From 4875b4c71c15821cd8bf41099905a52c83b1d063 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?=
Date: Tue, 31 Mar 2026 22:47:19 +0200
Subject: [PATCH] feat: add CVE-2020-0543 (SRBDS) mitigation detection under BSD
---
 src/vulns/CVE-2020-0543.sh | 41 ++++++++++++++++++++++++++++++++++----
 1 file changed, 37 insertions(+), 4 deletions(-)
diff --git a/src/vulns/CVE-2020-0543.sh b/src/vulns/CVE-2020-0543.sh
index 4e41bc0..69fc020 100644
--- a/src/vulns/CVE-2020-0543.sh
+++ b/src/vulns/CVE-2020-0543.sh
@@ -105,11 +105,44 @@ check_CVE_2020_0543_linux() {
 }
 # CVE-2020-0543 SRBDS (special register buffer data sampling) - BSD mitigation check
+# FreeBSD uses the name "rngds" (Random Number Generator Data Sampling) for SRBDS
 check_CVE_2020_0543_bsd() {
- if ! is_cpu_affected "$cve"; then
- # override status & msg in case CPU is not vulnerable after all
- pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+ local rngds_enable rngds_state kernel_rngds
+ pr_info_nol "* Kernel supports SRBDS mitigation (machdep.mitigations.rngds.enable): "
+ rngds_enable=$(sysctl -n machdep.mitigations.rngds.enable 2>/dev/null)
+ if [ -n "$rngds_enable" ]; then
+ kernel_rngds=1
+ case "$rngds_enable" in
+ 0) pstatus yellow YES "optimized (RDRAND/RDSEED not locked, faster but vulnerable)" ;;
+ 1) pstatus green YES "mitigated" ;;
+ *) pstatus yellow YES "unknown value: $rngds_enable" ;;
+ esac
 else
- pvulnstatus "$cve" UNK "your CPU is affected, but mitigation detection has not yet been implemented for BSD in this script"
+ kernel_rngds=0
+ pstatus yellow NO
+ fi
+
+ pr_info_nol "* SRBDS mitigation state: "
+ rngds_state=$(sysctl -n machdep.mitigations.rngds.state 2>/dev/null)
+ if [ -n "$rngds_state" ]; then
+ if echo "$rngds_state" | grep -qi 'not.affected\|mitigat'; then
+ pstatus green YES "$rngds_state"
+ else
+ pstatus yellow NO "$rngds_state"
+ fi
+ else
+ pstatus yellow NO "sysctl not available"
+ fi
+
+ if ! is_cpu_affected "$cve"; then
+ pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+ elif [ "$kernel_rngds" = 1 ] && [ "$rngds_enable" = 1 ]; then
+ pvulnstatus "$cve" OK "SRBDS mitigation is enabled"
+ elif [ "$kernel_rngds" = 1 ] && [ "$rngds_enable" = 0 ]; then
+ pvulnstatus "$cve" VULN "SRBDS mitigation is supported but set to optimized mode (disabled for RDRAND/RDSEED)"
+ explain "To enable full SRBDS mitigation, run \`sysctl machdep.mitigations.rngds.enable=1'.\n " \
+ "To make this persistent, add 'machdep.mitigations.rngds.enable=1' to /etc/sysctl.conf."
+ else
+ pvulnstatus "$cve" VULN "your kernel doesn't support SRBDS mitigation, update it"
 fi
 }
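Review bot: The final verdict is driven only by `rngds_enable`, so an `enable=1` knob produces OK even when the `machdep.mitigations.rngds.state` value the hunk just printed says the mitigation did not take effect; `enable` is the requested setting, while `state` is what the kernel reports as applied (on FreeBSD the MSR write is skipped when the microcode lacks the feature and the state reflects that — confirm against the sysctl handler), so the OK branch should require both. Record the outcome of the state check, e.g. `rngds_active=1` in the `pstatus green YES "$rngds_state"` branch (and `rngds_active=0` elsewhere), then gate with `elif [ "$rngds_enable" = 1 ] && [ "$rngds_active" = 1 ]; then`, letting `enable=1` with a non-matching state fall to a VULN/UNK verdict that quotes the state string instead of "update your kernel". The state pattern `'not.affected\|mitigat'` also depends on GNU BRE `\|` alternation, which BSD grep does not guarantee; use `grep -qiE 'not.affected|mitigat'` and verify the literal strings FreeBSD emits, since this code path only ever runs on BSD. Finally, an `enable` value other than 0/1 reaches the `else` branch after `kernel_rngds=1` was set and is reported as "kernel doesn't support SRBDS mitigation", which is false; that case deserves a UNK verdict carrying the raw value.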