This. When I read the article I instantly recognised this from some datasheet-browsing I did many years ago. It's not a "coprocessor", it's not a backdoor, it's just access to the internal core. It's even documented in the datasheet itself:
Edit: Now it's all coming back to me. I was exploring the 0F opcode space and came upon 0F 3F, which happens to be the "enter alternate execution mode" instruction when it's enabled. There are a lot of other interesting results if you Google "0F 3F", although I remember them being a lot more relevant when I originally discovered this...
While it is (a bit disappointingly) a known instruction, it seems that Domas has come up with this on his own (via sandsifter [1]). Also, it is really unexpected that there is a documented userland instruction that goes to ring 0 anyway, so it is a "documented" "backdoor". In any case I still think that this study is interesting, mainly because it shows that we can inspect such instructions seemingly out of nowhere.
For which the instruction set is not documented.
For which the x86 access instruction ("bound eax") is not documented.
For which the capabilities are not documented.
From which you can circumvent all of the processor's security checks.
> For which the instruction set is not documented.
Why does it matter?
This alternate instruction set is intended for testing, debug, and special application usage. Accordingly, it is not documented for general usage. If you have a justified need for access to these instructions, contact your VIA representative.
> For which the x86 access instruction ("bound eax") is not documented.
The instruction is documented to be LEA (which I presume is correct for this particular processor) and:
While all VIA C3 processors contain this alternate instruction feature, the invocation details (e.g., the 0x8D8400 “prefix”) may be different between processors. Check the appropriate processor data sheet for details.
> For which the capabilities are not documented.
It's documented that you can do pretty much anything:
For example, in the alternate instruction set, privileged functions can be used from any protection level, memory descriptor checking can be bypassed, and many x86 exceptions such as alignment check can be bypassed.
http://datasheets.chipdb.org/VIA/Nehemiah/VIA%20C3%20Nehemia...
(Page 82, "Alternate Instruction Execution")
https://spth.virii.lu/29a7/Articles/29A-7.029.txt
It's not just the C3 that has this feature, if you Google "ALTINST" you'll find more info.
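The thread names two byte patterns tied to the VIA C3 alternate instruction feature: the 0F 3F "enter alternate execution mode" opcode and the 0x8D8400 LEA-form "prefix" from the datasheet. As an added triage example (not code from the thread, the datasheet or sandsifter), the scanner below walks a code blob and reports offsets where either pattern appears so an analyst reviewing firmware or a binary can look at those sites. The sample buffer is constructed here; the hit kinds and the 7-byte capture window for the LEA form are this example's own conventions, and as the thread notes the encoding details vary between processors, so the signatures only cover the documented C3 case.

```python
"""
Byte-signature scanner for the VIA C3 alternate-instruction entry sequences
discussed in the thread. Reports candidate offsets for analyst review; it
does not decode or execute anything.
"""
from dataclasses import dataclass
from typing import List

# Patterns taken from the thread / datasheet discussion.
ALT_ENTER_OPCODE = bytes.fromhex("0f3f")   # "enter alternate execution mode"
ALT_PREFIX = bytes.fromhex("8d8400")       # the 0x8D8400 LEA-form "prefix"


@dataclass(frozen=True)
class Hit:
    offset: int
    kind: str    # "enter_alt_mode" or "lea_prefix" (names chosen for this example)
    raw: bytes   # bytes captured at the hit for review


def scan(code: bytes) -> List[Hit]:
    """Return every candidate occurrence of either pattern, in offset order.

    Both patterns are also valid ordinary x86 byte sequences (8D 84 00 is a
    plain LEA eax,[eax+eax*1+disp32]), so every hit is a candidate for
    manual review, not a verdict.
    """
    hits: List[Hit] = []
    i = 0
    n = len(code)
    while i < n:
        if code.startswith(ALT_ENTER_OPCODE, i):
            hits.append(Hit(i, "enter_alt_mode", code[i:i + 2]))
            i += 2
            continue
        if code.startswith(ALT_PREFIX, i):
            # Capture the 3 prefix bytes plus the 4 displacement bytes that
            # follow in the LEA encoding, so the reviewer sees the whole word.
            hits.append(Hit(i, "lea_prefix", code[i:i + 7]))
            i += 3
            continue
        i += 1
    return hits


def report(code: bytes) -> List[str]:
    """Human-readable one-liners per hit, for logging or a triage ticket."""
    return [f"0x{h.offset:04x} {h.kind} {h.raw.hex()}" for h in scan(code)]


# Constructed sample: push ebp / mov ebp,esp / 0F 3F / nop / 3-byte nop /
# the LEA-form prefix with a made-up displacement / ret.
SAMPLE = bytes.fromhex(
    "55" "89e5" "0f3f" "90" "0f1f00" "8d8400" "44332211" "c3"
)

if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Run it over a real code section by replacing SAMPLE with the bytes of that section; treat the output as a shortlist to inspect, since both patterns occur in ordinary code.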