PROTECTION

7.3 PRIVILEGE LEVELS AND PROTECTION

As explained in section 6.2, each task has its own separate virtual address space defined by its LDT. All tasks share a common address space defined by the GDT. The system software then has direct access to task data and can treat all pointers in the same way.

Protection is required to prevent programs from improperly using code or data that belongs to the operating system. The four privilege levels of the 80286 provide the isolation needed between the various layers of the system. The 80286 privilege levels are numbered from 0 to 3, where 0 is the most trusted level, 3 the least.

Privilege level is a protection attribute assigned to all segments. It determines which procedures can access the segment. Like access rights and limit checks, privilege checks are automatically performed by the hardware, and thus protect both data and code segments.

Privilege on the 80286 is hierarchical. Operating system code and data segments placed at the most privileged level (0) cannot be accessed directly by programs at other privilege levels. Programs at privilege level 0 may access data at all other levels. Programs at privilege levels 1-3 may only access data at the same or less trusted (numerically greater) privilege levels. Figure 7-6 illustrates the privilege level protection of code or data within tasks.

In figure 7-6, programs can access data at the same or outer level, but not at inner levels. Code and data segments placed at level 1 cannot be accessed by programs executing at levels 2 or 3. Programs at privilege level 0 can access data at level 1 in the course of providing service to that level. The 80286 provides mechanisms for inter-level transfer of control when needed (see section 7.5).

The four privilege levels of the 80286 are an extension of the typical two-level user/supervisor privilege mechanism. Like user mode, application programs in the outer level are not permitted direct access to data belonging to more privileged system services (supervisor mode). The 80286 adds two more privilege levels to provide protection for different layers of system software (system services, I/O drivers, etc.).

7.3.1 Example of Using Four Privilege Levels

Two extra privilege levels allow development of more reliable and flexible system software. This is achieved by dividing the system into small, independent units. Figure 7-6 shows an example of the usage of different protection levels. Here, the most privileged level is called the kernel. This software would provide basic, application-independent, CPU-oriented services to all tasks. Such services include memory management, task isolation, multitasking, inter-task communication, and I/O resource control. Since the kernel is only concerned with simple functions and cannot be affected by software at other privilege levels, it can be kept small, safe, and understandable.

Privilege level 1 is designated system services. This software provides high-level functions like file access scheduling, character I/O, data communications, and resource allocation policy which are commonly expected in all systems. Such software remains isolated from application programs and relies on the services of the kernel, yet cannot affect the integrity of level 0.

Privilege level 2 is the custom operating system extensions level. It allows standard system software to be customized. Such customizing can be kept isolated from errors in application programs, yet cannot affect the basic integrity of the system software. Examples of customized software are the data base manager, logical file access services, etc.
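The hierarchical data-access rule of section 7.3 and the four-layer example of section 7.3.1 can be modelled in a few lines. The following is an added illustration, not code from the manual: it checks whether a program running at a given privilege level may touch a data segment at a given descriptor privilege level (DPL), and goes one step beyond this section by also folding in the selector's requested privilege level (RPL), which the 80286 combines with CPL as max(CPL, RPL) before the comparison. The layer names and the `accessible_levels` helper are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed labels for the four layers of the figure 7-6 example. */
enum { LEVEL_KERNEL = 0, LEVEL_SYSTEM_SERVICES = 1,
       LEVEL_OS_EXTENSIONS = 2, LEVEL_APPLICATION = 3 };

static const char *level_name(int level) {
    static const char *names[] = { "kernel", "system services",
                                   "OS extensions", "application" };
    return (level >= 0 && level <= 3) ? names[level] : "invalid";
}

/* Effective privilege of a data reference: the less trusted (numerically
   greater) of the current privilege level and the selector's RPL. */
int effective_privilege(int cpl, int rpl) {
    return cpl > rpl ? cpl : rpl;
}

/* Data-segment rule: a program may access segments at the same or a less
   trusted (numerically greater-or-equal) level than its effective privilege.
   Out-of-range levels are rejected rather than silently allowed. */
bool data_access_allowed(int cpl, int rpl, int dpl) {
    if (cpl < 0 || cpl > 3 || rpl < 0 || rpl > 3 || dpl < 0 || dpl > 3)
        return false;
    return effective_privilege(cpl, rpl) <= dpl;
}

/* Bit mask of levels whose data a program at cpl can reach when RPL == CPL
   (bit n set means level n is accessible). Level 0 yields 0xF, level 3 0x8. */
unsigned accessible_levels(int cpl) {
    unsigned mask = 0;
    for (int dpl = 0; dpl <= 3; dpl++)
        if (data_access_allowed(cpl, cpl, dpl))
            mask |= 1u << dpl;
    return mask;
}

int main(void) {
    /* Print the access matrix of figure 7-6: rows are the running level,
       columns the level of the data segment being referenced. */
    for (int cpl = 0; cpl <= 3; cpl++) {
        printf("%-16s:", level_name(cpl));
        for (int dpl = 0; dpl <= 3; dpl++)
            printf(" %s", data_access_allowed(cpl, cpl, dpl) ? "yes" : "no ");
        printf("\n");
    }
    return 0;
}
```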

7-8

Intel 80287, 80286 manual Privilege Levels and Protection, Example of Using Four Privilege Levels