On Hacker News, userbinator posted a comment with the datasheet and a section describing an alternate ISA. The datasheet says that is for debugging and testing. They also say customers can contact them about getting access to it if they really need it. Might shed light on the situation.
tl;dr: You have micro-op level access to the CPU, skipping the x86 decoder. It’s also documented in the processor manual and the ALTINST bit requires ring 0 to set it, so not much of a backdoor, is it?
This sounds like rather a big deal, why is this in these old intel CPUs?
VIA is an independent manufacturer of computers that sold low-power, crypto-accelerated, x86 chips designed by the third, x86 vendor that’s still around: Centaur. Here’s a video about them. They worked on processor verification with ACL2. Jared Davis, who contributed to that work, later did a “self-verifying” prover called Milawa that bootstrappers should find inspiring.
So, interesting company and people. Them being low watts with x86 compatibility got them used in a lot of embedded applications. The VIA Artigos were also one of only boxes you could get for $300 with tiny, form factor and crypto accelerator (incl TRNG). VIA stayed being a struggling also-ran in x86 but many users.
VIA is not Intel
The presentation slides are now live on BlackHat’s site: http://i.blackhat.com/us-18/Thu-August-9/us-18-Domas-God-Mode-Unlocked-Hardware-Backdoors-In-x86-CPUs.pdf
I was wondering when something “practical” would come of sandsifter! Nice find.