Protected regions

What is claimed is: 1. A machine-implemented method for securing a data processing system, the method comprising: storing in one or more memory zones that are not intelligibly accessible to user software, to operating system software or to supplemental processors, metadata identifying one or more first other parts of a system memory of the data processing system where the identified one or more first other parts are thereby mapped as being protected regions and where the stored metadata defines at least one of access constraints for those identified one or more first other parts, corresponding operational constraints and/or operational requirements that respectively constrain the operations performed by or on the data of the identified first other parts; and during execution of at least one of user software and operating system software in the data processing system, enforcing the operational constraints and/or operational requirements as mapped by the metadata to their corresponding first other parts of the system memory. 2. The method of claim 1 wherein: the data processing system includes a hypervisor; the one or more metadata storing memory zones are not intelligibly accessible to the hypervisor; and the user software and the operating system software execute while using a virtual memory space managed by the hypervisor. 3. The method of claim 2 wherein: the hypervisor produces physical addresses (hyper-PA's) corresponding to virtual addresses (VA's) of informational data items and executable code stored in a main memory portion of the system memory; and the one or more metadata storing memory zones store virtual address to physical address translations of at least one of informational data items and executable code stored in at least one of the one or more first other parts of the system memory of the data processing system. 4. The method of claim 3 wherein: said enforcing of the operational constraints and/or operational requirements is automatically repeatedly carried out by a protected regions enforcer (PR enforcer) implemented in at least one of system hardware and firmware where internal operations of the PR enforcer are not directly alterable by any of user software, operating system software and the hypervisor; and the method further comprises: automatically repeatedly testing with use of the PR enforcer for a match between a hypervisor produced physical address (hyper-PA) and a physical address (meta-PA) obtained from the stored virtual address to physical address translations of the one or more metadata storing memory zones when access is attempted for at least one of an informational data item and executable code stored in a corresponding one of the first other parts. 5. The method of claim 3 wherein: said enforcing of the operational constraints and/or operational requirements is automatically repeatedly carried out by a protected regions enforcer (PR enforcer) implemented in at least one of system hardware and firmware where internal operations of the PR enforcer are not directly alterable by any of user software, operating system software and the hypervisor; and the method further comprises: automatically repeatedly testing with use of the PR enforcer for a context-appropriate restrictive match between a set of hypervisor controlled read, write and/or execute permissions (hyper-R/W/X permissions) and corresponding read, write and/or execute permissions (meta-R/W/X permissions) obtained from at least one of the metadata storing memory zones when access is attempted for at least one of an informational data item and executable code stored in a corresponding one of the first other parts. 6. The method of claim 5 and further comprising: automatically repeatedly testing with use of the PR enforcer for a match between a hypervisor produced physical address (hyper-PA) and a physical address (meta-PA) obtained from the stored virtual address to physical address translations of at least one of the metadata storing memory zones when access is attempted for at least one of an informational data item and executable code stored in a corresponding one of the first other parts. 7. The method of claim 1 and further comprising: automatically verifying integrity of at least part of the metadata stored in at least one of the metadata storing memory zones. 8. The method of claim 7 wherein: the automatic verifying of integrity includes automatically provoking an attestation challenge at least against metadata defining information that is used for creating corresponding metadata stored in the at least one of the metadata storing memory zones. 9. The method of claim 7 wherein: said enforcing of the operational constraints and/or operational requirements is automatically repeatedly carried out by a protected regions enforcer (PR enforcer) implemented in at least one of system hardware and firmware where internal operations of the PR enforcer are not directly alterable by any of user software and operating system software; and the automatic verifying of integrity occurs before the at least part of the stored metadata is used by the PR enforcer. 10. The method of claim 9 wherein: the automatic verifying of integrity is carried out with use of a network connected external system that checks results of the automatic verifying. 11. The method of claim 1 and further comprising: obtaining from an application defining file for a first application, corresponding first metadata defining extents of one or more first protection regions (PR's) whether provided as fragments or as wholes where the PR's are to be constituted by corresponding first allocated virtual areas of the system memory, the first allocated virtual areas being ones allocated to the first application for containing at least one of first informational data items and first executable code belonging to the first application. 12. The method of claim 11 and further comprising: automatically verifying integrity of the obtained first metadata. 13. The method of claim 11 and further comprising: obtaining from an application defining file for the first application, corresponding second metadata defining extents of one or more second PR's which are to be constituted by corresponding second allocated virtual areas of system memory different from the first allocated virtual areas, the second allocated virtual areas also being ones allocated to the first application for containing at least one of second informational data items and second executable code belonging to the first application; and obtaining from an application defining file for the first application, corresponding third and fourth metadata defining respective operational constraints and/or operational requirements for the first and second allocated virtual areas respectively, wherein the obtained third metadata is different from the obtained fourth metadata. 14. The method of claim 11 and further comprising: obtaining from an application defining file for a second application, corresponding other metadata defining extents of a corresponding one or more other protection regions which are to be constituted by corresponding other allocated virtual area of the system memory, the other allocated virtual areas being ones allocated to the second application for containing at least one of other informational data items and other executable code belonging to the second application; and obtaining from an application defining file for the second application, corresponding further metadata defining respective operational constraints and/or operational requirements for the other allocated virtual areas.