enh: --no-runtime and --no-hw modes replacing --live and implicit 'offline' mode

2026-04-11 11:13:21 +02:00 · 2026-04-08 20:53:00 +02:00
parent 3f7e0a11f7
commit b9c203120b
23 changed files with 135 additions and 118 deletions
--- a/src/vulns/CVE-2017-5754.sh
+++ b/src/vulns/CVE-2017-5754.sh
@@ -104,7 +104,7 @@ check_CVE_2017_5754_linux() {

        mount_debugfs
        pr_info_nol "  * PTI enabled and active: "
-        if [ "$opt_live" = 1 ]; then
+        if [ "$opt_runtime" = 1 ]; then
            dmesg_grep="Kernel/User page tables isolation: enabled"
            dmesg_grep="$dmesg_grep|Kernel page table isolation enabled"
            dmesg_grep="$dmesg_grep|x86/pti: Unmapping kernel while in userspace"
@@ -150,7 +150,7 @@ check_CVE_2017_5754_linux() {
                pstatus yellow NO
            fi
        else
-            pstatus blue N/A "not testable in offline mode"
+            pstatus blue N/A "not testable in no-runtime mode"
        fi

        pti_performance_check
@@ -167,7 +167,7 @@ check_CVE_2017_5754_linux() {
    is_xen_dom0 && xen_pv_domo=1
    is_xen_domU && xen_pv_domu=1

-    if [ "$opt_live" = 1 ]; then
+    if [ "$opt_runtime" = 1 ]; then
        # checking whether we're running under Xen PV 64 bits. If yes, we are affected by affected_variant3
        # (unless we are a Dom0)
        pr_info_nol "* Running as a Xen PV DomU: "
@@ -183,7 +183,7 @@ check_CVE_2017_5754_linux() {
        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
    elif [ -z "$msg" ]; then
        # if msg is empty, sysfs check didn't fill it, rely on our own test
-        if [ "$opt_live" = 1 ]; then
+        if [ "$opt_runtime" = 1 ]; then
            if [ "$kpti_enabled" = 1 ]; then
                pvulnstatus "$cve" OK "PTI mitigates the vulnerability"
            elif [ "$xen_pv_domo" = 1 ]; then
@@ -209,12 +209,12 @@ check_CVE_2017_5754_linux() {
            fi
        else
            if [ -n "$kpti_support" ]; then
-                pvulnstatus "$cve" OK "offline mode: PTI will mitigate the vulnerability if enabled at runtime"
+                pvulnstatus "$cve" OK "no-runtime mode: PTI will mitigate the vulnerability if enabled at runtime"
            elif [ "$kpti_can_tell" = 1 ]; then
                pvulnstatus "$cve" VULN "PTI is needed to mitigate the vulnerability"
                explain "If you're using a distro kernel, upgrade your distro to get the latest kernel available. Otherwise, recompile the kernel with the CONFIG_(MITIGATION_)PAGE_TABLE_ISOLATION option (named CONFIG_KAISER for some kernels), or the CONFIG_UNMAP_KERNEL_AT_EL0 option (for ARM64)"
            else
-                pvulnstatus "$cve" UNK "offline mode: not enough information"
+                pvulnstatus "$cve" UNK "no-runtime mode: not enough information"
                explain "Re-run this script with root privileges, and give it the kernel image (--kernel), the kernel configuration (--config) and the System.map file (--map) corresponding to the kernel you would like to inspect."
            fi
        fi