[Simh] simh & hardware - pdp-11 psw in supervisor mode?

Kevin Brunt k.brunt at ccs.bbk.ac.uk
Mon Oct 25 13:57:38 EDT 2010


>Date: Sun, 24 Oct 2010 14:33:42 -0400
>From: Brad Parker <brad at heeltoe.com>  
>Subject: [Simh] simh & hardware - pdp-11 psw in supervisor mode?  
>To: General at heeltoe.com, "Discussion at heeltoe.com": On-Topic and Off-Topic Posts <cctalk at classiccmp.org>, "simh at trailing-edge.com" <simh at trailing-edge.com>
>
>   I have a low-level pdp-11 question...
>
>   I'm confused about writing to the PSW on CPUs which
>   support user & supervisor mode.  My
>   read of the docs is that in user mode you should not
>   be able to write the "mode" bits of the PSW.
>
>   (or, perhaps more accurately, you should not be able
>   to *clear* any mode bits from user space)
>
>   I have a little diagnostic which doesn't work as I
>   thought it should under simh and I thought I'd
>   ask what others think...
>
>   Basically, simh allows code running in "user mode"
>   to write the PSW even when (I claim) it
>   should not.   I have not tried this on a real 11/44
>   or 11/34 yet, but I can/will.
>
>   Should simh allow this?  In the test below the "clr
>   @#PSW" is successful when run
>   on simh and I think it should basically be a nop...
>
>   (which begs another question - should it be a nop?
>   or an exception?)
>
>   A side question might be "the psw is not protected
>   from writes, except by using
>   the mmu" - is this true on all models?  or just
>   some?  The 11/40 manual implies
>   that it *is* protected.  But 11/73 docs seem to say
>   the opposite and imply using the mmu.
>
>   diagnostic follows:
>       .TITLE test17
>       .ASECT
>   PSW=177776    ;processor status word
>       .=34
>       .word    200
>       .word    0007
>       .=200
>       mov    #200, r5    ;we should be in kernel mode here
>       rti
>       .=500
>       clr    @#PSW        ;kernel mode   
>       mov    #500,sp        ;sp=500 in kernel mode
>       mov    #140000,@#PSW    ;user mode   
>       mov    #700,sp        ;sp=700 in user mode
>       trap    377        ;should move us to kernel mode
>       nop
>       clr    @#PSW        ;back to kernel mode   
>       nop
>       halt

Don't forget that in general a user mode program will not have the I/O page mapped, so will not have access to the PSW as a memory location. Instead, it will be manipulating the PSW using instructions like MTPS or SPL (depending on the processor) and particularly RTI, where clearly it should not be possible to RTI from user mode to a random location in kernel mode - it is in these instructions that the rule about not clearing "security-related" bits in the PSW is imposed.

Kevin

PS I see that someone on CCTALK mentioned the CSM instruction on the 11/44. This is a red herring, as CSM is a variant form of trap.
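To make the rule Kevin describes concrete, here is a small Python model of PSW mode-bit protection, added for this archived thread and not code from simh or from either poster. The PSW field layout is the standard PDP-11 one (current mode in bits 15-14, previous mode in 13-12, register set in 11, priority in 7-5, condition codes in 3-0). The protection rule is modelled exactly as the thread states it, "user mode may set but not *clear* bits 15-11", and is applied both to RTI and to the memory-mapped @#177776 path; which instructions and which CPU models really enforce it is the thread's open question, so that rule, the `user_io_page_mapped` switch, and the `run_diagnostic` replay of test17 are all assumptions of this model.

```python
"""Toy model of PDP-11 PSW protection outside kernel mode.

Added illustration for this thread, not code from simh or from either poster.
The PSW bit layout is the standard PDP-11 one. The protection rule is modelled
as the thread words it: a PSW written from a non-kernel mode may set but never
clear bits 15-11 (current mode, previous mode, register set). Treat that rule,
and the I/O-page mapping switch, as assumptions of this model, not as the
behaviour of any particular CPU.
"""

MODE_KERNEL, MODE_SUPER, MODE_USER = 0, 1, 3
CM_SHIFT, PM_SHIFT = 14, 12            # current / previous mode fields
PROTECTED = 0o174000                    # bits 15-11: CM, PM, register set
WORD = 0o177777


def make_psw(cm, pm=MODE_KERNEL, pri=0, cc=0):
    """Assemble a PSW from its fields (pri = bits 7-5, cc = NZVC in bits 3-0)."""
    return ((cm << CM_SHIFT) | (pm << PM_SHIFT) | (pri << 5) | cc) & WORD


def current_mode(psw):
    return (psw >> CM_SHIFT) & 3


def previous_mode(psw):
    return (psw >> PM_SHIFT) & 3


class Cpu:
    def __init__(self, user_io_page_mapped=False):
        self.psw = make_psw(MODE_KERNEL)
        self.stack = []                 # (pc, psw) frames pushed by traps
        # Assumption: a user address space normally does not map the I/O page,
        # so @#177776 is not even reachable; the flag lets us try both cases.
        self.user_io_page_mapped = user_io_page_mapped

    def _protected_write(self, value):
        """Apply the 'may set but not clear bits 15-11' rule outside kernel mode."""
        value &= WORD
        if current_mode(self.psw) == MODE_KERNEL:
            return value
        return (value & ~PROTECTED & WORD) | ((self.psw | value) & PROTECTED)

    def trap(self, vector_pc, vector_psw):
        """TRAP entry: push the old PSW, load PSW from the vector, and record
        the mode we came from in the previous-mode field."""
        self.stack.append((vector_pc, self.psw))
        old_cm = current_mode(self.psw)
        self.psw = (vector_psw & ~(3 << PM_SHIFT) & WORD) | (old_cm << PM_SHIFT)
        return self.psw

    def rti(self):
        """RTI pops PC/PSW; the popped PSW goes through the protection rule,
        so a user-mode RTI cannot drop into kernel mode."""
        _pc, popped = self.stack.pop()
        self.psw = self._protected_write(popped)
        return self.psw

    def write_psw_address(self, value):
        """mov/clr @#PSW, the memory-mapped path the quoted diagnostic uses."""
        if current_mode(self.psw) != MODE_KERNEL and not self.user_io_page_mapped:
            raise MemoryError("MMU abort: I/O page not mapped in this mode")
        self.psw = self._protected_write(value)
        return self.psw


def run_diagnostic(user_io_page_mapped):
    """Replay the PSW-relevant steps of the quoted test17 and return a list of
    (step, result) pairs; the last entry is the user-mode 'clr @#PSW' outcome."""
    cpu = Cpu(user_io_page_mapped)
    trace = [
        ("clr @#PSW (kernel)", cpu.write_psw_address(0)),
        ("mov #140000,@#PSW", cpu.write_psw_address(0o140000)),
        ("trap 377 -> vector 34", cpu.trap(0o200, 0o7)),
        ("rti", cpu.rti()),
    ]
    try:
        trace.append(("clr @#PSW (user)", cpu.write_psw_address(0)))
    except MemoryError as exc:
        trace.append(("clr @#PSW (user)", str(exc)))
    return trace


if __name__ == "__main__":
    for mapped in (False, True):
        print(f"user I/O page mapped = {mapped}")
        for step, result in run_diagnostic(mapped):
            shown = result if isinstance(result, str) else oct(result)
            print(f"  {step:24s} -> {shown}")
```

With the I/O page unmapped the user-mode `clr @#PSW` never reaches the PSW at all (the MMU aborts); with it mapped, the modelled rule turns the clear into a no-op for the mode bits and the CPU stays in user mode (PSW 140000), which is the behaviour Brad expected and found simh not to impose.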
