From b3226af5ad7bbfcba79d26f547fe6582baf20ce9 Mon Sep 17 00:00:00 2001 
From: Sohil Mehta Date: Tue, 20 Jan 2026 15:47:28 -0800 Subject: [PATCH 01/11] x86/cpu: Defer LASS enabling until userspace comes up LASS blocks any kernel access to the lower half of the virtual address space. Unfortunately, some EFI accesses happen during boot with bit 63 cleared, which causes a #GP fault when LASS is enabled. Notably, the SetVirtualAddressMap() call can only happen in EFI physical mode. Also, EFI_BOOT_SERVICES_CODE/_DATA could be accessed even after ExitBootServices(). The boot services memory is truly freed during efi_free_boot_services() after SVAM has completed. To prevent EFI from tripping LASS, at a minimum, LASS enabling must be deferred until EFI has completely finished entering virtual mode (including freeing boot services memory). Moving setup_lass() to arch_cpu_finalize_init() would do the trick, but that would make the implementation very fragile. Something else might come in the future that would need the LASS enabling to be moved again. In general, security features such as LASS provide limited value before userspace is up. They aren't necessary during early boot while only trusted ring0 code is executing. Introduce a generic late initcall to defer activating some CPU features until userspace is enabled. For now, only move the LASS CR4 programming to this initcall. As APs are already up by the time late initcalls run, some extra steps are needed to enable LASS on all CPUs. Use a CPU hotplug callback instead of on_each_cpu() or smp_call_function(). This ensures that LASS is enabled on every CPU that is currently online as well as any future CPUs that come online later. Note, even though hotplug callbacks run with preemption enabled, cr4_set_bits() would disable interrupts while updating CR4. Keep the existing logic in place to clear the LASS feature bits early. setup_clear_cpu_cap() must be called before boot_cpu_data is finalized and alternatives are patched. 
Eventually, the entire setup_lass() logic can go away once the restrictions based on vsyscall emulation and EFI are removed. Signed-off-by: Sohil Mehta Signed-off-by: Dave Hansen Tested-by: Tony Luck Tested-by: Maciej Wieczor-Retman Link: https://patch.msgid.link/20260120234730.2215498-2-sohil.mehta@intel.com --- arch/x86/kernel/cpu/common.c | 27 ++++++++++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c index 1c3261cae40c..8c56d5970d61 100644 --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c @@ -422,12 +422,33 @@ static __always_inline void setup_lass(struct cpuinfo_x86 *c) if (IS_ENABLED(CONFIG_X86_VSYSCALL_EMULATION) || IS_ENABLED(CONFIG_EFI)) { setup_clear_cpu_cap(X86_FEATURE_LASS); - return; } - - cr4_set_bits(X86_CR4_LASS); } +static int enable_lass(unsigned int cpu) +{ + cr4_set_bits(X86_CR4_LASS); + + return 0; +} + +/* + * Finalize features that need to be enabled just before entering + * userspace. Note that this only runs on a single CPU. Use appropriate + * callbacks if all the CPUs need to reflect the same change. + */ +static int cpu_finalize_pre_userspace(void) +{ + if (!cpu_feature_enabled(X86_FEATURE_LASS)) + return 0; + + /* Runs on all online CPUs and future CPUs that come online. */ + cpuhp_setup_state(CPUHP_AP_ONLINE_DYN, "x86/lass:enable", enable_lass, NULL); + + return 0; +} +late_initcall(cpu_finalize_pre_userspace); + /* These bits should not change their value after CPU init is finished. */ static const unsigned long cr4_pinned_mask = X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_UMIP | X86_CR4_FSGSBASE | X86_CR4_CET | X86_CR4_FRED; From 0021e71cfb96d7816e2027a76b813da6003c3a0c Mon Sep 17 00:00:00 2001 
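Review bot: in cpu_finalize_pre_userspace() (PATCH 01/11, arch/x86/kernel/cpu/common.c) the return value of cpuhp_setup_state() is dropped, so a failed registration of "x86/lass:enable" leaves X86_FEATURE_LASS set while CR4.LASS is never programmed on any CPU. Check for a negative return and warn, so that the reported feature state can be told apart from what is actually enforced. The cr4_pinned_mask context right below the hunk also does not list X86_CR4_LASS; a one-line comment saying whether that is deliberate would help the next reader.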
From: Sohil Mehta Date: Tue, 20 Jan 2026 15:47:29 -0800 Subject: [PATCH 02/11] x86/efi: Disable LASS while executing runtime services Ideally, EFI runtime services should switch to kernel virtual addresses after SetVirtualAddressMap(). However, firmware implementations are known to be buggy in this regard and continue to access physical addresses. The kernel maintains a 1:1 mapping of all runtime services code and data regions to avoid breaking such firmware. LASS enforcement relies on bit 63 of the virtual address, which would block such accesses to the lower half. Unfortunately, not doing anything could lead to #GP faults when users update to a kernel with LASS enabled. One option is to use a STAC/CLAC pair to temporarily disable LASS data enforcement. However, there is no guarantee that the stray accesses would only touch data and not perform instruction fetches. Also, relying on the AC bit would depend on the runtime calls preserving RFLAGS, which is highly unlikely in practice. Instead, use the big hammer and switch off the entire LASS mechanism temporarily by clearing CR4.LASS. Runtime services are called in the context of efi_mm, which has explicitly unmapped any memory EFI isn't allowed to touch (including userspace). So, do this right after switching to efi_mm to avoid any security impact. Some runtime services can be invoked during boot when LASS isn't active. Use a global variable (similar to efi_mm) to save and restore the correct CR4.LASS state. The runtime calls are serialized with the efi_runtime_lock, so no concurrency issues are expected. Signed-off-by: Sohil Mehta Signed-off-by: Dave Hansen Tested-by: Tony Luck Tested-by: Maciej Wieczor-Retman Link: https://patch.msgid.link/20260120234730.2215498-3-sohil.mehta@intel.com --- arch/x86/platform/efi/efi_64.c | 35 ++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c index b4409df2105a..5861008eab22 100644 
--- a/arch/x86/platform/efi/efi_64.c +++ b/arch/x86/platform/efi/efi_64.c @@ -55,6 +55,7 @@ */ static u64 efi_va = EFI_VA_START; static struct mm_struct *efi_prev_mm; +static unsigned long efi_cr4_lass; /* * We need our own copy of the higher levels of the page tables @@ -443,16 +444,50 @@ static void efi_leave_mm(void) unuse_temporary_mm(efi_prev_mm); } +/* + * Toggle LASS to allow EFI to access any 1:1 mapped region in the lower + * half. + * + * Disable LASS only after switching to EFI-mm, as userspace is not + * mapped in it. Similar to EFI-mm, these rely on preemption being + * disabled and the calls being serialized. + */ + +static void efi_disable_lass(void) +{ + if (!cpu_feature_enabled(X86_FEATURE_LASS)) + return; + + lockdep_assert_preemption_disabled(); + + /* Save current CR4.LASS state */ + efi_cr4_lass = cr4_read_shadow() & X86_CR4_LASS; + cr4_clear_bits(efi_cr4_lass); +} + +static void efi_enable_lass(void) +{ + if (!cpu_feature_enabled(X86_FEATURE_LASS)) + return; + + lockdep_assert_preemption_disabled(); + + /* Reprogram CR4.LASS only if it was set earlier */ + cr4_set_bits(efi_cr4_lass); +} + void arch_efi_call_virt_setup(void) { efi_sync_low_kernel_mappings(); efi_fpu_begin(); firmware_restrict_branch_speculation_start(); efi_enter_mm(); + efi_disable_lass(); } void arch_efi_call_virt_teardown(void) { + efi_enable_lass(); efi_leave_mm(); firmware_restrict_branch_speculation_end(); efi_fpu_end(); From 68400c1aaf02636a97c45ba198110b66feb270a9 Mon Sep 17 00:00:00 2001 From: Sohil Mehta Date: Tue, 20 Jan 2026 15:47:30 -0800 Subject: [PATCH 03/11] x86/cpu: Remove LASS restriction on EFI The initial LASS enabling has been deferred to much later during boot, and EFI runtime services now run with LASS temporarily disabled. This removes LASS from the path of all EFI services. Remove the LASS restriction on EFI config, as the two can now coexist. Signed-off-by: Sohil Mehta 
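Review bot: efi_disable_lass() and efi_enable_lass() (PATCH 02/11, arch/x86/platform/efi/efi_64.c) share the single file-scope efi_cr4_lass and assert only that preemption is disabled; the serialization they depend on is named in the commit message (efi_runtime_lock) but not in the comment above the helpers. Name the lock there, and state whether interrupts taken while the firmware call is running are expected to execute with CR4.LASS clear, since nothing in these lines disables them. There is also a stray blank line between the comment block and efi_disable_lass().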
Signed-off-by: Dave Hansen Tested-by: Tony Luck Tested-by: Maciej Wieczor-Retman Link: https://patch.msgid.link/20260120234730.2215498-4-sohil.mehta@intel.com --- arch/x86/kernel/cpu/common.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c index 8c56d5970d61..3557f0e6b3aa 100644 --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c @@ -415,14 +415,9 @@ static __always_inline void setup_lass(struct cpuinfo_x86 *c) * Legacy vsyscall page access causes a #GP when LASS is active. * Disable LASS because the #GP handler doesn't support vsyscall * emulation. - * - * Also disable LASS when running under EFI, as some runtime and - * boot services rely on 1:1 mappings in the lower half. */ - if (IS_ENABLED(CONFIG_X86_VSYSCALL_EMULATION) || - IS_ENABLED(CONFIG_EFI)) { + if (IS_ENABLED(CONFIG_X86_VSYSCALL_EMULATION)) setup_clear_cpu_cap(X86_FEATURE_LASS); - } } static int enable_lass(unsigned int cpu) From 3ddd2e12c704f22c28efb714817c88ee4e25688a Mon Sep 17 00:00:00 2001 From: Sohil Mehta Date: Mon, 9 Mar 2026 11:10:25 -0700 Subject: [PATCH 04/11] x86/vsyscall: Reorganize the page fault emulation code With LASS, vsyscall page accesses will cause a #GP instead of a #PF. Separate out the core vsyscall emulation code from the #PF specific handling in preparation for the upcoming #GP emulation. No functional change intended. Signed-off-by: Sohil Mehta Signed-off-by: Dave Hansen Reviewed-by: H. Peter Anvin (Intel) Acked-by: Dave Hansen Tested-by: Maciej Wieczor-Retman Link: https://patch.msgid.link/20260309181029.398498-2-sohil.mehta@intel.com --- arch/x86/entry/vsyscall/vsyscall_64.c | 66 ++++++++++++++------------- arch/x86/include/asm/vsyscall.h | 7 ++- arch/x86/mm/fault.c | 2 +- 3 files changed, 39 insertions(+), 36 deletions(-) diff --git a/arch/x86/entry/vsyscall/vsyscall_64.c b/arch/x86/entry/vsyscall/vsyscall_64.c index 4bd1e271bb22..398b1ed16f1e 100644 
--- a/arch/x86/entry/vsyscall/vsyscall_64.c +++ b/arch/x86/entry/vsyscall/vsyscall_64.c @@ -111,43 +111,13 @@ static bool write_ok_or_segv(unsigned long ptr, size_t size) } } -bool emulate_vsyscall(unsigned long error_code, - struct pt_regs *regs, unsigned long address) +static bool __emulate_vsyscall(struct pt_regs *regs, unsigned long address) { unsigned long caller; int vsyscall_nr, syscall_nr, tmp; long ret; unsigned long orig_dx; - /* Write faults or kernel-privilege faults never get fixed up. */ - if ((error_code & (X86_PF_WRITE | X86_PF_USER)) != X86_PF_USER) - return false; - - /* - * Assume that faults at regs->ip are because of an - * instruction fetch. Return early and avoid - * emulation for faults during data accesses: - */ - if (address != regs->ip) { - /* Failed vsyscall read */ - if (vsyscall_mode == EMULATE) - return false; - - /* - * User code tried and failed to read the vsyscall page. - */ - warn_bad_vsyscall(KERN_INFO, regs, "vsyscall read attempt denied -- look up the vsyscall kernel parameter if you need a workaround"); - return false; - } - - /* - * X86_PF_INSTR is only set when NX is supported. When - * available, use it to double-check that the emulation code - * is only being used for instruction fetches: - */ - if (cpu_feature_enabled(X86_FEATURE_NX)) - WARN_ON_ONCE(!(error_code & X86_PF_INSTR)); - /* * No point in checking CS -- the only way to get here is a user mode * trap to a high address, which means that we're in 64-bit user code. 
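Review bot: after this hunk __emulate_vsyscall() (PATCH 04/11, arch/x86/entry/vsyscall/vsyscall_64.c) carries none of the fault-type checks itself, yet the retained comment still argues that "the only way to get here is a user mode trap to a high address". Since the commit message says this is preparation for a second (#GP) caller, add a line to the function's comment listing what every caller must already have established: a user-mode instruction fetch at `address`.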
@@ -280,6 +250,40 @@ bool emulate_vsyscall(unsigned long error_code, return true; } +bool emulate_vsyscall_pf(unsigned long error_code, struct pt_regs *regs, + unsigned long address) +{ + /* Write faults or kernel-privilege faults never get fixed up. */ + if ((error_code & (X86_PF_WRITE | X86_PF_USER)) != X86_PF_USER) + return false; + + /* + * Assume that faults at regs->ip are because of an instruction + * fetch. Return early and avoid emulation for faults during + * data accesses: + */ + if (address != regs->ip) { + /* Failed vsyscall read */ + if (vsyscall_mode == EMULATE) + return false; + + /* User code tried and failed to read the vsyscall page. */ + warn_bad_vsyscall(KERN_INFO, regs, + "vsyscall read attempt denied -- look up the vsyscall kernel parameter if you need a workaround"); + return false; + } + + /* + * X86_PF_INSTR is only set when NX is supported. When + * available, use it to double-check that the emulation code + * is only being used for instruction fetches: + */ + if (cpu_feature_enabled(X86_FEATURE_NX)) + WARN_ON_ONCE(!(error_code & X86_PF_INSTR)); + + return __emulate_vsyscall(regs, address); +} + /* * A pseudo VMA to allow ptrace access for the vsyscall page. This only * covers the 64bit vsyscall page now. 32bit has a real VMA now and does diff --git a/arch/x86/include/asm/vsyscall.h b/arch/x86/include/asm/vsyscall.h index 472f0263dbc6..f34902364972 100644 --- a/arch/x86/include/asm/vsyscall.h +++ b/arch/x86/include/asm/vsyscall.h 
@@ -14,12 +14,11 @@ extern void set_vsyscall_pgtable_user_bits(pgd_t *root); * Called on instruction fetch fault in vsyscall page. * Returns true if handled. */ -extern bool emulate_vsyscall(unsigned long error_code, - struct pt_regs *regs, unsigned long address); +bool emulate_vsyscall_pf(unsigned long error_code, struct pt_regs *regs, unsigned long address); #else static inline void map_vsyscall(void) {} -static inline bool emulate_vsyscall(unsigned long error_code, - struct pt_regs *regs, unsigned long address) +static inline bool emulate_vsyscall_pf(unsigned long error_code, + struct pt_regs *regs, unsigned long address) { return false; } diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c index b83a06739b51..f0e77e084482 100644 --- a/arch/x86/mm/fault.c +++ b/arch/x86/mm/fault.c @@ -1314,7 +1314,7 @@ void do_user_addr_fault(struct pt_regs *regs, * to consider the PF_PK bit. */ if (is_vsyscall_vaddr(address)) { - if (emulate_vsyscall(error_code, regs, address)) + if (emulate_vsyscall_pf(error_code, regs, address)) return; } #endif From 4e57fdd11083d5cd44febc4b6613777291ec936e Mon Sep 17 00:00:00 2001 From: Sohil Mehta Date: Mon, 9 Mar 2026 11:10:26 -0700 Subject: [PATCH 05/11] x86/traps: Consolidate user fixups in the #GP handler Move the UMIP exception fixup under the common "if (user_mode(regs))" condition where the rest of user mode fixups reside. Also, move the UMIP feature check into its fixup function to keep the calling code consistent and clean. No functional change intended. Suggested-by: Dave Hansen Signed-off-by: Sohil Mehta Signed-off-by: Dave Hansen Reviewed-by: H. Peter Anvin (Intel) Acked-by: Dave Hansen Tested-by: Maciej Wieczor-Retman Link: https://patch.msgid.link/20260309181029.398498-3-sohil.mehta@intel.com --- arch/x86/kernel/traps.c | 8 +++----- arch/x86/kernel/umip.c | 3 +++ 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c index 4dbff8ef9b1c..614a281bd419 100644 
--- a/arch/x86/kernel/traps.c +++ b/arch/x86/kernel/traps.c @@ -921,11 +921,6 @@ DEFINE_IDTENTRY_ERRORCODE(exc_general_protection) cond_local_irq_enable(regs); - if (static_cpu_has(X86_FEATURE_UMIP)) { - if (user_mode(regs) && fixup_umip_exception(regs)) - goto exit; - } - if (v8086_mode(regs)) { local_irq_enable(); handle_vm86_fault((struct kernel_vm86_regs *) regs, error_code); @@ -940,6 +935,9 @@ DEFINE_IDTENTRY_ERRORCODE(exc_general_protection) if (fixup_vdso_exception(regs, X86_TRAP_GP, error_code, 0)) goto exit; + if (fixup_umip_exception(regs)) + goto exit; + gp_user_force_sig_segv(regs, X86_TRAP_GP, error_code, desc); goto exit; } diff --git a/arch/x86/kernel/umip.c b/arch/x86/kernel/umip.c index d432f3824f0c..3ce99cbcf187 100644 --- a/arch/x86/kernel/umip.c +++ b/arch/x86/kernel/umip.c @@ -354,6 +354,9 @@ bool fixup_umip_exception(struct pt_regs *regs) void __user *uaddr; struct insn insn; + if (!cpu_feature_enabled(X86_FEATURE_UMIP)) + return false; + if (!regs) return false; From 8376b503b0f18d7425b42621798518e61e2ea601 Mon Sep 17 00:00:00 2001 
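Review bot: in exc_general_protection() (PATCH 05/11, arch/x86/kernel/traps.c) the fixup_umip_exception() call moves from ahead of the v8086_mode() check to after fixup_vdso_exception(), so the order in which the fixups are tried changes even though the commit message says "No functional change intended". Add a sentence to the commit message explaining why the new position relative to the v8086 path and the vDSO fixup cannot change the outcome. The umip.c hunk also switches the feature test from static_cpu_has() to cpu_feature_enabled(); worth mentioning in the same place.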
From: Sohil Mehta Date: Mon, 9 Mar 2026 11:10:27 -0700 Subject: [PATCH 06/11] x86/vsyscall: Restore vsyscall=xonly mode under LASS Background ========== The vsyscall page is located in the high/kernel part of the address space. Prior to LASS, a vsyscall page access from userspace would always generate a #PF. The kernel emulates the accesses in the #PF handler and returns the appropriate values to userspace. Vsyscall emulation has two modes of operation, specified by the vsyscall={xonly, emulate} kernel command line option. The vsyscall page behaves as execute-only in XONLY mode or read-execute in EMULATE mode. XONLY mode is the default and the only one expected to be commonly used. The EMULATE mode has been deprecated since 2022 and is considered insecure. With LASS, a vsyscall page access triggers a #GP instead of a #PF. Currently, LASS is only enabled when all vsyscall modes are disabled. LASS with XONLY mode ==================== Now add support for LASS specifically with XONLY vsyscall emulation. For XONLY mode, all that is needed is the faulting RIP, which is trivially available regardless of the type of fault. Reuse the #PF emulation code during the #GP when the fault address points to the vsyscall page. As multiple fault handlers will now be using the emulation code, add a sanity check to ensure that the fault truly happened in 64-bit user mode. LASS with EMULATE mode ====================== Supporting vsyscall=emulate with LASS is much harder because the #GP doesn't provide enough error information (such as PFEC and CR2 as in case of a #PF). So, complex instruction decoding would be required to emulate this mode in the #GP handler. This isn't worth the effort as remaining users of EMULATE mode can be reasonably assumed to be niche users, who are already trading off security for compatibility. LASS and vsyscall=emulate will be kept mutually exclusive for simplicity. Signed-off-by: Sohil Mehta 
Signed-off-by: Dave Hansen Reviewed-by: H. Peter Anvin (Intel) Tested-by: Maciej Wieczor-Retman Link: https://patch.msgid.link/20260309181029.398498-4-sohil.mehta@intel.com --- arch/x86/entry/vsyscall/vsyscall_64.c | 22 +++++++++++++++++----- arch/x86/include/asm/vsyscall.h | 6 ++++++ arch/x86/kernel/traps.c | 4 ++++ 3 files changed, 27 insertions(+), 5 deletions(-) diff --git a/arch/x86/entry/vsyscall/vsyscall_64.c b/arch/x86/entry/vsyscall/vsyscall_64.c index 398b1ed16f1e..e740f3b42278 100644 --- a/arch/x86/entry/vsyscall/vsyscall_64.c +++ b/arch/x86/entry/vsyscall/vsyscall_64.c @@ -23,7 +23,7 @@ * soon be no new userspace code that will ever use a vsyscall. * * The code in this file emulates vsyscalls when notified of a page - * fault to a vsyscall address. + * fault or a general protection fault to a vsyscall address. */ #include @@ -118,10 +118,9 @@ static bool __emulate_vsyscall(struct pt_regs *regs, unsigned long address) long ret; unsigned long orig_dx; - /* - * No point in checking CS -- the only way to get here is a user mode - * trap to a high address, which means that we're in 64-bit user code. - */ + /* Confirm that the fault happened in 64-bit user mode */ + if (!user_64bit_mode(regs)) + return false; if (vsyscall_mode == NONE) { warn_bad_vsyscall(KERN_INFO, regs, @@ -284,6 +283,19 @@ bool emulate_vsyscall_pf(unsigned long error_code, struct pt_regs *regs, return __emulate_vsyscall(regs, address); } +bool emulate_vsyscall_gp(struct pt_regs *regs) +{ + /* Without LASS, vsyscall accesses are expected to generate a #PF */ + if (!cpu_feature_enabled(X86_FEATURE_LASS)) + return false; + + /* Emulate only if the RIP points to the vsyscall address */ + if (!is_vsyscall_vaddr(regs->ip)) + return false; + + return __emulate_vsyscall(regs, regs->ip); +} + /* * A pseudo VMA to allow ptrace access for the vsyscall page. This only * covers the 64bit vsyscall page now. 32bit has a real VMA now and does 
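Review bot: emulate_vsyscall_gp() (PATCH 06/11, arch/x86/entry/vsyscall/vsyscall_64.c) never looks at vsyscall_mode; the commit message says LASS and vsyscall=emulate are kept mutually exclusive, but nothing in the function records that assumption. Add a comment saying the #GP path is only reachable in XONLY or NONE mode, or a WARN_ON_ONCE(vsyscall_mode == EMULATE), so the invariant is visible where it is relied upon.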
diff --git a/arch/x86/include/asm/vsyscall.h b/arch/x86/include/asm/vsyscall.h index f34902364972..538053b1656a 100644 --- a/arch/x86/include/asm/vsyscall.h +++ b/arch/x86/include/asm/vsyscall.h @@ -15,6 +15,7 @@ extern void set_vsyscall_pgtable_user_bits(pgd_t *root); * Returns true if handled. */ bool emulate_vsyscall_pf(unsigned long error_code, struct pt_regs *regs, unsigned long address); +bool emulate_vsyscall_gp(struct pt_regs *regs); #else static inline void map_vsyscall(void) {} static inline bool emulate_vsyscall_pf(unsigned long error_code, @@ -22,6 +23,11 @@ static inline bool emulate_vsyscall_pf(unsigned long error_code, { return false; } + +static inline bool emulate_vsyscall_gp(struct pt_regs *regs) +{ + return false; +} #endif /* diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c index 614a281bd419..0ca3912ecb7f 100644 --- a/arch/x86/kernel/traps.c +++ b/arch/x86/kernel/traps.c @@ -70,6 +70,7 @@ #include #include #include +#include #ifdef CONFIG_X86_64 #include @@ -938,6 +939,9 @@ DEFINE_IDTENTRY_ERRORCODE(exc_general_protection) if (fixup_umip_exception(regs)) goto exit; + if (emulate_vsyscall_gp(regs)) + goto exit; + gp_user_force_sig_segv(regs, X86_TRAP_GP, error_code, desc); goto exit; } From b36d1f53d90c869d5f02fe0d8603f825013e746e Mon Sep 17 00:00:00 2001 
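Review bot: in exc_general_protection() (PATCH 06/11, arch/x86/kernel/traps.c) emulate_vsyscall_gp() is called after fixup_umip_exception(), so a vsyscall fetch with RIP in the kernel half first goes through the UMIP fixup before reaching a handler whose first steps are only a feature check and is_vsyscall_vaddr(regs->ip). Consider calling it ahead of the UMIP fixup, or note in the commit message why this order was chosen. In vsyscall.h, the existing "Called on instruction fetch fault in vsyscall page" comment now sits above both declarations and could say which fault each one serves.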
From: Sohil Mehta Date: Mon, 9 Mar 2026 11:10:28 -0700 Subject: [PATCH 07/11] x86/vsyscall: Disable LASS if vsyscall mode is set to EMULATE The EMULATE mode of vsyscall maps the vsyscall page with a high kernel address directly into user address space. Reading the vsyscall page in EMULATE mode would cause LASS to trigger a #GP. Fixing the LASS violation in EMULATE mode would require complex instruction decoding because the resulting #GP does include the necessary error information, and the vsyscall address is not readily available in the RIP. The EMULATE mode has been deprecated since 2022 and can only be enabled using the command line parameter vsyscall=emulate. See commit bf00745e7791 ("x86/vsyscall: Remove CONFIG_LEGACY_VSYSCALL_EMULATE") for details. At this point, no one is expected to be using this insecure mode. The rare usages that need it obviously do not care about security. Disable LASS when EMULATE mode is requested to avoid breaking legacy user software. Also, update the vsyscall documentation to reflect this. LASS will only be supported if vsyscall mode is set to XONLY (default) or NONE. Signed-off-by: Sohil Mehta Signed-off-by: Dave Hansen Reviewed-by: Rick Edgecombe Reviewed-by: Dave Hansen Reviewed-by: H. Peter Anvin (Intel) Tested-by: Maciej Wieczor-Retman Link: https://patch.msgid.link/20260309181029.398498-5-sohil.mehta@intel.com --- Documentation/admin-guide/kernel-parameters.txt | 4 +++- arch/x86/entry/vsyscall/vsyscall_64.c | 5 +++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index cb850e5290c2..64df2c52b2e5 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt 
@@ -8376,7 +8376,9 @@ Kernel parameters emulate Vsyscalls turn into traps and are emulated reasonably safely. The vsyscall page is - readable. + readable. This disables the Linear + Address Space Separation (LASS) security + feature and makes the system less secure. xonly [default] Vsyscalls turn into traps and are emulated reasonably safely. The vsyscall diff --git a/arch/x86/entry/vsyscall/vsyscall_64.c b/arch/x86/entry/vsyscall/vsyscall_64.c index e740f3b42278..ea36de9fa864 100644 --- a/arch/x86/entry/vsyscall/vsyscall_64.c +++ b/arch/x86/entry/vsyscall/vsyscall_64.c @@ -62,6 +62,11 @@ static int __init vsyscall_setup(char *str) else return -EINVAL; + if (cpu_feature_enabled(X86_FEATURE_LASS) && vsyscall_mode == EMULATE) { + setup_clear_cpu_cap(X86_FEATURE_LASS); + pr_warn_once("x86/cpu: Disabling LASS due to vsyscall=emulate\n"); + } + return 0; } From 584d752b8a1f0ee3a7d5a831e55623c10e7ca0ee Mon Sep 17 00:00:00 2001 From: Sohil Mehta Date: Mon, 9 Mar 2026 11:10:29 -0700 Subject: [PATCH 08/11] x86/cpu: Remove LASS restriction on vsyscall emulation Vsyscall emulation has two modes of operation: XONLY and EMULATE. The default XONLY mode is now supported with a LASS-triggered #GP. OTOH, LASS is disabled if someone requests the deprecated EMULATE mode via the vsyscall=emulate command line option. So, remove the restriction on LASS when the overall vsyscall emulation support is compiled in. As a result, there is no need for setup_lass() anymore. LASS is enabled by default through a late_initcall(). Signed-off-by: Sohil Mehta Signed-off-by: Dave Hansen Reviewed-by: Dave Hansen Reviewed-by: H. Peter Anvin (Intel) Reviewed-by: Tested-by: Maciej Wieczor-Retman Link: https://patch.msgid.link/20260309181029.398498-6-sohil.mehta@intel.com --- arch/x86/kernel/cpu/common.c | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c index 3557f0e6b3aa..02472fc763d9 100644 --- a/arch/x86/kernel/cpu/common.c 
+++ b/arch/x86/kernel/cpu/common.c @@ -406,20 +406,6 @@ static __always_inline void setup_umip(struct cpuinfo_x86 *c) cr4_clear_bits(X86_CR4_UMIP); } -static __always_inline void setup_lass(struct cpuinfo_x86 *c) -{ - if (!cpu_feature_enabled(X86_FEATURE_LASS)) - return; - - /* - * Legacy vsyscall page access causes a #GP when LASS is active. - * Disable LASS because the #GP handler doesn't support vsyscall - * emulation. - */ - if (IS_ENABLED(CONFIG_X86_VSYSCALL_EMULATION)) - setup_clear_cpu_cap(X86_FEATURE_LASS); -} - static int enable_lass(unsigned int cpu) { cr4_set_bits(X86_CR4_LASS); @@ -2061,7 +2047,6 @@ static void identify_cpu(struct cpuinfo_x86 *c) setup_smep(c); setup_smap(c); setup_umip(c); - setup_lass(c); /* Enable FSGSBASE instructions if available. */ if (cpu_has(c, X86_FEATURE_FSGSBASE)) { From 93a1f0e61329f538cfc7122d7fa0e7a1803e326d Mon Sep 17 00:00:00 2001 From: "Ahmed S. Darwish" Date: Fri, 27 Mar 2026 03:15:15 +0100 Subject: [PATCH 09/11] ASoC: Intel: avs: Check maximum valid CPUID leaf The Intel AVS driver queries CPUID(0x15) before checking if the CPUID leaf is available. Check the maximum-valid CPU standard leaf beforehand. Use the CPUID_LEAF_TSC macro instead of the custom local one for the CPUID(0x15) leaf number. Fixes: cbe37a4d2b3c ("ASoC: Intel: avs: Configure basefw on TGL-based platforms") Signed-off-by: Ahmed S. Darwish Signed-off-by: Borislav Petkov (AMD) Acked-by: Cezary Rojewski Link: https://patch.msgid.link/20260327021645.555257-2-darwi@linutronix.de --- sound/soc/intel/avs/tgl.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/sound/soc/intel/avs/tgl.c b/sound/soc/intel/avs/tgl.c index afb066516101..4649d749b41e 100644 --- a/sound/soc/intel/avs/tgl.c +++ b/sound/soc/intel/avs/tgl.c @@ -11,8 +11,6 @@ #include "debug.h" #include "messages.h" -#define CPUID_TSC_LEAF 0x15 - static int avs_tgl_dsp_core_power(struct avs_dev *adev, u32 core_mask, bool power) { core_mask &= AVS_MAIN_CORE_MASK; 
@@ -49,7 +47,11 @@ static int avs_tgl_config_basefw(struct avs_dev *adev) unsigned int ecx; #include - ecx = cpuid_ecx(CPUID_TSC_LEAF); + + if (boot_cpu_data.cpuid_level < CPUID_LEAF_TSC) + goto no_cpuid; + + ecx = cpuid_ecx(CPUID_LEAF_TSC); if (ecx) { ret = avs_ipc_set_fw_config(adev, 1, AVS_FW_CFG_XTAL_FREQ_HZ, sizeof(ecx), &ecx); if (ret) @@ -57,6 +59,7 @@ static int avs_tgl_config_basefw(struct avs_dev *adev) } #endif +no_cpuid: hwid.device = pci->device; hwid.subsystem = pci->subsystem_vendor | (pci->subsystem_device << 16); hwid.revision = pci->revision; From 7f78e0b46e9984e955cb73ffada8dace8b4dd059 Mon Sep 17 00:00:00 2001 From: "Ahmed S. Darwish" Date: Fri, 27 Mar 2026 03:15:16 +0100 Subject: [PATCH 10/11] ASoC: Intel: avs: Include CPUID header at file scope Commit cbe37a4d2b3c ("ASoC: Intel: avs: Configure basefw on TGL-based platforms") includes the main CPUID header from within a C function. This works by luck and forbids valid refactoring inside that header. Include the CPUID header at file scope instead. Remove the COMPILE_TEST build flag so that the CONFIG_X86 conditionals can be removed. The driver gets enough compilation testing already on x86. For clarity, refactor the CPUID(0x15) code into its own function without changing any of the driver's logic. Fixes: cbe37a4d2b3c ("ASoC: Intel: avs: Configure basefw on TGL-based platforms") Suggested-by: Borislav Petkov # CONFIG_X86 removal Signed-off-by: Ahmed S. Darwish Signed-off-by: Borislav Petkov (AMD) Acked-by: Cezary Rojewski Link: https://lore.kernel.org/all/20250612234010.572636-3-darwi@linutronix.de --- sound/soc/intel/Kconfig | 2 +- sound/soc/intel/avs/tgl.c | 41 +++++++++++++++++++++++++-------------- 2 files changed, 27 insertions(+), 16 deletions(-) diff --git a/sound/soc/intel/Kconfig b/sound/soc/intel/Kconfig index 412555e626b8..63367364916a 100644 --- a/sound/soc/intel/Kconfig +++ b/sound/soc/intel/Kconfig 
@@ -95,7 +95,7 @@ config SND_SOC_INTEL_KEEMBAY config SND_SOC_INTEL_AVS tristate "Intel AVS driver" - depends on X86 || COMPILE_TEST + depends on X86 depends on PCI depends on COMMON_CLK select ACPI_NHLT if ACPI diff --git a/sound/soc/intel/avs/tgl.c b/sound/soc/intel/avs/tgl.c index 4649d749b41e..a7123639de43 100644 --- a/sound/soc/intel/avs/tgl.c +++ b/sound/soc/intel/avs/tgl.c @@ -7,6 +7,7 @@ // #include +#include #include "avs.h" #include "debug.h" #include "messages.h" @@ -38,28 +39,38 @@ static int avs_tgl_dsp_core_stall(struct avs_dev *adev, u32 core_mask, bool stal return avs_dsp_core_stall(adev, core_mask, stall); } +/* + * Succeed if CPUID(0x15) is not available, or if the nominal core crystal clock + * frequency cannot be enumerated from it. There is nothing to do in both cases. + */ +static int avs_tgl_set_xtal_freq(struct avs_dev *adev) +{ + unsigned int freq; + int ret; + + if (boot_cpu_data.cpuid_level < CPUID_LEAF_TSC) + return 0; + + freq = cpuid_ecx(CPUID_LEAF_TSC); + if (freq) { + ret = avs_ipc_set_fw_config(adev, 1, AVS_FW_CFG_XTAL_FREQ_HZ, sizeof(freq), &freq); + if (ret) + return AVS_IPC_RET(ret); + } + + return 0; +} + static int avs_tgl_config_basefw(struct avs_dev *adev) { struct pci_dev *pci = adev->base.pci; struct avs_bus_hwid hwid; int ret; -#ifdef CONFIG_X86 - unsigned int ecx; -#include + ret = avs_tgl_set_xtal_freq(adev); + if (ret) + return ret; - if (boot_cpu_data.cpuid_level < CPUID_LEAF_TSC) - goto no_cpuid; - - ecx = cpuid_ecx(CPUID_LEAF_TSC); - if (ecx) { - ret = avs_ipc_set_fw_config(adev, 1, AVS_FW_CFG_XTAL_FREQ_HZ, sizeof(ecx), &ecx); - if (ret) - return AVS_IPC_RET(ret); - } -#endif - -no_cpuid: hwid.device = pci->device; hwid.subsystem = pci->subsystem_vendor | (pci->subsystem_device << 16); hwid.revision = pci->revision; From 124ad3034ec0029b65178f3ab8a6cdca5a0b0519 Mon Sep 17 00:00:00 2001 
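Review bot: PATCH 10/11 carries a Fixes: tag but bundles three things: the file-scope include, the new avs_tgl_set_xtal_freq() helper in sound/soc/intel/avs/tgl.c, and the Kconfig change that drops COMPILE_TEST from SND_SOC_INTEL_AVS. The Kconfig hunk narrows build coverage for the whole driver, which is a larger change than the include fix it rides along with; splitting it into its own patch would keep the fix minimal for anyone picking it up by its Fixes: tag.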
From: "Ahmed S. Darwish" Date: Fri, 27 Mar 2026 03:15:17 +0100 Subject: [PATCH 11/11] tools/x86/kcpuid: Update bitfields to x86-cpuid-db v3.0 Update kcpuid's CSV to version 3.0, as generated by x86-cpuid-db. Summary of the v2.5 changes: - Reduce the verbosity of leaf and bitfields descriptions, as formerly requested by Boris. - Leaf 0x8000000a: Add Page Modification Logging (PML) bit. Summary of the v3.0 changes: - Leaf 0x23: Introduce subleaf 2, Auto Counter Reload (ACR) - Leaf 0x23: Introduce subleaf 4/5, PEBS capabilities and counters - Leaf 0x1c: Return LBR depth as a bitmask instead of individual bits - Leaf 0x0a: Use more descriptive PMU bitfield names - Leaf 0x0a: Add various missing PMU events - Leaf 0x06: Add missing IA32_HWP_CTL flag - Leaf 0x0f: Add missing non-CPU (IO) Intel RDT bits Thanks to Dave Hansen for reporting multiple missing bits. Signed-off-by: Ahmed S. Darwish Signed-off-by: Borislav Petkov (AMD) Link: https://gitlab.com/x86-cpuid.org/x86-cpuid-db/-/blob/v2.5/CHANGELOG.rst Link: https://gitlab.com/x86-cpuid.org/x86-cpuid-db/-/blob/v3.0/CHANGELOG.rst --- tools/arch/x86/kcpuid/cpuid.csv | 661 +++++++++++++++++--------------- 1 file changed, 342 insertions(+), 319 deletions(-) diff --git a/tools/arch/x86/kcpuid/cpuid.csv b/tools/arch/x86/kcpuid/cpuid.csv index 8d925ce9750f..9f5155c825ca 100644 --- a/tools/arch/x86/kcpuid/cpuid.csv +++ b/tools/arch/x86/kcpuid/cpuid.csv @@ -1,5 +1,5 @@ # SPDX-License-Identifier: CC0-1.0 -# Generator: x86-cpuid-db v2.4 +# Generator: x86-cpuid-db v3.0 # # Auto-generated file. 
@@ -10,9 +10,9 @@ # LEAF, SUBLEAVES, reg, bits, short_name , long_description # Leaf 0H -# Maximum standard leaf number + CPU vendor string +# Maximum standard leaf + CPU vendor string - 0x0, 0, eax, 31:0, max_std_leaf , Highest standard CPUID leaf supported + 0x0, 0, eax, 31:0, max_std_leaf , Highest standard CPUID leaf 0x0, 0, ebx, 31:0, cpu_vendorid_0 , CPU vendor ID string bytes 0 - 3 0x0, 0, ecx, 31:0, cpu_vendorid_2 , CPU vendor ID string bytes 8 - 11 0x0, 0, edx, 31:0, cpu_vendorid_1 , CPU vendor ID string bytes 4 - 7 
@@ -134,23 +134,23 @@ 0x4, 31:0, edx, 2, complex_indexing , Not a direct-mapped cache (complex function) # Leaf 5H -# MONITOR/MWAIT instructions enumeration +# MONITOR/MWAIT instructions 0x5, 0, eax, 15:0, min_mon_size , Smallest monitor-line size, in bytes 0x5, 0, ebx, 15:0, max_mon_size , Largest monitor-line size, in bytes - 0x5, 0, ecx, 0, mwait_ext , Enumeration of MONITOR/MWAIT extensions is supported - 0x5, 0, ecx, 1, mwait_irq_break , Interrupts as a break-event for MWAIT is supported - 0x5, 0, edx, 3:0, n_c0_substates , Number of C0 sub C-states supported using MWAIT - 0x5, 0, edx, 7:4, n_c1_substates , Number of C1 sub C-states supported using MWAIT - 0x5, 0, edx, 11:8, n_c2_substates , Number of C2 sub C-states supported using MWAIT - 0x5, 0, edx, 15:12, n_c3_substates , Number of C3 sub C-states supported using MWAIT - 0x5, 0, edx, 19:16, n_c4_substates , Number of C4 sub C-states supported using MWAIT - 0x5, 0, edx, 23:20, n_c5_substates , Number of C5 sub C-states supported using MWAIT - 0x5, 0, edx, 27:24, n_c6_substates , Number of C6 sub C-states supported using MWAIT - 0x5, 0, edx, 31:28, n_c7_substates , Number of C7 sub C-states supported using MWAIT + 0x5, 0, ecx, 0, mwait_ext , MONITOR/MWAIT extensions + 0x5, 0, ecx, 1, mwait_irq_break , Interrupts as a break event for MWAIT + 0x5, 0, edx, 3:0, n_c0_substates , Number of C0 sub C-states + 0x5, 0, edx, 7:4, n_c1_substates , Number of C1 sub C-states + 0x5, 0, edx, 11:8, n_c2_substates , Number of C2 sub C-states + 0x5, 0, edx, 15:12, n_c3_substates , Number of C3 sub C-states + 0x5, 0, edx, 19:16, n_c4_substates , Number of C4 sub C-states + 0x5, 0, edx, 23:20, n_c5_substates , Number of C5 sub C-states + 0x5, 0, edx, 27:24, n_c6_substates , Number of C6 sub C-states + 0x5, 0, edx, 31:28, n_c7_substates , Number of C7 sub C-states # Leaf 6H -# Thermal and Power Management enumeration +# Thermal and power management 0x6, 0, eax, 0, dtherm , Digital temperature sensor 0x6, 0, eax, 1, turbo_boost 
, Intel Turbo Boost 
@@ -158,24 +158,25 @@ 0x6, 0, eax, 4, pln , Power Limit Notification (PLN) event 0x6, 0, eax, 5, ecmd , Clock modulation duty cycle extension 0x6, 0, eax, 6, pts , Package thermal management - 0x6, 0, eax, 7, hwp , HWP (Hardware P-states) base registers are supported + 0x6, 0, eax, 7, hwp , HWP (Hardware P-states) base registers 0x6, 0, eax, 8, hwp_notify , HWP notification (IA32_HWP_INTERRUPT MSR) - 0x6, 0, eax, 9, hwp_act_window , HWP activity window (IA32_HWP_REQUEST[bits 41:32]) supported + 0x6, 0, eax, 9, hwp_act_window , HWP activity window (IA32_HWP_REQUEST[bits 41:32]) 0x6, 0, eax, 10, hwp_epp , HWP Energy Performance Preference 0x6, 0, eax, 11, hwp_pkg_req , HWP Package Level Request - 0x6, 0, eax, 13, hdc_base_regs , HDC base registers are supported + 0x6, 0, eax, 13, hdc_base_regs , HDC base registers 0x6, 0, eax, 14, turbo_boost_3_0 , Intel Turbo Boost Max 3.0 0x6, 0, eax, 15, hwp_capabilities , HWP Highest Performance change 0x6, 0, eax, 16, hwp_peci_override , HWP PECI override 0x6, 0, eax, 17, hwp_flexible , Flexible HWP 0x6, 0, eax, 18, hwp_fast , IA32_HWP_REQUEST MSR fast access mode - 0x6, 0, eax, 19, hfi , HW_FEEDBACK MSRs supported - 0x6, 0, eax, 20, hwp_ignore_idle , Ignoring idle logical CPU HWP req is supported - 0x6, 0, eax, 23, thread_director , Intel thread director support - 0x6, 0, eax, 24, therm_interrupt_bit25 , IA32_THERM_INTERRUPT MSR bit 25 is supported + 0x6, 0, eax, 19, hfi , HW_FEEDBACK MSRs + 0x6, 0, eax, 20, hwp_ignore_idle , Ignoring idle logical CPU HWP request is supported + 0x6, 0, eax, 22, hwp_ctl , IA32_HWP_CTL MSR + 0x6, 0, eax, 23, thread_director , Intel thread director + 0x6, 0, eax, 24, therm_interrupt_bit25 , IA32_THERM_INTERRUPT MSR bit 25 0x6, 0, ebx, 3:0, n_therm_thresholds , Digital thermometer thresholds 0x6, 0, ecx, 0, aperfmperf , MPERF/APERF MSRs (effective frequency interface) - 0x6, 0, ecx, 3, epb , IA32_ENERGY_PERF_BIAS MSR support + 0x6, 0, ecx, 3, epb , IA32_ENERGY_PERF_BIAS MSR 0x6, 0, ecx, 15:8, 
thrd_director_nclasses , Number of classes, Intel thread director 0x6, 0, edx, 0, perfcap_reporting , Performance capability reporting 0x6, 0, edx, 1, encap_reporting , Energy efficiency capability reporting @@ -183,11 +184,11 @@ 0x6, 0, edx, 31:16, this_lcpu_hwfdbk_idx , This logical CPU hardware feedback interface index # Leaf 7H -# Extended CPU features enumeration +# Extended CPU features 0x7, 0, eax, 31:0, leaf7_n_subleaves , Number of leaf 0x7 subleaves - 0x7, 0, ebx, 0, fsgsbase , FSBASE/GSBASE read/write support - 0x7, 0, ebx, 1, tsc_adjust , IA32_TSC_ADJUST MSR supported + 0x7, 0, ebx, 0, fsgsbase , FSBASE/GSBASE read/write + 0x7, 0, ebx, 1, tsc_adjust , IA32_TSC_ADJUST MSR 0x7, 0, ebx, 2, sgx , Intel SGX (Software Guard Extensions) 0x7, 0, ebx, 3, bmi1 , Bit manipulation extensions group 1 0x7, 0, ebx, 4, hle , Hardware Lock Elision @@ -227,7 +228,7 @@ 0x7, 0, ecx, 7, cet_ss , CET shadow stack features 0x7, 0, ecx, 8, gfni , Galois field new instructions 0x7, 0, ecx, 9, vaes , Vector AES instructions - 0x7, 0, ecx, 10, vpclmulqdq , VPCLMULQDQ 256-bit instruction support + 0x7, 0, ecx, 10, vpclmulqdq , VPCLMULQDQ 256-bit instruction 0x7, 0, ecx, 11, avx512_vnni , Vector neural network instructions 0x7, 0, ecx, 12, avx512_bitalg , AVX-512 bitwise algorithms 0x7, 0, ecx, 13, tme , Intel total memory encryption 
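Review bot: In the leaf 0x6 rows, the rewritten hwp_ignore_idle line (eax bit 20) still ends in "is supported", while every other row this hunk touches drops that suffix (hwp, hdc_base_regs, hfi, thread_director, epb). Since the stated goal of the v2.5 changes is less verbose descriptions, the x86-cpuid-db entry should be shortened the same way, for example "Ignore idle logical CPU HWP request", so the regenerated CSV is uniform.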
@@ -235,34 +236,34 @@ 0x7, 0, ecx, 16, la57 , 57-bit linear addresses (five-level paging) 0x7, 0, ecx, 21:17, mawau_val_lm , BNDLDX/BNDSTX MAWAU value in 64-bit mode 0x7, 0, ecx, 22, rdpid , RDPID instruction - 0x7, 0, ecx, 23, key_locker , Intel key locker support + 0x7, 0, ecx, 23, key_locker , Intel key locker 0x7, 0, ecx, 24, bus_lock_detect , OS bus-lock detection 0x7, 0, ecx, 25, cldemote , CLDEMOTE instruction 0x7, 0, ecx, 27, movdiri , MOVDIRI instruction 0x7, 0, ecx, 28, movdir64b , MOVDIR64B instruction - 0x7, 0, ecx, 29, enqcmd , Enqueue stores supported (ENQCMD{,S}) + 0x7, 0, ecx, 29, enqcmd , Enqueue stores (ENQCMD{,S}) 0x7, 0, ecx, 30, sgx_lc , Intel SGX launch configuration 0x7, 0, ecx, 31, pks , Protection keys for supervisor-mode pages 0x7, 0, edx, 1, sgx_keys , Intel SGX attestation services 0x7, 0, edx, 2, avx512_4vnniw , AVX-512 neural network instructions 0x7, 0, edx, 3, avx512_4fmaps , AVX-512 multiply accumulation single precision 0x7, 0, edx, 4, fsrm , Fast short REP MOV - 0x7, 0, edx, 5, uintr , CPU supports user interrupts + 0x7, 0, edx, 5, uintr , User interrupts 0x7, 0, edx, 8, avx512_vp2intersect , VP2INTERSECT{D,Q} instructions - 0x7, 0, edx, 9, srdbs_ctrl , SRBDS mitigation MSR available - 0x7, 0, edx, 10, md_clear , VERW MD_CLEAR microcode support + 0x7, 0, edx, 9, srdbs_ctrl , SRBDS mitigation MSR + 0x7, 0, edx, 10, md_clear , VERW MD_CLEAR microcode 0x7, 0, edx, 11, rtm_always_abort , XBEGIN (RTM transaction) always aborts - 0x7, 0, edx, 13, tsx_force_abort , MSR TSX_FORCE_ABORT, RTM_ABORT bit, supported + 0x7, 0, edx, 13, tsx_force_abort , MSR TSX_FORCE_ABORT, RTM_ABORT bit 0x7, 0, edx, 14, serialize , SERIALIZE instruction 0x7, 0, edx, 15, hybrid_cpu , The CPU is identified as a 'hybrid part' 0x7, 0, edx, 16, tsxldtrk , TSX suspend/resume load address tracking 0x7, 0, edx, 18, pconfig , PCONFIG instruction 0x7, 0, edx, 19, arch_lbr , Intel architectural LBRs 0x7, 0, edx, 20, ibt , CET indirect branch tracking - 0x7, 0, edx, 22, 
amx_bf16 , AMX-BF16: tile bfloat16 support + 0x7, 0, edx, 22, amx_bf16 , AMX-BF16: tile bfloat16 0x7, 0, edx, 23, avx512_fp16 , AVX-512 FP16 instructions - 0x7, 0, edx, 24, amx_tile , AMX-TILE: tile architecture support - 0x7, 0, edx, 25, amx_int8 , AMX-INT8: tile 8-bit integer support + 0x7, 0, edx, 24, amx_tile , AMX-TILE: tile architecture + 0x7, 0, edx, 25, amx_int8 , AMX-INT8: tile 8-bit integer 0x7, 0, edx, 26, spec_ctrl , Speculation Control (IBRS/IBPB: indirect branch restrictions) 0x7, 0, edx, 27, intel_stibp , Single thread indirect branch predictors 0x7, 0, edx, 28, flush_l1d , FLUSH L1D cache: IA32_FLUSH_CMD MSR @@ -273,7 +274,7 @@ 0x7, 1, eax, 5, avx512_bf16 , AVX-512 bfloat16 instructions 0x7, 1, eax, 6, lass , Linear address space separation 0x7, 1, eax, 7, cmpccxadd , CMPccXADD instructions - 0x7, 1, eax, 8, arch_perfmon_ext , ArchPerfmonExt: leaf 0x23 is supported + 0x7, 1, eax, 8, arch_perfmon_ext , ArchPerfmonExt: leaf 0x23 0x7, 1, eax, 10, fzrm , Fast zero-length REP MOVSB 0x7, 1, eax, 11, fsrs , Fast short REP STOSB 0x7, 1, eax, 12, fsrc , Fast Short REP CMPSB/SCASB @@ -282,7 +283,7 @@ 0x7, 1, eax, 19, wrmsrns , WRMSRNS instruction (WRMSR-non-serializing) 0x7, 1, eax, 20, nmi_src , NMI-source reporting with FRED event data 0x7, 1, eax, 21, amx_fp16 , AMX-FP16: FP16 tile operations - 0x7, 1, eax, 22, hreset , History reset support + 0x7, 1, eax, 22, hreset , HRESET (Thread director history reset) 0x7, 1, eax, 23, avx_ifma , Integer fused multiply add 0x7, 1, eax, 26, lam , Linear address masking 0x7, 1, eax, 27, rd_wr_msrlist , RDMSRLIST/WRMSRLIST instructions 
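Review bot: The leaf 0x7 edx bit 9 row is rewritten but keeps the short name "srdbs_ctrl" next to the description "SRBDS mitigation MSR", so the name still transposes the letters of the mitigation it describes. Anyone searching kcpuid output for "srbds" will miss this bit. Either correct the name to srbds_ctrl in x86-cpuid-db and regenerate, or note in the commit message that the misspelled name is kept on purpose for compatibility.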
@@ -298,35 +299,40 @@ 0x7, 2, edx, 3, ddp_ctrl , MSR bit IA32_SPEC_CTRL.DDPD_U 0x7, 2, edx, 4, bhi_ctrl , MSR bit IA32_SPEC_CTRL.BHI_DIS_S 0x7, 2, edx, 5, mcdt_no , MCDT mitigation not needed - 0x7, 2, edx, 6, uclock_disable , UC-lock disable is supported + 0x7, 2, edx, 6, uclock_disable , UC-lock disable # Leaf 9H -# Intel DCA (Direct Cache Access) enumeration +# Intel DCA (Direct Cache Access) 0x9, 0, eax, 0, dca_enabled_in_bios , DCA is enabled in BIOS # Leaf AH -# Intel PMU (Performance Monitoring Unit) enumeration +# Intel PMU (Performance Monitoring Unit) 0xa, 0, eax, 7:0, pmu_version , Performance monitoring unit version ID - 0xa, 0, eax, 15:8, pmu_n_gcounters , Number of general PMU counters per logical CPU - 0xa, 0, eax, 23:16, pmu_gcounters_nbits , Bitwidth of PMU general counters - 0xa, 0, eax, 31:24, pmu_cpuid_ebx_bits , Length of leaf 0xa EBX bit vector - 0xa, 0, ebx, 0, no_core_cycle_evt , Core cycle event not available - 0xa, 0, ebx, 1, no_insn_retired_evt , Instruction retired event not available - 0xa, 0, ebx, 2, no_refcycle_evt , Reference cycles event not available - 0xa, 0, ebx, 3, no_llc_ref_evt , LLC-reference event not available - 0xa, 0, ebx, 4, no_llc_miss_evt , LLC-misses event not available - 0xa, 0, ebx, 5, no_br_insn_ret_evt , Branch instruction retired event not available - 0xa, 0, ebx, 6, no_br_mispredict_evt , Branch mispredict retired event not available - 0xa, 0, ebx, 7, no_td_slots_evt , Topdown slots event not available + 0xa, 0, eax, 15:8, num_counters_gp , Number of general-purpose PMU counters per logical CPU + 0xa, 0, eax, 23:16, bit_width_gp , Bitwidth of PMU general-purpose counters + 0xa, 0, eax, 31:24, events_mask_len , Length of CPUID(0xa).EBX bit vector + 0xa, 0, ebx, 0, no_core_cycle , Core cycle event not available + 0xa, 0, ebx, 1, no_instruction_retired , Instruction retired event not available + 0xa, 0, ebx, 2, no_reference_cycles , Reference cycles event not available + 0xa, 0, ebx, 3, no_llc_reference , 
LLC-reference event not available + 0xa, 0, ebx, 4, no_llc_misses , LLC-misses event not available + 0xa, 0, ebx, 5, no_br_insn_retired , Branch instruction retired event not available + 0xa, 0, ebx, 6, no_br_misses_retired , Branch mispredict retired event not available + 0xa, 0, ebx, 7, no_topdown_slots , Topdown slots event not available + 0xa, 0, ebx, 8, no_backend_bound , Topdown backend bound not available + 0xa, 0, ebx, 9, no_bad_speculation , Topdown bad speculation not available + 0xa, 0, ebx, 10, no_frontend_bound , Topdown frontend bound not available + 0xa, 0, ebx, 11, no_retiring , Topdown retiring not available + 0xa, 0, ebx, 12, no_lbr_inserts , LBR inserts not available 0xa, 0, ecx, 31:0, pmu_fcounters_bitmap , Fixed-function PMU counters support bitmap - 0xa, 0, edx, 4:0, pmu_n_fcounters , Number of fixed PMU counters - 0xa, 0, edx, 12:5, pmu_fcounters_nbits , Bitwidth of PMU fixed counters - 0xa, 0, edx, 15, anythread_depr , AnyThread deprecation + 0xa, 0, edx, 4:0, num_counters_fixed , Number of fixed PMU counters + 0xa, 0, edx, 12:5, bitwidth_fixed , Bitwidth of PMU fixed counters + 0xa, 0, edx, 15, anythread_deprecation , AnyThread mode deprecation # Leaf BH -# CPUs v1 extended topology enumeration +# CPU extended topology v1 0xb, 1:0, eax, 4:0, x2apic_id_shift , Bit width of this level (previous levels inclusive) 0xb, 1:0, ebx, 15:0, domain_lcpus_count , Logical CPUs count across all instances of this domain 
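Review bot: The renamed leaf 0xa fields are not spelled consistently: eax 23:16 becomes "bit_width_gp" while edx 12:5 becomes "bitwidth_fixed", and pmu_version and pmu_fcounters_bitmap keep the pmu_ prefix that the other renamed fields lose. Pick one spelling (bit_width_fixed or bitwidth_gp) before these names spread. The commit message mentions "more descriptive PMU bitfield names" but does not list the old-to-new mapping; adding it would help anything that matches on the previous short names (pmu_n_gcounters, pmu_gcounters_nbits, anythread_depr, and so on).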
@@ -335,107 +341,109 @@ 0xb, 1:0, edx, 31:0, x2apic_id , x2APIC ID of current logical CPU # Leaf DH -# Processor extended state enumeration +# CPU extended state - 0xd, 0, eax, 0, xcr0_x87 , XCR0.X87 (bit 0) supported - 0xd, 0, eax, 1, xcr0_sse , XCR0.SEE (bit 1) supported - 0xd, 0, eax, 2, xcr0_avx , XCR0.AVX (bit 2) supported - 0xd, 0, eax, 3, xcr0_mpx_bndregs , XCR0.BNDREGS (bit 3) supported (MPX BND0-BND3 registers) - 0xd, 0, eax, 4, xcr0_mpx_bndcsr , XCR0.BNDCSR (bit 4) supported (MPX BNDCFGU/BNDSTATUS registers) - 0xd, 0, eax, 5, xcr0_avx512_opmask , XCR0.OPMASK (bit 5) supported (AVX-512 k0-k7 registers) - 0xd, 0, eax, 6, xcr0_avx512_zmm_hi256 , XCR0.ZMM_Hi256 (bit 6) supported (AVX-512 ZMM0->ZMM7/15 registers) - 0xd, 0, eax, 7, xcr0_avx512_hi16_zmm , XCR0.HI16_ZMM (bit 7) supported (AVX-512 ZMM16->ZMM31 registers) - 0xd, 0, eax, 9, xcr0_pkru , XCR0.PKRU (bit 9) supported (XSAVE PKRU registers) - 0xd, 0, eax, 11, xcr0_cet_u , XCR0.CET_U (bit 11) supported (CET user state) - 0xd, 0, eax, 12, xcr0_cet_s , XCR0.CET_S (bit 12) supported (CET supervisor state) - 0xd, 0, eax, 17, xcr0_tileconfig , XCR0.TILECONFIG (bit 17) supported (AMX can manage TILECONFIG) - 0xd, 0, eax, 18, xcr0_tiledata , XCR0.TILEDATA (bit 18) supported (AMX can manage TILEDATA) - 0xd, 0, ebx, 31:0, xsave_sz_xcr0_enabled , XSAVE/XRSTOR area byte size, for XCR0 enabled features + 0xd, 0, eax, 0, xcr0_x87 , XCR0.X87 + 0xd, 0, eax, 1, xcr0_sse , XCR0.SSE + 0xd, 0, eax, 2, xcr0_avx , XCR0.AVX + 0xd, 0, eax, 3, xcr0_mpx_bndregs , XCR0.BNDREGS: MPX BND0-BND3 registers + 0xd, 0, eax, 4, xcr0_mpx_bndcsr , XCR0.BNDCSR: MPX BNDCFGU/BNDSTATUS registers + 0xd, 0, eax, 5, xcr0_avx512_opmask , XCR0.OPMASK: AVX-512 k0-k7 registers + 0xd, 0, eax, 6, xcr0_avx512_zmm_hi256 , XCR0.ZMM_Hi256: AVX-512 ZMM0->ZMM7/15 registers + 0xd, 0, eax, 7, xcr0_avx512_hi16_zmm , XCR0.HI16_ZMM: AVX-512 ZMM16->ZMM31 registers + 0xd, 0, eax, 9, xcr0_pkru , XCR0.PKRU: XSAVE PKRU registers + 0xd, 0, eax, 11, xcr0_cet_u , 
XCR0.CET_U: CET user state + 0xd, 0, eax, 12, xcr0_cet_s , XCR0.CET_S: CET supervisor state + 0xd, 0, eax, 17, xcr0_tileconfig , XCR0.TILECONFIG: AMX can manage TILECONFIG + 0xd, 0, eax, 18, xcr0_tiledata , XCR0.TILEDATA: AMX can manage TILEDATA + 0xd, 0, ebx, 31:0, xsave_sz_xcr0 , XSAVE/XRSTOR area byte size, for XCR0 enabled features 0xd, 0, ecx, 31:0, xsave_sz_max , XSAVE/XRSTOR area max byte size, all CPU features - 0xd, 0, edx, 30, xcr0_lwp , AMD XCR0.LWP (bit 62) supported (Light-weight Profiling) + 0xd, 0, edx, 30, xcr0_lwp , AMD XCR0.LWP: Light-weight Profiling 0xd, 1, eax, 0, xsaveopt , XSAVEOPT instruction 0xd, 1, eax, 1, xsavec , XSAVEC instruction 0xd, 1, eax, 2, xgetbv1 , XGETBV instruction with ECX = 1 0xd, 1, eax, 3, xsaves , XSAVES/XRSTORS instructions (and XSS MSR) - 0xd, 1, eax, 4, xfd , Extended feature disable support - 0xd, 1, ebx, 31:0, xsave_sz_xcr0_xmms_enabled, XSAVE area size, all XCR0 and XMMS features enabled - 0xd, 1, ecx, 8, xss_pt , PT state, supported - 0xd, 1, ecx, 10, xss_pasid , PASID state, supported - 0xd, 1, ecx, 11, xss_cet_u , CET user state, supported - 0xd, 1, ecx, 12, xss_cet_p , CET supervisor state, supported - 0xd, 1, ecx, 13, xss_hdc , HDC state, supported - 0xd, 1, ecx, 14, xss_uintr , UINTR state, supported - 0xd, 1, ecx, 15, xss_lbr , LBR state, supported - 0xd, 1, ecx, 16, xss_hwp , HWP state, supported - 0xd, 63:2, eax, 31:0, xsave_sz , Size of save area for subleaf-N feature, in bytes - 0xd, 63:2, ebx, 31:0, xsave_offset , Offset of save area for subleaf-N feature, in bytes - 0xd, 63:2, ecx, 0, is_xss_bit , Subleaf N describes an XSS bit, otherwise XCR0 bit - 0xd, 63:2, ecx, 1, compacted_xsave_64byte_aligned, When compacted, subleaf-N feature XSAVE area is 64-byte aligned + 0xd, 1, eax, 4, xfd , Extended feature disable + 0xd, 1, ebx, 31:0, xsave_sz_xcr0_xss , XSAVES/XSAVEC area byte size, for XCR0|XSS enabled features + 0xd, 1, ecx, 8, xss_pt , PT state + 0xd, 1, ecx, 10, xss_pasid , PASID state + 0xd, 1, ecx, 
11, xss_cet_u , CET user state + 0xd, 1, ecx, 12, xss_cet_p , CET supervisor state + 0xd, 1, ecx, 13, xss_hdc , HDC state + 0xd, 1, ecx, 14, xss_uintr , UINTR state + 0xd, 1, ecx, 15, xss_lbr , LBR state + 0xd, 1, ecx, 16, xss_hwp , HWP state + 0xd, 63:2, eax, 31:0, xsave_sz , Subleaf-N feature save area size, in bytes + 0xd, 63:2, ebx, 31:0, xsave_offset , Subleaf-N feature save area offset, in bytes + 0xd, 63:2, ecx, 0, is_xss_bit , Subleaf N describes an XSS bit (otherwise XCR0) + 0xd, 63:2, ecx, 1, compacted_xsave_64byte_aligned, When compacted, subleaf-N XSAVE area is 64-byte aligned # Leaf FH # Intel RDT / AMD PQoS resource monitoring - 0xf, 0, ebx, 31:0, core_rmid_max , RMID max, within this core, all types (0-based) - 0xf, 0, edx, 1, cqm_llc , LLC QoS-monitoring supported + 0xf, 0, ebx, 31:0, core_rmid_max , RMID max within this core (0-based) + 0xf, 0, edx, 1, cqm_llc , LLC QoS-monitoring 0xf, 1, eax, 7:0, l3c_qm_bitwidth , L3 QoS-monitoring counter bitwidth (24-based) 0xf, 1, eax, 8, l3c_qm_overflow_bit , QM_CTR MSR bit 61 is an overflow bit + 0xf, 1, eax, 9, io_rdt_cmt , non-CPU agent supporting Intel RDT CMT present + 0xf, 1, eax, 10, io_rdt_mbm , non-CPU agent supporting Intel RDT MBM present 0xf, 1, ebx, 31:0, l3c_qm_conver_factor , QM_CTR MSR conversion factor to bytes 0xf, 1, ecx, 31:0, l3c_qm_rmid_max , L3 QoS-monitoring max RMID - 0xf, 1, edx, 0, cqm_occup_llc , L3 QoS occupancy monitoring supported - 0xf, 1, edx, 1, cqm_mbm_total , L3 QoS total bandwidth monitoring supported - 0xf, 1, edx, 2, cqm_mbm_local , L3 QoS local bandwidth monitoring supported + 0xf, 1, edx, 0, cqm_occup_llc , L3 QoS occupancy monitoring + 0xf, 1, edx, 1, cqm_mbm_total , L3 QoS total bandwidth monitoring + 0xf, 1, edx, 2, cqm_mbm_local , L3 QoS local bandwidth monitoring # Leaf 10H -# Intel RDT / AMD PQoS allocation enumeration +# Intel RDT / AMD PQoS allocation - 0x10, 0, ebx, 1, cat_l3 , L3 Cache Allocation Technology supported - 0x10, 0, ebx, 2, cat_l2 , L2 Cache 
Allocation Technology supported - 0x10, 0, ebx, 3, mba , Memory Bandwidth Allocation supported + 0x10, 0, ebx, 1, cat_l3 , L3 Cache Allocation Technology + 0x10, 0, ebx, 2, cat_l2 , L2 Cache Allocation Technology + 0x10, 0, ebx, 3, mba , Memory Bandwidth Allocation 0x10, 2:1, eax, 4:0, cat_cbm_len , L3/L2_CAT capacity bitmask length, minus-one notation - 0x10, 2:1, ebx, 31:0, cat_units_bitmap , L3/L2_CAT bitmap of allocation units + 0x10, 2:1, ebx, 31:0, cat_units_bitmap , L3/L2_CAT allocation units bitmap 0x10, 2:1, ecx, 1, l3_cat_cos_infreq_updates, L3_CAT COS updates should be infrequent - 0x10, 2:1, ecx, 2, cdp_l3 , L3/L2_CAT CDP (Code and Data Prioritization) - 0x10, 2:1, ecx, 3, cat_sparse_1s , L3/L2_CAT non-contiguous 1s value supported - 0x10, 2:1, edx, 15:0, cat_cos_max , L3/L2_CAT max COS (Class of Service) supported + 0x10, 2:1, ecx, 2, cdp_l3 , L3/L2_CAT Code and Data Prioritization + 0x10, 2:1, ecx, 3, cat_sparse_1s , L3/L2_CAT non-contiguous 1s value + 0x10, 2:1, edx, 15:0, cat_cos_max , L3/L2_CAT max Class of Service 0x10, 3, eax, 11:0, mba_max_delay , Max MBA throttling value; minus-one notation - 0x10, 3, ecx, 0, per_thread_mba , Per-thread MBA controls are supported + 0x10, 3, ecx, 0, per_thread_mba , Per-thread MBA controls 0x10, 3, ecx, 2, mba_delay_linear , Delay values are linear - 0x10, 3, edx, 15:0, mba_cos_max , MBA max Class of Service supported + 0x10, 3, edx, 15:0, mba_cos_max , MBA max Class of Service # Leaf 12H -# Intel Software Guard Extensions (SGX) enumeration +# Intel SGX (Software Guard Extensions) - 0x12, 0, eax, 0, sgx1 , SGX1 leaf functions supported - 0x12, 0, eax, 1, sgx2 , SGX2 leaf functions supported - 0x12, 0, eax, 5, enclv_leaves , ENCLV leaves (E{INC,DEC}VIRTCHILD, ESETCONTEXT) supported - 0x12, 0, eax, 6, encls_leaves , ENCLS leaves (ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC) supported - 0x12, 0, eax, 7, enclu_everifyreport2 , ENCLU leaf EVERIFYREPORT2 supported - 0x12, 0, eax, 10, encls_eupdatesvn , ENCLS leaf EUPDATESVN 
supported - 0x12, 0, eax, 11, sgx_edeccssa , ENCLU leaf EDECCSSA supported - 0x12, 0, ebx, 0, miscselect_exinfo , SSA.MISC frame: reporting #PF and #GP exceptions inside enclave supported - 0x12, 0, ebx, 1, miscselect_cpinfo , SSA.MISC frame: reporting #CP exceptions inside enclave supported + 0x12, 0, eax, 0, sgx1 , SGX1 leaf functions + 0x12, 0, eax, 1, sgx2 , SGX2 leaf functions + 0x12, 0, eax, 5, enclv_leaves , ENCLV leaves + 0x12, 0, eax, 6, encls_leaves , ENCLS leaves + 0x12, 0, eax, 7, enclu_everifyreport2 , ENCLU leaf EVERIFYREPORT2 + 0x12, 0, eax, 10, encls_eupdatesvn , ENCLS leaf EUPDATESVN + 0x12, 0, eax, 11, sgx_edeccssa , ENCLU leaf EDECCSSA + 0x12, 0, ebx, 0, miscselect_exinfo , SSA.MISC frame: Enclave #PF and #GP reporting + 0x12, 0, ebx, 1, miscselect_cpinfo , SSA.MISC frame: Enclave #CP reporting 0x12, 0, edx, 7:0, max_enclave_sz_not64 , Maximum enclave size in non-64-bit mode (log2) 0x12, 0, edx, 15:8, max_enclave_sz_64 , Maximum enclave size in 64-bit mode (log2) - 0x12, 1, eax, 0, secs_attr_init , ATTRIBUTES.INIT supported (enclave initialized by EINIT) - 0x12, 1, eax, 1, secs_attr_debug , ATTRIBUTES.DEBUG supported (enclave permits debugger read/write) - 0x12, 1, eax, 2, secs_attr_mode64bit , ATTRIBUTES.MODE64BIT supported (enclave runs in 64-bit mode) - 0x12, 1, eax, 4, secs_attr_provisionkey , ATTRIBUTES.PROVISIONKEY supported (provisioning key available) - 0x12, 1, eax, 5, secs_attr_einittoken_key, ATTRIBUTES.EINITTOKEN_KEY supported (EINIT token key available) - 0x12, 1, eax, 6, secs_attr_cet , ATTRIBUTES.CET supported (enable CET attributes) - 0x12, 1, eax, 7, secs_attr_kss , ATTRIBUTES.KSS supported (Key Separation and Sharing enabled) - 0x12, 1, eax, 10, secs_attr_aexnotify , ATTRIBUTES.AEXNOTIFY supported (enclave threads may get AEX notifications - 0x12, 1, ecx, 0, xfrm_x87 , Enclave XFRM.X87 (bit 0) supported - 0x12, 1, ecx, 1, xfrm_sse , Enclave XFRM.SEE (bit 1) supported - 0x12, 1, ecx, 2, xfrm_avx , Enclave XFRM.AVX (bit 2) 
supported - 0x12, 1, ecx, 3, xfrm_mpx_bndregs , Enclave XFRM.BNDREGS (bit 3) supported (MPX BND0-BND3 registers) - 0x12, 1, ecx, 4, xfrm_mpx_bndcsr , Enclave XFRM.BNDCSR (bit 4) supported (MPX BNDCFGU/BNDSTATUS registers) - 0x12, 1, ecx, 5, xfrm_avx512_opmask , Enclave XFRM.OPMASK (bit 5) supported (AVX-512 k0-k7 registers) - 0x12, 1, ecx, 6, xfrm_avx512_zmm_hi256 , Enclave XFRM.ZMM_Hi256 (bit 6) supported (AVX-512 ZMM0->ZMM7/15 registers) - 0x12, 1, ecx, 7, xfrm_avx512_hi16_zmm , Enclave XFRM.HI16_ZMM (bit 7) supported (AVX-512 ZMM16->ZMM31 registers) - 0x12, 1, ecx, 9, xfrm_pkru , Enclave XFRM.PKRU (bit 9) supported (XSAVE PKRU registers) - 0x12, 1, ecx, 17, xfrm_tileconfig , Enclave XFRM.TILECONFIG (bit 17) supported (AMX can manage TILECONFIG) - 0x12, 1, ecx, 18, xfrm_tiledata , Enclave XFRM.TILEDATA (bit 18) supported (AMX can manage TILEDATA) - 0x12, 31:2, eax, 3:0, subleaf_type , Subleaf type (dictates output layout) + 0x12, 1, eax, 0, secs_attr_init , Enclave initialized by EINIT + 0x12, 1, eax, 1, secs_attr_debug , Enclave permits debugger read/write + 0x12, 1, eax, 2, secs_attr_mode64bit , Enclave runs in 64-bit mode + 0x12, 1, eax, 4, secs_attr_provisionkey , Provisioning key + 0x12, 1, eax, 5, secs_attr_einittoken_key, EINIT token key + 0x12, 1, eax, 6, secs_attr_cet , CET attributes + 0x12, 1, eax, 7, secs_attr_kss , Key Separation and Sharing + 0x12, 1, eax, 10, secs_attr_aexnotify , Enclave threads: AEX notifications + 0x12, 1, ecx, 0, xfrm_x87 , Enclave XFRM.X87 + 0x12, 1, ecx, 1, xfrm_sse , Enclave XFRM.SEE + 0x12, 1, ecx, 2, xfrm_avx , Enclave XFRM.AVX + 0x12, 1, ecx, 3, xfrm_mpx_bndregs , Enclave XFRM.BNDREGS (MPX BND0-BND3 registers) + 0x12, 1, ecx, 4, xfrm_mpx_bndcsr , Enclave XFRM.BNDCSR (MPX BNDCFGU/BNDSTATUS registers) + 0x12, 1, ecx, 5, xfrm_avx512_opmask , Enclave XFRM.OPMASK (AVX-512 k0-k7 registers) + 0x12, 1, ecx, 6, xfrm_avx512_zmm_hi256 , Enclave XFRM.ZMM_Hi256 (AVX-512 ZMM0->ZMM7/15 registers) + 0x12, 1, ecx, 7, xfrm_avx512_hi16_zmm 
, Enclave XFRM.HI16_ZMM (AVX-512 ZMM16->ZMM31 registers) + 0x12, 1, ecx, 9, xfrm_pkru , Enclave XFRM.PKRU (XSAVE PKRU registers) + 0x12, 1, ecx, 17, xfrm_tileconfig , Enclave XFRM.TILECONFIG (AMX can manage TILECONFIG) + 0x12, 1, ecx, 18, xfrm_tiledata , Enclave XFRM.TILEDATA (AMX can manage TILEDATA) + 0x12, 31:2, eax, 3:0, subleaf_type , Subleaf type 0x12, 31:2, eax, 31:12, epc_sec_base_addr_0 , EPC section base address, bits[12:31] 0x12, 31:2, ebx, 19:0, epc_sec_base_addr_1 , EPC section base address, bits[32:51] 0x12, 31:2, ecx, 3:0, epc_sec_type , EPC section type / property encoding 
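Review bot: The leaf 0xd row is corrected from "XCR0.SEE" to "XCR0.SSE", but the matching leaf 0x12 row is rewritten as "xfrm_sse , Enclave XFRM.SEE", so the same typo survives in the SGX section. Please fix it in x86-cpuid-db and regenerate. In the same hunk, the secs_attr_* descriptions lose the "ATTRIBUTES.<bit> supported" prefix and now read as statements about an enclave ("Enclave permits debugger read/write", "Enclave runs in 64-bit mode"). These subleaf 1 bits enumerate which SECS.ATTRIBUTES bits may be set, not the state of any enclave, and someone reading kcpuid output on a host could take secs_attr_debug as meaning a debug enclave is present. Keeping the bit name, in the "XCR0.BNDREGS: ..." style used for leaf 0xd above (for example "ATTRIBUTES.DEBUG: debugger read/write"), stays short without that ambiguity. Minor: the two new leaf 0xf descriptions start with lowercase "non-CPU", unlike the rest of the file.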
@@ -443,44 +451,44 @@ 0x12, 31:2, edx, 19:0, epc_sec_size_1 , EPC section size, bits[32:51] # Leaf 14H -# Intel Processor Trace enumeration +# Intel Processor Trace 0x14, 0, eax, 31:0, pt_max_subleaf , Maximum leaf 0x14 subleaf 0x14, 0, ebx, 0, cr3_filtering , IA32_RTIT_CR3_MATCH is accessible 0x14, 0, ebx, 1, psb_cyc , Configurable PSB and cycle-accurate mode 0x14, 0, ebx, 2, ip_filtering , IP/TraceStop filtering; Warm-reset PT MSRs preservation 0x14, 0, ebx, 3, mtc_timing , MTC timing packet; COFI-based packets suppression - 0x14, 0, ebx, 4, ptwrite , PTWRITE support - 0x14, 0, ebx, 5, power_event_trace , Power Event Trace support - 0x14, 0, ebx, 6, psb_pmi_preserve , PSB and PMI preservation support - 0x14, 0, ebx, 7, event_trace , Event Trace packet generation through IA32_RTIT_CTL.EventEn - 0x14, 0, ebx, 8, tnt_disable , TNT packet generation disable through IA32_RTIT_CTL.DisTNT - 0x14, 0, ecx, 0, topa_output , ToPA output scheme support + 0x14, 0, ebx, 4, ptwrite , PTWRITE instruction + 0x14, 0, ebx, 5, power_event_trace , Power Event Trace + 0x14, 0, ebx, 6, psb_pmi_preserve , PSB and PMI preservation + 0x14, 0, ebx, 7, event_trace , Event Trace packet generation + 0x14, 0, ebx, 8, tnt_disable , TNT packet generation disable + 0x14, 0, ecx, 0, topa_output , ToPA output scheme 0x14, 0, ecx, 1, topa_multiple_entries , ToPA tables can hold multiple entries - 0x14, 0, ecx, 2, single_range_output , Single-range output scheme supported - 0x14, 0, ecx, 3, trance_transport_output, Trace Transport subsystem output support + 0x14, 0, ecx, 2, single_range_output , Single-range output + 0x14, 0, ecx, 3, trance_transport_output, Trace Transport subsystem output 0x14, 0, ecx, 31, ip_payloads_lip , IP payloads have LIP values (CS base included) - 0x14, 1, eax, 2:0, num_address_ranges , Filtering number of configurable Address Ranges - 0x14, 1, eax, 31:16, mtc_periods_bmp , Bitmap of supported MTC period encodings - 0x14, 1, ebx, 15:0, cycle_thresholds_bmp , Bitmap of 
supported Cycle Threshold encodings - 0x14, 1, ebx, 31:16, psb_periods_bmp , Bitmap of supported Configurable PSB frequency encodings + 0x14, 1, eax, 2:0, num_address_ranges , Number of configurable Address Ranges + 0x14, 1, eax, 31:16, mtc_periods_bmp , MTC period encodings bitmap + 0x14, 1, ebx, 15:0, cycle_thresholds_bmp , Cycle Threshold encodings bitmap + 0x14, 1, ebx, 31:16, psb_periods_bmp , Configurable PSB frequency encodings bitmap # Leaf 15H -# Intel TSC (Time Stamp Counter) enumeration +# Intel TSC (Time Stamp Counter) 0x15, 0, eax, 31:0, tsc_denominator , Denominator of the TSC/'core crystal clock' ratio 0x15, 0, ebx, 31:0, tsc_numerator , Numerator of the TSC/'core crystal clock' ratio 0x15, 0, ecx, 31:0, cpu_crystal_hz , Core crystal clock nominal frequency, in Hz # Leaf 16H -# Intel processor frequency enumeration +# Intel processor frequency 0x16, 0, eax, 15:0, cpu_base_mhz , Processor base frequency, in MHz 0x16, 0, ebx, 15:0, cpu_max_mhz , Processor max frequency, in MHz 0x16, 0, ecx, 15:0, bus_mhz , Bus reference frequency, in MHz # Leaf 17H -# Intel SoC vendor attributes enumeration +# Intel SoC vendor attributes 0x17, 0, eax, 31:0, soc_max_subleaf , Maximum leaf 0x17 subleaf 0x17, 0, ebx, 15:0, soc_vendor_id , SoC vendor ID 
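Review bot: The leaf 0x14 ecx bit 3 row is rewritten but its short name is still "trance_transport_output", which looks like a typo for trace_transport_output. Since the description on that line is being changed anyway, the name should be corrected in the same database update. Also in this hunk, the event_trace and tnt_disable descriptions drop the IA32_RTIT_CTL.EventEn and IA32_RTIT_CTL.DisTNT references. Those were the only pointer from the bit to the control that uses it, so consider keeping just the bit name in parentheses.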
@@ -493,32 +501,32 @@ 0x17, 3:1, edx, 31:0, vendor_brand_d , Vendor Brand ID string, bytes subleaf_nr * (12 -> 15) # Leaf 18H -# Intel determenestic address translation (TLB) parameters +# Intel deterministic address translation (TLB) parameters 0x18, 31:0, eax, 31:0, tlb_max_subleaf , Maximum leaf 0x18 subleaf - 0x18, 31:0, ebx, 0, tlb_4k_page , TLB 4KB-page entries supported - 0x18, 31:0, ebx, 1, tlb_2m_page , TLB 2MB-page entries supported - 0x18, 31:0, ebx, 2, tlb_4m_page , TLB 4MB-page entries supported - 0x18, 31:0, ebx, 3, tlb_1g_page , TLB 1GB-page entries supported - 0x18, 31:0, ebx, 10:8, hard_partitioning , (Hard/Soft) partitioning between logical CPUs sharing this structure + 0x18, 31:0, ebx, 0, tlb_4k_page , TLB supports 4KB-page entries + 0x18, 31:0, ebx, 1, tlb_2m_page , TLB supports 2MB-page entries + 0x18, 31:0, ebx, 2, tlb_4m_page , TLB supports 4MB-page entries + 0x18, 31:0, ebx, 3, tlb_1g_page , TLB supports 1GB-page entries + 0x18, 31:0, ebx, 10:8, hard_partitioning , Partitioning between logical CPUs 0x18, 31:0, ebx, 31:16, n_way_associative , Ways of associativity 0x18, 31:0, ecx, 31:0, n_sets , Number of sets 0x18, 31:0, edx, 4:0, tlb_type , Translation cache type (TLB type) 0x18, 31:0, edx, 7:5, tlb_cache_level , Translation cache level (1-based) - 0x18, 31:0, edx, 8, is_fully_associative , Fully-associative structure - 0x18, 31:0, edx, 25:14, tlb_max_addressible_ids, Max number of addressable IDs for logical CPUs sharing this TLB - 1 + 0x18, 31:0, edx, 8, is_fully_associative , Fully-associative + 0x18, 31:0, edx, 25:14, tlb_max_addressible_ids, Max number of addressable IDs - 1 # Leaf 19H -# Intel Key Locker enumeration +# Intel key locker - 0x19, 0, eax, 0, kl_cpl0_only , CPL0-only key Locker restriction supported - 0x19, 0, eax, 1, kl_no_encrypt , No-encrypt key locker restriction supported - 0x19, 0, eax, 2, kl_no_decrypt , No-decrypt key locker restriction supported - 0x19, 0, ebx, 0, aes_keylocker , AES key locker instructions 
supported - 0x19, 0, ebx, 2, aes_keylocker_wide , AES wide key locker instructions supported - 0x19, 0, ebx, 4, kl_msr_iwkey , Key locker MSRs and IWKEY backups supported - 0x19, 0, ecx, 0, loadiwkey_no_backup , LOADIWKEY NoBackup parameter supported - 0x19, 0, ecx, 1, iwkey_rand , IWKEY randomization (KeySource encoding 1) supported + 0x19, 0, eax, 0, kl_cpl0_only , CPL0-only key Locker restriction + 0x19, 0, eax, 1, kl_no_encrypt , No-encrypt key locker restriction + 0x19, 0, eax, 2, kl_no_decrypt , No-decrypt key locker restriction + 0x19, 0, ebx, 0, aes_keylocker , AES key locker instructions + 0x19, 0, ebx, 2, aes_keylocker_wide , AES wide key locker instructions + 0x19, 0, ebx, 4, kl_msr_iwkey , Key locker MSRs and IWKEY backups + 0x19, 0, ecx, 0, loadiwkey_no_backup , LOADIWKEY NoBackup parameter + 0x19, 0, ecx, 1, iwkey_rand , IWKEY randomization # Leaf 1AH # Intel hybrid CPUs identification (e.g. Atom, Core) @@ -527,7 +535,7 @@ 0x1a, 0, eax, 31:24, core_type , This core's type # Leaf 1BH -# Intel PCONFIG (Platform configuration) enumeration +# Intel PCONFIG (Platform configuration) 0x1b, 31:0, eax, 11:0, pconfig_subleaf_type , CPUID 0x1b subleaf type 0x1b, 31:0, ebx, 31:0, pconfig_target_id_x , A supported PCONFIG target ID 
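Review bot: In the leaf 0x18 rows, the new description for ebx 10:8 is "Partitioning between logical CPUs", which no longer says what the 3-bit value encodes, while the short name is still hard_partitioning. The old "(Hard/Soft)" hint at least told the reader the field distinguishes the two. Please keep a short form of it. The same hunk corrects "determenestic" in the leaf header but leaves the short name "tlb_max_addressible_ids" misspelled on a row it rewrites, and the leaf 0x19 rows mix "key Locker" (eax bit 0) with "key locker" everywhere else.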
@@ -535,25 +543,18 @@ 0x1b, 31:0, edx, 31:0, pconfig_target_id_z , A supported PCONFIG target ID # Leaf 1CH -# Intel LBR (Last Branch Record) enumeration +# Intel LBR (Last Branch Record) - 0x1c, 0, eax, 0, lbr_depth_8 , Max stack depth (number of LBR entries) = 8 - 0x1c, 0, eax, 1, lbr_depth_16 , Max stack depth (number of LBR entries) = 16 - 0x1c, 0, eax, 2, lbr_depth_24 , Max stack depth (number of LBR entries) = 24 - 0x1c, 0, eax, 3, lbr_depth_32 , Max stack depth (number of LBR entries) = 32 - 0x1c, 0, eax, 4, lbr_depth_40 , Max stack depth (number of LBR entries) = 40 - 0x1c, 0, eax, 5, lbr_depth_48 , Max stack depth (number of LBR entries) = 48 - 0x1c, 0, eax, 6, lbr_depth_56 , Max stack depth (number of LBR entries) = 56 - 0x1c, 0, eax, 7, lbr_depth_64 , Max stack depth (number of LBR entries) = 64 + 0x1c, 0, eax, 7:0, lbr_depth_mask , Max LBR stack depth bitmask 0x1c, 0, eax, 30, lbr_deep_c_reset , LBRs maybe cleared on MWAIT C-state > C1 - 0x1c, 0, eax, 31, lbr_ip_is_lip , LBR IP contain Last IP, otherwise effective IP - 0x1c, 0, ebx, 0, lbr_cpl , CPL filtering (non-zero IA32_LBR_CTL[2:1]) supported - 0x1c, 0, ebx, 1, lbr_branch_filter , Branch filtering (non-zero IA32_LBR_CTL[22:16]) supported - 0x1c, 0, ebx, 2, lbr_call_stack , Call-stack mode (IA32_LBR_CTL[3] = 1) supported - 0x1c, 0, ecx, 0, lbr_mispredict , Branch misprediction bit supported (IA32_LBR_x_INFO[63]) - 0x1c, 0, ecx, 1, lbr_timed_lbr , Timed LBRs (CPU cycles since last LBR entry) supported - 0x1c, 0, ecx, 2, lbr_branch_type , Branch type field (IA32_LBR_INFO_x[59:56]) supported - 0x1c, 0, ecx, 19:16, lbr_events_gpc_bmp , LBR PMU-events logging support; bitmap for first 4 GP (general-purpose) Counters + 0x1c, 0, eax, 31, lbr_ip_is_lip , LBR IP contain Last IP (otherwise effective IP) + 0x1c, 0, ebx, 0, lbr_cpl , CPL filtering + 0x1c, 0, ebx, 1, lbr_branch_filter , Branch filtering + 0x1c, 0, ebx, 2, lbr_call_stack , Call-stack mode + 0x1c, 0, ecx, 0, lbr_mispredict , Branch misprediction 
bit + 0x1c, 0, ecx, 1, lbr_timed_lbr , Timed LBRs (CPU cycles since last LBR entry) + 0x1c, 0, ecx, 2, lbr_branch_type , Branch type field + 0x1c, 0, ecx, 19:16, lbr_events_gpc_bmp , PMU-events logging support # Leaf 1DH # Intel AMX (Advanced Matrix Extensions) tile information @@ -566,13 +567,13 @@ 0x1d, 1, ecx, 15:0, amx_tile_nr_rows , AMX tile max number of rows # Leaf 1EH -# Intel AMX, TMUL (Tile-matrix MULtiply) accelerator unit enumeration +# Intel TMUL (Tile-matrix Multiply) 0x1e, 0, ebx, 7:0, tmul_maxk , TMUL unit maximum height, K (rows or columns) 0x1e, 0, ebx, 23:8, tmul_maxn , TMUL unit maximum SIMD dimension, N (column bytes) # Leaf 1FH -# Intel extended topology enumeration v2 +# Intel extended topology v2 0x1f, 5:0, eax, 4:0, x2apic_id_shift , Bit width of this level (previous levels inclusive) 0x1f, 5:0, ebx, 15:0, domain_lcpus_count , Logical CPUs count across all instances of this domain @@ -581,13 +582,13 @@ 0x1f, 5:0, edx, 31:0, x2apic_id , x2APIC ID of current logical CPU # Leaf 20H -# Intel HRESET (History Reset) enumeration +# Intel HRESET (History Reset) 0x20, 0, eax, 31:0, hreset_nr_subleaves , CPUID 0x20 max subleaf + 1 - 0x20, 0, ebx, 0, hreset_thread_director , HRESET of Intel thread director is supported + 0x20, 0, ebx, 0, hreset_thread_director , Intel thread director HRESET # Leaf 21H -# Intel TD (Trust Domain) guest execution environment enumeration +# Intel TD (Trust Domain) 0x21, 0, ebx, 31:0, tdx_vendorid_0 , TDX vendor ID string bytes 0 - 3 0x21, 0, ecx, 31:0, tdx_vendorid_2 , CPU vendor ID string bytes 8 - 11 
@@ -596,43 +597,64 @@ # Leaf 23H # Intel Architectural Performance Monitoring Extended (ArchPerfmonExt) - 0x23, 0, eax, 1, subleaf_1_counters , Subleaf 1, PMU counters bitmaps, is valid - 0x23, 0, eax, 3, subleaf_3_events , Subleaf 3, PMU events bitmaps, is valid - 0x23, 0, ebx, 0, unitmask2 , IA32_PERFEVTSELx MSRs UnitMask2 is supported - 0x23, 0, ebx, 1, zbit , IA32_PERFEVTSELx MSRs Z-bit is supported - 0x23, 1, eax, 31:0, pmu_gp_counters_bitmap , General-purpose PMU counters bitmap - 0x23, 1, ebx, 31:0, pmu_f_counters_bitmap , Fixed PMU counters bitmap - 0x23, 3, eax, 0, core_cycles_evt , Core cycles event supported - 0x23, 3, eax, 1, insn_retired_evt , Instructions retired event supported - 0x23, 3, eax, 2, ref_cycles_evt , Reference cycles event supported - 0x23, 3, eax, 3, llc_refs_evt , Last-level cache references event supported - 0x23, 3, eax, 4, llc_misses_evt , Last-level cache misses event supported - 0x23, 3, eax, 5, br_insn_ret_evt , Branch instruction retired event supported - 0x23, 3, eax, 6, br_mispr_evt , Branch mispredict retired event supported - 0x23, 3, eax, 7, td_slots_evt , Topdown slots event supported - 0x23, 3, eax, 8, td_backend_bound_evt , Topdown backend bound event supported - 0x23, 3, eax, 9, td_bad_spec_evt , Topdown bad speculation event supported - 0x23, 3, eax, 10, td_frontend_bound_evt , Topdown frontend bound event supported - 0x23, 3, eax, 11, td_retiring_evt , Topdown retiring event support + 0x23, 0, eax, 0, subleaf_0 , Subleaf 0, this subleaf + 0x23, 0, eax, 1, counters_subleaf , Subleaf 1, PMU counter bitmaps + 0x23, 0, eax, 2, acr_subleaf , Subleaf 2, Auto Counter Reload bitmaps + 0x23, 0, eax, 3, events_subleaf , Subleaf 3, PMU event bitmaps + 0x23, 0, eax, 4, pebs_caps_subleaf , Subleaf 4, PEBS capabilities + 0x23, 0, eax, 5, pebs_subleaf , Subleaf 5, Arch PEBS bitmaps + 0x23, 0, ebx, 0, unitmask2 , IA32_PERFEVTSELx MSRs UnitMask2 bit + 0x23, 0, ebx, 1, eq , IA32_PERFEVTSELx MSRs EQ bit + 0x23, 0, ebx, 2, 
rdpmc_user_disable , RDPMC userspace disable + 0x23, 1, eax, 31:0, gp_counters , Bitmap of general-purpose PMU counters + 0x23, 1, ebx, 31:0, fixed_counters , Bitmap of fixed PMU counters + 0x23, 2, eax, 31:0, acr_gp_reload , Bitmap of general-purpose counters that can be reloaded + 0x23, 2, ebx, 31:0, acr_fixed_reload , Bitmap of fixed counters that can be reloaded + 0x23, 2, ecx, 31:0, acr_gp_trigger , Bitmap of general-purpose counters that can trigger reloads + 0x23, 2, edx, 31:0, acr_fixed_trigger , Bitmap of fixed counters that can trigger reloads + 0x23, 3, eax, 0, core_cycles_evt , Core cycles event + 0x23, 3, eax, 1, insn_retired_evt , Instructions retired event + 0x23, 3, eax, 2, ref_cycles_evt , Reference cycles event + 0x23, 3, eax, 3, llc_refs_evt , Last-level cache references event + 0x23, 3, eax, 4, llc_misses_evt , Last-level cache misses event + 0x23, 3, eax, 5, br_insn_ret_evt , Branch instruction retired event + 0x23, 3, eax, 6, br_mispr_evt , Branch mispredict retired event + 0x23, 3, eax, 7, td_slots_evt , Topdown slots event + 0x23, 3, eax, 8, td_backend_bound_evt , Topdown backend bound event + 0x23, 3, eax, 9, td_bad_spec_evt , Topdown bad speculation event + 0x23, 3, eax, 10, td_frontend_bound_evt , Topdown frontend bound event + 0x23, 3, eax, 11, td_retiring_evt , Topdown retiring event + 0x23, 4, ebx, 3, allow_in_record , ALLOW_IN_RECORD bit in MSRs + 0x23, 4, ebx, 4, counters_gp , Counters group sub-group general-purpose counters + 0x23, 4, ebx, 5, counters_fixed , Counters group sub-group fixed-function counters + 0x23, 4, ebx, 6, counters_metrics , Counters group sub-group performance metrics + 0x23, 4, ebx, 9:8, lbr , LBR group + 0x23, 4, ebx, 23:16, xer , XER group + 0x23, 4, ebx, 29, gpr , GPR group + 0x23, 4, ebx, 30, aux , AUX group + 0x23, 5, eax, 31:0, pebs_gp , Architectural PEBS general-purpose counters + 0x23, 5, ebx, 31:0, pebs_pdist_gp , Architectural PEBS PDIST general-purpose counters + 0x23, 5, ecx, 31:0, pebs_fixed , 
Architectural PEBS fixed counters + 0x23, 5, edx, 31:0, pebs_pdist_fixed , Architectural PEBS PDIST fixed counters # Leaf 40000000H -# Maximum hypervisor standard leaf + hypervisor vendor string +# Maximum hypervisor leaf + hypervisor vendor string -0x40000000, 0, eax, 31:0, max_hyp_leaf , Maximum hypervisor standard leaf number +0x40000000, 0, eax, 31:0, max_hyp_leaf , Maximum hypervisor leaf 0x40000000, 0, ebx, 31:0, hypervisor_id_0 , Hypervisor ID string bytes 0 - 3 0x40000000, 0, ecx, 31:0, hypervisor_id_1 , Hypervisor ID string bytes 4 - 7 0x40000000, 0, edx, 31:0, hypervisor_id_2 , Hypervisor ID string bytes 8 - 11 # Leaf 80000000H -# Maximum extended leaf number + AMD/Transmeta CPU vendor string +# Maximum extended leaf + CPU vendor string -0x80000000, 0, eax, 31:0, max_ext_leaf , Maximum extended CPUID leaf supported +0x80000000, 0, eax, 31:0, max_ext_leaf , Maximum extended CPUID leaf 0x80000000, 0, ebx, 31:0, cpu_vendorid_0 , Vendor ID string bytes 0 - 3 0x80000000, 0, ecx, 31:0, cpu_vendorid_2 , Vendor ID string bytes 8 - 11 0x80000000, 0, edx, 31:0, cpu_vendorid_1 , Vendor ID string bytes 4 - 7 # Leaf 80000001H -# Extended CPU feature identifiers +# Extended CPU features 0x80000001, 0, eax, 3:0, e_stepping_id , Stepping ID 0x80000001, 0, eax, 7:4, e_base_model , Base processor model @@ -723,7 +745,7 @@ 0x80000004, 0, edx, 31:0, cpu_brandid_11 , CPU brand ID string, bytes 44 - 47 # Leaf 80000005H -# AMD/Transmeta L1 cache and L1 TLB enumeration +# AMD/Transmeta L1 cache and TLB 0x80000005, 0, eax, 7:0, l1_itlb_2m_4m_nentries , L1 ITLB #entries, 2M and 4M pages 0x80000005, 0, eax, 15:8, l1_itlb_2m_4m_assoc , L1 ITLB associativity, 2M and 4M pages 
@@ -743,7 +765,7 @@ 0x80000005, 0, edx, 31:24, l1_icache_size_kb , L1 icache size, in KB # Leaf 80000006H -# (Mostly AMD) L2 TLB, L2 cache, and L3 cache enumeration +# (Mostly AMD) L2/L3 cache and TLB 0x80000006, 0, eax, 11:0, l2_itlb_2m_4m_nentries , L2 iTLB #entries, 2M and 4M pages 0x80000006, 0, eax, 15:12, l2_itlb_2m_4m_assoc , L2 iTLB associativity, 2M and 4M pages @@ -763,7 +785,7 @@ 0x80000006, 0, edx, 31:18, l3_size_range , L3 cache size range # Leaf 80000007H -# CPU power management (mostly AMD) and AMD RAS enumeration +# CPU power management (mostly AMD) and AMD RAS 0x80000007, 0, ebx, 0, overflow_recov , MCA overflow conditions not fatal 0x80000007, 0, ebx, 1, succor , Software containment of uncorrectable errors 
@@ -792,14 +814,14 @@ 0x80000008, 0, eax, 7:0, phys_addr_bits , Max physical address bits 0x80000008, 0, eax, 15:8, virt_addr_bits , Max virtual address bits 0x80000008, 0, eax, 23:16, guest_phys_addr_bits , Max nested-paging guest physical address bits -0x80000008, 0, ebx, 0, clzero , CLZERO supported +0x80000008, 0, ebx, 0, clzero , CLZERO instruction 0x80000008, 0, ebx, 1, irperf , Instruction retired counter MSR 0x80000008, 0, ebx, 2, xsaveerptr , XSAVE/XRSTOR always saves/restores FPU error pointers -0x80000008, 0, ebx, 3, invlpgb , INVLPGB broadcasts a TLB invalidate to all threads -0x80000008, 0, ebx, 4, rdpru , RDPRU (Read Processor Register at User level) supported +0x80000008, 0, ebx, 3, invlpgb , INVLPGB broadcasts a TLB invalidate +0x80000008, 0, ebx, 4, rdpru , RDPRU (Read Processor Register at User level) 0x80000008, 0, ebx, 6, mba , Memory Bandwidth Allocation (AMD bit) -0x80000008, 0, ebx, 8, mcommit , MCOMMIT (Memory commit) supported -0x80000008, 0, ebx, 9, wbnoinvd , WBNOINVD supported +0x80000008, 0, ebx, 8, mcommit , MCOMMIT instruction +0x80000008, 0, ebx, 9, wbnoinvd , WBNOINVD instruction 0x80000008, 0, ebx, 12, amd_ibpb , Indirect Branch Prediction Barrier 0x80000008, 0, ebx, 13, wbinvd_int , Interruptible WBINVD/WBNOINVD 0x80000008, 0, ebx, 14, amd_ibrs , Indirect Branch Restricted Speculation 
@@ -808,8 +830,8 @@ 0x80000008, 0, ebx, 17, amd_stibp_always_on , STIBP always-on preferred 0x80000008, 0, ebx, 18, ibrs_fast , IBRS is preferred over software solution 0x80000008, 0, ebx, 19, ibrs_same_mode , IBRS provides same mode protection -0x80000008, 0, ebx, 20, no_efer_lmsle , EFER[LMSLE] bit (Long-Mode Segment Limit Enable) unsupported -0x80000008, 0, ebx, 21, tlb_flush_nested , INVLPGB RAX[5] bit can be set (nested translations) +0x80000008, 0, ebx, 20, no_efer_lmsle , Long-Mode Segment Limit Enable unsupported +0x80000008, 0, ebx, 21, tlb_flush_nested , INVLPGB RAX[5] bit can be set 0x80000008, 0, ebx, 23, amd_ppin , Protected Processor Inventory Number 0x80000008, 0, ebx, 24, amd_ssbd , Speculative Store Bypass Disable 0x80000008, 0, ebx, 25, virt_ssbd , virtualized SSBD (Speculative Store Bypass Disable) @@ -818,7 +840,7 @@ 0x80000008, 0, ebx, 28, amd_psfd , Predictive Store Forward Disable 0x80000008, 0, ebx, 29, btc_no , CPU not affected by Branch Type Confusion 0x80000008, 0, ebx, 30, ibpb_ret , IBPB clears RSB/RAS too -0x80000008, 0, ebx, 31, brs , Branch Sampling supported +0x80000008, 0, ebx, 31, brs , Branch Sampling 0x80000008, 0, ecx, 7:0, cpu_nthreads , Number of physical threads - 1 0x80000008, 0, ecx, 15:12, apicid_coreid_len , Number of thread core ID bits (shift) in APIC ID 0x80000008, 0, ecx, 17:16, perf_tsc_len , Performance time-stamp counter size @@ -826,10 +848,11 @@ 0x80000008, 0, edx, 31:16, rdpru_max_reg_id , RDPRU max register ID (ECX input) # Leaf 8000000AH -# AMD SVM (Secure Virtual Machine) enumeration +# AMD SVM (Secure Virtual Machine) 0x8000000a, 0, eax, 7:0, svm_version , SVM revision number 0x8000000a, 0, ebx, 31:0, svm_nasid , Number of address space identifiers (ASID) +0x8000000a, 0, ecx, 4, pml , Page Modification Logging (PML) 0x8000000a, 0, edx, 0, npt , Nested paging 0x8000000a, 0, edx, 1, lbrv , LBR virtualization 0x8000000a, 0, edx, 2, svm_lock , SVM lock 
@@ -856,7 +879,7 @@ 0x8000000a, 0, edx, 28, svme_addr_chk , Guest SVME address check # Leaf 80000019H -# AMD TLB 1G-pages enumeration +# AMD TLB characteristics for 1GB pages 0x80000019, 0, eax, 11:0, l1_itlb_1g_nentries , L1 iTLB #entries, 1G pages 0x80000019, 0, eax, 15:12, l1_itlb_1g_assoc , L1 iTLB associativity, 1G pages 
@@ -868,64 +891,64 @@ 0x80000019, 0, ebx, 31:28, l2_dtlb_1g_assoc , L2 dTLB associativity, 1G pages # Leaf 8000001AH -# AMD instruction optimizations enumeration +# AMD instruction optimizations 0x8000001a, 0, eax, 0, fp_128 , Internal FP/SIMD exec data path is 128-bits wide 0x8000001a, 0, eax, 1, movu_preferred , SSE: MOVU* better than MOVL*/MOVH* 0x8000001a, 0, eax, 2, fp_256 , internal FP/SSE exec data path is 256-bits wide # Leaf 8000001BH -# AMD IBS (Instruction-Based Sampling) enumeration +# AMD IBS (Instruction-Based Sampling) -0x8000001b, 0, eax, 0, ibs_flags_valid , IBS feature flags valid -0x8000001b, 0, eax, 1, ibs_fetch_sampling , IBS fetch sampling supported -0x8000001b, 0, eax, 2, ibs_op_sampling , IBS execution sampling supported -0x8000001b, 0, eax, 3, ibs_rdwr_op_counter , IBS read/write of op counter supported -0x8000001b, 0, eax, 4, ibs_op_count , IBS OP counting mode supported -0x8000001b, 0, eax, 5, ibs_branch_target , IBS branch target address reporting supported +0x8000001b, 0, eax, 0, ibs_flags , IBS feature flags +0x8000001b, 0, eax, 1, ibs_fetch_sampling , IBS fetch sampling +0x8000001b, 0, eax, 2, ibs_op_sampling , IBS execution sampling +0x8000001b, 0, eax, 3, ibs_rdwr_op_counter , IBS read/write of op counter +0x8000001b, 0, eax, 4, ibs_op_count , IBS OP counting mode +0x8000001b, 0, eax, 5, ibs_branch_target , IBS branch target address reporting 0x8000001b, 0, eax, 6, ibs_op_counters_ext , IBS IbsOpCurCnt/IbsOpMaxCnt extend by 7 bits -0x8000001b, 0, eax, 7, ibs_rip_invalid_chk , IBS invalid RIP indication supported -0x8000001b, 0, eax, 8, ibs_op_branch_fuse , IBS fused branch micro-op indication supported -0x8000001b, 0, eax, 9, ibs_fetch_ctl_ext , IBS Fetch Control Extended MSR (0xc001103c) supported -0x8000001b, 0, eax, 10, ibs_op_data_4 , IBS op data 4 MSR supported -0x8000001b, 0, eax, 11, ibs_l3_miss_filter , IBS L3-miss filtering supported (Zen4+) +0x8000001b, 0, eax, 7, ibs_rip_invalid_chk , IBS invalid RIP indication 
+0x8000001b, 0, eax, 8, ibs_op_branch_fuse , IBS fused branch micro-op indication +0x8000001b, 0, eax, 9, ibs_fetch_ctl_ext , IBS Fetch Control Extended MSR +0x8000001b, 0, eax, 10, ibs_op_data_4 , IBS op data 4 MSR +0x8000001b, 0, eax, 11, ibs_l3_miss_filter , IBS L3-miss filtering (Zen4+) # Leaf 8000001CH # AMD LWP (Lightweight Profiling) -0x8000001c, 0, eax, 0, os_lwp_avail , LWP is available to application programs (supported by OS) -0x8000001c, 0, eax, 1, os_lpwval , LWPVAL instruction is supported by OS -0x8000001c, 0, eax, 2, os_lwp_ire , Instructions Retired Event is supported by OS -0x8000001c, 0, eax, 3, os_lwp_bre , Branch Retired Event is supported by OS -0x8000001c, 0, eax, 4, os_lwp_dme , Dcache Miss Event is supported by OS -0x8000001c, 0, eax, 5, os_lwp_cnh , CPU Clocks Not Halted event is supported by OS -0x8000001c, 0, eax, 6, os_lwp_rnh , CPU Reference clocks Not Halted event is supported by OS -0x8000001c, 0, eax, 29, os_lwp_cont , LWP sampling in continuous mode is supported by OS -0x8000001c, 0, eax, 30, os_lwp_ptsc , Performance Time Stamp Counter in event records is supported by OS -0x8000001c, 0, eax, 31, os_lwp_int , Interrupt on threshold overflow is supported by OS -0x8000001c, 0, ebx, 7:0, lwp_lwpcb_sz , LWP Control Block size, in quadwords -0x8000001c, 0, ebx, 15:8, lwp_event_sz , LWP event record size, in bytes -0x8000001c, 0, ebx, 23:16, lwp_max_events , LWP max supported EventID value (EventID 255 not included) -0x8000001c, 0, ebx, 31:24, lwp_event_offset , LWP events area offset in the LWP Control Block -0x8000001c, 0, ecx, 4:0, lwp_latency_max , Number of bits in cache latency counters (10 to 31) -0x8000001c, 0, ecx, 5, lwp_data_adddr , Cache miss events report the data address of the reference -0x8000001c, 0, ecx, 8:6, lwp_latency_rnd , Amount by which cache latency is rounded -0x8000001c, 0, ecx, 15:9, lwp_version , LWP implementation version -0x8000001c, 0, ecx, 23:16, lwp_buf_min_sz , LWP event ring buffer min size, in units 
of 32 event records +0x8000001c, 0, eax, 0, os_lwp_avail , OS: LWP is available to application programs +0x8000001c, 0, eax, 1, os_lpwval , OS: LWPVAL instruction +0x8000001c, 0, eax, 2, os_lwp_ire , OS: Instructions Retired Event +0x8000001c, 0, eax, 3, os_lwp_bre , OS: Branch Retired Event +0x8000001c, 0, eax, 4, os_lwp_dme , OS: Dcache Miss Event +0x8000001c, 0, eax, 5, os_lwp_cnh , OS: CPU Clocks Not Halted event +0x8000001c, 0, eax, 6, os_lwp_rnh , OS: CPU Reference clocks Not Halted event +0x8000001c, 0, eax, 29, os_lwp_cont , OS: LWP sampling in continuous mode +0x8000001c, 0, eax, 30, os_lwp_ptsc , OS: Performance Time Stamp Counter in event records +0x8000001c, 0, eax, 31, os_lwp_int , OS: Interrupt on threshold overflow +0x8000001c, 0, ebx, 7:0, lwp_lwpcb_sz , Control Block size, in quadwords +0x8000001c, 0, ebx, 15:8, lwp_event_sz , Event record size, in bytes +0x8000001c, 0, ebx, 23:16, lwp_max_events , Max EventID supported +0x8000001c, 0, ebx, 31:24, lwp_event_offset , Control Block events area offset +0x8000001c, 0, ecx, 4:0, lwp_latency_max , Cache latency counters number of bits +0x8000001c, 0, ecx, 5, lwp_data_addr , Cache miss events report data cache address +0x8000001c, 0, ecx, 8:6, lwp_latency_rnd , Cache latency rounding amount +0x8000001c, 0, ecx, 15:9, lwp_version , LWP version +0x8000001c, 0, ecx, 23:16, lwp_buf_min_sz , LWP event ring buffer min size, 32 event records units 0x8000001c, 0, ecx, 28, lwp_branch_predict , Branches Retired events can be filtered -0x8000001c, 0, ecx, 29, lwp_ip_filtering , IP filtering (IPI, IPF, BaseIP, and LimitIP @ LWPCP) supported -0x8000001c, 0, ecx, 30, lwp_cache_levels , Cache-related events can be filtered by cache level -0x8000001c, 0, ecx, 31, lwp_cache_latency , Cache-related events can be filtered by latency -0x8000001c, 0, edx, 0, hw_lwp_avail , LWP is available in hardware -0x8000001c, 0, edx, 1, hw_lpwval , LWPVAL instruction is available in hardware -0x8000001c, 0, edx, 2, hw_lwp_ire , 
Instructions Retired Event is available in hardware -0x8000001c, 0, edx, 3, hw_lwp_bre , Branch Retired Event is available in hardware -0x8000001c, 0, edx, 4, hw_lwp_dme , Dcache Miss Event is available in hardware -0x8000001c, 0, edx, 5, hw_lwp_cnh , Clocks Not Halted event is available in hardware -0x8000001c, 0, edx, 6, hw_lwp_rnh , Reference clocks Not Halted event is available in hardware -0x8000001c, 0, edx, 29, hw_lwp_cont , LWP sampling in continuous mode is available in hardware -0x8000001c, 0, edx, 30, hw_lwp_ptsc , Performance Time Stamp Counter in event records is available in hardware -0x8000001c, 0, edx, 31, hw_lwp_int , Interrupt on threshold overflow is available in hardware +0x8000001c, 0, ecx, 29, lwp_ip_filtering , IP filtering (IPI, IPF, BaseIP, and LimitIP @ LWPCP) +0x8000001c, 0, ecx, 30, lwp_cache_levels , Cache-related events: filter by cache level +0x8000001c, 0, ecx, 31, lwp_cache_latency , Cache-related events: filter by latency +0x8000001c, 0, edx, 0, hw_lwp_avail , HW: LWP available +0x8000001c, 0, edx, 1, hw_lpwval , HW: LWPVAL available +0x8000001c, 0, edx, 2, hw_lwp_ire , HW: Instructions Retired Event +0x8000001c, 0, edx, 3, hw_lwp_bre , HW: Branch Retired Event +0x8000001c, 0, edx, 4, hw_lwp_dme , HW: Dcache Miss Event +0x8000001c, 0, edx, 5, hw_lwp_cnh , HW: Clocks Not Halted event +0x8000001c, 0, edx, 6, hw_lwp_rnh , HW: Reference clocks Not Halted event +0x8000001c, 0, edx, 29, hw_lwp_cont , HW: LWP sampling in continuous mode +0x8000001c, 0, edx, 30, hw_lwp_ptsc , HW: Performance Time Stamp Counter in event records +0x8000001c, 0, edx, 31, hw_lwp_int , HW: Interrupt on threshold overflow # Leaf 8000001DH # AMD deterministic cache parameters 
@@ -943,49 +966,49 @@ 0x8000001d, 31:0, edx, 1, ll_inclusive , Cache is inclusive of Lower-Level caches # Leaf 8000001EH -# AMD CPU topology enumeration +# AMD CPU topology 0x8000001e, 0, eax, 31:0, ext_apic_id , Extended APIC ID 0x8000001e, 0, ebx, 7:0, core_id , Unique per-socket logical core unit ID -0x8000001e, 0, ebx, 15:8, core_nthreas , #Threads per core (zero-based) +0x8000001e, 0, ebx, 15:8, core_nthreads , #Threads per core (zero-based) 0x8000001e, 0, ecx, 7:0, node_id , Node (die) ID of invoking logical CPU 0x8000001e, 0, ecx, 10:8, nnodes_per_socket , #nodes in invoking logical CPU's package/socket # Leaf 8000001FH -# AMD encrypted memory capabilities enumeration (SME/SEV) +# AMD encrypted memory capabilities (SME/SEV) -0x8000001f, 0, eax, 0, sme , Secure Memory Encryption supported -0x8000001f, 0, eax, 1, sev , Secure Encrypted Virtualization supported -0x8000001f, 0, eax, 2, vm_page_flush , VM Page Flush MSR (0xc001011e) available -0x8000001f, 0, eax, 3, sev_es , SEV Encrypted State supported -0x8000001f, 0, eax, 4, sev_nested_paging , SEV secure nested paging supported -0x8000001f, 0, eax, 5, vm_permission_levels , VMPL supported -0x8000001f, 0, eax, 6, rpmquery , RPMQUERY instruction supported -0x8000001f, 0, eax, 7, vmpl_sss , VMPL supervisor shadow stack supported -0x8000001f, 0, eax, 8, secure_tsc , Secure TSC supported +0x8000001f, 0, eax, 0, sme , Secure Memory Encryption +0x8000001f, 0, eax, 1, sev , Secure Encrypted Virtualization +0x8000001f, 0, eax, 2, vm_page_flush , VM Page Flush MSR +0x8000001f, 0, eax, 3, sev_es , SEV Encrypted State +0x8000001f, 0, eax, 4, sev_nested_paging , SEV secure nested paging +0x8000001f, 0, eax, 5, vm_permission_levels , VMPL +0x8000001f, 0, eax, 6, rpmquery , RPMQUERY instruction +0x8000001f, 0, eax, 7, vmpl_sss , VMPL supervisor shadow stack +0x8000001f, 0, eax, 8, secure_tsc , Secure TSC 0x8000001f, 0, eax, 9, v_tsc_aux , Hardware virtualizes TSC_AUX -0x8000001f, 0, eax, 10, sme_coherent , Cache coherency 
is enforced across encryption domains +0x8000001f, 0, eax, 10, sme_coherent , Cache coherency enforcement across encryption domains 0x8000001f, 0, eax, 11, req_64bit_hypervisor , SEV guest mandates 64-bit hypervisor 0x8000001f, 0, eax, 12, restricted_injection , Restricted Injection supported 0x8000001f, 0, eax, 13, alternate_injection , Alternate Injection supported -0x8000001f, 0, eax, 14, debug_swap , SEV-ES: full debug state swap is supported -0x8000001f, 0, eax, 15, disallow_host_ibs , SEV-ES: Disallowing IBS use by the host is supported +0x8000001f, 0, eax, 14, debug_swap , SEV-ES: Full debug state swap +0x8000001f, 0, eax, 15, disallow_host_ibs , SEV-ES: Disallowing IBS use by the host 0x8000001f, 0, eax, 16, virt_transparent_enc , Virtual Transparent Encryption -0x8000001f, 0, eax, 17, vmgexit_paremeter , VmgexitParameter is supported in SEV_FEATURES -0x8000001f, 0, eax, 18, virt_tom_msr , Virtual TOM MSR is supported -0x8000001f, 0, eax, 19, virt_ibs , IBS state virtualization is supported for SEV-ES guests -0x8000001f, 0, eax, 24, vmsa_reg_protection , VMSA register protection is supported -0x8000001f, 0, eax, 25, smt_protection , SMT protection is supported -0x8000001f, 0, eax, 28, svsm_page_msr , SVSM communication page MSR (0xc001f000) is supported -0x8000001f, 0, eax, 29, nested_virt_snp_msr , VIRT_RMPUPDATE/VIRT_PSMASH MSRs are supported -0x8000001f, 0, ebx, 5:0, pte_cbit_pos , PTE bit number used to enable memory encryption -0x8000001f, 0, ebx, 11:6, phys_addr_reduction_nbits, Reduction of phys address space when encryption is enabled, in bits -0x8000001f, 0, ebx, 15:12, vmpl_count , Number of VM permission levels (VMPL) supported -0x8000001f, 0, ecx, 31:0, enc_guests_max , Max supported number of simultaneous encrypted guests +0x8000001f, 0, eax, 17, vmgexit_parameter , SEV_FEATURES: VmgexitParameter +0x8000001f, 0, eax, 18, virt_tom_msr , Virtual TOM MSR +0x8000001f, 0, eax, 19, virt_ibs , SEV-ES guests: IBS state virtualization +0x8000001f, 0, 
eax, 24, vmsa_reg_protection , VMSA register protection +0x8000001f, 0, eax, 25, smt_protection , SMT protection +0x8000001f, 0, eax, 28, svsm_page_msr , SVSM communication page MSR +0x8000001f, 0, eax, 29, nested_virt_snp_msr , VIRT_RMPUPDATE/VIRT_PSMASH MSRs +0x8000001f, 0, ebx, 5:0, pte_cbit_pos , PTE bit number to enable memory encryption +0x8000001f, 0, ebx, 11:6, phys_addr_reduction_nbits, Reduction of phys address space in bits +0x8000001f, 0, ebx, 15:12, vmpl_count , Number of VM permission levels (VMPL) +0x8000001f, 0, ecx, 31:0, enc_guests_max , Max number of simultaneous encrypted guests 0x8000001f, 0, edx, 31:0, min_sev_asid_no_sev_es , Minimum ASID for SEV-enabled SEV-ES-disabled guest # Leaf 80000020H -# AMD Platform QoS extended feature IDs +# AMD PQoS (Platform QoS) extended features 0x80000020, 0, ebx, 1, mba , Memory Bandwidth Allocation support 0x80000020, 0, ebx, 2, smba , Slow Memory Bandwidth Allocation support @@ -1007,7 +1030,7 @@ 0x80000020, 3, ecx, 6, bmec_all_dirty_victims , Dirty QoS victims to all types of memory can be tracked # Leaf 80000021H -# AMD extended features enumeration 2 +# AMD extended CPU features 2 0x80000021, 0, eax, 0, no_nested_data_bp , No nested data breakpoints 0x80000021, 0, eax, 1, fsgs_non_serializing , WRMSR to {FS,GS,KERNEL_GS}_BASE is non-serializing 
@@ -1016,43 +1039,43 @@ 0x80000021, 0, eax, 6, null_sel_clr_base , Null selector clears base 0x80000021, 0, eax, 7, upper_addr_ignore , EFER MSR Upper Address Ignore 0x80000021, 0, eax, 8, autoibrs , EFER MSR Automatic IBRS -0x80000021, 0, eax, 9, no_smm_ctl_msr , SMM_CTL MSR (0xc0010116) is not available +0x80000021, 0, eax, 9, no_smm_ctl_msr , SMM_CTL MSR not available 0x80000021, 0, eax, 10, fsrs , Fast Short Rep STOSB 0x80000021, 0, eax, 11, fsrc , Fast Short Rep CMPSB -0x80000021, 0, eax, 13, prefetch_ctl_msr , Prefetch control MSR is available +0x80000021, 0, eax, 13, prefetch_ctl_msr , Prefetch control MSR 0x80000021, 0, eax, 16, opcode_reclaim , Reserves opcode space -0x80000021, 0, eax, 17, user_cpuid_disable , #GP when executing CPUID at CPL > 0 is supported +0x80000021, 0, eax, 17, user_cpuid_disable , #GP when executing CPUID at CPL > 0 0x80000021, 0, eax, 18, epsf , Enhanced Predictive Store Forwarding 0x80000021, 0, eax, 22, wl_feedback , Workload-based heuristic feedback to OS 0x80000021, 0, eax, 24, eraps , Enhanced Return Address Predictor Security 0x80000021, 0, eax, 27, sbpb , Selective Branch Predictor Barrier 0x80000021, 0, eax, 28, ibpb_brtype , Branch predictions flushed from CPU branch predictor -0x80000021, 0, eax, 29, srso_no , CPU is not subject to the SRSO vulnerability -0x80000021, 0, eax, 30, srso_uk_no , CPU is not vulnerable to SRSO at user-kernel boundary -0x80000021, 0, eax, 31, srso_msr_fix , Software may use MSR BP_CFG[BpSpecReduce] to mitigate SRSO -0x80000021, 0, ebx, 15:0, microcode_patch_size , Size of microcode patch, in 16-byte units +0x80000021, 0, eax, 29, srso_no , No SRSO vulnerability +0x80000021, 0, eax, 30, srso_uk_no , No SRSO at user-kernel boundary +0x80000021, 0, eax, 31, srso_msr_fix , MSR BP_CFG[BpSpecReduce] SRSO mitigation +0x80000021, 0, ebx, 15:0, microcode_patch_size , Microcode patch size, in 16-byte units 0x80000021, 0, ebx, 23:16, rap_size , Return Address Predictor size # Leaf 80000022H -# AMD 
Performance Monitoring v2 enumeration +# AMD extended performance monitoring -0x80000022, 0, eax, 0, perfmon_v2 , Performance monitoring v2 supported +0x80000022, 0, eax, 0, perfmon_v2 , Performance monitoring v2 0x80000022, 0, eax, 1, lbr_v2 , Last Branch Record v2 extensions (LBR Stack) -0x80000022, 0, eax, 2, lbr_pmc_freeze , Freezing core performance counters / LBR Stack supported +0x80000022, 0, eax, 2, lbr_pmc_freeze , Freezing core performance counters / LBR Stack 0x80000022, 0, ebx, 3:0, n_pmc_core , Number of core performance counters -0x80000022, 0, ebx, 9:4, lbr_v2_stack_size , Number of available LBR stack entries -0x80000022, 0, ebx, 15:10, n_pmc_northbridge , Number of available northbridge (data fabric) performance counters -0x80000022, 0, ebx, 21:16, n_pmc_umc , Number of available UMC performance counters +0x80000022, 0, ebx, 9:4, lbr_v2_stack_size , Number of LBR stack entries +0x80000022, 0, ebx, 15:10, n_pmc_northbridge , Number of northbridge performance counters +0x80000022, 0, ebx, 21:16, n_pmc_umc , Number of UMC performance counters 0x80000022, 0, ecx, 31:0, active_umc_bitmask , Active UMCs bitmask # Leaf 80000023H -# AMD Secure Multi-key Encryption enumeration +# AMD multi-key encrypted memory -0x80000023, 0, eax, 0, mem_hmk_mode , MEM-HMK encryption mode is supported -0x80000023, 0, ebx, 15:0, mem_hmk_avail_keys , MEM-HMK mode: total number of available encryption keys +0x80000023, 0, eax, 0, mem_hmk_mode , MEM-HMK encryption mode +0x80000023, 0, ebx, 15:0, mem_hmk_avail_keys , Total number of available encryption keys # Leaf 80000026H -# AMD extended topology enumeration v2 +# AMD extended CPU topology 0x80000026, 3:0, eax, 4:0, x2apic_id_shift , Bit width of this level (previous levels inclusive) 0x80000026, 3:0, eax, 29, core_has_pwreff_ranking, This core has a power efficiency ranking 
@@ -1067,15 +1090,15 @@ 0x80000026, 3:0, edx, 31:0, x2apic_id , x2APIC ID of current logical CPU # Leaf 80860000H -# Maximum Transmeta leaf number + CPU vendor ID string +# Maximum Transmeta leaf + CPU vendor string -0x80860000, 0, eax, 31:0, max_tra_leaf , Maximum supported Transmeta leaf number +0x80860000, 0, eax, 31:0, max_tra_leaf , Maximum Transmeta leaf 0x80860000, 0, ebx, 31:0, cpu_vendorid_0 , Transmeta Vendor ID string bytes 0 - 3 0x80860000, 0, ecx, 31:0, cpu_vendorid_2 , Transmeta Vendor ID string bytes 8 - 11 0x80860000, 0, edx, 31:0, cpu_vendorid_1 , Transmeta Vendor ID string bytes 4 - 7 # Leaf 80860001H -# Transmeta extended CPU information +# Transmeta extended CPU features 0x80860001, 0, eax, 3:0, stepping , Stepping ID 0x80860001, 0, eax, 7:4, base_model , Base CPU model ID @@ -1091,7 +1114,7 @@ 0x80860001, 0, edx, 3, lrti , LongRun Table Interface # Leaf 80860002H -# Transmeta Code Morphing Software (CMS) enumeration +# Transmeta CMS (Code Morphing Software) 0x80860002, 0, eax, 31:0, cpu_rev_id , CPU revision ID 0x80860002, 0, ebx, 7:0, cms_rev_mask_2 , CMS revision ID, mask component 2 @@ -1141,9 +1164,9 @@ 0x80860007, 0, edx, 31:0, cpu_cur_gate_delay , Current CPU gate delay, in femtoseconds # Leaf C0000000H -# Maximum Centaur/Zhaoxin leaf number +# Maximum Centaur/Zhaoxin leaf -0xc0000000, 0, eax, 31:0, max_cntr_leaf , Maximum Centaur/Zhaoxin leaf number +0xc0000000, 0, eax, 31:0, max_cntr_leaf , Maximum Centaur/Zhaoxin leaf # Leaf C0000001H # Centaur/Zhaoxin extended CPU features
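Review bot: the added `kl_cpl0_only` line in the leaf 0x19 hunk writes "CPL0-only key Locker restriction" with a capital L, while the other added key locker lines write "key locker". Lowercase it so the descriptions stay uniform.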
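Review bot: `lbr_depth_mask` in the leaf 0x1c hunk (@@ -535,25 +543,18 @@) no longer says how the mask is decoded. The eight removed `lbr_depth_8` ... `lbr_depth_64` lines documented that bit n stands for a depth of 8 * (n + 1) entries; "Max LBR stack depth bitmask" leaves that to the reader. Suggest a description along the lines of "LBR stack depth bitmask, bit n = 8 * (n + 1) entries", and check that nothing keyed on the eight old names is left behind.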
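Review bot: the subleaf 4 names added in the leaf 0x23 hunk (@@ -596,43 +597,64 @@) are too generic to stand on their own: `lbr`, `xer`, `gpr`, `aux`, `counters_gp`. Subleaf 5 already uses a `pebs_` prefix (`pebs_gp`, `pebs_fixed`), so `pebs_lbr`, `pebs_xer` and so on would match it and would not be confused with the leaf 0x1c `lbr_*` fields. The same hunk renames `zbit` to `eq` and drops the `pmu_` prefix from the counter bitmaps; anything that refers to the old names needs updating in the same series.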
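Review bot: in the leaf 0x80000008 hunk at @@ -808,8 +830,8 @@, the shortened `tlb_flush_nested` description "INVLPGB RAX[5] bit can be set" drops "(nested translations)", which was the only part that said what the bit is for. Keep it, e.g. "INVLPGB RAX[5] (nested translations) can be set". The `no_efer_lmsle` line likewise loses the EFER[LMSLE] reference that a reader would search for.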
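Review bot: the `pml` line added for leaf 0x8000000a ECX bit 4 (@@ -826,10 +848,11 @@) is a new field, unlike the description-only edits around it. Call it out in the changelog, or split it into its own patch, so it does not get lost in the wording cleanup.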
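Review bot: the LWP part of the @@ -868,64 +891,64 @@ hunk fixes `lwp_data_adddr` to `lwp_data_addr` but rewrites the `os_lpwval` and `hw_lpwval` lines without fixing their names. The instruction is LWPVAL, so these should become `os_lwpval` and `hw_lwpval` in the same pass. In the IBS part, renaming `ibs_flags_valid` to `ibs_flags` with the description "IBS feature flags" hides that bit 0 only reports whether the remaining bits are valid; keep "valid" in either the name or the description.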
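Review bot: `restricted_injection` and `alternate_injection` in the leaf 0x8000001f part of the @@ -943,49 +966,49 @@ hunk still end in "supported", while every line changed around them drops that word. They are context lines here, so pull them into the cleanup. Also, `phys_addr_reduction_nbits` now reads "Reduction of phys address space in bits" and no longer says that the reduction applies when encryption is enabled, which is the condition a reader needs.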
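Review bot: the leaf 0x80000026 header in the @@ -1016,43 +1039,43 @@ hunk becomes "AMD extended CPU topology" and loses "v2", while the Intel leaf 0x1f header earlier in this patch keeps it ("Intel extended topology v2"). Pick one form for both. In the same hunk, `n_pmc_northbridge` loses "(data fabric)" and `no_smm_ctl_msr` loses the MSR address 0xc0010116, neither of which the field name conveys.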