 

Can an x86 CPU read the value of any register while in user mode?

I have read that there are some registers that an x86 CPU cannot modify while in user mode (I believe these registers are called "privileged registers").

But can an x86 CPU read the values of these registers while in user mode, or is even reading not allowed?

John asked Dec 12 '25 01:12


1 Answer

All the registers you'd normally use for computation can be read/written in any mode (GP integer, x87/MMX, XMM/YMM/ZMM and AVX512 k0-7 mask registers), but there are many registers that are basically mode/control settings. Some "special" registers can be written in user-space, like segment registers and MPX bnd registers.


The following registers cannot be read from or written to in user mode (privilege level > 0):

  • All MSR registers. These include the MTRRs. Some of the registers can be accessed using instructions other than WRMSR/RDMSR. Such registers may be accessible in user mode. For example, the kernel may allow user code to access the PMC registers using the WRPMC and RDPMC instructions.
  • GDTR, IDTR, LDTR, and TR.
  • Control registers CR0-15. However, on Intel processors, if CR4.UMIP = 0, CR0 can be read using SMSW. On AMD processors, CR4.UMIP is not available and SMSW can be executed at any privilege level unconditionally.
  • Debug registers DR0-15.
  • Test registers TR3-7 on the 80486 and TR6-7 on the 80386.

The modifications that are allowed to the EFLAGS register are a little complicated, as described in the Intel manual Volume 2:

When operating in protected, compatibility, or 64-bit mode with a privilege level greater than 0, but less than or equal to IOPL, all flags can be modified except the IOPL field and RF, IF, VIP, VIF, and VM; these remain unaffected. The AC and ID flags can only be modified if the operand-size attribute is 32. The interrupt flag (IF) is altered only when executing at a level at least as privileged as the IOPL. If a POPF/POPFD instruction is executed with insufficient privilege, an exception does not occur but privileged bits do not change.

When operating in virtual-8086 mode (EFLAGS.VM = 1) without the virtual-8086 mode extensions (CR4.VME = 0), the POPF/POPFD instructions can be used only if IOPL = 3; otherwise, a general-protection exception (#GP) occurs. If the virtual-8086 mode extensions are enabled (CR4.VME = 1), POPF (but not POPFD) can be executed in virtual-8086 mode with IOPL < 3.

Hadi Brais answered Dec 15 '25 16:12
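As an added example (not part of the answer above, and not code from either poster): a small user-mode probe for x86-64 Linux that actually tries the instructions the answer discusses and reports whether each one executed or faulted. The assumptions are that the program runs as an ordinary process at CPL 3 on Linux, where the #GP raised by a privileged instruction is delivered as SIGSEGV; the probe catches that signal and unwinds with sigsetjmp/siglongjmp. RDMSR and MOV from CR0 must fault from user mode. SMSW and RDPMC are the "it depends" cases from the answer (CR4.UMIP and CR4.PCE respectively, both set by the kernel), so the program only reports what it sees for those. Reading RSP is included as the contrast case of an ordinary register. On a non-x86-64 build the probes simply report "not x86-64".

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum probe_result { PROBE_OK = 0, PROBE_FAULTED = 1, PROBE_UNSUPPORTED = 2 };

static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_signo;

static void fault_handler(int signo) {
    fault_signo = signo;
    siglongjmp(fault_env, 1);          /* unwind back into run_probe() */
}

/* Execute fn() with SIGSEGV and SIGILL trapped. On Linux a #GP raised by a
 * privileged instruction at CPL 3 reaches the process as SIGSEGV. */
static enum probe_result run_probe(void (*fn)(uint64_t *), uint64_t *out) {
    struct sigaction sa, old_segv, old_ill;
    enum probe_result r;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = fault_handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGILL, &sa, &old_ill);
    if (sigsetjmp(fault_env, 1) == 0) { /* 1: save the signal mask so siglongjmp restores it */
        fn(out);
        r = PROBE_OK;
    } else {
        r = PROBE_FAULTED;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGILL, &old_ill, NULL);
    return r;
}

#if defined(__x86_64__)
/* IA32_TSC MSR (0x10): RDMSR is CPL-0 only, so this must fault from user mode. */
static void do_rdmsr(uint64_t *out) {
    uint32_t lo, hi;
    __asm__ volatile("rdmsr" : "=a"(lo), "=d"(hi) : "c"(0x10));
    *out = ((uint64_t)hi << 32) | lo;
}
/* MOV from CR0 is privileged: #GP at CPL > 0 regardless of UMIP. */
static void do_mov_cr0(uint64_t *out) {
    uint64_t v;
    __asm__ volatile("mov %%cr0, %0" : "=r"(v));
    *out = v;
}
/* SMSW returns the low bits of CR0; permitted at CPL 3 only if CR4.UMIP = 0
 * (the kernel may also emulate it and hand back a dummy value when UMIP is on). */
static void do_smsw(uint64_t *out) {
    uint64_t v = 0;
    __asm__ volatile("smsw %0" : "=r"(v));
    *out = v;
}
/* RDPMC is allowed at CPL 3 only when the kernel has set CR4.PCE. */
static void do_rdpmc(uint64_t *out) {
    uint32_t lo, hi;
    __asm__ volatile("rdpmc" : "=a"(lo), "=d"(hi) : "c"(0));
    *out = ((uint64_t)hi << 32) | lo;
}
/* Contrast case: an ordinary GP register is always readable. */
static void do_read_rsp(uint64_t *out) {
    uint64_t v;
    __asm__ volatile("mov %%rsp, %0" : "=r"(v));
    *out = v;
}
#define PROBE(name, fn) \
    enum probe_result name(uint64_t *out) { uint64_t tmp; if (!out) out = &tmp; return run_probe(fn, out); }
#else
#define PROBE(name, fn) \
    enum probe_result name(uint64_t *out) { (void)out; return PROBE_UNSUPPORTED; }
#endif

PROBE(probe_read_rsp, do_read_rsp)
PROBE(probe_rdmsr,    do_rdmsr)
PROBE(probe_mov_cr0,  do_mov_cr0)
PROBE(probe_smsw,     do_smsw)
PROBE(probe_rdpmc,    do_rdpmc)

int main(void) {
    static const struct { const char *label; enum probe_result (*probe)(uint64_t *); } tests[] = {
        {"mov from rsp (GP register)", probe_read_rsp},
        {"rdmsr IA32_TSC",             probe_rdmsr},
        {"mov from cr0",               probe_mov_cr0},
        {"smsw",                       probe_smsw},
        {"rdpmc counter 0",            probe_rdpmc},
    };
    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++) {
        uint64_t v = 0;
        enum probe_result r = tests[i].probe(&v);
        printf("%-28s : %s", tests[i].label,
               r == PROBE_OK ? "executed" : r == PROBE_FAULTED ? "faulted" : "not x86-64");
        if (r == PROBE_OK)      printf(" (value 0x%llx)", (unsigned long long)v);
        if (r == PROBE_FAULTED) printf(" (signal %d)", (int)fault_signo);
        putchar('\n');
    }
    return 0;
}
```

Build with `gcc -O0 -o regprobe regprobe.c` and run it as an unprivileged user; running as root changes nothing, because the checks are on CPL, not on the user ID. The SMSW and RDPMC lines are the ones worth comparing across machines and kernels, since their outcome is decided by CR4 bits the kernel chooses, not by the instruction set architecture alone.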


