
               Protection in EMAS3
               ___________________

     Apart from a single write protect bit in the segment tables all
protection on IBM architecture is provided by keys on the store. Each
store page has associated a 4 bit key (0-15) an each program has a
similar key in its PSW. Writes to store are only permitted if the key in
the PSW matches the key on the store or if the key in the pSW is 0. One
extra bit associated with the page is available to extend key protection
to read accesses.

     EMAS3 has the system in segments 0-63 as there is no public address
space. Careful use of the keys is needed to allow sharing and give
reasonable protection to the system. The scheme may cause some
inconvenience to Director and Comms controller since these may have to
alter their PSW before writing to certain pages. Fortunately there is a
suitable privileged instruction to do this!

      My plan is thus:-

     1) Director to maintain the one bit in the segment table for users
     read only segments as a vestigial remnant of acr levels.

     2) All users pages read or write to be set with key X'F' and no
     additional read protection. Supervisor can thus read users pages.

     3) Director and user to run with key F in the psw but Directors
     writable area for NNTs and Indexes to be in the last 15 segments.
     Director removes these but changing control register 1 before
     exiting to his user. On being called from user Director makes a
     special Monitor call to Localcontroller to obtain Priv and his 15
     segments. All such calls will be checked for a valid PC from known
     Director code area.

     4) All free list pages to be set with key 7 and read protection
     THese pages are inaccessible to everyone.

     5) All Supervisor and Local controller pages to be set with key 1
     and read protection. This to include page 0. The sole exception is
     that part ot the Local controller stack shared with Director (for
     CBT SST and ACNT records) . THis will have key 1 but no read
     protection so Director (and Users!) can read it. To update these
     tables Director must use his privilege to change his PSW key to
     zero for the minimum duration of the write.

     6) Keys to be set for get epage in P-P3 and not subsequently
     altered. Peripheral transfers normally to be unprotected except for
     Comms controller who (PDS thinks) can specify ACR 15 for input on
     behalf of users unless chaining control information.