This document provides an overview of storage protection mechanisms on z/Architecture systems, including key-controlled protection, access-list-controlled protection, page protection, and low-address protection. It defines important concepts like virtual addresses, real addresses, and storage keys. It describes how access keys are determined and how violations of protection are handled for different types of storage access, including via the CPU, channels, and measurement blocks. Override controls for storage protection and fetch protection are also outlined.

1. © 2004 IBM Corporation
IBM Systems and Technology Group
1 z/VM CP Storage Management Education Series
Storage Protection on z/Architecture
A Brief Primer
Dan FitzGerald
Friday, October 16, 2009 (Revision 2)

2. IBM Systems and Technology Group
© 2004 IBM Corporation
04/27/15
z/VM CP Storage Management Education Series2
Outline
 Concept Review
 Background
 Key-Controlled Protection
 Access-List-Controlled Protection
 Page Protection
 Low-Address Protection
 Suppression on Protection

3. IBM Systems and Technology Group
© 2004 IBM Corporation
04/27/15
z/VM CP Storage Management Education Series3
Concept Review
 In this portion of the presentation, we will reintroduce
concepts that will come up in our discussion on storage
protection mechanisms.
 Most of this information is available from the z/Architecture
Principles of Operation, Chapter 3.
 We will present this information as a series of definitions.
This is intended to be a fast reference/review only, so please
consult the Principles of Operation or your Connections
Coach if you have any questions.

4. IBM Systems and Technology Group
© 2004 IBM Corporation
04/27/15
z/VM CP Storage Management Education Series4
Concept Review
 Dynamic Address Translation (DAT) – The process via which we
handle virtual memory
 Program Status Word (PSW) – Contains information used in the
execution of the currently active program
 Access Registers – A special set of 16 registers, one for each
general purpose register. For use with AR Mode
 AR Mode – Uses the access registers when doing base
displacement addressing
Determined by bits 16 and 17 of the PSW

5. IBM Systems and Technology Group
© 2004 IBM Corporation
04/27/15
z/VM CP Storage Management Education Series5
Concept Review
 There are four different types of addresses that we will encounter
in z/Architecture. They are known as “absolute”, “real”, “virtual”
and “logical.” Additionally, we will hear about “effective” addresses.
 Absolute Address – The address assigned to a main storage
location
These are the unmodified, “actual” addresses of bytes in storage.
 Real Address – Identifies a location in real storage
When a real address is used for an access into main storage,
prefixing may be used to convert it into an absolute address

6. IBM Systems and Technology Group
© 2004 IBM Corporation
04/27/15
z/VM CP Storage Management Education Series6
Concept Review
 Virtual Address – Identifies a location in virtual storage
When a virtual address is used for an access to main storage, it is
translated by means of dynamic address translation (DAT) to a real
address, which is then prefixed to an absolute address.
 Logical Address – Your addresses are translated within
whatever mode the architecture is set to
In z/Architecture, a specific address mode can be set.
For example, your machine may be set to “real address mode”. In this
case, your logical addresses will be treated as real addresses.
Unless otherwise specified, the storage-operand addresses for most
instructions are logical addresses.

7. IBM Systems and Technology Group
© 2004 IBM Corporation
04/27/15
z/VM CP Storage Management Education Series7
Concept Review
 Effective Address – The address which exists before any
transformation by dynamic address translation or any
prefixing is performed
 Instruction Address – Addresses used to fetch instructions
from storage

8. IBM Systems and Technology Group
© 2004 IBM Corporation
04/27/15
z/VM CP Storage Management Education Series8
Background
 z/Architecture has four means of protecting the contents of
main storage from tampering by either malicious or errant
programs
Key-controlled protection
Access-list-controlled protection
Page protection
Low-address protection
 These are used in conjunction with (not exclusive of) one
another.

9. IBM Systems and Technology Group
© 2004 IBM Corporation
04/27/15
z/VM CP Storage Management Education Series9
Background
 A storage key is associated with each 4K block of storage on
the system:
 ACC – Access-Control Bits
These are matched with a four bit access key when information is
stored and when information is fetched from a location that is
protected against fetching.
 F – Fetch-Protection Bit
Controls whether key-controlled protection applies to fetch-type
references

10. IBM Systems and Technology Group
© 2004 IBM Corporation
04/27/15
z/VM CP Storage Management Education Series10
Background
 F – Fetch-Protection Bit (cont'd.)
A zero indicates that only store-type references are monitored and
that fetching with any access key is permitted.
A one indicates that key-controlled protection applies to both fetching
and storing.
 R – Reference Bit
Whenever the associated storage block is referenced, this is set to
one.
 C – Change Bit
Each time the associated storage block (always a page or a frame on
z/VM) is modified, this is set to one.
 Note that storage keys are not part of addressable storage
In z/VM, these are analogous to the guest storage keys found in the
PGSTE block associated with a given page table entry

11. IBM Systems and Technology Group
© 2004 IBM Corporation
04/27/15
z/VM CP Storage Management Education Series11
Key-Controlled Protection
 So just what is an “access key”, anyway?
Well, its a key. To store or fetch to a protected page, the access key
must either match the storage key, or be set to zero.
 What constitutes an access key differs depending on the
manner of access:
Access to storage initiated by the CPU
Access to storage for the purpose of channel-program execution
Access to the measurement block for channel-subsystem monitoring
 Additionally, depending on the type of access, different
things happen should protection prohibit the action.

12. IBM Systems and Technology Group
© 2004 IBM Corporation
04/27/15
z/VM CP Storage Management Education Series12
Key-Controlled Protection
 Access to storage initiated by the CPU
Access Key - can be found in the PSW key (bits 8-11 of the PSW)
Prohibitive Action – execution of the instruction is terminated and a
protection exception is issued (this is a program interrupt)
 Access to storage for the purpose of channel-program
execution
Access Key - the subchannel key associated with the calling channel
program. On z/VM, this can be found in bit 4 of the operation request
block (ORBLK).
Prohibitive Action – the start function is ended and the protection
check bit in the associated interruption response block (IRB) is set to
one.

13. IBM Systems and Technology Group
© 2004 IBM Corporation
04/27/15
z/VM CP Storage Management Education Series13
Key-Controlled Protection
 Access to the measurement block for channel-subsystem
monitoring
Access Key - an access to the measurement block is made; use the
measurement block key
Prohibitive Action – the I/O measurement-block protection check
condition is set to one
 In general, when a store is prohibited because of a protection
lock violation, the contents of the target location remain
unchanged.
 When a fetch request causes the violation, the protected
data is left unchanged in storage.

14. IBM Systems and Technology Group
© 2004 IBM Corporation
04/27/15
z/VM CP Storage Management Education Series14
Key-Controlled Protection
 Here's an odd case: As you know, on program load, your
entire program is loaded from disk and into storage. Suppose
that the key for a page of your program got changed...
Yes, it is possible for an instruction fetch to violate key protection.
This is generally bad.
For a prohibited instruction fetch, the instruction is suppressed and an
arbitrary instruction-length code is returned.
 Key-controlled protection does not apply when the storage-
protection control bit is one and the value of the access
control bits is 9.
 There are two override controls:
Storage-Protection Override
Fetch-Protection Override

15. IBM Systems and Technology Group
© 2004 IBM Corporation
04/27/15
z/VM CP Storage Management Education Series15
Key-Controlled Protection
 Storage-Protection Override Control – When active, key-
controlled storage protection is ignored for storage locations
having an associated storage-key value of 9.
Bit 39 of Control Register 0
Applies to instruction fetch and to the fetch and store accesses of
instructions whose operand addresses are logical, virtual or real.
 Fetch-Protection Override Control – When active, fetch
protection is ignored for locations at effective addresses 0-
2047
Bit 38 of Control Register 0
Fetch Protection is not ignored if the effective address is subject to
DAT and the private-space control is active (Bit 55 of the address-
space-control element).

16. IBM Systems and Technology Group
© 2004 IBM Corporation
04/27/15
z/VM CP Storage Management Education Series16
Key-Controlled Protection
 Fetch-Protection Override Control (cont'd.)
This applies to instruction fetch and the fetch accesses of instructions
whose operand addresses are logical, virtual or real.
It does not apply to fetch accesses made for the purpose of channel-
subsystem monitoring.

17. IBM Systems and Technology Group
© 2004 IBM Corporation
04/27/15
z/VM CP Storage Management Education Series17
Access-List-Controlled Protection
 In AR mode, the fetch-only bit (bit 6 of the access-list entry)
controls which types of references are allowed into the
specified address space.
When the fetch-only bit is zero, both fetches and stores are permitted
When the bit is one, only fetches are allowed. Any attempt to store
causes a protection exception (an interrupt) to be issued and the
execution of the instruction will be suppressed.

18. IBM Systems and Technology Group
© 2004 IBM Corporation
04/27/15
z/VM CP Storage Management Education Series18
Page Protection
 The page protection facility controls access to virtual storage
via the page-protection bit in each page-table and segment-
table entry.
 Bit 54 of the page table entry
 Controls whether storing into a given page is permitted
When zero, both fetching and storing are permitted
When one, only fetching is permitted
 When an attempt to store violates page protection, the
contents of the page remain unchanged, the
operation/instruction is suppressed and an protection
exception (interruption) is issued.

19. IBM Systems and Technology Group
© 2004 IBM Corporation
04/27/15
z/VM CP Storage Management Education Series19
Page Protection
 The page protection bit of the segment-table entry is treated
as being OR'd into the page-protection bit position of each
entry of the page table designated by the segment-table
entry.
 In effect, when the page-protection bit of the segment table
entry is one, it has the same effect as having the page-
protection bit in each entry of the designated page table.

20. IBM Systems and Technology Group
© 2004 IBM Corporation
04/27/15
z/VM CP Storage Management Education Series20
Low-Address Protection
 Protects against the destruction of main-storage information
used by the CPU during interruption processing.
 Controlled by bit 53 of Control Register 0
 Instructions are prohibited from storing with effective
addresses in the ranges 0-511 and 4096-4607
These are the first 512 bytes of each of the first two 4K pages
 Low-address protection does not apply if the address-space-
control element to be used is not available due to another
type of exception.
 This protection is not applied to access made by the CPU or
the channel subsystem for such sequences as interruptions.

21. IBM Systems and Technology Group
© 2004 IBM Corporation
04/27/15
z/VM CP Storage Management Education Series21
Suppression on Protection
 In layman's terms, when we suppress an instruction we
present the generated exception to the calling program and
ignore the instruction.
 When is an operation suppressed?
Some instruction definitions specify that the operation is always
suppressed if any sort of protection exception is generated.
Otherwise, we will always suppress an instruction if a protection
exception due to access-list controlled protection or page protection is
recognized.
 The suppression function allows the control program to
locate the segment-table entry and page-table entry used in
the translation of a virtual address that caused a protection
exception, in order to determine if the exception was due to
page protection. The CP also has the ability to avoid this if
the address was not virtual or due to access-list-controlled
protection.