Exploring x86 MSR Space July 22, 2023 Kernel/VM Tokyo No.16 @retrage

Is it possible to detect the CPU type without knowledge by exploring the MSR space?

Model-Specific Registers (MSRs) • Model-Speci fi c Registers: x86 system registers to con fi gure the system. • As the name indicates, most of the MSRs are implementation de fi ned. • MSRs have own address space (MSR address space). • Use rdmsr/wrmsr to read/write an MSR.

Behaviors on Reading Unsupported MSR • There are two types of behaviors on reading an unsupported MSR: • Generates general purpose exception (#GP(0)). [1] • Default behavior for unimplemented MSR access. • Returns all-zeros or all-ones • For backward-compatibility, such as used by already deleted features.

Experiment #1: Intel CPU, Different Gen. • Intuitive: A Newer CPU have more valid MSRs than an old one. • Compare MSR spaces of two Intel CPUs: • i7-7700K: 7th Gen. (Q1’17) [2] • i9-13900K: 13th Gen. (Q4’22) [3] • Visualize the MSR spaces (with ChatGPT Code Interpreter) • https://github.com/retrage/msr-explorer

Experiment #1: Intel CPU, Different Gen. Left: i7-7700K, Right: i9-13900K • N

Experiment #1: Intel CPU, Different Gen. Left: i7-7700K, Right: i9-13900K • N The newer CPU has more valid MSRs.

What about different CPU makers?

Yet Another x86 CPU • “In 2013, Via entered a joint venture with the municipal government of Shanghai to found Zhaoxin” [4] • KX-6640MA: (Q2’19) [5] • 4C/[email protected] • Modern CPU spec. ZhaoXin (ஹਊ)

Highly Compatible with Intel CPU • It has Intel VT-x extension. • BitVisor works without any modi fi cation. • Is it really the successor to VIA CPUs? • Let’s compare the MSR space. Successor to VIA?

Experiment #2: Intel and ZhaoXin Left: i7-7700K, Right: Z3-6540M

Experiment #2: Intel and ZhaoXin ZhaoXin CPU has intentionally unimplemented MSRs x2APIC MSRs

Experiment #2: Intel and ZhaoXin ZhaoXin CPU has many unknown MSRs Unknown MSRs

Experiment #2: MSR Space Distance Manhattan Distances of the MSR Spaces i7-7700K i9-13900K Z3-6540M i7-7700K 915 8405 i9-13900K 915 8466 Z3-6540M 8405 8466

Summary • Visualized some of CPU MSR spaces. • Intel CPU: A Newer CPU have more valid MSRs than an old one. • ZhaoXin CPU has Intel VT-x extension, but the MSR space di ff ers. • Looking for a VIA CPU to compare with ZhaoXin CPU. • Published Tool: https://github.com/retrage/msr-explorer

References • [1] Intel (2023) Intel 64 and IA-32 Architectures Software Developer's Manual: Instruction Set Reference, A-Z, Volume 2 (2A, 2B, 2C & 2D). • [2] https://ark.intel.com/content/www/us/en/ark/products/97129/intel-core- i77700k-processor-8m-cache-up-to-4-50-ghz.html • [3] https://www.intel.com/content/www/us/en/products/sku/230496/intel-core- i913900k-processor-36m-cache-up-to-5-80-ghz/speci fi cations.html • [4] https://www.tomshardware.com/news/via-chinese-x86- soc-2019,36209.html • [5] https://www.zhaoxin.com/prod_view.aspx?nid=3&typeid=129&id=327

Experiment Setup • msr-explorer: A small tool that dumps MSRs in speci fi ed range. • Read /dev/cpu/CPUNUM/msr on Linux and dump as JSON. • https://github.com/retrage/msr-explorer • MSR Address Range: [0x0000-0x1 ff f] • To cover all the IA-32 architectural MSRs [1]

Experiment #2: Intel and ZhaoXin Left: i9-13900K, Right: Z3-6540M Unknown MSRs