enh: CVE-2018-3646: document all sysfs variations, fix --sysfs-only path

src/vulns/CVE-2018-3646.sh

@@ -13,6 +13,53 @@ check_CVE_2018_3646_linux() {
     if sys_interface_check "$VULN_SYSFS_BASE/l1tf" '.*' quiet; then
         # this kernel has the /sys interface, trust it over everything
         sys_interface_available=1
+        # quiet mode doesn't set ret_sys_interface_check_status, derive it ourselves.
+        #
+        # Complete sysfs message inventory for l1tf, traced via git blame
+        # on mainline (~/linux) and stable (~/linux-stable):
+        #
+        # all versions:
+        #   "Not affected"                          (cpu_show_common, d1059518b4789)
+        #   "Vulnerable"                            (cpu_show_common fallthrough, d1059518b4789)
+        #
+        # --- mainline ---
+        # 17dbca119312 (v4.18-rc1, initial l1tf sysfs):
+        #   "Mitigation: Page Table Inversion"
+        # 72c6d2db64fa (v4.18-rc1, renamed + added VMX reporting):
+        #   "Mitigation: PTE Inversion"                                  (no KVM_INTEL, or VMX=AUTO)
+        #   "Mitigation: PTE Inversion; VMX: SMT <smt>, L1D <flush>"    (KVM_INTEL enabled)
+        #     <flush>: auto | vulnerable | conditional cache flushes | cache flushes
+        # a7b9020b06ec (v4.18-rc1, added EPT disabled state):
+        #     <flush>: + EPT disabled
+        # ea156d192f52 (v4.18-rc7, reordered VMX/SMT fields):
+        #   "Mitigation: PTE Inversion; VMX: EPT disabled"              (no SMT part)
+        #   "Mitigation: PTE Inversion; VMX: vulnerable"                (NEVER + SMT active, no SMT part)
+        #   "Mitigation: PTE Inversion; VMX: <flush>, SMT <smt>"        (all other cases)
+        # 8e0b2b916662 (v4.18, added flush not necessary):
+        #     <flush>: + flush not necessary
+        # 130d6f946f6f (v4.20-rc4, no string change):
+        #     SMT detection changed from cpu_smt_control to sched_smt_active()
+        #
+        # --- stable backports ---
+        # 4.4.y: no VMX reporting (only "PTE Inversion" / "Vulnerable" / "Not affected").
+        #   initially backported as "Page Table Inversion" (bf0cca01b873),
+        #   renamed to "PTE Inversion" in stable-only commit 6db8c0882912 (May 2019).
+        # 4.9.y, 4.14.y: full VMX reporting, post-reorder format.
+        #   the pre-reorder format ("SMT <smt>, L1D <flush>") and the post-reorder
+        #   format ("VMX: <flush>, SMT <smt>") landed in the same stable release
+        #   (4.9.120, 4.14.63), so no stable release ever shipped the pre-reorder format.
+        #   sched_smt_active() backported (same strings, different runtime behavior).
+        # 4.17.y, 4.18.y: full VMX reporting, post-reorder format.
+        #   still uses cpu_smt_control (sched_smt_active() not backported to these EOL branches).
+        #
+        # <smt> is one of: vulnerable | disabled
+        #
+        # all messages start with either "Not affected", "Mitigation", or "Vulnerable"
+        if echo "$ret_sys_interface_check_fullmsg" | grep -qEi '^(Not affected|Mitigation)'; then
+            status=OK
+        elif echo "$ret_sys_interface_check_fullmsg" | grep -qi '^Vulnerable'; then
+            status=VULN
+        fi
     fi
     l1d_mode=-1
     if [ "$opt_sysfs_only" != 1 ]; then
@@ -142,40 +189,48 @@ check_CVE_2018_3646_linux() {
     elif [ "$ret_sys_interface_check_fullmsg" = "Not affected" ]; then
         # just in case a very recent kernel knows better than we do
         pvulnstatus "$cve" OK "your kernel reported your CPU model as not affected"
-    elif [ "$g_has_vmm" = 0 ]; then
+    elif [ -z "$msg" ]; then
-        pvulnstatus "$cve" OK "this system is not running a hypervisor"
+        if [ "$opt_sysfs_only" != 1 ]; then
-    else
+            if [ "$g_has_vmm" = 0 ]; then
-        if [ "$ept_disabled" = 1 ]; then
+                pvulnstatus "$cve" OK "this system is not running a hypervisor"
-            pvulnstatus "$cve" OK "EPT is disabled which mitigates the vulnerability"
+            elif [ "$ept_disabled" = 1 ]; then
-        elif [ "$opt_paranoid" = 0 ]; then
+                pvulnstatus "$cve" OK "EPT is disabled which mitigates the vulnerability"
-            if [ "$l1d_mode" -ge 1 ]; then
+            elif [ "$opt_paranoid" = 0 ]; then
-                pvulnstatus "$cve" OK "L1D flushing is enabled and mitigates the vulnerability"
+                if [ "$l1d_mode" -ge 1 ]; then
+                    pvulnstatus "$cve" OK "L1D flushing is enabled and mitigates the vulnerability"
+                else
+                    pvulnstatus "$cve" VULN "disable EPT or enable L1D flushing to mitigate the vulnerability"
+                fi
             else
-                pvulnstatus "$cve" VULN "disable EPT or enable L1D flushing to mitigate the vulnerability"
+                if [ "$l1d_mode" -ge 2 ]; then
+                    if [ "$smt_enabled" = 1 ]; then
+                        pvulnstatus "$cve" OK "L1D unconditional flushing and Hyper-Threading disabled are mitigating the vulnerability"
+                    else
+                        pvulnstatus "$cve" VULN "Hyper-Threading must be disabled to fully mitigate the vulnerability"
+                    fi
+                else
+                    if [ "$smt_enabled" = 1 ]; then
+                        pvulnstatus "$cve" VULN "L1D unconditional flushing should be enabled to fully mitigate the vulnerability"
+                    else
+                        pvulnstatus "$cve" VULN "enable L1D unconditional flushing and disable Hyper-Threading to fully mitigate the vulnerability"
+                    fi
+                fi
+            fi
+
+            if [ "$l1d_mode" -gt 3 ]; then
+                pr_warn
+                pr_warn "This host is a Xen Dom0. Please make sure that you are running your DomUs"
+                pr_warn "with a kernel which contains CVE-2018-3646 mitigations."
+                pr_warn
+                pr_warn "See https://www.suse.com/support/kb/doc/?id=7023078 and XSA-273 for details."
             fi
         else
-            if [ "$l1d_mode" -ge 2 ]; then
+            # --sysfs-only: sysfs was available (otherwise msg would be set), use its result
-                if [ "$smt_enabled" = 1 ]; then
+            pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
-                    pvulnstatus "$cve" OK "L1D unconditional flushing and Hyper-Threading disabled are mitigating the vulnerability"
-                else
-                    pvulnstatus "$cve" VULN "Hyper-Threading must be disabled to fully mitigate the vulnerability"
-                fi
-            else
-                if [ "$smt_enabled" = 1 ]; then
-                    pvulnstatus "$cve" VULN "L1D unconditional flushing should be enabled to fully mitigate the vulnerability"
-                else
-                    pvulnstatus "$cve" VULN "enable L1D unconditional flushing and disable Hyper-Threading to fully mitigate the vulnerability"
-                fi
-            fi
-        fi
-
-        if [ "$l1d_mode" -gt 3 ]; then
-            pr_warn
-            pr_warn "This host is a Xen Dom0. Please make sure that you are running your DomUs"
-            pr_warn "with a kernel which contains CVE-2018-3646 mitigations."
-            pr_warn
-            pr_warn "See https://www.suse.com/support/kb/doc/?id=7023078 and XSA-273 for details."
         fi
+    else
+        # msg was set explicitly: either sysfs-not-available error, or a sysfs override
+        pvulnstatus "$cve" "$status" "$msg"
     fi
 }