Storage protection utilizing public storage key control

US 5,163,096 A
Filed: 06/06/1991
Issued: 11/10/1992
Est. Priority Date: 06/06/1991
Status: Expired due to Term

First Claim

Patent Images

1. Means for protecting against unauthorized accesses by program requests for accessing data units in blocks in a storage of a computer system, comprising:

processor means for providing an address of a data unit to be accessed in a block in storage and providing an access key associated with a program requesting the access in the block and providing a fetch/store signal identifying the manner of access;

means for fetching a storage key associated with an addressed block in storage;

means for testing if an access key equals a supervisory key for providing a supervisory key signal;

means for comparing an access key with the storage key to provide an equal key signal;

means for determining if the storage key equals a public key value to provide a public storage key signal;

means for finding if an access key equals the public key value to provide a public access key signal; and

circuit means for enabling the addressed data unit to be accessed and sent to the requesting processor means if (1) the supervisory key signal is provided, or (2) if the equal signal is provided, or (3) if the public storage key signal and no public access key signal and no equal signal and no supervisory key signal are provided, or (4) if the fetch request signal and the public access key signal and no equal signal and no supervisory key signal are provided whenever the use of the public key value is enabled, or (5) if the fetch request signal and the public access key signal and no equal signal or no supervisory key signal are provided whenever use of the public key value is disabled.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provides three access levels of storage key protection, comprising a supervisory level (key 0), an intermediate level of non-public and non-supervisory keys (keys 1-8, 10-15), and an unique public level (key 9). The program routines operating with a supervisory-level access key can access both the public level and the intermediate level of storage blocks. Although a program routine operating with an access key in the intermediary access level cannot access any supervisory level storage block, it can access any block assigned a public level storage key, as well as any storage block assigned the respective intermediate level key. One or more third-level public storage keys (PSKs) may be provided. A program access key using one of the PSK values can only access blocks having the same PSK value, and it cannot access blocks having any other key value.

148 Citations

17 Claims

1. Means for protecting against unauthorized accesses by program requests for accessing data units in blocks in a storage of a computer system, comprising:
- processor means for providing an address of a data unit to be accessed in a block in storage and providing an access key associated with a program requesting the access in the block and providing a fetch/store signal identifying the manner of access;
  
  means for fetching a storage key associated with an addressed block in storage;
  
  means for testing if an access key equals a supervisory key for providing a supervisory key signal;
  
  means for comparing an access key with the storage key to provide an equal key signal;
  
  means for determining if the storage key equals a public key value to provide a public storage key signal;
  
  means for finding if an access key equals the public key value to provide a public access key signal; and
  
  circuit means for enabling the addressed data unit to be accessed and sent to the requesting processor means if (1) the supervisory key signal is provided, or (2) if the equal signal is provided, or (3) if the public storage key signal and no public access key signal and no equal signal and no supervisory key signal are provided, or (4) if the fetch request signal and the public access key signal and no equal signal and no supervisory key signal are provided whenever the use of the public key value is enabled, or (5) if the fetch request signal and the public access key signal and no equal signal or no supervisory key signal are provided whenever use of the public key value is disabled.
- View Dependent Claims (2, 3, 4, 5)
- - 2. Means for protecting against unauthorized accesses by program requests as defined in claim 1, further comprising:
    - circuit means for generating an exception signal for the processor and preventing the addressed data unit from being sent to the requesting processor means (1) if the store request signal and no public storage key signal and no public access key signal and no equal signal and no supervisory key signal are provided whenever use of the public key value is enabled, (2) if the store request signal and the public access key signal and no equal signal and no supervisory key signal are provided whenever use of the public key is enabled, or (3) if the store request signal and the public access key signal and no equal signal are provided whenever use of the public key is disabled.
  - 3. Means for protecting against unauthorized accesses by program requests as defined in claim 2, further comprising:
    - the circuit means being a combination of AND, OR circuits with signal inversion means being provided for no-state conditions in circuits.
  - 4. Means for protecting against unauthorized accesses by program requests as defined in claim 3, further comprising:
    - means for indicating the state of a public key mode field in a control register in the processor means for indicating when the use of the public key value is enabled or disabled.
  - 5. Means for protecting against unauthorized accesses by program requests as defined in claim 3, further comprising:
    - the processor means being any of plural processors in the computer system, including any central processor or any input/output (I/O) processor.

6. A method of providing access protection for data blocks in a storage of a data processing system, in which different programs may access the blocks, comprising the steps of:
- electronically-detecting one or more key values as public storage and access keys available in a computer system of which the remaining key values are detected electronically as non-public storage and access keys;
  
  electronically-assigning a public access key value to electronically constrain accesses by a particular program to the storage; and
  
  electronically-assigning a public storage key value to each block to be electronically stored-in primarily by programs executing with a public access key and also being storable by programs executing with a non-public access key, and any block assigned a non-public storage key not being storable by programs assigned a public access key.
- View Dependent Claims (7, 8, 9, 11, 12)
- - 7. A method of providing access protection between storage blocks as defined in claim 6, further comprising the steps of:
    - electronically-allowing storing by the particular programing each block assigned a public storage key when equality is obtained between the program'"'"'s access key and the public storage key, and electronically-allowing storing in the block assigned the public storage key by the other programs having non-public access keys not equal to a public storage key.
  - 8. A method of providing access protection between storage blocks as defined in claim 6, further comprising:
    - electronically-enabling the use of the public access and storage keys by setting a state in the computer to a public storage key mode.
  - 9. A method of providing access protection between storage blocks as defined in claim 6, further comprising:
    - electronically-detecting a fetch protect field in association with the public storage key assigned to any block; and
      
      electronically-enabling a program assigned a public access key to allow fetching (but not storing) in a block assigned a non-public storage key if the fetch protect field if set off, but not allowing fetching in the block if the fetch protect field is set on, and to always prevent storing by the program using the public access key in any block assigned a non-public storage key.
  - 11. A method of providing access protection between storage blocks as defined in claim 7, further comprising:
    - electronically-selecting key value 0 in the range 0-15 as a supervisory key, and not allowing any program using any access key value in the range 1-15 to store in any block in storage assigned storage key 0.
  - 12. A method of providing access protection between storage blocks as defined in claim 11, further comprising:
    - electronically-selecting key 9 as a public storage key from the range 0-15, and electronically-representing assignments of keys 1-8 and 10-15 as non-public non-supervisory intermediate keys which can be used to access any block assigned public storage key 9.

10. A method of providing access protection for data blocks in a computer storage of a data processing system, in which different processes may access the block, comprising the steps of:
- electronically-signaling an assignment of a public access key to a particular program selected from one or more keys as public access key(s) from a range of key values 0-15 usable in the system, and electronically-signaling an assignment of the value of the public access key as a public storage key to each block in storage to be accessed by the particular program and by each program in the system assigned a non-public access key from the remaining key values in the range; and
  
  electronically-allowing the particular program to store in blocks assigned the public storage key only when that key is equal to the public access key of the particular program, but allowing storing in the block by each program using a non-public access key without having equality between the non-public access key of the program and the public storage key of the block.

13. A electronic method of providing unidirectional isolation among blocks in a storage in a computer system using protect keys for protecting blocks from being stored into by programs not having a required storing authority, comprising:
- electronically-signaling an assignment of at least one of the protect keys as a supervisory key in a supervisory key class (1st class) for use by supervisory programs, assigning at least one other of the protect keys as a public storage and access key in a public key class (3rd class) for use by programs restricted to storing in blocks assigned a storage protect key equal to the public storage key, and assigning one or more of the protect keys to an intermediate key class (2nd class); and
  
  electronically-allowing programs assigned an access key equal to any key in the supervisory key class or equal to any key in the intermediate key class to have store and fetch access to blocks assigned the public storage key, but not allowing any program using the public access key to store into any block not assigned the value of the public access key as a storage key.
- View Dependent Claims (14)
- - 14. A method of providing access protection between storage blocks as defined in claim 13, further comprising:
    - electronically-setting a public storage key mode field in a control register to specify either a public key state or a no public key state, the public key state enabling the use of the public access key for any program and the public storage key for any block, the no public key state disabling use of the public access and storage keys and controlling the same key value to be used as non-public storage and access keys.

15. A method of providing access protection to blocks of storage in a system having concurrent execution of multiple programs, comprising:
- electronically-representing a set of keys for preventing store and fetch accesses by unauthorized programs to assigned blocks in storage;
  
  electronically-selecting a plurality of key values in the set as public access and storage keys (3rd class), selecting another key value in the set as a supervisory key (1st class), and selecting the remaining key values in the set as intermediate keys, the supervisory and intermediate keys being non-public keys; and
  
  electronically-allowing any program assigned an access key value equal to any non-public storage key value in the set to have read and write access to any block assigned a storage key equal to any public storage key, but electronically-allowing a program assigned an access key value equal to any public access key to have read and write access to a block assigned a public storage key equal to the value of the public access key, and not electronically-allowing the latter program to have write access to any block having a storage key equal to a non-public storage key or a storage key equal to a public storage key different from the public access key.
- View Dependent Claims (16, 17)
- - 16. A method of providing access protection for storage blocks as defined in claim 15, further comprising:
    - electronically-allowing any program assigned a non-public access key to access any storage block assigned a public storage key without equality and not electronically-requiring any program instructions to change the non-public access key for allowing the program to access storage blocks assigned the non-public key value and storage blocks assigned any public storage key value to enable any non-public access key to access storage blocks using different storage keys.
  - 17. A method of providing access protection between storage blocks as defined in claim 15, further comprising:
    - electronically-representing a fetch protect mode having on and off states for an associated storage key to allow fetching in an associated block when the off state exists and not to allow fetching in the associated block when the on state exists; and
      
      electronically-allowing any program with a public access key to have fetch access (but not store access) in any block having any non-public key value as its storage key when its fetch protect mode is in an off state, but not electronically-allowing fetch access or store access in the block having the non-public key value when its storage key has its fetch protect mode in an on state.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Mall, Michael G., Sinha, Bhaskar, Clark, Carl E., Scalzi, Casper A.
Primary Examiner(s)
CANGIALOSI, SALVATORE A

Application Number

US07/710,875
Time in Patent Office

523 Days
Field of Search

380/4, 380/30, 395/425
US Class Current

711/164
CPC Class Codes

G06F 12/1491 in a hierarchical protectio...

Storage protection utilizing public storage key control

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

148 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

Storage protection utilizing public storage key control

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

148 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others