开发者

CPU Privilege Rings: Why rings 1 and 2 aren't used?

开发者 https://www.devze.com 2023-03-20 19:55 出处:网络
A couple of questions regarding the x86 CPU privilege rings: Why aren\'t rings 1 and 2 used by most operating systems? Is it just to maintain code compatibility with other architectures, or is there

A couple of questions regarding the x86 CPU privilege rings:

  • Why aren't rings 1 and 2 used by most operating systems? Is it just to maintain code compatibility with other architectures, or is there a better reason?

  • Are there any operating systems which actually use those rings? Or are they compl开发者_如何转开发etely unused?


As a hobbyist operating system writer, I found that because paging (a major part of the modern protection model) only has a concept of privileged (ring 0,1,2) and unprivileged, the benefit to rings 1 and 2 were diminished greatly.

The intent by Intel in having rings 1 and 2 is for the OS to put device drivers at that level, so they are privileged, but somewhat separated from the rest of the kernel code.

Rings 1 and 2 are in a way, "mostly" privileged. They can access supervisor pages, but if they attempt to use a privileged instruction, they still GPF like ring 3 would. So it is not a bad place for drivers as Intel planned...

That said, they definitely do have use in some designs. In fact, not always directly by the OS. For example, VirtualBox, a Virtual Machine, puts the guest kernel code in ring 1. I am also sure some operating systems do make use of them, I just don't think it is a popular design at the moment.


From the perspective of OS design, having multiple privileged rings is an oddity of x86 -- most other CPUs only have two modes (supervisor and user). As such, designing an OS to require multiple privileged modes will immediately prevent it from being ported to any other CPU. Additionally, many modern virtualization packages don't correctly emulate privilege levels other than 0 and 3, making OSes that use these levels much more difficult to test.


According to Wikipedia’s page on Ring Security, rings 1 and 2 are used for drivers(ring 1), guest operating systems(ring 1), and i/o privileged code(ring 2), hypervisors sit in -1/0 (depending on the hyper-visor) not 1 as I previously stated.

However, the extra two rings never really helped and thus became rarely used. TBH, most code using rings 1 and 2 these have semi-repurposed them from their original use (such as the hypervisors). Most windows code these days seems to treat the system as only having two levels (kernel and user), probably due to the overhead associated with entering and leaving kernel land.

0

精彩评论

暂无评论...
验证码 换一张
取 消

关注公众号