The problem of maintaining the security of data in data processing systems is well known. A given system may store data which should be kept secret, and it can be disastrous if part of the data is lost, mutilated, or becomes public. The system may have many terminals which should have access to some but not all of the stored data. Some of these terminals may be in-house, but with increasing frequency some terminals of the system are telephone line connections which might be accessed by any member of the public if the access code should become known. With the proliferation of personal computers it is not uncommon for operators of these personal computers to gain access to a large computer system over telephone lines. When access is obtained, the data stored in the system can become public knowledge. In addition, the PC operator may, in some instances, modify the stored data or even change the executive or supervisory program which controls the system.
Various approaches have been taken in attempting to provide a secure system but, insofar as we presently know, none of these approaches has achieved level A1 security. For example, the MC68020 provides function control signals which may be decoded to indicate whether an address specifies supervisory program space, supervisory data space, user program space or user data space. The decoded signals may then be used to limit access to certain portions of memory. However, if one should gain entry into the supervisory program, then the function codes may be changed so that all memory space would become available. In accordance with one aspect of the invention, each unit connected to a bus is categorized as "system", "user" or "external" to provide three levels of access to memory space. Furthermore, no user or external unit can gain access to the supervisory program which defines the categories of the units.
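The contrast drawn above, between a check that trusts the function code a requester asserts and a check tied to the category of the bus unit, can be modelled in a few lines of C. This is an added illustration, not code or circuitry from the original document. The memory map, the unit ids, the ordering of the three categories and the function names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* MC68020 function codes FC2..FC0; FC2 set means supervisor state. */
enum { FC_USER_DATA = 1, FC_USER_PROG = 2, FC_SUPER_DATA = 5, FC_SUPER_PROG = 6 };

/* The three unit categories named in the text; the ordering is an assumption. */
enum unit_cat { CAT_EXTERNAL = 0, CAT_USER = 1, CAT_SYSTEM = 2 };

/* Constructed memory map: lowest category allowed into each region. */
struct region { uint32_t base, limit; enum unit_cat min_cat; };
static const struct region map[] = {
    { 0x000000, 0x00FFFF, CAT_SYSTEM   },  /* supervisory program, category table */
    { 0x010000, 0x07FFFF, CAT_USER     },  /* user program and data */
    { 0x080000, 0x0FFFFF, CAT_EXTERNAL },  /* buffer shared with external units */
};

/* Constructed bus population: category is fixed per unit, indexed by unit id. */
static const enum unit_cat unit_category[] = { CAT_SYSTEM, CAT_USER, CAT_EXTERNAL };

static const struct region *find_region(uint32_t addr) {
    for (size_t i = 0; i < sizeof map / sizeof map[0]; i++)
        if (addr >= map[i].base && addr <= map[i].limit)
            return &map[i];
    return NULL;  /* unmapped address: deny */
}

/* Function-code check: trusts the state the requester itself asserts. */
bool fc_allows(unsigned fc, uint32_t addr) {
    const struct region *r = find_region(addr);
    if (r == NULL) return false;
    return (fc & 0x4) != 0 || r->min_cat != CAT_SYSTEM;
}

/* Category check: decided by which unit drives the bus, not by what it asserts. */
bool category_allows(unsigned unit_id, uint32_t addr) {
    const struct region *r = find_region(addr);
    if (r == NULL || unit_id >= sizeof unit_category / sizeof unit_category[0])
        return false;
    return unit_category[unit_id] >= r->min_cat;
}

int main(void) {
    /* Unit 2 (external) presents a supervisor function code at 0x000100. */
    printf("function-code check: %d\n", fc_allows(FC_SUPER_DATA, 0x000100));
    printf("category check:      %d\n", category_allows(2, 0x000100));
    return 0;
}
```

The same request is granted by the function-code check and refused by the category check, because the second decision does not depend on any state the requesting unit can change.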
Direct memory access (DMA) controllers of the prior art generally require that the controller issue a first address to read the data to be transferred after which the controller must issue a second address indicating the location to which the data must be sent. In accordance with a second aspect of the invention a controller is provided which issues both addresses at the same time. This permits the memory-to-memory transfer of one word of data in a single clock pulse interval.
In the prior art it is conventional for a controller to issue an interrupt signal when an exception occurs. The exception may be an error, completion of a specific task, etc. In response to the interrupt the system processor issues a command to read the status of the unit asserting the interrupt. In accordance with a third aspect of the invention provision is made for selectively issuing an interrupt signal upon occurrence of an exception, as in the prior art, or automatically initiating an interrupt message cycle which transfers the status of the controller to a specific location in the local memory of the system processor.