Protection ring

A protection ring is one of two or more hierarchical levels or layers of privilege within the architecture of a computer system.

OpenVMS uses four modes called (in order of decreasing privileges) Kernel, Executive, Supervisor and User.

A renewed interest in this design structure came with the proliferation of the Xen VMM software, ongoing discussion on monolithic vs. micro-kernels (particularly in Usenet newsgroups and Web forums), Microsoft's Ring-1 design structure as part of their NGSCB initiative, and hypervisors based on x86 virtualization such as Intel VT-x (formerly Vanderpool).

The hardware remains aware of the current ring of the executing instruction thread at all times, with the help of a special machine register.

One example is the Data General Eclipse MV/8000, in which the top three bits of the program counter (PC) served as the ring register.

Using x86 as an example, there is a special[clarification needed] gate structure which is referenced by the call instruction that transfers control in a secure way[clarification needed] towards predefined entry points in lower-level (more trusted) rings; this functions as a supervisor call in many operating systems that use the ring architecture.

The hardware restrictions are designed to limit opportunities for accidental or malicious breaches of security.

ARM version 7 architecture implements three privilege levels: application (PL0), operating system (PL1), and hypervisor (PL2).

[10] ARM version 8 implements four exception levels: application (EL0), operating system (EL1), hypervisor (EL2), and secure monitor / firmware (EL3), for AArch64[11]: D1-2454  and AArch32.

Often the security model is simplified to "kernel" and "user" even if hardware provides finer granularity through rings.

In computer terms, supervisor mode is a hardware-mediated flag that can be changed by code running in system-level software.

The Linux kernel, for instance, injects into processes a vDSO section which contains functions that would normally require a system call, i.e. a ring transition.

Recent CPUs from Intel and AMD offer x86 virtualization instructions for a hypervisor to control Ring 0 hardware access.

Although they are mutually incompatible, both Intel VT-x (codenamed "Vanderpool") and AMD-V (codenamed "Pacifica") allow a guest operating system to run Ring 0 operations natively without affecting other guests or the host OS.

Any attempt that requires a higher privilege level to perform (ring 0) will produce an interrupt and then be handled using software; this is called "Trap and Emulate".

To assist virtualization and reduce overhead caused by the reason above, VT-x and AMD-V allow the guest to run under Ring 0.

[19] Potential future uses for the multiple privilege levels supported by the x86 ISA family include containerization and virtual machines.

A host operating system kernel could use instructions with full privilege access (kernel mode), whereas applications running on the guest OS in a virtual machine or container could use the lowest level of privileges in user mode.

[21] Many CPU hardware architectures provide far more flexibility than is exploited by the operating systems that they normally run.

Today, this high degree of interoperation between the OS and the hardware is not often cost-effective, despite the potential advantages for security and stability.

Only "trusted" portions of system software are allowed to execute in the unrestricted environment of kernel mode, and then, in paradigmatic designs, only when absolutely necessary.

Microkernel operating systems attempt to minimize the amount of code running in privileged mode, for purposes of security and elegance, but ultimately sacrificing performance.

Privilege rings for the x86 available in protected mode
While x86 has 4 protection rings, it is more common for architectures to only have two. Even on x86, most operating systems only use ring 0 and 3.