Security Software

Deep Dive: CPUID Enumeration and Architectural MSRs

Processor support for the new mitigation mechanisms is enumerated using the CPUID instruction and several architectural MSRs.

The CPUID instruction enumerates support for the mitigation mechanisms using five feature flags in CPUID.(EAX=7H,ECX=0):EDX:

  • CPUID.(EAX=7H,ECX=0):EDX[26] enumerates support for indirect branch restricted speculation (IBRS) and the indirect branch predictor barrier (IBPB). Processors that set this bit support the IA32_SPEC_CTRL MSR and the IA32_PRED_CMD MSR. They allow software to set IA32_SPEC_CTRL[0] (IBRS) and IA32_PRED_CMD[0] (IBPB).
  • CPUID.(EAX=7H,ECX=0):EDX[27] enumerates support for single thread indirect branch predictors (STIBP). Processors that set this bit support the IA32_SPEC_CTRL MSR. They allow software to set IA32_SPEC_CTRL[1] (STIBP).
  • CPUID.(EAX=7H,ECX=0):EDX[28] enumerates support for L1D_FLUSH. Processors that set this bit support the IA32_FLUSH_CMD MSR. They allow software to set IA32_FLUSH_CMD[0] (L1D_FLUSH).
  • CPUID.(EAX=7H,ECX=0):EDX[29] enumerates support for the IA32_ARCH_CAPABILITIES MSR.
  • CPUID.(EAX=7H,ECX=0):EDX[31] enumerates support for Speculative Store Bypass Disable (SSBD). Processors that set this bit support the IA32_SPEC_CTRL MSR. They allow software to set IA32_SPEC_CTRL[2] (SSBD).

The mitigation mechanisms may be introduced to a processor by loading a microcode update. In such cases, software should reevaluate the enumeration after loading that microcode update.

Table 1. CPUID Leaf 07H, Sub-leaf 0: Updated EDX Register Details

NOTE: The table above is not intended to provide full details of this leaf; see the Intel® 64 and IA-32 Architectures Software Developer’s Manual, Volume 2A (CPUID instruction), for full details on CPUID leaf 07H.

IA32_ARCH_CAPABILITIES MSR

Additional features are enumerated by the IA32_ARCH_CAPABILITIES MSR (MSR index 10AH). This is a read-only MSR that is supported if CPUID.(EAX=7H,ECX=0):EDX[29] is enumerated as 1.

Table 2. IA32_ARCH_CAPABILITIES MSR Details

Figure 3. IA32_ARCH_CAPABILITIES MSR

https://lh3.googleusercontent.com/3LhDhZ1SCPCVf6c7u8fr40lDg6gIq8gXvWcLr3NwtP-6sshTgxyQM_mPQwxw_uH1xYgp6k0gYc6vIRy5bUkuLGA9JTBU7gzXBLA7nqaZPZYab7C7PZrNUA15AskqVeMwJ97PRuJ-

IA32_SPEC_CTRL MSR

The IA32_SPEC_CTRL MSR bits are defined as logical processor scope. On some core implementations, the bits may impact sibling logical processors on the same core.

This MSR has a value of 0 after reset and is unaffected by INIT# or SIPI#.

Like IA32_TSC_DEADLINE MSR (MSR index 6E0H), the x2APIC MSRs (MSR indices 802H to 83FH) and IA32_PRED_CMD (MSR index 49H), WRMSR to IA32_SPEC_CTRL (MSR index 48H) is not defined as a serializing instruction.

WRMSR to IA32_SPEC_CTRL does not execute until all prior instructions have completed locally and no later instructions begin execution until the WRMSR completes.

Table 4. IA32_SPEC_CTRL MSR Details

Figure 5. IA32_SPEC_CTRL MSR

https://lh3.googleusercontent.com/dR8IlGI2_gmrGjrSfx7p0naPBdFFlPC829bRppYqLyp5wXNl7ymCjyMG5DqoNS3e4vhdyRBWrExI3DIvy3rorwRO_PH9fMwqwXA7yhb9UQPSYqclcgMJjGlfS2HJG8RMihMQi77N

IA32_PRED_CMD MSR

The IA32_PRED_CMD MSR gives software a way to issue commands that affect the state of predictors.

Table 6. IA32_PRED_CMD MSR Details

Figure 7. IA32_PRED_CMD MSR

https://lh3.googleusercontent.com/yUMv3Yo_7rNTtslEV1ES1vhXBRuLhabytpnXnR78-Bp-GdnxfLbE58HbtrwO86xXkjg9Z7_IludmomVHEw2aXjUEPjeBJREFGAJh-rW1ABkFqKQUQ472-RdmYSoyHfddujK0oLPM

Like IA32_TSC_DEADLINE MSR (MSR index 6E0H), the X2APIC MSRs (MSR indices 802H to 83FH) and IA32_SPEC_CTRL (MSR index 48H), WRMSR to IA32_PRED_CMD (MSR index 49H) is not defined as a serializing instruction.

WRMSR to IA32_PRED_CMD does not execute until all prior instructions have completed locally and no later instructions begin execution until the WRMSR completes.
 

IA32_FLUSH_CMD MSR

The IA32_FLUSH_CMD MSR gives software a way to invalidate structures with finer granularity than other architectural methods.

Like the IA32_TSC_DEADLINE MSR (MSR index 6E0H), the X2APIC MSRs (MSR indices 802H to 83FH), and the IA32_SPEC_CTRL MSR (MSR index 48H), WRMSR to the IA32_FLUSH_CMD MSR (MSR index 10BH) is not defined as a serializing instruction.

WRMSR to the IA32_FLUSH_CMD MSR does not execute until all prior instructions have completed locally, and no later instructions begin execution until the WRMSR completes. 

Table 8. IA32_FLUSH_CMD MSR Details


Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software, or service activation. Performance varies depending on system configuration. Check with your system manufacturer or retailer or learn more at www.intel.com.

All information provided here is subject to change without notice. Contact your Intel representative to obtain the latest Intel product specifications and roadmaps.

The products and services described may contain defects or errors known as errata which may cause deviations from published specifications. Current characterized errata are available on request.

Intel provides these materials as-is, with no express or implied warranties.

No product can be absolutely secure.

Intel, the Intel logo, Intel Core, Intel Atom, Intel Xeon, Intel Xeon Phi, Intel® C Compiler, Intel Software Guard Extensions, and Intel® Trusted Execution Engine are trademarks of Intel Corporation in the U.S. and/or other countries.

*Other names and brands may be claimed as the property of others.