IBM AIX Continuous Availability Features - IBM Redbooks
IBM AIX Continuous Availability Features - IBM Redbooks
IBM AIX Continuous Availability Features - IBM Redbooks
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Note: Kernel and kernel extensions are not necessarily protected from other kernel<br />
extensions. Kernel and kernel extensions are only protected (to the extent possible) from<br />
key-safe extensions. For details about protection degrees, refer to 3.7.4, “Degrees of<br />
storage key protection and porting considerations” on page 84, which describes key-safe<br />
and key-unsafe kernel extensions.<br />
Furthermore, key-unsafe extensions’ access rights are also somewhat limited. In<br />
particular, certain kernel parts appear only as read-only to the key-unsafe kernel<br />
extensions.<br />
Serviceability is enhanced by detecting memory addressing errors closer to their origin.<br />
Kernel keys allow many random overlays to be detected when the error occurs, rather than<br />
when the corrupted memory is used.<br />
With kernel key support, the <strong>AIX</strong> kernel introduces kernel domains and private memory<br />
access. Kernel domains are component data groups that are created to segregate sections of<br />
the kernel and kernel extensions from each other. Hardware protection of kernel memory<br />
domains is provided and enforced. Also, global storage heaps are separated and protected.<br />
This keeps heap corruption errors within kernel domains.<br />
There are also private memory keys that allow memory objects to be accessed only by<br />
authorized components. In addition to RAS benefits, private memory keys are a tool to<br />
enforce data encapsulation. There is a static kernel key-to-storage key mapping function set<br />
by the kernel at boot time. This mapping function is dependent on the number of storage keys<br />
that are present in the system.<br />
Note: Kernel keys are not intended to provide a security function. There is no infrastructure<br />
provided to authorize access to memory. The goal is to detect and prevent accidental<br />
memory overlays. The data protection kernel keys provide can be circumvented, but this is<br />
by design. Kernel code, with the appropriate protection gate, can still access any memory<br />
for compatibility reasons.<br />
Analogy<br />
To understand the concept of kernel storage keys, consider a simple analogy. Assume there<br />
is a large house (the kernel) with many rooms (components and device drivers) and many<br />
members (kernel processes and kernel execution path), and each member has keys only for<br />
a few other selected rooms in addition to its own room (keyset).<br />
Therefore, members having a key for a room are considered safe to be allowed inside. Every<br />
time a member wants to enter a room, the member needs to see whether its keyset contains<br />
a key for that room.<br />
If the member does not have the corresponding key, it can either create a key which will<br />
permit the member to enter the room (which means it will add the key to its keyset). Or the<br />
member can try to enter without a key. If the member tries to enter without a key, an alarm will<br />
trip (cause a DSI/Kernel crash) and everything will come to a halt because one member (a<br />
component or kernel execution path) tried to intrude into an unauthorized room.<br />
Kernel keys<br />
The kernel's data is classified into kernel keys according to intended use. A kernel key is a<br />
software key that allows the kernel to create data protection classes, regardless of the<br />
number of hardware keys available. A kernel keyset is a representation of a collection of<br />
kernel keys and the desired read or write access to them. Remember, several kernel keys<br />
Chapter 3. <strong>AIX</strong> advanced continuous availability tools and features 81