Store the per-core implementer/part/arch/variant/revision lists
space-separated (no embedded newlines, which also cleans up JSON and
prometheus output) and dedup them for the human-readable display, so
homogeneous systems show e.g. "0x41" instead of repeating it per core.

Addresses issue #336: when running inside a VM (KVM, VMware, ESXi,
Hyper-V, VirtualBox), the hypervisor can present a fake CPUID and
microcode version to the guest, making the microcode up-to-date check
meaningless or misleading.

Changes:
- Add is_running_as_guest() to 370_hw_vmm.sh: detects VM guest status
by checking for the 'hypervisor' CPUID flag in /proc/cpuinfo, which
is exposed by KVM, VMware, Hyper-V, VirtualBox and most other
hypervisors. Result is cached in g_is_guest_vm / g_is_guest_vm_reason.
- Add "Running as VM guest: YES/NO" line to the CPU details block in
check_cpu() (400_hw_check.sh), shown for both x86 and ARM guests.
- Add a pr_warn block after the microcode-is-latest check in check_cpu()
advising the user to verify microcode information on the hypervisor
host when a VM guest is detected.
- Add minimal ARM CPU details block in check_cpu(): vendor, model name,
implementer(s), part(s), architecture(s), and VM guest status. ARM CPUs
previously got no output from check_cpu() due to the x86-only early
return guard.
- Expose guest VM status in JSON output (250_output_emitters.sh):
  - system section: guest_vm (bool) and guest_vm_reason (string)
  - cpu_microcode section: unreliable_in_vm (bool)

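The two behaviours described above, guest detection from the "hypervisor" CPUID flag and per-core field lists kept space-separated and deduplicated, as an added stand-alone example (not spectre-meltdown-checker's own code; the function names and the cpuinfo samples are constructed):

```shell
#!/bin/sh
# Added example, not spectre-meltdown-checker's own code; names are hypothetical.
# Shows VM-guest detection via the "hypervisor" CPUID flag in /proc/cpuinfo and
# per-core field lists kept space-separated and deduplicated for display.

# Constructed sample: one core of an x86 guest, trimmed to the relevant lines.
SAMPLE_X86_GUEST='processor : 0
vendor_id : GenuineIntel
flags : fpu vme de pse tsc msr hypervisor sse4_2
microcode : 0xffffffff'

# Constructed sample: three-core bare-metal ARM64 host with two core types.
SAMPLE_ARM_HOST='processor : 0
CPU implementer : 0x41
CPU part : 0xd0b
processor : 1
CPU implementer : 0x41
CPU part : 0xd0b
processor : 2
CPU implementer : 0x41
CPU part : 0xd0c'

# Exit 0 when a flags line carries "hypervisor" as a whole word ($1: cpuinfo
# text). ARM cpuinfo has no flags line, so it is never a false positive there.
cpuinfo_is_guest() {
	printf '%s\n' "$1" | grep -qE '^flags[[:space:]]*:.*[[:space:]]hypervisor([[:space:]]|$)'
}

# One field's value from every core as a single space-separated line, in core
# order (no embedded newlines). $1: cpuinfo text, $2: field name.
cpuinfo_field_list() {
	printf '%s\n' "$1" | awk -F': *' -v f="$2" \
		'$1 ~ ("^" f "[[:space:]]*$") { printf "%s%s", (n++ ? " " : ""), $2 } END { print "" }'
}

# Deduplicate a space-separated list keeping first-seen order, so a homogeneous
# system shows "0x41" once rather than once per core.
dedup_words() {
	out=
	for w in $1; do
		case " $out " in
		*" $w "*) ;;
		*) out="${out:+$out }$w" ;;
		esac
	done
	printf '%s\n' "$out"
}

cpuinfo_is_guest "$SAMPLE_X86_GUEST" && echo "x86 sample: running as VM guest"
echo "ARM implementer(s): $(dedup_words "$(cpuinfo_field_list "$SAMPLE_ARM_HOST" 'CPU implementer')")"
```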
CVE_REGISTRY gains an optional fifth field that tags checks as x86-only or
arm-only; untagged entries apply everywhere. The main CVE dispatcher and the
affectedness summary both skip gated entries in default "all CVEs" runs,
removing the noise of arm64 errata on x86 hosts and of x86 CVEs on ARM hosts
across text, json, nrpe and prometheus outputs. Explicit --cve/--variant/--errata
selection bypasses the gate so manual queries still run anywhere.
The gate honours no-hw mode by ignoring the host CPU and keying off the
inspected kernel's architecture only, which handles cross-arch offline
analysis driven by --kernel/--config/--map.

Add detection for three speculation/security-relevant ARM64 errata
families that are tracked by vendor erratum IDs rather than CVEs: Speculative
AT TLB corruption (1165522/1319367/1319537/1530923), speculative unprivileged
load (2966298/3117295), and MSR SSBS not self-synchronizing (3194386 and
siblings). Reserves a new CVE-0001-NNNN placeholder range for vendor errata
and adds a --errata <number> selector alongside --variant/--cve.
CPU affection is determined per-core from (implementer, part, variant,
revision) tuples read from /proc/cpuinfo, matching the kernel's MIDR ranges
(including Kryo4xx Silver for erratum 1530923). Kernel mitigation detection
uses the erratum-specific CONFIG_ARM64_ERRATUM_NNNN symbols, kernel image
descriptor strings, and dmesg output (no sysfs for these)