Storage protection keys for memory storage blocks have been disclosed in U.S. Pat. No. 3,576,544 entitled "Storage Protection System" by H. Cordero et al., U.S. Pat. No. 4,093,987 entitled "Hardware Control Storage Area Protection Method and Means" by C. H. Gaudette et al. and U.S. Pat. No. 4,472,790 entitled "Storage Fetch Protect Override Controls" by J. L. Burk et al., all assigned to the same assignee as the present application. Storage protection keys have been used in commercial IBM S/360, S/370 and S/390 systems, and in their compatible systems.
The current IBM S/390 architecture supports storage keys 0-15 and access keys 0-15, as described in the Enterprise System Architecture S/390 Principles of Operation (form number SA22-7201-00) published by the IBM Corporation. In current IBM systems, keys 0-15 provide two levels of protection, one for a supervisory class of key (implemented with key 0) and one for a user class of keys (implemented with keys 1-15). The supervisory key 0 can access data in any storage block in the memory (regardless of the storage key assigned to the block). But a non-supervisory access key (of keys 1-15) is allowed store access only if equality exists between the access key (used by the accessing program) and the storage key assigned to the block in which access is being attempted.
A storage key is provided with the main storage hardware for each 4KB block (page) in the main storage of an S/360, S/370 or S/390 system. Each access to the system main storage does a protect key check of an access key provided for each accessing program. The access key is generally provided from an access key field in the program status word (PSW) of the program. The access key is matched against the storage protect key of the page being addressed in the storage system hardware, using a rather complex set of hardware-enforced rules to determine if a key match exists or not.
The matching rules include use of a fetch protect bit (FP) in each storage key. (Store accesses are not affected by the FP bit setting, and equality between the access key and storage key is needed before any store access is allowed for any non-supervisory access key 1-15.) For a fetch request, the FP bit controls whether or not equality is needed to allow access for any non-supervisory access key 1-15. If the FP bit is zero, equality is not needed: a fetch access is allowed regardless of the access key value or of the storage key value. But if the FP bit is one, equality is needed to allow a fetch access for any non-supervisory key 1-15.
The supervisory access key 0 is allowed access whether it is equal or not to any of storage keys 1-15.
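The matching rules above can be written as a single decision function. The following C model is an added example, not code from the patent or from IBM; the function and type names are illustrative, and it models only the rules stated in the text (key 0, key equality, and the FP bit).

```c
#include <stdbool.h>
#include <stdint.h>

typedef enum { ACCESS_FETCH, ACCESS_STORE } access_type_t;

/* Decide one storage access under the key rules described above.
   access_key:  key 0-15 of the accessing program (from its PSW)
   storage_key: key 0-15 assigned to the 4KB block being addressed
   fp:          fetch protect bit held in that block's storage key */
bool key_access_allowed(uint8_t access_key, uint8_t storage_key,
                        bool fp, access_type_t type)
{
    access_key &= 0x0F;
    storage_key &= 0x0F;

    if (access_key == 0)            /* supervisory key: any block */
        return true;
    if (access_key == storage_key)  /* equality: fetch and store */
        return true;
    /* Mismatch with a non-supervisory key: a store is always refused,
       a fetch is refused only when FP is one. */
    return type == ACCESS_FETCH && !fp;
}

/* Count how many of the 16 access keys may perform `type` on a block.
   Useful for seeing how widely a given key/FP setting exposes it. */
int permitted_key_count(uint8_t storage_key, bool fp, access_type_t type)
{
    int n = 0;
    for (uint8_t k = 0; k < 16; k++)
        if (key_access_allowed(k, storage_key, fp, type))
            n++;
    return n;
}
```

With FP set to zero a block is readable under all 16 access keys, so the FP bit is what decides whether a storage key gives any read confidentiality between non-supervisory keys.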
The storage key protection method presently found in systems using the IBM S/390 architecture is a two level protection structure, comprised of a supervisory level (key 0) and a non-supervisory level (keys 1-15). Supervisory programs can access non-supervisory assigned storage blocks, but the non-supervisory programs cannot access the supervisory assigned storage blocks.
The key protection method is provided in the critical path of each storage access in a system, since it is done for every storage access. Accordingly, the key control hardware in an S/390 system (and in its prior S/360 and S/370 systems) has been operated in a parallel manner, overlapping other control operations in each access so as to not increase the access time of each storage access.
Non-IBM types of computer architectures are not known to use hardware-implemented storage protect keys in their storage protection schemes. For example, the prior Multics system used a rings-of-protection scheme which did not use storage protect keys. Multics is not known to assign storage keys to blocks in storage. It assigned a ring number to each process, which was enforced by program call/return instructions using segmented virtual addressing. Any process could access the virtual storage assigned to any other process assigned a lower numbered ring in a ring number hierarchy. Protect rings are not needed with this invention.
Protection keys protect accesses to the real storage in a system, and provide addressing protection in addition to other protection methods provided in S/390 systems, such as virtual addressing and virtual address spaces which provide access protection beyond that provided by storage keys. The virtual addressing of any programmed address maps it to any page location in real main storage, which makes the actual location variable and unknown to the user of the address from one instant to the next in the use of a system. If a program running in one address space is not allowed to access another address space, then the data and programs in the second address space are protected from the program. Storage keys are used to provide protection within an address space from programs that have addressing capability to the space but do not have authority to some of the data within the space.
There are other protection methods disclosed in the prior art which have little or nothing to do with the above-described key protection method, such as using a compare with upper and lower boundary addresses, which may be real or absolute addresses.
However, the different types of protection methods available in a system are not equal trade-offs with each other, since system performance is not equally impacted.
Key protection requires the initialization of the access and storage keys involved. A program's access key is specified by a field in the PSW (program status word) under which the program is executed. A storage key is associated with each block of real storage. Key protection can permit multiple levels of access authority to be used within a single program. The program may be given the capability to access more than one key. This capability is provided by a control register field called the PKM (program key mask), initialized by an operating system for the task to be executed. However, in general, only one access key value may be in force at any time. (A small set of instructions exists in the S/390 architecture for moving data from one location in storage to another which allow a separate protection key for each operand. One key is the PSW key; the other key must be authorized by the PKM if the PSW is not in supervisory state (bit 15 of the PSW is zero--see FIG. 3.)) A program which is authorized to use more than one key must manage the PSW access key value by use of an instruction in S/390 called Set PSW Key From Address (SPKA), as required by its intended storage accesses at any point in time. Only the supervisory access key allows simultaneous access capability to more than one key, and without performing specific PSW access key management.
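The cost of access key management described above can be seen in a small model. This C sketch is an added example, not code from the patent or from IBM: the `task_t` structure, the function names and the workload are constructed for illustration, and the PKM bit layout (key k authorized by bit `0x8000 >> k`) is an assumption of the model.

```c
#include <stdbool.h>
#include <stdint.h>

typedef struct {
    bool     supervisor; /* program runs in supervisory state */
    uint8_t  psw_key;    /* the one access key currently in force */
    uint16_t pkm;        /* program key mask; assumption of this model:
                            key k is authorized by bit 0x8000 >> k */
} task_t;

/* Model of Set PSW Key From Address: the key changes only if authorized. */
bool set_psw_key(task_t *t, uint8_t key)
{
    key &= 0x0F;
    if (!t->supervisor && !(t->pkm & (0x8000u >> key)))
        return false;            /* not authorized; key unchanged */
    t->psw_key = key;
    return true;
}

/* Store rule from the text: key 0, or equality with the storage key. */
bool store_allowed(const task_t *t, uint8_t storage_key)
{
    return t->psw_key == 0 || t->psw_key == (storage_key & 0x0F);
}

/* Constructed workload: stores alternating between blocks keyed 8 and 9. */
static const uint8_t SAMPLE_BLOCK_KEYS[] = { 8, 9, 8, 9 };

/* Run the workload; return the number of key switches, or -1 if refused. */
int key_switches_needed(bool supervisor, uint8_t start_key, uint16_t pkm)
{
    task_t t = { supervisor, (uint8_t)(start_key & 0x0F), pkm };
    int switches = 0;
    for (unsigned i = 0; i < sizeof SAMPLE_BLOCK_KEYS; i++) {
        if (store_allowed(&t, SAMPLE_BLOCK_KEYS[i]))
            continue;
        if (!set_psw_key(&t, SAMPLE_BLOCK_KEYS[i]))
            return -1;
        switches++;
    }
    return switches;
}
```

A task whose PKM authorizes keys 8 and 9 completes the workload only by switching its PSW key three times, while a task running with key 0 needs no switches at all.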
But other protection techniques require the execution of specially programmed instructions in their critical paths which decrease their performance, such as the use of program call/return instructions, in order to use virtual addressing protection techniques that involve the performance overhead of address-space switching (which is not required by key protection).
For example, a software subsystem may be put into one address space and its applications in different address spaces to provide virtual address space separation. Then, a significant loss of performance results from having to switch address spaces when moving between the subsystem and the application. Such address space switching overhead is avoided by this invention while obtaining all the needed protection benefits, by assigning a different storage key to the application program than to the subsystem data, but allowing access by the subsystem to the application program's data without access key management.