SMM Lock Bypass (amd.com)
1 point by doener on Aug 19, 2024 | 2 comments


I'm not understanding this one. The attacker has to have Ring 0 access to perform this particular attack. Doesn't that mean that attacker already has access to everything on the machine? There must be some subtlety I'm not understanding.


There are things that can be set by writing to MSRs that are not able to be unset until the processor is physically reset.

An example is the option that enables/disables the whole VMX/SVM capability - and that is something the firmware will typically do according to an option in NVRAM early in the boot process.

I think SMM lock falls under the same umbrella.
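
An added example, not part of the thread or of AMD's advisory: a defender-side audit of the write-once lock bits the comment above describes. The MSR addresses and bit positions are assumptions taken from the Intel SDM and AMD programmer's manuals rather than from this page, and the sample values are constructed.

```python
import os
import struct

# (MSR address, name, {bit: flag}) per the Intel SDM and AMD APM/PPR (not from this page).
LOCK_MSRS = {
    "intel": [(0x3A, "IA32_FEATURE_CONTROL", {0: "LOCK", 2: "VMX_OUTSIDE_SMX"})],
    "amd": [
        (0xC0010114, "VM_CR", {3: "LOCK", 4: "SVMDIS"}),
        (0xC0010015, "HWCR", {0: "SMMLOCK"}),
    ],
}

def decode(value, bits):
    """Return {flag_name: bool} for each listed bit of a raw 64-bit MSR value."""
    return {name: bool((value >> bit) & 1) for bit, name in bits.items()}

def findings(vendor, raw):
    """raw maps MSR address -> value. List every register whose lock bit is clear."""
    out = []
    for addr, name, bits in LOCK_MSRS[vendor]:
        flags = decode(raw[addr], bits)
        lock = next(k for k in flags if "LOCK" in k)
        if not flags[lock]:
            out.append(f"{name} ({addr:#x}): {lock} clear, still writable from ring 0")
    return out

def read_msr(addr, cpu=0):
    """Read one MSR via the Linux msr driver (root and `modprobe msr` required).
    MSRs are per-core, so a real audit repeats this for every CPU."""
    fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    try:
        return struct.unpack("<Q", os.pread(fd, 8, addr))[0]
    finally:
        os.close(fd)

# Constructed sample values, not read from real hardware.
SAMPLE_AMD_LOCKED = {0xC0010114: 0x18, 0xC0010015: 0x1}
SAMPLE_AMD_OPEN = {0xC0010114: 0x00, 0xC0010015: 0x0}

if __name__ == "__main__":
    for label, raw in (("locked", SAMPLE_AMD_LOCKED), ("open", SAMPLE_AMD_OPEN)):
        print(label, findings("amd", raw) or "all lock bits set")
```

On a live Linux host, build the `raw` dictionary with `read_msr()` for each address in `LOCK_MSRS` and pass it to `findings()`.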



