The present invention relates to an authorization mechanism for a multiple virtual system (MVS) which provides authorization for a program being executed in a data processing system such that the program has concurrent access to multiple virtual address spaces, and more particularly relates to such an authorization mechanism wherein the authorization is nonhierarchical, that is, the called program does not have to have an equal or higher authority than the calling program.
Data processing systems using virtual addressing in multiple virtual address spaces, such as the IBM System/370 Systems using MVS controlled programming, are well known. The organization and hardware/architectural aspects of the IBM System/370 are described in the "IBM System/370 Principles of Operation", form number SA22-7085-1. The described MVS system includes a central processing unit (CPU) which contains the sequencing and processing facilities for instruction execution, interruption action, timing functions, initial program loading, and other machine-related functions. Also included is a main storage, which is directly addressable and provides for high-speed processing of data by the CPU. The main storage may be either physically integrated with the CPU or constructed in stand-alone units.
Located in a register in the machine is a program-status word (PSW) which includes the instruction address and other information used to control instruction sequencing and to determine the state of the CPU. Instructions may designate information in one or more of 16 general registers which may be used as base-address registers and index registers in address arithmetic and as accumulators in general arithmetic and logical operations. The general registers are identified by the numbers 0-15 and are designated by a four-bit register field in an instruction. Some instructions provide for addressing multiple general registers by having several register fields.
The CPU has provision for 16 control registers, each having 32 bit positions. The bit positions in the control registers are assigned to particular facilities in the system, such as program-event recording, and are used either to condition or constrain operations or to furnish special information required by the facility.
U.S. Pat. No. RE. 27,251 to G. M. Amdahl for "Memory Protection System", assigned to the Assignee of the present invention, discloses a four-bit coded storage protect key associated with physical blocks of memory. The protect key is compared with a PSW key associated with a program to control access to data.
U.S. Pat. No. 4,096,573 to A. R. Heller et al for "DLAT Synonym Control Means for Common Portions of All Address Spaces" and U.S. Pat. No. 4,136,385 to P. M. Gannon et al for "Synonym Control Means for Multiple Virtual Storage Systems" both assigned to the Assignee of the present invention, disclose MVS systems in which the main storage may be allocated as address spaces for use by multiple users, each address space containing a portion defined as common among all of the users. The result is that a user may isolate programs or data from other users by placing them in a "private" portion of the user's assigned address space, or he may make them accessible to all other users by placing the programs or data in "common". In such a system, data may be moved between two address spaces by having a program in the first address space move the data from its private area into common and then signal a program in the other address space to operate on, or further move, the data. The use of common as a communication area between address spaces increases the size of the common area and thus reduces the size of the private area available to all users. Signalling from one program to another can only be done by subsystems or the control program. Data is protected by storage protect keys. However, there are only 16 such keys, which are not enough to guarantee that the information is protected from an inadvertent store by another subsystem or authorized program since the information is commonly addressable.
U.S. Pat. No. 4,355,355 to Butwell et al for "Address Generating Mechanism for Multiple Virtual Spaces", assigned to the Assignee of the present invention, discloses access registers (ARs) associated with the general purpose registers (GPRs) in a data processor. The ARs may each be loaded with an address space identifier, for example, a unique segment table designation (STD). There may be 16 ARs associated respectively with the 16 GPRs in a processor. The address space identifier in an AR is selected for address translation when the associated GPR is selected as a storage operand base register, such as being the GPR selected by the B field in an IBM System/370 instruction. However, the address space identifier content of an AR is not selected for an address translation if the associated GPR is selected for a purpose other than as a storage operand base register, such as if a GPR is selected as an index (X) register or as a data source or sink register (R) for an instruction. The disclosed invention also contains authority for each program's access to each address space by also associating an AR control vector (ARCV) register with each AR to control the type of access permitted to the associated address space by an executing program. A special field in either an AR or its associated ARCV may indicate whether the AR content is enabled and thereby contains a usable address space identifier, or is disabled such that the address space identifier must be obtained elsewhere. This special field with each AR permits the GPR of any disabled AR to specify a base value associated with the address space defined by another AR; i.e., the GPR of a disabled AR may specify a base address for data in the program address space defined by AR0.
U.S. Pat. No. 4,430,705 to Cannavino et al for "Authorization Mechanism for Establishing Addressability to Information in Another Address Space", assigned to the Assignee of the present invention, discloses an enhancement to the previous MVS systems. A dual address space (DAS) system is disclosed (see also U.S. Pat. Nos. 4,366,537 and 4,500,952) in which problem programs have the ability to obtain addressability to a different address space if permitted by an authority table associated with the different address space. As with the previous MVS systems, the disclosed DAS system makes use of control registers, general registers, and a PSW. A bit in the PSW is assigned to indicate the DAS mode of operation.
DAS makes two address spaces, a primary address space and a secondary address space, available for use by a semiprivileged program. Three instructions are added for moving information. The MOVE TO PRIMARY (MVCP) instruction moves data from the secondary address space to the primary address space, the MOVE TO SECONDARY (MVCS) instruction moves data from the primary address space to the secondary address space, and the MOVE WITH KEY (MVCK) instruction moves data between differently protected areas in the same address space. The CPU can be in the primary mode in which instructions and the operand addresses defined to be logical refer to the primary address space, or in the secondary mode in which the operand addresses defined to be logical refer to the secondary address space. However, in the secondary mode, it is unpredictable whether instructions are fetched from the primary address space or from the secondary address space. Thus, programs executed in the secondary mode are placed in a common portion of the address space which is shared between the primary address space and the secondary address space.
DAS permits programs operating at different levels of authority to be linked directly without invoking the supervisor. The instructions PROGRAM CALL and PROGRAM TRANSFER provide a protected mechanism for transferring control between programs operating at different levels, or the same level, of control. A PROGRAM CALL by a program in one address space to a program in another address space is called a program call with space switching (PC-ss) operation. A PROGRAM CALL to a program in the same address space with no space switching is called a program call to current primary (PC-cp) operation. Both the PC-cp and the PC-ss operations provide for a change to a higher level of privilege and authority. A return function is performed by a PROGRAM TRANSFER instruction which may be to current primary (PT-cp) or with a space switching operation (PT-ss).
To accomplish a transfer of control, DAS establishes several tables. A linkage table is established for use by the program call operation, with each linkage-table entry containing an entry-table address. An entry table is established at the entry-table address, each entry of which contains entry information for a program to be called. For each program call operation, DAS creates a PC number composed of a linkage index (LX) and an entry index (EX). The LX indexes into the linkage table to obtain an entry-table address, and the EX indexes into the entry table at that address to obtain entry information for the called program. The entry-table-entry data includes an address space number (ASN) which is used to identify the address space of the respective program.
DAS also establishes an ASN first table and an ASN second table which are used for translating the ASN value found in the entry-table entry. The ASN assigned to the address space is made up of an ASN-first-table index (AFX) and an ASN-second-table index (ASX). The AFX indexes into the ASN first table to an ASN-first-table entry which contains an ASN second table designation. If the ASN-first-table entry is valid, the ASX value indexes into the ASN second table. The thus located ASN-second-table entry (ASTE) includes a segment table origin (STO) which is used by a dynamic address translator (DAT) to determine the real addresses of the target address space.
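The two table walks described in the preceding paragraphs (PC number to entry-table entry, then ASN to ASTE) as an added worked example in C. This is illustrative code written for this page, not the patent's or IBM's own; the field widths (12-bit LX, 8-bit EX, 10-bit AFX, 6-bit ASX), the table layouts and every sample value are assumptions made for the example, and the validity checks stand in for the PC-translation and ASN-translation exceptions the machine would raise.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Field widths assumed from the System/370 DAS convention (not stated on
 * the page): a 20-bit PC number = 12-bit LX then 8-bit EX; a 16-bit ASN =
 * 10-bit AFX then 6-bit ASX. */
#define LX_BITS  12
#define EX_BITS   8
#define AFX_BITS 10
#define ASX_BITS  6

/* Entry-table entry, reduced to the fields the description names. */
struct entry_table_entry {
    uint16_t asn;   /* address space of the called program */
    uint16_t akm;   /* authorization key mask */
    uint16_t ekm;   /* entry key mask */
};

/* Linkage-table entry: the entry-table address, modelled as a pointer plus
 * an entry count (NULL = no entry table, i.e. an invalid LX). */
struct linkage_table_entry {
    const struct entry_table_entry *entry_table;
    unsigned entry_count;
};

/* ASN-second-table entry (ASTE): STO and authority-table origin plus validity. */
struct aste { uint32_t sto; uint32_t ato; bool valid; };

/* ASN-first-table entry: the ASN-second-table designation. */
struct afte { const struct aste *second_table; unsigned count; };

static unsigned pc_lx(uint32_t pc)    { return (pc >> EX_BITS) & ((1u << LX_BITS) - 1); }
static unsigned pc_ex(uint32_t pc)    { return pc & ((1u << EX_BITS) - 1); }
static unsigned asn_afx(uint16_t asn) { return (asn >> ASX_BITS) & ((1u << AFX_BITS) - 1); }
static unsigned asn_asx(uint16_t asn) { return asn & ((1u << ASX_BITS) - 1); }

/* LX -> linkage table -> entry table -> EX. NULL when either index runs off
 * its table (a PC-translation exception in the real machine). */
const struct entry_table_entry *
lookup_pc(const struct linkage_table_entry *lt, unsigned lt_len, uint32_t pc)
{
    unsigned lx = pc_lx(pc), ex = pc_ex(pc);
    if (lx >= lt_len || lt[lx].entry_table == NULL) return NULL;
    if (ex >= lt[lx].entry_count) return NULL;
    return &lt[lx].entry_table[ex];
}

/* AFX -> ASN first table -> ASN second table -> ASX. NULL when an index is
 * out of range or the located entry is invalid. */
const struct aste *
lookup_asn(const struct afte *aft, unsigned aft_len, uint16_t asn)
{
    unsigned afx = asn_afx(asn), asx = asn_asx(asn);
    if (afx >= aft_len || aft[afx].second_table == NULL) return NULL;
    if (asx >= aft[afx].count) return NULL;
    return aft[afx].second_table[asx].valid ? &aft[afx].second_table[asx] : NULL;
}

/* ---- constructed sample tables (not real system values) ---- */
static const struct entry_table_entry sample_et1[] = {
    { 0x0041, 0x00FF, 0xC000 },   /* EX 0: ASN 0x0041 = AFX 1, ASX 1 */
    { 0x0002, 0x00FF, 0x0000 },   /* EX 1: ASN 0x0002 = AFX 0, ASX 2 (invalid ASTE) */
};
static const struct linkage_table_entry sample_lt[] = {
    { NULL, 0 },                  /* LX 0: no entry table */
    { sample_et1, 2 },            /* LX 1 */
};
static const struct aste sample_ast0[] = {
    { 0x00010000, 0x00011000, true },
    { 0x00020000, 0x00021000, true },
    { 0, 0, false },              /* ASX 2: invalid */
};
static const struct aste sample_ast1[] = {
    { 0x00A00000, 0x00A01000, true },
    { 0x00ABC000, 0x00ABD000, true },   /* ASX 1: target of PC number 0x100 */
};
static const struct afte sample_aft[] = {
    { sample_ast0, 3 },           /* AFX 0 */
    { sample_ast1, 2 },           /* AFX 1 */
};

/* Full resolution of a PC number over the sample tables: the target STO,
 * or 0 when any step of the walk fails. */
uint32_t resolve_pc_target_sto(uint32_t pc)
{
    const struct entry_table_entry *ete = lookup_pc(sample_lt, 2, pc);
    if (ete == NULL) return 0;
    const struct aste *a = lookup_asn(sample_aft, 2, ete->asn);
    return a ? a->sto : 0;
}

int main(void)
{
    printf("PC 0x100 -> STO 0x%08X\n", resolve_pc_target_sto(0x100));
    printf("PC 0x101 -> STO 0x%08X (invalid ASTE)\n", resolve_pc_target_sto(0x101));
    printf("PC 0x200 -> STO 0x%08X (LX out of range)\n", resolve_pc_target_sto(0x200));
    return 0;
}
```

PC number 0x100 (LX 1, EX 0) resolves through both tables to the STO 0x00ABC000; 0x101 reaches an ASTE marked invalid and 0x200 names a linkage index beyond the table, and both fail closed rather than yielding an address space.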
The bits of a PSW-key mask (PKM) in control register 3 are used in the problem state to control which keys and entry points are authorized for the program. The PKM is modified by PROGRAM CALL and PROGRAM TRANSFER and is loaded by a LOAD ADDRESS SPACE PARAMETERS instruction. The PKM is used in the problem state to control the PSW-key values that can be set in the PSW by means of a semiprivileged instruction to control the PSW-key values that are valid for the MVCP, MVCS and MVCK instructions that specify a second access key, and to control the entry points which can be called by means of PROGRAM CALL.
In a PROGRAM CALL, the PSW-key mask is ANDed with an authorization key mask (AKM) in the entry-table entry. If the result is nonzero, the program is authorized to issue the PC instruction. The entry-table entry contains an entry key mask (EKM) that may contain additional keys to which the called program is authorized. The EKM is ORed into the PKM in control register 3 when the PC routine receives control. This can increase the authority provided by the PKM.
In a PROGRAM TRANSFER, the PKM in control register 3 is ANDed with a PSW-key mask that is specified as an operand, and the result replaces the PKM in control register 3. This can decrease the authority provided by the PKM.
In the MVCP, MVCS and MVCK instructions, access to the primary address space is authorized by the PSW key in the PC operation. In the case of the MVCP and MVCS instructions, an operand specifies an access key to be used to access the secondary space. In the problem state, an MVCP or MVCS operation is performed only if the PKM bit in control register 3 corresponding to the secondary-space access key of the operand is one. In the case of the MVCK instruction, an operand specifies an access key to be used to access the source data area. In the problem state, an MVCK operation is performed only if the PKM bit in control register 3 corresponding to the source-data-area access key of the operand is one.
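The PSW-key-mask arithmetic of the preceding three paragraphs (PROGRAM CALL: PKM AND AKM must be nonzero, then EKM ORed in; PROGRAM TRANSFER: PKM AND operand mask; MVCP/MVCS/MVCK: the operand's access key must have its PKM bit set in the problem state) as an added example in C. It is illustrative code written for this page, not the patent's or IBM's own; the struct names, the key-to-bit mapping (bit k from the left stands for key k) and the sample masks are assumptions for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The PKM in control register 3 is a 16-bit mask; bit position k, counted
 * from the left, stands for PSW key k (mapping assumed for the example). */
static uint16_t key_bit(unsigned key) { return (uint16_t)(0x8000u >> (key & 0xFu)); }

struct cpu_state {
    uint16_t pkm;        /* PSW-key mask, control register 3 bits 0-15 */
    bool problem_state;  /* true = problem state, false = supervisor state */
};

struct entry_info {      /* the two key masks of an entry-table entry */
    uint16_t akm;        /* authorization key mask */
    uint16_t ekm;        /* entry key mask */
};

/* PROGRAM CALL: in the problem state the PKM is ANDed with the AKM and the
 * call is refused when the result is zero; on entry the EKM is ORed into
 * the PKM, so authority can only grow. */
bool program_call(struct cpu_state *cpu, const struct entry_info *ete)
{
    if (cpu->problem_state && (cpu->pkm & ete->akm) == 0)
        return false;
    cpu->pkm |= ete->ekm;
    return true;
}

/* PROGRAM TRANSFER: the PKM is ANDed with the operand mask and the result
 * replaces the PKM, so authority can only shrink. */
void program_transfer(struct cpu_state *cpu, uint16_t operand_pkm)
{
    cpu->pkm &= operand_pkm;
}

/* MVCP/MVCS secondary-space access key, or MVCK source-area access key: in
 * the problem state the corresponding PKM bit must be one. */
bool access_key_authorized(const struct cpu_state *cpu, unsigned access_key)
{
    if (!cpu->problem_state) return true;
    return (cpu->pkm & key_bit(access_key)) != 0;
}

/* Worked sequence over constructed masks: a key-8 problem program calls an
 * entry whose AKM admits keys 8 and 9 and whose EKM grants keys 0 and 1,
 * moves with key 0, then transfers back with an operand mask that keeps
 * only keys 8-15. Returns the final PKM. */
uint16_t scenario_final_pkm(void)
{
    struct cpu_state cpu = { key_bit(8), true };
    struct entry_info ete = { key_bit(8) | key_bit(9), key_bit(0) | key_bit(1) };

    bool called = program_call(&cpu, &ete);        /* PKM 0x0080 -> 0xC080 */
    bool mv_ok  = access_key_authorized(&cpu, 0);  /* key 0 now usable */
    program_transfer(&cpu, 0x00FF);                /* PKM back to 0x0080 */
    printf("call %s, MVCP with key 0 %s, final PKM 0x%04X\n",
           called ? "authorized" : "refused",
           mv_ok ? "allowed" : "denied", cpu.pkm);
    return cpu.pkm;
}

int main(void) { scenario_final_pkm(); return 0; }
```

The sequence shows the asymmetry the text describes: the call can only add keys to the PKM (here 0 and 1 join 8), and the transfer can only remove them (the operand mask 0x00FF drops them again). A caller that holds only key 8 and targets an entry whose AKM admits only key 3 is refused before the EKM is ever applied.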
ASN authorization is the process of testing whether the program associated with the current authorization index is permitted to establish a particular address space by use of an authorization index (AX). The ASN authorization is performed as part of a PT-ss operation, or a SET SECONDARY ASN with space switching (SSAR-ss) operation which sets the secondary address space to any desired address space. Each address space has associated with it an authority table (AT) which contains one entry for every AX in use. The AX entry in the AT indicates the authority of programs running under that AX to issue PT and SSAR instructions to the address space. ASN authorization is required for both supervisor state and problem programs. The AX to be checked against the AT is located in control register 4, and the authority-table origin (ATO) for the address space is located in the ASTE of the target address space. Each entry of the authority table consists of two bits, a P bit and an S bit. The program with an AX corresponding to that AX entry in the AT is permitted to establish the address space as its primary address space if the corresponding P bit is one and is permitted to establish the address space as its secondary address space if the corresponding S bit is one.
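The authority-table check of the preceding paragraph (AX from control register 4 indexing a table of two-bit P/S entries located through the ASTE's ATO) as an added example in C. This is illustrative code written for this page, not the patent's or IBM's own; the packing of four two-bit entries per byte with the P bit ahead of the S bit, the struct and function names, and the sample table contents are assumptions for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Authority table (AT): one 2-bit entry per authorization index (AX).
 * Packing assumed for the example (not stated on the page): four entries
 * per byte, entry 0 in the high-order bits, P bit ahead of S bit. */
struct authority_table {
    const uint8_t *bytes;   /* authority-table origin (ATO), from the ASTE */
    unsigned entries;       /* number of AX values the table covers */
};

enum at_use { AT_PRIMARY, AT_SECONDARY };

/* Fetch the 2-bit entry for ax; -1 when ax lies beyond the table, which is
 * treated as not authorized. */
static int at_entry(const struct authority_table *at, unsigned ax)
{
    if (ax >= at->entries) return -1;
    unsigned shift = 6 - 2 * (ax % 4);
    return (at->bytes[ax / 4] >> shift) & 0x3;   /* value 2 = P bit, 1 = S bit */
}

/* ASN authorization: may a program running under ax (control register 4)
 * make the space owning `at` its primary (PT-ss) or secondary (SSAR-ss)
 * address space? The check applies in supervisor and problem state alike. */
bool asn_authorized(const struct authority_table *at, unsigned ax, enum at_use use)
{
    int e = at_entry(at, ax);
    if (e < 0) return false;
    return use == AT_PRIMARY ? (e & 0x2) != 0 : (e & 0x1) != 0;
}

/* Constructed sample table covering five AX values:
 *   AX0 = 11 (P and S), AX1 = 01 (S only), AX2 = 10 (P only), AX3 = 00,
 *   AX4 = 10 (P only); the remaining bits of the second byte are unused. */
static const uint8_t sample_at_bytes[] = { 0xD8, 0x80 };
static const struct authority_table sample_at = { sample_at_bytes, 5 };

/* PT-ss and SSAR-ss checks expressed over the sample table. */
bool pt_ss_allowed(unsigned cr4_ax)   { return asn_authorized(&sample_at, cr4_ax, AT_PRIMARY); }
bool ssar_ss_allowed(unsigned cr4_ax) { return asn_authorized(&sample_at, cr4_ax, AT_SECONDARY); }

int main(void)
{
    for (unsigned ax = 0; ax < 6; ax++)
        printf("AX %u: PT-ss %s, SSAR-ss %s\n", ax,
               pt_ss_allowed(ax) ? "yes" : "no", ssar_ss_allowed(ax) ? "yes" : "no");
    return 0;
}
```

Because each address space owns its own table, the space being entered decides which AX values may establish it as primary or secondary, independently of what the entering program's PKM says; an AX past the end of the table is refused rather than read as a default entry.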
The use of the DAS facility has several limitations. The MVCP and MVCS instructions can only move data between the primary and secondary address spaces. DAS cannot move data between two arbitrary address spaces which are not primary or secondary address spaces. All of the programs executed in an address space use the authorization index associated with the address space. The use of the secondary mode by a program requires that the program be in the common area. Switching frequently between the primary mode and the secondary mode, in order to access data in both the primary address space and the secondary address space, severely decreases performance. A PC instruction performs only a hierarchical type linkage. It is not practical to use the PC instruction to give control from a supervisor state program to a problem state program because the PT instruction cannot be used to return. The PC instruction can only change the PSW-key mask by increasing its authority. The space switching PC instruction always gives the called program access to the calling program's address space. Finally, the PC instruction does not change the PSW key, so fetch-protected code cannot be called.
U.S. Pat. No. 4,037,214 to Birney et al for "Key Register Controlled Accessing System", assigned to the Assignee of the present invention, shows a horizontal addressing system in which three access key registers (AKRs) authorize the address space of a storage access as a function of an instruction address, a sink operand address and a source operand address, respectively.
U.S. Pat. No. 4,521,846 issued to the same assignee as the present invention and entitled "Mechanism for Accessing Multiple Virtual Spaces" shows another mechanism for controlling access to plural virtual address spaces in a cross-memory implementation where data can be accessed in a non-privileged state.
U.S. Pat. No. 3,787,813 to Cole et al for "Data Processing Devices Using Capability Registers", assigned to the Assignee of the present invention, shows a data processing device with a central processing unit and a storage unit, the information in the storage unit being arranged in segments and the central processing unit having a plurality of capability registers each arranged to store descriptor information indicative of the base and limit addresses of an information segment. One of the capability registers is arranged to hold information defining the base and limit addresses of an information segment which contains a segment pointer table, particular to the program currently being executed by the central processing unit. A further one of the registers is arranged to hold information defining the base and limit addresses of an information segment which contains a master capability table having an entry for each information segment in the storage unit composed of information defining the base and limit addresses of a segment. The segment pointer table comprises a list of data words which are used as pointers to define different entries in the master segment table.
U.S. Pat. No. 4,366,536 to Kohn for "Modular Digital Computer System for Storing and Selecting Data Processing Procedures and Data", assigned to the Assignee of the present invention, shows a digital computer system for selecting and linking multiple, separately stored data processing procedures consisting of assembly level commands and for selecting a variable data area from a plurality of variable data areas. The system includes memories for storing the data processing procedures, the variable data areas and linking addresses; a program counter for accessing the memory containing the stored data processing procedures; registers for accessing the memories containing the data and the linking addresses; and a hardware unit which is adapted to execute the assembly level commands contained in selected data processing procedures in accordance with assembly level commands in the data processing procedure being executed and previously selected addresses.
U.S. Pat. No. 4,268,903 to Miki et al for "Stack Control System and Method for Data Processor", assigned to the Assignee of the present invention, discloses a stack control register group for controlling a stack area. A data stack pointer register holds the start address of the data stack area which is formed in the stack facility and controlled by the user program directly.
U.S. Pat. No. 4,454,580 entitled "Program Call Method and Call Instruction Execution Apparatus", assigned to the same assignee as the present invention, includes a method of passing execution from a program in one logical address space to another program in a new logical address space. The calling program controls selective allocation of segments to the called program, but the called program controls the lengths of the segments being allocated. In this way, recursive calls to the same program cannot affect the function or data of other programs or of the same program in a previous call. Also, allocation of data segments can be postponed until execution, resulting in more flexible execution of programs written without knowledge of the details of other co-executing programs.
U.S. Pat. No. 4,297,743 entitled "Call and Stack Mechanism for Procedures Executing in Different Rings" shows an architecture based on a hierarchy of rings where each ring represents a different level of privilege. Branches are allowed to rings having a lesser privilege, and privilege levels are allowed to be different for read-only status as opposed to read and write status. The patent shows a stack frame which has three areas: a work area for storing variables, a save area for saving the contents of registers, and a communications area for passing parameters between procedures. Prior to a procedure call, the user must specify those registers to be saved and the user must load into the communications area the parameters to be passed to the called procedure. The system provides for a history of calls in a sequence of stack frames so that a return can be accomplished. Finally, U.S. Pat. No. 4,044,334 entitled "Database Instruction Unload" shows a system for retrieving a database pointer for locating database records in one of a plurality of segments of addressable space.
IBM Technical Disclosure Bulletin, January 1982, Vol. 24, No. 8, pages 4401-4403 entitled "Method of Revoking a Capability Containing a Pointer-type Identifier without Accessing the Capability" deals with an Address Space No. (ASN) as a pointer-type identifier for the address space capability. This publication relates to the dual address space facility and the fact that an address space does not have to be entered to determine if the access is valid since that information may be determined using the ASN-second-table entry (ASTE) associated with address translation. In general, access to an object by means of the capability is permitted only when the unique codes in the capability and the object are equal. The capability can be revoked simply by changing the unique code in the object without the need to locate and access the capability.