Modern microprocessors are typically designed so that they may be easily adapted for use in alternative operating environments, and configured for a variety of applications. That is, a given microprocessor might be used in environments as diverse as: 1) within a cell phone; 2) within a video gaming system; and 3) within a computer system. In the cell phone environment, the microprocessor will typically execute only those instructions that are developed by the manufacturer of the cell phone, and stored within a read-only memory in the phone. Within a video gaming system, the microprocessor must execute an “embedded” set of instructions that are developed by the manufacturer of the gaming system, and instructions developed by manufacturers of video games. Within a computer system, the microprocessor must execute instructions developed by the manufacturer of the computer system, instructions developed by an operating system manufacturer, instructions developed by an applications manufacturer, as well as instructions that are developed by the end user.
To allow microprocessors to operate within such diverse environments, and to ensure that they are not changed once they are configured for a particular environment, microprocessors are typically designed to operate in several different security modes or levels. Each of the security modes or levels of a microprocessor defines what resources within its operating environment an instruction has access to, what features of the microprocessor are enabled, how the microprocessor is to view external memory, etc.
Simplistically, modern microprocessors have at least two operating modes, referred to as “kernel” mode and “user” mode. When a microprocessor is powered on, it begins operating in kernel mode. This means that the first set of instructions that execute have access to all of the resources of the microprocessor, and can define how the microprocessor is to operate, how it should be configured for its present environment, etc. Once the kernel mode instruction set configures the processor, it may switch the microprocessor to operate in user mode. At this point, instructions have access to general-purpose registers, but not to privileged architecture registers that control the operation or configuration of the microprocessor. Such a dual mode architecture provides security for the computing system, ensures reliability of the operating environment, and prevents user mode instructions from accessing or modifying privileged resources.
Within the privileged architecture of a microprocessor are configuration registers that establish how the microprocessor is to view memory, whether it is operating in 32-bit or 64-bit mode, whether it is operating in kernel mode or user mode, etc. In addition, other resources are provided that assist developers in designing their products with the microprocessor, including debug registers, count registers, performance counters, etc. Often, these developers are operating within the kernel mode of the microprocessor, and thus have access to these resources. However, it has become desirable, within some environments, to provide access to certain privileged resources while the microprocessor is in user mode. Unfortunately, in contemporary microprocessors, access to privileged resources has been an all-or-nothing proposition. That is, while the microprocessor is in kernel mode, a bit is set in a configuration register that allows user mode instructions to access the privileged architecture. Unfortunately, once the bit is set, the user mode instructions are provided with full read/write access to all of the privileged resources. This situation defeats all of the security benefits provided by a dual mode microprocessor.
Therefore, what is needed is a mechanism that allows an operating system (operating in kernel mode) to selectively configure particular privileged resources for access by user mode instructions, while still preventing access to other privileged resources.
Furthermore, what is needed is a method and apparatus that maintains the security of an operating environment, while providing the benefit of access by user mode instructions to certain privileged resources, on a case-by-case basis.
And, what is needed is a microprocessor that allows kernel mode instructions to define how user mode instructions access privileged resources.
Furthermore, what is needed is a configurable mechanism within a microprocessor to allow an operating system to virtualize access to privileged resources, from the viewpoint of user mode instructions.
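To make the contrast drawn above concrete, the following C model is an added illustration, not code from the original document: it compares the single all-or-nothing enable bit with a per-resource read/write mask that only kernel mode can change. The register names, the `user_perm` mask and all function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model: resource kinds follow the text, names are assumed. */
enum priv_reg { REG_CONFIG, REG_DEBUG, REG_COUNT, REG_PERF, REG_MAX };
enum cpu_mode { MODE_KERNEL, MODE_USER };
enum access   { ACC_READ = 1, ACC_WRITE = 2 };

struct cpu {
    enum cpu_mode mode;
    bool    user_access_all;     /* the single enable bit described above */
    uint8_t user_perm[REG_MAX];  /* assumed per-resource mask of ACC_* bits */
};
typedef bool (*check_fn)(const struct cpu *, enum priv_reg, enum access);

/* All-or-nothing: once the bit is set, every register is readable and writable. */
bool allowed_all_or_nothing(const struct cpu *c, enum priv_reg r, enum access a) {
    (void)r; (void)a;            /* the check ignores which resource is touched */
    return c->mode == MODE_KERNEL || c->user_access_all;
}

/* Selective: user mode gets only the access bits granted for that register. */
bool allowed_selective(const struct cpu *c, enum priv_reg r, enum access a) {
    if ((unsigned)r >= REG_MAX) return false;
    if (c->mode == MODE_KERNEL) return true;
    return (c->user_perm[r] & a) == (uint8_t)a;
}

/* Only kernel mode may change what user mode can reach. */
bool set_user_perm(struct cpu *c, enum priv_reg r, uint8_t perm) {
    if (c->mode != MODE_KERNEL || (unsigned)r >= REG_MAX) return false;
    c->user_perm[r] = perm & (ACC_READ | ACC_WRITE);
    return true;
}

/* Count the (register, access) pairs reachable from user mode under a policy. */
int user_reachable(const struct cpu *c, check_fn check) {
    struct cpu u = *c;
    int n = 0;
    u.mode = MODE_USER;
    for (int r = 0; r < REG_MAX; r++)
        n += check(&u, (enum priv_reg)r, ACC_READ) + check(&u, (enum priv_reg)r, ACC_WRITE);
    return n;
}

int main(void) {
    struct cpu c = { MODE_KERNEL, true, {0} };
    set_user_perm(&c, REG_PERF, ACC_READ);   /* expose only performance counter reads */
    printf("all-or-nothing: %d pairs, selective: %d pairs\n",
           user_reachable(&c, allowed_all_or_nothing), user_reachable(&c, allowed_selective));
    return 0;
}
```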