0x3F0 doesn't work on Skylake, so it's not architectural; write-protected, seems to be 1 only on CPU #0. The only mention seems to be in XEN, and it doesn't seem to be accurate.
Thing is, as trivial and innocent as it is, stuff like this opens up detection vectors for virtualization based sandboxes. Running on a Broadwell? Switch to first core, read 3F0 in a loop for a few seconds, if it ever returns 0 or faults, you're in a VM, congrats. ¯\_(ツ)_/¯
Not that there aren't a thousand other easier methods, but you get the point.
Turns out you can also find out undocumented MSRs behind NDA with Haruspex; looks like either rdmsr/wrmsr dispatches μOps dynamically or the decoder waits for the ecx value to be set, pretty interesting. 🤭
You also get to see how certain MSRs such as the LSTAR and KERNEL_GS_BASE are optimized compared to normal CRBUS MSRs, likely due to the fact that they're kept in the register file instead.
A bit more research reveals that it's not the decoder but the uOps of the rdmsr that schedule the rest of the ops, since MSRs for the SMM state seem to look like other #GPs; however, it seems like they forgot a speculative barrier there, so DIV cycles give those away 🥰