Alternate Instruction Set
{{Short description|Instruction set architecture}}
{{use dmy dates|date=January 2022|cs1-dates=y}}
The Alternate Instruction Set (AIS) is a second 32-bit instruction set architecture found in some x86 CPUs made by VIA Technologies. On these VIA C3 processors, the second, hidden processor mode is entered by executing the x86 instruction JMPAI ({{nowrap|0F 3F}}). If AIS mode has been enabled, the processor performs a JMP EAX and begins executing AIS instructions at the address held in the EAX register. Using AIS gives native access to the Centaur Technology-designed RISC core inside the processor.{{cite news|url=https://www.heise.de/newsticker/meldung/VIAs-Prozessor-der-siebten-Generation-73381.html|title=VIAs Prozessor der siebten Generation|trans-title=VIA's seventh-generation processor|date=22 January 2003|access-date=12 August 2018|first=Andreas|last=Stiller|work=Heise Online|publisher=Heinz Heise|language=de|quote=Als … kann man Nehemiahs RISC-artigen Core auch native programmieren (AIS: Alternate Instruction Set). Auch hier wird sich zeigen, ob findige Programmierer das für den einen oder anderen Treiber nutzen können, um hier mehr Performance herauszukitzeln.}}
Instruction format
{| class="wikitable" style="float: right;"
|+ Register mapping between AIS and x86
! AIS number !! x86 name
|-
| R0 || EAX
|-
| R1 || ECX
|-
| R2 || EDX
|-
| R3 || EBX
|-
| R4 || ESP
|-
| R5 || EBP
|-
| R6 || ESI
|-
| R7 || EDI
|-
| R8‒R15 || …
|}
The manufacturer describes the Alternate Instruction Set as "an extended set of integer, MMX, floating-point, and 3DNow! instructions along with additional registers and some more powerful instruction forms".{{cite report|url=http://datasheets.chipdb.org/VIA/Eden-ESP/Eden%20v1.4.pdf|page=70‒71|title=Alternate Instruction Set|work=VIA Eden|series=Embedded System Platform Processor Datasheet|access-date=10 August 2018|date=November 2002}}
Every AIS instruction is wrapped in the 3-byte prefix 0x8D8400 followed by the 32-bit AIS instruction. Because 0x8D is the x86 LEA opcode and the following ModR/M byte 0x84 and SIB byte 0x00 select the operand form [EAX+EAX*1+disp32], an x86 disassembler decodes the whole 7-byte sequence as an ordinary Load Effective Address (LEA) instruction, LEA EAX,[EAX+EAX+disp32], with the AIS instruction sitting in the 32-bit displacement field. In 2018 researcher Christopher Domas reported that the prefix 0x620405 (x86 BOUND, decoding as BOUND EAX,[EAX+disp32]) also worked.
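The wrapper format above, worked through in code. This is an added example, not code from the page, from VIA or from Domas's tools: it builds the 7-byte x86 form of an AIS instruction, recovers the instruction word from it, and runs a byte-level triage scan over a constructed code blob that counts JMPAI opcodes and runs of consecutive wrappers. It assumes the AIS word is stored as the wrapper's little-endian disp32 (the byte order x86 uses for displacements); the sample bytes in AIS_SAMPLE are constructed for the demonstration and are not a real AIS program.

```c
/* Added example, not code from the page, VIA or Domas's tools: build and
 * recognise the x86 "bridge" wrappers that carry one 32-bit AIS instruction.
 * Assumption: the AIS word is stored as the wrapper's little-endian disp32,
 * the byte order x86 uses for displacements. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AIS_WRAP_LEN 7  /* 3-byte prefix + 4-byte AIS instruction word */

/* Documented prefixes. 8D 84 00 is LEA EAX,[EAX+EAX*1+disp32];
 * 62 04 05 is BOUND EAX,[EAX*1+disp32]; the disp32 that follows is the AIS word. */
static const uint8_t AIS_PREFIX_LEA[3]   = { 0x8D, 0x84, 0x00 };
static const uint8_t AIS_PREFIX_BOUND[3] = { 0x62, 0x04, 0x05 };
static const uint8_t JMPAI[2]            = { 0x0F, 0x3F };  /* launch instruction */

/* Wrap one AIS word into its 7-byte x86 form; returns bytes written. */
size_t ais_wrap(uint32_t insn, bool use_bound, uint8_t out[AIS_WRAP_LEN]) {
    memcpy(out, use_bound ? AIS_PREFIX_BOUND : AIS_PREFIX_LEA, 3);
    out[3] = (uint8_t)insn;
    out[4] = (uint8_t)(insn >> 8);
    out[5] = (uint8_t)(insn >> 16);
    out[6] = (uint8_t)(insn >> 24);
    return AIS_WRAP_LEN;
}

/* Inverse: if buf starts with a wrapper, store the AIS word and return the
 * prefix kind (1 = LEA form, 2 = BOUND form); 0 if it is not a wrapper. */
int ais_unwrap(const uint8_t *buf, size_t len, uint32_t *insn) {
    int kind = 0;
    if (len < AIS_WRAP_LEN) return 0;
    if (memcmp(buf, AIS_PREFIX_LEA, 3) == 0) kind = 1;
    else if (memcmp(buf, AIS_PREFIX_BOUND, 3) == 0) kind = 2;
    if (kind == 0) return 0;
    *insn = (uint32_t)buf[3] | ((uint32_t)buf[4] << 8) |
            ((uint32_t)buf[5] << 16) | ((uint32_t)buf[6] << 24);
    return kind;
}

/* Triage heuristic over raw code bytes: count JMPAI opcodes and runs of at
 * least min_run consecutive wrappers. A single LEA EAX,[EAX+EAX+disp32] is
 * ordinary x86, so only runs are reported; this is a linear byte scan, not a
 * disassembly, and any hit needs confirmation with a real disassembler. */
typedef struct { size_t jmpai; size_t runs; size_t wrapped; } ais_scan_t;

ais_scan_t ais_scan(const uint8_t *buf, size_t len, size_t min_run) {
    ais_scan_t r = { 0, 0, 0 };
    size_t i = 0;
    while (i < len) {
        uint32_t w;
        if (ais_unwrap(buf + i, len - i, &w)) {
            size_t j = i, run = 0;
            while (ais_unwrap(buf + j, len - j, &w)) { run++; j += AIS_WRAP_LEN; }
            if (run >= min_run) { r.runs++; r.wrapped += run; }
            i = j;
        } else if (i + 1 < len && buf[i] == JMPAI[0] && buf[i + 1] == JMPAI[1]) {
            r.jmpai++;
            i += 2;
        } else {
            i++;
        }
    }
    return r;
}

/* Constructed sample (not a real AIS program): mov eax,imm32; JMPAI; three
 * wrapped words (two LEA form, one BOUND form); ret. */
const uint8_t AIS_SAMPLE[] = {
    0xB8, 0x00, 0x10, 0x40, 0x00,              /* mov eax, 0x00401000 */
    0x0F, 0x3F,                                /* JMPAI */
    0x8D, 0x84, 0x00, 0x01, 0x00, 0x00, 0x00,  /* AIS word 0x00000001 */
    0x8D, 0x84, 0x00, 0x02, 0x00, 0x00, 0x00,  /* AIS word 0x00000002 */
    0x62, 0x04, 0x05, 0x03, 0x00, 0x00, 0x00,  /* AIS word 0x00000003, BOUND form */
    0xC3                                       /* ret */
};
const size_t AIS_SAMPLE_LEN = sizeof AIS_SAMPLE;

/* Round trip: wrap then unwrap must return the same word and the right kind. */
bool ais_roundtrip_ok(uint32_t insn, bool use_bound) {
    uint8_t buf[AIS_WRAP_LEN];
    uint32_t back = 0;
    ais_wrap(insn, use_bound, buf);
    return ais_unwrap(buf, sizeof buf, &back) == (use_bound ? 2 : 1) && back == insn;
}

int main(void) {
    ais_scan_t r = ais_scan(AIS_SAMPLE, AIS_SAMPLE_LEN, 2);
    printf("roundtrip LEA=%d BOUND=%d\n", ais_roundtrip_ok(0x11223344u, false),
           ais_roundtrip_ok(0xDEADBEEFu, true));
    printf("jmpai=%zu runs=%zu wrapped=%zu\n", r.jmpai, r.runs, r.wrapped);
    return 0;
}
```

The scan is deliberately conservative: because JMPAI jumps to the address in EAX, the wrapped instructions need not follow the launch instruction in the byte stream, so the two counts are reported separately rather than requiring adjacency.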
A proposal made in 2002 to add AIS support to the Netwide Assembler (NASM) was partially declined in 2005, on the basis that NASM is an x86 assembler and AIS is a separate instruction set.{{cite web|url=https://sourceforge.net/p/nasm/feature-requests/21/|title=#21 add support for Centaur's AIS|work=The Netwide Assembler|date=18 December 2002|access-date=12 August 2018|via=Sourceforge}} An AIS assembler is available from Domas's 2018 research.
A 2007 patent application named microcode instructions load and store (to/from main RAM) and loadPRAM and storePRAM (to/from a private RAM inside the processor).{{cite patent |status=patent |country=US |number= 20080256336 |title=Microprocessor with private microcode ram |fdate=2007-04-10 |pubdate=2008-10-16 |gdate=2010-11-02 |inventor1-first=G. Glenn |inventor1-last=Henry |inventorlink1=Glenn Henry (IT entrepreneur) |inventor2-first=Colin |inventor2-last=Eddy |inventor3-first=Rodney E. |inventor3-last=Hooker |inventor4-first=Terry |inventor4-last=Parks |url= https://patents.google.com/patent/US20080256336A1/en}}
The Centaur Technology verification team, in a 2014 paper about the VIA Nano, included short lists of micro-instructions, among them ADDIG, JLINK, JMP_ALL, MVIG, NLOOPE and STORE_PRAM, plus the micro-operations XADD and XSUB. Micro-operations were shown to have a format with the fields opcode, exec unit, src width, src1, src2, dest width, dest, write flags? and end routine?.{{cite web|url=https://www.kookamara.com/jared/2014-itp-ucode.pdf|title=Microcode Verification – Another Piece of the Microprocessor Verification Puzzle|first1=Jared|last1=Davis|first2=Anna|last2=Slobodova|first3=Sol|last3=Swords|date=20 April 2016|access-date=14 August 2018}}
A 2002 programming reference for the Alternate Instruction Set{{cite report|url=http://www.bitsavers.org/components/viaTechnologies/C3-ais-reference.pdf|title=VIA C3 Processor Alternate Instruction Set Programming Reference|publisher=VIA|issue=Version 0.25|date=November 2002|access-date=26 April 2023|via=Bitsavers}} and an accompanying application note{{cite report|url=http://www.bitsavers.org/components/viaTechnologies/C3-ais-appnote.pdf|title=VIA C3 Processor Alternate Instruction Set Application Note|publisher=VIA|issue=Version 0.24|date=2002|access-date=26 April 2023|via=Bitsavers}} were added to the Bitsavers archive in May 2021.
Availability
From x86 mode, the availability of the Alternate Instruction Set can be detected by executing CPUID with the EAX register set to 0xC0000001 and then examining the EDX register. If EDX {{nowrap|bit 0}} is set to 1, AIS is supported. If EDX {{nowrap|bit 1}} is also set to 1, AIS is enabled.{{cite report|url=http://datasheets.chipdb.org/VIA/Eden-N/VIA%20Eden-N%20Processor%20Datasheet%20V092.pdf|title=Centaur Extended CPUID Instruction Functions|work=VIA Eden-N Embedded System Platform Processor Datasheet|issue=Revision 0.92|date=22 October 2004|access-date=10 August 2018|page=20, 74}} If AIS is supported by the CPU, its status can be checked and altered through the model-specific registers, by reading and setting the Feature Control Register (FCR, MSR 0x1107). If FCR {{nowrap|bit 0}} ("ALTINST") is set to 1, AIS is enabled.
The Microsoft Windows NT kernel's KiGetFeatureBits() initialisation function proactively disables Alternate Instruction mode at boot.{{cite web|url=https://github.com/mic101/windows/blob/master/WRK-v1.2/base/ntos/ke/i386/kernlini.c|title=kernlini.c|author=Microsoft|work=Microsoft Windows NT kernel source|access-date=14 August 2018|quote=KiGetFeatureBits() … // Disable bit 0 which controls the Cyrix ALTINST feature.}}
If the x86 JMPAI jump instruction is executed while AIS mode is disabled, the processor generates an invalid instruction exception (the x86 invalid-opcode fault, #UD).
Setting the AIS-enabled bit requires privileged access (MSRs are written with WRMSR, which is only available in ring 0), and the datasheet specifies a read-modify-write sequence so that the other bits of the FCR are preserved.{{cite report|url=http://datasheets.chipdb.org/VIA/Samuel2/VIA%20C3%20Samuel%202%20Datasheet%20V1.12.pdf|title=Alternative Instruction Execution|work=VIA C3 Samuel 2 Processor Datasheet|date=October 2004|issue=Version 1.12|page=60}}
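The detection procedure in this section, as an added example (not VIA's code and not from the page): it decodes the Centaur CPUID flags leaf into a three-way state, models the FCR read-modify-write as a pure function on the MSR value so that the ALTINST bit is the only bit changed, and includes a live probe for x86-64 hosts. The decoding takes register values as arguments so it runs on any machine. Two checks are added that the text does not spell out: CPUID leaf 0xC0000000 is read first and its EAX (the highest Centaur leaf) must be at least 0xC0000001 before the flags leaf is interpreted, and the leaf-0 vendor string is compared against "CentaurHauls" so that the Centaur leaves are not read on other vendors' parts, which is an assumption of this example. The actual RDMSR/WRMSR of MSR 0x1107 needs ring 0 and is not performed here.

```c
/* Added example, not VIA's or the page's code: decode the Centaur CPUID
 * flags and model the FCR read-modify-write. Register values are passed in
 * so the decoding runs anywhere; the live probe is x86-64 only.
 * Assumption: the leaf-0 vendor string "CentaurHauls" identifies a
 * Centaur/VIA part before the 0xC0000000 leaves are trusted. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CENTAUR_LEAF_BASE   0xC0000000u  /* EAX = highest supported Centaur leaf */
#define CENTAUR_LEAF_FLAGS  0xC0000001u  /* EDX = Centaur feature flags */
#define CENTAUR_EDX_AIS     (1u << 0)    /* AIS supported */
#define CENTAUR_EDX_AIS_EN  (1u << 1)    /* AIS enabled */
#define MSR_VIA_FCR         0x1107u      /* Feature Control Register */
#define FCR_ALTINST         (1ull << 0)  /* bit 0 enables AIS */

typedef enum { AIS_ABSENT = 0, AIS_DISABLED = 1, AIS_ENABLED = 2 } ais_state_t;

/* Decode support/enable state from the two Centaur leaves. A max leaf below
 * 0xC0000001 means the flags leaf does not exist and must not be interpreted. */
ais_state_t ais_state_from_cpuid(uint32_t max_leaf, uint32_t flags_edx) {
    if (max_leaf < CENTAUR_LEAF_FLAGS) return AIS_ABSENT;
    if (!(flags_edx & CENTAUR_EDX_AIS)) return AIS_ABSENT;
    return (flags_edx & CENTAUR_EDX_AIS_EN) ? AIS_ENABLED : AIS_DISABLED;
}

/* The read-modify-write the datasheet asks for, as a pure function on the
 * MSR value: only ALTINST changes, every other FCR bit is preserved. */
uint64_t fcr_with_altinst(uint64_t fcr, bool enable) {
    return enable ? (fcr | FCR_ALTINST) : (fcr & ~FCR_ALTINST);
}

bool fcr_altinst_enabled(uint64_t fcr) { return (fcr & FCR_ALTINST) != 0; }

/* Leaf 0 returns the vendor string as EBX, EDX, ECX; compare it byte-wise
 * (little-endian register layout) against "CentaurHauls". */
static void put_le32(uint8_t *p, uint32_t x) {
    p[0] = (uint8_t)x; p[1] = (uint8_t)(x >> 8);
    p[2] = (uint8_t)(x >> 16); p[3] = (uint8_t)(x >> 24);
}

bool cpuid_is_centaur(uint32_t ebx, uint32_t edx, uint32_t ecx) {
    uint8_t v[12];
    put_le32(v, ebx); put_le32(v + 4, edx); put_le32(v + 8, ecx);
    return memcmp(v, "CentaurHauls", 12) == 0;
}

#if defined(__x86_64__)
static void cpuid(uint32_t leaf, uint32_t *a, uint32_t *b, uint32_t *c, uint32_t *d) {
    __asm__ __volatile__("cpuid" : "=a"(*a), "=b"(*b), "=c"(*c), "=d"(*d)
                         : "a"(leaf), "c"(0));
}
#endif

/* Probe the running CPU; AIS_ABSENT on anything that is not a Centaur x86-64 host. */
ais_state_t ais_probe(void) {
#if defined(__x86_64__)
    uint32_t a, b, c, d, max_leaf;
    cpuid(0, &a, &b, &c, &d);
    if (!cpuid_is_centaur(b, d, c)) return AIS_ABSENT;
    cpuid(CENTAUR_LEAF_BASE, &a, &b, &c, &d);
    max_leaf = a;
    if (max_leaf < CENTAUR_LEAF_FLAGS) return AIS_ABSENT;
    cpuid(CENTAUR_LEAF_FLAGS, &a, &b, &c, &d);
    return ais_state_from_cpuid(max_leaf, d);
#else
    return AIS_ABSENT;
#endif
}

int main(void) {
    static const char *names[] = { "absent", "supported but disabled", "enabled" };
    printf("AIS on this CPU: %s\n", names[ais_probe()]);
    /* Modelled FCR update on a constructed value 0xFF00: other bits preserved. */
    printf("FCR 0x%llx -> enable ALTINST -> 0x%llx\n", 0xFF00ull,
           (unsigned long long)fcr_with_altinst(0xFF00ull, true));
    return 0;
}
```

On a Linux host with the msr kernel module loaded, the real FCR value can be read as root with the msr-tools command rdmsr 0x1107 and fed to fcr_with_altinst() to see what a write of bit 0 would look like; writing it back with wrmsr changes the processor's AIS enable state and should only be done on a machine set aside for that purpose.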
Privilege elevation
In 2018 Christopher Domas discovered that some Samuel 2 processors shipped with the Alternate Instruction Set enabled by default, and that by executing AIS instructions from user space it was possible to escalate privilege from Ring 3 to Ring 0.{{cite web|url=https://github.com/xoreaxeaxeax/rosenbridge|title=Rosenbridge: Hardware backdoors in x86 CPUs|first=Christopher|last=Domas|website=GitHub|access-date=10 August 2018}} Domas partially reverse engineered the AIS instruction set using automated fuzzing against a cluster of seven thin clients.{{cite news|url=https://www.tomshardware.com/news/x86-hidden-god-mode,37582.html|work=Tom's Hardware|title=Hacker Finds Hidden 'God Mode' on Old x86 CPUs|first=Paul|last=Wagenseil|date=9 August 2018|access-date=10 August 2018}} Domas used the terms "deeply embedded core" (DEC) and "deeply embedded instruction set" (DEIS) for the RISC core and its instruction set, "launch instruction" for JMPAI, "bridge instruction" for the x86 prefix wrapper and "global configuration register" for the Feature Control Register (FCR), and documented the privilege escalation under the name "Rosenbridge".
See also
- NEC V20/V30, x86-compatible CPUs that used a similar scheme to enter and leave an alternate instruction set mode, in their case to execute Intel 8080 instructions.
References
{{reflist}}
Further reading
{{refbegin}}
- {{cite patent|country=US|number=20030154359|status=patent|title=Apparatus and method for extending a microprocessor instruction set|fdate=2002-05-09|pubdate=2003-08-14|gdate=2007-02-20|url=https://patents.google.com/patent/US20030154359|assign=Centaur Technology|inventor1-first=Glenn|inventor1-last=Henry|inventorlink1=Glenn Henry (IT entrepreneur)|inventor2-first=Rodney|inventor2-last=Hooker|inventor3-first=Terry|inventor3-last=Parks|quote="A dual-opcode embodiment provided for by the present invention selects one specific prefix state which indicates that following opcode entities take on an entirely new translation meaning. Such an embodiment is employed in a dual-architecture microprocessor design to execute more than one instruction set. … For example, in an embodiment that increases the number of architectural registers in the microprocessor beyond the number provided for by an existing instruction set architecture will necessarily provide an extended register file … The translation logic also has a micro instruction buffer having an opcode extension field, a micro opcode field, a destination field, a source field, and a displacement field. … In one embodiment, the signal is derived from a feature control register that reads a fuse array that was configured during fabrication of the part.}}
- {{cite patent|country=US|number=20030188130|status=patent|title=Mechanism for extending the number of registers in a microprocessor|fdate=2002-05-09|pubdate=2003-10-02|gdate=2008-05-13|url=https://patents.google.com/patent/US20030188130A1/en|assign=Centaur Technology|inventor1-first=Glenn|inventor1-last=Henry|inventorlink1=Glenn Henry (IT entrepreneur)|inventor2-first=Rodney|inventor2-last=Hooker|inventor3-first=Terry|inventor3-last=Parks|quote=The register logic has an extended register file comprising existing architectural registers and additional registers. In an x86 embodiment, registers R0-R7 comprise the eight existing architectural registers and registers R8-R15 comprise eight added registers.}}
- {{cite conference|url=http://i.blackhat.com/us-18/Thu-August-9/us-18-Domas-God-Mode-Unlocked-Hardware-Backdoors-In-x86-CPUs.pdf|title=God Mode unlocked: Hardware backdoors in x86 CPUs|first=Christopher|last=Domas|date=10 August 2018|conference=DEF CON 26|location=Las Vegas}}
- {{cite journal
| title=The Soul of a New Machine
| author=Tracy Kidder
| journal=Sky and Telescope
| date=2022
| volume=144
| issue=6
| page=70
| bibcode=2022S&T...144f..70T
}} Comments on the use of mode bits in CPUs, in the context of the creation of Data General's Eagle computer.
{{refend}}