hw: detect VM guest via hypervisor CPUID flag, warn on unreliable microcode

Addresses issue #336: when running inside a VM (KVM, VMware, ESXi,
Hyper-V, VirtualBox), the hypervisor can present a fake CPUID and
microcode version to the guest, making the microcode up-to-date check
meaningless or misleading.

Changes:
- Add is_running_as_guest() to 370_hw_vmm.sh: detects VM guest status
  by checking for the 'hypervisor' CPUID flag in /proc/cpuinfo, which
  is exposed by KVM, VMware, Hyper-V, VirtualBox and most other
  hypervisors. Result is cached in g_is_guest_vm / g_is_guest_vm_reason.

- Add "Running as VM guest: YES/NO" line to the CPU details block in
  check_cpu() (400_hw_check.sh), shown for both x86 and ARM guests.

- Add a pr_warn block after the microcode-is-latest check in check_cpu()
  advising the user to verify microcode information on the hypervisor
  host when a VM guest is detected.

- Add minimal ARM CPU details block in check_cpu(): vendor, model name,
  implementer(s), part(s), architecture(s), and VM guest status. ARM CPUs
  previously got no output from check_cpu() due to the x86-only early
  return guard.

- Expose guest VM status in JSON output (250_output_emitters.sh):
  - system section: guest_vm (bool) and guest_vm_reason (string)
  - cpu_microcode section: unreliable_in_vm (bool)
Author: Stéphane Lesimple
Date: 2026-04-22 00:08:11 +02:00
Parent: 7329c1fd2f
Commit: 43bbfabc34
3 changed files with 66 additions and 4 deletions
@@ -388,6 +388,30 @@ check_kernel_info() {
check_cpu() {
local capabilities ret spec_ctrl_msr codename ucode_str
if is_arm_cpu; then
pr_info "* CPU details"
pr_info " * Vendor: $cpu_vendor"
pr_info " * Model name: $cpu_friendly_name"
if [ -n "${cpu_impl_list:-}" ]; then
pr_info " * Implementer(s): $cpu_impl_list"
fi
if [ -n "${cpu_part_list:-}" ]; then
pr_info " * Part(s): $cpu_part_list"
fi
if [ -n "${cpu_arch_list:-}" ]; then
pr_info " * Architecture(s): $cpu_arch_list"
fi
if has_runtime; then
pr_info_nol " * Running as VM guest: "
if is_running_as_guest; then
pstatus yellow YES "$g_is_guest_vm_reason"
else
pstatus green NO
fi
fi
return
fi
if ! uname -m | grep -qwE 'x86_64|i[3-6]86|amd64'; then
return
fi
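Review bot: the ARM branch calls is_running_as_guest, but the detection the commit message describes (the 'hypervisor' flag in /proc/cpuinfo) is an x86 CPUID feature bit that the arm64 kernel never lists under Features, so on ARM this block will print `pstatus green NO` for every guest, which is more misleading than printing nothing. Either report `pstatus blue UNKNOWN` on ARM until an ARM-specific source is wired in, or gate the "Running as VM guest" line on the architecture. Separately, `$cpu_vendor` and `$cpu_friendly_name` are printed unguarded while the three list variables get a `[ -n ... ]` guard; if they can be empty on ARM the same guard should apply.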
@@ -416,6 +440,15 @@ check_cpu() {
fi
fi
if has_runtime; then
pr_info_nol " * Running as VM guest: "
if is_running_as_guest; then
pstatus yellow YES "$g_is_guest_vm_reason"
else
pstatus green NO
fi
fi
pr_info "* Hardware support (CPU microcode) for mitigation techniques"
pr_info " * Indirect Branch Restricted Speculation (IBRS)"
pr_info_nol " * SPEC_CTRL MSR is available: "
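Review bot: `pstatus green NO` asserts bare metal from the absence of the hypervisor CPUID flag, but that bit is under the hypervisor's control and can be hidden from the guest, so the negative result only means "not detected". Suggest wording the status accordingly (e.g. `pstatus green 'NOT DETECTED'`, or passing a hint as the third argument the way the YES branch passes `$g_is_guest_vm_reason`) so that the absence of the later microcode warning is not read as proof the reported microcode values are trustworthy. Also, when `has_runtime` is false the line is silently omitted; a `pstatus blue UNKNOWN` there would make clear the check was skipped rather than negative.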
@@ -1365,6 +1398,13 @@ check_cpu() {
else
pstatus blue UNKNOWN "$ret_is_latest_known_ucode_latest"
fi
if is_running_as_guest; then
pr_warn
pr_warn "Note: this system is running inside a VM ($g_is_guest_vm_reason)."
pr_warn "The hypervisor may be faking the CPU model and microcode version;"
pr_warn "verify the above microcode information on the hypervisor host for accuracy."
pr_warn
fi
}
# Display per-CVE CPU vulnerability status based on CPU model/family.
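Review bot: the warning is appended after the latest-microcode verdict rather than feeding into it, so a guest still gets a green result on the lines above followed by a note saying that result may not be real. Consider demoting the verdict itself to `pstatus blue UNKNOWN` (the path already used in the `else` branch above) when `is_running_as_guest` is true, and keeping the pr_warn block as the explanation. In the message text, "faking" overstates the common case: the hypervisor controls which CPUID leaves and which microcode revision the guest sees, which is enough to make the reported version unreliable; "may not reflect the host's real CPU model and microcode version" states the risk without implying intent. Finally, neither this note nor the commit message mentions that the hypervisor flag the detection depends on can itself be hidden, so a guest that hides it gets no warning at all; that limitation belongs in the note or in the is_running_as_guest() comment.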