Refer to the articles below for lists of processors affected by various speculative execution side channel issues.
Processor support for the new mitigation mechanisms is enumerated using the CPUID instruction and several architectural MSRs. To find the mapping between a processor's CPUID and its Family/Model number, refer to the Intel® Software Developer's Manual, Vol 2A, table 3-8 and the INPUT EAX = 01H: Returns Model, Family, Stepping Information section.
The CPUID instruction enumerates support for the mitigation mechanisms using five feature flags in CPUID.(EAX=7H,ECX=0):EDX:
The mitigation mechanisms may be introduced to a processor by loading a microcode update. In such cases, software should reevaluate the enumeration after loading that microcode update.
| Initial EAX Value | Information Provided About the Processor | Notes |
|---|---|---|
| 07H | EDX | Leaf 07H main leaf (ECX = 0). If ECX contains an invalid subleaf index, EAX/EBX/ECX/EDX return 0. Bit 10: MD_CLEAR supported. Bits 25-00: Reserved Bit 26: IBRS and IBPB supported Bit 27: STIBP supported Bit 28: L1D_FLUSH supported Bit 29: IA32_ARCH_CAPABILITIES supported Bit 30: Reserved Bit 31: SSBD supported |
NOTE: The table above is not intended to provide full details of this leaf; see the Intel® 64 and IA-32 Architectures Software Developer’s Manual, Volume 2A (CPUID instruction), for full details on CPUID leaf 07H.
Additional features are enumerated by the IA32_ARCH_CAPABILITIES MSR (MSR index 10AH). This is a read-only MSR that is supported if CPUID.(EAX=7H,ECX=0):EDX[29] is enumerated as 1.
| Register Address Hex | Register Address DEC | Register Name / Bit Fields | Bit Description | Comment |
|---|---|---|---|---|
| 10AH | 266 | IA32_ARCH_CAPABILITIES | Enumeration of Architectural Features (RO) | If CPUID.(EAX-07H, ECX=0):EDX[29]=1 |
| 10AH | 266 | 0 | RDCL_NO: The processor is not susceptible to Rogue Data Cache Load (RDCL). | |
| 10AH | 266 | 1 | IBRS_ALL: the processor supports enhanced Indirect Branch Restriction Speculation (IBRS) | |
| 10AH | 266 | 2 | RSBA: The processor supports RSB Alternate. Alternative branch predictors may be used by RET instructions when the RSB is empty. Software using retpoline may be affected by this behavior. | |
| 10AH | 266 | 3 | SKIP_L1DFL_VMENTRY: A value of 1 indicates the hypervisor need not flush the L1D on VM entry. | |
| 10AH | 266 | 4 | SSB_NO Processor is not susceptible to Speculative Store Bypass (SSB). | |
| 10AH | 266 | 5 | MDS_NO: Processor is not susceptible to Microarchitectural Data Sampling (MDS). | |
| 10AH | 266 | 8 | TAA_NO: Processor is not susceptible to Intel TSX Asynchronous Abort (TAA). | |
| 10AH | 266 | 63:6 | Reserved |
The IA32_SPEC_CTRL MSR bits are defined as logical processor scope. On some core implementations, the bits may impact sibling logical processors on the same core.
This MSR has a value of 0 after reset and is unaffected by INIT# or SIPI#.
Like IA32_TSC_DEADLINE MSR (MSR index 6E0H), the x2APIC MSRs (MSR indices 802H to 83FH) and IA32_PRED_CMD (MSR index 49H), WRMSR to IA32_SPEC_CTRL (MSR index 48H) is not defined as a serializing instruction.
WRMSR to IA32_SPEC_CTRL does not execute until all prior instructions have completed locally and no later instructions begin execution until the WRMSR completes.
| Register Address Hex | Register Address DEC | Register Name / Bit Fields | Bit Description | Comment |
|---|---|---|---|---|
| 48H | 72 | IA32_SPEC_CTRL | Speculation Control (R/W) | If any one of the enumeration conditions for the defined bit field positions holds. |
| 48H | 72 | 0 | IBRS. Restricts speculation of indirect branch. | If CPUID.(EAX=07H, EXC=0):EDX[26]=1 |
| 48H | 72 | 1 | Single Thread Indirect Branch Predictors (STIBP). Prevents indirect branch predictions on all logical processors on the core from being controlled by any sibling logical processor in the same core | If CPUID.(EAX=07H, ECX=0):EDX[27]=1 |
| 48H | 72 | 2 | Speculative Store Bypass Disable (SSBD) delays speculative execution of a load until the addresses of all older stores are known | If CPUID.(EAX=07H, ECX=0):EDX[31]=1 |
| 48H | 72 | 63:4 | Reserved |
The IA32_PRED_CMD MSR gives software a way to issue commands that affect the state of predictors.
| Register Address Hex | Register Address DEC | Register Name / Bit Fields | Bit Description | Comment |
|---|---|---|---|---|
| 49H | 73 | IA_PRED_CMD | Prediction Command (WO) | If any one of the enumeration conditions for defined bit field positions holds. |
| 49H | 73 | 0 | Indirect Branch Prediction Barrier (IBPB) | If CPUID.EAX=07H, ECX=0):EDX[26]=1 |
| 49H | 73 | 63:1 | Reserved |
Like IA32_TSC_DEADLINE MSR (MSR index 6E0H), the X2APIC MSRs (MSR indices 802H to 83FH) and IA32_SPEC_CTRL (MSR index 48H), WRMSR to IA32_PRED_CMD (MSR index 49H) is not defined as a serializing instruction.
WRMSR to IA32_PRED_CMD does not execute until all prior instructions have completed locally and no later instructions begin execution until the WRMSR completes.
The IA32_FLUSH_CMD MSR gives software a way to invalidate structures with finer granularity than other architectural methods.
Like the IA32_TSC_DEADLINE MSR (MSR index 6E0H), the X2APIC MSRs (MSR indices 802H to 83FH), and the IA32_SPEC_CTRL MSR (MSR index 48H), WRMSR to the IA32_FLUSH_CMD MSR (MSR index 10BH) is not defined as a serializing instruction.
WRMSR to the IA32_FLUSH_CMD MSR does not execute until all prior instructions have completed locally, and no later instructions begin execution until the WRMSR completes.
| Register Address Hex | Register Address DEC | Register Name / Bit Fields | Bit Description | Comment |
|---|---|---|---|---|
| 10BH | 267 | IA_FLUSH_CMD | Flush Command (WO) | If any one of the enumeration conditions for defined bit field positions holds. |
| 10BH | 267 | 0 | L1D_FLUSH: Writeback and invalidate the L1 data cache | If CPUID.EAX=07H, ECX=0):EDX[28]=1 |
| 10BH | 267 | 63:1 | Reserved |