Addresses issue #336: when running inside a VM (KVM, VMware, ESXi,
Hyper-V, VirtualBox), the hypervisor can present a fake CPUID and
microcode version to the guest, making the microcode up-to-date check
meaningless or misleading.
Changes:
- Add is_running_as_guest() to 370_hw_vmm.sh: detects VM guest status
by checking for the 'hypervisor' CPUID flag in /proc/cpuinfo, which
is exposed by KVM, VMware, Hyper-V, VirtualBox and most other
hypervisors. Result is cached in g_is_guest_vm / g_is_guest_vm_reason.
- Add "Running as VM guest: YES/NO" line to the CPU details block in
check_cpu() (400_hw_check.sh), shown for both x86 and ARM guests.
- Add a pr_warn block after the microcode-is-latest check in check_cpu()
advising the user to verify microcode information on the hypervisor
host when a VM guest is detected.
- Add minimal ARM CPU details block in check_cpu(): vendor, model name,
implementer(s), part(s), architecture(s), and VM guest status. ARM CPUs
previously got no output from check_cpu() due to the x86-only early
return guard.
- Expose guest VM status in JSON output (250_output_emitters.sh):
- system section: guest_vm (bool) and guest_vm_reason (string)
- cpu_microcode section: unreliable_in_vm (bool)
CVE_REGISTRY gains an optional fifth field that tags checks as x86-only or
arm-only, untagged entries apply everywhere. The main CVE dispatcher and the
affectedness summary both skip gated entries in default "all CVEs" runs,
removing the noise of arm64 errata on x86 hosts and of x86 CVEs on ARM hosts
across text, json, nrpe and prometheus outputs. Explicit --cve/--variant/--errata
selection bypasses the gate so manual queries still run anywhere.
The gate honours no-hw mode by ignoring the host CPU and keying off the
inspected kernel's architecture only, which handles cross-arch offline
analysis driven by --kernel/--config/--map.
AMD Zen 1-3 CPUs don't flush return predictions on IBPB, allowing
cross-process Spectre attacks even with IBPB-on-entry active. The kernel
fix (v6.12+, backported) adds RSB fill after IBPB on affected CPUs.
Detect this gap by checking CPUID IBPB_RET bit and kernel ibpb_no_ret
bug flag, and flag systems relying on IBPB without the RSB fill fix.
Stéphane Lesimple