User's Manual

PROTECTION
7.3 PRIVILEGE LEVELS AND PROTECTION
As explained in section 6.2, each task has its own separate virtual address space defined by its LDT. All tasks share a common address space defined by the GDT. The system software then has direct access to task data and can treat all pointers in the same way.
Protection is required to prevent programs from improperly using code or data that belongs to the operating system. The four privilege levels of the 80286 provide the isolation needed between the various layers of the system. The 80286 privilege levels are numbered from 0 to 3, where 0 is the most trusted level, 3 the least.
Privilege level is a protection attribute assigned to all segments. It determines which procedures can access the segment. Like access rights and limit checks, privilege checks are automatically performed by the hardware, and thus protect both data and code segments.
Privilege on the 80286 is hierarchical. Operating system code and data segments placed at the most privileged level (0) cannot be accessed directly by programs at other privilege levels. Programs at privilege level 0 may access data at all other levels. Programs at privilege levels 1-3 may only access data at the same or less trusted (numerically greater) privilege levels. Figure 7-6 illustrates the privilege level protection of code or data within tasks.
In figure 7-6, programs can access data at the same or outer level, but not at inner levels. Code and data segments placed at level 1 cannot be accessed by programs executing at levels 2 or 3. Programs at privilege level 0 can access data at level 1 in the course of providing service to that level. The 80286 provides mechanisms for inter-level transfer of control when needed (see section 7.5).
The four privilege levels of the 80286 are an extension of the typical two-level user/supervisor privilege mechanism. Like user mode, application programs in the outer level are not permitted direct access to data belonging to more privileged system services (supervisor mode). The 80286 adds two more privilege levels to provide protection for different layers of system software (system services, I/O drivers, etc.).
7.3.1 Example of Using Four Privilege Levels
Two extra privilege levels allow development of more reliable and flexible system software. This is achieved by dividing the system into small, independent units. Figure 7-6 shows an example of the usage of different protection levels. Here, the most privileged level is called the kernel. This software would provide basic, application-independent, CPU-oriented services to all tasks. Such services include memory management, task isolation, multitasking, inter-task communication, and I/O resource control. Since the kernel is only concerned with simple functions and cannot be affected by software at other privilege levels, it can be kept small, safe, and understandable.
Privilege level 1 is designated system services. This software provides high-level functions like file access scheduling, character I/O, data communications, and resource allocation policy which are commonly expected in all systems. Such software remains isolated from applications programs and relies on the services of the kernel, yet cannot affect the integrity of level 0.
Privilege level 2 is the custom operating system extensions level. It allows standard system software to be customized. Such customizing can be kept isolated from errors in applications programs, yet cannot affect the basic integrity of the system software. Examples of customized software are the data base manager, logical file access services, etc.
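The following C program is an added illustration, not code from the manual: it models the data-segment privilege check described in section 7.3 and walks the four layers named in section 7.3.1 (kernel, system services, OS extensions, applications) to show which layer may touch data placed at which level. It goes slightly beyond the text above by also folding in the selector's RPL field (the low two bits of an 80286 selector), which the hardware combines with CPL before comparing against the descriptor's DPL; the descriptor access-byte layout is the 80286's, while the selector value and the `layer_can_access` helper are constructed for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Layout of the 80286 descriptor access-rights byte:
 * bit 7 = Present, bits 6-5 = DPL, bit 4 = S (1 = code/data segment),
 * bits 3-0 = type (for data: bit 1 = writable, bit 0 = accessed). */
#define AR_PRESENT   0x80
#define AR_SEGMENT   0x10
#define AR_DATA_RW   0x02
#define AR_DPL(ar)   (((ar) >> 5) & 3u)

/* Level numbering from the manual: 0 is most trusted, 3 least. Names follow
 * the layering of section 7.3.1. */
enum { KERNEL = 0, SYSTEM_SERVICES = 1, OS_EXTENSIONS = 2, APPLICATIONS = 3 };

/* Build the access byte of a present, read/write data segment at the given DPL. */
uint8_t data_segment_ar(unsigned dpl) {
    return (uint8_t)(AR_PRESENT | AR_SEGMENT | AR_DATA_RW | ((dpl & 3u) << 5));
}

/* Model of the hardware privilege check performed when a data-segment
 * selector is loaded. Effective privilege is the less trusted (numerically
 * greater) of CPL and the selector's RPL (low two bits); the load succeeds
 * only if that value is <= the descriptor's DPL. Returns false where the
 * CPU would instead raise a general protection fault. */
bool data_access_allowed(unsigned cpl, uint16_t selector, uint8_t access_rights) {
    unsigned rpl = selector & 3u;
    unsigned effective = cpl > rpl ? cpl : rpl;
    if (!(access_rights & AR_PRESENT))
        return false;                       /* not-present segment: fault */
    return effective <= AR_DPL(access_rights);
}

/* Convenience wrapper matching figure 7-6: can code running at level `from`
 * touch data placed at level `to`? Uses a constructed selector (index 1,
 * GDT) whose RPL equals `from`, so only CPL versus DPL decides. */
bool layer_can_access(unsigned from, unsigned to) {
    uint16_t selector = (uint16_t)(0x0008 | (from & 3u));
    return data_access_allowed(from, selector, data_segment_ar(to));
}

int main(void) {
    const char *name[] = { "kernel", "system services", "OS extensions", "applications" };
    for (unsigned from = 0; from < 4; from++)
        for (unsigned to = 0; to < 4; to++)
            printf("%-16s -> %-16s %s\n", name[from], name[to],
                   layer_can_access(from, to) ? "allowed" : "denied (GP fault)");
    return 0;
}
```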
7-8