1. Field of the Invention
The present invention relates to computer processors and, more particularly, to changing privilege levels for the execution of instructions in a computer processor.
2. Background of the Related Art
Computer systems are designed around an integrated circuit, known as a “processor,” that executes programmed instructions stored in the system's memory. The processor reads instructions from memory and feeds them into one end of an instruction pipeline. The pipeline is made of several stages, each stage performing some function necessary or desirable to process instructions before passing the instruction to the next stage. For instance, the first stage might fetch the instruction, the next stage might decode the fetched instruction, and the next stage might execute the decoded instruction. Each stage of the pipeline typically moves the instruction closer to completion.
In order to effect security features and provide multi-user capability in processors, including pipelined processors, operating system software needs to prevent the user from performing certain operations. For example, operating system instructions may be assigned one privilege level, while application program instructions may be assigned a lower privilege level. Thus, the operating system instructions would have access to some system resources that the application program instructions would not be able to access. Privilege levels can sometimes be dynamic in the sense that they can occasionally change. To accomplish this, the operating system software assigns a privilege level to the processor. A “current privilege level” (CPL) for the processor is normally maintained in the processor's architectural register set.
A program or process may request a service from the kernel of an operating system, which service the program normally does not have permission to run, by issuing a system call. System calls provide the interface between a process and the operating system. Most operations that interact with the system require permissions that are not available to a user-level process; for example, I/O performed with a device present on the system, or any form of communication with other processes, requires the use of system calls.
The design of the microprocessor architecture on practically all modern systems (except some embedded systems) offers a series of CPU modes. Applications normally execute in a low privilege level that limits the address space of the program so that it cannot access or modify other running applications or the operating system itself. This low privilege level also prevents the application from directly using certain devices, such as the frame buffer or network devices. However, since many normal applications need these abilities, the operating system provides pre-defined system calls to the applications. The operating system executes at the highest level of privilege, and allows applications to request services via system calls, which are often implemented through the use of interrupts. If allowed, the system enters a higher privilege level, executes a specific set of instructions over which the interrupting program has no direct control, returns to the calling application's privilege level, and then returns control to the calling application.
A CPU mode, which may also be referred to as a processor mode, CPU state, and CPU privilege level, is an operating mode for the central processing unit (CPU) of some computer architectures that place restrictions on the type and scope of operations that can be performed by certain processes being run by the CPU. Ideally, only highly-trusted kernel code is allowed to execute in an unrestricted mode. All other processes, including non-supervisory portions of the operating system, must run in a restricted mode and use a system call to request that the kernel perform, on behalf of the process, any operation that could damage or compromise the system. This makes it impossible for an untrusted program to alter or damage other programs or the computing system itself.
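A toy model of the mechanism described in the two paragraphs above, added here as an example and not part of the patent text: a CPL register, a kernel-only memory region and a privileged I/O instruction that the hardware refuses in user mode, and a system-call instruction that raises the CPL, runs only a kernel-chosen handler, and restores the caller's CPL. The ring numbers, KERNEL_BASE, the port number and the handler table are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field

# Constructed for illustration: x86-style ring numbers, and a memory split in
# which addresses at or above KERNEL_BASE are reachable only at CPL 0.
KERNEL, USER = 0, 3
KERNEL_BASE = 0x1000

class PrivilegeViolation(Exception):
    pass  # the 'hardware' trap raised for a forbidden user-mode operation

@dataclass
class CPU:
    cpl: int = USER                        # current privilege level (CPL) register
    mem: dict = field(default_factory=dict)
    io_log: list = field(default_factory=list)

    def _require_kernel(self, what):
        if self.cpl != KERNEL:
            raise PrivilegeViolation(f"{what} attempted at CPL {self.cpl}")
    def load(self, addr):                  # memory access: kernel region protected
        if addr >= KERNEL_BASE:
            self._require_kernel(f"load {addr:#x}")
        return self.mem.get(addr, 0)
    def out(self, port, value):            # I/O instruction: always privileged
        self._require_kernel(f"out {port:#x}")
        self.io_log.append((port, value))

    def syscall(self, number, arg):
        # Software interrupt: raise CPL, run the kernel's handler for this number
        # (the caller picks only the number, never the code), then restore CPL.
        saved, self.cpl = self.cpl, KERNEL
        try:
            handler = SYSCALL_TABLE.get(number)
            return handler(self, arg) if handler else -1   # -1: no such service
        finally:
            self.cpl = saved

def sys_write_serial(cpu, byte):           # kernel performs I/O on the caller's behalf
    cpu.out(0x3F8, byte)                   # constructed port number
    return 0

def sys_get_ticks(cpu, _arg):              # kernel reads a kernel-only variable
    return cpu.load(KERNEL_BASE)

SYSCALL_TABLE = {1: sys_write_serial, 2: sys_get_ticks}

def attempt(fn, *args):                    # ("ok", result) or ("trap", reason)
    try:
        return ("ok", fn(*args))
    except PrivilegeViolation as e:
        return ("trap", str(e))
```

Direct `out` or a load from the kernel region traps at CPL 3, while the same I/O requested through `syscall(1, ...)` succeeds and leaves the CPL back at 3 afterwards.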
At a minimum, any CPU architecture supporting protected execution will offer two distinct operating modes; at least one of the modes must allow completely unrestricted operation of the processor. The unrestricted mode is often called kernel mode, but may also be referred to as master mode, supervisor mode, privileged mode, or supervisor state. A restricted mode is usually referred to as user mode, but may also be referred to as slave mode or problem state.
In kernel mode, the CPU may perform any operation allowed by its architecture; any instruction may be executed, any I/O operation initiated, any area of memory accessed, and so on. In the other CPU modes, certain restrictions on CPU operations are enforced by the hardware. Typically, certain instructions are not permitted, such as I/O operations that could alter the global state of the machine or access some restricted memory areas. User-mode capabilities of the CPU are typically a subset of those available in kernel mode but in some cases, such as hardware emulation of non-native architectures, they may be significantly different from those available in standard kernel mode.
Some CPU architectures support multiple user modes, often with a hierarchy of privileges. These architectures are often said to have ring-based security, wherein the hierarchy of privileges resembles a set of concentric rings, with the kernel mode in the center.