VIA/Centaur C3 processors are internally RISC and the front end converts x86 instructions into RISC instructions that the processor executes. People used to ask "can I generate native RISC code?" and Centaur always said no, but you know they must have debugging functionality to do that.

And now someone has discovered that sometimes you can enter debug mode from ring 3 and they're calling it a backdoor.

This. When I read the article I instantly recognised this from some datasheet-browsing I did many years ago. It's not a "coprocessor", it's not a backdoor, it's just access to the internal core. It's even documented in the datasheet itself:

http://datasheets.chipdb.org/VIA/Nehemiah/VIA%20C3%20Nehemia...

(Page 82, "Alternate Instruction Execution")

Edit: Now it's all coming back to me. I was exploring the 0F opcode space and came upon 0F 3F, which happens to be the "enter alternate execution mode" instruction when it's enabled. There are a lot of other interesting results if you Google "0F 3F", although I remember them being a lot more relevant when I originally discovered this...

https://spth.virii.lu/29a7/Articles/29A-7.029.txt

It's not just the C3 that has this feature; if you Google "ALTINST" you'll find more info.

While it is (a bit disappointingly) a known instruction, it seems that Domas has come up with this on his own (via sandsifter [1]). Also, it is really unexpected that there is a documented userland instruction that goes to ring 0 anyway, so it is a "documented" "backdoor". In any case I still think that this study is interesting, mainly because it shows that we can inspect such instructions seemingly out of nowhere.

[1] https://github.com/xoreaxeaxeax/sandsifter