> So it's your contention that Intel never guaranteed that ring 0 protected memory couldn't be read by code running in ring 3.
Assuming by "read" you mean "inferred", yes, I'm not aware of any such guarantee, but again, I of course have't read everything they have published, so by all means prove me wrong.
4.6.1 Determination of Access Rights
For user-mode accesses:
— Data reads.
Access rights depend on the mode of the linear address:
...
• Data may not be read from any supervisor-mode address.
Assuming by "read" you mean "inferred", yes, I'm not aware of any such guarantee, but again, I of course have't read everything they have published, so by all means prove me wrong.