I suspect it'll be a bit more complex than that. But the "speculative reference ... higher privileged data" bit in https://lkml.org/lkml/2017/12/27/2 … , by an AMD engineer!, really hints at something very roughly in that vein.
You don't necessarily have to be able to read the supposedly inaccessible value itself. Seeing the timing effects of speculative execution [aborts] can be sufficient to infer actual value. Timing or PMU stats about aborts could be sufficient to infer value by binary search.