Storage Protection on z/Architecture: A Brief Primer

z/VM CP Storage Management Education Series

Dan FitzGerald, Friday, October 16, 2009 (Revision 2)

IBM Systems and Technology Group, © 2004 IBM Corporation

Outline

Concept Review

Background

Key-Controlled Protection

Access-List-Controlled Protection

Page Protection

Low-Address Protection

Suppression on Protection


Concept Review

In this portion of the presentation, we will reintroduce concepts that will come up in our discussion on storage protection mechanisms.

Most of this information is available from the z/Architecture Principles of Operation, Chapter 3.

We will present this information as a series of definitions. This is intended to be a fast reference/review only, so please consult the Principles of Operation or your Connections Coach if you have any questions.


Dynamic Address Translation (DAT) – The process via which we handle virtual memory

Program Status Word (PSW) – Contains information used in the execution of the currently active program

Access Registers – A special set of 16 registers, one for each general purpose register, for use with AR mode

AR Mode – Uses the access registers when doing base-displacement addressing. It is determined by bits 16 and 17 of the PSW.


There are four different types of addresses that we will encounter in z/Architecture. They are known as “absolute”, “real”, “virtual” and “logical.” Additionally, we will hear about “effective” addresses.

Absolute Address – The address assigned to a main storage location

These are the unmodified, “actual” addresses of bytes in storage.

Real Address – Identifies a location in real storage

When a real address is used for an access into main storage, prefixing may be used to convert it into an absolute address


Virtual Address – Identifies a location in virtual storage

When a virtual address is used for an access to main storage, it is translated by means of dynamic address translation (DAT) to a real address, which is then prefixed to an absolute address.

Logical Address – Your addresses are translated within whatever mode the architecture is set to

In z/Architecture, a specific address mode can be set. For example, your machine may be set to “real address mode”. In this case, your logical addresses will be treated as real addresses. Unless otherwise specified, the storage-operand addresses for most instructions are logical addresses.


Effective Address – The address which exists before any transformation by dynamic address translation or any prefixing is performed

Instruction Address – Addresses used to fetch instructions from storage


Background

z/Architecture has four means of protecting the contents of main storage from tampering by either malicious or errant programs:

Key-controlled protection

Access-list-controlled protection

Page protection

Low-address protection

These are used in conjunction with (not exclusive of) one another.


A storage key is associated with each 4K block of storage on the system:

ACC – Access-Control Bits

These are matched with a four-bit access key when information is stored and when information is fetched from a location that is protected against fetching.

F – Fetch-Protection Bit

Controls whether key-controlled protection applies to fetch-type references


A zero indicates that only store-type references are monitored and that fetching with any access key is permitted.

A one indicates that key-controlled protection applies to both fetching and storing.

R – Reference Bit

Whenever the associated storage block is referenced, this is set to one.

C – Change Bit

Each time the associated storage block (always a page or a frame on z/VM) is modified, this is set to one.

Note that storage keys are not part of addressable storage.

In z/VM, these are analogous to the guest storage keys found in the PGSTE block associated with a given page table entry.


Key-Controlled Protection

So just what is an “access key”, anyway?

Well, it's a key. To store to or fetch from a protected page, the access key must either match the storage key or be set to zero.

What constitutes an access key differs depending on the manner of access:

Access to storage initiated by the CPU

Access to storage for the purpose of channel-program execution

Access to the measurement block for channel-subsystem monitoring

Additionally, depending on the type of access, different things happen should protection prohibit the action.


Access to storage initiated by the CPU

Access Key - can be found in the PSW key (bits 8-11 of the PSW)

Prohibitive Action – execution of the instruction is terminated and a protection exception is issued (this is a program interrupt)

Access to storage for the purpose of channel-program execution

Access Key - the subchannel key associated with the calling channel program. On z/VM, this can be found in bit 4 of the operation request block (ORBLK).

Prohibitive Action – the start function is ended and the protection check bit in the associated interruption response block (IRB) is set to one.

Access to the measurement block for channel-subsystem monitoring

Access Key - an access to the measurement block is made; use the measurement block key

Prohibitive Action – the I/O measurement-block protection check condition is set to one

In general, when a store is prohibited because of a protection lock violation, the contents of the target location remain unchanged.

When a fetch request causes the violation, the protected data is left unchanged in storage.


Here's an odd case: As you know, on program load, your entire program is loaded from disk and into storage. Suppose that the key for a page of your program got changed...

Yes, it is possible for an instruction fetch to violate key protection. This is generally bad. For a prohibited instruction fetch, the instruction is suppressed and an arbitrary instruction-length code is returned.

Key-controlled protection does not apply when the storage-protection control bit is one and the value of the access control bits is 9.

There are two override controls: Storage-Protection Override and Fetch-Protection Override.


Storage-Protection Override Control – When active, key-controlled storage protection is ignored for storage locations having an associated storage-key value of 9.

Bit 39 of Control Register 0. Applies to instruction fetch and to the fetch and store accesses of instructions whose operand addresses are logical, virtual or real.

Fetch-Protection Override Control – When active, fetch protection is ignored for locations at effective addresses 0-2047.

Bit 38 of Control Register 0. Fetch protection is not ignored if the effective address is subject to DAT and the private-space control is active (bit 55 of the address-space-control element).


This applies to instruction fetch and the fetch accesses of instructions whose operand addresses are logical, virtual or real. It does not apply to fetch accesses made for the purpose of channel-subsystem monitoring.
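The key-controlled decision for a CPU-initiated access, including both override controls, written out as a small C model. This is an added example, not IBM or z/VM code; the struct, field and function names are assumptions of this sketch, and the reference and change bits are left out because they do not affect the decision.

```c
#include <stdbool.h>
#include <stdint.h>

/* Protection-relevant part of a storage key (R and C bits omitted). */
struct storage_key { uint8_t acc; bool fetch_protect; };

/* Controls named on the slides; the field names are this example's own. */
struct controls {
    bool storage_prot_override;  /* bit 39 of Control Register 0 */
    bool fetch_prot_override;    /* bit 38 of Control Register 0 */
    bool dat_on;                 /* effective address is subject to DAT */
    bool private_space;          /* bit 55 of the address-space-control element */
};

enum access { FETCH, STORE };

/* Returns true when key-controlled protection permits the access. */
static bool key_permits(struct storage_key sk, uint8_t access_key,
                        enum access type, uint64_t eff_addr,
                        const struct controls *c)
{
    /* An access key of zero, or one equal to the ACC bits, always passes. */
    if (access_key == 0 || access_key == sk.acc)
        return true;
    /* Storage-protection override: blocks keyed 9 are exempt. */
    if (c->storage_prot_override && sk.acc == 9)
        return true;
    /* A mismatched store is always prohibited. */
    if (type == STORE)
        return false;
    /* A mismatched fetch is only prohibited when the F bit is one. */
    if (!sk.fetch_protect)
        return true;
    /* Fetch-protection override covers effective addresses 0-2047,
       except when DAT applies and the private-space control is on. */
    if (c->fetch_prot_override && eff_addr <= 2047 &&
        !(c->dat_on && c->private_space))
        return true;
    return false;
}
```
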


Access-List-Controlled Protection

In AR mode, the fetch-only bit (bit 6 of the access-list entry) controls which types of references are allowed into the specified address space.

When the fetch-only bit is zero, both fetches and stores are permitted. When the bit is one, only fetches are allowed. Any attempt to store causes a protection exception (an interrupt) to be issued and the execution of the instruction will be suppressed.


Page Protection

The page protection facility controls access to virtual storage via the page-protection bit in each page-table and segment-table entry.

Bit 54 of the page table entry

Controls whether storing into a given page is permitted. When zero, both fetching and storing are permitted. When one, only fetching is permitted.

When an attempt to store violates page protection, the contents of the page remain unchanged, the operation/instruction is suppressed and a protection exception (interruption) is issued.


The page protection bit of the segment-table entry is treated as being OR'd into the page-protection bit position of each entry of the page table designated by the segment-table entry.

In effect, when the page-protection bit of the segment-table entry is one, it has the same effect as having the page-protection bit set to one in each entry of the designated page table.


Low-Address Protection

Protects against the destruction of main-storage information used by the CPU during interruption processing.

Controlled by bit 53 of Control Register 0

Instructions are prohibited from storing at effective addresses in the ranges 0-511 and 4096-4607.

These are the first 512 bytes of each of the first two 4K pages.

Low-address protection does not apply if the address-space-control element to be used is not available due to another type of exception.

This protection is not applied to access made by the CPU or the channel subsystem for such sequences as interruptions.


Suppression on Protection

In layman's terms, when we suppress an instruction we present the generated exception to the calling program and ignore the instruction.

When is an operation suppressed? Some instruction definitions specify that the operation is always suppressed if any sort of protection exception is generated. Otherwise, we will always suppress an instruction if a protection exception due to access-list-controlled protection or page protection is recognized.

The suppression function allows the control program to locate the segment-table entry and page-table entry used in the translation of a virtual address that caused a protection exception, in order to determine if the exception was due to page protection. The CP also has the ability to avoid this if the address was not virtual or due to access-list-controlled protection.
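The store-side checks from the access-list, page-protection and low-address slides, together with the suppression rule above, modelled in C as an added example (not IBM or z/VM code). The struct, field and function names and the order in which the checks are tried are assumptions of this sketch; the exemptions listed on the low-address slide are not modelled.

```c
#include <stdbool.h>
#include <stdint.h>

enum verdict { PERMIT, DENY_LOW_ADDRESS, DENY_ACCESS_LIST, DENY_PAGE };

/* State consulted for one store; the field names are this example's own. */
struct store_ctx {
    bool low_addr_prot;   /* bit 53 of Control Register 0 */
    bool ar_mode;         /* PSW selects access-register mode */
    bool ale_fetch_only;  /* bit 6 of the access-list entry */
    bool dat_on;          /* address goes through the DAT tables */
    bool ste_protect;     /* page-protection bit of the segment-table entry */
    bool pte_protect;     /* bit 54 of the page-table entry */
};

/* First 512 bytes of each of the first two 4K pages. */
static bool in_low_range(uint64_t a)
{
    return a <= 511 || (a >= 4096 && a <= 4607);
}

/* Decide whether a store to eff_addr is permitted, and if not, why. */
static enum verdict check_store(const struct store_ctx *c, uint64_t eff_addr)
{
    if (c->low_addr_prot && in_low_range(eff_addr))
        return DENY_LOW_ADDRESS;
    if (c->ar_mode && c->ale_fetch_only)
        return DENY_ACCESS_LIST;
    /* The segment-table bit is OR'd into every page-table entry's bit. */
    if (c->dat_on && (c->ste_protect || c->pte_protect))
        return DENY_PAGE;
    return PERMIT;
}

/* Access-list and page-protection violations are always suppressed;
   for other causes it depends on the instruction definition. */
static bool always_suppressed(enum verdict v)
{
    return v == DENY_ACCESS_LIST || v == DENY_PAGE;
}
```
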