enh: --no-runtime and --no-hw modes replacing --live and implicit 'offline' mode

src/libs/002_core_globals.sh

@@ -4,26 +4,29 @@ show_usage() {
     # shellcheck disable=SC2086
     cat <<EOF
 	Usage:
-		Live mode (auto):   $(basename $0) [options]
-		Live mode (manual): $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
-		Offline mode:       $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>
+		Live mode:    $(basename $0) [options] [--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]
+		No-runtime:   $(basename $0) [options] --no-runtime <--kernel <kimage>> [--config <kconfig>] [--map <mapfile>]
+		No-hw:        $(basename $0) [options] --no-hw <--kernel <kimage>> [--config <kconfig>] [--map <mapfile>]
 
 	Modes:
-		Two modes are available.
+		Three modes are available.
 
-		First mode is the "live" mode (default), it does its best to find information about the currently running kernel.
-		To run under this mode, just start the script without any option (you can also use --live explicitly)
-
-		Second mode is the "offline" mode, where you can inspect a non-running kernel.
-		This mode is automatically enabled when you specify the location of the kernel file, config and System.map files:
+		First mode is the "live" mode (default), it does its best to find information about the currently
+		running kernel. To run under this mode, just start the script without any option.
+		You can optionally specify --kernel, --config, or --map to help the script locate files it
+		couldn't auto-detect, without changing the mode.
 
 		--kernel kernel_file	specify a (possibly compressed) Linux or BSD kernel file
 		--config kernel_config	specify a kernel config file (Linux only)
 		--map kernel_map_file	specify a kernel System.map file (Linux only)
 
-		If you want to use live mode while specifying the location of the kernel, config or map file yourself,
-		you can add --live to the above options, to tell the script to run in live mode instead of the offline mode,
-		which is enabled by default when at least one file is specified on the command line.
+		Second mode is "no-runtime" (--no-runtime), where the script inspects the local CPU hardware
+		but skips all running-kernel artifacts (/sys, /proc, dmesg). Use this when you have a kernel
+		image from another system but want to check it against this CPU.
+
+		Third mode is "no-hw" (--no-hw), where the script skips both CPU hardware inspection and
+		running-kernel artifacts. Use this for pure static analysis of a kernel image, for example
+		when inspecting an embedded kernel from a different architecture.
 
 	Options:
 		--no-color		don't use color codes
@@ -55,7 +58,8 @@ show_usage() {
 		--cve CVE		specify which CVE you'd like to check, by default all supported CVEs are checked
 					can be used multiple times (e.g. --cve CVE-2017-5753 --cve CVE-2020-0543)
 		--hw-only		only check for CPU information, don't check for any variant
-		--no-hw			skip CPU information and checks, if you're inspecting a kernel not to be run on this host
+		--no-runtime		skip running-kernel checks (/sys, /proc, dmesg), still inspect local CPU hardware
+		--no-hw			skip CPU information and running-kernel checks (implies --no-runtime)
 		--vmm [auto,yes,no]	override the detection of the presence of a hypervisor, default: auto
 		--no-intel-db		don't use the builtin Intel DB of affected processors
 		--allow-msr-write	allow probing for write-only MSRs, this might produce kernel logs or be blocked by your system
@@ -114,7 +118,7 @@ g_os=$(uname -s)
 opt_kernel=''
 opt_config=''
 opt_map=''
-opt_live=-1
+opt_runtime=1
 opt_no_color=0
 opt_batch=0
 opt_batch_format='text'

src/libs/230_util_optparse.sh

@@ -47,7 +47,7 @@ while [ -n "${1:-}" ]; do
         opt_arch_prefix="$2"
         shift 2
     elif [ "$1" = "--live" ]; then
-        opt_live=1
+        # deprecated, kept for backward compatibility (live is now the default)
         shift
     elif [ "$1" = "--no-color" ]; then
         opt_no_color=1
@@ -74,8 +74,12 @@ while [ -n "${1:-}" ]; do
     elif [ "$1" = "--hw-only" ]; then
         opt_hw_only=1
         shift
+    elif [ "$1" = "--no-runtime" ]; then
+        opt_runtime=0
+        shift
     elif [ "$1" = "--no-hw" ]; then
         opt_no_hw=1
+        opt_runtime=0
         shift
     elif [ "$1" = "--allow-msr-write" ]; then
         opt_allow_msr_write=1
@@ -334,11 +338,13 @@ if [ "$opt_no_hw" = 1 ] && [ "$opt_hw_only" = 1 ]; then
     exit 255
 fi
 
-if [ "$opt_live" = -1 ]; then
-    if [ -n "$opt_kernel" ] || [ -n "$opt_config" ] || [ -n "$opt_map" ]; then
-        # no --live specified and we have a least one of the kernel/config/map files on the cmdline: offline mode
-        opt_live=0
-    else
-        opt_live=1
-    fi
+if [ "$opt_runtime" = 0 ] && [ "$opt_sysfs_only" = 1 ]; then
+    pr_warn "Incompatible options specified (--no-runtime and --sysfs-only), aborting"
+    exit 255
 fi
+
+if [ "$opt_runtime" = 0 ] && [ -z "$opt_kernel" ] && [ -z "$opt_config" ] && [ -z "$opt_map" ]; then
+    pr_warn "Option --no-runtime requires at least one of --kernel, --config, or --map"
+    exit 255
+fi
+

src/libs/250_output_emitters.sh

@@ -68,10 +68,12 @@ _json_bool() {
 _build_json_meta() {
     local timestamp mode
     timestamp=$(date -u '+%Y-%m-%dT%H:%M:%SZ' 2>/dev/null || echo "unknown")
-    if [ "$opt_live" = 1 ]; then
-        mode="live"
+    if [ "$opt_no_hw" = 1 ]; then
+        mode="no-hw"
+    elif [ "$opt_runtime" = 0 ]; then
+        mode="no-runtime"
     else
-        mode="offline"
+        mode="live"
     fi
     local run_as_root
     if [ "$(id -u)" -eq 0 ]; then
@@ -97,7 +99,7 @@ _build_json_meta() {
 # shellcheck disable=SC2034
 _build_json_system() {
     local kernel_release kernel_version kernel_arch smt_val
-    if [ "$opt_live" = 1 ]; then
+    if [ "$opt_runtime" = 1 ]; then
         kernel_release=$(uname -r)
         kernel_version=$(uname -v)
         kernel_arch=$(uname -m)
@@ -383,7 +385,7 @@ _emit_prometheus() {
 # shellcheck disable=SC2034
 _build_prometheus_system_info() {
     local kernel_release kernel_arch hypervisor_host sys_labels
-    if [ "$opt_live" = 1 ]; then
+    if [ "$opt_runtime" = 1 ]; then
         kernel_release=$(uname -r 2>/dev/null || true)
         kernel_arch=$(uname -m 2>/dev/null || true)
     else

src/libs/400_hw_check.sh

@@ -89,7 +89,7 @@ if [ "$opt_cpu" != all ] && [ "$opt_cpu" -gt "$g_max_core_id" ]; then
     exit 255
 fi
 
-if [ "$opt_live" = 1 ]; then
+if [ "$opt_runtime" = 1 ]; then
     pr_info "Checking for vulnerabilities on current system"
 
     # try to find the image of the current running kernel
@@ -251,7 +251,7 @@ else
     fi
     if [ -n "$g_kernel_version" ]; then
         # in live mode, check if the img we found is the correct one
-        if [ "$opt_live" = 1 ]; then
+        if [ "$opt_runtime" = 1 ]; then
             pr_verbose "Kernel image is \033[35m$g_kernel_version"
             if ! echo "$g_kernel_version" | grep -qF "$(uname -r)"; then
                 pr_warn "Possible discrepancy between your running kernel '$(uname -r)' and the image '$g_kernel_version' we found ($opt_kernel), results might be incorrect"
@@ -283,7 +283,7 @@ sys_interface_check() {
     msg=''
     ret_sys_interface_check_fullmsg=''
 
-    if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" = 0 ] && [ -r "$file" ]; then
+    if [ "$opt_runtime" = 1 ] && [ "$opt_no_sysfs" = 0 ] && [ -r "$file" ]; then
         :
     else
         g_mockme=$(printf "%b\n%b" "$g_mockme" "SMC_MOCK_SYSFS_$(basename "$file")_RET=1")
@@ -352,7 +352,7 @@ sys_interface_check() {
 check_kernel_info() {
     local config_display
     pr_info "\033[1;34mKernel information\033[0m"
-    if [ "$opt_live" = 1 ]; then
+    if [ "$opt_runtime" = 1 ]; then
         pr_info "* Kernel is \033[35m$g_os $(uname -r) $(uname -v) $(uname -m)\033[0m"
     elif [ -n "$g_kernel_version" ]; then
         pr_info "* Kernel is \033[35m$g_kernel_version\033[0m"
@@ -456,7 +456,7 @@ check_cpu() {
         ret=invalid
         pstatus yellow NO "unknown CPU"
     fi
-    if [ -z "$cap_ibrs" ] && [ $ret = $READ_CPUID_RET_ERR ] && [ "$opt_live" = 1 ]; then
+    if [ -z "$cap_ibrs" ] && [ $ret = $READ_CPUID_RET_ERR ] && [ "$opt_runtime" = 1 ]; then
         # CPUID device unavailable (e.g. in a VM): fall back to /proc/cpuinfo
         if grep ^flags "$g_procfs/cpuinfo" | grep -qw ibrs; then
             cap_ibrs='IBRS (cpuinfo)'
@@ -533,7 +533,7 @@ check_cpu() {
         if [ $ret = $READ_CPUID_RET_OK ]; then
             cap_ibpb='IBPB_SUPPORT'
             pstatus green YES "IBPB_SUPPORT feature bit"
-        elif [ $ret = $READ_CPUID_RET_ERR ] && [ "$opt_live" = 1 ] && grep ^flags "$g_procfs/cpuinfo" | grep -qw ibpb; then
+        elif [ $ret = $READ_CPUID_RET_ERR ] && [ "$opt_runtime" = 1 ] && grep ^flags "$g_procfs/cpuinfo" | grep -qw ibpb; then
             # CPUID device unavailable (e.g. in a VM): fall back to /proc/cpuinfo
             cap_ibpb='IBPB (cpuinfo)'
             pstatus green YES "ibpb flag in $g_procfs/cpuinfo"
@@ -604,7 +604,7 @@ check_cpu() {
         ret=invalid
         pstatus yellow UNKNOWN "unknown CPU"
     fi
-    if [ -z "$cap_stibp" ] && [ $ret = $READ_CPUID_RET_ERR ] && [ "$opt_live" = 1 ]; then
+    if [ -z "$cap_stibp" ] && [ $ret = $READ_CPUID_RET_ERR ] && [ "$opt_runtime" = 1 ]; then
         # CPUID device unavailable (e.g. in a VM): fall back to /proc/cpuinfo
         if grep ^flags "$g_procfs/cpuinfo" | grep -qw stibp; then
             cap_stibp='STIBP (cpuinfo)'
@@ -676,7 +676,7 @@ check_cpu() {
         fi
     fi
 
-    if [ -z "$cap_ssbd" ] && [ "$ret24" = $READ_CPUID_RET_ERR ] && [ "$ret25" = $READ_CPUID_RET_ERR ] && [ "$opt_live" = 1 ]; then
+    if [ -z "$cap_ssbd" ] && [ "$ret24" = $READ_CPUID_RET_ERR ] && [ "$ret25" = $READ_CPUID_RET_ERR ] && [ "$opt_runtime" = 1 ]; then
         # CPUID device unavailable (e.g. in a VM): fall back to /proc/cpuinfo
         if grep ^flags "$g_procfs/cpuinfo" | grep -qw ssbd; then
             cap_ssbd='SSBD (cpuinfo)'
@@ -740,7 +740,7 @@ check_cpu() {
     if [ $ret = $READ_CPUID_RET_OK ]; then
         pstatus green YES "L1D flush feature bit"
         cap_l1df=1
-    elif [ $ret = $READ_CPUID_RET_ERR ] && [ "$opt_live" = 1 ] && grep ^flags "$g_procfs/cpuinfo" | grep -qw flush_l1d; then
+    elif [ $ret = $READ_CPUID_RET_ERR ] && [ "$opt_runtime" = 1 ] && grep ^flags "$g_procfs/cpuinfo" | grep -qw flush_l1d; then
         # CPUID device unavailable (e.g. in a VM): fall back to /proc/cpuinfo
         pstatus green YES "flush_l1d flag in $g_procfs/cpuinfo"
         cap_l1df=1
@@ -760,7 +760,7 @@ check_cpu() {
         if [ $ret = $READ_CPUID_RET_OK ]; then
             cap_md_clear=1
             pstatus green YES "MD_CLEAR feature bit"
-        elif [ $ret = $READ_CPUID_RET_ERR ] && [ "$opt_live" = 1 ] && grep ^flags "$g_procfs/cpuinfo" | grep -qw md_clear; then
+        elif [ $ret = $READ_CPUID_RET_ERR ] && [ "$opt_runtime" = 1 ] && grep ^flags "$g_procfs/cpuinfo" | grep -qw md_clear; then
             # CPUID device unavailable (e.g. in a VM): fall back to /proc/cpuinfo
             cap_md_clear=1
             pstatus green YES "md_clear flag in $g_procfs/cpuinfo"
@@ -830,7 +830,7 @@ check_cpu() {
         if [ $ret = $READ_CPUID_RET_OK ]; then
             pstatus green YES
             cap_arch_capabilities=1
-        elif [ $ret = $READ_CPUID_RET_ERR ] && [ "$opt_live" = 1 ] && grep ^flags "$g_procfs/cpuinfo" | grep -qw arch_capabilities; then
+        elif [ $ret = $READ_CPUID_RET_ERR ] && [ "$opt_runtime" = 1 ] && grep ^flags "$g_procfs/cpuinfo" | grep -qw arch_capabilities; then
             # CPUID device unavailable (e.g. in a VM): fall back to /proc/cpuinfo
             pstatus green YES "arch_capabilities flag in $g_procfs/cpuinfo"
             cap_arch_capabilities=1