Ring Protection mechanism



 

 


Chapter:Chapter 02 – Inside OS/2 Warp
Subsection: 01. Base Operating System Architecture
Document Number:06
Topic: Ring Protection mechanism
Date Composed: 10-03-96 06:59:05 PM Date Modified: 03-19-99 08:03:54 PM

OS/2 uses a four level protection mechanism to protect itself, the operating system from interference by other programs. This is not the same as the memory protection, actually memory isolation, which isolates programs’ memory spaces from each other. This ring protection mechanism, diagrammed in Figure 1, is used to ensure that applications cannot alter registers in the CPU or manipulate memory directly by accessing the page tables. The protection mechanism prevents this by refusing requests from programs other than a kernel level process to use the CPU instructions required to access the CPU registers and the page tables. The ring protection mechanism gets its name from the concentric rings used to diagram it.

OS/2 Ring Protection Mechanism

Figure 1: OS/2 Ring Protection Mechanism

 

 

The ring levels

OS/2 runs at ring level 0 which is the highest level of protection. Actually only the kernel of OS/2 and certain other kernel level functions run at this level. This is the most protected level of the CPU and is used only by an operating system. Running at ring 0 gives the operating system access to the privileged CPU instructions which are used to manipulate the CPU registers and the page tables. Access to these privileged instructions allows OS/2 to manage memory and to manage the operation of the CPU and the computer as a whole. It is important to note that the operating system, because it runs at ring 0, can use all of the CPU instructions available to the outer rings as well as those limited to programs running at ring 3.

Ring level 1 not used is not used in OS/2. This was a simple design decision on the part of the OS/2 architects who felt that providing access to this level would not offer any significant advantages to the operating system structure while adding unnecessary complexity. The kernel running at ring 0 can use any of the few instructions provided by this level.

Applications normally run at ring level 3. This is the least protected level, and programs which run at this level are the least trusted. That is, they are to be prevented from manipulating the hardware directly under any circumstances. In most cases, however, it is not necessary for applications to use hardware directly. The device driver structure of OS/2 provides program independent methods for accessing all hardware and so application programs normally have no need to do so.

IOPL

IOPL (I/O Privilege Level) programs run at ring 2. Ring 2 gives some few programs which need it a little more direct access to the hardware of the computer than they can have at ring 3. The sensitive instructions of ring 2 can be used by application programs to use instructions which exercise a little more control over parts of the computer like serial or parallel ports. Even with this additional level of access, however, OS/2 rigidly supervises the program using IOPL.

Any program which requires access to IOPL must first tell OS/2 that it will access ring 2. The programmer’s API which is used for IOPL at ring 2 is tightly controlled by OS/2 to prevent applications from causing problems. Unfortunately, a program written to access I/O Privilege Level can take complete control of a device; this cannot happen at ring 3. If the program does not relinquish control of the device, other programs which need access to the device, including the operating system, may appear to lock up while they wait for access to be granted. Until the program running at ring 2 relinquishes the device, all other programs must wait. It is imperative, therefore, that programmers working with IOPL at ring 2 follow IBM guidelines about programming at that level and release the device as soon as possible.

The statement IOPL=YES is required in the CONFIG.SYS file to allow programs to access ring 2 IOPL level instructions. If this statement has been altered such that a particular program which requires IOPL cannot get access to it, an error is displayed which says, “The system is not configured to support this program.”

IOPL=YES Allows I/O Privilege Level access to be granted to all programs which require it Protect ring level 2.
IOPL=<list> Allows I/O Privilege Level access to be granted to only those programs in the list. All other programs will be refused access to IOPL. The list consists of the names of executable files separated by commas.