Which has the higher privilege, Ring 0 or Ring 3? Ring 0 Through Ring 3

Most likely, you’re aware of the hardware “protection rings” in Intel Architecture processors — the familiar “Ring 0” for the kernel through “Ring 3” for userland. But, have you ever heard of “rings” “minus one” through “minus three”? If not, you’re missing out on three entire levels of processor vulnerabilities.

Ring 0 Through Ring 3

In Intel Architecture (IA) processors there are four protection rings, implemented in hardware by a two-bit privilege field: every segment descriptor in the GDT or LDT carries a Descriptor Privilege Level (DPL), and the ring the processor is currently executing in, the Current Privilege Level (CPL), is held in the low two bits of the CS selector. The hardware logic behind the rings allows code running at a given privilege level to access segments at that privilege level (ring number) or a numerically higher one. Thus, anything running in Ring 0 (CPL 0) can access anything in any of the other positively-numbered rings. Likewise, anything running in Ring 3 (CPL 3) can only access Ring 3 segments. Page-level protection is coarser: the paging hardware only distinguishes supervisor (CPL 0, 1 or 2) from user (CPL 3), which is one reason Rings 1 and 2 see so little use in practice. [See notes 1 and 2.]

In normal usage, the rings are allocated as follows:

  • Ring 0: Kernel (Highest Privilege)
  • Ring 1: Device Drivers
  • Ring 2: Device Drivers
  • Ring 3: User Applications (Lowest Privilege)

This concept is illustrated in the “Standard IA Protection Rings” drawing, below. The way to view these rings is that you can only access outward, to a higher-numbered ring. You can never access inward, to a lower-numbered ring, except by entering it at an entry point the inner ring itself defines (a call gate, an interrupt or exception handler, or SYSCALL/SYSENTER), which is exactly how a Ring 3 application asks the Ring 0 kernel to perform a system call on its behalf.
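The access rule above can be stated as a small piece of code. The following is an added example, not code from the original article: it decodes the two privilege fields the hardware actually uses (the RPL bits of a selector, the DPL bits of an 8-byte descriptor), applies the rule the processor enforces when a data-segment selector is loaded (max(CPL, RPL) must be numerically less than or equal to DPL), and, on an x86 machine, reads the CPL of the running process from CS. The descriptor builder and the selector values 0x10/0x13/0x23 are constructed for illustration.

```c
/* Added example: decoding ring privilege bits and applying the
 * hardware's data-segment access rule. Not from the original article. */
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

/* A segment selector is 16 bits: index[15:3] | TI[2] | RPL[1:0].
 * The CPL of the running code is the RPL field of the CS register. */
static inline unsigned selector_rpl(uint16_t sel) { return sel & 0x3; }

/* In an 8-byte GDT/LDT descriptor the DPL occupies bits 45-46,
 * S (code/data vs. system) is bit 44 and Present is bit 47. */
static inline unsigned descriptor_dpl(uint64_t desc) { return (desc >> 45) & 0x3; }
static inline bool descriptor_present(uint64_t desc) { return (desc >> 47) & 1; }

/* Rule for loading a data-segment selector into DS/ES/FS/GS/SS:
 * the effective privilege max(CPL, RPL) must be <= DPL (numerically).
 * Outward (higher-numbered) access is allowed; inward access is refused.
 * A selector with a weaker RPL can only *reduce* what the caller may reach. */
bool data_segment_access_allowed(unsigned cpl, uint16_t selector, uint64_t descriptor) {
    if (cpl > 3) return false;
    if (!descriptor_present(descriptor)) return false;
    unsigned rpl = selector_rpl(selector);
    unsigned eff = cpl > rpl ? cpl : rpl;
    return eff <= descriptor_dpl(descriptor);
}

/* Constructed flat data-segment descriptor with the given DPL
 * (base 0, limit 4 GiB, read/write, present). */
uint64_t make_data_descriptor(unsigned dpl) {
    uint64_t d = 0;
    d |= 0xFFFFull;                     /* limit[15:0]            */
    d |= (0xFull << 48);                /* limit[19:16]           */
    d |= (0x2ull << 40);                /* type: data, read/write */
    d |= (1ull << 44);                  /* S = 1: code/data       */
    d |= ((uint64_t)(dpl & 3) << 45);   /* DPL                    */
    d |= (1ull << 47);                  /* Present                */
    d |= (1ull << 54) | (1ull << 55);   /* D/B = 1, G = 4 KiB     */
    return d;
}

/* Read the CPL from CS on x86; -1 on other architectures.
 * In an ordinary user process this returns 3, i.e. Ring 3. */
int current_cpl(void) {
#if defined(__x86_64__) || defined(__i386__)
    uint16_t cs;
    __asm__ volatile ("mov %%cs, %0" : "=r"(cs));
    return (int)selector_rpl(cs);
#else
    return -1;
#endif
}

int main(void) {
    uint64_t kernel_data = make_data_descriptor(0);
    uint64_t user_data   = make_data_descriptor(3);
    printf("CPL of this process: %d\n", current_cpl());
    /* 0x10 = GDT index 2, RPL 0; 0x13 = same index, RPL 3; 0x23 = index 4, RPL 3 */
    printf("ring0 -> DPL0 segment: %s\n",
           data_segment_access_allowed(0, 0x10, kernel_data) ? "allowed" : "denied");
    printf("ring3 -> DPL0 segment: %s\n",
           data_segment_access_allowed(3, 0x13, kernel_data) ? "allowed" : "denied");
    printf("ring0 -> DPL3 segment: %s\n",
           data_segment_access_allowed(0, 0x23, user_data) ? "allowed" : "denied");
    return 0;
}
```

The third case (Ring 0 code using an RPL 3 selector against a DPL 1 segment is refused, as the test below shows) is the mechanism a kernel relies on when it copies a user-supplied selector with RPL forced to 3: the hardware then refuses, on the kernel's behalf, any segment the user could not have reached directly.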

[Figure: Standard Intel Architecture Protection Rings]

There are some variations in how the rings are used, but the access limitations remain the same. For example, in some virtualized environments the hypervisor sits in Ring 0, a guest's kernel is in Ring 1, that guest's device drivers are in Ring 2, and that guest's applications are in Ring 3. This concept is illustrated in the “Alternate (Cloud) IA Protection Rings” drawing, below. This “ring deprivileging” layout is how early paravirtualized hypervisors such as 32-bit Xen hosted guest kernels before hardware virtualization support existed; on x86-64, where segment limits are not enforced, Rings 1 and 2 cannot isolate a guest kernel from its own applications, so modern hypervisors rely on the VMX root/non-root split described under Ring ‑1 below rather than on Rings 1 and 2.

[Figure: Alternate (Cloud) Intel Architecture Protection Rings]

Let’s Get Negative!

On Intel Architecture chipsets, there are three more levels of privilege, all with a higher-level privilege than the operating system’s kernel. We call those “Ring ‑1” through “Ring ‑3,” with Ring ‑1 (pronounced, “ring minus one”) being the least privileged of the negative rings, and Ring ‑3 being the most privileged. Thus, Ring ‑3 can access anything in Ring ‑3 through Ring 3. And Ring ‑2 can access anything in Ring ‑2 through Ring 3, but it cannot access Ring ‑3.

Now, allow me to emphasize a point: Negative rings are conceptual levels of privilege, not actual processor protection rings.

Unlike the “positive rings,” which are implemented in hardware with a pair of bits that specify the ring number, no equivalent set of bits exists to specify negative ring numbers. The processor does track the state that corresponds to Rings ‑1 and ‑2 (whether it is in VMX root operation, and whether it is in SMM), but as operating modes rather than as a privilege-level field; and Ring ‑3 is actually a separate processor inside the chipset. We will briefly discuss how the processor knows it is running in a negative ring when we cover each ring.

Each of the negatively numbered rings is reserved for a specific use. That assignment is as follows:

  • Ring ‑1: Hypervisor
  • Ring ‑2: System Management Mode (SMM)
  • Ring ‑3: Management Engine (ME)

This concept is illustrated in the IA Negative Rings drawing. Again, the way to view these rings is that you can only access outward, to a higher-numbered ring. That is, you can never access inward, to a lower-numbered ring.

[Figure: Intel Architecture Negative Rings]

Thus, the complete view of the ring architecture becomes:

  • Ring ‑3: Management Engine (ME) {Highest Privilege}
  • Ring ‑2: System Management Mode (SMM)
  • Ring ‑1: Hypervisor
  • Ring 0: Kernel
  • Ring 1: Device Drivers
  • Ring 2: Device Drivers
  • Ring 3: User Applications {Lowest Privilege}

Now, let’s take a look at each of the negative rings in more detail.

Ring ‑1: Hypervisor

First, we need to clarify what type of hypervisor we are discussing. There are two widely-recognized types of hypervisors:

  • Type 1 Hypervisors, which run on “bare metal.”
  • Type 2 Hypervisors, which are “hosted.”

A type 1 hypervisor has actual control of the computer. It is what boots upon startup. Examples of type 1 hypervisors include: VMware ESXi, Microsoft Hyper-V, and Linux KVM.

A type 2 hypervisor runs as an application under the computer’s operating system. Examples of type 2 hypervisors include: VMware Workstation and Fusion, Microsoft Virtual PC, and Oracle VM VirtualBox.

For purposes of the following discussion, “hypervisor” always refers to Type 1 Hypervisors, unless explicitly stated otherwise.

Virtualization must be enabled via a firmware setting before a hypervisor can boot on bare metal. On Intel processors that setting causes the firmware to set the “VMXON enable” bits in the IA32_FEATURE_CONTROL MSR and lock them before handing over control; the hypervisor (or a kernel such as Linux with KVM) then sets CR4.VMXE and executes VMXON to enter VMX operation, which is where the Virtual Machine eXtensions (VMX) become usable. If firmware locked the MSR with those bits clear, VMXON faults and the hypervisor cannot start, which is the familiar “VMX disabled by BIOS” failure. Whenever the processor is in VMX operation, it runs in one of two modes:

  • VMX Root, or
  • VMX non-Root.

VMX Root is the mode in which the hypervisor runs. In VMX Root, the hypervisor has access to the VMX instruction set (VMXON, VMLAUNCH, VMRESUME, VMREAD, VMWRITE and friends) that is unavailable to any other code. The hypervisor runs at privilege level 0 (CPL 0). But the hypervisor (running in VMX Root mode) is isolated from the virtualized guest operating system, whose kernel runs in VMX non-Root mode, also at CPL 0 from the guest’s own point of view: privileged instructions, selected MSR and I/O accesses, and the other events the hypervisor chooses in the VMCS cause a VM exit that hands control back to VMX Root. That exit mechanism is what makes Ring ‑1 more privileged than Ring 0 even though both execute at CPL 0.

Thus the boot process becomes:

  • Firmware allows VMX (it sets and locks the VMXON-enable bits in IA32_FEATURE_CONTROL).
  • Firmware boots the hypervisor and passes control to it. The hypervisor sets CR4.VMXE, executes VMXON, and from then on runs in VMX Root at CPL 0.
  • Hypervisor then boots each guest operating system kernel. Each guest runs in VMX non-Root, with each operating system’s kernel running at its own virtualized CPL 0.
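The following is an added example, not code from the original article, showing the checks a hypervisor (or a kernel such as Linux with KVM) performs before it can take the Ring ‑1 position in the boot sequence above: whether CPUID reports VMX, and whether the IA32_FEATURE_CONTROL MSR, as firmware left it, allows VMXON. It also uses the CPUID hypervisor-present bit and the 0x40000000 vendor leaf to answer the complementary question a guest kernel cares about: is there already a Ring ‑1 above my Ring 0? The MSR values fed to the decoder are constructed (reading the live MSR needs ring 0, for example `rdmsr 0x3a` from msr-tools as root); the CPUID probe runs live on x86 and is skipped elsewhere.

```c
/* Added example: VMX availability and hypervisor-presence checks.
 * Not from the original article. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define IA32_FEATURE_CONTROL 0x3A
#define FC_LOCK          (1ull << 0)  /* MSR is locked until reset          */
#define FC_VMXON_IN_SMX  (1ull << 1)  /* VMXON allowed inside SMX (TXT)      */
#define FC_VMXON_OUT_SMX (1ull << 2)  /* VMXON allowed outside SMX (normal)  */

enum vmx_state { VMX_FIRMWARE_DISABLED = 0, VMX_UNLOCKED = 1, VMX_ENABLED = 2 };

/* Decode IA32_FEATURE_CONTROL as firmware left it. VMXON raises #GP unless
 * the lock bit and the relevant VMXON-allowed bit are both set. If the lock
 * bit is clear, ring-0 software may set and lock the bits itself; if it is
 * set with the allow bit clear, only a reset (and a firmware change) helps. */
enum vmx_state feature_control_state(uint64_t msr, bool in_smx) {
    uint64_t allow = in_smx ? FC_VMXON_IN_SMX : FC_VMXON_OUT_SMX;
    if (!(msr & FC_LOCK)) return VMX_UNLOCKED;
    return (msr & allow) ? VMX_ENABLED : VMX_FIRMWARE_DISABLED;
}

/* CPUID.1:ECX[5]  = processor supports VMX.
 * CPUID.1:ECX[31] = "hypervisor present"; set by a Ring -1 hypervisor for
 *                    its guests, always 0 on bare metal. */
bool cpuid_reports_vmx(uint32_t ecx)        { return (ecx >> 5) & 1; }
bool cpuid_reports_hypervisor(uint32_t ecx) { return (ecx >> 31) & 1; }

/* CPUID.0x40000000 returns a 12-byte vendor signature in EBX, ECX, EDX,
 * e.g. "KVMKVMKVM\0\0\0", "VMwareVMware", "Microsoft Hv", "XenVMMXenVMM". */
void hv_vendor_from_regs(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    memcpy(out + 0, &ebx, 4);
    memcpy(out + 4, &ecx, 4);
    memcpy(out + 8, &edx, 4);
    out[12] = '\0';
}

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
static void cpuid_raw(uint32_t leaf, uint32_t *a, uint32_t *b, uint32_t *c, uint32_t *d) {
    __cpuid(leaf, *a, *b, *c, *d);
}
#endif

/* Live probe on x86: is a hypervisor (Ring -1) above the code running here?
 * Returns 1 if so (vendor filled in), 0 on bare metal, -1 if not x86. */
int probe_hypervisor(char vendor[13]) {
    vendor[0] = '\0';
#if defined(__x86_64__) || defined(__i386__)
    uint32_t a, b, c, d;
    cpuid_raw(1, &a, &b, &c, &d);
    if (!cpuid_reports_hypervisor(c)) return 0;
    cpuid_raw(0x40000000, &a, &b, &c, &d);
    hv_vendor_from_regs(b, c, d, vendor);
    return 1;
#else
    return -1;
#endif
}

int main(void) {
    /* Constructed MSR values as firmware might leave them. */
    static const uint64_t from_firmware[] = { 0x5, 0x1, 0x0 };
    static const char *names[] = {
        "firmware disabled VMX (locked)", "unlocked: kernel may enable and lock", "VMX enabled"
    };
    for (size_t i = 0; i < 3; i++)
        printf("IA32_FEATURE_CONTROL=0x%llx -> %s\n",
               (unsigned long long)from_firmware[i],
               names[feature_control_state(from_firmware[i], false)]);

    char vendor[13];
    int hv = probe_hypervisor(vendor);
    printf("hypervisor present: %d (%s)\n", hv, hv == 1 ? vendor : "n/a");
    return 0;
}
```

Running this inside a cloud VM prints the vendor signature of the Ring ‑1 hypervisor; on bare metal the hypervisor-present bit is clear. Note that a hypervisor can legitimately hide the bit from its guests, so a clear bit is evidence of bare metal, not proof.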