CPU Privilege Rings: Why rings 1 and 2 aren't used?


X86 Problem Overview


A couple of questions regarding the x86 CPU privilege rings:

  • Why aren't rings 1 and 2 used by most operating systems? Is it just to maintain code compatibility with other architectures, or is there a better reason?

  • Are there any operating systems which actually use those rings? Or are they completely unused?

X86 Solutions


Solution 1 - X86

As a hobbyist operating system writer, I found that because paging (a major part of the modern protection model) only has a concept of privileged (rings 0, 1, 2) and unprivileged, the benefit of rings 1 and 2 was diminished greatly.

The intent by Intel in having rings 1 and 2 is for the OS to put device drivers at that level, so they are privileged, but somewhat separated from the rest of the kernel code.

Rings 1 and 2 are, in a way, "mostly" privileged. They can access supervisor pages, but if they attempt to use a privileged instruction, they still GPF like ring 3 would. So it is not a bad place for drivers as Intel planned...

That said, they definitely do have use in some designs. In fact, not always directly by the OS. For example, VirtualBox, a Virtual Machine, puts the guest kernel code in ring 1. I am also sure some operating systems do make use of them; I just don't think it is a popular design at the moment.
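The split described in Solution 1, as an added example that is not part of the original answer: a small C model of the 32-bit x86 paging permission check next to the privileged-instruction check, showing that rings 1 and 2 pass the first like ring 0 and fail the second like ring 3. The selector values and page entries are constructed, the function names are hypothetical, and SMEP, SMAP and NX are left out.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Flag bits shared by 32-bit x86 page-directory and page-table entries. */
#define PG_PRESENT 0x1u
#define PG_RW      0x2u
#define PG_USER    0x4u   /* U/S: 1 = user-accessible, 0 = supervisor-only */

/* CPL is the low two bits of the CS selector. */
static unsigned cpl_of(uint16_t cs) { return cs & 3u; }

/* Paging check for a data access (simplified model: SMEP/SMAP/NX omitted).
 * Paging knows two modes only: CPL 3 is "user", CPL 0..2 are all "supervisor". */
bool page_access_ok(uint16_t cs, uint32_t pde, uint32_t pte, bool write, bool cr0_wp)
{
    uint32_t eff = pde & pte;              /* permissions are ANDed across levels */
    if (!(eff & PG_PRESENT)) return false; /* #PF: not present */
    if (cpl_of(cs) == 3) {                 /* user-mode access */
        if (!(eff & PG_USER)) return false;
        return !write || (eff & PG_RW);
    }
    /* supervisor-mode access: rings 0, 1 and 2 are treated identically */
    return !write || (eff & PG_RW) || !cr0_wp;
}

/* Privileged instructions (e.g. LGDT, MOV to CR3, HLT) need CPL 0, else #GP. */
bool privileged_insn_ok(uint16_t cs) { return cpl_of(cs) == 0; }

/* Count how many of the four rings may read a page with the given entries. */
int rings_that_can_read(uint32_t pde, uint32_t pte)
{
    int n = 0;
    for (uint16_t ring = 0; ring < 4; ring++)
        n += page_access_ok((uint16_t)(0x08u | ring), pde, pte, false, true);
    return n;
}

int main(void)
{
    uint32_t kern = PG_PRESENT | PG_RW;             /* constructed supervisor page */
    for (uint16_t ring = 0; ring < 4; ring++) {
        uint16_t cs = (uint16_t)(0x08u | ring);     /* constructed selector, RPL = ring */
        printf("ring %u: supervisor page read=%d, privileged insn=%d\n",
               (unsigned)ring, page_access_ok(cs, kern, kern, false, true), privileged_insn_ok(cs));
    }
    return 0;
}
```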

Solution 2 - X86

From the perspective of OS design, having multiple privileged rings is an oddity of x86 -- most other CPUs only have two modes (supervisor and user). As such, designing an OS to require multiple privileged modes will immediately prevent it from being ported to any other CPU. Additionally, many modern virtualization packages don't correctly emulate privilege levels other than 0 and 3, making OSes that use these levels much more difficult to test.

Solution 3 - X86

According to Wikipedia’s page on Ring Security, rings 1 and 2 are used for drivers (ring 1), guest operating systems (ring 1), and I/O privileged code (ring 2). Hypervisors sit in -1/0 (depending on the hypervisor), not 1 as I previously stated.

However, the extra two rings never really helped and thus became rarely used. TBH, most code using rings 1 and 2 has semi-repurposed them from their original use (such as the hypervisors). Most Windows code these days seems to treat the system as only having two levels (kernel and user), probably due to the overhead associated with entering and leaving kernel land.

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content Type | Original Author | Original Content on Stackoverflow
Question | user541686 | View Question on Stackoverflow
Solution 1 - X86 | Evan Teran | View Answer on Stackoverflow
Solution 2 - X86 | user149341 | View Answer on Stackoverflow
Solution 3 - X86 | Necrolis | View Answer on Stackoverflow