2026-05-25
Every x86 CPU carries a small set of Model-Specific Registers (MSRs) — control registers that don't appear in your ISA reference but govern almost everything: which CPU features are enabled, where the syscall handler lives, how performance counters behave, what the TSC frequency is. They're read with RDMSR and written with WRMSR, both of which fault with #GP if you're not in ring 0. That's the whole security model: one CPL check.
The MSR namespace is huge — thousands of addresses, most undocumented or vendor-specific. A few are load-bearing for everything you do:
IA32_EFER (0xC0000080). Bit 0, SCE, enables the SYSCALL instruction. Without it, SYSCALL from userspace raises #UD. Linux sets this once at boot.
IA32_LSTAR (0xC0000082). The address SYSCALL jumps to. Linux writes entry_SYSCALL_64 here. Change this value and every syscall on the CPU goes somewhere else.
IA32_FS_BASE / IA32_GS_BASE. The FS and GS segment bases; userspace sets them through arch_prctl.
IA32_SPEC_CTRL (0x48). The Spectre patch lives here too. Bit 0 is IBRS — Indirect Branch Restricted Speculation. Setting it tells the CPU "flush indirect predictors before speculating." Linux writes this MSR on every kernel entry and exit on vulnerable CPUs. The mitigation cost you measured in 2018 was literally two WRMSR instructions per syscall — each one ~100 cycles because WRMSR is fully serializing.
Concrete example. Run sudo rdmsr -p 0 0xC0000082 on any Linux box (it needs the msr kernel module loaded and the msr-tools package installed). You'll get back something like ffffffff81e00100 — the kernel virtual address of the syscall entry point. Now grep entry_SYSCALL_64 /proc/kallsyms, as root so KASLR doesn't mask the address to zero. Same address. That single MSR is the bridge between every SYSCALL instruction your binaries execute and the kernel code that handles them.
Rule of thumb. RDMSR costs ~30-50 cycles; WRMSR costs ~100-300 cycles because it serializes the pipeline (it has to — you might have just changed how every subsequent instruction behaves). If you see WRMSR on a hot path in a flame graph, something is wrong. The kernel batches MSR writes across context switches precisely because each one is a speculation barrier.
MSRs are also the control surface for half the speculative-execution mitigations: IBRS, STIBP, SSBD, MD_CLEAR — each is a bit in an MSR that the kernel toggles at trust boundaries. Your CPU's security posture is, literally, the contents of a few 64-bit registers.
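The two checks above (LSTAR against /proc/kallsyms, and the mitigation bits in IA32_SPEC_CTRL) can be turned into a small per-CPU audit. The program below is an added example, not code from the original post: it reads MSRs through Linux's msr driver (/dev/cpu/N/msr, which maps the file offset to the MSR address and needs root plus modprobe msr), compares IA32_LSTAR on every CPU with the kernel's own entry_SYSCALL_64, and decodes EFER.SCE and the IBRS/STIBP/SSBD bits of IA32_SPEC_CTRL. MSR addresses and bit positions follow the Intel SDM; the helper names and the exit codes are this example's own choices.

```c
/* Added example (not from the original post). Audit syscall-entry integrity
 * and speculation-mitigation bits by reading MSRs via Linux's msr driver. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MSR_IA32_SPEC_CTRL 0x48        /* bit 0 IBRS, bit 1 STIBP, bit 2 SSBD */
#define MSR_IA32_EFER      0xC0000080  /* bit 0 SCE enables SYSCALL/SYSRET   */
#define MSR_IA32_LSTAR     0xC0000082  /* target of SYSCALL in 64-bit mode   */

/* Read one MSR on one CPU. The msr driver performs RDMSR for a pread() at
 * file offset == MSR address; needs CAP_SYS_RAWIO and the msr module. */
int read_msr(int cpu, uint32_t msr, uint64_t *out)
{
    char path[64];
    snprintf(path, sizeof path, "/dev/cpu/%d/msr", cpu);
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = pread(fd, out, sizeof *out, (off_t)msr);
    close(fd);
    return n == (ssize_t)sizeof *out ? 0 : -1;
}

/* Look up a symbol in /proc/kallsyms. Returns 0 if not found; an unprivileged
 * reader under KASLR also sees 0, so 0 is treated as "unknown" below. */
uint64_t kallsyms_lookup(const char *sym)
{
    FILE *f = fopen("/proc/kallsyms", "r");
    if (!f) return 0;
    char line[256], name[128], type;
    unsigned long long addr;
    uint64_t found = 0;
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "%llx %c %127s", &addr, &type, name) == 3 &&
            strcmp(name, sym) == 0) { found = addr; break; }
    }
    fclose(f);
    return found;
}

/* Pure decode helpers: these need no ring 0 and are what a test can check. */
int spec_ctrl_ibrs(uint64_t v)  { return (int)((v >> 0) & 1); }
int spec_ctrl_stibp(uint64_t v) { return (int)((v >> 1) & 1); }
int spec_ctrl_ssbd(uint64_t v)  { return (int)((v >> 2) & 1); }
int efer_sce(uint64_t v)        { return (int)((v >> 0) & 1); }

/* Integrity rule: LSTAR must equal the kernel's own entry_SYSCALL_64.
 * An unknown expected value (0) never passes, so a blind run cannot report ok. */
int lstar_matches(uint64_t lstar, uint64_t expected)
{
    return expected != 0 && lstar == expected;
}

int main(void)
{
    long ncpu = sysconf(_SC_NPROCESSORS_ONLN);
    uint64_t expected = kallsyms_lookup("entry_SYSCALL_64");
    if (expected == 0)
        fprintf(stderr, "entry_SYSCALL_64 not readable from kallsyms (run as root)\n");
    int rc = 0;
    for (int cpu = 0; cpu < ncpu; cpu++) {
        uint64_t lstar, efer, spec = 0;
        if (read_msr(cpu, MSR_IA32_LSTAR, &lstar) || read_msr(cpu, MSR_IA32_EFER, &efer)) {
            fprintf(stderr, "cpu%d: cannot read MSRs (%s); need root and modprobe msr\n",
                    cpu, strerror(errno));
            return 1;
        }
        /* SPEC_CTRL is absent on CPUs without the microcode; the read then fails. */
        int have_spec = read_msr(cpu, MSR_IA32_SPEC_CTRL, &spec) == 0;
        printf("cpu%d: LSTAR=%#llx %s EFER.SCE=%d", cpu, (unsigned long long)lstar,
               lstar_matches(lstar, expected) ? "ok" : "MISMATCH", efer_sce(efer));
        if (have_spec)
            printf(" SPEC_CTRL: IBRS=%d STIBP=%d SSBD=%d",
                   spec_ctrl_ibrs(spec), spec_ctrl_stibp(spec), spec_ctrl_ssbd(spec));
        printf("\n");
        if (!lstar_matches(lstar, expected)) rc = 2;
    }
    return rc;
}
```

Build with cc -O2 -o msraudit msraudit.c and run it as root. A MISMATCH on any CPU means that core's SYSCALL no longer lands in the kernel's entry stub, which is exactly the condition the rdmsr/kallsyms comparison above is meant to catch; a missing SPEC_CTRL read is not an error, it just means the CPU never got the IBRS-capable microcode.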
