CPUID Enumeration and Architectural MSRs

Processors affected by speculative execution side channel issues

Refer to the articles below for lists of processors affected by various speculative execution side channel issues.

CPUID enumeration for mitigations

Processor support for the new mitigation mechanisms is enumerated using the CPUID instruction and several architectural MSRs. To find the mapping between a processor's CPUID and its Family/Model number, refer to the Intel® Software Developer's Manual, Vol 2A, table 3-8 and the INPUT EAX = 01H: Returns Model, Family, Stepping Information section.

The CPUID instruction enumerates support for the mitigation mechanisms using five feature flags in CPUID.(EAX=7H,ECX=0):EDX:

  • CPUID.(EAX=7H,ECX=0):EDX[10] enumerates support for additional functionality that will flush microarchitectural structures as listed here.
  • CPUID.(EAX=7H,ECX=0):EDX[26] enumerates support for indirect branch restricted speculation (IBRS) and the indirect branch predictor barrier (IBPB). Processors that set this bit support the IA32_SPEC_CTRL MSR and the IA32_PRED_CMD MSR. They allow software to set IA32_SPEC_CTRL[0] (IBRS) and IA32_PRED_CMD[0] (IBPB).
  • CPUID.(EAX=7H,ECX=0):EDX[27] enumerates support for single thread indirect branch predictors (STIBP). Processors that set this bit support the IA32_SPEC_CTRL MSR. They allow software to set IA32_SPEC_CTRL[1] (STIBP).
  • CPUID.(EAX=7H,ECX=0):EDX[28] enumerates support for L1D_FLUSH. Processors that set this bit support the IA32_FLUSH_CMD MSR. They allow software to set IA32_FLUSH_CMD[0] (L1D_FLUSH).
  • CPUID.(EAX=7H,ECX=0):EDX[29] enumerates support for the IA32_ARCH_CAPABILITIES MSR.
  • CPUID.(EAX=7H,ECX=0):EDX[31] enumerates support for Speculative Store Bypass Disable (SSBD). Processors that set this bit support the IA32_SPEC_CTRL MSR. They allow software to set IA32_SPEC_CTRL[2] (SSBD).

The mitigation mechanisms may be introduced to a processor by loading a microcode update. In such cases, software should reevaluate the enumeration after loading that microcode update.

Table 1: Structured Extended Feature Flags Enumeration Leaf (Output depends on ECX input value)

Initial EAX Value: 07H
Information Provided About the Processor: EDX, Leaf 07H main leaf (ECX = 0). If ECX contains an invalid subleaf index, EAX/EBX/ECX/EDX return 0.
Notes (EDX bits):
  Bit 10:      MD_CLEAR supported.
  Bits 25-00:  Reserved
  Bit 26:      IBRS and IBPB supported
  Bit 27:      STIBP supported
  Bit 28:      L1D_FLUSH supported
  Bit 29:      IA32_ARCH_CAPABILITIES supported
  Bit 30:      Reserved
  Bit 31:      SSBD supported

NOTE: The table above is not intended to provide full details of this leaf; see the Intel® 64 and IA-32 Architectures Software Developer’s Manual, Volume 2A (CPUID instruction), for full details on CPUID leaf 07H.

IA32_ARCH_CAPABILITIES MSR

Additional features are enumerated by the IA32_ARCH_CAPABILITIES MSR (MSR index 10AH). This is a read-only MSR that is supported if CPUID.(EAX=7H,ECX=0):EDX[29] is enumerated as 1.

Table 2: IA32_ARCH_CAPABILITIES MSR Details

Register Address: 10AH (hex), 266 (dec)
Register Name: IA32_ARCH_CAPABILITIES, Enumeration of Architectural Features (RO)
Comment: Supported if CPUID.(EAX=07H, ECX=0):EDX[29]=1
Bit fields:
  Bit 0:     RDCL_NO: The processor is not susceptible to Rogue Data Cache Load (RDCL).
  Bit 1:     IBRS_ALL: The processor supports enhanced Indirect Branch Restricted Speculation (IBRS).
  Bit 2:     RSBA: The processor supports RSB Alternate. Alternative branch predictors may be used by RET instructions when the RSB is empty. Software using retpoline may be affected by this behavior.
  Bit 3:     SKIP_L1DFL_VMENTRY: A value of 1 indicates the hypervisor need not flush the L1D on VM entry.
  Bit 4:     SSB_NO: The processor is not susceptible to Speculative Store Bypass (SSB).
  Bit 5:     MDS_NO: The processor is not susceptible to Microarchitectural Data Sampling (MDS).
  Bit 8:     TAA_NO: The processor is not susceptible to Intel TSX Asynchronous Abort (TAA).
  Bits 63:6: Reserved

IA32_SPEC_CTRL MSR

The IA32_SPEC_CTRL MSR bits are defined as logical processor scope. On some core implementations, the bits may impact sibling logical processors on the same core.

This MSR has a value of 0 after reset and is unaffected by INIT# or SIPI#.

Like the IA32_TSC_DEADLINE MSR (MSR index 6E0H), the x2APIC MSRs (MSR indices 802H to 83FH) and the IA32_PRED_CMD MSR (MSR index 49H), WRMSR to the IA32_SPEC_CTRL MSR (MSR index 48H) is not defined as a serializing instruction.

WRMSR to IA32_SPEC_CTRL does not execute until all prior instructions have completed locally and no later instructions begin execution until the WRMSR completes.

Table 3: IA32_SPEC_CTRL MSR Details

Register Address: 48H (hex), 72 (dec)
Register Name: IA32_SPEC_CTRL, Speculation Control (R/W)
Comment: Supported if any one of the enumeration conditions for the defined bit field positions holds.
Bit fields:
  Bit 0:     IBRS: Restricts speculation of indirect branches. Enumerated if CPUID.(EAX=07H, ECX=0):EDX[26]=1
  Bit 1:     Single Thread Indirect Branch Predictors (STIBP): Prevents indirect branch predictions on all logical processors on the core from being controlled by any sibling logical processor in the same core. Enumerated if CPUID.(EAX=07H, ECX=0):EDX[27]=1
  Bit 2:     Speculative Store Bypass Disable (SSBD): Delays speculative execution of a load until the addresses of all older stores are known. Enumerated if CPUID.(EAX=07H, ECX=0):EDX[31]=1
  Bits 63:4: Reserved
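The enumeration described in the list above and the MSR layouts in Tables 1 to 3, as an added C example (not Intel's code): it decodes CPUID.(EAX=7H,ECX=0):EDX into the IA32_SPEC_CTRL bits software may set, reports whether IA32_ARCH_CAPABILITIES may be read, and applies the SKIP_L1DFL_VMENTRY hint. The function names and the decision that an absent MSR means "flush" are this example's own; it assumes a GCC/Clang-compatible compiler with <cpuid.h> on x86, and the MSR value must be supplied by ring-0 code (e.g. /dev/cpu/N/msr on Linux) because RDMSR is privileged.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif
/* CPUID.(EAX=7H,ECX=0):EDX bit positions (Table 1) */
#define EDX_MD_CLEAR   (1u << 10)
#define EDX_IBRS_IBPB  (1u << 26)
#define EDX_STIBP      (1u << 27)
#define EDX_L1D_FLUSH  (1u << 28)
#define EDX_ARCH_CAP   (1u << 29)
#define EDX_SSBD       (1u << 31)
/* IA32_SPEC_CTRL (48H) bits (Table 3) and IA32_ARCH_CAPABILITIES (10AH) bit 3 (Table 2) */
#define SPEC_CTRL_IBRS  (1ull << 0)
#define SPEC_CTRL_STIBP (1ull << 1)
#define SPEC_CTRL_SSBD  (1ull << 2)
#define CAP_SKIP_L1DFL_VMENTRY (1ull << 3)

/* Mask of IA32_SPEC_CTRL bits software may set, given CPUID.7.0:EDX; bits
 * that are not enumerated are reserved and must not be written. */
uint64_t spec_ctrl_writable_mask(uint32_t edx) {
    uint64_t m = 0;
    if (edx & EDX_IBRS_IBPB) m |= SPEC_CTRL_IBRS;
    if (edx & EDX_STIBP)     m |= SPEC_CTRL_STIBP;
    if (edx & EDX_SSBD)      m |= SPEC_CTRL_SSBD;
    return m;
}
/* The MSR exists if any one of the three enumeration conditions holds. */
int spec_ctrl_msr_present(uint32_t edx) { return spec_ctrl_writable_mask(edx) != 0; }
/* IA32_ARCH_CAPABILITIES is only readable when EDX[29] is 1. */
int arch_caps_msr_present(uint32_t edx) { return (edx & EDX_ARCH_CAP) != 0; }
/* Hypervisor decision from Table 2: skip the L1D flush on VM entry only when
 * the MSR is present and reports SKIP_L1DFL_VMENTRY; an absent MSR proves
 * nothing, so the conservative answer (this example's choice) is "flush". */
int l1d_flush_needed_on_vmentry(uint32_t edx, uint64_t arch_caps) {
    if (!arch_caps_msr_present(edx)) return 1;
    return (arch_caps & CAP_SKIP_L1DFL_VMENTRY) == 0;
}

int main(void) {
    uint32_t a = 0, b = 0, c = 0, d = 0;
#if defined(__x86_64__) || defined(__i386__)
    if (!__get_cpuid_count(7, 0, &a, &b, &c, &d)) d = 0; /* no leaf 07H */
#endif
    (void)a; (void)b; (void)c;
    /* Re-run after a microcode load: these flags may change (see text above). */
    printf("CPUID.7.0:EDX=%08x spec_ctrl_mask=%llx arch_caps_msr=%d\n", (unsigned)d,
           (unsigned long long)spec_ctrl_writable_mask(d), arch_caps_msr_present(d));
    return 0;
}
```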

IA32_PRED_CMD MSR

The IA32_PRED_CMD MSR gives software a way to issue commands that affect the state of predictors.

Table 4: IA32_PRED_CMD MSR Details

Register Address: 49H (hex), 73 (dec)
Register Name: IA32_PRED_CMD, Prediction Command (WO)
Comment: Supported if any one of the enumeration conditions for the defined bit field positions holds.
Bit fields:
  Bit 0:     Indirect Branch Prediction Barrier (IBPB). Enumerated if CPUID.(EAX=07H, ECX=0):EDX[26]=1
  Bits 63:1: Reserved

Like the IA32_TSC_DEADLINE MSR (MSR index 6E0H), the x2APIC MSRs (MSR indices 802H to 83FH) and the IA32_SPEC_CTRL MSR (MSR index 48H), WRMSR to the IA32_PRED_CMD MSR (MSR index 49H) is not defined as a serializing instruction.

WRMSR to IA32_PRED_CMD does not execute until all prior instructions have completed locally and no later instructions begin execution until the WRMSR completes.

IA32_FLUSH_CMD MSR

The IA32_FLUSH_CMD MSR gives software a way to invalidate structures with finer granularity than other architectural methods.

Like the IA32_TSC_DEADLINE MSR (MSR index 6E0H), the x2APIC MSRs (MSR indices 802H to 83FH) and the IA32_SPEC_CTRL MSR (MSR index 48H), WRMSR to the IA32_FLUSH_CMD MSR (MSR index 10BH) is not defined as a serializing instruction.

WRMSR to the IA32_FLUSH_CMD MSR does not execute until all prior instructions have completed locally, and no later instructions begin execution until the WRMSR completes.

Table 5: IA32_FLUSH_CMD MSR Details

Register Address: 10BH (hex), 267 (dec)
Register Name: IA32_FLUSH_CMD, Flush Command (WO)
Comment: Supported if any one of the enumeration conditions for the defined bit field positions holds.
Bit fields:
  Bit 0:     L1D_FLUSH: Writeback and invalidate the L1 data cache. Enumerated if CPUID.(EAX=07H, ECX=0):EDX[28]=1
  Bits 63:1: Reserved


Copyright Intel Corporation 2020.