In a conventionally known virtual machine system, a plurality of operating systems run alternately on a processor by time sharing.
Such a virtual machine system includes a hypervisor for causing a processor to execute processing to control the switching between operating systems.
In order to guarantee reliability of the system, it is necessary for the hypervisor to execute the processing to control the switching between operating systems, which run in a privileged mode, at a higher privileged mode than the operating systems.
For example, in the virtual machine system shown in Patent Literature 1, the processor constituting the virtual machine system includes the privileged modes of supervisor mode and hypervisor mode, which is higher than supervisor mode. The operating systems run in supervisor mode, whereas the hypervisor runs in hypervisor mode.
In a virtual machine system that handles confidential data, however, it is preferable from a security perspective for the confidential data to be protected from access by programs other than a program designated as being reliable (hereinafter referred to as a “secure program”).
Such a virtual machine system thus requires a privileged mode for running the secure program other than the supervisor mode and the hypervisor mode.
For example, Patent Literature 2 discloses a virtual machine system in which the processor constituting the virtual machine system is provided with a secure mode that is a privileged mode at an even higher level than the hypervisor mode. The secure program runs in the secure mode.
FIG. 16 shows the operation modes of the processor constituting the virtual machine system in Patent Literature 2.
As shown in FIG. 16, the processor constituting the virtual machine system is provided with three privileged modes in addition to a user mode 1640, namely a supervisor mode 1630, a hypervisor mode 1620, and a secure mode 1610. Application programs run in the user mode 1640, the operating systems run in the supervisor mode 1630, the hypervisor runs in the hypervisor mode 1620, and the secure program runs in the secure mode 1610.