Instructions Affected by Rogue System Register Read

Rogue System Register Read (INTEL-SA-00115) is a domain-bypass transient execution attack that uses transient execution of instructions to potentially allow malicious actors to infer the values of some system register states that should not be architecturally accessible. This method was first described as Variant 3a (V3a) in the Cache Speculation Side-channels ARM* whitepaper.

Although these transient operations will architecturally fault or VM exit, in certain cases they may return data that is accessible to subsequent instructions in the speculative execution path. These subsequent instructions can then create a side channel to infer the system register state. Refer to the Rogue System Register Read disclosure for further details and mitigations for this issue.

The table below describes transient execution behavior that may occur on one or more existing Intel processors. Individual processors will only be affected by a subset of the issues listed below. These issues are addressed in future processors.

Table 1: List of instructions affected by Rogue System Register Read

| Category | Instruction | Transient behavior |
|---|---|---|
| Counters | RDTSC | RDTSC may transiently return the Timestamp counter even when CR4.TSD is set and CPL > 0. |
| Counters | RDTSCP | RDTSCP may transiently return the Timestamp counter and Processor ID even when CR4.TSD is set and CPL > 0. |
| Counters | RDPMC | RDPMC may transiently return the performance monitoring counter even when CR4.PCE is clear and CPL > 0. |
| Debug registers | Mov reg, DR{0 to 7} | The contents of DR0 to DR7 may transiently be returned even when DR7.GD is set or Mov-DR exiting VM-execution control is set. Additionally, DR4 and DR5 may transiently be returned even when CR4.DE is set. |
| Control registers | Mov reg, CR3 | Mov reg, CR3 may transiently return the CR3 value even when CR3-load exiting VM-execution control is set. |
| Others | SWAPGS | SWAPGS at CPL > 0 may transiently swap the GS base and IA32_KERNEL_GS_BASE MSR. |
| Others | RDFSBASE/RDGSBASE | RDFSBASE and RDGSBASE may transiently execute even when CR4.FSGSBASE is 0. |
| Others | XGETBV | When CR4.OSXSAVE is set, XGETBV may transiently return the xcrx value. |
| UMIP | STR, SIDT, SLDT, SGDT | These instructions may transiently execute even when CR4.UMIP is set and CPL > 0 and even when the descriptor-table exiting VM-execution control is set. |
| UMIP | SMSW | This instruction may transiently execute even when CR4.UMIP is set and CPL > 0. |
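
The following is an added example, not Intel code: given a CR4 value (for instance from a crash dump or a guest-state dump) and a privilege level, it reports which Table 1 rows have their stated CR4/CPL condition met. The function name `rsre_rows`, the `ROW_*` flags and the sample CR4 value are constructed for illustration; DR7.GD and the VM-execution controls named in the table are not modelled.

```c
#include <stdint.h>
#include <stdio.h>

/* CR4 bit positions as defined in the Intel SDM. */
#define CR4_TSD      (1ull << 2)
#define CR4_DE       (1ull << 3)
#define CR4_PCE      (1ull << 8)
#define CR4_UMIP     (1ull << 11)
#define CR4_FSGSBASE (1ull << 16)
#define CR4_OSXSAVE  (1ull << 18)

/* One flag per Table 1 row whose condition involves CR4 or CPL (hypothetical names). */
enum {
    ROW_RDTSC    = 1 << 0,  /* RDTSC, RDTSCP */
    ROW_RDPMC    = 1 << 1,
    ROW_DR4_DR5  = 1 << 2,  /* Mov reg, DR4/DR5 */
    ROW_SWAPGS   = 1 << 3,
    ROW_FSGSBASE = 1 << 4,  /* RDFSBASE, RDGSBASE */
    ROW_XGETBV   = 1 << 5,
    ROW_UMIP     = 1 << 6   /* STR, SIDT, SLDT, SGDT, SMSW */
};

/* Return the rows whose stated CR4/CPL condition holds, i.e. where the
 * architectural behavior may not hold on the transient path. */
unsigned rsre_rows(uint64_t cr4, unsigned cpl)
{
    unsigned rows = 0;
    int user = cpl > 0;

    if ((cr4 & CR4_TSD) && user)   rows |= ROW_RDTSC;
    if (!(cr4 & CR4_PCE) && user)  rows |= ROW_RDPMC;
    if (cr4 & CR4_DE)              rows |= ROW_DR4_DR5;
    if (user)                      rows |= ROW_SWAPGS;
    if (!(cr4 & CR4_FSGSBASE))     rows |= ROW_FSGSBASE;
    if (cr4 & CR4_OSXSAVE)         rows |= ROW_XGETBV;
    if ((cr4 & CR4_UMIP) && user)  rows |= ROW_UMIP;
    return rows;
}

int main(void)
{
    static const char *names[] = { "RDTSC/RDTSCP", "RDPMC", "Mov reg, DR4/DR5", "SWAPGS",
                                   "RDFSBASE/RDGSBASE", "XGETBV", "STR/SIDT/SLDT/SGDT/SMSW" };
    uint64_t cr4 = 0x350EE0;  /* constructed: UMIP, FSGSBASE, OSXSAVE set; TSD, DE, PCE clear */
    unsigned rows = rsre_rows(cr4, 3);
    for (int i = 0; i < 7; i++)
        if (rows & (1u << i))
            printf("CPL 3: %s\n", names[i]);
    return 0;
}
```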


*Other names and brands may be claimed as the property of others.