Can Intel PT (Processor Trace) be disabled/configured from within an OS?

Question

I have a number of questions about Intel PT (have been trying to decode the manual but is very difficult). My questions are:

1. I am trying to find out i

Answer 1

I'm also currently figuring out how to use Intel PT. As far as I know:

1. Yes. From section 36.2.5.2 of the Intel 64 and IA-32 Architectures Software Developer’s Manual:

IA32_RTIT_CTL, at address 570H, is the primary enable and control MSR for trace packet generation. Bit positions are listed in Table 36-5.

You can clear or set the IA32_RTIT_CTL MSR to disable or enable PT tracing. This can be done from within the system PT is providing a trace of. In fact, I don't think it can be done any other way.

2. Yes. A Paging Information Packet (PIP) is created when modifications to the CR3 register happen. Not sure about IDTR and others, though. Furthermore, the CR3 register can be used for trace filtering.

3. The whole idea behind Intel PT is packet encoding and decoding. When x event happens, y packet is generated. It's your job to "decode" this CPU provided data and make some high level sense out of it. Additionally, you can "encode" packets and feed them into the system doing the decoding. Again, decoder (and, optionally, encoder) functionality is your job. You can check out Intel's opensource decoder/encoder library reference implementation here. I'd recommend trying it out under Linux, with the latest stable kernel (4.1.3 as of this writing). It's worth noting that PT stores its data where you tell it to, generally a reserved memory region, or a debugging port.