CA1159965A - Authorization mechanism for transfer of program control or data between different address spaces having different storage protect keys - Google Patents

Authorization mechanism for transfer of program control or data between different address spaces having different storage protect keys

Info

Publication number
CA1159965A
Authority
CA
Canada
Prior art keywords
program
key
mask
asn
bit
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired
Application number
CA000373340A
Other languages
French (fr)
Inventor
Andrew R. Heller
William S. Worley, Jr.
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
International Business Machines Corp
Original Assignee
International Business Machines Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by International Business Machines Corp filed Critical International Business Machines Corp
Application granted granted Critical
Publication of CA1159965A publication Critical patent/CA1159965A/en
Expired legal-status Critical Current

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14Protection against unauthorised use of memory or access to memory
    • G06F12/1458Protection against unauthorised use of memory or access to memory by checking the subject access rights
    • G06F12/1466Key-lock mechanism
    • G06F12/1475Key-lock mechanism in a virtual system, e.g. with translation means

Abstract

One program in one address space is permitted to obtain access to data in another address space or to call a program in another address space without invoking a supervisor, with authorization to use a storage protect key other than that specifically assigned to the program by a supervisor program when in a new semi-privileged state. Programs executing in a particular address space have supervisor assigned storage protect key masks permitting the program, when authorized, to utilize a storage protect key other than the one specifically assigned by the supervisor. A second address space can be designated by a program, and when authorized, can cause transfer of data in main memory from one physical location to another associated with the different address space, and two different storage protect keys can be utilized. A calling program can provide addressability to data in its address space by combining storage protect key masks from the calling program with a key mask of a called program to permit access to data by the called program. Entering the called program causes the saving and changing of a problem/supervisor control bit and instruction address.

Description


AUTHORIZATION MECHANISM FOR TRANSFER OF PROGRAM
CONTROL OR DATA BETWEEN DIFFERENT ADDRESS SPACES
HAVING DIFFERENT STORAGE PROTECT KEYS

Field Of The Invention

This invention relates generally to data processing systems and more particularly to program or data protection hardware and techniques.

Description Of The Prior Art

Any stored program data processing system that provides for multiprogramming, multiprocessing, virtual memories, or a supervisor program providing for a multiple virtual system must be concerned with the protection of data and/or programs from inadvertent or unauthorized use or modification. A widely published form of this protection is that described in connection with Multics which is an operating system developed primarily by Massachusetts Institute of Technology in cooperation with General Electric Company and others, and first implemented on a Honeywell 635 Computer. This technique has been recently described in U.S. patent 4,177,510. Another form of protection mechanism is disclosed in U.S. patent 4,038,645, assigned to the assignee of the present invention, and is descriptive of the technique utilized in the IBM* Series/1 computer system.

A particular form of prior protection mechanism, more closely associated with the present invention, is that defined for the IBM System/370 series of data processing systems. The organizational and hardware/architectural aspects of the IBM System/370 are described in the "IBM System/370 Principles of Operation", Form No. GA22-7000-4, File No. S/370-01. In the IBM System/370, the basic form of data protection is accomplished by the storage protect keys associated with physical blocks of memory and associated with particular programs. This concept is disclosed and claimed in U.S. patent RE27,251 entitled "Memory Protection System", issued 12/21/71 to G.M. Amdahl et al, and assigned to International Business Machines Corp. A four-bit coded storage protect key associated with physical blocks of memory is compared with a PSW key associated with a program to control access to data. In present IBM System/370 systems, the method by which programs are controlled in their access to data or the ability to call other programs in the data processing system is under strict control of an operating system or supervisor. One such control program is the Multiple Virtual System (MVS) control program. One program can call another program only by alerting the supervisor program by means of a Supervisor Call instruction (SVC), leaving to the supervisor program the determination of the authorization of the calling program to call the called program.

A major IBM System/370 user requirement addressed by this invention is to provide an enhanced method of communication between address spaces in a system operating under MVS. In present systems, there are a number of multi-address space program subsystems, e.g. IMS, TSO/VTAM, VSPC, and JES. These subsystems use a multiple address space structure to separate themselves from their users. This separation provides them with a number of advantages.

* Registered Trademark

By providing their own address space in which to run their programs and keep their private data, they are able to better ensure a recovery environment for their programs and data. If users of the subsystem were to run in the same address space as the subsystem control, the subsystem's recovery could be affected by the user's recovery. If the subsystem's control information is kept in common storage, storage protect keys become the only mechanism to protect the data. However, there are not enough keys (16) to guarantee that the information is protected from an inadvertent store by another subsystem or authorized program since it is commonly addressable.

By using their own private area for keeping their control information, subsystems are able to have up to eight megabytes of addressability for their data. If more than eight megabytes of data is required, the subsystem may use more than one private address space for the data; in effect, extending the 24-bit addressability limit of the 370 architecture. By keeping sensitive data in their own private address space they are able to isolate their data from all unauthorized users in the system.

These are some of the reasons that subsystems use a multi-address space structure; however, there are problems with the communication mechanisms available in MVS for calling programs in another address space and moving/referencing data between two address spaces.

To permit calling of programs or reference data in another address space, the user must be authorized; therefore, most subsystems must embed the mechanisms within Supervisor Call instructions (SVC) to give an interface to the unauthorized user. Solutions require the user to do his own synchronization if a synchronous call is desired and are extremely slow.

Since the 370 architecture supports only one address space at any instant in time, subsystems must put any data that must be shared or moved between the subsystem and its user in common storage. This has a number of undesirable effects. The amount of common storage available for other uses is reduced because it is being used by only a few address spaces. Since the data is globally addressable in all address spaces, the only means of protecting the data against an inadvertent store is through keys. However, there are only sixteen keys, thus no guaranteed way of limiting access to the data can be ensured. If the data contains proprietary information, the only way to protect the security of the data is to fetch protect the data. Opportunities to exploit virtual storage such as virtual data bases are severely limited. If a virtual data base is to be shared among two or more users, the data base must be placed in common storage or the performance benefit of the virtual data will be negated by the slow private-to-private access mechanisms available. However, common storage is a limited resource; therefore virtual data bases must be relatively small.

SUMMARY OF THE INVENTION

To provide enhancement needed for a System/370 to operate with MVS, the present invention introduces the concept of the use of storage protect key masks, and is included in a new subsystem control facility that provides: 1) basic authority control with dual address space memory references; 2) program subsystem linkages; and 3) Address Space Number translation to main memory addresses with authorization control.


BRIEF DESCRIPTION OF DRAWINGS

FIGURE 1 is a general block diagram of a stored program general purpose computer.

FIGURE 2 depicts three of the System/370 instruction formats utilized in the present invention.

FIGURE 3 depicts the information or data stored in the System/370 defined control registers utilized in practicing the present invention.

FIGURE 4 depicts the program status word (PSW) showing one newly defined binary bit position controlling address space operations.

FIGURE 5 depicts the information stored in new system control tables utilized in practicing the present invention.

FIGURE 6 is a combined logic and data flow diagram for effecting address space number (ASN) translation.

FIGURE 7 is a combined logic and data flow diagram for effecting program call (PC) number translation.

FIGURE 8 is a combined logic and data flow diagram for establishing a secondary address space number.

FIGURES 9, 10 and 11 are a combined logic and data flow diagram for effecting transfer of control from a calling program to a called program in accordance with the present invention.

FIGURES 12 and 13 are combined logic and data flow diagrams for returning control from a called program to a calling program in accordance with the present invention.

FIGURE 14 is a table summarizing the authorization mechanism of the present invention controlling transfer of program control or data between address spaces.

FIGURE 15 depicts the interaction between programs, system control tables, and data in a main memory under control of information contained in control registers to effect transfer of control between programs or transfer of data between address spaces.

FIGURE 16 depicts programs and system control tables in main memory and their interaction with control registers and general registers to effect transfer of program control to a called program in another address space.

FIGURE 17 depicts programs and system control tables in main memory interacting with information in control registers and general registers of a central processing unit to effect return of program control from a called program in one address space to a calling program in another address space.

Basic authority control makes available to problem programs a gradation of privilege or authority. It includes extraction-authority control indicated by bit 4 of control register 0, which allows the following instructions to be executed in the problem state: Insert Address Space Control, Insert PSW Key, and Insert Virtual Storage Key. A PSW-key mask is placed in control register 3. This 16-bit mask is used to control the keys that may be placed in the current PSW by the instruction Set PSW Key From Address. When in the problem program state, the key mask is used to control the keys that may be specified by three move instructions in order to access one of their operands with a key different from the PSW key. The instructions are Move With Key, Move To Primary, and Move To Secondary. The mask is also ANDed with an authorization key mask in an entry-table entry during execution of a Program Call instruction to determine if the program is authorized to call this particular entry point.

An Insert Virtual Storage Key instruction allows the virtual address of a location to be used to examine the storage key associated with the location. For Move With Key, the access key for the source operand is specified as an operand and authorized by the PSW-key mask.

Instructions that can be executed in either the problem state or the supervisor state when certain authority requirements are met are called semiprivileged instructions. Failure to meet the requirements of the extraction-authority control or the PSW-key mask causes a privileged-operation exception to be recognized. The requirements of the extraction-authority control and the PSW-key mask are not enforced when execution is in supervisor state. Other authority requirements for semiprivileged instructions can cause other program exceptions to be recognized, and these other requirements are enforced regardless of whether execution is in the problem state or the supervisor state.

The dual address space concept provides, for the problem program, the ability to move information from one address space into another and also to specify in which address space the operands of the program are to be accessed. It includes, in control register 7, a secondary-segment-table origin and the secondary-segment-table length, which together define the location and extent of the secondary-segment table. The secondary-segment table is used to translate the secondary virtual addresses of the secondary address space, while a primary-segment table in control register 1 is used for the primary virtual addresses of the primary address space. When the normal 370 dynamic address translation facility (DAT) is on, the CPU is said to be in either primary-space mode or secondary-space mode, depending on which segment table is being used.

Bit 5 in control register 0 authorizes the execution of the instructions Set Address Space Control, Move To Primary, and Move To Secondary which move data between the primary and secondary address spaces. The secondary-space access key is specified as an operand and authorized by the PSW-key mask in control register 3.

Address-space control is provided by bit 16 of the PSW, which, when on, causes any logical address to be treated as a secondary virtual address. The implication is that instructions that are executed in secondary-space mode should be in both address spaces through being in the common area. The instructions Insert Address Space Control and Set Address Space Control allow the program to inspect and set, respectively, the address-space control bit 16 in the PSW.

Another feature of the present invention provides for direct linkage between problem programs executing at different levels of authority, without the use of the Supervisor Call instruction. Control register 5 includes a subsystem-linkage control valid bit, a linkage-table origin, and the linkage-table length. The subsystem-linkage control authorizes the execution of a Program Call and Program Transfer instruction. The linkage-table origin and linkage-table length define the location and extent of the linkage table. The linkage table and the associated entry tables are used during a PC-number-translation process. The contents of an entry-table entry are: authorization key mask, ASN, entry addressing-mode bit, entry instruction address, entry problem-state bit, entry parameter, and entry key mask. The PC-number-translation process occurs during the execution of the Program Call instruction.

Program Call (PC) specifies a PC number, which is used to locate an entry-table entry. If the Program Call is executed in problem state, the authorization key mask in the entry table entry is ANDed with the PSW-key mask in control register 3, with a nonzero result indicating that the program issuing the Program Call is authorized to access the entry. The PSW-key mask and primary ASN, and the addressing-mode bit, instruction address, and problem-state bit of the current PSW, are saved in general registers. The entry instruction address, and entry problem-state bit are placed in the current PSW. The entry key mask is ORed with the PSW-key mask, and the PSW-key mask is replaced by the result. The secondary ASN and secondary-segment-table designation are set equal to the primary ASN and primary-segment-table designation, respectively. If the ASN in the entry-table entry is zero, it indicates the current-primary ASN is still effective.

Program Transfer (PT) specifies general registers containing a key mask, ASN, addressing-mode bit, instruction address, and problem-state bit. These contents are normally the ones that were saved by a Program Call. The addressing-mode bit, instruction address, and problem-state bit are placed in the current PSW, except that this is not allowed to cause a change from problem to supervisor state. The key mask is ANDed with the PSW-key mask, and the PSW-key mask is replaced by the result. The secondary ASN is set equal to the specified ASN. If the specified ASN is equal to the current primary ASN, the secondary-segment-table designation is set equal to the primary-segment-table designation.
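
The key-mask handling of Program Call and Program Transfer described above can be followed in a small software model. This is an added example, not part of the patent text: the class and function names, the NotAuthorized exception, and the sample keys, ASNs and addresses are all constructed for illustration, the addressing-mode bit is omitted, and ASN translation with its authority-table check is left out.

```python
from dataclasses import dataclass
from typing import NamedTuple


def key_bit(key: int) -> int:
    """Mask bit for storage key 0-15. IBM numbers bits from the left, so
    key 0 is the most significant bit of the 16-bit mask in CR3."""
    if not 0 <= key <= 15:
        raise ValueError("storage protect keys are 4-bit values")
    return 0x8000 >> key


def mask_of(*keys: int) -> int:
    """Build a 16-bit key mask from a list of key values."""
    mask = 0
    for key in keys:
        mask |= key_bit(key)
    return mask


class NotAuthorized(Exception):
    """Hypothetical stand-in for the program exception the CPU would raise."""


@dataclass
class EntryTableEntry:      # fields named in the text (entry parameter omitted)
    akm: int                # authorization key mask
    asn: int                # 0 means the current primary ASN stays in effect
    address: int            # entry instruction address
    problem_state: bool     # entry problem-state bit
    ekm: int                # entry key mask


@dataclass
class Cpu:                  # only the state this model needs
    pkm: int                # PSW-key mask, CR3 bits 0-15
    pasn: int               # primary ASN
    sasn: int               # secondary ASN
    problem_state: bool     # PSW problem-state bit
    ia: int                 # PSW instruction address


class Linkage(NamedTuple):  # what Program Call saves in general registers
    pkm: int
    pasn: int
    ia: int
    problem_state: bool


def key_allowed(cpu: Cpu, key: int) -> bool:
    """May the program name `key` in Move With Key, Move To Primary, Move To
    Secondary or Set PSW Key From Address? Not enforced in supervisor state."""
    return (not cpu.problem_state) or bool(cpu.pkm & key_bit(key))


def program_call(cpu: Cpu, ete: EntryTableEntry) -> Linkage:
    # Authorization: PSW-key mask AND authorization key mask must be nonzero.
    if cpu.problem_state and (cpu.pkm & ete.akm) == 0:
        raise NotAuthorized("caller holds none of the keys in the AKM")
    saved = Linkage(cpu.pkm, cpu.pasn, cpu.ia, cpu.problem_state)
    cpu.ia, cpu.problem_state = ete.address, ete.problem_state
    cpu.pkm |= ete.ekm          # the called program gains the entry's keys
    cpu.sasn = cpu.pasn         # caller's space stays reachable as secondary
    if ete.asn != 0:            # PC-ss; ASN translation is not modelled here
        cpu.pasn = ete.asn
    return saved


def program_transfer(cpu: Cpu, link: Linkage) -> None:
    # The state check comes first so a refused PT changes nothing.
    if cpu.problem_state and not link.problem_state:
        raise NotAuthorized("PT may not change problem state to supervisor")
    cpu.pkm &= link.pkm         # AND can only remove keys, never add them
    cpu.ia, cpu.problem_state = link.ia, link.problem_state
    # PT-cp leaves the primary ASN as it is; PT-ss replaces it. The
    # authority-table check that guards PT-ss is outside this model.
    cpu.pasn = cpu.sasn = link.pasn


def round_trip():
    """Constructed scenario: a caller holding keys 8 and 9 calls a service
    whose entry requires key 8 and grants key 2 for the duration of the call."""
    cpu = Cpu(pkm=mask_of(8, 9), pasn=0x0010, sasn=0x0010,
              problem_state=True, ia=0x5000)
    service = EntryTableEntry(akm=mask_of(8), asn=0x0020, address=0x9000,
                              problem_state=True, ekm=mask_of(2))
    before = key_allowed(cpu, 2)
    link = program_call(cpu, service)
    during = (cpu.pkm, cpu.pasn, cpu.sasn, key_allowed(cpu, 2))
    program_transfer(cpu, link)
    after = (cpu.pkm, cpu.pasn, cpu.sasn, key_allowed(cpu, 2))
    return before, during, after
```

Because Program Transfer ANDs the supplied mask into the current one, a return with an altered saved mask cannot hold more keys than the called program already had, and the keys granted by the entry key mask are dropped when the saved mask is the caller's own.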

The Address Space Number (ASN) facility and feature provides the translation tables and authorization controls whereby a program in the problem state can designate an address space as being the primary address space or a secondary address space. This involves possible space-switching operations of the Program Call and Program Transfer instructions. A Set Secondary ASN instruction is also provided.

ASN translation control is provided by a bit in control register 14 which also stores an ASN first-table origin (AFTO) which defines the location of an ASN first table. The ASN first table and an associated ASN second table are used during the ASN-translation process. The contents of an ASN-second-table entry are: ASX-invalid bit, authority-table origin, authorization index, authority table length, segment table designation, and linkage-table designation. An authority-table entry contains a primary authority bit and secondary authority bit.

The Primary ASN in control register 4 is set equal to the ASN in an entry-table entry by a Program Call instruction with space switching (PC-ss) and the ASN in a general register by a space switching Program Transfer instruction (PT-ss).

A secondary ASN is set in control register 3 equal to (1) the old primary ASN by PC-ss, (2) the new primary ASN by PT-ss, (3) the primary ASN by PC-cp (current primary) and PT-cp, and (4) the ASN in a general register by Set Secondary ASN (SSAR). The corresponding primary-segment-table designation or secondary-segment-table designation is set whenever the primary ASN or secondary ASN, respectively, is set.

An authorization index in control register 4 is used, along with an authority table, to authorize a PT-ss or SSAR-ss operation. It is set during a PC-ss or PT-ss operation.

The Set Secondary ASN (SSAR) instruction sets the secondary ASN equal to an ASN in a general register. SSAR performs either a current-primary (SSAR-cp) operation or a space-switching (SSAR-ss) operation. For SSAR-cp, the specified ASN equals the primary ASN. The specified ASN replaces the secondary ASN, and the primary-segment-table designation replaces the secondary-segment-table designation.

For SSAR-ss, the specified ASN is different from the primary ASN. The specified ASN is used to locate an ASN-second-table entry. The current authorization index and the authority-table origin and length in the ASN-second-table entry are used to locate an authority-table entry, and then the secondary-authority bit is examined to determine if the operation is authorized. If it is, the specified ASN replaces the secondary ASN, and the segment-table designation in the ASN-second-table entry replaces the secondary-segment-table designation.

For Program Call, if the ASN in the entry-table entry is nonzero, it indicates the space-switching (PC-ss) operation. The ASN replaces the primary ASN and is used to locate an ASN-second-table entry. The authorization index, segment table designation, and the linkage-table designation in the ASN-second-table entry replace the current authorization index, primary-segment-table designation, and current linkage-table designation, respectively.

For Program Transfer, the specified ASN is different from the primary ASN, indicating the space-switching (PT-ss) operation. The specified ASN is used to locate an ASN-second-table entry. The current authorization index and the authority-table origin and length in the ASN-second-table entry are used to locate an authority-table entry, and then the primary-authority bit is examined to determine if the operation is authorized. If it is, the specified ASN replaces the primary ASN, and the authorization index, segment-table designation, and linkage-table designation in the ASN-second-table entry replace the current authorization index, primary-segment-table designation, and current linkage-table designation, respectively. The segment-table designation in the ASN-second-table entry also replaces the secondary-segment-table designation.
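
The SSAR-ss and PT-ss authorization just described depends on the target space's own authority table, indexed by the requesting program's authorization index. The following model is an added example, not part of the patent text. It assumes a dictionary in place of the ASN first and second tables, a list of (primary bit, secondary bit) pairs in place of the in-memory authority table, and an index beyond the table length treated as not authorized; all names and sample values are constructed.

```python
from dataclasses import dataclass


class NotAuthorized(Exception):
    """Hypothetical stand-in for the program exception the CPU would raise."""


class AsnTranslationError(Exception):
    """Hypothetical stand-in for a failed ASN translation."""


@dataclass
class AsnSecondTableEntry:
    invalid: bool    # ASX-invalid bit
    authority: list  # authority table: index = AX, value = (primary, secondary)
    ax: int          # authorization index taken on by a program entering the space
    std: int         # segment-table designation
    ltd: int         # linkage-table designation


@dataclass
class Cpu:
    ax: int          # current authorization index, CR4 bits 0-15
    pasn: int        # primary ASN
    sasn: int        # secondary ASN
    pstd: int        # primary-segment-table designation
    sstd: int        # secondary-segment-table designation
    ltd: int         # current linkage-table designation


def translate_asn(tables: dict, asn: int) -> AsnSecondTableEntry:
    """Stand-in for the two-level ASN translation (dictionary lookup)."""
    aste = tables.get(asn)
    if aste is None or aste.invalid:
        raise AsnTranslationError(hex(asn))
    return aste


def authority_bits(aste: AsnSecondTableEntry, ax: int) -> tuple:
    """(primary, secondary) authority bits for `ax` in the target's table.
    Assumption of this model: an AX past the table length has no authority."""
    if ax >= len(aste.authority):
        return (0, 0)
    return aste.authority[ax]


def set_secondary_asn(cpu: Cpu, asn: int, tables: dict) -> str:
    if asn == cpu.pasn:                       # SSAR-cp: no table lookup
        cpu.sasn, cpu.sstd = asn, cpu.pstd
        return "cp"
    aste = translate_asn(tables, asn)         # SSAR-ss
    if not authority_bits(aste, cpu.ax)[1]:   # secondary-authority bit
        raise NotAuthorized("secondary authority bit is zero")
    cpu.sasn, cpu.sstd = asn, aste.std
    return "ss"


def program_transfer_ss(cpu: Cpu, asn: int, tables: dict) -> None:
    """Only the address-space part of PT-ss; the PSW and key-mask
    handling of Program Transfer is not repeated here."""
    aste = translate_asn(tables, asn)
    if not authority_bits(aste, cpu.ax)[0]:   # primary-authority bit
        raise NotAuthorized("primary authority bit is zero")
    cpu.pasn, cpu.ax = asn, aste.ax           # the program takes on the target's AX
    cpu.pstd, cpu.ltd = aste.std, aste.ltd
    cpu.sasn, cpu.sstd = asn, aste.std        # secondary follows the new primary


# Constructed sample: three address spaces, each deciding who may reach it.
ASN_TABLES = {
    # AX 3 may address this space as secondary but may not transfer into it.
    0x0020: AsnSecondTableEntry(False, [(0, 0), (0, 0), (0, 0), (0, 1)],
                                ax=5, std=0x2000, ltd=0x2800),
    # The table stops at AX 1, so AX 3 has no authority at all.
    0x0030: AsnSecondTableEntry(False, [(1, 1), (1, 1)],
                                ax=6, std=0x3000, ltd=0x3800),
    # AX 3 may both address this space and transfer into it.
    0x0040: AsnSecondTableEntry(False, [(0, 0), (0, 0), (0, 0), (1, 1)],
                                ax=7, std=0x4000, ltd=0x4800),
}


def new_cpu() -> Cpu:
    """A program with AX 3 running in constructed address space 0x0010."""
    return Cpu(ax=3, pasn=0x0010, sasn=0x0010,
               pstd=0x1000, sstd=0x1000, ltd=0x1800)
```

The two bits are independent, so a space can let a program move data to and from it while refusing to let that program run in it, and the change of authorization index on PT-ss changes which spaces are reachable afterwards.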

DETAILED DESCRIPTION OF INVENTION

FIGURE 1 shows the major functional units of any stored program general purpose computer. The major units include a central processing unit 20, main memory 21, and input/output equipment 22. The central processing unit 20 includes a number of subunits. These include an arithmetic/logic unit 23 where arithmetic and logic functions are accomplished in response to program instructions. During the execution of program instructions, local storage/registers 24 provide temporary storage for intermediate results during instruction execution. The program status word (PSW) 25 is comprised of many fields, and includes an instruction address counter utilized for accessing program instructions from main memory 21 in sequence. Program instructions accessed from main memory 21 will be transferred to an instruction register/decode mechanism 26 for determining the operation to be performed within the central processing unit 20. In response to the decoding of an instruction, execution control apparatus 27 will be rendered effective to accomplish the operation called for by the instruction.

The subunits just described in connection with the central processing unit 20 are found in almost any general purpose computer. As defined in the above cited IBM System/370 Principles of Operation, program-instruction-addressable registers are identified and include sixteen general registers 28 and sixteen control registers 29.

Main memory 21 is comprised of a number of addressable blocks of individual addressable locations. Each block has an associated addressable coded storage protect key as defined in the above cited U.S. Patent Re 27,251. The main memory 21 is adapted to store information which includes data 30, application or problem programs 31, system control or supervisor programs 32, and a number of system control tables 33.

In describing the present invention, details will be given concerning new system control tables 33, use of control registers 29, not previously used or defined in the IBM System/370 Principles of Operation and certain general registers 28 required for practicing the present invention. Further, reference will be made to the existing fields of the PSW 25 which include the four-bit PSW protect key, P-bit which designates whether the system is in the problem or supervisor program state, and the instruction address portion. An additional bit, not previously defined for the PSW in the IBM System/370 Principles of Operation will also be defined.

It is noted at this time that a number of alternatives for the implementation of execution control 27 are available. In the case of IBM data processing systems which implement the System/370 architecture, U.S. Patent 3,400,371 is representative of an execution control mechanism consisting of a read only store microprogramming technique utilized in the recently announced 4300 series of computers. Recently issued U.S. Patent 4,200,927 discloses the execution control apparatus for the IBM 3033 data processing system, which includes a combination of hardware sequencers and a microprogram control store.

Some other representative data processing systems which implement the IBM System/370 Principles of Operation include systems manufactured by Fujitsu and Amdahl Corporation which are considered hardwired execution control systems. In the past, these two companies have accomplished the changes and additions to System/370 without the need for changing the hardwired sequencing. It is done by implementing the new System/370 features by means of simulation programs accessed from main memory 21. Systems provided by Magnuson, National Advanced System, IPL, CDC, and Hitachi provide their changes to System/370 functions by means of microprogramming techniques.

FIGURE 2 shows the System/370 instruction formats utilized in practicing the present invention. The RRE format includes a 16-bit OP code and provides addressability to a first general register (R1) and to a second general register (R2). The S format instruction includes a 16-bit OP code, addressability to one of the general registers (B2) specifying a base address to which the 12-bit displacement field (D2) is added to obtain an operand, and the operation specified by the OP code utilizes an implied operand. The SS format includes an 8-bit OP code, two 4-bit fields specifying one general register (R1) and another general register (R3). The operation specified by the OP code will involve the two general registers and two operands addressed in main memory utilizing two displacement fields (D1 and D2) added to base address values contained in associated general registers (B1 and B2).

FIGURE 3 and FIGURE 4 depict the 16 control registers (CR0-15) and the program status word (PSW), respectively, defined in the IBM System/370 Principles of Operation. The control bits or control fields of the CR's not necessary for understanding the present invention have not been shown in FIGURE 3. Of the control bits and fields shown in FIGURE 3, the information in CR1 has been previously defined for IBM System/370 systems. CR1 provides the address of the origin in main memory, and the length of, a segment table used by a program for implementing the dynamic address translation (DAT) facility for translating virtual or logical addresses to real main memory addresses.

CR1 represents a first addressing control register for storing the main memory address of a particular address translation table. In accordance with the present invention, a second address control register for storing the main memory address of another address translation table is implemented in CR7. There is thus created a primary segment table and a secondary segment table for purposes of virtual to real address translation. Each of the segment tables identified by CR1 and CR7 is associated with an address space number (ASN). The ASN is a 16-bit symbolic identifier of an address space currently defined and connected to the system in accordance with control techniques provided by a supervisor program. An address space is a consecutive sequence of numbers and a specific transformation mechanism which allows each number to be associated with a byte location in main memory. A Primary 16-bit ASN (PASN) associated with the primary segment table origin (PSTO) in CR1 is contained in CR4, bits 16-31. The secondary address space number (SASN) is contained in bit positions 16-31 of CR3 and is associated with the secondary segment table origin (SSTO) in CR7.

A supervisor program must still establish, for any particular address space, an appropriate segment table for address translation. When a secondary segment table has been established for an address space, the supervisor will set the CR0 bit position 5 to a binary 1 indicating that other program instruction operations to be described can utilize an established secondary ASN.

Also under supervisor control is the entry of information into CR14 relative to providing dual address spaces. Bit 12 of CR14 will be set by the supervisor to indicate that certain other program instructions can attempt to establish access to an address space other than that specified by the primary ASN and primary segment table. Whenever a program instruction operation results in the attempt to load a new ASN into either CR3 or CR4, an ASN translation mechanism must be invoked. The result of the ASN translation will be to identify the segment table origin (STO) for the ASN which is being loaded into CR3 or CR4. The translation process will be more thoroughly described but includes a first entry into a system control table identified as the ASN-first-table, and the origin (AFTO) of this table in main memory is specified in bit positions 20-31 of CR14.

Bit position 16 of the PSW shown in FIGURE 4 has been newly defined. When set to binary 0, all logical or virtual addresses utilized in the data processing system will be translated utilizing the primary ASN segment table. When bit 16 is binary 1, address translation takes place utilizing the secondary ASN segment table. Completing discussion of the PSW in connection with the present invention, the only other fields to be discussed concern the previously defined PSW-key field in bit positions 8-11 which define the storage protect key for the program currently being executed in the system, and the instruction address portion which is manipulated to execute program instructions in a specified sequence.

In accordance with the present invention, one further authority control provided is that represented by bit position 4 of CR0. Prior to the present invention, there were two classes of programs identified by the P bit 15 of the PSW, specifying either a problem program state or a supervisor program state. Any manipulation of the PSW or control data in the CR's had to be done by a supervisor program and only when the PSW indicated that the system was in the supervisor program state. The present invention provides certain manipulation capabilities to programs in the problem program state. This state is known as a "semiprivileged state" and is indicated when bit position 4 of CR0 is a binary 1.

As part of address space management, each program being executed in the system is provided with a supervisor program created authorization index (AX) which is stored in bit positions 0-15 of CR4. Any program executing in the system which attempts to establish addressability to an address space other than its own address space, by attempting to store an ASN in either CR3 or CR4, will be authorized to establish the addressability if the AX used for entry into an authorization table indicates that use of the ASN is authorized. This process will be further described.

As part of the program linkage or calling process, programs executing in the system which attempt to call another program will utilize a program identification code (PC) of the called program to address an entry in a linkage table. The main memory address origin of the linkage table (LTO), and its length, is stored in CR5.

A final feature of the present invention relates to allowing problem programs, when the system is in the problem program state, to utilize coded storage protect key values other than the coded storage protect key assigned in bit positions 8-11 of the PSW. Storage of a key mask (KM) is provided in CR3 bit positions 0-15. The PSW key mask provides for levels of control for the access key at entry points made available to a particular program running in the problem state. Bits 0-15 in CR3 correspond to key values 0-15, respectively, which can be expressed by the 4-bit coded storage protect key values. If the mask bit associated with a specified key is 1, then the operation desiring use of a key other than that specified in the PSW is allowed. Also, during the process of calling another program, the key mask in CR3 will be compared with a key mask associated with the called program to determine whether or not the calling program has authority to call the called program without invoking supervisor control.

FIGURE 5 depicts the entry format in each of a number of new system control tables utilized in practicing the present invention. When a calling program has identified a called program, the identification of the called program (PC number) is combined with the linkage table origin value in CR5 to obtain entry into a linkage table (LT). The LT entry 34 includes the main memory address of the origin of an entry table (ET) specified in bit positions 8-25. The ET length is in bit positions 26-31. A further portion of the PC number is combined with the entry table origin (ETO) to provide an index to the ET to obtain an entry 35 comprised of an 8-byte entry. The ET entry 35 includes an authority key mask (AKM) in bit positions 0-15, and an entry address space number (EASN) in bit positions 16-31 which specifies the address space number assigned to the called program. The first instruction of the called program will be accessed from the entry instruction address (EIA) in bit positions 40-62 which will be inserted into the corresponding field of the PSW. Bit position 63 is the P bit also inserted in the PSW to specify either problem or supervisor state. Various parameters to be utilized by the called program will be stored in general registers and are contained in bit positions 64-95. The key mask to be associated with the called program is found in the entry key mask (EKM) in bit positions 96-111.

As part of any attempt to load a new address space number (ASN) into address control registers CR3 or CR4, an ASN translation process is effected. A first table origin (AFTO) is specified in CR14 and a first part of the ASN is utilized as an entry into that table to obtain an ASN first table entry (ASTE) 36 which, in bit positions 8-27 specifies the main memory address of an ASN second table origin (ASTO) which enters into the translation process. The origin of the ASN second table is combined with a further portion of the ASN number to provide an index to an 8-byte ASN second table entry 37. The AST entry 37 includes, in bit positions 8-29, the main memory address of the origin of an authority table (ATO). For the new ASN to be established in the CR's, bit positions 32-47 contain a new authority index (AX). Positions 48-59 indicate the length of the authority table identified in the ATO. Associated with the new ASN being established is a segment table description (STD) which provides for identifying the length of a segment table in bit positions 64-71 (STL) and the main memory address of the origin of the segment table associated with the ASN in bit positions 72-89 (STO). The linkage table description (LTD) to be inserted in CR5 as part of a change of program control includes, in bit positions 104-120, the main memory address of a new linkage table origin (LTO) and the length (LTL) in bit positions 121-127 of the linkage table.

As part of the ASN translation process for establishing addressability to a new ASN, the authority index (AX) in CR4 of the program currently being executed is used to access an authority table (AT) entry 38, the main memory address of which is specified in the ATO of the ASN second table entry 37. The AX accesses a 2-bit field from the authority table. The binary 0 or 1 state of a P bit or a S bit specify whether or not the ASN being established can be made either a primary (P) or secondary (S) address space.

FIGURE 6 is a data flow and logic diagram explaining the process of ASN translation which must be accomplished in certain cases when program instructions cause a new ASN to be inserted in the control registers. Three new instructions, as part of the System/370 instruction set, may cause the ASN translation process to be invoked. The new instructions are program call (PC), program transfer (PT), and set secondary ASN (SSAR). All three of these instructions, which may be accessed from a program operating in a primary address space, may specify an ASN to be loaded which is equal to the primary ASN presently effective. If this is the situation, the three instructions are identified as being "current primary" (cp) instructions. If the ASN being loaded as a result of the instruction execution is different from the current primary ASN, a "space switching" (ss) execution is effected causing the ASN translation process to be invoked.

During execution of the PC instruction, the called program, identified by its PC number, may reside in another address space. This will be determined by a PC translation process to be described subsequently.
Prior to the execution of PT or SSAR, information to be utilized during the execution of these instructions will have been loaded into designated ones of the general registers which will be identified and addressed by the R1 and/or R2 fields of these instructions.

In FIGURE 6, the PT instruction is shown at 39 and the information contained in general registers identified by R1 and R2 is shown at 40 and 41. The SSAR instruction is shown at 42 and the information contained in general register R1 is shown at 43. The new ASN which may or may not require translation is also shown at 44.
During the explanation of the data and logic flow shown in FIGURE 6, previous references to system control table entries are shown with the same numerals utilized in FIGURE 5.

ASN translation is the process of translating the 16-bit ASN to locate address-space control parameters. ASN translation is performed as part of Program Call with space switching (PC-ss), Program Transfer with space switching (PT-ss), and Set Secondary ASN with space switching (SSAR-ss). For PC-ss and PT-ss, the ASN which is translated replaces the primary ASN in CR4. For SSAR-ss, the ASN which is translated replaces the secondary ASN in CR3. These two translation processes are called primary ASN translation and secondary ASN translation, respectively. The ASN translation process is the same for both primary and secondary ASN translation; only the results of the process are used differently.

The ASN translation process uses two system control tables stored in main memory 21, the ASN first table (AFT) 45 and the ASN second table (AST) 46. They are used to locate the address-space-control parameters, and a third table, the authority table (AT) 47, which is used in PT-ss and SSAR-ss to perform an authorization test.

For the purposes of translation, the 16-bit ASN shown at 44 is considered to consist of two parts: the ASN-first-table index (AFX) comprises the high-order 10 bits of the ASN, and the ASN-second-table index (ASX) comprises the six low-order bits.

The AFX portion of the ASN shown at 44 is used at 48 to select an AFT entry 36 that designates the AST 46 to be used for the second lookup. The 31-bit real address of the AFT 45 is obtained by appending 12 low-order zeros to the AFT origin contained in bit positions 13-31 of CR14. The address of the AFT entry is obtained by appending two low-order zeros and 19 high-order zeros to the AFX and adding this 31-bit value to the real address of the AFT, ignoring any carry into bit position 0. All four bytes of the ASN-first-table entry are fetched concurrently. The fetch access is not subject to protection. Bit 0 of the four-byte AFT entry specifies whether the corresponding AST is available.

The ASX portion of the ASN shown at 44, in conjunction with the ASN-second-table origin (ASTO) derived from the AFT entry 36, is used at 49 to select an entry 37 from the AST 46. Bits 1-27 of the AFT entry 36, with four low-order zeros appended, form the 31-bit real address of the AST 46. The address of the AST entry 37 is obtained by appending four low-order zeros and 21 high-order zeros to the ASX and adding this 31-bit value to the real address of the AST, ignoring any carry into bit position 0.

The 16 bytes of the AST entry 37 are fetched left to right, a doubleword at a time. The fetch access is not subject to protection. Bit 0 of the 16-byte AST entry 37 specifies whether the address space is accessible. If this bit is one, an ASX-translation exception is recognized, and the operation is nullified.

ASN authorization is the process of testing whether the program associated with the current authorization index (AX) in CR4 is permitted to obtain addressability to a particular address space. The ASN authorization is performed as part of PT-ss and SSAR-ss. ASN authorization is performed after the ASN translation process for these two instructions.

When performed as part of PT-ss, the ASN authorization checks whether the ASN can be loaded into CR4 as the primary ASN, and is called primary-ASN authorization. When performed as part of SSAR-ss, the ASN authorization checks whether the ASN can be loaded into CR3 as the secondary ASN and is called secondary-ASN authorization.

The ASN authorization is performed by means of the authority table 47 which is designated by the authority-table-origin (ATO) and authority-table-length (AL) fields in the AST entry 37.

The authority table 47 consists of a plurality of entries 38 of two bits each. The left bit (P) of an authority table entry 38 controls whether the program with the AX corresponding to the entry is permitted to load the address space as a primary address space using PT. If the P bit is one, the access is permitted.
If the P bit is zero, the access is not permitted; a primary authority exception is recognized and the operation is nullified.

The right bit (S) of an authority table entry 38 controls whether the program with the corresponding AX is permitted to load the address space as a secondary address space using SSAR-ss. If the S bit is one, the access is permitted. If the S bit is zero, the access is not permitted; a secondary authority exception is recognized, and the operation is nullified.

The ASN authorization process is performed by using the AX currently in CR4 shown at 50, in conjunction with the authority table origin and length from the AST entry 37 to select at 51 an authority table entry 38. The entry is fetched, and either the primary or secondary authority bit is examined, depending on whether the primary or secondary authorization process is being performed. An AX value greater than the table length (AL) signals an error 52.

Bit positions 8-29 of the AST entry 37 contain the real address of the authority table 47 that controls access authority to the address space, and bit positions 48-59 contain the length of the table (AL).

As part of the authority-table-entry-lookup process, bits 0-11 of the AX are compared against the AL. If the compared portion is greater, then an authority exception (primary for PT-ss and secondary for SSAR-ss) is recognized, and the operation is nullified.

The address of a byte in the AT 47 is obtained by appending 10 high-order zeros to the 14 high-order bits of the AX obtained from bit positions 0-13 of CR4 and adding this value to the authority table origin obtained from the AST entry 37, with two low-order zeros appended.
A carry, if any, into bit position 0 is ignored. If the real address thus generated designates a location which is not provided, an addressing exception is recognized, and the operation is suppressed. Protection does not apply to this access.

The byte contains four authority table entries 38 of two bits each. The low-order two bits of the authorization index, bits 14 and 15 of CR4, are used to select one of the four entries. The left or right bit of the entry is then tested, depending on whether the authorization test is for a primary ASN (PT-ss) or a secondary ASN (SSAR-ss). If the selected bit is one, the ASN translation is authorized, and the appropriate address-space-control parameters from the AST entry 37 are loaded into the appropriate control registers. If the selected bit is zero, the ASN translation is not authorized, and a primary authority exception or secondary authority exception is recognized for PT-ss or SSAR-ss, respectively.
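The authority-table test described above, modelled in C over a small simulated real storage. This is an added example, not part of the patent text: the function names, status names and sample table contents are constructed for illustration, and it assumes that the four entries in an authority-table byte are numbered left to right.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum asn_use { ASN_PRIMARY, ASN_SECONDARY };       /* PT-ss, SSAR-ss */
enum asn_result {
    ASN_AUTHORIZED = 0,
    ASX_TRANSLATION_EXCEPTION,
    PRIMARY_AUTHORITY_EXCEPTION,
    SECONDARY_AUTHORITY_EXCEPTION,
    ADDRESSING_EXCEPTION
};

/* Big-endian 32-bit load from the simulated real storage. */
static uint32_t load32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Test whether the program holding `ax` (current CR4 bits 0-15) may load the
 * address space described by the 16-byte AST entry at `aste_addr`. */
enum asn_result asn_authorize(const uint8_t *storage, size_t len,
                              uint32_t aste_addr, uint16_t ax,
                              enum asn_use use)
{
    enum asn_result denied = (use == ASN_PRIMARY)
        ? PRIMARY_AUTHORITY_EXCEPTION : SECONDARY_AUTHORITY_EXCEPTION;

    if (len < 16 || aste_addr > len - 16)
        return ADDRESSING_EXCEPTION;
    uint32_t w0 = load32(storage + aste_addr);      /* entry bits 0-31  */
    uint32_t w1 = load32(storage + aste_addr + 4);  /* entry bits 32-63 */

    if (w0 & 0x80000000u)                 /* bit 0 = 1: space not accessible */
        return ASX_TRANSLATION_EXCEPTION;

    uint32_t ato = w0 & 0x00FFFFFCu;      /* bits 8-29, two zeros appended */
    uint32_t al  = (w1 >> 4) & 0xFFFu;    /* bits 48-59 */

    /* Length check: bits 0-11 of the AX (its 12 high-order bits) vs. AL. */
    if ((uint32_t)(ax >> 4) > al)
        return denied;

    /* The 14 high-order AX bits select the byte, the low 2 bits the entry. */
    uint32_t byte_addr = ato + (uint32_t)(ax >> 2);
    if (byte_addr >= len)                 /* location not provided */
        return ADDRESSING_EXCEPTION;
    unsigned slot  = ax & 3u;
    unsigned entry = (storage[byte_addr] >> (6u - 2u * slot)) & 3u;

    /* Left bit is P (primary, PT-ss); right bit is S (secondary, SSAR-ss). */
    unsigned bit = (use == ASN_PRIMARY) ? (entry >> 1) : (entry & 1u);
    return bit ? ASN_AUTHORIZED : denied;
}

/* Constructed sample: AST entry at 0x100 pointing at an authority table at
 * 0x200 with AL = 1 (AX values 0-31 are within the table). */
enum asn_result sample_authorize(uint16_t ax, enum asn_use use, int mark_invalid)
{
    uint8_t storage[1024];
    memset(storage, 0, sizeof storage);
    storage[0x102] = 0x02;   /* word 0 = 0x00000200: bit 0 = 0, ATO = 0x200 */
    storage[0x107] = 0x10;   /* word 1 = 0x00000010: AL = 1 */
    storage[0x201] = 0x34;   /* AX 4: P=0 S=0, AX 5: P=1 S=1,
                                AX 6: P=0 S=1, AX 7: P=0 S=0 */
    if (mark_invalid)
        storage[0x100] |= 0x80;
    return asn_authorize(storage, sizeof storage, 0x100, ax, use);
}

int main(void)
{
    printf("AX 5 primary   -> %d\n", sample_authorize(5, ASN_PRIMARY, 0));
    printf("AX 6 primary   -> %d\n", sample_authorize(6, ASN_PRIMARY, 0));
    printf("AX 6 secondary -> %d\n", sample_authorize(6, ASN_SECONDARY, 0));
    printf("AX 32 primary  -> %d\n", sample_authorize(32, ASN_PRIMARY, 0));
    return 0;
}
```

An AX that is inside the table but whose P and S bits are both zero is refused the same way as an AX beyond the table length, so an unpopulated entry denies by default.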

Some additional logic decisions are made in FIGURE 6, not previously referred to. During a PT instruction execution, the ASN shown at 40 is compared with the primary ASN currently in CR4, and the decision shown at 53 is made indicating whether or not the ASN to be loaded equals the current primary ASN. If yes (Y), there is no requirement for ASN translation. If the primary ASN does not equal the ASN being loaded, the new ASN shown at 40 will be stored into CR4 to become the new primary ASN.

During a SSAR instruction execution, the decision shown at 54 is made. Here again, the ASN to be loaded into CR3 to become the secondary ASN is compared with the current primary ASN and if equal, an SSAR-cp is indicated showing that the current primary ASN and secondary ASN are the same, and again indicating that no ASN translation is required. An inequality indicates SSAR-ss and will cause the ASN translation to take place.
When an SSAR-cp is performed, the primary segment table description in CR1 is transferred at 55 to CR7 to become the secondary segment table description.

During a PT-ss or PC-ss, the linkage table descriptor (LTD) of the AST entry 37 is transferred at 56 to CR5. The segment table descriptor (STD) is transferred to CR1 at 57. For any PT instruction, the primary segment table descriptor in CR1 is transferred at 58 to CR7 to become the secondary segment table descriptor.
A new AX is transferred at 59 to CR4.

If an SSAR-ss is being executed, the STD is transferred at 60 to CR7 to become the new secondary segment table descriptor.

To be more completely described subsequently, FIGURE 6 shows that during any PT instruction execution, the ASN shown at 40 is transferred at 61 to CR3 to become the secondary ASN. A logical AND combination shown at 62 is performed on the key mask contained in R1 and the key mask presently stored in CR3. This recreates the key mask associated with the program being returned to by PT. Further, the contents of general register R2 are transferred back to the PSW restoring the P-bit, and the instruction address. During a PT instruction execution, an error or an exception condition is recognized if execution of the PT instruction attempts to change the P-bit from one to zero, this being an indication that an attempt had been made to change the program state from problem to supervisor.

FIGURE 7 represents the overall data flow and logic diagram involved in translating a symbolic program number to proper table entries for providing the initial instruction address for a called program.
Represented at 63 is the Program Call (PC) instruction, the format of which includes the designation of a general register by a B field and a displacement field D. The general register addressed by the B field contains a base address to which the displacement field D is added in the normal creation of an effective address. Instead of using the sum as an address, the low-order 20 bits represent a PC number shown at 64.

In FIGURE 7, the designation CR "before" and CR "after" is used. The designation CR "before" relates to information contained in the control register for the current address space and current program which is the calling program. The contents of a control register "after" represent information associated with the called program.

A number of transfers between registers and other control registers or general registers occur for all PC instruction executions. One of the first logic decisions made during the execution of the PC instruction is shown at 65 and involves the determination of whether or not the ASN of the called program equals zero. If the ASN of the called program equals zero, this indicates at 66 that the called program is within the current primary address space and therefore no ASN translation is required. If the ASN associated with the called program is other than a zero, a program call with space switch (PC-ss) is indicated at 67 and the new ASN is transferred into CR4 to become the new primary ASN.

During every PC instruction execution, certain information in the PSW represented at 68 is transferred to general register 14 to be saved for use when returning to the calling program. The information saved includes the P-bit and the instruction address.

PC number translation is the process of translating the 20-bit PC number to locate an entry-table entry 35 as part of the execution of the Program Call instruction.
To perform this translation, the 20-bit PC number shown at 64 is divided into two fields. Bits 12-23 are the linkage index (LX), and bits 24-31 are the entry index (EX). The translation is performed by means of two tables: the Linkage Table (LT) 69 and an Entry Table (ET) 70. Both of these system control tables reside in main storage 21. The origin of the LT 69 resides in CR5.
The origin of the entry table 70 (ETO) is designated by means of the LT entry 34.

Bits 8-24 of CR5 with seven zeros appended on the right, form a 24-bit real address that designates the beginning of the LT 69. Bits 25-31 of CR5 designate the length of the LT 69 in units of 128 bytes, thus making the length of the LT variable in multiples of 32 four-byte entries. The length of the LT, in units of 128 bytes, is one more than the value in bit positions 25-31. The LT length is compared against the leftmost seven bits of the linkage-index portion of the PC number to determine whether the linkage index designates an entry within the linkage table.

The LX portion of the PC number is used at 71 to select an LT entry 34. The entry fetched from the LT
designates the availability, origin, and length of the corresponding ET 70.

Bits 8-25 of LT entry 34, with six zeros appended on the right, form a 24-bit real address that designates the beginning of the ET 70. Bits 26-31 of entry 34 designate the length of the ET 70 in units of 64 bytes, thus making the ET variable in multiples of four 16-byte entries. The length of the ET in units of 64 bytes, is one more than the value in bit positions 26-31. The ET length is compared against the leftmost six bits of the entry index EX to determine whether the EX designates an entry within the entry table.
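The two-level PC number lookup and its length checks, as described in the preceding paragraphs, modelled in C. This is an added example, not part of the patent text: the function names, status codes and sample register values are constructed for illustration, and the entry addresses (table origin plus index times entry size) are inferred from the stated four-byte LT entries and 16-byte ET entries.

```c
#include <stdint.h>
#include <stdio.h>

enum pc_status { PC_OK = 0, PC_LX_OUT_OF_RANGE, PC_EX_OUT_OF_RANGE };

/* Extract bits first..last of a 32-bit word using the numbering in the text
 * (bit 0 is the leftmost, most significant bit). */
static uint32_t bits(uint32_t word, unsigned first, unsigned last)
{
    unsigned width = last - first + 1u;
    uint32_t mask = (width >= 32u) ? 0xFFFFFFFFu : ((1u << width) - 1u);
    return (word >> (31u - last)) & mask;
}

/* Stage 1: CR5 and the linkage index (LX) give the address of the LT entry. */
enum pc_status lt_entry_address(uint32_t cr5, uint32_t pc_number, uint32_t *addr)
{
    uint32_t lx  = (pc_number >> 8) & 0xFFFu;  /* bits 12-23 of the address */
    uint32_t lto = bits(cr5, 8, 24) << 7;      /* seven zeros appended */
    uint32_t ltl = bits(cr5, 25, 31);          /* units of 128 bytes, minus 1 */

    if ((lx >> 5) > ltl)                       /* leftmost 7 bits of LX */
        return PC_LX_OUT_OF_RANGE;
    *addr = lto + lx * 4u;                     /* four-byte entries */
    return PC_OK;
}

/* Stage 2: the LT entry and the entry index (EX) give the ET entry address. */
enum pc_status et_entry_address(uint32_t lt_entry, uint32_t pc_number, uint32_t *addr)
{
    uint32_t ex  = pc_number & 0xFFu;          /* bits 24-31 of the address */
    uint32_t eto = bits(lt_entry, 8, 25) << 6; /* six zeros appended */
    uint32_t etl = bits(lt_entry, 26, 31);     /* units of 64 bytes, minus 1 */

    if ((ex >> 2) > etl)                       /* leftmost 6 bits of EX */
        return PC_EX_OUT_OF_RANGE;
    *addr = eto + ex * 16u;                    /* 16-byte entries */
    return PC_OK;
}

/* Constructed sample: the LT starts at 0x012300 and holds 32 entries
 * (length field 0); LT entry 3 points at an ET at 0x024000 holding
 * 12 entries (length field 2). */
#define SAMPLE_CR5      0x00012300u
#define SAMPLE_LT_ADDR  0x0001230Cu
#define SAMPLE_LT_ENTRY 0x00024002u

/* Returns the ET entry address, or the negated pc_status on failure. */
long sample_translate(uint32_t pc_number)
{
    uint32_t lt_addr, et_addr;
    enum pc_status st = lt_entry_address(SAMPLE_CR5, pc_number, &lt_addr);
    if (st != PC_OK)
        return -(long)st;
    /* The sample storage holds one LT entry; every other word reads as 0. */
    uint32_t lt_entry = (lt_addr == SAMPLE_LT_ADDR) ? SAMPLE_LT_ENTRY : 0u;
    st = et_entry_address(lt_entry, pc_number, &et_addr);
    if (st != PC_OK)
        return -(long)st;
    return (long)et_addr;
}

int main(void)
{
    printf("PC 0x00309 -> %ld\n", sample_translate(0x00309u));
    printf("PC 0x0030C -> %ld\n", sample_translate(0x0030Cu));
    printf("PC 0x02000 -> %ld\n", sample_translate(0x02000u));
    return 0;
}
```

Because the length fields count 32-entry and 4-entry blocks, an index is rejected only when it falls in a block beyond the table, which is why the checks compare the leftmost bits of LX and EX rather than the full index.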

The entry 35 fetched from the ET 70 is 16 bytes in length. Bits 0-15 are used to verify whether the program issuing the Program Call instruction, when in the problem state, is authorized to call this entry point. The authorization key mask (AKM) and the current PSW-key mask in CR3 are ANDed at 72, and the result is checked for all zeros. If the result is all zeros, a privileged-operation exception is recognized, and the operation is suppressed. The mask is ignored in the supervisor or privileged program state.

Bits 16-31 specify at 65 whether a PC-ss or PC-cp is to occur. When bits 16-31 are zeros, a PC-cp is specified. When bits 16-31 are not all zeros, a PC-ss is specified, and the bits contain the ASN that replaces the primary ASN.

Bits 40-62, with a zero appended on the right, form the instruction address of the called program which replaces at 73 the instruction address in the PSW as part of the Program Call operation. Bit 63 replaces, at 74, the problem state bit position 15 of the current PSW, as part of the Program Call operation. Bits 64-95 are placed in general register 4 at 75. Bits 96-111 specifying the entry key mask are ORed at 76 into the PSW key mask in CR3 as part of the Program Call operation.

Other transfers that take place during PC instruction execution include the transfer at 77 from the key mask storage in CR3 of the calling program to general register 3 to be saved for subsequent return. Also transferred to GR3 at 78 is the primary ASN in CR4. During any PC instruction execution, the primary segment table descriptor (PSTD) in CR1 is transferred at 79 to CR7 to become the secondary segment table descriptor (SSTD) and the primary ASN in CR4 is transferred at 80 to CR3 to become the secondary ASN. Whether or not the primary segment table descriptor and primary ASN are changed depends on whether or not a PC-ss is signalled at 65 which will initiate an ASN translation in accordance with the data flow and logic shown in FIGURE 6.

FIGURE 8 is a logic and data flow diagram depicting the execution of the new instruction Set Secondary ASN (SSAR). This is one of the new instructions which causes a new ASN to be loaded into one of the address control registers, namely the secondary ASN stored in CR3, and shown at 81. All the remaining designations for tables, entries, data transfer paths, and logic decisions are as previously designated in the discussion of FIGURE 6 with regard to the ASN translation operation.

In summary, the problem program which is executing in the primary address space utilizing the primary segment table descriptor in CR1 executes the SSAR instruction to obtain addressability to data contained in another address space. As indicated previously, each address space has an associated set of address translation tables, and therefore the associated segment table descriptor for the new address space must be stored into CR7 for performing address translation to obtain data in the other address space. CR7 will receive at 55 the primary segment table description if the ASN specified happens to be equal to the primary ASN. Otherwise, if the secondary ASN to be loaded into CR3 is different from the primary ASN, the address translation operation must be performed to obtain the associated segment table descriptor from the ASN second table entry 37, and transferred to CR7 by the path 60. Further, authority checking must be accomplished by effecting access to the authority table 47 to determine whether or not the program executing in the system has authority to establish addressability to the address space as a secondary address space.

FIGURES 9, 10 and 11 depict the operation performed in executing the Program Call (PC) instruction. These figures show the logic and data flow diagram for the PC instruction in particular and are a simplified showing of the diagrams discussed in connection with FIGURES 6 and 7. The numerals for designating various logic functions and data paths used in FIGURES 6 and 7 have been utilized in FIGURES 9, 10 and 11.

As indicated previously, the B2 and D2 fields of the PC instruction shown at 63 are combined by normal address arithmetic to create a PC number shown at 64.
The PC translation process includes access to entry 34 in the linkage table 69 which provides further access to the entry 35 in the entry table 70.

As shown in FIGURE 10, the first decision made, if the program making the program call is in the problem state, is to perform the AND function 72 between the authority key mask in entry 35 and the key mask in CR3 associated with the calling program. An all zero result indicating identity between the two key masks is considered an error condition and a privileged operation interrupt is generated. In the absence of the privileged operation interrupt, the key mask of the calling program in CR3 is replaced in CR3 by the OR combination shown at 76 with the entry key mask from the entry 35. This provides the called program with the ability to use storage protect keys assigned to the called program by the entry key mask (EKM) and the keys authorized for use by the calling program represented by the key mask in CR3. The original version of the key mask in CR3 associated with the calling program is transferred at 77 and saved in general register 3.

The ASN associated with the calling program contained in CR4 is transferred to GR3 for saving when the called program returns to the calling program. Other information saved in GR14 as a result of executing the PC instruction is the P-bit and instruction address of the PSW, represented at 68, associated with the calling program.

The initial instruction address of the called program and the P bit associated with the called program are transferred from the entry 35 to the PSW.

The Program Call may be to a program contained within the address space of the calling program, and if this is so, the ASN value in the entry 35 will equal zero. If so, the secondary ASN and secondary segment table description will be made the same as the primary ASN and associated primary segment table description.

If the ASN number in entry 35 is not equal to zero, then the called program is associated with another address space, indicated at 67, and requires ASN translation shown in FIGURE 11. The ASN translation process in FIGURE 11, as previously discussed in connection with FIGURE 6 and FIGURE 8, will load a new ASN and associated segment table descriptor into the address control registers CR4 and CR1 respectively for use in providing address translations during execution of the called program. The called program will also have an associated linkage table, the origin and length of which is transferred at 56 to CR5. The called program will also have an authorization index (AX) which is loaded at 59 into CR4 to provide control for the ability of the called program to establish addressability to other address spaces.

FIGURE 12 depicts execution of the program transfer (PT) instruction previously discussed in connection with FIGURE 6. The same designations used in FIGURE 6 are utilized in FIGURE 12.

The PT instruction identifies two general registers by the R1 and R2 fields. Prior to execution of the PT instruction, the general registers represented at 40 and 41 will be loaded with the information saved during execution of the PC instruction. This information includes the key mask, address space number, instruction address, and P bit.

One of the first checks made during execution of the PT instruction is to determine whether or not the ASN being returned to and stored in address control registers is equal to the current primary ASN in CR4.
The equality or nonequality is determined at 53, and if equal, all of the information required for doing address translation including the primary segment table descriptor in CR1 will be effective for the program being returned to. Therefore, the primary segment table descriptor in CR1 will be transferred at 58 to CR7 to also be the secondary segment table descriptor.
The ASN of the program being returned to will invariably be stored into the secondary ASN portion of CR3 shown at 61.

The next function shown in FIGURE 12 is to alter the key mask in CR3, which was being used by the called program, to represent the key mask associated with the program being returned to. This is accomplished at 62 by performing the AND function between the key mask in CR3 and the key mask shown at 40 to replace the key mask in CR3.

Returning to a program in an address space having a number different from the present primary ASN, indicated at 53, invokes the ASN translation process previously described in connection with FIGURE 6, and this is shown in FIGURE 13. The ASN translation process uses the new ASN represented at 44 being loaded into the address control registers to provide the sequence of table entries providing access to the ASN first table 45 and the ASN second table 46. The ASN translation process shown in FIGURE 13 thus returns all of the necessary address translation control information required including the primary segment table descriptor to CR1 and CR7, the authorization index to CR4, and the linkage table descriptor to CR5.

The authority table 47 must be accessed during the PT instruction execution to insure that the program which is attempting to return to the present program has authority to return to this program in this particular address space.

FIGURE 14 is a table summarizing all of the authorization techniques implemented in the present invention. Also shown are a number of new System/370 instructions which utilize the authorization mechanism in various ways. The prior description has discussed the use of the subsystem linkage control in bit 0 of CR5, ASN translation control in bit 12 of CR14, and use of the authorization index in bits 0-15 of CR4.
These mechanisms have been discussed in connection with the new instructions:

Program Call (PC)
Program Transfer (PT)
Set Secondary ASN (SSAR)

Execution of these new instructions has shown the ability of a program executing in the system to establish addressability to data in two different address spaces with associated address translation tables. Having established addressability to data in two different address spaces, concern must be given to providing a problem program executing in the system with knowledge of the coded storage protect key associated with addressed data in main memory which may physically be stored in two different blocks of main memory having two different storage protect keys. Prior to the present invention, any instruction executing in the system at a particular time was only able to utilize the PSW storage protect key previously assigned by the supervisor.

Manipulation of storage protect keys has, prior to this time, been under strict control of the supervisor. The instructions shown in FIGURE 14 which utilize the PSW key mask authorization mechanism and extraction authority control mechanism are:

Insert PSW Key (IPK)
Insert Virtual Storage Key (IVSK)
Move to Primary (MVCP)
Move to Secondary (MVCS)
Move With Key (MVCK)
Set PSW Key From Address (SPKA)

The IPK and SPKA instructions have been previously defined in System/370. When authorized by bit 4 of CR0, the IPK instruction can, in problem state, cause the PSW key in the current PSW to be inserted in bit positions 24-27 of general register 2. The SPKA instruction causes the 4-bit PSW key to be replaced by bits 24-27 of an operand addressed from memory. The execution of SPKA is subject to control by the PSW key mask in CR3. When the bit in the PSW key mask corresponding to the PSW key value to be set is 1, the corresponding instruction is executed normally. Otherwise, a privileged-operation exception is recognized.

The IVSK instruction is a new instruction in the RRE format, the execution of which causes the coded storage protect key associated with the physical block addressed by the contents of the general register designated by the R2 field to be inserted in the general register designated by the R1 field. In the problem state, the extraction authority control bit 4 in CR0 must be 1. The block address is a virtual address and is subject to the address space selection bit 16 of the current PSW. The binary state of bit 16 determines whether the virtual address is translated utilizing the primary segment table descriptor or the secondary segment table descriptor.

Providing a problem program executing in the system with the ability to determine the coded storage protect key associated with a particular physical block of main memory and insert that key in a general register, and providing the ability to change the PSW key will provide the problem program with the ability to move data between physical blocks of main memory having different coded storage protect keys.

The MVCP and MVCS instructions are in the SS format. The first operand is replaced by the second operand. One operand is in the primary space, and the other is in the secondary space. The accesses to the operand in the primary space are performed using the PSW key, and the accesses to the operand in the secondary space are performed using the key specified in the third operand.

The addresses of the operands are virtual, one operand address being translated by the means of the primary segment table description in CR1 and the other by means of the secondary segment table description in CR7. Since the secondary space is accessed, movement is performed only when the secondary space control bit 5 of CR0 is 1. For MVCP, movement is to the primary space from the secondary space with the first operand address being translated using the primary segment table, and the second operand address is translated using the secondary segment table.

For MVCS, movement is to the secondary space from the primary space with the first operand address being translated using the secondary segment table and the second operand address is translated using the primary segment table.

Bit positions 24-27 of the general register specified by the R3 field are used as the secondary space access key. In the problem state, movement is performed only if the secondary space access key is valid. The secondary space access key is valid only if the corresponding PSW key mask bit in CR3 is 1. Otherwise, a privileged operation exception is recognized. The contents of the general register specified by the R1 field are a 32-bit unsigned value specifying the number of bytes to be transferred.

The MVCK instruction is an SS format instruction. The first operand is replaced by the second operand. The fetch accesses to the second operand location are performed using the storage protect key specified in the third operand, and the store accesses to the first operand locations are performed using the PSW key. Bit positions 24-27 of the general register specified by the R3 field are used as the source access key. In the problem state, movement is performed only if the source access key is valid. The source access key is valid only if the corresponding PSW key mask bit in CR3 is 1. Otherwise, a privileged operation exception is recognized. The contents of the general register specified by the R1 field are a 32-bit unsigned value indicating the number of bytes to be transferred.
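The key-mask checks described above for IVSK, SPKA and MVCK can be followed in a small C model, added here as an illustration and not taken from the patent or from any IBM implementation. The structure and function names, the status codes, the 8-byte blocks, the mask bit order (bit k counted from the left stands for key k) and the rule that an access succeeds only when the access key equals the block's storage key are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status codes of this model; the names are this example's own. */
enum { DONE = 0, PRIVILEGED_OPERATION = 1, KEY_MISMATCH = 2 };

typedef struct {
    int      problem_state;        /* PSW problem program bit, 1 = problem state */
    int      extraction_authority; /* CR0 bit 4 */
    uint8_t  psw_key;              /* 4-bit PSW key */
    uint16_t key_mask;             /* PSW key mask from CR3, one bit per key */
} cpu_t;

typedef struct {
    uint8_t storage_key;           /* coded storage protect key of the block */
    uint8_t data[8];
} block_t;

/* Assumption: the mask bit for key k is bit k counted from the left. */
static uint16_t mask_bit(uint8_t key)
{
    return (uint16_t)(0x8000u >> (key & 0x0F));
}

/* The key mask restricts only problem-state programs. */
static int key_authorized(const cpu_t *c, uint8_t key)
{
    return !c->problem_state || (c->key_mask & mask_bit(key)) != 0;
}

/* IVSK: copy a block's storage key into a register (extraction authority). */
int ivsk(const cpu_t *c, const block_t *b, uint8_t *reg)
{
    if (c->problem_state && !c->extraction_authority)
        return PRIVILEGED_OPERATION;
    *reg = b->storage_key;
    return DONE;
}

/* SPKA: replace the PSW key if the key mask allows the new value. */
int spka(cpu_t *c, uint8_t new_key)
{
    if (!key_authorized(c, new_key))
        return PRIVILEGED_OPERATION;
    c->psw_key = new_key & 0x0F;
    return DONE;
}

/* MVCK: fetch the source with source_key, store the target with the PSW key.
 * Simplification: an access succeeds only when access key == storage key. */
int mvck(const cpu_t *c, block_t *dst, const block_t *src, size_t len,
         uint8_t source_key)
{
    if (!key_authorized(c, source_key))
        return PRIVILEGED_OPERATION;
    if (src->storage_key != (source_key & 0x0F) || dst->storage_key != c->psw_key)
        return KEY_MISMATCH;
    if (len > sizeof dst->data)
        len = sizeof dst->data;    /* the model's blocks are 8 bytes */
    memcpy(dst->data, src->data, len);
    return DONE;
}

/* Constructed scenario: a problem program with PSW key 8 reads the key of a
 * key-9 block with IVSK, then copies that block into its own key-8 block. */
int try_cross_key_move(uint16_t key_mask, int extraction_authority)
{
    cpu_t cpu = { 1, extraction_authority, 8, key_mask };
    block_t src = { 9, "PAYROLL" };
    block_t dst = { 8, { 0 } };
    uint8_t key = 0;
    int rc = ivsk(&cpu, &src, &key);
    if (rc == DONE)
        rc = mvck(&cpu, &dst, &src, sizeof src.data, key);
    if (rc == DONE && memcmp(dst.data, src.data, sizeof src.data) != 0)
        return -1;
    return rc;
}

/* Constructed scenario: PSW key after a problem program issues SPKA. */
int psw_key_after_spka(uint16_t key_mask, uint8_t new_key)
{
    cpu_t cpu = { 1, 1, 8, key_mask };
    spka(&cpu, new_key);
    return cpu.psw_key;
}

int main(void)
{
    printf("mask 0x00C0 (keys 8,9):  rc=%d\n", try_cross_key_move(0x00C0, 1));
    printf("mask 0x0080 (key 8):     rc=%d\n", try_cross_key_move(0x0080, 1));
    printf("no extraction authority: rc=%d\n", try_cross_key_move(0x00C0, 0));
    printf("SPKA to 9, key 8 only:   key=%d\n", psw_key_after_spka(0x0080, 9));
    return 0;
}
```

Knowing a block's key through IVSK is not enough in this model: the move succeeds only when the supervisor has also set the matching key mask bit.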

As mentioned before, the present definition of the System/370 is such that only a supervisor program, when the system is in a supervisor program state, is capable of manipulating the control register information or PSW information. Three additional instructions shown in FIGURE 14, provided with the semi-privileged state indicated by bit 4 of CR0 are:

Extract Primary ASN (EPAR)
Extract Secondary ASN (ESAR)
Insert Address Space Control (IAC)

The EPAR and ESAR instructions are in the RRE format. When in the problem state, and subject to bit 4 of CR0 being a binary 1, the 16-bit primary ASN in bits 16-31 of CR4 or the 16-bit secondary ASN in bits 16-31 of CR3 are placed in bit position 16-31 of the general register designated by the R1 field.

An instruction shown in FIGURE 14 not previously identified is Set Address Space Control (SAC) which is the complementary instruction to IAC. Utilizing these two instructions, a problem program executing in the system can cause the binary state of PSW bit 16 to be controlled. When bit 16 is zero, all virtual addresses are translated utilizing the primary segment table identified in CR1. When bit 16 is a binary 1, only data addresses are translated utilizing the secondary segment table identified in CR7. Since instruction addresses are considered virtual and subject to address translation, a problem program switching between use of the primary or secondary segment tables, without being able to separate data and instruction address translation, must ensure that the instruction addresses being translated by the secondary segment table translate to the same physical main memory location as would have occurred if utilizing the primary segment table.

FIGURE 15 is a schematic representation of main memory 21 showing a number of problem programs, data, and system control tables previously identified. The interaction between the various tables, control registers, and general registers is shown with a number of examples.

A supervisor program would have established a number of address space numbers and two have been shown in FIGURE 15 represented by ASN 1 and ASN 9. ASN 1 is considered the primary ASN and therefore CR1 provides the main memory address of the origin of the address translation segment table (ST) and associated page table (PT) which respond to virtual addresses shown at 82 in accordance with previously defined dynamic address translation procedures in System/370. It is assumed that the presently executing program in the system is program P1 which at 83 issues a PC instruction identifying program P2. CR5 indicates the origin of the linkage table (LT) associated with P1. The PC translation process defined in FIGURE 7 is invoked. As shown, the program being called is program P2. The LT entry obtained utilizing the LX portion of the PC number will provide the origin 84 of the entry table (ET) of program P2. The ET entry will provide the instruction address 85 of the first instruction to be executed in program P2. Further, as depicted in FIGURE 15, the ASN in the ET entry obtained will be equal to 0 indicating that the called program P2 is in the same address space as the calling program P1. Therefore, no ASN translation process will be required.

At 86, it is assumed that P2 desires to return control to program P1. The instruction address and other information saved during execution of PC at 83 will be returned to control by execution of the PT instruction issued at 86. Again, no ASN translation will be required.

As program P1 continues to execute, 87 reflects the execution of the instruction SSAR identifying ASN 9. Execution of SSAR requires utilization of the first part of the ASN number to provide access into the ASN first table (AFT) which provides the main memory address 88 of the origin of the ASN in the second table (AST) associated with ASN 9. The AST entry includes the origin 89 of the authority table (AT) which is accessed utilizing the authorization index in CR4 associated with ASN 1. If the establishment of a secondary address space is authorized, the AST entry of the secondary segment table descriptor is transferred at 90 to CR7 to provide the main memory address 91 of the origin of the segment table associated with ASN 9.

Instruction execution can continue in program P1 and include the new instructions which can obtain the storage protect key associated with data in ASN 9, which keys can be inserted in a general register. At this point, instructions in program P1 can cause data transfers shown at 92 to be effected between the primary address space ASN 1 and the secondary address space ASN 9.

FIGURE 16 depicts the interaction of system control tables, control registers, and general registers during the execution by problem program P1 of a program call (PC) instruction shown at 93. Depicted is a call to program P3. The PC translation process will utilize the first part of the PC number to address the linkage table (LT) associated with P1. The main memory address 94 of the LT entry points to the entry table (ET) associated with P3. The instruction address shown at 95, associated with program P1, will be transferred to GR14, and the ASN 1 designation in CR4 will be transferred to GR3 and CR3 to become the secondary ASN. The ET entry associated with program P3 will be read out and its contents transferred to various registers. The initial instruction address for program P3 will be transferred at 96 to the instruction address register portion of the PSW. In view of the fact that the PC translation has caused entry into a program in an address space different from ASN 1, the ET entry ASN, when compared with the primary ASN originally in CR4, will indicate the need for ASN translation. The ASN number will be transferred at 97 to become the primary ASN in CR4. The first part of the ASN number will be used to provide an address 98 into the ASN first table, which in turn provides an address 99 to the origin of the ASN second table (AST) where the accessed entry will be read out at 100 to store the associated segment table origin value in CR1 and the authorization index (AX) value into CR4.

As a result, the PC instruction 93 has caused a transfer of program control to a program in an address space different from ASN 1. As a result, a new primary ASN and associated primary segment table descriptor has been provided for the indicated control registers.

FIGURE 17 shows the interaction when program P3 in ASN 9 returns control to program P1 in ASN 1. Prior to executing the PT instruction, GR2 will have been loaded with the instruction address previously saved in GR14 in response to the PC instruction. The ASN 1 value previously saved in GR3 in response to the PC instruction will have been stored in GR1. In response to execution of the PT instruction, the ASN in GR1 is utilized at 101 and 102 to initiate the previously described ASN translation process which includes access to the authority table (AT) utilizing the authorization index in CR4 associated with program P3. Assuming authorization, the ASN translation process completes whereby CR4 receives a new AX, CR1 receives the primary segment table descriptor associated with ASN 1, and CR7 receives the same segment table descriptor thereby making the primary ASN and secondary ASN the same. The previously saved instruction address for program P1 is inserted into the instruction address portion of the PSW and execution of instructions in program P1 is resumed in ASN 1.

There has thus been shown increased capability and flexibility for an IBM System/370 data processing system which maintains program and data integrity by using storage protect mask bits, establishing a new program mode called semi-privileged for allowing manipulation of PSW and control register information, providing authorization checking for determining the ability of a problem program to establish addressability to data in another address space, providing addressability to more than one address space with associated address translation tables, and providing the ability to execute instructions utilizing coded storage protect keys other than that provided in the PSW by a supervisor. All of these capabilities are provided to relieve the programming overhead of a supervisor program.

While the invention has been particularly shown and described with references to preferred embodiments thereof, it will be understood by those skilled in the art that the foregoing and other changes in form and details may be made therein without departing from the spirit and scope of the invention.

Claims (8)

The embodiments of the invention in which an exclusive property or privilege is claimed are defined as follows:

1. In a multiprogramming data processing system including (1) a main memory comprised of physical, addressable blocks having associated addressable coded storage protect keys providing access control to the associated physical block, the main memory adaptable for storing information including data, problem programs, supervisor programs, and system control tables, and (2) processor means for extracting and decoding series of program instructions from the main memory and for performing the operations required including the accessing of physical addressable blocks in the main memory for transfer of information between the processor and main memory, the processor including a program status word (PSW) including a plurality of control bits including a problem program bit, the binary state of which signifies a problem or supervisor program state, control fields including a coded PSW protect key field to be compared with the coded storage protect key of a physical block to be accessed in main memory, and an instruction address value indicating the location of the next program instruction to be extracted, the improvement comprising:

key-mask storage comprised of a plurality of binary key-mask bits, each corresponding to a different one of the permutations of the coded storage protect keys, and each having a first or second binary state,

key authorization checking means, operative when the PSW problem program bit indicates the processor is in the problem program state, including checking initiating signalling means indicating a requirement of a problem program operation to obtain authority for the use of at least one coded storage protect key different from the PSW protect key, and inhibit means, connected to said key-mask bit in said key-mask storage corresponding to said at least one coded storage protect key, for preventing the problem program operation when said key-mask bit is in said second binary state.
2. A system in accordance with Claim 1 further including:

further inhibit means, comprised of a bistable storage device, the binary state of which is controllable by supervisor program operations, effective when in a first binary state to provide a semi-privileged signal, and operative in the absence of said semi-privileged signal to prevent the problem program operation.
3. A system in accordance with Claim 1:

coded key storage means, said check initiating signalling means includes instruction decoding and instruction execution means, responsive to a program instruction, for effecting the transfer of information between a first and second physical block of main memory utilizing the coded PSW protect key for access control to one physical block and the key manifested by said coded key storage means for access control to the other physical block.
4. A system in accordance with Claim 1 further including program call signalling means, responsive to a program instruction, from a calling program, providing a called program identification, entry access means responsive to said called program identification, including means for accessing a particular entry in an associated system control table for transferring said particular entry to the processor, and means for storing said particular entry which comprises entry control information for the called program, said entry control information including an initial called program instruction address, and an authorization key-mask having the same plurality of binary key-mask bits as said key-mask storage, and key-mask checking means, connected to said key-mask storage and said authorization key-mask, including means for performing a bit-for-bit combinatorial function and providing an interrupt signal in response to a particular result of said combinatorial function.
5. A system in accordance with Claim 4 wherein said combinatorial function of said key-mask checking means is the AND function, and said particular result is a binary 0 result of all the bit-for-bit combinations.
6. A system in accordance with Claim 4 wherein said entry control information further includes an entry key-mask having the same plurality of binary bits as said key-mask storage, and further including, a key-mask saving register, key-mask generating means, connected to said key-mask storage and said entry key-mask of said entry control information, operative in the absence of said interrupt signal, for transferring the key-mask manifestation of said calling program in said key-mask storage to said key-mask saving register, and including means for manifesting in said key-mask storage the combinatorial OR function of said entry key-mask and the original manifestation in said key-mask storage, an instruction address saving register, and means, operative in the absence of said interrupt signal, for transferring the manifestation of said calling program instruction address in the PSW to said instruction address saving register, and storing said initial called program instruction address from said entry control information in the PSW.
7. A system in accordance with Claim 6 wherein said entry control information further includes:

a binary bit store comprising a new problem program bit;

problem program bit saving means; and means, operative in the absence of said interrupt signal, for transferring the problem program bit from the PSW to said program bit saving means, and said new problem program bit from said entry control information to the PSW, whereby a called program initiates instruction execution in either the problem or supervisor state.
8. A system in accordance with Claim 7 including:

program transfer signalling means, responsive to a program instruction from said called program, for transferring the manifestation of said calling program instruction address in said instruction address saving register to the PSW;

key-mask restoring means, connected to said key-mask storage and said key-mask saving register, including means for storing in said key-mask storage the AND function of corresponding binary bits of said key-mask storage and said key-mask saving register;

means for transferring the problem program bit from said problem program bit saving means to the PSW; and means, responsive to detection of a change in the PSW problem program bit from one particular binary state to the other, for providing an error signal.
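The key-mask handling that Claims 4 through 8 recite for program call and program transfer can be traced in a short C model, added here as an illustration and not taken from the patent or from any IBM implementation. The type and function names and the status codes are this example's own, ASN translation and the authorization index are left out, and the direction of the problem-bit change that raises the error signal (problem state to supervisor state) is an assumption, since Claim 8 does not name it.

```c
#include <stdint.h>
#include <stdio.h>

/* Status codes of this model; the names are this example's own. */
enum { DONE = 0, INTERRUPT = 1, ERROR_SIGNAL = 2 };

typedef struct {
    uint32_t ia;        /* PSW instruction address */
    int      problem;   /* PSW problem program bit, 1 = problem state */
    uint16_t key_mask;  /* key-mask storage */
} cpu_t;

typedef struct {        /* entry control information of a called program */
    uint32_t entry_ia;  /* initial called program instruction address */
    uint16_t akm;       /* authorization key-mask (Claim 4) */
    uint16_t ekm;       /* entry key-mask (Claim 6) */
    int      problem;   /* new problem program bit (Claim 7) */
} entry_t;

typedef struct {        /* saving registers filled by the call */
    uint32_t ia;
    uint16_t key_mask;
    int      problem;
} saved_t;

/* Program call: refuse when (key mask AND authorization key-mask) is all 0,
 * otherwise save the caller's state and OR in the entry key-mask. */
int program_call(cpu_t *c, const entry_t *e, saved_t *s)
{
    if ((c->key_mask & e->akm) == 0)
        return INTERRUPT;
    s->ia = c->ia;
    s->key_mask = c->key_mask;
    s->problem = c->problem;
    c->key_mask |= e->ekm;
    c->ia = e->entry_ia;
    c->problem = e->problem;
    return DONE;
}

/* Program transfer: the restored key mask is the AND of the current mask
 * and the saved one, so a return can drop authority but never add any. */
int program_transfer(cpu_t *c, const saved_t *s)
{
    if (c->problem && !s->problem)   /* assumed direction of the error */
        return ERROR_SIGNAL;
    c->key_mask &= s->key_mask;
    c->ia = s->ia;
    c->problem = s->problem;
    return DONE;
}

/* Key mask in effect inside the called program, or -1 if the call is refused. */
int mask_inside_call(uint16_t caller_mask, uint16_t akm, uint16_t ekm)
{
    cpu_t c = { 0x1000, 1, caller_mask };
    entry_t e = { 0x2000, akm, ekm, 1 };
    saved_t s;
    return program_call(&c, &e, &s) == DONE ? c.key_mask : -1;
}

/* Key mask after a call followed by the matching return, or -1 on refusal. */
int mask_after_return(uint16_t caller_mask, uint16_t akm, uint16_t ekm)
{
    cpu_t c = { 0x1000, 1, caller_mask };
    entry_t e = { 0x2000, akm, ekm, 1 };
    saved_t s;
    if (program_call(&c, &e, &s) != DONE || program_transfer(&c, &s) != DONE)
        return -1;
    return c.key_mask;
}

/* Return issued with a saved mask the program made up itself. */
int mask_after_forged_return(uint16_t current_mask, uint16_t forged_mask)
{
    cpu_t c = { 0x2000, 1, current_mask };
    saved_t forged = { 0x1000, forged_mask, 1 };
    return program_transfer(&c, &forged) == DONE ? c.key_mask : -1;
}

/* Return issued in problem state with a saved problem bit of 0. */
int return_into_supervisor_state(void)
{
    cpu_t c = { 0x2000, 1, 0x0080 };
    saved_t forged = { 0x1000, 0x0080, 0 };
    return program_transfer(&c, &forged);
}

int main(void)
{
    printf("inside call:      0x%04X\n", (unsigned)mask_inside_call(0x0080, 0x0080, 0x0040));
    printf("after return:     0x%04X\n", (unsigned)mask_after_return(0x0080, 0x0080, 0x0040));
    printf("forged 0xFFFF:    0x%04X\n", (unsigned)mask_after_forged_return(0x00C0, 0xFFFF));
    printf("to supervisor rc: %d\n", return_into_supervisor_state());
    return 0;
}
```

The forged-return case is the reason the restore is an AND rather than a plain load: a saved mask of all ones leaves the running program with exactly the authority it already had.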
CA000373340A 1980-05-23 1981-03-18 Authorization mechanism for transfer of program control or data between different address spaces having different storage protect keys Expired CA1159965A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US152,919 1980-05-23
US06/152,919 US4366537A (en) 1980-05-23 1980-05-23 Authorization mechanism for transfer of program control or data between different address spaces having different storage protect keys

Publications (1)

Publication Number Publication Date
CA1159965A true CA1159965A (en) 1984-01-03

Family

ID=22545010

Family Applications (1)

Application Number Title Priority Date Filing Date
CA000373340A Expired CA1159965A (en) 1980-05-23 1981-03-18 Authorization mechanism for transfer of program control or data between different address spaces having different storage protect keys

Country Status (5)

Country Link
US (1) US4366537A (en)
EP (1) EP0040702B1 (en)
JP (1) JPS5710842A (en)
CA (1) CA1159965A (en)
DE (1) DE3174378D1 (en)

US7366305B2 (en) * 2003-09-30 2008-04-29 Intel Corporation Platform and method for establishing trust without revealing identity
US20050080934A1 (en) 2003-09-30 2005-04-14 Cota-Robles Erik C. Invalidating translation lookaside buffer entries in a virtual machine (VM) system
US7636844B2 (en) 2003-11-17 2009-12-22 Intel Corporation Method and system to provide a trusted channel within a computer system for a SIM device
US8156343B2 (en) 2003-11-26 2012-04-10 Intel Corporation Accessing private data about the state of a data processing machine from storage that is publicly accessible
US8037314B2 (en) 2003-12-22 2011-10-11 Intel Corporation Replacing blinded authentication authority
US20050133582A1 (en) * 2003-12-22 2005-06-23 Bajikar Sundeep M. Method and apparatus for providing a trusted time stamp in an open platform
US7802085B2 (en) 2004-02-18 2010-09-21 Intel Corporation Apparatus and method for distributing private keys to an entity with minimal secret, unique information
US7356735B2 (en) 2004-03-30 2008-04-08 Intel Corporation Providing support for single stepping a virtual machine in a virtual machine environment
US7620949B2 (en) 2004-03-31 2009-11-17 Intel Corporation Method and apparatus for facilitating recognition of an open event window during operation of guest software in a virtual machine environment
US7490070B2 (en) 2004-06-10 2009-02-10 Intel Corporation Apparatus and method for proving the denial of a direct proof signature
JP2006004280A (en) * 2004-06-18 2006-01-05 Toshiba Kyaria Kk Microcomputer, and electronic device
US7305592B2 (en) 2004-06-30 2007-12-04 Intel Corporation Support for nested fault in a virtual machine environment
US7840962B2 (en) 2004-09-30 2010-11-23 Intel Corporation System and method for controlling switching between VMM and VM using enabling value of VMM timer indicator and VMM timer value having a specified time
US8146078B2 (en) 2004-10-29 2012-03-27 Intel Corporation Timer offsetting mechanism in a virtual machine environment
US8924728B2 (en) 2004-11-30 2014-12-30 Intel Corporation Apparatus and method for establishing a secure session with a device without exposing privacy-sensitive information
US8533777B2 (en) * 2004-12-29 2013-09-10 Intel Corporation Mechanism to determine trust of out-of-band management agents
US7395405B2 (en) 2005-01-28 2008-07-01 Intel Corporation Method and apparatus for supporting address translation in a virtual machine environment
US7809957B2 (en) 2005-09-29 2010-10-05 Intel Corporation Trusted platform module for generating sealed data
US8014530B2 (en) 2006-03-22 2011-09-06 Intel Corporation Method and apparatus for authenticated, recoverable key distribution with no database secrets
US7530106B1 (en) 2008-07-02 2009-05-05 Kaspersky Lab, Zao System and method for security rating of computer processes
US8918885B2 (en) * 2012-02-09 2014-12-23 International Business Machines Corporation Automatic discovery of system integrity exposures in system code

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US3328768A (en) * 1964-04-06 1967-06-27 Ibm Storage protection systems
FR2258112A5 (en) * 1973-11-30 1975-08-08 Honeywell Bull Soc Ind
AU506710B2 (en) * 1974-10-21 1980-01-24 Honeywell Information Systems Incorp. Method of accessing priviledged memory in a multiprogrammed data processing system
US4038645A (en) * 1976-04-30 1977-07-26 International Business Machines Corporation Non-translatable storage protection control system

Also Published As

Publication number Publication date
JPS5710842A (en) 1982-01-20
EP0040702B1 (en) 1986-04-16
US4366537A (en) 1982-12-28
DE3174378D1 (en) 1986-05-22
EP0040702A3 (en) 1982-01-13
JPH0137775B2 (en) 1989-08-09
EP0040702A2 (en) 1981-12-02

Similar Documents

Publication Publication Date Title
CA1159965A (en) Authorization mechanism for transfer of program control or data between different address spaces having different storage protect keys
CA1151309A (en) Authorization mechanism for establishing addressability to information in another address space
US4500952A (en) Mechanism for control of address translation by a program using a plurality of translation tables
US5023773A (en) Authorization for selective program access to data in multiple address spaces
EP0331900B1 (en) Method and apparatus for capability control
US4521846A (en) Mechanism for accessing multiple virtual address spaces
US4979098A (en) Multiple address space token designation, protection controls, designation translation and lookaside
US5220669A (en) Linkage mechanism for program isolation
US5469556A (en) Resource access security system for controlling access to resources of a data processing system
US5280614A (en) Apparatus and method for controlling access to data using domains
US5809546A (en) Method for managing I/O buffers in shared storage by structuring buffer table having entries including storage keys for controlling accesses to the buffers
US5163096A (en) Storage protection utilizing public storage key control
EP0478978A2 (en) Multiple controlled data-space facility
EP0150521A2 (en) Data processing system with improved interrupt handling
US5339417A (en) Computer system with two levels of guests
US5802397A (en) System for storage protection from unintended I/O access using I/O protection key by providing no control by I/O key entries over access by CP entity
EP0040703B1 (en) Enhancements in system/370 type of data processing apparatus
EP0327839B1 (en) Information handling system
US5493661A (en) Method and system for providing a program call to a dispatchable unit's base space
CA1312142C (en) Linkage mechanism for program isolation
EP0550285A2 (en) Machine with two units of operation

Legal Events

Date Code Title Description
MKEX Expiry