A processor has many internal control registers that are normally accessible only by microcode. An example is a bus control register, which controls details such as timing on the processor bus, the exact bus protocols to be used, etc. In the process of testing and debugging a system in which the processor is employed, it is often desirable for the tester/debugger to be able to execute an external program to set (or read) these internal control registers. For example, the tester/debugger might want to try different timing on the processor bus. Furthermore, it is often desirable to access these internal registers as part of the manufacturing test process.
The x86 architecture, for example, includes the RDMSR and WRMSR instructions in its instruction set to read and write model specific registers (MSRs). A tester/debugger may access the internal control registers of an x86 processor via the RDMSR and WRMSR instructions. However, if not used correctly, accessing some of the internal control registers can cause the processor to work incorrectly, work slowly, or not work at all. Additionally, accessing some of the internal control registers can enable the user to bypass security mechanisms, e.g., allowing ring 0 access at ring 3. In addition, these control registers may reveal information that the processor designers wish to keep proprietary. For these reasons, the various x86 processor manufacturers have not publicly documented any description of the address or function of some control MSRs.
Nevertheless, the existence and location of the undocumented control MSRs are easily found by programmers, who typically then publish their findings for all to use. Furthermore, a processor manufacturer may need to disclose the addresses and description of the control MSRs to its customers for their testing and debugging purposes. The disclosure to the customer may result in the secret of the control MSRs becoming widely known, and thus usable by anyone on any processor.
A more rigorous approach goes a step further and requires that a secret “access key” be placed in a register prior to execution of a RDMSR/WRMSR to access a protected MSR. If the access key value is not correct, the RDMSR/WRMSR fails and the processor does not read/write the specified MSR. In theory, the key value must be obtained from the processor manufacturer. Unfortunately, soon after the manufacturer provides the key value to one customer, it may get publicized and other unauthorized people can use the publicized access key to access the control registers.