Protection Levels

In μT-Kernel, four levels from 0 to 3 (corresponding to privileged mode, user mode, etc.) are defined as the protection level at runtime, and four levels from 0 to 3 are likewise defined as the protection level of the memory to be accessed. The currently running task can access only memory with the same or lower protection level (level 0 being the most privileged). This function is useful for protecting the system, such as the OS itself, from illegal access by programs.

The uses of each protection level are as follows.

Protection Level   Usage
0                  Kernel, subsystems, device drivers, etc.
1                  System application tasks
2                  (reserved)
3                  User application tasks

Some CPUs support only two protection levels: privileged (supervisor mode) and user. In such a case, protection level 0 is assigned to the privileged level and protection level 3 to the user level, and if protection levels 0 to 2 are specified in an API, the system behaves as if privileged level 0 had been specified. For example, if TA_RNG2 is specified in tskatr when tk_cre_tsk is invoked, it is treated as TA_RNG0 and the task executes at the privileged level (protection level 0). Similarly, specifying TA_RNG2 in mplatr when tk_cre_mpl is invoked is treated as TA_RNG0, and the access protection level of the created memory pool is 0. In this case the service profile defines the following macros as 0: TK_MEM_RNG0, TK_MEM_RNG1, TK_MEM_RNG2.

In the case of CPUs with no distinction between privileged and user modes, only protection level 0 is used. In such a case, if protection levels 1 to 3 are specified in an API, the system behaves as if privileged level 0 had been specified. In this case the service profile defines the following macros as 0: TK_MEM_RNG0, TK_MEM_RNG1, TK_MEM_RNG2, TK_MEM_RNG3.

When the protection level of the currently running context is lower in privilege than that of the memory being accessed, a memory access privilege violation shall be detected and a CPU exception shall be generated.
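To make the level-folding rules and the access rule above concrete, the following is an added example, not code from the μT-Kernel specification or any implementation. It models how a TA_RNGn request in tskatr or mplatr is folded to the level the CPU really provides (4, 2 or 1 distinct levels) and then applies the "same or lower protection level" rule. The TA_RNGn bit layout, the cpu_levels enum and all function names are assumptions made for this example. One point worth seeing in code: a task created with TA_RNG2 cannot reach a level-0 memory pool on a 4-level CPU, but on a 2-level CPU both fold to level 0 and the access succeeds, so code that relies on levels 1 or 2 for isolation gets full privilege on such hardware.

```c
#include <stdio.h>
#include <stdbool.h>

/* Stand-ins for the TA_RNGn attribute bits used in tskatr / mplatr. The bit
 * layout (level number in bits 8-9) is an assumption for this example and is
 * not taken from the μT-Kernel headers. */
typedef unsigned int ATR;
#define TA_RNG0      0x00000000U
#define TA_RNG1      0x00000100U
#define TA_RNG2      0x00000200U
#define TA_RNG3      0x00000300U
#define TA_RNG_MASK  0x00000300U

/* Number of protection levels the CPU actually distinguishes (constructed enum). */
enum cpu_levels { CPU_LEVELS_4 = 4, CPU_LEVELS_2 = 2, CPU_LEVELS_1 = 1 };

/* Extract the protection level (0..3) requested through a TA_RNGn attribute. */
int attr_to_level(ATR atr)
{
    return (int)((atr & TA_RNG_MASK) >> 8);
}

/* Fold a requested level onto the level the CPU will really use:
 *  - 4-level CPU: the requested level is used as is;
 *  - 2-level CPU: levels 0..2 all become privileged level 0, level 3 stays user;
 *  - 1-level CPU: every request becomes level 0.
 * Returns -1 for a level outside 0..3. */
int effective_level(int requested, enum cpu_levels cpu)
{
    if (requested < 0 || requested > 3)
        return -1;
    switch (cpu) {
    case CPU_LEVELS_4: return requested;
    case CPU_LEVELS_2: return (requested == 3) ? 3 : 0;
    case CPU_LEVELS_1: return 0;
    }
    return -1;
}

/* Access rule: a context may touch memory whose level number is the same or
 * higher, i.e. the same or less privileged. Level 0 is the most privileged,
 * so a context with a lower number never loses access to a higher number.
 * Anything else is the memory access privilege violation the text describes. */
bool access_allowed(int ctx_level, int mem_level)
{
    return ctx_level >= 0 && mem_level >= 0 && ctx_level <= mem_level;
}

/* Would a task created with tskatr reach a memory pool created with mplatr
 * on the given CPU, once both requests are folded to effective levels? */
bool task_can_access_pool(ATR tskatr, ATR mplatr, enum cpu_levels cpu)
{
    int task_lvl = effective_level(attr_to_level(tskatr), cpu);
    int pool_lvl = effective_level(attr_to_level(mplatr), cpu);
    return access_allowed(task_lvl, pool_lvl);
}

int main(void)
{
    const enum cpu_levels cpus[] = { CPU_LEVELS_4, CPU_LEVELS_2, CPU_LEVELS_1 };
    const ATR rngs[] = { TA_RNG0, TA_RNG1, TA_RNG2, TA_RNG3 };
    size_t i, t;

    /* For each CPU profile, show which task levels may access a level-0 pool. */
    for (i = 0; i < sizeof cpus / sizeof cpus[0]; i++) {
        printf("%d-level CPU:", (int)cpus[i]);
        for (t = 0; t < 4; t++)
            printf("  TA_RNG%zu->%s", t,
                   task_can_access_pool(rngs[t], TA_RNG0, cpus[i]) ? "ok" : "EXC");
        printf("\n");
    }
    return 0;
}
```

Running the block prints one line per CPU profile; on the 4-level CPU only a TA_RNG0 task reaches the level-0 pool, on the 2-level CPU every task except TA_RNG3 does, and on the 1-level CPU all tasks do.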

Changing from one protection level to another is accomplished by invoking a system call or extended SVC, or by an interrupt or CPU exception.

A non-task portion (task-independent portion, quasi-task portion, etc.) runs at protection level 0. Only a task portion can run at protection levels 1 to 3; a task portion can also run at protection level 0.