
Privilege levels implementation

I understand that in general a CPU can run in one of two modes: a high level permission mode in which access to "secure" zones in the hardware is enabled, and a low level permission mode that is used when accessing the rest of the CPU functions.

I also understand that there is some form of protection mechanism that enforces that only the operating system can run on the processor while it is in the high level privileged mode (sometimes called ring 0) and that when any user-space process is running the processor is in the low level privileged mode (ring 3).

My question is this: How does the CPU make the distinction between an OS process running in ring 0 mode and a user-space process running in ring 3? What mechanism is there that makes sure a user level process can never get ring 0 privilege levels?

crimsonsky2005 asked Nov 17 '12 19:11


1 Answer

This is processor dependent, but I'll go with x86.

The CPU does not understand the idea of a process. That is an OS abstraction of switching out the currently running code. The CPU understands the privileges of running code by which page it resides in.

In a paging operating system, OS code lives in pages marked as supervisor in the page table, while user mode code is marked as user mode in the page table. When the CPU accesses any memory location, in this case the current instruction through EIP, the CPU does a virtual memory lookup. Upon doing this lookup, the CPU looks at the page table and is able to check the supervisor/user mode flag and interpret the current instruction in that way.

Linuxios answered Sep 22 '22 03:09
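
The supervisor/user flag check the answer describes, sketched as an added example (not part of the original answer and not any operating system's code): a toy two-level 32-bit x86 page walk that models only the present, read/write and user/supervisor bits. The `toy_mem` layout and the `walk` and `sample` names are hypothetical, the mapped addresses are constructed, and whether an access is a user-mode one is passed in as a parameter.

```c
#include <stdint.h>
#include <stdio.h>
/* Flag bits shared by 32-bit x86 page-directory and page-table entries. */
#define PTE_P  0x1u   /* present */
#define PTE_RW 0x2u   /* writable */
#define PTE_US 0x4u   /* 1 = user-accessible, 0 = supervisor only */
/* Page-fault error-code bits reported by the CPU. */
#define PF_PROT  0x1u /* page was present: protection violation */
#define PF_WRITE 0x2u /* access was a write */
#define PF_USER  0x4u /* access was made in user mode */
#define NTABLES 2
/* Toy memory (constructed): a PDE's frame field indexes pt[] directly. */
typedef struct { uint32_t pd[1024]; uint32_t pt[NTABLES][1024]; } toy_mem;

/* Returns -1 if the access is allowed, else the page-fault error code. */
int walk(const toy_mem *m, uint32_t va, int user, int write)
{
    uint32_t err = (user ? PF_USER : 0) | (write ? PF_WRITE : 0);
    uint32_t pde = m->pd[va >> 22];
    if (!(pde & PTE_P) || (pde >> 12) >= NTABLES) return (int)err; /* unmapped */
    uint32_t pte = m->pt[pde >> 12][(va >> 12) & 0x3FF];
    if (!(pte & PTE_P)) return (int)err;                           /* unmapped */
    uint32_t eff = pde & pte;      /* rights are the AND of both levels */
    if (user && !(eff & PTE_US))
        return (int)(err | PF_PROT);   /* user access to a supervisor page */
    if (write && !(eff & PTE_RW))      /* assumes CR0.WP = 1 */
        return (int)(err | PF_PROT);
    return -1;
}

/* Constructed layout: user code at 0x08048000, kernel page at 0xC0000000. */
const toy_mem *sample(void)
{
    static toy_mem m;
    m.pd[0x08048000u >> 22] = (0u << 12) | PTE_P | PTE_RW | PTE_US;
    m.pt[0][0x48]           = PTE_P | PTE_US;          /* user, read-only */
    m.pd[0xC0000000u >> 22] = (1u << 12) | PTE_P | PTE_RW;
    m.pt[1][0]              = PTE_P | PTE_RW;          /* supervisor only */
    return &m;
}

int main(void)
{
    const toy_mem *m = sample();
    printf("user read of user page:   %d\n", walk(m, 0x08048000u, 1, 0));
    printf("user read of kernel page: %d\n", walk(m, 0xC0000000u, 1, 0));
    return 0;
}
```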