
Storage Protection Mechanism for Microprocessors

IP.com Disclosure Number: IPCOM000050395D
Original Publication Date: 1982-Oct-01
Included in the Prior Art Database: 2005-Feb-10
Document File: 4 page(s) / 70K

Publishing Venue

IBM

Related People

Brackenbury, IF: AUTHOR

Abstract

This article concerns a simple protection mechanism for isolating subspaces within a real address space so that each subspace has unrestricted access to all locations within it (including any contained subsubspace) but cannot access (reference or modify) locations outside the subspace. In particular, the mechanism caters for one global address space and two subspaces, A and B. Each of these subspaces contains a subsubspace, A(a) and B(b) respectively. Such an arrangement can provide for the isolation of manufacturer-developed code (subspace A, say) from customer-written code (subspace B, say), with the split between a subspace and its subsubspace providing "privileged" and "problem-program" storage areas.

This is the abbreviated version, containing approximately 39% of the total text.



This article concerns a simple protection mechanism for isolating subspaces within a real address space so that each subspace has unrestricted access to all locations within it (including any contained subsubspace) but cannot access (reference or modify) locations outside the subspace. In particular, the mechanism caters for one global address space and two subspaces, A and B. Each of these subspaces contains a subsubspace, A(a) and B(b) respectively. Such an arrangement can provide for the isolation of manufacturer-developed code (subspace A, say) from customer-written code (subspace B, say), with the split between a subspace and its subsubspace providing "privileged" and "problem-program" storage areas. For example, one could use the subsubspaces A(a) and B(b) in subspaces A and B, respectively, for "problem-programs", the rest of the space in A and B being private storage protected from those "problem-programs". A "kernel" control monitor for managing real storage, handling real interrupts, and dispatching programs could occupy the global address space, having direct addressability to all installed storage.

An alternative split of function between the subspaces could be to execute a "native" machine environment in one and emulate an alien architecture in the other. If the alien symbolic machine occupies storage corresponding to the subsubspace of a subspace, then storage references made by the alien machine can be converted to subspace addresses with a simple LOGICAL OR operation, provided the layout of storage required by the present protection mechanism is used, which saves the emulator its base/limit checks. The alien machine cannot inadvertently reference any storage outside the subsubspace, and the emulator cannot reference storage outside its subspace.

Protection is provided by a three-bit "Space-Select" register which is permanently ORed with the three high-order bits of the effective address. Because the operation is an OR, a program can only set those bits, never clear them, so it can never form an address in a space whose select bits are not a superset of its own. The register must be accessible (load/store) from the "kernel" running in the global address space, but inaccessible from programs running in the subspaces or their subsubspaces.

The outermost address space is made accessible by setting the three-bit Space-Select register to '000', since ORing with '000' leaves every effective address unchanged. The subspaces are selected by setting the Space-Select register to '010' or '100'. The appropriate subsubspace is selected by ORing '001' with the value required by the encompassing subspace, that is, by using either the value '011' or '101' in the Space-Select register.

Passing control from a program executing in one subspace or subsubspace to another requires a change of the Space-Select register. This is performed by "kernel" code once control has been returned to the global address space. To transfer control to the global address space one could either use real "supervisor state" detection to force the Space-Select register to '000' (or bypass the ORing function), or extend a PSW (program status word)-swap mechanism to load a new Space-Select r...
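The following is an added software model of the Space-Select mechanism described above; it is not code from the article and the article describes hardware, not C. It assumes (my assumption, not the article's) a 16-bit effective address, so the three high-order bits split real storage into eight 8 KiB regions; the select values '000', '010', '011', '100' and '101' are the ones the article names. The model covers the OR translation, the set of regions each select value can reach, the kernel-only store to the register, and the emulator address conversion for an alien machine living in a subsubspace. One thing the model makes visible is that a plain OR leaves the regions whose high-order bits are '110' and '111' reachable from both subspaces, so the "layout of storage required by the present protection mechanism" must keep those regions free of installed storage (or otherwise guard them); that layout is in the part of the article not reproduced here, so the check here is derived from the OR rule alone.

```c
/* Added example (not from the article): software model of a three-bit
 * Space-Select register ORed into the high-order bits of every address.
 * Assumption: 16-bit effective addresses, eight 8 KiB regions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define ADDR_BITS    16
#define REGION_SHIFT (ADDR_BITS - 3)             /* 13: region index = top 3 bits */
#define REGION_MASK  ((1u << REGION_SHIFT) - 1u) /* offset within one region     */

/* Space-Select values named in the article. */
enum { SS_GLOBAL = 0, SS_A = 2, SS_AA = 3, SS_B = 4, SS_BB = 5 };

/* Hardware address path: the register is ORed into the top three bits of
 * the effective address, so a program can raise those bits but never clear them. */
static inline uint16_t ss_translate(uint8_t ss, uint16_t ea)
{
    return (uint16_t)(ea | (uint16_t)((ss & 7u) << REGION_SHIFT));
}

static inline unsigned region_of(uint16_t real_addr)
{
    return real_addr >> REGION_SHIFT;
}

/* Bit i set <=> region i can be reached by some effective address under
 * select value ss.  Region i is reachable iff (i | ss) == i. */
static uint8_t ss_reachable_regions(uint8_t ss)
{
    uint8_t mask = 0;
    for (unsigned i = 0; i < 8; i++)
        if ((i | (ss & 7u)) == i)
            mask |= (uint8_t)(1u << i);
    return mask;
}

/* Regions reachable from BOTH select values.  For two spaces that must be
 * isolated from each other, any region in this mask must hold no storage. */
static uint8_t ss_shared_regions(uint8_t ss1, uint8_t ss2)
{
    return (uint8_t)(ss_reachable_regions(ss1) & ss_reachable_regions(ss2));
}

/* The register is load/store-able only from the global space; modelled as a
 * privileged store that fails (would trap) when issued from any other space. */
struct cpu { uint8_t space_select; };

static bool ss_store(struct cpu *c, uint8_t new_ss)
{
    if (c->space_select != SS_GLOBAL)
        return false;
    c->space_select = (uint8_t)(new_ss & 7u);
    return true;
}

/* Emulator use: the alien machine's whole address space sits in one
 * subsubspace region, so the emulator forms the effective address by ORing in
 * the subsubspace select bits and needs no base/limit compare.  That only
 * holds if alien addresses are narrower than REGION_SHIFT bits; otherwise the
 * OR could set region bits and escape, so that precondition is checked once
 * here (returns -1) instead of on every reference. */
static int32_t emu_effective_address(uint8_t subsub_ss, uint32_t alien_addr)
{
    if (alien_addr > REGION_MASK)
        return -1;
    return (int32_t)(alien_addr | ((uint32_t)(subsub_ss & 7u) << REGION_SHIFT));
}

int main(void)
{
    static const uint8_t sels[] = { SS_GLOBAL, SS_A, SS_AA, SS_B, SS_BB };
    for (unsigned k = 0; k < sizeof sels / sizeof sels[0]; k++) {
        uint8_t m = ss_reachable_regions(sels[k]);
        printf("select %u%u%u reaches regions:", (sels[k] >> 2) & 1u,
               (sels[k] >> 1) & 1u, sels[k] & 1u);
        for (unsigned i = 0; i < 8; i++)
            if (m & (1u << i)) printf(" %u", i);
        printf("\n");
    }
    printf("regions reachable from both A and B: 0x%02x\n",
           ss_shared_regions(SS_A, SS_B));
    return 0;
}
```

Running the model shows the nesting the article describes: A(a) (select '011') reaches only regions 3 and 7, a subset of what A ('010') reaches, and neither can form an address in regions 0 or 1, which are left to the kernel; the same holds for B and B(b). The shared mask for A and B is regions 6 and 7, which is the constraint the storage layout has to respect.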