I think this is not as useful at it looks. Most of local attacks that allow you to read arbitrary memory locations also allow you to run arbitrary code which can simply read the debug registers, it's interesting to note that state of debug registers is not defined after reset, which probably means their state is retained across resets.
Also one could assume, that whole architectural state of CPU - including debug registers - can be read out using JTAG test port of CPU (I haven't find any official documentation about JTAG capabilities of Intel's CPUs, but there are commercially available JTAG attached ICDs for x86 CPUs).
Also one could assume, that whole architectural state of CPU - including debug registers - can be read out using JTAG test port of CPU (I haven't find any official documentation about JTAG capabilities of Intel's CPUs, but there are commercially available JTAG attached ICDs for x86 CPUs).