diff --git a/src/libs/002_core_globals.sh b/src/libs/002_core_globals.sh index 37662df..f87a610 100644 --- a/src/libs/002_core_globals.sh +++ b/src/libs/002_core_globals.sh @@ -4,26 +4,29 @@ show_usage() { # shellcheck disable=SC2086 cat <] [--config ] [--map ]> --live - Offline mode: $(basename $0) [options] <[--kernel ] [--config ] [--map ]> + Live mode: $(basename $0) [options] [--kernel ] [--config ] [--map ] + No-runtime: $(basename $0) [options] --no-runtime <--kernel > [--config ] [--map ] + No-hw: $(basename $0) [options] --no-hw <--kernel > [--config ] [--map ] Modes: - Two modes are available. + Three modes are available. - First mode is the "live" mode (default), it does its best to find information about the currently running kernel. - To run under this mode, just start the script without any option (you can also use --live explicitly) - - Second mode is the "offline" mode, where you can inspect a non-running kernel. - This mode is automatically enabled when you specify the location of the kernel file, config and System.map files: + First mode is the "live" mode (default), it does its best to find information about the currently + running kernel. To run under this mode, just start the script without any option. + You can optionally specify --kernel, --config, or --map to help the script locate files it + couldn't auto-detect, without changing the mode. --kernel kernel_file specify a (possibly compressed) Linux or BSD kernel file --config kernel_config specify a kernel config file (Linux only) --map kernel_map_file specify a kernel System.map file (Linux only) - If you want to use live mode while specifying the location of the kernel, config or map file yourself, - you can add --live to the above options, to tell the script to run in live mode instead of the offline mode, - which is enabled by default when at least one file is specified on the command line. + Second mode is "no-runtime" (--no-runtime), where the script inspects the local CPU hardware + but skips all running-kernel artifacts (/sys, /proc, dmesg). Use this when you have a kernel + image from another system but want to check it against this CPU. + + Third mode is "no-hw" (--no-hw), where the script skips both CPU hardware inspection and + running-kernel artifacts. Use this for pure static analysis of a kernel image, for example + when inspecting an embedded kernel from a different architecture. Options: --no-color don't use color codes @@ -55,7 +58,8 @@ show_usage() { --cve CVE specify which CVE you'd like to check, by default all supported CVEs are checked can be used multiple times (e.g. --cve CVE-2017-5753 --cve CVE-2020-0543) --hw-only only check for CPU information, don't check for any variant - --no-hw skip CPU information and checks, if you're inspecting a kernel not to be run on this host + --no-runtime skip running-kernel checks (/sys, /proc, dmesg), still inspect local CPU hardware + --no-hw skip CPU information and running-kernel checks (implies --no-runtime) --vmm [auto,yes,no] override the detection of the presence of a hypervisor, default: auto --no-intel-db don't use the builtin Intel DB of affected processors --allow-msr-write allow probing for write-only MSRs, this might produce kernel logs or be blocked by your system @@ -114,7 +118,7 @@ g_os=$(uname -s) opt_kernel='' opt_config='' opt_map='' -opt_live=-1 +opt_runtime=1 opt_no_color=0 opt_batch=0 opt_batch_format='text' diff --git a/src/libs/230_util_optparse.sh b/src/libs/230_util_optparse.sh index b58fef6..4342655 100644 --- a/src/libs/230_util_optparse.sh +++ b/src/libs/230_util_optparse.sh @@ -47,7 +47,7 @@ while [ -n "${1:-}" ]; do opt_arch_prefix="$2" shift 2 elif [ "$1" = "--live" ]; then - opt_live=1 + # deprecated, kept for backward compatibility (live is now the default) shift elif [ "$1" = "--no-color" ]; then opt_no_color=1 @@ -74,8 +74,12 @@ while [ -n "${1:-}" ]; do elif [ "$1" = "--hw-only" ]; then opt_hw_only=1 shift + elif [ "$1" = "--no-runtime" ]; then + opt_runtime=0 + shift elif [ "$1" = "--no-hw" ]; then opt_no_hw=1 + opt_runtime=0 shift elif [ "$1" = "--allow-msr-write" ]; then opt_allow_msr_write=1 @@ -334,11 +338,13 @@ if [ "$opt_no_hw" = 1 ] && [ "$opt_hw_only" = 1 ]; then exit 255 fi -if [ "$opt_live" = -1 ]; then - if [ -n "$opt_kernel" ] || [ -n "$opt_config" ] || [ -n "$opt_map" ]; then - # no --live specified and we have a least one of the kernel/config/map files on the cmdline: offline mode - opt_live=0 - else - opt_live=1 - fi +if [ "$opt_runtime" = 0 ] && [ "$opt_sysfs_only" = 1 ]; then + pr_warn "Incompatible options specified (--no-runtime and --sysfs-only), aborting" + exit 255 fi + +if [ "$opt_runtime" = 0 ] && [ -z "$opt_kernel" ] && [ -z "$opt_config" ] && [ -z "$opt_map" ]; then + pr_warn "Option --no-runtime requires at least one of --kernel, --config, or --map" + exit 255 +fi + diff --git a/src/libs/250_output_emitters.sh b/src/libs/250_output_emitters.sh index 23e11a6..31116e7 100644 --- a/src/libs/250_output_emitters.sh +++ b/src/libs/250_output_emitters.sh @@ -68,10 +68,12 @@ _json_bool() { _build_json_meta() { local timestamp mode timestamp=$(date -u '+%Y-%m-%dT%H:%M:%SZ' 2>/dev/null || echo "unknown") - if [ "$opt_live" = 1 ]; then - mode="live" + if [ "$opt_no_hw" = 1 ]; then + mode="no-hw" + elif [ "$opt_runtime" = 0 ]; then + mode="no-runtime" else - mode="offline" + mode="live" fi local run_as_root if [ "$(id -u)" -eq 0 ]; then @@ -97,7 +99,7 @@ _build_json_meta() { # shellcheck disable=SC2034 _build_json_system() { local kernel_release kernel_version kernel_arch smt_val - if [ "$opt_live" = 1 ]; then + if [ "$opt_runtime" = 1 ]; then kernel_release=$(uname -r) kernel_version=$(uname -v) kernel_arch=$(uname -m) @@ -383,7 +385,7 @@ _emit_prometheus() { # shellcheck disable=SC2034 _build_prometheus_system_info() { local kernel_release kernel_arch hypervisor_host sys_labels - if [ "$opt_live" = 1 ]; then + if [ "$opt_runtime" = 1 ]; then kernel_release=$(uname -r 2>/dev/null || true) kernel_arch=$(uname -m 2>/dev/null || true) else diff --git a/src/libs/400_hw_check.sh b/src/libs/400_hw_check.sh index a6d8b66..f923b36 100644 --- a/src/libs/400_hw_check.sh +++ b/src/libs/400_hw_check.sh @@ -89,7 +89,7 @@ if [ "$opt_cpu" != all ] && [ "$opt_cpu" -gt "$g_max_core_id" ]; then exit 255 fi -if [ "$opt_live" = 1 ]; then +if [ "$opt_runtime" = 1 ]; then pr_info "Checking for vulnerabilities on current system" # try to find the image of the current running kernel @@ -251,7 +251,7 @@ else fi if [ -n "$g_kernel_version" ]; then # in live mode, check if the img we found is the correct one - if [ "$opt_live" = 1 ]; then + if [ "$opt_runtime" = 1 ]; then pr_verbose "Kernel image is \033[35m$g_kernel_version" if ! echo "$g_kernel_version" | grep -qF "$(uname -r)"; then pr_warn "Possible discrepancy between your running kernel '$(uname -r)' and the image '$g_kernel_version' we found ($opt_kernel), results might be incorrect" @@ -283,7 +283,7 @@ sys_interface_check() { msg='' ret_sys_interface_check_fullmsg='' - if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" = 0 ] && [ -r "$file" ]; then + if [ "$opt_runtime" = 1 ] && [ "$opt_no_sysfs" = 0 ] && [ -r "$file" ]; then : else g_mockme=$(printf "%b\n%b" "$g_mockme" "SMC_MOCK_SYSFS_$(basename "$file")_RET=1") @@ -352,7 +352,7 @@ sys_interface_check() { check_kernel_info() { local config_display pr_info "\033[1;34mKernel information\033[0m" - if [ "$opt_live" = 1 ]; then + if [ "$opt_runtime" = 1 ]; then pr_info "* Kernel is \033[35m$g_os $(uname -r) $(uname -v) $(uname -m)\033[0m" elif [ -n "$g_kernel_version" ]; then pr_info "* Kernel is \033[35m$g_kernel_version\033[0m" @@ -456,7 +456,7 @@ check_cpu() { ret=invalid pstatus yellow NO "unknown CPU" fi - if [ -z "$cap_ibrs" ] && [ $ret = $READ_CPUID_RET_ERR ] && [ "$opt_live" = 1 ]; then + if [ -z "$cap_ibrs" ] && [ $ret = $READ_CPUID_RET_ERR ] && [ "$opt_runtime" = 1 ]; then # CPUID device unavailable (e.g. in a VM): fall back to /proc/cpuinfo if grep ^flags "$g_procfs/cpuinfo" | grep -qw ibrs; then cap_ibrs='IBRS (cpuinfo)' @@ -533,7 +533,7 @@ check_cpu() { if [ $ret = $READ_CPUID_RET_OK ]; then cap_ibpb='IBPB_SUPPORT' pstatus green YES "IBPB_SUPPORT feature bit" - elif [ $ret = $READ_CPUID_RET_ERR ] && [ "$opt_live" = 1 ] && grep ^flags "$g_procfs/cpuinfo" | grep -qw ibpb; then + elif [ $ret = $READ_CPUID_RET_ERR ] && [ "$opt_runtime" = 1 ] && grep ^flags "$g_procfs/cpuinfo" | grep -qw ibpb; then # CPUID device unavailable (e.g. in a VM): fall back to /proc/cpuinfo cap_ibpb='IBPB (cpuinfo)' pstatus green YES "ibpb flag in $g_procfs/cpuinfo" @@ -604,7 +604,7 @@ check_cpu() { ret=invalid pstatus yellow UNKNOWN "unknown CPU" fi - if [ -z "$cap_stibp" ] && [ $ret = $READ_CPUID_RET_ERR ] && [ "$opt_live" = 1 ]; then + if [ -z "$cap_stibp" ] && [ $ret = $READ_CPUID_RET_ERR ] && [ "$opt_runtime" = 1 ]; then # CPUID device unavailable (e.g. in a VM): fall back to /proc/cpuinfo if grep ^flags "$g_procfs/cpuinfo" | grep -qw stibp; then cap_stibp='STIBP (cpuinfo)' @@ -676,7 +676,7 @@ check_cpu() { fi fi - if [ -z "$cap_ssbd" ] && [ "$ret24" = $READ_CPUID_RET_ERR ] && [ "$ret25" = $READ_CPUID_RET_ERR ] && [ "$opt_live" = 1 ]; then + if [ -z "$cap_ssbd" ] && [ "$ret24" = $READ_CPUID_RET_ERR ] && [ "$ret25" = $READ_CPUID_RET_ERR ] && [ "$opt_runtime" = 1 ]; then # CPUID device unavailable (e.g. in a VM): fall back to /proc/cpuinfo if grep ^flags "$g_procfs/cpuinfo" | grep -qw ssbd; then cap_ssbd='SSBD (cpuinfo)' @@ -740,7 +740,7 @@ check_cpu() { if [ $ret = $READ_CPUID_RET_OK ]; then pstatus green YES "L1D flush feature bit" cap_l1df=1 - elif [ $ret = $READ_CPUID_RET_ERR ] && [ "$opt_live" = 1 ] && grep ^flags "$g_procfs/cpuinfo" | grep -qw flush_l1d; then + elif [ $ret = $READ_CPUID_RET_ERR ] && [ "$opt_runtime" = 1 ] && grep ^flags "$g_procfs/cpuinfo" | grep -qw flush_l1d; then # CPUID device unavailable (e.g. in a VM): fall back to /proc/cpuinfo pstatus green YES "flush_l1d flag in $g_procfs/cpuinfo" cap_l1df=1 @@ -760,7 +760,7 @@ check_cpu() { if [ $ret = $READ_CPUID_RET_OK ]; then cap_md_clear=1 pstatus green YES "MD_CLEAR feature bit" - elif [ $ret = $READ_CPUID_RET_ERR ] && [ "$opt_live" = 1 ] && grep ^flags "$g_procfs/cpuinfo" | grep -qw md_clear; then + elif [ $ret = $READ_CPUID_RET_ERR ] && [ "$opt_runtime" = 1 ] && grep ^flags "$g_procfs/cpuinfo" | grep -qw md_clear; then # CPUID device unavailable (e.g. in a VM): fall back to /proc/cpuinfo cap_md_clear=1 pstatus green YES "md_clear flag in $g_procfs/cpuinfo" @@ -830,7 +830,7 @@ check_cpu() { if [ $ret = $READ_CPUID_RET_OK ]; then pstatus green YES cap_arch_capabilities=1 - elif [ $ret = $READ_CPUID_RET_ERR ] && [ "$opt_live" = 1 ] && grep ^flags "$g_procfs/cpuinfo" | grep -qw arch_capabilities; then + elif [ $ret = $READ_CPUID_RET_ERR ] && [ "$opt_runtime" = 1 ] && grep ^flags "$g_procfs/cpuinfo" | grep -qw arch_capabilities; then # CPUID device unavailable (e.g. in a VM): fall back to /proc/cpuinfo pstatus green YES "arch_capabilities flag in $g_procfs/cpuinfo" cap_arch_capabilities=1 diff --git a/src/main.sh b/src/main.sh index 211ffbf..b9e15ef 100644 --- a/src/main.sh +++ b/src/main.sh @@ -172,8 +172,13 @@ fi if [ "$opt_batch" = 1 ] && [ "$opt_batch_format" = "prometheus" ]; then prom_run_as_root='false' [ "$(id -u)" -eq 0 ] && prom_run_as_root='true' - prom_mode='offline' - [ "$opt_live" = 1 ] && prom_mode='live' + if [ "$opt_no_hw" = 1 ]; then + prom_mode='no-hw' + elif [ "$opt_runtime" = 0 ]; then + prom_mode='no-runtime' + else + prom_mode='live' + fi prom_paranoid='false' [ "$opt_paranoid" = 1 ] && prom_paranoid='true' prom_sysfs_only='false' diff --git a/src/vulns-helpers/check_mds.sh b/src/vulns-helpers/check_mds.sh index 031c924..6fcb72f 100644 --- a/src/vulns-helpers/check_mds.sh +++ b/src/vulns-helpers/check_mds.sh @@ -3,7 +3,7 @@ check_mds_bsd() { local kernel_md_clear kernel_smt_allowed kernel_mds_enabled kernel_mds_state pr_info_nol "* Kernel supports using MD_CLEAR mitigation: " - if [ "$opt_live" = 1 ]; then + if [ "$opt_runtime" = 1 ]; then if sysctl hw.mds_disable >/dev/null 2>&1; then pstatus green YES kernel_md_clear=1 @@ -76,7 +76,7 @@ check_mds_bsd() { else if [ "$cap_md_clear" = 1 ]; then if [ "$kernel_md_clear" = 1 ]; then - if [ "$opt_live" = 1 ]; then + if [ "$opt_runtime" = 1 ]; then # mitigation must also be enabled if [ "$kernel_mds_enabled" -ge 1 ]; then if [ "$opt_paranoid" != 1 ] || [ "$kernel_smt_allowed" = 0 ]; then @@ -95,7 +95,7 @@ check_mds_bsd() { pvulnstatus "$cve" VULN "Your microcode supports mitigation, but your kernel doesn't, upgrade it to mitigate the vulnerability" fi else - if [ "$kernel_md_clear" = 1 ] && [ "$opt_live" = 1 ]; then + if [ "$kernel_md_clear" = 1 ] && [ "$opt_runtime" = 1 ]; then # no MD_CLEAR in microcode, but FreeBSD may still have software-only mitigation active case "$kernel_mds_state" in software*) @@ -135,7 +135,7 @@ check_mds_linux() { pr_info_nol "* Kernel supports using MD_CLEAR mitigation: " kernel_md_clear='' kernel_md_clear_can_tell=1 - if [ "$opt_live" = 1 ] && grep ^flags "$g_procfs/cpuinfo" | grep -qw md_clear; then + if [ "$opt_runtime" = 1 ] && grep ^flags "$g_procfs/cpuinfo" | grep -qw md_clear; then kernel_md_clear="md_clear found in $g_procfs/cpuinfo" pstatus green YES "$kernel_md_clear" fi @@ -158,7 +158,7 @@ check_mds_linux() { fi fi - if [ "$opt_live" = 1 ] && [ "$sys_interface_available" = 1 ]; then + if [ "$opt_runtime" = 1 ] && [ "$sys_interface_available" = 1 ]; then pr_info_nol "* Kernel mitigation is enabled and active: " if echo "$ret_sys_interface_check_fullmsg" | grep -qi ^mitigation; then mds_mitigated=1 @@ -190,7 +190,7 @@ check_mds_linux() { # compute mystatus and mymsg from our own logic if [ "$cap_md_clear" = 1 ]; then if [ -n "$kernel_md_clear" ]; then - if [ "$opt_live" = 1 ]; then + if [ "$opt_runtime" = 1 ]; then # mitigation must also be enabled if [ "$mds_mitigated" = 1 ]; then if [ "$opt_paranoid" != 1 ] || [ "$mds_smt_mitigated" = 1 ]; then diff --git a/src/vulns-helpers/check_mmio.sh b/src/vulns-helpers/check_mmio.sh index 7e1428b..683c2d5 100644 --- a/src/vulns-helpers/check_mmio.sh +++ b/src/vulns-helpers/check_mmio.sh @@ -162,7 +162,7 @@ check_mmio_linux() { pstatus yellow NO fi - if [ "$opt_live" = 1 ] && [ "$sys_interface_available" = 1 ]; then + if [ "$opt_runtime" = 1 ] && [ "$sys_interface_available" = 1 ]; then pr_info_nol "* Kernel mitigation is enabled and active: " if echo "$ret_sys_interface_check_fullmsg" | grep -qi ^mitigation; then mmio_mitigated=1 @@ -194,7 +194,7 @@ check_mmio_linux() { # compute mystatus and mymsg from our own logic if [ "$cap_fb_clear" = 1 ]; then if [ -n "$kernel_mmio" ]; then - if [ "$opt_live" = 1 ]; then + if [ "$opt_runtime" = 1 ]; then # mitigation must also be enabled if [ "$mmio_mitigated" = 1 ]; then if [ "$opt_paranoid" != 1 ] || [ "$mmio_smt_mitigated" = 1 ]; then diff --git a/src/vulns/CVE-2017-5715.sh b/src/vulns/CVE-2017-5715.sh index 830857b..8fecf0a 100644 --- a/src/vulns/CVE-2017-5715.sh +++ b/src/vulns/CVE-2017-5715.sh @@ -265,7 +265,7 @@ check_CVE_2017_5715_linux() { g_ibpb_supported='' g_ibpb_enabled='' - if [ "$opt_live" = 1 ]; then + if [ "$opt_runtime" = 1 ]; then # in live mode, we can check for the ibrs_enabled file in debugfs # all versions of the patches have it (NOT the case of IBPB or KPTI) g_ibrs_can_tell=1 @@ -416,7 +416,7 @@ check_CVE_2017_5715_linux() { fi pr_info_nol " * IBRS enabled and active: " - if [ "$opt_live" = 1 ]; then + if [ "$opt_runtime" = 1 ]; then if [ "$g_ibpb_enabled" = 2 ]; then # if ibpb=2, ibrs is forcefully=0 pstatus blue NO "IBPB used instead of IBRS in all kernel entrypoints" @@ -447,7 +447,7 @@ check_CVE_2017_5715_linux() { esac fi else - pstatus blue N/A "not testable in offline mode" + pstatus blue N/A "not testable in no-runtime mode" fi pr_info_nol " * Kernel is compiled with IBPB support: " @@ -455,8 +455,8 @@ check_CVE_2017_5715_linux() { if [ "$g_ibpb_can_tell" = 1 ]; then pstatus yellow NO else - # if we're in offline mode without System.map, we can't really know - pstatus yellow UNKNOWN "in offline mode, we need the kernel image to be able to tell" + # if we're in no-runtime mode without System.map, we can't really know + pstatus yellow UNKNOWN "in no-runtime mode, we need the kernel image to be able to tell" fi else if [ "$opt_verbose" -ge 2 ]; then @@ -467,7 +467,7 @@ check_CVE_2017_5715_linux() { fi pr_info_nol " * IBPB enabled and active: " - if [ "$opt_live" = 1 ]; then + if [ "$opt_runtime" = 1 ]; then case "$g_ibpb_enabled" in "") if [ "$g_ibrs_supported" = 1 ]; then @@ -484,7 +484,7 @@ check_CVE_2017_5715_linux() { *) pstatus yellow UNKNOWN ;; esac else - pstatus blue N/A "not testable in offline mode" + pstatus blue N/A "not testable in no-runtime mode" fi pr_info "* Mitigation 2" @@ -544,7 +544,7 @@ check_CVE_2017_5715_linux() { # # since 5.15.28, this is now "Retpolines" as the implementation was switched to a generic one, # so we look for both "retpoline" and "retpolines" - if [ "$opt_live" = 1 ] && [ -n "$ret_sys_interface_check_fullmsg" ]; then + if [ "$opt_runtime" = 1 ] && [ -n "$ret_sys_interface_check_fullmsg" ]; then if echo "$ret_sys_interface_check_fullmsg" | grep -qwi -e retpoline -e retpolines; then if echo "$ret_sys_interface_check_fullmsg" | grep -qwi minimal; then retpoline_compiler=0 @@ -595,7 +595,7 @@ check_CVE_2017_5715_linux() { # only Red Hat has a tunable to disable it on runtime retp_enabled=-1 - if [ "$opt_live" = 1 ]; then + if [ "$opt_runtime" = 1 ]; then if [ -e "$g_specex_knob_dir/retp_enabled" ]; then retp_enabled=$(cat "$g_specex_knob_dir/retp_enabled" 2>/dev/null) pr_debug "retpoline: found $g_specex_knob_dir/retp_enabled=$retp_enabled" @@ -625,7 +625,7 @@ check_CVE_2017_5715_linux() { if is_vulnerable_to_empty_rsb || [ "$opt_verbose" -ge 2 ]; then pr_info_nol " * Kernel supports RSB filling: " rsb_filling=0 - if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" != 1 ]; then + if [ "$opt_runtime" = 1 ] && [ "$opt_no_sysfs" != 1 ]; then # if we're live and we aren't denied looking into /sys, let's do it if echo "$ret_sys_interface_check_fullmsg" | grep -qw RSB; then rsb_filling=1 @@ -718,7 +718,7 @@ check_CVE_2017_5715_linux() { *", IBPB"* | *"; IBPB"*) v2_ibpb_mode=conditional ;; *) v2_ibpb_mode=disabled ;; esac - elif [ "$opt_live" = 1 ]; then + elif [ "$opt_runtime" = 1 ]; then case "$g_ibpb_enabled" in 2) v2_ibpb_mode=always-on ;; 1) v2_ibpb_mode=conditional ;; @@ -816,7 +816,7 @@ check_CVE_2017_5715_linux() { *"PBRSB-eIBRS: Vulnerable"*) v2_pbrsb_status=vulnerable ;; *) v2_pbrsb_status=unknown ;; esac - elif [ "$opt_live" != 1 ] && [ -n "$g_kernel" ]; then + elif [ "$opt_runtime" != 1 ] && [ -n "$g_kernel" ]; then if grep -q 'PBRSB-eIBRS' "$g_kernel" 2>/dev/null; then v2_pbrsb_status=sw-sequence else @@ -847,7 +847,7 @@ check_CVE_2017_5715_linux() { *"BHI: Vulnerable"*) v2_bhi_status=vulnerable ;; *) v2_bhi_status=unknown ;; esac - elif [ "$opt_live" != 1 ] && [ -n "$opt_config" ] && [ -r "$opt_config" ]; then + elif [ "$opt_runtime" != 1 ] && [ -n "$opt_config" ] && [ -r "$opt_config" ]; then if grep -q '^CONFIG_\(MITIGATION_\)\?SPECTRE_BHI' "$opt_config"; then if [ "$cap_bhi" = 1 ]; then v2_bhi_status=bhi_dis_s @@ -871,7 +871,7 @@ check_CVE_2017_5715_linux() { esac # --- v2_vuln_module --- - if [ "$opt_live" = 1 ] && [ -n "$ret_sys_interface_check_fullmsg" ]; then + if [ "$opt_runtime" = 1 ] && [ -n "$ret_sys_interface_check_fullmsg" ]; then pr_info_nol " * Non-retpoline module loaded: " if echo "$ret_sys_interface_check_fullmsg" | grep -q 'vulnerable module loaded'; then v2_vuln_module=1 @@ -970,7 +970,7 @@ check_CVE_2017_5715_linux() { if [ -n "${SMC_MOCK_UNPRIVILEGED_BPF_DISABLED:-}" ]; then _ebpf_disabled="$SMC_MOCK_UNPRIVILEGED_BPF_DISABLED" g_mocked=1 - elif [ "$opt_live" = 1 ] && [ -r "$g_procfs/sys/kernel/unprivileged_bpf_disabled" ]; then + elif [ "$opt_runtime" = 1 ] && [ -r "$g_procfs/sys/kernel/unprivileged_bpf_disabled" ]; then _ebpf_disabled=$(cat "$g_procfs/sys/kernel/unprivileged_bpf_disabled" 2>/dev/null) g_mockme=$(printf "%b\n%b" "$g_mockme" "SMC_MOCK_UNPRIVILEGED_BPF_DISABLED='$_ebpf_disabled'") fi @@ -1158,18 +1158,18 @@ check_CVE_2017_5715_linux() { pvulnstatus "$cve" OK "Full IBPB is mitigating the vulnerability" # Offline mode fallback - elif [ "$opt_live" != 1 ]; then + elif [ "$opt_runtime" != 1 ]; then if [ "$retpoline" = 1 ] && [ -n "$g_ibpb_supported" ]; then - pvulnstatus "$cve" OK "offline mode: kernel supports retpoline + IBPB to mitigate the vulnerability" + pvulnstatus "$cve" OK "no-runtime mode: kernel supports retpoline + IBPB to mitigate the vulnerability" elif [ -n "$g_ibrs_supported" ] && [ -n "$g_ibpb_supported" ]; then - pvulnstatus "$cve" OK "offline mode: kernel supports IBRS + IBPB to mitigate the vulnerability" + pvulnstatus "$cve" OK "no-runtime mode: kernel supports IBRS + IBPB to mitigate the vulnerability" elif [ "$cap_ibrs_all" = 1 ] || [ "$cap_autoibrs" = 1 ]; then - pvulnstatus "$cve" OK "offline mode: CPU supports Enhanced / Automatic IBRS" + pvulnstatus "$cve" OK "no-runtime mode: CPU supports Enhanced / Automatic IBRS" # CONFIG_MITIGATION_SPECTRE_V2 (v6.12+): top-level on/off for all Spectre V2 mitigations elif [ -n "$opt_config" ] && [ -r "$opt_config" ] && grep -q '^CONFIG_MITIGATION_SPECTRE_V2=y' "$opt_config"; then - pvulnstatus "$cve" OK "offline mode: kernel has Spectre V2 mitigation framework enabled (CONFIG_MITIGATION_SPECTRE_V2)" + pvulnstatus "$cve" OK "no-runtime mode: kernel has Spectre V2 mitigation framework enabled (CONFIG_MITIGATION_SPECTRE_V2)" elif [ "$g_ibrs_can_tell" != 1 ]; then - pvulnstatus "$cve" UNK "offline mode: not enough information" + pvulnstatus "$cve" UNK "no-runtime mode: not enough information" explain "Re-run this script with root privileges, and give it the kernel image (--kernel), the kernel configuration (--config) and the System.map file (--map) corresponding to the kernel you would like to inspect." fi fi diff --git a/src/vulns/CVE-2017-5753.sh b/src/vulns/CVE-2017-5753.sh index 693fac1..f4ed40a 100644 --- a/src/vulns/CVE-2017-5753.sh +++ b/src/vulns/CVE-2017-5753.sh @@ -57,7 +57,7 @@ check_CVE_2017_5753_linux() { status=$ret_sys_interface_check_status fi if [ "$opt_sysfs_only" != 1 ]; then - # no /sys interface (or offline mode), fallback to our own ways + # no /sys interface (or no-runtime mode), fallback to our own ways # Primary detection: grep for sysfs mitigation strings in the kernel binary. # The string "__user pointer sanitization" is present in all kernel versions diff --git a/src/vulns/CVE-2017-5754.sh b/src/vulns/CVE-2017-5754.sh index 2265b55..2eb4f88 100644 --- a/src/vulns/CVE-2017-5754.sh +++ b/src/vulns/CVE-2017-5754.sh @@ -104,7 +104,7 @@ check_CVE_2017_5754_linux() { mount_debugfs pr_info_nol " * PTI enabled and active: " - if [ "$opt_live" = 1 ]; then + if [ "$opt_runtime" = 1 ]; then dmesg_grep="Kernel/User page tables isolation: enabled" dmesg_grep="$dmesg_grep|Kernel page table isolation enabled" dmesg_grep="$dmesg_grep|x86/pti: Unmapping kernel while in userspace" @@ -150,7 +150,7 @@ check_CVE_2017_5754_linux() { pstatus yellow NO fi else - pstatus blue N/A "not testable in offline mode" + pstatus blue N/A "not testable in no-runtime mode" fi pti_performance_check @@ -167,7 +167,7 @@ check_CVE_2017_5754_linux() { is_xen_dom0 && xen_pv_domo=1 is_xen_domU && xen_pv_domu=1 - if [ "$opt_live" = 1 ]; then + if [ "$opt_runtime" = 1 ]; then # checking whether we're running under Xen PV 64 bits. If yes, we are affected by affected_variant3 # (unless we are a Dom0) pr_info_nol "* Running as a Xen PV DomU: " @@ -183,7 +183,7 @@ check_CVE_2017_5754_linux() { pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected" elif [ -z "$msg" ]; then # if msg is empty, sysfs check didn't fill it, rely on our own test - if [ "$opt_live" = 1 ]; then + if [ "$opt_runtime" = 1 ]; then if [ "$kpti_enabled" = 1 ]; then pvulnstatus "$cve" OK "PTI mitigates the vulnerability" elif [ "$xen_pv_domo" = 1 ]; then @@ -209,12 +209,12 @@ check_CVE_2017_5754_linux() { fi else if [ -n "$kpti_support" ]; then - pvulnstatus "$cve" OK "offline mode: PTI will mitigate the vulnerability if enabled at runtime" + pvulnstatus "$cve" OK "no-runtime mode: PTI will mitigate the vulnerability if enabled at runtime" elif [ "$kpti_can_tell" = 1 ]; then pvulnstatus "$cve" VULN "PTI is needed to mitigate the vulnerability" explain "If you're using a distro kernel, upgrade your distro to get the latest kernel available. Otherwise, recompile the kernel with the CONFIG_(MITIGATION_)PAGE_TABLE_ISOLATION option (named CONFIG_KAISER for some kernels), or the CONFIG_UNMAP_KERNEL_AT_EL0 option (for ARM64)" else - pvulnstatus "$cve" UNK "offline mode: not enough information" + pvulnstatus "$cve" UNK "no-runtime mode: not enough information" explain "Re-run this script with root privileges, and give it the kernel image (--kernel), the kernel configuration (--config) and the System.map file (--map) corresponding to the kernel you would like to inspect." fi fi diff --git a/src/vulns/CVE-2018-12207.sh b/src/vulns/CVE-2018-12207.sh index 0065b3a..4300965 100644 --- a/src/vulns/CVE-2018-12207.sh +++ b/src/vulns/CVE-2018-12207.sh @@ -36,7 +36,7 @@ check_CVE_2018_12207_linux() { fi pr_info_nol "* iTLB Multihit mitigation enabled and active: " - if [ "$opt_live" = 1 ]; then + if [ "$opt_runtime" = 1 ]; then if [ -n "$ret_sys_interface_check_fullmsg" ]; then if echo "$ret_sys_interface_check_fullmsg" | grep -qF 'Mitigation'; then pstatus green YES "$ret_sys_interface_check_fullmsg" @@ -47,7 +47,7 @@ check_CVE_2018_12207_linux() { pstatus yellow NO "itlb_multihit not found in sysfs hierarchy" fi else - pstatus blue N/A "not testable in offline mode" + pstatus blue N/A "not testable in no-runtime mode" fi elif [ "$sys_interface_available" = 0 ]; then # we have no sysfs but were asked to use it only! @@ -63,7 +63,7 @@ check_CVE_2018_12207_linux() { elif [ -z "$msg" ]; then # if msg is empty, sysfs check didn't fill it, rely on our own test if [ "$opt_sysfs_only" != 1 ]; then - if [ "$opt_live" = 1 ]; then + if [ "$opt_runtime" = 1 ]; then # if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old pvulnstatus "$cve" VULN "Your kernel doesn't support iTLB Multihit mitigation, update it" else diff --git a/src/vulns/CVE-2018-3620.sh b/src/vulns/CVE-2018-3620.sh index 835f212..26737e1 100644 --- a/src/vulns/CVE-2018-3620.sh +++ b/src/vulns/CVE-2018-3620.sh @@ -37,7 +37,7 @@ check_CVE_2018_3620_linux() { fi pr_info_nol "* PTE inversion enabled and active: " - if [ "$opt_live" = 1 ]; then + if [ "$opt_runtime" = 1 ]; then if [ -n "$ret_sys_interface_check_fullmsg" ]; then if echo "$ret_sys_interface_check_fullmsg" | grep -q 'Mitigation: PTE Inversion'; then pstatus green YES @@ -51,7 +51,7 @@ check_CVE_2018_3620_linux() { pteinv_active=-1 fi else - pstatus blue N/A "not testable in offline mode" + pstatus blue N/A "not testable in no-runtime mode" fi elif [ "$sys_interface_available" = 0 ]; then # we have no sysfs but were asked to use it only! @@ -66,7 +66,7 @@ check_CVE_2018_3620_linux() { # if msg is empty, sysfs check didn't fill it, rely on our own test if [ "$opt_sysfs_only" != 1 ]; then if [ "$pteinv_supported" = 1 ]; then - if [ "$pteinv_active" = 1 ] || [ "$opt_live" != 1 ]; then + if [ "$pteinv_active" = 1 ] || [ "$opt_runtime" != 1 ]; then pvulnstatus "$cve" OK "PTE inversion mitigates the vulnerability" else pvulnstatus "$cve" VULN "Your kernel supports PTE inversion but it doesn't seem to be enabled" diff --git a/src/vulns/CVE-2018-3639.sh b/src/vulns/CVE-2018-3639.sh index 7d46421..6211653 100644 --- a/src/vulns/CVE-2018-3639.sh +++ b/src/vulns/CVE-2018-3639.sh @@ -18,7 +18,7 @@ check_CVE_2018_3639_linux() { fi if [ "$opt_sysfs_only" != 1 ]; then pr_info_nol "* Kernel supports disabling speculative store bypass (SSB): " - if [ "$opt_live" = 1 ]; then + if [ "$opt_runtime" = 1 ]; then if grep -Eq 'Speculation.?Store.?Bypass:' "$g_procfs/self/status" 2>/dev/null; then kernel_ssb="found in $g_procfs/self/status" pr_debug "found Speculation.Store.Bypass: in $g_procfs/self/status" @@ -57,7 +57,7 @@ check_CVE_2018_3639_linux() { fi kernel_ssbd_enabled=-1 - if [ "$opt_live" = 1 ]; then + if [ "$opt_runtime" = 1 ]; then # https://elixir.bootlin.com/linux/v5.0/source/fs/proc/array.c#L340 pr_info_nol "* SSB mitigation is enabled and active: " if grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$g_procfs/self/status" 2>/dev/null; then @@ -106,7 +106,7 @@ check_CVE_2018_3639_linux() { # if msg is empty, sysfs check didn't fill it, rely on our own test if [ -n "$cap_ssbd" ]; then if [ -n "$kernel_ssb" ]; then - if [ "$opt_live" = 1 ]; then + if [ "$opt_runtime" = 1 ]; then if [ "$kernel_ssbd_enabled" -gt 0 ]; then pvulnstatus "$cve" OK "your CPU and kernel both support SSBD and mitigation is enabled" else diff --git a/src/vulns/CVE-2018-3640.sh b/src/vulns/CVE-2018-3640.sh index 72064e7..3d3ec7d 100644 --- a/src/vulns/CVE-2018-3640.sh +++ b/src/vulns/CVE-2018-3640.sh @@ -11,7 +11,7 @@ check_CVE_2018_3640() { sys_interface_available=0 msg='' - # Detect whether the target kernel is ARM64, for both live and offline modes. + # Detect whether the target kernel is ARM64, for both live and no-runtime modes. # In offline cross-inspection (x86 host, ARM kernel), cpu_vendor reflects the host, # so also check for arm64_sys_ symbols (same pattern used in CVE-2018-3639). is_arm64_kernel=0 diff --git a/src/vulns/CVE-2018-3646.sh b/src/vulns/CVE-2018-3646.sh index 0fb3ab3..dd70ca9 100644 --- a/src/vulns/CVE-2018-3646.sh +++ b/src/vulns/CVE-2018-3646.sh @@ -69,7 +69,7 @@ check_CVE_2018_3646_linux() { pr_info "* Mitigation 1 (KVM)" pr_info_nol " * EPT is disabled: " ept_disabled=-1 - if [ "$opt_live" = 1 ]; then + if [ "$opt_runtime" = 1 ]; then if ! [ -r "$SYS_MODULE_BASE/kvm_intel/parameters/ept" ]; then pstatus blue N/A "the kvm_intel module is not loaded" elif [ "$(cat "$SYS_MODULE_BASE/kvm_intel/parameters/ept")" = N ]; then @@ -79,12 +79,12 @@ check_CVE_2018_3646_linux() { pstatus yellow NO fi else - pstatus blue N/A "not testable in offline mode" + pstatus blue N/A "not testable in no-runtime mode" fi pr_info "* Mitigation 2" pr_info_nol " * L1D flush is supported by kernel: " - if [ "$opt_live" = 1 ] && grep -qw flush_l1d "$g_procfs/cpuinfo"; then + if [ "$opt_runtime" = 1 ] && grep -qw flush_l1d "$g_procfs/cpuinfo"; then l1d_kernel="found flush_l1d in $g_procfs/cpuinfo" fi if [ -z "$l1d_kernel" ]; then @@ -106,7 +106,7 @@ check_CVE_2018_3646_linux() { fi pr_info_nol " * L1D flush enabled: " - if [ "$opt_live" = 1 ]; then + if [ "$opt_runtime" = 1 ]; then if [ -n "$ret_sys_interface_check_fullmsg" ]; then # vanilla: VMX: $l1dstatus, SMT $smtstatus # Red Hat: VMX: SMT $smtstatus, L1D $l1dstatus @@ -152,18 +152,18 @@ check_CVE_2018_3646_linux() { fi else l1d_mode=-1 - pstatus blue N/A "not testable in offline mode" + pstatus blue N/A "not testable in no-runtime mode" fi pr_info_nol " * Hardware-backed L1D flush supported: " - if [ "$opt_live" = 1 ]; then + if [ "$opt_runtime" = 1 ]; then if grep -qw flush_l1d "$g_procfs/cpuinfo" || [ -n "$l1d_xen_hardware" ]; then pstatus green YES "performance impact of the mitigation will be greatly reduced" else pstatus blue NO "flush will be done in software, this is slower" fi else - pstatus blue N/A "not testable in offline mode" + pstatus blue N/A "not testable in no-runtime mode" fi pr_info_nol " * Hyper-Threading (SMT) is enabled: " diff --git a/src/vulns/CVE-2019-11135.sh b/src/vulns/CVE-2019-11135.sh index 555d00e..2d72ce1 100644 --- a/src/vulns/CVE-2019-11135.sh +++ b/src/vulns/CVE-2019-11135.sh @@ -33,7 +33,7 @@ check_CVE_2019_11135_linux() { fi pr_info_nol "* TAA mitigation enabled and active: " - if [ "$opt_live" = 1 ]; then + if [ "$opt_runtime" = 1 ]; then if [ -n "$ret_sys_interface_check_fullmsg" ]; then if echo "$ret_sys_interface_check_fullmsg" | grep -qE '^Mitigation'; then pstatus green YES "$ret_sys_interface_check_fullmsg" @@ -44,7 +44,7 @@ check_CVE_2019_11135_linux() { pstatus yellow NO "tsx_async_abort not found in sysfs hierarchy" fi else - pstatus blue N/A "not testable in offline mode" + pstatus blue N/A "not testable in no-runtime mode" fi elif [ "$sys_interface_available" = 0 ]; then # we have no sysfs but were asked to use it only! @@ -57,7 +57,7 @@ check_CVE_2019_11135_linux() { pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected" elif [ -z "$msg" ]; then # if msg is empty, sysfs check didn't fill it, rely on our own test - if [ "$opt_live" = 1 ]; then + if [ "$opt_runtime" = 1 ]; then # if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old pvulnstatus "$cve" VULN "Your kernel doesn't support TAA mitigation, update it" else diff --git a/src/vulns/CVE-2020-0543.sh b/src/vulns/CVE-2020-0543.sh index c2ef667..894361b 100644 --- a/src/vulns/CVE-2020-0543.sh +++ b/src/vulns/CVE-2020-0543.sh @@ -32,7 +32,7 @@ check_CVE_2020_0543_linux() { pstatus yellow NO fi pr_info_nol "* SRBDS mitigation control is enabled and active: " - if [ "$opt_live" = 1 ]; then + if [ "$opt_runtime" = 1 ]; then if [ -n "$ret_sys_interface_check_fullmsg" ]; then if echo "$ret_sys_interface_check_fullmsg" | grep -qE '^Mitigation'; then pstatus green YES "$ret_sys_interface_check_fullmsg" @@ -43,7 +43,7 @@ check_CVE_2020_0543_linux() { pstatus yellow NO "SRBDS not found in sysfs hierarchy" fi else - pstatus blue N/A "not testable in offline mode" + pstatus blue N/A "not testable in no-runtime mode" fi elif [ "$sys_interface_available" = 0 ]; then # we have no sysfs but were asked to use it only! @@ -61,7 +61,7 @@ check_CVE_2020_0543_linux() { # SRBDS mitigation control is enabled if [ -z "$msg" ]; then # if msg is empty, sysfs check didn't fill it, rely on our own test - if [ "$opt_live" = 1 ]; then + if [ "$opt_runtime" = 1 ]; then # if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old pvulnstatus "$cve" OK "Your microcode is up to date for SRBDS mitigation control. The kernel needs to be updated" fi @@ -75,7 +75,7 @@ check_CVE_2020_0543_linux() { elif [ "$cap_srbds_on" = 0 ]; then # SRBDS mitigation control is disabled if [ -z "$msg" ]; then - if [ "$opt_live" = 1 ]; then + if [ "$opt_runtime" = 1 ]; then # if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old pvulnstatus "$cve" VULN "Your microcode is up to date for SRBDS mitigation control. The kernel needs to be updated. Mitigation is disabled" fi diff --git a/src/vulns/CVE-2022-29900.sh b/src/vulns/CVE-2022-29900.sh index 9a9f40a..5728142 100644 --- a/src/vulns/CVE-2022-29900.sh +++ b/src/vulns/CVE-2022-29900.sh @@ -174,14 +174,14 @@ check_CVE_2022_29900_linux() { # Zen/Zen+/Zen2: check IBPB microcode support and SMT if [ "$cpu_family" = $((0x17)) ]; then pr_info_nol "* CPU supports IBPB: " - if [ "$opt_live" = 1 ]; then + if [ "$opt_runtime" = 1 ]; then if [ -n "$cap_ibpb" ]; then pstatus green YES "$cap_ibpb" else pstatus yellow NO fi else - pstatus blue N/A "not testable in offline mode" + pstatus blue N/A "not testable in no-runtime mode" fi pr_info_nol "* Hyper-Threading (SMT) is enabled: " @@ -217,7 +217,7 @@ check_CVE_2022_29900_linux() { "doesn't fully protect cross-thread speculation." elif [ -z "$kernel_unret" ] && [ -z "$kernel_ibpb_entry" ]; then pvulnstatus "$cve" VULN "Your kernel doesn't have either UNRET_ENTRY or IBPB_ENTRY compiled-in" - elif [ "$smt_enabled" = 0 ] && [ -z "$cap_ibpb" ] && [ "$opt_live" = 1 ]; then + elif [ "$smt_enabled" = 0 ] && [ -z "$cap_ibpb" ] && [ "$opt_runtime" = 1 ]; then pvulnstatus "$cve" VULN "SMT is enabled and your microcode doesn't support IBPB" explain "Update your CPU microcode to get IBPB support, or disable SMT by adding\n" \ "\`nosmt\` to your kernel command line." diff --git a/src/vulns/CVE-2022-29901.sh b/src/vulns/CVE-2022-29901.sh index 1a76f05..b712556 100644 --- a/src/vulns/CVE-2022-29901.sh +++ b/src/vulns/CVE-2022-29901.sh @@ -84,7 +84,7 @@ check_CVE_2022_29901_linux() { fi pr_info_nol "* CPU supports Enhanced IBRS (IBRS_ALL): " - if [ "$opt_live" = 1 ] || [ "$cap_ibrs_all" != -1 ]; then + if [ "$opt_runtime" = 1 ] || [ "$cap_ibrs_all" != -1 ]; then if [ "$cap_ibrs_all" = 1 ]; then pstatus green YES elif [ "$cap_ibrs_all" = 0 ]; then @@ -93,11 +93,11 @@ check_CVE_2022_29901_linux() { pstatus yellow UNKNOWN fi else - pstatus blue N/A "not testable in offline mode" + pstatus blue N/A "not testable in no-runtime mode" fi pr_info_nol "* CPU has RSB Alternate Behavior (RSBA): " - if [ "$opt_live" = 1 ] || [ "$cap_rsba" != -1 ]; then + if [ "$opt_runtime" = 1 ] || [ "$cap_rsba" != -1 ]; then if [ "$cap_rsba" = 1 ]; then pstatus yellow YES "this CPU is affected by RSB underflow" elif [ "$cap_rsba" = 0 ]; then @@ -106,7 +106,7 @@ check_CVE_2022_29901_linux() { pstatus yellow UNKNOWN fi else - pstatus blue N/A "not testable in offline mode" + pstatus blue N/A "not testable in no-runtime mode" fi elif [ "$sys_interface_available" = 0 ]; then diff --git a/src/vulns/CVE-2022-40982.sh b/src/vulns/CVE-2022-40982.sh index 8de3d1a..954ca44 100644 --- a/src/vulns/CVE-2022-40982.sh +++ b/src/vulns/CVE-2022-40982.sh @@ -145,7 +145,7 @@ check_CVE_2022_40982_linux() { if [ -n "$kernel_gds" ]; then pr_info_nol "* Kernel has disabled AVX as a mitigation: " - if [ "$opt_live" = 1 ]; then + if [ "$opt_runtime" = 1 ]; then # Check dmesg message to see whether AVX has been disabled dmesg_grep 'Microcode update needed! Disabling AVX as mitigation' dmesgret=$? @@ -172,7 +172,7 @@ check_CVE_2022_40982_linux() { pstatus yellow NO "AVX support is enabled" fi else - pstatus blue N/A "not testable in offline mode" + pstatus blue N/A "not testable in no-runtime mode" fi fi diff --git a/src/vulns/CVE-2023-20588.sh b/src/vulns/CVE-2023-20588.sh index 955a7f5..5c0b5f4 100644 --- a/src/vulns/CVE-2023-20588.sh +++ b/src/vulns/CVE-2023-20588.sh @@ -101,7 +101,7 @@ check_CVE_2023_20588_linux() { pr_info_nol "* DIV0 mitigation enabled and active: " cpuinfo_div0='' dmesg_div0='' - if [ "$opt_live" = 1 ]; then + if [ "$opt_runtime" = 1 ]; then if [ -e "$g_procfs/cpuinfo" ] && grep -qw 'div0' "$g_procfs/cpuinfo" 2>/dev/null; then cpuinfo_div0=1 pstatus green YES "div0 found in $g_procfs/cpuinfo bug flags" @@ -119,7 +119,7 @@ check_CVE_2023_20588_linux() { fi fi else - pstatus blue N/A "not testable in offline mode" + pstatus blue N/A "not testable in no-runtime mode" fi pr_info_nol "* SMT (Simultaneous Multi-Threading) status: " @@ -133,7 +133,7 @@ check_CVE_2023_20588_linux() { pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected" elif [ -z "$msg" ]; then if [ "$opt_sysfs_only" != 1 ]; then - if [ "$opt_live" = 1 ]; then + if [ "$opt_runtime" = 1 ]; then # live mode: cpuinfo div0 flag is the strongest proof the mitigation is active if [ "$cpuinfo_div0" = 1 ] || [ "$dmesg_div0" = 1 ]; then _cve_2023_20588_pvulnstatus_smt @@ -145,7 +145,7 @@ check_CVE_2023_20588_linux() { _cve_2023_20588_pvulnstatus_no_kernel fi else - # offline mode: only kernel image / System.map evidence is available + # no-runtime mode: only kernel image / System.map evidence is available if [ -n "$kernel_mitigated" ]; then pvulnstatus "$cve" OK "Mitigation: amd_clear_divider found in kernel image" else diff --git a/src/vulns/CVE-2023-20593.sh b/src/vulns/CVE-2023-20593.sh index 2669ecd..26b46cf 100644 --- a/src/vulns/CVE-2023-20593.sh +++ b/src/vulns/CVE-2023-20593.sh @@ -28,7 +28,7 @@ check_CVE_2023_20593_linux() { pstatus yellow NO fi pr_info_nol "* Zenbleed kernel mitigation enabled and active: " - if [ "$opt_live" = 1 ]; then + if [ "$opt_runtime" = 1 ]; then # read the DE_CFG MSR, we want to check the 9th bit # don't do it on non-Zen2 AMD CPUs or later, aka Family 17h, # as the behavior could be unknown on others @@ -53,7 +53,7 @@ check_CVE_2023_20593_linux() { pstatus blue N/A "CPU is incompatible" fi else - pstatus blue N/A "not testable in offline mode" + pstatus blue N/A "not testable in no-runtime mode" fi pr_info_nol "* Zenbleed mitigation is supported by CPU microcode: " @@ -82,7 +82,7 @@ check_CVE_2023_20593_linux() { elif [ -z "$msg" ]; then # if msg is empty, sysfs check didn't fill it, rely on our own test zenbleed_print_vuln=0 - if [ "$opt_live" = 1 ]; then + if [ "$opt_runtime" = 1 ]; then if [ "$fp_backup_fix" = 1 ] && [ "$ucode_zenbleed" = 1 ]; then # this should never happen, but if it does, it's interesting to know pvulnstatus "$cve" OK "Both your CPU microcode and kernel are mitigating Zenbleed" diff --git a/src/vulns/CVE-2023-28746.sh b/src/vulns/CVE-2023-28746.sh index a40d518..70a54e8 100644 --- a/src/vulns/CVE-2023-28746.sh +++ b/src/vulns/CVE-2023-28746.sh @@ -106,7 +106,7 @@ check_CVE_2023_28746_linux() { pstatus yellow NO fi - if [ "$opt_live" = 1 ] && [ "$sys_interface_available" = 1 ]; then + if [ "$opt_runtime" = 1 ] && [ "$sys_interface_available" = 1 ]; then pr_info_nol "* RFDS mitigation is enabled and active: " if echo "$ret_sys_interface_check_fullmsg" | grep -qi '^Mitigation'; then rfds_mitigated=1 @@ -129,7 +129,7 @@ check_CVE_2023_28746_linux() { if [ "$opt_sysfs_only" != 1 ]; then if [ "$cap_rfds_clear" = 1 ]; then if [ -n "$kernel_rfds" ]; then - if [ "$opt_live" = 1 ]; then + if [ "$opt_runtime" = 1 ]; then if [ "$rfds_mitigated" = 1 ]; then pvulnstatus "$cve" OK "Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled" else