enh: --no-runtime and --no-hw modes replacing --live and implicit 'offline' mode

2026-04-09 10:13:18 +02:00 · 2026-04-08 20:53:00 +02:00
parent 3f7e0a11f7
commit b9c203120b
23 changed files with 135 additions and 118 deletions
--- a/src/vulns/CVE-2018-3646.sh
+++ b/src/vulns/CVE-2018-3646.sh
@@ -69,7 +69,7 @@ check_CVE_2018_3646_linux() {
        pr_info "* Mitigation 1 (KVM)"
        pr_info_nol "  * EPT is disabled: "
        ept_disabled=-1
-        if [ "$opt_live" = 1 ]; then
+        if [ "$opt_runtime" = 1 ]; then
            if ! [ -r "$SYS_MODULE_BASE/kvm_intel/parameters/ept" ]; then
                pstatus blue N/A "the kvm_intel module is not loaded"
            elif [ "$(cat "$SYS_MODULE_BASE/kvm_intel/parameters/ept")" = N ]; then
@@ -79,12 +79,12 @@ check_CVE_2018_3646_linux() {
                pstatus yellow NO
            fi
        else
-            pstatus blue N/A "not testable in offline mode"
+            pstatus blue N/A "not testable in no-runtime mode"
        fi

        pr_info "* Mitigation 2"
        pr_info_nol "  * L1D flush is supported by kernel: "
-        if [ "$opt_live" = 1 ] && grep -qw flush_l1d "$g_procfs/cpuinfo"; then
+        if [ "$opt_runtime" = 1 ] && grep -qw flush_l1d "$g_procfs/cpuinfo"; then
            l1d_kernel="found flush_l1d in $g_procfs/cpuinfo"
        fi
        if [ -z "$l1d_kernel" ]; then
@@ -106,7 +106,7 @@ check_CVE_2018_3646_linux() {
        fi

        pr_info_nol "  * L1D flush enabled: "
-        if [ "$opt_live" = 1 ]; then
+        if [ "$opt_runtime" = 1 ]; then
            if [ -n "$ret_sys_interface_check_fullmsg" ]; then
                # vanilla: VMX: $l1dstatus, SMT $smtstatus
                # Red Hat: VMX: SMT $smtstatus, L1D $l1dstatus
@@ -152,18 +152,18 @@ check_CVE_2018_3646_linux() {
            fi
        else
            l1d_mode=-1
-            pstatus blue N/A "not testable in offline mode"
+            pstatus blue N/A "not testable in no-runtime mode"
        fi

        pr_info_nol "  * Hardware-backed L1D flush supported: "
-        if [ "$opt_live" = 1 ]; then
+        if [ "$opt_runtime" = 1 ]; then
            if grep -qw flush_l1d "$g_procfs/cpuinfo" || [ -n "$l1d_xen_hardware" ]; then
                pstatus green YES "performance impact of the mitigation will be greatly reduced"
            else
                pstatus blue NO "flush will be done in software, this is slower"
            fi
        else
-            pstatus blue N/A "not testable in offline mode"
+            pstatus blue N/A "not testable in no-runtime mode"
        fi

        pr_info_nol "  * Hyper-Threading (SMT) is enabled: "