,2) and unprivileged, the benefits of rings 1 and 2 were diminished greatly.

The intent by Intel in having rings 1 and 2 is for the OS to put device drivers at that level, so they are privileged, but somewhat separated from the rest of the kernel code.

Rings 1 and 2 are in a way, "mostly" privileged. They can access supervisor pages, but if they attempt to use a privileged instruction, they still GPF like ring 3 would. So it is not a bad place for drivers as Intel planned...

That said, they definitely do have use in some designs. In fact, not always directly by the OS. For example, VirtualBox, a Virtual Machine, puts the guest kernel code in ring 1. I am also sure some operating systems do make use of them, I just don't think it is a popular design at the moment.
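Added example (not part of the original answers): a small C model of the checks described above, showing that rings 1 and 2 pass the page-level supervisor check like ring 0 but take a general protection fault on privileged instructions like ring 3. The function and enum names are hypothetical, the sample page-table entry is constructed, and SMEP/SMAP/NX and the TSS I/O bitmap are deliberately left out.

```c
#include <stdbool.h>
#include <stdio.h>

/* x86 page-table entry flag bits */
#define PTE_PRESENT 0x1u
#define PTE_RW      0x2u /* 1 = writable */
#define PTE_US      0x4u /* 1 = user page, 0 = supervisor-only */

enum outcome { ALLOWED, PAGE_FAULT, GENERAL_PROTECTION };

/* Page-level check: paging sees only two classes, supervisor (CPL 0-2)
 * and user (CPL 3). Simplified: SMEP/SMAP/NX are not modeled. */
enum outcome page_access(int cpl, unsigned pte, bool write, bool cr0_wp)
{
    bool supervisor = cpl < 3;

    if (!(pte & PTE_PRESENT))
        return PAGE_FAULT;
    if (!supervisor && !(pte & PTE_US))
        return PAGE_FAULT;
    /* Read-only pages stop user writes always, supervisor writes only
     * when CR0.WP is set. */
    if (write && !(pte & PTE_RW) && (!supervisor || cr0_wp))
        return PAGE_FAULT;
    return ALLOWED;
}

/* Privileged instructions (e.g. LGDT, MOV to CR0, HLT) need CPL 0. */
enum outcome privileged_insn(int cpl)
{
    return cpl == 0 ? ALLOWED : GENERAL_PROTECTION;
}

/* IOPL-sensitive instructions (CLI, STI, IN, OUT) need CPL <= IOPL;
 * the TSS I/O bitmap fallback for IN/OUT is not modeled. */
enum outcome iopl_insn(int cpl, int iopl)
{
    return cpl <= iopl ? ALLOWED : GENERAL_PROTECTION;
}

int main(void)
{
    unsigned kpage = PTE_PRESENT | PTE_RW; /* constructed supervisor-only PTE */
    for (int cpl = 0; cpl <= 3; cpl++) /* prints 0=allowed, 1=#PF, 2=#GP */
        printf("CPL %d: kernel page %d, privileged insn %d, IOPL=2 insn %d\n",
               cpl, page_access(cpl, kpage, true, true),
               privileged_insn(cpl), iopl_insn(cpl, 2));
    return 0;
}
```

With IOPL set to 2, ring 2 code can run I/O instructions without being able to load descriptor tables or control registers, which is the "I/O privileged code" role mentioned for ring 2.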


From the perspective of OS design, having multiple privileged rings is an oddity of x86 -- most other CPUs only have two modes (supervisor and user). As such, designing an OS to require multiple privileged modes will immediately prevent it from being ported to any other CPU. Additionally, many modern virtualization packages don't correctly emulate privilege levels other than 0 and 3, making OSes that use these levels much more difficult to test.


According to Wikipedia's page on Ring Security, rings 1 and 2 are used for drivers (ring 1), guest operating systems (ring 1), and I/O privileged code (ring 2). Hypervisors sit in -1/0 (depending on the hypervisor), not 1 as I previously stated.

However, the extra two rings never really helped and thus became rarely used. TBH, most code using rings 1 and 2 these days has semi-repurposed them from their original use (such as the hypervisors). Most Windows code these days seems to treat the system as only having two levels (kernel and user), probably due to the overhead associated with entering and leaving kernel land.