Alternate Instruction Set

Last updated

The Alternate Instruction Set (AIS) is a second 32-bit instruction set architecture found in some x86 CPUs made by VIA Technologies. On these VIA C3 processors, the second hidden processor mode is accessed by executing the x86 instruction ALTINST (0F 3F). If AIS mode has been enabled, the processor will perform a JMP EAX [1] and begin executing AIS instructions at the address of the EAX register. Using AIS allows native access to the Centaur Technology-designed RISC core inside the processor. [2]

Contents

Instruction format

Register mapping between AIS and x86
AIS numberx86 name
R0EAX
R1ECX
R2EDX
R3EBX
R4ESP
R5EBP
R6ESI
R7EDI
R8‒R15

The manufacturer describes the Alternate Instruction Set as "an extended set of integer, MMX, floating-point, and 3DNow! instructions along with additional registers and some more powerful instruction forms". [1] Every AIS instruction is prefixed with the 3-byte sequence 0x8D8400 followed by the 32-bit instruction; this prefix form for the AIS instructions makes them appear to be x86 Load Effective Address (LEA) instructions. In 2018 researcher Christopher Domas reported that the prefix 0x620405 (x86 BOUND) also worked.

A proposal made in 2002 to add AIS support to the Netwide Assembler (NASM) was partially declined in 2005, on the basis that NASM was an x86 assembler, and AIS is a separate instruction set. [3] An assembler is available from Domas's 2018 research. [4]

In 2007 a patent named some microcode instructions as load and store to/from main RAM, and loadPRAM and storePRAM to/from private-RAM inside the processor. [5] The Centaur Technologies verification team, in a 2014 paper about the VIA Nano, included some short lists of micro-instructions including ADDIG, JLINK, JMP_ALL, MVIG, NLOOPE, STORE_PRAM, plus micro-operations XADD and XSUB. Micro-operations were shown to have a format that includes the fields opcode, exec unit, src width, src1, src2, dest width, dest, write flags? and end routine?. [6]

Availability

From x86 mode, the availability of the Alternate Instruction Set can be detected by executing a CPUID with the EAX register set to 0xc0000001 and then examining the EDX register. If EDX bit 0 is set to 1, then AIS is supported. If EDX bit 1 is also set to 1, then AIS is enabled. [7] If AIS is supported by the CPU, then its status can be checked and altered through the Model-specific registers, by checking and setting the Feature Control Register (FCR, register 0x1107). If bit 0 ("ALTINST") is set to 1, then AIS is enabled. [7]

The Microsoft Windows NT kernel KiGetFeatureBits() initialisation function proactively disables Alternate Instruction mode on boot up. [8] If the x86 ALTINST jump instruction is executed when AIS mode is disabled, then the processor will generate an Invalid Instruction exception. [9] Setting the AIS-enabled bit requires privileged access, and should be set using a read-modify-write sequence. [9]

Privilege elevation

In 2018 Christopher Domas discovered that some Samuel 2 processors came with the Alternate Instruction Set enabled by default and that by executing AIS instructions from user space, it was possible to gain privilege escalation from Ring 3 to Ring 0. [4] Domas had partially reverse engineered the AIS instruction set using automated fuzzing against a cluster of seven thin clients. [10] Domas used the terms "deeply embedded core" (DEC) plus "deeply embedded instruction set" (DEIS) for the RISC instruction set, "launch instruction" for ALTINST, "bridge instruction" for the x86 prefix wrapper, "global configuration register" for the Feature Control Register (FCR), and documented the privilege escalation with the name "Rosenbridge". [4]

See also

Related Research Articles

A complex instruction set computer is a computer architecture in which single instructions can execute several low-level operations or are capable of multi-step operations or addressing modes within single instructions. The term was retroactively coined in contrast to reduced instruction set computer (RISC) and has therefore become something of an umbrella term for everything that is not RISC, where the typical differentiating characteristic is that most RISC designs use uniform instruction length for almost all instructions, and employ strictly separate load and store instructions.

<span class="mw-page-title-main">Intel 8086</span> 16-bit microprocessor

The 8086 is a 16-bit microprocessor chip designed by Intel between early 1976 and June 8, 1978, when it was released. The Intel 8088, released July 1, 1979, is a slightly modified chip with an external 8-bit data bus, and is notable as the processor used in the original IBM PC design.

In processor design, microcode (μcode) is a technique that interposes a layer of computer organization between the central processing unit (CPU) hardware and the programmer-visible instruction set architecture of a computer. Microcode is a layer of hardware-level instructions that implement higher-level machine code instructions or internal finite-state machine sequencing in many digital processing elements. Microcode is used in general-purpose central processing units, although in current desktop CPUs, it can be a fallback path for cases that the faster hardwired control unit cannot handle.

<span class="mw-page-title-main">Reduced instruction set computer</span> Processor executing one instruction in minimal clock cycles

In computer engineering, a reduced instruction set computer (RISC) is a computer architecture designed to simplify the individual instructions given to the computer to accomplish tasks. Compared to the instructions given to a complex instruction set computer (CISC), a RISC computer might require more instructions in order to accomplish a task because the individual instructions are written in simpler code. The goal is to offset the need to process more instructions by increasing the speed of each instruction, in particular by implementing an instruction pipeline, which may be simpler given simpler instructions.

x86 Family of instruction set architectures

x86 is a family of complex instruction set computer (CISC) instruction set architectures initially developed by Intel based on the Intel 8086 microprocessor and its 8088 variant. The 8086 was introduced in 1978 as a fully 16-bit extension of Intel's 8-bit 8080 microprocessor, with memory segmentation as a solution for addressing more memory than can be covered by a plain 16-bit address. The term "x86" came into being because the names of several successors to Intel's 8086 processor end in "86", including the 80186, 80286, 80386 and 80486 processors.

In computer science, an instruction set architecture (ISA), also called computer architecture, is an abstract model of a computer. A device that executes instructions described by that ISA, such as a central processing unit (CPU), is called an implementation.

Very long instruction word (VLIW) refers to instruction set architectures designed to exploit instruction level parallelism (ILP). Whereas conventional central processing units mostly allow programs to specify instructions to execute in sequence only, a VLIW processor allows programs to explicitly specify instructions to execute in parallel. This design is intended to allow higher performance without the complexity inherent in some other designs.

x86 assembly language is the name for the family of assembly languages which provide some level of backward compatibility with CPUs back to the Intel 8008 microprocessor, which was launched in April 1972. It is used to produce object code for the x86 class of processors.

x86-64 Type of instruction set which is a 64-bit version of the x86 instruction set

x86-64 is a 64-bit version of the x86 instruction set, first released in 1999. It introduced two new modes of operation, 64-bit mode and compatibility mode, along with a new 4-level paging mode.

<span class="mw-page-title-main">VIA C3</span> Family of x86 central processing units for personal computers

The VIA C3 is a family of x86 central processing units for personal computers designed by Centaur Technology and sold by VIA Technologies. The different CPU cores are built following the design methodology of Centaur Technology.

<span class="mw-page-title-main">NEC V20</span> 16-bit microprocessor introduced by NEC in 1984

The NEC V20 is a microprocessor that was designed and produced by NEC. It is both pin compatible and object code compatible with the Intel 8088, with an instruction set architecture (ISA) similar to that of the Intel 80188 with some extensions. The V20 was introduced in March 1984.

The x86 instruction set refers to the set of instructions that x86-compatible microprocessors support. The instructions are usually part of an executable program, often stored as a computer file and executed on the processor.

Centaur Technology is an x86 CPU design company started in 1995 and subsequently a wholly owned subsidiary of VIA Technologies. In 2015, the documentary Rise of the Centaur covered the early history of the company.

In the x86 architecture, the CPUID instruction is a processor supplementary instruction allowing software to discover details of the processor. It was introduced by Intel in 1993 with the launch of the Pentium and SL-enhanced 486 processors.

<span class="mw-page-title-main">History of general-purpose CPUs</span> History of processors used in general purpose computers

The history of general-purpose CPUs is a continuation of the earlier history of computing hardware.

<span class="mw-page-title-main">Cosmos (operating system)</span> Toolkit for building GUI and command-line based operating systems

C# Open Source Managed Operating System (Cosmos) is a toolkit for building GUI and command-line based operating systems, written mostly in the programming language C# and small amounts of a high level assembly language named X#. Cosmos is a backronym, in that the acronym was chosen before the meaning. It is open-source software released under a BSD license.

VIA PadLock is a central processing unit (CPU) instruction set extension to the x86 microprocessor instruction set architecture (ISA) found on processors produced by VIA Technologies and Zhaoxin. Introduced in 2003 with the VIA Centaur CPUs, the additional instructions provide hardware-accelerated random number generation (RNG), Advanced Encryption Standard (AES), SHA-1, SHA256, and Montgomery modular multiplication.

Transactional Synchronization Extensions (TSX), also called Transactional Synchronization Extensions New Instructions (TSX-NI), is an extension to the x86 instruction set architecture (ISA) that adds hardware transactional memory support, speeding up execution of multi-threaded software through lock elision. According to different benchmarks, TSX/TSX-NI can provide around 40% faster applications execution in specific workloads, and 4–5 times more database transactions per second (TPS).

RISC-V is an open standard instruction set architecture (ISA) based on established RISC principles. Unlike most other ISA designs, RISC-V is provided under open source licenses that do not require fees to use. A number of companies are offering or have announced RISC-V hardware, open source operating systems with RISC-V support are available, and the instruction set is supported in several popular software toolchains.

Intel microcode is microcode that runs inside x86 processors made by Intel. Since the P6 microarchitecture introduced in the mid-1990s, the microcode programs can be patched by the operating system or BIOS firmware to work around bugs found in the CPU after release. Intel had originally designed microcode updates for processor debugging under its design for testing (DFT) initiative.

References

  1. 1 2 Alternate Instruction Set (PDF). VIA Eden (Report). Embedded System Platform Processor Datasheet. November 2002. p. 70‒71. Retrieved 2018-08-10.
  2. Stiller, Andreas (2003-01-22). "VIAs Prozessor der siebten Generation" [VIA's seventh-generation processor]. Heise Online (in German). Heinz Heise . Retrieved 2018-08-12. Als … kann man Nehemiahs RISC-artigen Core auch native programmieren (AIS: Alternate Instruction Set). Auch hier wird sich zeigen, ob findige Programmierer das für den einen oder anderen Treiber nutzen können, um hier mehr Performance herauszukitzeln.
  3. "#21 add support for Centaur's AIS". The Netwide Assembler. 2002-12-18. Retrieved 2018-08-12 via Sourceforge.
  4. 1 2 3 Domas, Christopher. "Rosenbridge: Hardware backdoors in x86 CPUs". GitHub . Retrieved 2018-08-10.
  5. USpatent 20080256336, Henry, G. Glenn; Eddy, Colin& Hooker, Rodney E.et al.,"Microprocessor with private microcode ram",published 2008-10-16,issued 2010-11-02
  6. Davis, Jared; Slobodova, Anna; Swords, Sol (2016-04-20). "Microcode Verification – Another Piece of the Microprocessor Verification Puzzle" (PDF). Retrieved 2018-08-14.
  7. 1 2 Centaur Extended CPUID Instruction Functions (PDF). VIA Eden-N Embedded System Platform Processor Datasheet (Report). 2004-10-22. p. 20, 74. Retrieved 2018-08-10.
  8. Microsoft. "kernlini.c". Microsoft Windows NT kernel source. Retrieved 2018-08-14. KiGetFeatureBits() … // Disable bit 0 which controls the Cyrix ALTINST feature.
  9. 1 2 Alternative Instruction Execution (PDF). VIA C3 Samuel 2 Processor Datasheet (Report). October 2004. p. 60.
  10. Wagenseil, Paul (2018-08-09). "Hacker Finds Hidden 'God Mode' on Old x86 CPUs". Tom's Hardware . Retrieved 2018-08-10.

Further reading