CompuWiki ๐Ÿชด

Hardware Privilege Rings

365 words, 2 min read
Last modified: Jun 14, 2026
๐ŸŒŸ Edit this page ย  ๐Ÿ—“๏ธ History

Every modern computer enforces a hierarchy of privilege levels โ€” concentric layers of control where each inner layer can see and override everything above it, but not the reverse. Most people only ever interact with the outermost layer: the applications they run. Underneath sit the kernel, firmware, and a set of management processors that are effectively invisible to the operating system itself.

The classic teaching model is the x86 protection rings (Ring 0โ€“3). Reality is deeper. Below the kernel live the hypervisor (Ring โˆ’1), System Management Mode (Ring โˆ’2), and the platformโ€™s management engine โ€” Intel ME or AMD PSP (Ring โˆ’3) โ€” a separate computer inside your computer that runs before, during, and after the main CPU, and which you cannot audit or disable on consumer hardware.

Why it matters

  • Trust is transitive and one-directional. A higher ring must trust every layer beneath it, and has no technical mechanism to verify them. If a lower layer lies, everything above inherits the lie โ€” silently.
  • The most powerful code is the least auditable. Userspace (Ring 3) is the only layer you can fully observe. The deeper you go, the more absolute the power and the more opaque the implementation.
  • Persistence lives below the OS. A rootkit in UEFI/SMM or drive firmware survives a full format and OS reinstall, because the implant is not in the OS at all.

How to read the diagram

The interactive figure below has four views:

  • Privilege Rings โ€” the layered model as a downward-tapering cone; click any ring to read what runs there and why it matters.
  • Boot Sequence โ€” what actually executes, in order, from power-on to userspace, for both a PC (UEFI / x86-64) and a smartphone (ARM). Click a step to expand the detail.
  • Devices โ€” how these firmware layers map onto everyday hardware: laptops, phones, servers, drives, routers, TVs, printers, and wearables.
  • Trust Chain โ€” the chain of entities you implicitly trust every time you power on, from the silicon foundry down to you.

Common-diagram correction

Ring โˆ’2 is SMM (System Management Mode), a special CPU execution mode invisible to the hypervisor and OS โ€” not UEFI itself. UEFI runs during boot; SMM persists at runtime.

The Hardware Privilege Hierarchy โ€” The One Ring

Privilege rings, firmware layers, boot sequences, and trust chains in modern devices. The deeper the layer, the more absolute its power โ€” and the less you can audit it.

Click any ellipse โ€” bottom = most privileged

Ring 3Userspace / AppsRing 1 / 2Rarely used (x86)Ring 0Kernel ยท Drivers ยท AnticheatRing โˆ’1Hypervisor (VMX)Ring โˆ’2SMM ยท UEFI/iBootRing โˆ’3ME ยท PSP ยท BootromMORE PRIVILEGED โ†’

โ† Click an ellipse
to explore that layer

โš  Correction vs common diagrams: Ring โˆ’2 is SMM (System Management Mode), a special CPU execution mode completely invisible to the hypervisor and OS โ€” not UEFI itself. UEFI runs during boot but SMM persists at runtime. AMD Sinkclose (2024 DEF CON) exposed a 20-year-old CPU flaw enabling Ring โˆ’2 privilege escalation.

Click each step to expand technical detail

๐Ÿ–ฅ PC โ€” UEFI / x86-64

๐Ÿ“ฑ Smartphone โ€” ARM

Firmware layers across everyday devices

๐Ÿ’ป PC / Laptop

ApplicationsRing 3
OS Kernel + Vanguard/EACRing 0
Hypervisor (optional)Ring โˆ’1
UEFI FirmwareRing โˆ’2
SMM (invisible)Ring โˆ’2
Intel ME / AMD PSPRing โˆ’3

๐Ÿ“ฑ Smartphone

Apps (sandboxed)Ring 3
XNU / Linux KernelRing 0
iBoot / BootloaderLocked
Baseband ProcessorParallel
TrustZone Secure WorldParallel
Bootrom (immutable ROM)โˆ’โˆž

๐Ÿ–ง Server

Guest OS Kernels (ร—N)Ring 0
Hypervisor (VMware/KVM)Ring โˆ’1
SMM + UEFIRing โˆ’2
Intel MERing โˆ’3
BMC / iDRAC / iLOAlways ON
BMC has independent network access. Can power cycle, reinstall OS, or access console even when the server is "off". Dell iDRAC, HP iLO, Supermicro IPMI.

๐Ÿ’ฝ SSD / HDD

Direct data accessTotal
Survives full formatPersistent
Drive controller firmwareโš  Invisible
Equation Group (NSA-linked) deployed malware that lived in HDD firmware โ€” discovered by Kaspersky in 2015. Survived complete drive formats and OS reinstalls. The drive itself was the implant.

๐Ÿ“ก Router / Network

Embedded OS (Linux/VxWorks)Kernel
Proprietary firmwareOpaque
Sees ALL your trafficโš  Total
Every packet leaving your network passes through here before the internet. A compromised router is worse than any OS-level malware โ€” it sits above your encryption at the network layer.

๐Ÿ“บ Smart TV

Streaming apps / UIUser
Tizen / WebOS / Android TVKernel
SoC firmware (Samsung/LG)Opaque
Always-on microphone in many models. Remote update subsystems operate independently of the visible OS. Samsung's ACR (Automatic Content Recognition) tracks what you watch by default.

๐Ÿ–จ Printer

Network stackExposed
Embedded Linux / RTOSKernel
ARM CPU + firmwareOpaque
Historically a neglected attack vector on corporate networks. HP and Xerox have had critical firmware RCEs. Printers are often network-connected, rarely patched, and can pivot to other internal systems.

โŒš Wearables / IoT

Biometrics / location / micโš  Sensors
RTOS (FreeRTOS / Zephyr)Kernel
Vendor firmware (opaque)Opaque
Continuous biometric collection (HR, SpO2, GPS, accelerometer). Bluetooth always scanning. Firmware updates delivered OTA with minimal user visibility. Least-audited category of personal devices.

Who do you actually trust?

Trust is transitive โ€” every layer inherits the risks of the layer below it

๐Ÿ‘ค

You โ€” the end user

You see Ring 3. You cannot audit any layer below. You trust every entity above implicitly, transitively, every time you power on your device.

Ring 3
โ†“ trusts โ†“
๐ŸŽฎ

Game Anticheat โ€” Riot Vanguard, EAC, Ricochet

Ring 0. Starts before the game. Vanguard is partially owned by Tencent, which has legal obligations to the Chinese government. You trust all of the above to trust this.

Ring 0
โ†“ trusts โ†“
๐Ÿ›ก๏ธ

Security Software โ€” CrowdStrike, Antivirus vendors

Also Ring 0. A bug here crashed 8.5M Windows machines simultaneously in July 2024. No malicious intent needed โ€” just a bad update.

Ring 0
โ†“ trusts โ†“
๐Ÿ–ฅ๏ธ

OS Vendor โ€” Microsoft, Apple, Google, Linux

Controls Ring 0. Decides which kernel modules are allowed. Windows kernel signing (required since Vista 64-bit) reduced but didn't eliminate malicious Ring 0 code.

Ring 0
โ†“ trusts โ†“
๐Ÿญ

OEM โ€” Dell, Lenovo, Apple, Samsung

Writes UEFI and SMM code, may add proprietary modules. Controls Secure Boot keys. Some OEMs have shipped firmware with backdoors (Lenovo Superfish, 2015).

Ring โˆ’2
โ†“ trusts โ†“
๐Ÿ”ง

Chip Vendor โ€” Intel, AMD, Qualcomm, Apple

Writes Ring โˆ’3 firmware: Intel ME (runs MINIX), AMD PSP, Qualcomm baseband. Closed source, signed, and non-removable on modern hardware.

Ring โˆ’3
โ†“ trusts โ†“
๐Ÿ”ฌ

IP Designer โ€” ARM, x86 (Intel/AMD), RISC-V

Designs the instruction set architecture and core IP. Everyone else licenses it. ARM is now owned by SoftBank; RISC-V is open and the only truly auditable option.

ISA
โ†“ trusts โ†“
โš›๏ธ

Silicon Foundry โ€” TSMC, Samsung, Intel Fabs

Physically manufactures the chip. Could embed hardware backdoors at gate level โ€” undetectable by any software audit. Geopolitically concentrated in Taiwan and South Korea.

Ring โˆ’โˆž
โš  The trust chain is only as strong as its weakest link.
If any lower layer lies, everything above inherits that lie โ€” silently, invisibly.
There is no technical mechanism to verify lower layers from higher ones.
This is not a bug. It is how the architecture was designed.
๐ŸŒฑ The only real escape: RISC-V
Open instruction set architecture. No proprietary ME equivalent. Fully auditable from ISA to silicon (in theory). Projects like Talos II (IBM POWER9) offer fully open firmware stacks today but cost thousands and target servers. RISC-V for general consumer hardware is still a decade away from maturity.