
36-24 Vol. 3C

INTEL® PROCESSOR TRACE

TSX and IP Filtering

A complication with tracking transactions is handling transactions that start or end outside of the tracing region. 
Transactions can’t span across a change in ContextEn, because CPL changes and CR3 changes each cause aborts. 
But a transaction can start within the IP filter region and end outside it. 
To assist the decoder in handling this situation, MODE.TSX packets can be sent even if FilterEn=0, though there will 
be no FUP attached. Instead, they will merely serve to indicate to the decoder when transactions are active and 
when they are not. When tracing resumes (due to PacketEn=1), the last MODE.TSX preceding the TIP.PGE will 
indicate the current transaction status. 
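
The rule above can be sketched as decoder-side state tracking. This is an added example, not code from the manual: it works on already-parsed packet events rather than the binary encoding, and the type and function names (pkt, tsx_tracker, tsx_run) and the single in_tx flag are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
/* Already-parsed packet events: a constructed model, not the binary packet
 * encoding. in_tx is meaningful only for PKT_MODE_TSX. */
enum pkt_kind { PKT_TIP_PGE, PKT_TIP_PGD, PKT_MODE_TSX, PKT_FUP };
enum tx_state { TX_UNKNOWN, TX_INACTIVE, TX_ACTIVE };
struct pkt { enum pkt_kind kind; bool in_tx; };
struct tsx_tracker {
    bool packet_en;          /* true between TIP.PGE and TIP.PGD */
    bool fup_pending;        /* MODE.TSX seen while tracing: FUP expected */
    enum tx_state tx;        /* from the most recent MODE.TSX */
    enum tx_state at_resume; /* tx as of the most recent TIP.PGE */
    int standalone_tsx;      /* MODE.TSX seen while tracing was off */
    int bound_tsx;           /* MODE.TSX paired with the FUP after it */
};

static void tsx_run(struct tsx_tracker *t, const struct pkt *s, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        switch (s[i].kind) {
        case PKT_MODE_TSX:
            t->tx = s[i].in_tx ? TX_ACTIVE : TX_INACTIVE;
            if (t->packet_en) t->fup_pending = true; /* FUP follows */
            else t->standalone_tsx++;                /* status only */
            break;
        case PKT_FUP:        /* binds only to a pending MODE.TSX */
            if (t->fup_pending) { t->bound_tsx++; t->fup_pending = false; }
            break;
        case PKT_TIP_PGD:    /* tracing off: stop waiting for a FUP */
            t->packet_en = t->fup_pending = false;
            break;
        case PKT_TIP_PGE:    /* last MODE.TSX before this point applies */
            t->packet_en = true;
            t->at_resume = t->tx;
            break;
        }
    }
}

/* Constructed stream: transaction begins in the filter region, ends outside. */
static const struct pkt sample[] = {
    { PKT_TIP_PGE, false }, { PKT_MODE_TSX, true }, { PKT_FUP, false },
    { PKT_TIP_PGD, false }, { PKT_MODE_TSX, false }, { PKT_TIP_PGE, false },
};

int main(void)
{
    struct tsx_tracker t = {0};
    tsx_run(&t, sample, sizeof sample / sizeof sample[0]);
    return t.at_resume == TX_INACTIVE ? 0 : 1;
}
```

A decoder that always waited for a FUP after MODE.TSX would instead bind the out-of-region MODE.TSX to some later, unrelated FUP and misreport where the transaction ended.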

System Management Mode (SMM) 

SMM code has special privileges that non-SMM code does not have. Intel Processor Trace can be used to trace SMM 
code, but special care is taken to ensure that SMM handler context is not exposed in any non-SMM trace collection. 
Additionally, packet output from tracing non-SMM code cannot be written into memory space that is either 
protected by SMRR or used by the SMM handler.
SMM is entered via a system management interrupt (SMI). SMI delivery saves the value of IA32_RTIT_CTL.TraceEn 
into SMRAM and then clears it, thereby disabling packet generation.
The saving and clearing of IA32_RTIT_CTL.TraceEn ensures two things:
1. All internally buffered packet data is flushed before entering SMM (see Section 36.2.7.2). 
2. Packet generation ceases before entering SMM, so any tracing that was configured outside SMM does not 
continue into SMM. No SMM instruction pointers or other state will be exposed in the non-SMM trace.

When the RSM instruction is executed to return from SMM, the TraceEn value that was saved by SMI delivery is 
restored, allowing tracing to be resumed. As is done any time packet generation is enabled, ContextEn is 
re-evaluated, based on the values of CPL, CR3, etc., established by RSM.
Like other interrupts, delivery of an SMI produces a FUP containing the IP of the next instruction to execute. By 
toggling TraceEn, SMI and RSM can produce TIP.PGD and TIP.PGE packets, respectively, indicating that tracing was 
disabled or re-enabled. See Table 36.7 for more information about packets entering and leaving SMM. 
Although #SMI and RSM change CR3, PIP packets are not generated in these cases. With #SMI, tracing is disabled 
before the CR3 change; with RSM, TraceEn is restored after CR3 is written.
TraceEn must be cleared before executing RSM, otherwise it will cause a shutdown. Further, on processors that 
restrict use of Intel PT with LBRs (see Section 36.3.1.2), any RSM that results in enabling of both will cause a 
shutdown.
Intel PT can support tracing of System Transfer Monitor operating in SMM; see Section 36.6.

36.2.8.2   Virtual-Machine Extensions (VMX)

Initial implementations of Intel Processor Trace do not support tracing in VMX operation. Such processors indicate 
this by returning 0 for IA32_VMX_MISC[bit 14]. On these processors, execution of the VMXON instruction clears 
IA32_RTIT_CTL.TraceEn and any attempt to set that bit in VMX operation using WRMSR causes a 
general-protection exception (#GP).
Processors that support Intel Processor Trace in VMX operation return 1 for IA32_VMX_MISC[bit 14]. Details of 
tracing in VMX operation are described in Section 36.5.

36.2.8.3   Intel Software Guard Extensions (SGX)

SGX provides an application with the ability to instantiate a protective container (an enclave) with confidentiality and 
integrity (see Intel® Software Guard Extensions Programming Reference). On a processor with both Intel PT and 
SGX enabled, when executing code within a production enclave, no control flow packets are produced by Intel PT. 
Enclave entry will clear ContextEn, thereby blocking control flow packet generation. A TIP.PGD packet will be 
generated if PacketEn=1 at the time of the entry.
Upon enclave exit, ContextEn will no longer be forced to 0. If other enables are set at the time, a TIP.PGE may be 
generated to indicate that tracing is resumed.