BIOS writes undocumented bit in MSR 0x3A, need explanation

In Software Developer's Manual MSR 0x3A bits 7:3 are specified as reserved.
In BWG for Core 2 Duo Mobile CPUs those bits are also specified as reserved.

However, I have seen BIOS code which is writing to bit 3 in that MSR as a part of VT configuration.

So the question is simple -- what is the function of bit 3 in MSR 0x3A?

I am asking because if I am to replicate the configuration sequence I need to know whether I should write that bit as well.

--
Regards,
Igor Levicki

If you find my post helpful, please rate it and/or select it as a best answer where applies. Thank you.

Take a look at section 19.7 in the Intel 64 and IA-32 Architectures Software Developer's Manual
Volume 3A: System Programming Guide

http://download.intel.com/design/processor/manuals/253669.pdf

There is a lock bit which allows the BIOS to protect system settings.

Quoting - David Ott (Intel)

Take a look at section 19.7 in the Intel 64 and IA-32 Architectures Software Developer's Manual
Volume 3A: System Programming Guide

http://download.intel.com/design/processor/manuals/253669.pdf

There is a lock bit which allows the BIOS to protect system settings.

No David, lock bit is a bit 0, I am asking about (undocumented) bit 3.

--
Regards,
Igor Levicki

If you find my post helpful, please rate it and/or select it as a best answer where applies. Thank you.

Igor,

The response I've been given internally is that the information will need to remain undisclosed. Intel has included detailed technical information in its programming and reference guides. What it has left out, it has done so intentionally. There are a variety of possible reasons (use changes over time, use is for specific validation contexts, there is no current use, etc.), but the important implication is that BIOS or other system software should not touch or rely on this bit. Sorry if this answer is unsatisfying.

-d

Quoting - David Ott (Intel)

Igor,

The response I've been given internally is that the information will need to remain undisclosed. Intel has included detailed technical information in its programming and reference guides. What it has left out, it has done so intentionally. There are a variety of possible reasons (use changes over time, use is for specific validation contexts, there is no current use, etc.), but the important implication is that BIOS or other system software should not touch or rely on this bit. Sorry if this answer is a bit unsatisfying.

-d

David, thanks for answering, but as you said yourself the answer is indeed far from satisfying.

Let me try to explain why, it is technical so bear with me please.

I am looking at the disassembly of a Sony VAIO VGN-FW190E EFI BIOS (production version), particularly its CPU configuration driver.

What I see there is a series of tests for VMX and SMX capabilities followed by the MSR 0x3A initialization code. Let me write you a pseudo-code example so you can better understand why I am asking about the bit 3:

	// ...

	new_msr_val = 0x00000000;

	if (CPUID(1).ECX[5] == 0) {
		goto skip_VMX_init;
	}

	if (NVRAM_VARIABLE(VMX_Enable) == 0) {
		goto skip_VMX_init;
	}

	new_msr_val |= 0x00000004; // Enable VMX

skip_VMX_init:

	if (CPUID(1).ECX[6] == 0) {
		goto skip_SMX_init;
	}

	if (NVRAM_VARIABLE(SMX_Enable) == 0) {
		goto skip_SMX_init;
	}

	new_msr_val |= 0x0000FF02; // Enable SMX

skip_SMX_init:

	// ...

	if (NVRAM_VARIABLE(UNKNOWN_Enable) == 0) {
		goto skip_UNKNOWN_init;
	}

	new_msr_val |= 0x00000008; // Enable WHAT?!?

skip_UNKNOWN_init:

	new_msr_val |= 0x00000001; // lock MSR

	WRITE_MSR(0x3A, new_msr_val);

	// ...

If you look at this code, you will see that the initialization of bit 3 I am asking about is actually governed by the user adjustable setting which may be hidden from the setup menu but that is in my opinion irrelevant -- the code is there and can in the event of NVRAM corruption or intentional modification be "convinced" to set the undocumented bit.

Now, if that bit controls some CPU feature which was at one point meant to be exposed to the end user via some setup menu option (and from the code it is crystal clear that was the original intention) then there really must be some end-user identifiable name for that feature and I would like to learn it.

If I can modify the BIOS code (and I certainly can!) to set that bit then I will find out what it does eventually one way or another.

What I am afraid of is that the bit may activate some buggy or incomplete CPU feature and that it may lead to the system instability, failure or even worse -- hidden security vulnerability.

That is of course why I am not performing such "live" test. But even though I am reasonable and won't do it, there is some probability however small that it can happen on its own or that someone can craft a malicious application to do it.

So, if you said that the BIOS should not touch that bit, why is the code for checking some NVRAM variable and setting it accordingly there at all? Why are BIOS vendors toying with it, and more important why are they toying with our computers?

Finally, as I already suggested multiple times, this secrecy game and severely restricted access to information only hurts legitimate developers and sometimes even end-users -- malicious people will always get what they need either by stealing, espionage, or by the means of reverse-engineering.

I sincerely hope Intel will reconsider, and finally merge all those "secret" documents into the Software Developer's Manual. Benefit would be twofold -- developers would have easy access to all the information they need, and Intel would get free feedback -- more eyes are more likely to spot an error be it in documentation itself or in the design being documented.

I would really like to hear your thoughts on this, and if you want proof that the BIOS really contains the code for modifying the bit 3 just let me know and I will upload you a disassembly or an executable module itself and I will even point you to the relevant code address.

--
Regards,
Igor Levicki

If you find my post helpful, please rate it and/or select it as a best answer where applies. Thank you.

Igor,

I follow your pseudocode and appreciate the points you raise. Unfortunately, the decision is not mine and there is little that I can do. I can, however, promise that your position is well-represented in internal discussions. Sorry to make your work more difficult. :-(

Dave

Quoting - David Ott (Intel)

Igor,

I follow your pseudocode and appreciate the points you raise. Unfortunately, the decision is not mine and there is little that I can do. I can, however, promise that your position is well-represented in internal discussions. Sorry to make your work more difficult. :-(

Dave

I have just received an email from a Sony VAIO VGN-FW21Z owner.

He has a T9400 CPU, and his BIOS always sets the undocumented bit (i.e. his MSR 0x3A contains a value of 9 -- bits 3 and 0 are set).

Since I have P8600 CPU and my BIOS doesn't set the bit even though the code is there I presume that the bit is CPU specific -- it is required to be set for certain CPUs and not for others, perhaps it has to do something with some errata regarding VT implementation in a specific CPU stepping.

I hope that at least you could tell me what would be the consequences of not setting that bit if the BIOS has been setting it?

--
Regards,
Igor Levicki

If you find my post helpful, please rate it and/or select it as a best answer where applies. Thank you.
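
Added example, not part of the original thread or of any BIOS discussed in it: a small C audit of a raw MSR 0x3A value against the bit values used in the pseudo-code above (lock = 0x1, VMX = 0x4, SMX = 0xFF02, bits 7:3 reserved) and the CPUID(1).ECX capability bits it tests. The finding names and the sample inputs are constructed for illustration; 0x9 is the value reported for the T9400 system.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit values as they appear in the thread's pseudo-code for MSR 0x3A. */
#define FC_LOCK      0x0001u  /* bit 0: lock MSR */
#define FC_VMX       0x0004u  /* written when VMX is enabled */
#define FC_SMX       0xFF02u  /* written when SMX is enabled */
#define FC_RESERVED  0x00F8u  /* bits 7:3, reserved per the SDM */

/* Finding flags (hypothetical names, chosen for this example). */
enum {
    F_UNLOCKED   = 1 << 0,  /* lock bit clear: MSR can still be rewritten */
    F_RESERVED   = 1 << 1,  /* one or more of bits 7:3 set */
    F_VMX_NO_CAP = 1 << 2,  /* VMX bit set but CPUID(1).ECX[5] is clear */
    F_SMX_NO_CAP = 1 << 3   /* SMX bits set but CPUID(1).ECX[6] is clear */
};

/* Returns which of the reserved bits 7:3 are set in a raw MSR value. */
uint32_t fc_reserved_bits(uint64_t msr)
{
    return (uint32_t)(msr & FC_RESERVED);
}

/* Audits a raw MSR 0x3A value against the CPU's CPUID(1).ECX word. */
unsigned fc_audit(uint64_t msr, uint32_t cpuid1_ecx)
{
    unsigned f = 0;
    if (!(msr & FC_LOCK))      f |= F_UNLOCKED;
    if (fc_reserved_bits(msr)) f |= F_RESERVED;
    if ((msr & FC_VMX) && !(cpuid1_ecx & (1u << 5))) f |= F_VMX_NO_CAP;
    if ((msr & FC_SMX) && !(cpuid1_ecx & (1u << 6))) f |= F_SMX_NO_CAP;
    return f;
}

int main(void)
{
    /* Constructed inputs; 0x9 is the value quoted in the thread. */
    const uint64_t samples[] = { 0x9, 0x5, 0x4, 0xFF07 };
    const uint32_t ecx = 1u << 5;  /* constructed: VMX capable, no SMX */

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("msr=0x%04llx reserved=0x%02x findings=0x%x\n",
               (unsigned long long)samples[i],
               fc_reserved_bits(samples[i]), fc_audit(samples[i], ecx));
    return 0;
}
```
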
