> First, CPUID doesn't tell you if FRED is in use. Is it even on by
> default yet? There might not be a better way to do this than checking
> CPUID, but checking CPUID is imprecise at best.

A reliable way to distinguish IDT and FRED mode is to:

1) Load $3 into %fs (x86_64) or %gs (i386) (i.e. whichever isn't thread
   local storage)
2) execute a breakpoint, ignore the signal
3) Look to see whether %fs/%gs holds 3 or 0

IRET has a fun behaviour where it zeroes NULL selectors even if they had
a non-zero RPL.

ERETU doesn't do this; Andy Luto and I asked for this minor information
leak to be removed, and Intel agreed as it served no purpose anyone
could identify.

As a consequence, you can use it to determine whether the kernel used
IRET or ERET to return back to userspace.

~Andrew
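The three steps in the reply above, as an added C example that is not part of the original message or of any kernel code. It assumes x86_64 Linux with glibc, where %fs carries thread-local storage, so the probe uses %gs; the function and enum names are hypothetical.

```c
#include <signal.h>
#include <stdio.h>

enum ret_path { PATH_UNKNOWN, PATH_IDT_IRET, PATH_FRED_ERETU };

static volatile sig_atomic_t trap_seen;

/* "Ignore the signal" means an empty handler: with SIG_IGN the kernel
 * kills the process when the breakpoint raises SIGTRAP. */
static void on_trap(int sig) { (void)sig; trap_seen = 1; }

/* Returns the selector found in %gs after a breakpoint round trip
 * (0 or 3), or -1 if the probe cannot run on this platform. */
int probe_selector_after_breakpoint(void)
{
#if defined(__x86_64__) && defined(__linux__)
    unsigned short before, after, three = 3;
    void (*old)(int) = signal(SIGTRAP, on_trap);
    if (old == SIG_ERR)
        return -1;
    trap_seen = 0;
    __asm__ __volatile__("mov %%gs, %0" : "=r"(before));
    __asm__ __volatile__(
        "mov %1, %%gs\n\t"   /* step 1: NULL selector with RPL 3 */
        "int3\n\t"           /* step 2: kernel entry, signal, return */
        "mov %%gs, %0\n\t"   /* step 3: read the selector back */
        : "=r"(after) : "r"(three) : "memory");
    __asm__ __volatile__("mov %0, %%gs" : : "r"(before));
    signal(SIGTRAP, old);
    return trap_seen ? (int)after : -1;
#else
    return -1;               /* assumption: only x86_64 Linux is probed */
#endif
}

/* Maps the selector value to the return instruction it implies. */
enum ret_path classify_return_path(int sel)
{
    if (sel == 0) return PATH_IDT_IRET;    /* IRET zeroed the selector */
    if (sel == 3) return PATH_FRED_ERETU;  /* ERETU left RPL 3 in place */
    return PATH_UNKNOWN;
}

int main(void)
{
    int sel = probe_selector_after_breakpoint();
    static const char *names[] = { "unknown", "IDT (IRET)", "FRED (ERETU)" };
    printf("selector=%d -> %s\n", sel, names[classify_return_path(sel)]);
    return 0;
}
```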

