Privilege Levels

The 80386 implements a four-level protection mechanism. Level 0 is the most privileged, and level 3 is the least privileged. The privilege level is assigned on a segment basis, and therefore applies to both code and data. The four levels may be visualized as concentric "rings", with the most privileged segments in the center.

Figure "80386 Ring-Oriented Privilege Scheme"

All code and data segments in the system are assigned a privilege, which is stored in the segment descriptor. At any one moment, a task executes only on one of the four rings:

Figure: four concentric rings labelled Ring 0 (center), Ring 1, Ring 2, Ring 3 (outermost)

A task executing in one ring cannot access data in a more privileged ring (for example, ring 3 cannot access data at ring 1), nor can it invoke a procedure in a less privileged ring (for example, ring 1 cannot invoke ring 3). Thus, both access to data and transfer of control are restricted in appropriate ways. The processor interprets the protection parameters and automatically performs all the checking necessary to implement this protection.

Although at the segment level there are these four levels of privilege, at the page level there are only two privilege levels:

  • Supervisor level, for the operating system, privileged programs such as device drivers, and system data, including page tables.

  • User level, for application code and data.

The privilege levels used for segmentation are mapped onto the page-level privilege levels. Tasks running in ring 0, 1 or 2 are all assumed to be at supervisor privilege level.
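The two segment-level rules stated above (no data access to a more privileged ring, no procedure call into a less privileged ring) and the ring-to-page-level mapping, written out as a small C model. This is an added example, not code or pseudocode from the Intel manual; it uses the convention that ring 0 is the most privileged. It assumes a plain numeric comparison of the current privilege level (CPL) against the descriptor privilege level (DPL), and it deliberately leaves out the 80386 mechanisms this page does not cover (call gates, conforming code segments, RPL), so it models only what the text says.

```c
#include <stdbool.h>
#include <stdio.h>

/* Segment privilege level: 0 is most privileged, 3 is least privileged. */
typedef unsigned int ring_t;

/* Page-level privilege has only two values. */
typedef enum { PAGE_SUPERVISOR = 0, PAGE_USER = 1 } page_level_t;

/*
 * Data access rule from the text: a task at CPL may not access a data
 * segment whose DPL is more privileged (numerically lower). Data at the
 * same or a less privileged ring is reachable.
 */
bool data_access_allowed(ring_t cpl, ring_t data_dpl)
{
    return cpl <= data_dpl;
}

/*
 * Control-transfer rule from the text: a task may not invoke a procedure
 * in a less privileged ring (numerically higher DPL). Inward transfers
 * are accepted here without modelling gates or conforming segments
 * (assumption: simplified model only).
 */
bool call_allowed(ring_t cpl, ring_t code_dpl)
{
    return code_dpl <= cpl;
}

/* Rings 0, 1 and 2 all map to supervisor level; ring 3 is user level. */
page_level_t page_level_for_ring(ring_t cpl)
{
    return cpl <= 2 ? PAGE_SUPERVISOR : PAGE_USER;
}

/*
 * Page access: supervisor level may reach supervisor and user pages,
 * while user level may reach only user pages.
 */
bool page_access_allowed(ring_t cpl, page_level_t page_us)
{
    if (page_level_for_ring(cpl) == PAGE_SUPERVISOR)
        return true;
    return page_us == PAGE_USER;
}

/*
 * A data reference must pass both the segment check and the page check;
 * the processor applies both layers of protection.
 */
bool data_reference_allowed(ring_t cpl, ring_t data_dpl, page_level_t page_us)
{
    return data_access_allowed(cpl, data_dpl) && page_access_allowed(cpl, page_us);
}

int main(void)
{
    ring_t cpl, dpl;

    puts("Data access (row = CPL, column = data DPL):");
    for (cpl = 0; cpl <= 3; cpl++) {
        printf("  ring %u:", cpl);
        for (dpl = 0; dpl <= 3; dpl++)
            printf(" %s", data_access_allowed(cpl, dpl) ? "ok  " : "deny");
        putchar('\n');
    }

    puts("Procedure call (row = CPL, column = code DPL):");
    for (cpl = 0; cpl <= 3; cpl++) {
        printf("  ring %u:", cpl);
        for (dpl = 0; dpl <= 3; dpl++)
            printf(" %s", call_allowed(cpl, dpl) ? "ok  " : "deny");
        putchar('\n');
    }

    for (cpl = 0; cpl <= 3; cpl++)
        printf("ring %u runs at page level: %s\n", cpl,
               page_level_for_ring(cpl) == PAGE_SUPERVISOR ? "supervisor" : "user");
    return 0;
}
```

Running the program prints the full 4x4 permission matrices; the two examples in the text appear as `deny` entries (ring 3 reading ring 1 data, ring 1 calling ring 3 code), and the last loop shows rings 0, 1 and 2 collapsing onto the single supervisor page level.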

