Privilege Levels

The 80386 implements a four-level protection mechanism. Level 0 is the most privileged, and level 3 is the least privileged. The privilege level is assigned on a segment basis, and therefore applies to both code and data. The four levels may be visualized as concentric "rings", with the most privileged segments in the center.

Figure "80386 Ring-Oriented Privilege Scheme"

All code and data segments in the system are assigned a privilege, which is stored in the segment descriptor. At any one moment, a task executes only on one of the four rings:

Ring 0

This is the most privileged type of segment, and code executing in this ring may use all protected mode processor instructions. This ring is used by those routines in an operating system which are essential for resource allocation and control. This part of the system is often referred to as the kernel or nucleus.

This is the second most privileged ring and is normally used for the remainder of the operating system routines and for the input/output support routines. Note that ring 1 is not used by OS/2 Version 2.0.

This ring is typically used as the application services level. It should be used for routines that do not belong to the operating system, but should still be protected from user code. Communications support and database management programs are good examples.

This is the least privileged ring and is typically assigned to user application code and data.

A task executing in one ring cannot access data in a more privileged ring (for example, ring 3 cannot access data at ring 1), nor can it invoke a procedure in a less privileged ring (for example, ring 1 cannot invoke ring 3). Thus, both access to data and transfer of control are restricted in appropriate ways. The processor interprets the protection parameters and automatically performs all the checking necessary to implement this protection.

Although at the segment level there are these four levels of privilege, at the page level there are only two privilege levels: