In a Xen/x86 system, only the hypervisor runs with full processor
privileges (ring 0 in the x86 four-ring model). It has full
access to the physical memory available in the system and is
responsible for allocating portions of it to running domains.
On a 32-bit x86 system, guest operating systems may use rings 1,
2 and 3 as they see fit. Segmentation is used to prevent
the guest OS from accessing the portion of the address space that is
reserved for Xen. We expect most guest operating systems will use
ring 1 for their own operation and place applications in ring 3.
On 64-bit systems it is not possible to protect the hypervisor from
untrusted guest code running in rings 1 and 2. Guests are therefore
restricted to run in ring 3 only. The guest kernel is protected from its
applications by context switching between the kernel and currently
In this chapter we consider the basic virtual architecture provided by
Xen: CPU state, exception and interrupt handling, and time.
Other aspects such as memory and device access are discussed in later