© 2004 IBM Corporation
IBM Systems and Technology Group
z/VM CP Storage Management Education Series
Storage Protection on z/Architecture
A Brief Primer
Dan FitzGerald
Friday, October 16, 2009 (Revision 2)
IBM Systems and Technology Group
© 2004 IBM Corporation
04/27/15
z/VM CP Storage Management Education Series
Outline
- Concept Review
- Background
- Key-Controlled Protection
- Access-List-Controlled Protection
- Page Protection
- Low-Address Protection
- Suppression on Protection
Concept Review
- In this portion of the presentation, we will reintroduce concepts that will come up in our discussion on storage protection mechanisms.
- Most of this information is available from the z/Architecture Principles of Operation, Chapter 3.
- We will present this information as a series of definitions. This is intended to be a fast reference/review only, so please consult the Principles of Operation or your Connections Coach if you have any questions.
Concept Review
- Dynamic Address Translation (DAT) - The process via which we handle virtual memory
- Program Status Word (PSW) - Contains information used in the execution of the currently active program
- Access Registers - A special set of 16 registers, one for each general purpose register. For use with AR Mode
- AR Mode - Uses the access registers when doing base displacement addressing
  - Determined by bits 16 and 17 of the PSW
Concept Review
- There are four different types of addresses that we will encounter in z/Architecture. They are known as absolute, real, virtual and logical. Additionally, we will hear about effective addresses.
- Absolute Address - The address assigned to a main storage location
  - These are the unmodified, actual addresses of bytes in storage.
- Real Address - Identifies a location in real storage
  - When a real address is used for an access into main storage, prefixing may be used to convert it into an absolute address
Concept Review
- Virtual Address - Identifies a location in virtual storage
  - When a virtual address is used for an access to main storage, it is translated by means of dynamic address translation (DAT) to a real address, which is then prefixed to an absolute address.
- Logical Address - Your addresses are translated within whatever mode the architecture is set to
  - In z/Architecture, a specific address mode can be set.
  - For example, your machine may be set to real address mode. In this case, your logical addresses will be treated as real addresses.
  - Unless otherwise specified, the storage-operand addresses for most instructions are logical addresses.
Concept Review
- Effective Address - The address which exists before any transformation by dynamic address translation or any prefixing is performed
- Instruction Address - Addresses used to fetch instructions from storage
Background
- z/Architecture has four means of protecting the contents of main storage from tampering by either malicious or errant programs
  - Key-controlled protection
  - Access-list-controlled protection
  - Page protection
  - Low-address protection
- These are used in conjunction with (not exclusive of) one another.
Background
- A storage key is associated with each 4K block of storage on the system:
- ACC - Access-Control Bits
  - These are matched with a four-bit access key when information is stored and when information is fetched from a location that is protected against fetching.
- F - Fetch-Protection Bit
  - Controls whether key-controlled protection applies to fetch-type references
Background
- F - Fetch-Protection Bit (cont'd.)
  - A zero indicates that only store-type references are monitored and that fetching with any access key is permitted.
  - A one indicates that key-controlled protection applies to both fetching and storing.
- R - Reference Bit
  - Whenever the associated storage block is referenced, this is set to one.
- C - Change Bit
  - Each time the associated storage block (always a page or a frame on z/VM) is modified, this is set to one.
- Note that storage keys are not part of addressable storage
  - In z/VM, these are analogous to the guest storage keys found in the PGSTE block associated with a given page table entry
Key-Controlled Protection
- So just what is an access key, anyway?
  - Well, it's a key. To store or fetch to a protected page, the access key must either match the storage key, or be set to zero.
- What constitutes an access key differs depending on the manner of access:
  - Access to storage initiated by the CPU
  - Access to storage for the purpose of channel-program execution
  - Access to the measurement block for channel-subsystem monitoring
- Additionally, depending on the type of access, different things happen should protection prohibit the action.
Key-Controlled Protection
- Access to storage initiated by the CPU
  - Access Key - can be found in the PSW key (bits 8-11 of the PSW)
  - Prohibitive Action - execution of the instruction is terminated and a protection exception is issued (this is a program interrupt)
- Access to storage for the purpose of channel-program execution
  - Access Key - the subchannel key associated with the calling channel program. On z/VM, this can be found in bit 4 of the operation request block (ORBLK).
  - Prohibitive Action - the start function is ended and the protection check bit in the associated interruption response block (IRB) is set to one.
Key-Controlled Protection
- Access to the measurement block for channel-subsystem monitoring
  - Access Key - an access to the measurement block is made; use the measurement block key
  - Prohibitive Action - the I/O measurement-block protection check condition is set to one
- In general, when a store is prohibited because of a protection lock violation, the contents of the target location remain unchanged.
- When a fetch request causes the violation, the protected data is left unchanged in storage.
Key-Controlled Protection
- Here's an odd case: As you know, on program load, your entire program is loaded from disk and into storage. Suppose that the key for a page of your program got changed...
  - Yes, it is possible for an instruction fetch to violate key protection.
  - This is generally bad.
  - For a prohibited instruction fetch, the instruction is suppressed and an arbitrary instruction-length code is returned.
- Key-controlled protection does not apply when the storage-protection control bit is one and the value of the access control bits is 9.
- There are two override controls:
  - Storage-Protection Override
  - Fetch-Protection Override
Key-Controlled Protection
- Storage-Protection Override Control - When active, key-controlled storage protection is ignored for storage locations having an associated storage-key value of 9.
  - Bit 39 of Control Register 0
  - Applies to instruction fetch and to the fetch and store accesses of instructions whose operand addresses are logical, virtual or real.
- Fetch-Protection Override Control - When active, fetch protection is ignored for locations at effective addresses 0-2047
  - Bit 38 of Control Register 0
  - Fetch Protection is not ignored if the effective address is subject to DAT and the private-space control is active (Bit 55 of the address-space-control element).
Key-Controlled Protection
- Fetch-Protection Override Control (cont'd.)
  - This applies to instruction fetch and the fetch accesses of instructions whose operand addresses are logical, virtual or real.
  - It does not apply to fetch accesses made for the purpose of channel-subsystem monitoring.
Access-List-Controlled Protection
- In AR mode, the fetch-only bit (bit 6 of the access-list entry) controls which types of references are allowed into the specified address space.
  - When the fetch-only bit is zero, both fetches and stores are permitted
  - When the bit is one, only fetches are allowed. Any attempt to store causes a protection exception (an interrupt) to be issued and the execution of the instruction will be suppressed.
Page Protection
- The page protection facility controls access to virtual storage via the page-protection bit in each page-table and segment-table entry.
- Bit 54 of the page table entry
- Controls whether storing into a given page is permitted
  - When zero, both fetching and storing are permitted
  - When one, only fetching is permitted
- When an attempt to store violates page protection, the contents of the page remain unchanged, the operation/instruction is suppressed and a protection exception (interruption) is issued.
Page Protection
- The page protection bit of the segment-table entry is treated as being OR'd into the page-protection bit position of each entry of the page table designated by the segment-table entry.
- In effect, when the page-protection bit of the segment-table entry is one, it has the same effect as having the page-protection bit set to one in each entry of the designated page table.
Low-Address Protection
- Protects against the destruction of main-storage information used by the CPU during interruption processing.
- Controlled by bit 53 of Control Register 0
- Instructions are prohibited from storing with effective addresses in the ranges 0-511 and 4096-4607
  - These are the first 512 bytes of each of the first two 4K pages
- Low-address protection does not apply if the address-space-control element to be used is not available due to another type of exception.
- This protection is not applied to access made by the CPU or the channel subsystem for such sequences as interruptions.
Suppression on Protection
- In layman's terms, when we suppress an instruction we present the generated exception to the calling program and ignore the instruction.
- When is an operation suppressed?
  - Some instruction definitions specify that the operation is always suppressed if any sort of protection exception is generated.
  - Otherwise, we will always suppress an instruction if a protection exception due to access-list-controlled protection or page protection is recognized.
- The suppression function allows the control program to locate the segment-table entry and page-table entry used in the translation of a virtual address that caused a protection exception, in order to determine if the exception was due to page protection. The CP also has the ability to avoid this if the address was not virtual or due to access-list-controlled protection.
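
The four mechanisms in this deck apply together, which is easiest to see as a single decision function for CPU-initiated accesses. The C model below is an added example, not code from the presentation or from z/VM; the type and function names, the boolean control flags, and the order in which the checks run are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model only: names and check order are assumptions. */
typedef enum { ALLOW, DENY_LOW_ADDRESS, DENY_ACCESS_LIST, DENY_PAGE, DENY_KEY } verdict;

typedef struct {
    bool lap;           /* low-address protection control is on */
    bool sp_override;   /* storage-protection override control is on */
    bool fp_override;   /* fetch-protection override control is on */
} controls;

typedef struct {
    uint8_t acc;            /* storage key: access-control bits (0-15) */
    bool    f;              /* storage key: fetch-protection bit */
    bool    dat;            /* address is virtual (subject to DAT) */
    bool    private_space;  /* private-space control of the ASCE */
    bool    ste_p, pte_p;   /* page-protection bits: segment and page entry */
    bool    ar_mode;        /* access is made in AR mode */
    bool    ale_fetch_only; /* fetch-only bit of the access-list entry */
} target;

/* Key-controlled protection, including both override controls. */
bool key_permits(uint8_t key, bool store, uint64_t ea,
                 const target *t, const controls *c)
{
    if (key == 0 || key == t->acc) return true;      /* key zero or match */
    if (c->sp_override && t->acc == 9) return true;  /* storage-key value 9 */
    if (store) return false;
    if (!t->f) return true;                          /* F=0: any key may fetch */
    /* Fetch-protection override: effective addresses 0-2047, unless the
       address is subject to DAT and the private-space control is active. */
    return c->fp_override && ea <= 2047 && !(t->dat && t->private_space);
}

verdict check_access(uint8_t key, bool store, uint64_t ea,
                     const target *t, const controls *c)
{
    if (store) {  /* these three mechanisms restrict stores only */
        if (c->lap && (ea <= 511 || (ea >= 4096 && ea <= 4607)))
            return DENY_LOW_ADDRESS;
        if (t->ar_mode && t->ale_fetch_only)
            return DENY_ACCESS_LIST;
        if (t->dat && (t->ste_p || t->pte_p))        /* segment bit is OR'd in */
            return DENY_PAGE;
    }
    return key_permits(key, store, ea, t, c) ? ALLOW : DENY_KEY;
}

/* Per the suppression slide: these two causes always suppress. */
bool always_suppressed(verdict v)
{
    return v == DENY_ACCESS_LIST || v == DENY_PAGE;
}

int main(void)
{
    static const char *name[] = { "allow", "low-address", "access-list", "page", "key" };
    controls c  = { .lap = true, .sp_override = true, .fp_override = true };
    target user = { .acc = 8, .f = true, .dat = true };       /* constructed samples */
    target ro   = { .acc = 8, .dat = true, .ste_p = true };   /* PTE bit left zero */
    target low  = { .acc = 4, .f = true };

    printf("key 8 store, ACC 8:         %s\n", name[check_access(8, true, 0x20000, &user, &c)]);
    printf("key 4 fetch, ACC 8, F=1:    %s\n", name[check_access(4, false, 0x20000, &user, &c)]);
    printf("key 0 store, segment P=1:   %s\n", name[check_access(0, true, 0x20000, &ro, &c)]);
    printf("key 0 store at 0x100:       %s\n", name[check_access(0, true, 0x100, &low, &c)]);
    printf("key 8 fetch at 100, ACC 4:  %s\n", name[check_access(8, false, 100, &low, &c)]);
    return 0;
}
```

Note that key zero passes key-controlled protection but is still stopped by page protection and low-address protection in this model, which is the practical meaning of the mechanisms being used in conjunction.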
