chore: prepare for dev-build renaming to test-build

chore: set VERSION when building
update dev docs and refactor CVE list in readme
2026-04-01 12:47:07 +02:00 · 2026-03-31 20:16:47 +00:00 · 2026-03-31 20:16:47 +00:00 · 2026-03-31 20:16:47 +00:00 · 2026-03-31 20:16:47 +00:00 · 2026-03-31 20:16:47 +00:00
61 changed files with 9115 additions and 1693 deletions
--- a/.github/workflows/expected_cve_count
+++ b/.github/workflows/expected_cve_count
@@ -0,0 +1 @@
+21
--- a/.github/workflows/source-build.yml
+++ b/.github/workflows/source-build.yml
@@ -0,0 +1,108 @@
+name: source-build
+
+on:
+  push:
+    branches:
+      - source
+
+jobs:
+  source-build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v6
+      with:
+        persist-credentials: true
+    - name: install prerequisites
+      run: sudo apt-get update && sudo apt-get install -y shellcheck shfmt jq sqlite3 iucode-tool make
+    - name: build and check
+      run: |
+        make build fmt-check shellcheck
+        mv spectre-meltdown-checker.sh dist/
+    - name: check direct execution
+      run: |
+        expected=$(cat .github/workflows/expected_cve_count)
+        cd dist
+        nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l)
+        if [ "$nb" -ne "$expected" ]; then
+          echo "Invalid number of CVEs reported: $nb instead of $expected"
+          exit 1
+        else
+          echo "OK $nb CVEs reported"
+        fi
+    - name: check docker compose run execution
+      run: |
+        expected=$(cat .github/workflows/expected_cve_count)
+        cd dist
+        docker compose build
+        nb=$(docker compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
+        if [ "$nb" -ne "$expected" ]; then
+          echo "Invalid number of CVEs reported: $nb instead of $expected"
+          exit 1
+        else
+          echo "OK $nb CVEs reported"
+        fi
+    - name: check docker run execution
+      run: |
+        expected=$(cat .github/workflows/expected_cve_count)
+        cd dist
+        docker build -t spectre-meltdown-checker .
+        nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
+        if [ "$nb" -ne "$expected" ]; then
+          echo "Invalid number of CVEs reported: $nb instead of $expected"
+          exit 1
+        else
+          echo "OK $nb CVEs reported"
+        fi
+    - name: check fwdb update (separated)
+      run: |
+        cd dist
+        nbtmp1=$(find /tmp 2>/dev/null | wc -l)
+        ./spectre-meltdown-checker.sh --update-fwdb; ret=$?
+        if [ "$ret" != 0 ]; then
+          echo "Non-zero return value: $ret"
+          exit 1
+        fi
+        nbtmp2=$(find /tmp 2>/dev/null | wc -l)
+        if [ "$nbtmp1" != "$nbtmp2" ]; then
+          echo "Left temporary files!"
+          exit 1
+        fi
+        if ! [ -e ~/.mcedb ]; then
+          echo "No .mcedb file found after updating fwdb"
+          exit 1
+        fi
+    - name: check fwdb update (builtin)
+      run: |
+        cd dist
+        nbtmp1=$(find /tmp 2>/dev/null | wc -l)
+        ./spectre-meltdown-checker.sh --update-builtin-fwdb; ret=$?
+        if [ "$ret" != 0 ]; then
+          echo "Non-zero return value: $ret"
+          exit 1
+        fi
+        nbtmp2=$(find /tmp 2>/dev/null | wc -l)
+        if [ "$nbtmp1" != "$nbtmp2" ]; then
+          echo "Left temporary files!"
+          exit 1
+        fi
+    - name: create a pull request to source-build
+      run: |
+        tmpdir=$(mktemp -d)
+        mv ./dist/* $tmpdir/
+        rm -rf ./dist
+        git fetch origin source-build
+        git checkout -f source-build
+        mv $tmpdir/* .
+        git add *
+        echo =#=#= DIFF CACHED
+        git diff --cached
+        echo =#=#= STATUS
+        git status
+        echo =#=#= COMMIT
+        git config --global user.name "github-actions[bot]"
+        git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+        git log ${{ github.ref }} -1 --format=format:'%s%n%n built from commit %H%n dated %ai%n by %an (%ae)%n%n %b'
+        git log ${{ github.ref }} -1 --format=format:'%s%n%n built from commit %H%n dated %ai%n by %an (%ae)%n%n %b' | git commit -F -
+        git push
--- a/.github/workflows/test-build.yml
+++ b/.github/workflows/test-build.yml
@@ -0,0 +1,108 @@
+name: test-build
+
+on:
+  push:
+    branches:
+      - test
+
+jobs:
+  test-build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v6
+      with:
+        persist-credentials: true
+    - name: install prerequisites
+      run: sudo apt-get update && sudo apt-get install -y shellcheck shfmt jq sqlite3 iucode-tool make
+    - name: build and check
+      run: |
+        make build fmt-check shellcheck
+        mv spectre-meltdown-checker.sh dist/
+    - name: check direct execution
+      run: |
+        expected=$(cat .github/workflows/expected_cve_count)
+        cd dist
+        nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l)
+        if [ "$nb" -ne "$expected" ]; then
+          echo "Invalid number of CVEs reported: $nb instead of $expected"
+          exit 1
+        else
+          echo "OK $nb CVEs reported"
+        fi
+    - name: check docker compose run execution
+      run: |
+        expected=$(cat .github/workflows/expected_cve_count)
+        cd dist
+        docker compose build
+        nb=$(docker compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
+        if [ "$nb" -ne "$expected" ]; then
+          echo "Invalid number of CVEs reported: $nb instead of $expected"
+          exit 1
+        else
+          echo "OK $nb CVEs reported"
+        fi
+    - name: check docker run execution
+      run: |
+        expected=$(cat .github/workflows/expected_cve_count)
+        cd dist
+        docker build -t spectre-meltdown-checker .
+        nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
+        if [ "$nb" -ne "$expected" ]; then
+          echo "Invalid number of CVEs reported: $nb instead of $expected"
+          exit 1
+        else
+          echo "OK $nb CVEs reported"
+        fi
+    - name: check fwdb update (separated)
+      run: |
+        cd dist
+        nbtmp1=$(find /tmp 2>/dev/null | wc -l)
+        ./spectre-meltdown-checker.sh --update-fwdb; ret=$?
+        if [ "$ret" != 0 ]; then
+          echo "Non-zero return value: $ret"
+          exit 1
+        fi
+        nbtmp2=$(find /tmp 2>/dev/null | wc -l)
+        if [ "$nbtmp1" != "$nbtmp2" ]; then
+          echo "Left temporary files!"
+          exit 1
+        fi
+        if ! [ -e ~/.mcedb ]; then
+          echo "No .mcedb file found after updating fwdb"
+          exit 1
+        fi
+    - name: check fwdb update (builtin)
+      run: |
+        cd dist
+        nbtmp1=$(find /tmp 2>/dev/null | wc -l)
+        ./spectre-meltdown-checker.sh --update-builtin-fwdb; ret=$?
+        if [ "$ret" != 0 ]; then
+          echo "Non-zero return value: $ret"
+          exit 1
+        fi
+        nbtmp2=$(find /tmp 2>/dev/null | wc -l)
+        if [ "$nbtmp1" != "$nbtmp2" ]; then
+          echo "Left temporary files!"
+          exit 1
+        fi
+    - name: push artifact to the test-build branch
+      run: |
+        tmpdir=$(mktemp -d)
+        mv ./dist/* $tmpdir/
+        rm -rf ./dist
+        git fetch origin test-build
+        git checkout -f test-build
+        mv $tmpdir/* .
+        git add *
+        echo =#=#= DIFF CACHED
+        git diff --cached
+        echo =#=#= STATUS
+        git status
+        echo =#=#= COMMIT
+        git config --global user.name "github-actions[bot]"
+        git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+        git log ${{ github.ref }} -1 --format=format:'%s%n%n built from commit %H%n dated %ai%n by %an (%ae)%n%n %b'
+        git log ${{ github.ref }} -1 --format=format:'%s%n%n built from commit %H%n dated %ai%n by %an (%ae)%n%n %b' | git commit -F -
+        git push
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+spectre-meltdown-checker.sh
--- a/DEVELOPMENT.md
+++ b/DEVELOPMENT.md
@@ -0,0 +1,488 @@
+# Project Overview
+
+spectre-meltdown-checker is a single self-contained shell script (`spectre-meltdown-checker.sh`) that detects system vulnerability to several transient execution CPU CVEs (Spectre, Meltdown, and related). It supports Linux and BSD (FreeBSD, NetBSD, DragonFlyBSD) on x86, amd64, ARM, and ARM64.
+
+The script must stay POSIX-compatible, and not use features only available in specific shells such as `bash` or `zsh`. The `local` keyword is accepted however.
+
+## Project Mission
+
+This tool exists to give system administrators simple, actionable answers to two questions:
+
+1. **Am I vulnerable?**
+2. **What do I have to do to mitigate these vulnerabilities on my system?**
+
+The script does not run exploits and cannot guarantee security. It reports whether a system is **affected**, **vulnerable**, or **mitigated** against known transient execution vulnerabilities, and provides detailed insight into the prerequisites for full mitigation (microcode, kernel, hypervisor, etc.).
+
+### Why this tool still matters
+
+Even though the Linux `sysfs` hierarchy (`/sys/devices/system/cpu/vulnerabilities/`) now reports mitigation status for most vulnerabilities, this script provides value beyond what `sysfs` offers:
+
+- **Independent of kernel knowledge**: A given kernel only understands vulnerabilities known at compile time. This script's detection logic is maintained independently, so it can identify gaps a kernel doesn't yet know about.
+- **Detailed prerequisite breakdown**: Mitigating a vulnerability can involve multiple layers (microcode, host kernel, hypervisor, guest kernel, software). The script shows exactly which pieces are in place and which are missing.
+- **Offline kernel analysis**: The script can inspect a kernel image before it is booted (`--kernel`, `--config`, `--map`), verifying it carries the expected mitigations.
+- **Backport-aware**: It detects actual capabilities rather than checking version strings, so it works correctly with vendor kernels that silently backport or forward-port patches.
+- **Covers gaps in sysfs**: Some vulnerabilities (e.g. Zenbleed) are not reported through `sysfs` at all.
+
+### Terminology
+
+These terms have precise meanings throughout the codebase and output:
+
+- **Affected**: The CPU hardware, as shipped from the factory, is known to be concerned by a vulnerability. Says nothing about whether the vulnerability is currently exploitable.
+- **Vulnerable**: The system uses an affected CPU *and* has no (or insufficient) mitigations in place, meaning the vulnerability can be exploited.
+- **Mitigated**: A previously vulnerable system has all required layers updated so the vulnerability cannot be exploited.
+
+## Branch Model
+
+The project uses 4 branches organized in two pipelines (production and dev/test). Developers work on the source branches; CI builds the monolithic script and pushes it to the corresponding output branch.
+
+| Branch | Contents | Pushed by |
+|--------|----------|-----------|
+| **`test`** | Dev/test source (split files + Makefile) | Developers |
+| **`test-build`** | Monolithic test script (built artifact) | CI from `test` |
+| **`source`** | Production source (split files + Makefile) | Developers |
+| **`source-build`** | Monolithic test script (built artifact) | CI from `source` |
+| **`master`** | Monolithic production script (built artifact) | PR by developers from `source-build` |
+
+- **`source`** and **`test`** contain the split source files and the Makefile. These are the branches developers commit to.
+- **`master`**, **`source-build`** and **`test-build`** contain only the monolithic `spectre-meltdown-checker.sh` built by CI. Nobody commits to these directly.
+- **`master`** is the preexisting production branch that users pull from. It cannot be renamed.
+- **`test-build`** is a testing branch that users can pull from to test pre-release versions.
+- **`source-build`** is a preprod branch to prepare the artifact before merging to **`master`**.
+
+Typical workflow:
+1. Feature/fix branches are created from `test` and merged back into `test`.
+2. CI builds the script and pushes it to `test-build` for testing.
+3. When ready for release, `test` is merged into `source`.
+4. CI builds the script and pushes it to `source-build` for production.
+5. Developer creates a PR from `source-build` to `master`.
+
+## Versioning
+
+The project follows semantic versioning in the format `X.Y.Z`:
+
+- **X** = the current year, in `YY` format.
+- **Y** = the number of CVEs supported by the script, which corresponds to the number of files under `src/vulns/`.
+- **Z** = `MMDDVAL`, where `MMDD` is the UTC build date and `VAL` is a 3-digit value (000–999) that increases monotonically throughout the day, computed as `seconds_since_midnight_UTC * 1000 / 86400`.
+
+The version is patched automatically by `build.sh` into the `VERSION=` variable of the assembled script. The source file (`src/libs/001_core_header.sh`) carries a placeholder value that is overwritten at build time.
+
+## Linting and Testing
+
+```bash
+# Assemble the final script
+make build
+
+# Lint the generated script
+make fmt-check shellcheck
+
+# Run the script (requires root for full results)
+sudo ./spectre-meltdown-checker.sh
+
+# Run specific tests that we might have just added (variant name)
+sudo ./spectre-meltdown-checker.sh --variant l1tf --variant taa
+
+# Run specific tests that we might have just added (CVE name)
+sudo ./spectre-meltdown-checker.sh --cve CVE-2018-3640 --cve CVE-2022-40982
+
+# Batch JSON mode (CI validates exactly 19 CVEs in output)
+sudo ./spectre-meltdown-checker.sh --batch json | jq '.[] | .CVE' | wc -l  # must be 19
+
+# Update microcode firmware database
+sudo ./spectre-meltdown-checker.sh --update-fwdb
+
+# Docker
+docker-compose build && docker-compose run --rm spectre-meltdown-checker
+```
+
+There is no separate test suite. CI (`.github/workflows/check.yml`) runs shellcheck, tab-indentation checks, a live execution test validating 19 CVEs, Docker builds, and a firmware DB update test that checks for temp file leaks.
+
+## Architecture
+
+The entire tool is a single bash script with no external script dependencies. Key structural sections:
+
+- **Output/logging functions** (~line 253): `pr_warn`, `pr_info`, `pr_verbose`, `pr_debug`, `explain`, `pstatus`, `pvulnstatus` — verbosity-aware output with color support
+- **CPU detection** (~line 2171): `parse_cpu_details`, `is_intel`/`is_amd`/`is_hygon`, `read_cpuid`, `read_msr`, `is_cpu_smt_enabled` — hardware identification via CPUID/MSR registers
+- **Microcode database** (embedded): Intel/AMD microcode version lookup via `read_mcedb`/`read_inteldb`; updated automatically via `.github/workflows/autoupdate.yml`
+- **Kernel analysis** (~line 1568): `extract_kernel`, `try_decompress` — extracts and inspects kernel images (handles gzip, bzip2, xz, lz4, zstd compression)
+- **Vulnerability checks**: 19 `check_CVE_<year>_<number>()` functions, each with `_linux()` and `_bsd()` variants. Uses whitelist logic (assumes affected unless proven otherwise)
+- **Main flow** (~line 6668): Parse options → detect CPU → loop through requested CVEs → output results (text/json/nrpe/prometheus) → cleanup
+
+## Key Design Principles
+
+These rules are non-negotiable and govern how every part of the script is written:
+
+### 1. Production-safe
+
+It must always be okay to run this script in a production environment.
+
+- **1a. Non-destructive**: Never modify the system. If the script loads a kernel module it needs (e.g. `cpuid`, `msr`), it must unload it on exit.
+- **1b. Report only**: Never attempt to "fix" or "mitigate" any vulnerability, or modify any configuration. The script reports status and leaves all decisions to the sysadmin.
+- **1c. No exploit execution**: Never run any kind of exploit or proof-of-concept. This would violate rule 1a, could cause unpredictable system behavior, and may produce wrong conclusions (especially for Spectre-class PoCs that require very specific build options and prerequisites).
+
+### 2. Never hardcode kernel versions
+
+Never look at the kernel version string to determine whether it supports a mitigation. This would defeat the script's purpose: it must detect mitigations in unknown, vendor-patched, or backported kernels. Similarly, do not blindly trust what `sysfs` reports when it is possible to verify directly.
+
+### 3. Never hardcode microcode versions
+
+Never look at the microcode version to determine whether it has the proper mitigation mechanisms. Instead, probe for the mechanisms themselves (CPUID bits, MSR values), as the kernel would.
+
+### 4. Assume affected unless proven otherwise (whitelist approach)
+
+When a CPU is not explicitly known to be unaffected by a vulnerability, assume that it is affected. This conservative default has been the right call since the early Spectre/Meltdown days and remains sound.
+
+### 5. Offline mode
+
+The script can analyze a non-running kernel via `--kernel`, `--config`, `--map` flags, allowing verification before deployment.
+
+## CVE Inclusion Criteria
+
+A vulnerability should be supported by this tool when mitigating it requires **kernel modifications**, **microcode modifications**, or **both**.
+
+A vulnerability is **out of scope** when:
+
+- Mitigation is handled entirely by a driver or userspace software update (e.g. CVE-2019-14615, which requires an Intel driver update).
+- The vulnerability is a regression from a bad backport and cannot be detected without hardcoding kernel versions (violates rule 2).
+- The vendor has determined it is not a new attack and issued no kernel or microcode changes, leaving nothing for the script to check.
+- The industry has collectively decided not to address the vulnerability (no mitigations exist), leaving nothing to verify.
+
+When evaluating whether to add a new CVE, check the [information-tagged issues](https://github.com/speed47/spectre-meltdown-checker/issues?q=is%3Aissue+label%3Ainformation) for prior discussion and precedent.
+
+## POSIX Compliance
+
+The script must run on both Linux and BSD systems (FreeBSD, NetBSD, DragonFlyBSD). This means all external tool invocations must use only POSIX-specified options. Many tools have GNU extensions that are not available on BSD, or BSD extensions that are not available on GNU/Linux. When in doubt, test on both.
+
+Common traps to avoid:
+
+| Tool | Non-portable usage | Portable alternative |
+|------|--------------------|----------------------|
+| `sed` | `-r` (GNU extended regex flag) | `-E` (accepted by both GNU and BSD) |
+| `grep` | `-P` (Perl regex, GNU only) | Use `awk` or rework the pattern |
+| `sort` | `-V` (version sort, GNU only) | Extract numeric fields and compare with `awk` or shell arithmetic |
+| `cut` | `-w` (whitespace delimiter, BSD only) | `awk '{print $N}'` |
+| `stat` | `-c %Y` (GNU format) | Try GNU first, fall back to BSD: `stat -c %Y ... 2>/dev/null \|\| stat -f %m ...` |
+| `date` | `-d @timestamp` (GNU only) | Try GNU first, fall back to BSD: `date -d @ts ... 2>/dev/null \|\| date -r ts ...` |
+| `xargs` | `-r` (no-op if empty, GNU only) | Guard with a prior `[ -n "..." ]` check, or accept the harmless empty invocation |
+| `readlink` | `-f` (canonicalize, GNU only) | Use only in Linux-specific code paths, or reimplement with `cd`/`pwd` |
+| `dd` | `iflag=`, `oflag=` (GNU only) | Use only in Linux-specific code paths (e.g. `/dev/cpu/*/msr`) |
+
+When a tool genuinely has no portable equivalent, restrict the non-portable call to a platform-specific code path (i.e. inside a BSD-only or Linux-only branch) and document why.
+
+## Return Codes
+
+0 = not vulnerable, 2 = vulnerable, 3 = unknown, 255 = error
+
+## Variable naming conventions
+
+This script uses the following naming rules for variables:
+
+`UPPER_SNAKE_CASE`  : Constants and enums (e.g. READ_MSR_RET_OK, EAX), declared with `readonly` on the assignment line (e.g. `readonly FOO="bar"`).
+                      When they're used as values affected to "Out-parameters" of a function, they should follow the `<FUNC>_RET_*` pattern.
+                      Such variables should be declared right above the definition of the function they're dedicated to.
+                      Other general constants go at the top of the file, below the `VERSION` affectation.
+`opt_*`             : Command-line options set during argument parsing (e.g. opt_verbose, opt_batch).
+`cpu_*`             : CPU identification/state filled by parse_cpu_details() (e.g. cpu_family, cpu_model).
+`cap_*`             : CPU capability flags read from hardware/firmware (e.g. cap_verw_clear, cap_rdcl_no).
+                      All `cap_*` variables are set in `check_cpu()`. They come in two flavors:
+                      - **Immunity bits** (`cap_*_no`): The CPU vendor declares this hardware is not affected by a vulnerability.
+                        The `_no` suffix mirrors the vendor's own bit naming (e.g. RDCL_NO, GDS_NO, TSA_SQ_NO).
+                        These are consumed in `is_cpu_affected()` to mark a CPU as immune.
+                      - **Mitigation bits** (all other `cap_*`): Microcode or hardware provides a mechanism to work around
+                        a vulnerability the CPU *does* have (e.g. cap_verw_clear, cap_ibrs, cap_ssbd).
+                        These are consumed in `check_CVE_*_linux()` functions to assess mitigation status.
+`affected_*`        : Per-CVE vulnerability status from is_cpu_affected() (e.g. affected_l1tf).
+`ret_<func>_*`      : "Out-parameters" set by a function for its caller (e.g. ret_read_cpuid_value, ret_read_msr_msg).
+                        The <func> matches the function name so ownership is obvious, these variables can't be written
+                        to by any other function than <func>, nor by toplevel.
+`g_*`               : Other global (i.e. non-`local`) variables that don't match cases previously described.
+`<name>`            : Scratch/temporary variables inside functions (e.g. core, msg, col).
+                        These must be declared as `local`. These must not match any naming pattern above.
+                        Any variable that is only used in the scope of a given function falls in this category.
+
+Additionally, all vars must start with a [a-z] character, never by an underscore.
+
+## Function naming conventions
+
+Functions follow two naming tiers:
+
+`public_function`   : Top-level functions called directly from the main flow or from other public functions.
+                      Examples: `parse_cpu_details`, `read_cpuid`, `check_CVE_2017_5754`.
+
+`_private_function` : Utility/helper functions that exist solely to factorize code shared by other functions.
+                      These must never be called directly from the top-level main flow.
+                      Examples: `_echo`, `_emit_json`, `_cve_registry_field`.
+
+## How to Implement a New CVE Check
+
+Adding a new CVE follows a fixed pattern. Every check uses the same three-function structure and the same decision algorithm. This section walks through both.
+
+### Prerequisites
+
+Before writing code, verify the CVE meets the inclusion criteria (see "CVE Inclusion Criteria" above). The vulnerability must require kernel and/or microcode changes to mitigate.
+
+### Step 1: Create the Vulnerability File
+
+Create `src/vulns/CVE-YYYY-NNNNN.sh`. The file must contain exactly three functions:
+
+```sh
+# vim: set ts=4 sw=4 sts=4 et:
+####################
+# SHORT_NAME section
+
+# CVE-YYYY-NNNNN SHORT_NAME (one-line description) - entry point
+check_CVE_YYYY_NNNNN() {
+	check_cve 'CVE-YYYY-NNNNN'
+}
+
+# CVE-YYYY-NNNNN SHORT_NAME (one-line description) - Linux mitigation check
+check_CVE_YYYY_NNNNN_linux() {
+	# ... (see Step 3)
+}
+
+# CVE-YYYY-NNNNN SHORT_NAME (one-line description) - BSD mitigation check
+check_CVE_YYYY_NNNNN_bsd() {
+	if ! is_cpu_affected "$cve"; then
+		pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+	else
+		pvulnstatus "$cve" UNK "your CPU is affected, but mitigation detection has not yet been implemented for BSD in this script"
+	fi
+}
+```
+
+The entry point calls `check_cve`, which prints the CVE header and dispatches to `_linux()` or `_bsd()` based on `$g_os`. If BSD mitigations are not yet understood, use the stub above — it correctly reports UNK rather than a false OK.
+
+### Step 2: Register the CVE in the CPU Affection Logic
+
+In `src/libs/200_cpu_affected.sh`, add an `affected_yourname` variable and populate it inside `is_cpu_affected()`. The variable follows the whitelist principle: **assume affected (`1`) unless you can prove the CPU is immune (`0`)**. Two kinds of evidence can prove immunity:
+
+- **Static identifiers**: CPU vendor, family, model, stepping — these identify the hardware design.
+- **Hardware immunity `cap_*` bits**: CPUID or MSR bits that the CPU vendor defines to explicitly declare "this hardware is not affected" (e.g. `cap_rdcl_no` for Meltdown, `cap_ssb_no` for Variant 4, `cap_gds_no` for Downfall, `cap_tsa_sq_no`/`cap_tsa_l1_no` for TSA). These are read in `check_cpu()` and stored as `cap_*` globals.
+
+Never use microcode version strings.
+
+**Important**: Do not confuse hardware immunity bits with *mitigation* capability bits. A hardware immunity bit (e.g. `GDS_NO`, `TSA_SQ_NO`) declares that the CPU design is architecturally free of the vulnerability — it belongs here in `is_cpu_affected()`. A mitigation capability bit (e.g. `VERW_CLEAR`, `MD_CLEAR`) indicates that updated microcode provides a mechanism to work around a vulnerability the CPU *does* have — it belongs in the `check_CVE_YYYY_NNNNN_linux()` function (Phase 2), where it is used to determine whether mitigations are in place.
+
+### Step 3: Implement the Linux Check
+
+The `_linux()` function follows a standard algorithm with four phases:
+
+**Phase 1 — Initialize and check sysfs:**
+
+```sh
+check_CVE_YYYY_NNNNN_linux() {
+	local status sys_interface_available msg
+	status=UNK
+	sys_interface_available=0
+	msg=''
+	if sys_interface_check "$VULN_SYSFS_BASE/vuln_name"; then
+		sys_interface_available=1
+		status=$ret_sys_interface_check_status
+	fi
+```
+
+`sys_interface_check` reads `/sys/devices/system/cpu/vulnerabilities/<name>` and parses the kernel's own assessment into `ret_sys_interface_check_status` (OK/VULN/UNK) and `ret_sys_interface_check_fullmsg`. If the sysfs file doesn't exist (older kernel, or the CVE predates kernel awareness), it returns false and `sys_interface_available` stays 0.
+
+**Phase 2 — Custom detection (kernel + runtime):**
+
+Guarded by `if [ "$opt_sysfs_only" != 1 ]; then` so users who trust sysfs can skip it.
+
+This is where the real detection lives. Check for mitigations at each layer:
+
+- **Kernel support**: Determine whether the kernel carries the mitigation code. Three sources of evidence are available, and any one of them is sufficient:
+
+  - **Kernel image** (`$g_kernel`): Search for strings or symbols that prove the mitigation code is compiled in.
+    ```sh
+    if grep -q 'mitigation_string' "$g_kernel"; then
+        kernel_mitigated="found mitigation evidence in kernel image"
+    fi
+    ```
+    Guard with `if [ -n "$g_kernel_err" ]; then` first — the kernel image may be unavailable.
+
+  - **Kernel config** (`$g_kernel_config`): Look for the `CONFIG_*` option that enables the mitigation.
+    ```sh
+    if [ -n "$g_kernel_config" ] && grep -q '^CONFIG_MITIGATION_NAME=y' "$g_kernel_config"; then
+        kernel_mitigated="found mitigation config option enabled"
+    fi
+    ```
+
+  - **System.map** (`$g_kernel_map`): Look for function names directly linked to the mitigation.
+    ```sh
+    if [ -n "$g_kernel_map" ] && grep -q 'mitigation_function_name' "$g_kernel_map"; then
+        kernel_mitigated="found mitigation function in System.map"
+    fi
+    ```
+
+  Each source may independently be unavailable (offline mode without the file, or stripped kernel), so check all that are present. A match in any one confirms kernel support.
+
+- **Runtime state** (live mode only): Read MSRs, check cpuinfo flags, parse dmesg, inspect debugfs.
+  ```sh
+  if [ "$opt_live" = 1 ]; then
+      read_msr 0xADDRESS
+      ret=$?
+      if [ "$ret" = "$READ_MSR_RET_OK" ]; then
+          # check specific bits in ret_read_msr_value_lo / ret_read_msr_value_hi
+      fi
+  else
+      pstatus blue N/A "not testable in offline mode"
+  fi
+  ```
+
+- **Microcode capabilities**: Check CPUID bits or MSR flags that indicate the CPU firmware supports the mitigation. Never compare microcode version numbers directly.
+
+Close the `opt_sysfs_only` block with the forced-sysfs fallback:
+```sh
+	elif [ "$sys_interface_available" = 0 ]; then
+		msg="/sys vulnerability interface use forced, but it's not available!"
+		status=UNK
+	fi
+```
+
+**Phase 3 — CPU affection gate:**
+
+```sh
+	if ! is_cpu_affected "$cve"; then
+		pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+```
+
+If the CPU is not affected, nothing else matters — report OK and return. This overrides any sysfs or custom detection result.
+
+**Phase 4 — Final status determination:**
+
+For affected CPUs, combine the evidence from Phase 2 into a final verdict:
+
+```sh
+	elif [ "$opt_sysfs_only" != 1 ]; then
+		if [ "$microcode_ok" = 1 ] && [ -n "$kernel_mitigated" ]; then
+			pvulnstatus "$cve" OK "Both kernel and microcode mitigate the vulnerability"
+		elif [ "$microcode_ok" = 1 ]; then
+			pvulnstatus "$cve" OK "Microcode mitigates the vulnerability"
+		elif [ -n "$kernel_mitigated" ]; then
+			pvulnstatus "$cve" OK "Kernel mitigates the vulnerability"
+		else
+			pvulnstatus "$cve" VULN "Neither kernel nor microcode mitigate the vulnerability"
+			explain "Remediation advice here..."
+		fi
+	else
+		pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
+	fi
+}
+```
+
+The exact combination logic depends on the CVE. Some require **both** microcode and kernel fixes (report VULN if either is missing). Others are mitigated by **either** layer alone (report OK if one is present). Some also require SMT to be disabled — check with `is_cpu_smt_enabled()`.
+
+### Cross-Cutting Features
+
+Several command-line options affect the logic inside `_linux()` checks. New CVE implementations must account for them where relevant.
+
+#### `--explain` (`opt_explain`)
+
+When the user passes `--explain`, the `explain()` function prints actionable "How to fix" remediation advice. Call `explain` whenever reporting a VULN status, so the user knows what concrete steps to take:
+
+```sh
+pvulnstatus "$cve" VULN "Neither kernel nor microcode mitigate the vulnerability"
+explain "Update your kernel to a version that includes the mitigation, and update your CPU microcode. If you are using a distro, make sure you are up to date."
+```
+
+The text should be specific: mention kernel parameters to set (`nosmt`), sysctl knobs to toggle, or which component needs updating. If SMT must be disabled, say so explicitly. Multiple `explain` calls can be made for different failure paths, each tailored to the specific gap found. `explain` is a no-op when `--explain` was not passed, so it is always safe to call.
+
+#### `--paranoid` (`opt_paranoid`)
+
+Paranoid mode raises the bar for what counts as "mitigated". In normal mode, conditional mitigations or partial defenses may be accepted as sufficient. In paranoid mode, only the **maximum security configuration** qualifies as OK.
+
+The most common effect is requiring SMT (Hyper-Threading) to be disabled. For example, MDS and TAA mitigations are considered incomplete in paranoid mode if SMT is still enabled, because a sibling thread could still exploit the vulnerability:
+
+```sh
+if [ "$opt_paranoid" != 1 ] || [ "$kernel_smt_allowed" = 0 ]; then
+    pvulnstatus "$cve" OK "Microcode and kernel mitigate the vulnerability"
+else
+    pvulnstatus "$cve" VULN "Mitigation is active but SMT must be disabled for full protection"
+fi
+```
+
+Other paranoid-mode effects include requiring unconditional (rather than conditional) L1D flushing, or requiring TSX to be fully disabled. When implementing a new CVE, consider whether there is a stricter configuration that paranoid mode should enforce and add the appropriate `opt_paranoid` branches.
+
+#### `--vmm` (`opt_vmm`)
+
+The `--vmm` option tells the script whether the system is a hypervisor host running untrusted virtual machines. It accepts three values: `auto` (default, auto-detect by looking for `qemu`/`kvm`/`xen` processes), `yes` (force hypervisor mode), or `no` (force non-hypervisor mode). The result is stored in `g_has_vmm` by the `check_has_vmm()` function.
+
+Some vulnerabilities (e.g. L1TF/CVE-2018-3646, ITLBMH/CVE-2018-12207) only matter — or require additional mitigations — when the host is running a hypervisor with untrusted guests. If `g_has_vmm` is 0, the system can be reported as not vulnerable to these VMM-specific aspects:
+
+```sh
+if [ "$g_has_vmm" = 0 ]; then
+    pvulnstatus "$cve" OK "this system is not running a hypervisor"
+else
+    # check hypervisor-specific mitigations (L1D flushing, EPT, etc.)
+fi
+```
+
+CVEs that need VMM context should call `check_has_vmm` early in their `_linux()` function. Note the interaction with paranoid mode: when `--paranoid` is active and `--vmm` was not explicitly set, the script assumes a hypervisor is present (`g_has_vmm=2`), erring on the side of caution.
+
+### Step 4: Wire Up and Test
+
+1. **Add the CVE name mapping** in the `cve2name()` function so the header prints a human-readable name.
+2. **Build** the monolithic script with `make`.
+3. **Test live**: Run the built script and confirm your CVE appears in the output and reports a sensible status.
+4. **Test batch JSON**: Run with `--batch json` and verify the CVE count incremented by one (currently 19 → 20).
+5. **Test offline**: Run with `--kernel`/`--config`/`--map` pointing to a kernel image and verify the offline code path reports correctly.
+6. **Lint**: Run `shellcheck` on the monolithic script and fix any warnings.
+7. **Update `dist/README.md`**: Add details about the new CVE check (name, description, what it detects) so that the user-facing documentation stays in sync with the implementation.
+
+### Key Rules to Remember
+
+- **Never hardcode kernel or microcode versions** — detect capabilities directly (design principles 2 and 3).
+- **Assume affected by default** — only mark a CPU as unaffected when there is positive evidence (design principle 4).
+- **Always handle both live and offline modes** — use `$opt_live` to branch, and print `N/A "not testable in offline mode"` for runtime-only checks when offline.
+- **Use `explain()`** when reporting VULN to give actionable remediation advice (see "Cross-Cutting Features" above).
+- **Handle `--paranoid` and `--vmm`** when the CVE has stricter mitigation tiers or VMM-specific aspects (see "Cross-Cutting Features" above).
+- **All indentation must use tabs** (CI enforces this).
+- **Stay POSIX-compatible** — no bashisms, no GNU-only flags in portable code paths.
+
+## Function documentation headers
+
+Every function must have a documentation header immediately above its definition. The format is:
+
+```sh
+# <short description of what the function does>
+# Sets: <comma-separated list of global variables written by this function>
+# Returns: <return value constants or description>
+<function_name>()
+{
+```
+
+**Header lines** (all optional except the description):
+
+| Line         | When to include | Example |
+|--------------|-----------------|---------|
+| Description  | Always          | `# Read CPUID register value across one or all cores` |
+| `# Args:`    | When the function takes positional parameters | `# Args: $1=msr_address $2=cpu_index(optional, default 0)` |
+| `# Sets:`    | When the function writes any `ret_*` or other global variable | `# Sets: ret_read_cpuid_value, ret_read_cpuid_msg` |
+| `# Returns:` | When the function uses explicit return codes (constants) | `# Returns: READ_CPUID_RET_OK \| READ_CPUID_RET_ERR \| READ_CPUID_RET_KO` |
+| `# Callers:` | **Required** for `_private` (underscore-prefixed) functions | `# Callers: pvulnstatus, pstatus` |
+
+**Rules:**
+
+- The `# Sets:` line is critical — it makes global side effects explicit so any reviewer can immediately see what a function mutates.
+- The `# Callers:` line is required for all `_`-prefixed functions. It documents which functions depend on this helper, making it safe to refactor.
+- Keep descriptions to one line when possible. If more context is needed, add continuation comment lines before the structured lines.
+- Parameter documentation uses `$1=name` format. Append `(optional, default X)` for optional parameters.
+
+**Full example:**
+
+```sh
+# Read a single MSR register on one CPU core
+# Args: $1=msr_address $2=cpu_index(optional, default 0)
+# Sets: ret_read_msr_value, ret_read_msr_msg
+# Returns: READ_MSR_RET_OK | READ_MSR_RET_ERR | READ_MSR_RET_KO
+read_msr()
+{
+```
+
+**Private function example:**
+
+```sh
+# Emit a single CVE result as a JSON object to the batch output buffer
+# Args: $1=cve_id $2=status $3=message
+# Callers: _record_result
+_emit_json()
+{
+```
--- a/674
+++ b/674
@@ -1,674 +0,0 @@
-                    GNU GENERAL PUBLIC LICENSE
-                       Version 3, 29 June 2007
-
- Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
-                            Preamble
-
-  The GNU General Public License is a free, copyleft license for
-software and other kinds of works.
-
-  The licenses for most software and other practical works are designed
-to take away your freedom to share and change the works.  By contrast,
-the GNU General Public License is intended to guarantee your freedom to
-share and change all versions of a program--to make sure it remains free
-software for all its users.  We, the Free Software Foundation, use the
-GNU General Public License for most of our software; it applies also to
-any other work released this way by its authors.  You can apply it to
-your programs, too.
-
-  When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-them if you wish), that you receive source code or can get it if you
-want it, that you can change the software or use pieces of it in new
-free programs, and that you know you can do these things.
-
-  To protect your rights, we need to prevent others from denying you
-these rights or asking you to surrender the rights.  Therefore, you have
-certain responsibilities if you distribute copies of the software, or if
-you modify it: responsibilities to respect the freedom of others.
-
-  For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must pass on to the recipients the same
-freedoms that you received.  You must make sure that they, too, receive
-or can get the source code.  And you must show them these terms so they
-know their rights.
-
-  Developers that use the GNU GPL protect your rights with two steps:
-(1) assert copyright on the software, and (2) offer you this License
-giving you legal permission to copy, distribute and/or modify it.
-
-  For the developers' and authors' protection, the GPL clearly explains
-that there is no warranty for this free software.  For both users' and
-authors' sake, the GPL requires that modified versions be marked as
-changed, so that their problems will not be attributed erroneously to
-authors of previous versions.
-
-  Some devices are designed to deny users access to install or run
-modified versions of the software inside them, although the manufacturer
-can do so.  This is fundamentally incompatible with the aim of
-protecting users' freedom to change the software.  The systematic
-pattern of such abuse occurs in the area of products for individuals to
-use, which is precisely where it is most unacceptable.  Therefore, we
-have designed this version of the GPL to prohibit the practice for those
-products.  If such problems arise substantially in other domains, we
-stand ready to extend this provision to those domains in future versions
-of the GPL, as needed to protect the freedom of users.
-
-  Finally, every program is threatened constantly by software patents.
-States should not allow patents to restrict development and use of
-software on general-purpose computers, but in those that do, we wish to
-avoid the special danger that patents applied to a free program could
-make it effectively proprietary.  To prevent this, the GPL assures that
-patents cannot be used to render the program non-free.
-
-  The precise terms and conditions for copying, distribution and
-modification follow.
-
-                       TERMS AND CONDITIONS
-
-  0. Definitions.
-
-  "This License" refers to version 3 of the GNU General Public License.
-
-  "Copyright" also means copyright-like laws that apply to other kinds of
-works, such as semiconductor masks.
-
-  "The Program" refers to any copyrightable work licensed under this
-License.  Each licensee is addressed as "you".  "Licensees" and
-"recipients" may be individuals or organizations.
-
-  To "modify" a work means to copy from or adapt all or part of the work
-in a fashion requiring copyright permission, other than the making of an
-exact copy.  The resulting work is called a "modified version" of the
-earlier work or a work "based on" the earlier work.
-
-  A "covered work" means either the unmodified Program or a work based
-on the Program.
-
-  To "propagate" a work means to do anything with it that, without
-permission, would make you directly or secondarily liable for
-infringement under applicable copyright law, except executing it on a
-computer or modifying a private copy.  Propagation includes copying,
-distribution (with or without modification), making available to the
-public, and in some countries other activities as well.
-
-  To "convey" a work means any kind of propagation that enables other
-parties to make or receive copies.  Mere interaction with a user through
-a computer network, with no transfer of a copy, is not conveying.
-
-  An interactive user interface displays "Appropriate Legal Notices"
-to the extent that it includes a convenient and prominently visible
-feature that (1) displays an appropriate copyright notice, and (2)
-tells the user that there is no warranty for the work (except to the
-extent that warranties are provided), that licensees may convey the
-work under this License, and how to view a copy of this License.  If
-the interface presents a list of user commands or options, such as a
-menu, a prominent item in the list meets this criterion.
-
-  1. Source Code.
-
-  The "source code" for a work means the preferred form of the work
-for making modifications to it.  "Object code" means any non-source
-form of a work.
-
-  A "Standard Interface" means an interface that either is an official
-standard defined by a recognized standards body, or, in the case of
-interfaces specified for a particular programming language, one that
-is widely used among developers working in that language.
-
-  The "System Libraries" of an executable work include anything, other
-than the work as a whole, that (a) is included in the normal form of
-packaging a Major Component, but which is not part of that Major
-Component, and (b) serves only to enable use of the work with that
-Major Component, or to implement a Standard Interface for which an
-implementation is available to the public in source code form.  A
-"Major Component", in this context, means a major essential component
-(kernel, window system, and so on) of the specific operating system
-(if any) on which the executable work runs, or a compiler used to
-produce the work, or an object code interpreter used to run it.
-
-  The "Corresponding Source" for a work in object code form means all
-the source code needed to generate, install, and (for an executable
-work) run the object code and to modify the work, including scripts to
-control those activities.  However, it does not include the work's
-System Libraries, or general-purpose tools or generally available free
-programs which are used unmodified in performing those activities but
-which are not part of the work.  For example, Corresponding Source
-includes interface definition files associated with source files for
-the work, and the source code for shared libraries and dynamically
-linked subprograms that the work is specifically designed to require,
-such as by intimate data communication or control flow between those
-subprograms and other parts of the work.
-
-  The Corresponding Source need not include anything that users
-can regenerate automatically from other parts of the Corresponding
-Source.
-
-  The Corresponding Source for a work in source code form is that
-same work.
-
-  2. Basic Permissions.
-
-  All rights granted under this License are granted for the term of
-copyright on the Program, and are irrevocable provided the stated
-conditions are met.  This License explicitly affirms your unlimited
-permission to run the unmodified Program.  The output from running a
-covered work is covered by this License only if the output, given its
-content, constitutes a covered work.  This License acknowledges your
-rights of fair use or other equivalent, as provided by copyright law.
-
-  You may make, run and propagate covered works that you do not
-convey, without conditions so long as your license otherwise remains
-in force.  You may convey covered works to others for the sole purpose
-of having them make modifications exclusively for you, or provide you
-with facilities for running those works, provided that you comply with
-the terms of this License in conveying all material for which you do
-not control copyright.  Those thus making or running the covered works
-for you must do so exclusively on your behalf, under your direction
-and control, on terms that prohibit them from making any copies of
-your copyrighted material outside their relationship with you.
-
-  Conveying under any other circumstances is permitted solely under
-the conditions stated below.  Sublicensing is not allowed; section 10
-makes it unnecessary.
-
-  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
-
-  No covered work shall be deemed part of an effective technological
-measure under any applicable law fulfilling obligations under article
-11 of the WIPO copyright treaty adopted on 20 December 1996, or
-similar laws prohibiting or restricting circumvention of such
-measures.
-
-  When you convey a covered work, you waive any legal power to forbid
-circumvention of technological measures to the extent such circumvention
-is effected by exercising rights under this License with respect to
-the covered work, and you disclaim any intention to limit operation or
-modification of the work as a means of enforcing, against the work's
-users, your or third parties' legal rights to forbid circumvention of
-technological measures.
-
-  4. Conveying Verbatim Copies.
-
-  You may convey verbatim copies of the Program's source code as you
-receive it, in any medium, provided that you conspicuously and
-appropriately publish on each copy an appropriate copyright notice;
-keep intact all notices stating that this License and any
-non-permissive terms added in accord with section 7 apply to the code;
-keep intact all notices of the absence of any warranty; and give all
-recipients a copy of this License along with the Program.
-
-  You may charge any price or no price for each copy that you convey,
-and you may offer support or warranty protection for a fee.
-
-  5. Conveying Modified Source Versions.
-
-  You may convey a work based on the Program, or the modifications to
-produce it from the Program, in the form of source code under the
-terms of section 4, provided that you also meet all of these conditions:
-
-    a) The work must carry prominent notices stating that you modified
-    it, and giving a relevant date.
-
-    b) The work must carry prominent notices stating that it is
-    released under this License and any conditions added under section
-    7.  This requirement modifies the requirement in section 4 to
-    "keep intact all notices".
-
-    c) You must license the entire work, as a whole, under this
-    License to anyone who comes into possession of a copy.  This
-    License will therefore apply, along with any applicable section 7
-    additional terms, to the whole of the work, and all its parts,
-    regardless of how they are packaged.  This License gives no
-    permission to license the work in any other way, but it does not
-    invalidate such permission if you have separately received it.
-
-    d) If the work has interactive user interfaces, each must display
-    Appropriate Legal Notices; however, if the Program has interactive
-    interfaces that do not display Appropriate Legal Notices, your
-    work need not make them do so.
-
-  A compilation of a covered work with other separate and independent
-works, which are not by their nature extensions of the covered work,
-and which are not combined with it such as to form a larger program,
-in or on a volume of a storage or distribution medium, is called an
-"aggregate" if the compilation and its resulting copyright are not
-used to limit the access or legal rights of the compilation's users
-beyond what the individual works permit.  Inclusion of a covered work
-in an aggregate does not cause this License to apply to the other
-parts of the aggregate.
-
-  6. Conveying Non-Source Forms.
-
-  You may convey a covered work in object code form under the terms
-of sections 4 and 5, provided that you also convey the
-machine-readable Corresponding Source under the terms of this License,
-in one of these ways:
-
-    a) Convey the object code in, or embodied in, a physical product
-    (including a physical distribution medium), accompanied by the
-    Corresponding Source fixed on a durable physical medium
-    customarily used for software interchange.
-
-    b) Convey the object code in, or embodied in, a physical product
-    (including a physical distribution medium), accompanied by a
-    written offer, valid for at least three years and valid for as
-    long as you offer spare parts or customer support for that product
-    model, to give anyone who possesses the object code either (1) a
-    copy of the Corresponding Source for all the software in the
-    product that is covered by this License, on a durable physical
-    medium customarily used for software interchange, for a price no
-    more than your reasonable cost of physically performing this
-    conveying of source, or (2) access to copy the
-    Corresponding Source from a network server at no charge.
-
-    c) Convey individual copies of the object code with a copy of the
-    written offer to provide the Corresponding Source.  This
-    alternative is allowed only occasionally and noncommercially, and
-    only if you received the object code with such an offer, in accord
-    with subsection 6b.
-
-    d) Convey the object code by offering access from a designated
-    place (gratis or for a charge), and offer equivalent access to the
-    Corresponding Source in the same way through the same place at no
-    further charge.  You need not require recipients to copy the
-    Corresponding Source along with the object code.  If the place to
-    copy the object code is a network server, the Corresponding Source
-    may be on a different server (operated by you or a third party)
-    that supports equivalent copying facilities, provided you maintain
-    clear directions next to the object code saying where to find the
-    Corresponding Source.  Regardless of what server hosts the
-    Corresponding Source, you remain obligated to ensure that it is
-    available for as long as needed to satisfy these requirements.
-
-    e) Convey the object code using peer-to-peer transmission, provided
-    you inform other peers where the object code and Corresponding
-    Source of the work are being offered to the general public at no
-    charge under subsection 6d.
-
-  A separable portion of the object code, whose source code is excluded
-from the Corresponding Source as a System Library, need not be
-included in conveying the object code work.
-
-  A "User Product" is either (1) a "consumer product", which means any
-tangible personal property which is normally used for personal, family,
-or household purposes, or (2) anything designed or sold for incorporation
-into a dwelling.  In determining whether a product is a consumer product,
-doubtful cases shall be resolved in favor of coverage.  For a particular
-product received by a particular user, "normally used" refers to a
-typical or common use of that class of product, regardless of the status
-of the particular user or of the way in which the particular user
-actually uses, or expects or is expected to use, the product.  A product
-is a consumer product regardless of whether the product has substantial
-commercial, industrial or non-consumer uses, unless such uses represent
-the only significant mode of use of the product.
-
-  "Installation Information" for a User Product means any methods,
-procedures, authorization keys, or other information required to install
-and execute modified versions of a covered work in that User Product from
-a modified version of its Corresponding Source.  The information must
-suffice to ensure that the continued functioning of the modified object
-code is in no case prevented or interfered with solely because
-modification has been made.
-
-  If you convey an object code work under this section in, or with, or
-specifically for use in, a User Product, and the conveying occurs as
-part of a transaction in which the right of possession and use of the
-User Product is transferred to the recipient in perpetuity or for a
-fixed term (regardless of how the transaction is characterized), the
-Corresponding Source conveyed under this section must be accompanied
-by the Installation Information.  But this requirement does not apply
-if neither you nor any third party retains the ability to install
-modified object code on the User Product (for example, the work has
-been installed in ROM).
-
-  The requirement to provide Installation Information does not include a
-requirement to continue to provide support service, warranty, or updates
-for a work that has been modified or installed by the recipient, or for
-the User Product in which it has been modified or installed.  Access to a
-network may be denied when the modification itself materially and
-adversely affects the operation of the network or violates the rules and
-protocols for communication across the network.
-
-  Corresponding Source conveyed, and Installation Information provided,
-in accord with this section must be in a format that is publicly
-documented (and with an implementation available to the public in
-source code form), and must require no special password or key for
-unpacking, reading or copying.
-
-  7. Additional Terms.
-
-  "Additional permissions" are terms that supplement the terms of this
-License by making exceptions from one or more of its conditions.
-Additional permissions that are applicable to the entire Program shall
-be treated as though they were included in this License, to the extent
-that they are valid under applicable law.  If additional permissions
-apply only to part of the Program, that part may be used separately
-under those permissions, but the entire Program remains governed by
-this License without regard to the additional permissions.
-
-  When you convey a copy of a covered work, you may at your option
-remove any additional permissions from that copy, or from any part of
-it.  (Additional permissions may be written to require their own
-removal in certain cases when you modify the work.)  You may place
-additional permissions on material, added by you to a covered work,
-for which you have or can give appropriate copyright permission.
-
-  Notwithstanding any other provision of this License, for material you
-add to a covered work, you may (if authorized by the copyright holders of
-that material) supplement the terms of this License with terms:
-
-    a) Disclaiming warranty or limiting liability differently from the
-    terms of sections 15 and 16 of this License; or
-
-    b) Requiring preservation of specified reasonable legal notices or
-    author attributions in that material or in the Appropriate Legal
-    Notices displayed by works containing it; or
-
-    c) Prohibiting misrepresentation of the origin of that material, or
-    requiring that modified versions of such material be marked in
-    reasonable ways as different from the original version; or
-
-    d) Limiting the use for publicity purposes of names of licensors or
-    authors of the material; or
-
-    e) Declining to grant rights under trademark law for use of some
-    trade names, trademarks, or service marks; or
-
-    f) Requiring indemnification of licensors and authors of that
-    material by anyone who conveys the material (or modified versions of
-    it) with contractual assumptions of liability to the recipient, for
-    any liability that these contractual assumptions directly impose on
-    those licensors and authors.
-
-  All other non-permissive additional terms are considered "further
-restrictions" within the meaning of section 10.  If the Program as you
-received it, or any part of it, contains a notice stating that it is
-governed by this License along with a term that is a further
-restriction, you may remove that term.  If a license document contains
-a further restriction but permits relicensing or conveying under this
-License, you may add to a covered work material governed by the terms
-of that license document, provided that the further restriction does
-not survive such relicensing or conveying.
-
-  If you add terms to a covered work in accord with this section, you
-must place, in the relevant source files, a statement of the
-additional terms that apply to those files, or a notice indicating
-where to find the applicable terms.
-
-  Additional terms, permissive or non-permissive, may be stated in the
-form of a separately written license, or stated as exceptions;
-the above requirements apply either way.
-
-  8. Termination.
-
-  You may not propagate or modify a covered work except as expressly
-provided under this License.  Any attempt otherwise to propagate or
-modify it is void, and will automatically terminate your rights under
-this License (including any patent licenses granted under the third
-paragraph of section 11).
-
-  However, if you cease all violation of this License, then your
-license from a particular copyright holder is reinstated (a)
-provisionally, unless and until the copyright holder explicitly and
-finally terminates your license, and (b) permanently, if the copyright
-holder fails to notify you of the violation by some reasonable means
-prior to 60 days after the cessation.
-
-  Moreover, your license from a particular copyright holder is
-reinstated permanently if the copyright holder notifies you of the
-violation by some reasonable means, this is the first time you have
-received notice of violation of this License (for any work) from that
-copyright holder, and you cure the violation prior to 30 days after
-your receipt of the notice.
-
-  Termination of your rights under this section does not terminate the
-licenses of parties who have received copies or rights from you under
-this License.  If your rights have been terminated and not permanently
-reinstated, you do not qualify to receive new licenses for the same
-material under section 10.
-
-  9. Acceptance Not Required for Having Copies.
-
-  You are not required to accept this License in order to receive or
-run a copy of the Program.  Ancillary propagation of a covered work
-occurring solely as a consequence of using peer-to-peer transmission
-to receive a copy likewise does not require acceptance.  However,
-nothing other than this License grants you permission to propagate or
-modify any covered work.  These actions infringe copyright if you do
-not accept this License.  Therefore, by modifying or propagating a
-covered work, you indicate your acceptance of this License to do so.
-
-  10. Automatic Licensing of Downstream Recipients.
-
-  Each time you convey a covered work, the recipient automatically
-receives a license from the original licensors, to run, modify and
-propagate that work, subject to this License.  You are not responsible
-for enforcing compliance by third parties with this License.
-
-  An "entity transaction" is a transaction transferring control of an
-organization, or substantially all assets of one, or subdividing an
-organization, or merging organizations.  If propagation of a covered
-work results from an entity transaction, each party to that
-transaction who receives a copy of the work also receives whatever
-licenses to the work the party's predecessor in interest had or could
-give under the previous paragraph, plus a right to possession of the
-Corresponding Source of the work from the predecessor in interest, if
-the predecessor has it or can get it with reasonable efforts.
-
-  You may not impose any further restrictions on the exercise of the
-rights granted or affirmed under this License.  For example, you may
-not impose a license fee, royalty, or other charge for exercise of
-rights granted under this License, and you may not initiate litigation
-(including a cross-claim or counterclaim in a lawsuit) alleging that
-any patent claim is infringed by making, using, selling, offering for
-sale, or importing the Program or any portion of it.
-
-  11. Patents.
-
-  A "contributor" is a copyright holder who authorizes use under this
-License of the Program or a work on which the Program is based.  The
-work thus licensed is called the contributor's "contributor version".
-
-  A contributor's "essential patent claims" are all patent claims
-owned or controlled by the contributor, whether already acquired or
-hereafter acquired, that would be infringed by some manner, permitted
-by this License, of making, using, or selling its contributor version,
-but do not include claims that would be infringed only as a
-consequence of further modification of the contributor version.  For
-purposes of this definition, "control" includes the right to grant
-patent sublicenses in a manner consistent with the requirements of
-this License.
-
-  Each contributor grants you a non-exclusive, worldwide, royalty-free
-patent license under the contributor's essential patent claims, to
-make, use, sell, offer for sale, import and otherwise run, modify and
-propagate the contents of its contributor version.
-
-  In the following three paragraphs, a "patent license" is any express
-agreement or commitment, however denominated, not to enforce a patent
-(such as an express permission to practice a patent or covenant not to
-sue for patent infringement).  To "grant" such a patent license to a
-party means to make such an agreement or commitment not to enforce a
-patent against the party.
-
-  If you convey a covered work, knowingly relying on a patent license,
-and the Corresponding Source of the work is not available for anyone
-to copy, free of charge and under the terms of this License, through a
-publicly available network server or other readily accessible means,
-then you must either (1) cause the Corresponding Source to be so
-available, or (2) arrange to deprive yourself of the benefit of the
-patent license for this particular work, or (3) arrange, in a manner
-consistent with the requirements of this License, to extend the patent
-license to downstream recipients.  "Knowingly relying" means you have
-actual knowledge that, but for the patent license, your conveying the
-covered work in a country, or your recipient's use of the covered work
-in a country, would infringe one or more identifiable patents in that
-country that you have reason to believe are valid.
-
-  If, pursuant to or in connection with a single transaction or
-arrangement, you convey, or propagate by procuring conveyance of, a
-covered work, and grant a patent license to some of the parties
-receiving the covered work authorizing them to use, propagate, modify
-or convey a specific copy of the covered work, then the patent license
-you grant is automatically extended to all recipients of the covered
-work and works based on it.
-
-  A patent license is "discriminatory" if it does not include within
-the scope of its coverage, prohibits the exercise of, or is
-conditioned on the non-exercise of one or more of the rights that are
-specifically granted under this License.  You may not convey a covered
-work if you are a party to an arrangement with a third party that is
-in the business of distributing software, under which you make payment
-to the third party based on the extent of your activity of conveying
-the work, and under which the third party grants, to any of the
-parties who would receive the covered work from you, a discriminatory
-patent license (a) in connection with copies of the covered work
-conveyed by you (or copies made from those copies), or (b) primarily
-for and in connection with specific products or compilations that
-contain the covered work, unless you entered into that arrangement,
-or that patent license was granted, prior to 28 March 2007.
-
-  Nothing in this License shall be construed as excluding or limiting
-any implied license or other defenses to infringement that may
-otherwise be available to you under applicable patent law.
-
-  12. No Surrender of Others' Freedom.
-
-  If conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License.  If you cannot convey a
-covered work so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you may
-not convey it at all.  For example, if you agree to terms that obligate you
-to collect a royalty for further conveying from those to whom you convey
-the Program, the only way you could satisfy both those terms and this
-License would be to refrain entirely from conveying the Program.
-
-  13. Use with the GNU Affero General Public License.
-
-  Notwithstanding any other provision of this License, you have
-permission to link or combine any covered work with a work licensed
-under version 3 of the GNU Affero General Public License into a single
-combined work, and to convey the resulting work.  The terms of this
-License will continue to apply to the part which is the covered work,
-but the special requirements of the GNU Affero General Public License,
-section 13, concerning interaction through a network will apply to the
-combination as such.
-
-  14. Revised Versions of this License.
-
-  The Free Software Foundation may publish revised and/or new versions of
-the GNU General Public License from time to time.  Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-  Each version is given a distinguishing version number.  If the
-Program specifies that a certain numbered version of the GNU General
-Public License "or any later version" applies to it, you have the
-option of following the terms and conditions either of that numbered
-version or of any later version published by the Free Software
-Foundation.  If the Program does not specify a version number of the
-GNU General Public License, you may choose any version ever published
-by the Free Software Foundation.
-
-  If the Program specifies that a proxy can decide which future
-versions of the GNU General Public License can be used, that proxy's
-public statement of acceptance of a version permanently authorizes you
-to choose that version for the Program.
-
-  Later license versions may give you additional or different
-permissions.  However, no additional obligations are imposed on any
-author or copyright holder as a result of your choosing to follow a
-later version.
-
-  15. Disclaimer of Warranty.
-
-  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
-APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
-HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
-OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
-THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
-IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
-ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
-
-  16. Limitation of Liability.
-
-  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
-THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
-GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
-USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
-DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
-PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
-EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGES.
-
-  17. Interpretation of Sections 15 and 16.
-
-  If the disclaimer of warranty and limitation of liability provided
-above cannot be given local legal effect according to their terms,
-reviewing courts shall apply local law that most closely approximates
-an absolute waiver of all civil liability in connection with the
-Program, unless a warranty or assumption of liability accompanies a
-copy of the Program in return for a fee.
-
-                     END OF TERMS AND CONDITIONS
-
-            How to Apply These Terms to Your New Programs
-
-  If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
-  To do so, attach the following notices to the program.  It is safest
-to attach them to the start of each source file to most effectively
-state the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-    <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) <year>  <name of author>
-
-    This program is free software: you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation, either version 3 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-Also add information on how to contact you by electronic and paper mail.
-
-  If the program does terminal interaction, make it output a short
-notice like this when it starts in an interactive mode:
-
-    <program>  Copyright (C) <year>  <name of author>
-    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
-    This is free software, and you are welcome to redistribute it
-    under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License.  Of course, your program's commands
-might be different; for a GUI interface, you would use an "about box".
-
-  You should also get your employer (if you work as a programmer) or school,
-if any, to sign a "copyright disclaimer" for the program, if necessary.
-For more information on this, and how to apply and follow the GNU GPL, see
-<http://www.gnu.org/licenses/>.
-
-  The GNU General Public License does not permit incorporating your program
-into proprietary programs.  If your program is a subroutine library, you
-may consider it more useful to permit linking proprietary applications with
-the library.  If this is what you want to do, use the GNU Lesser General
-Public License instead of this License.  But first, please read
-<http://www.gnu.org/philosophy/why-not-lgpl.html>.
--- a/23
+++ b/23
@@ -0,0 +1,23 @@
+SHFMT      := shfmt
+SHFMT_OPTS := -i 4 -ci -ln bash
+
+OUTPUT     := spectre-meltdown-checker.sh
+SRC_FILES  := $(shell find src -name '*.sh' -type f) build.sh
+
+.PHONY: all build shellcheck fmt fmt-check
+
+all: build shellcheck fmt-check
+
+build:
+	@./build.sh $(OUTPUT)
+
+shellcheck: $(OUTPUT)
+	@echo Running shellcheck...
+	@shellcheck $(OUTPUT)
+
+fmt:
+	$(SHFMT) -w $(SHFMT_OPTS) $(SRC_FILES)
+
+fmt-check:
+	@echo Checking formatting...
+	@$(SHFMT) -d $(SHFMT_OPTS) $(SRC_FILES)
--- a/README.md
+++ b/README.md
@@ -1,45 +0,0 @@
-Spectre & Meltdown Checker
-==========================
-
-A simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.
-
-Without options, it'll inspect your currently running kernel. 
-You can also specify a kernel image on the command line, if you'd like to inspect a kernel you're not running.
-
-The script will do its best to detect mitigations, including backported non-vanilla patches, regardless of the advertised kernel version number.
-
-## Example of script output
-
-![checker](https://framapic.org/6O4v4AAwMenv/M6J4CFWwsB3z.png)
-
-## Quick summary of the CVEs
-
-**CVE-2017-5753** bounds check bypass (Spectre Variant 1)
-
-   - Impact: Kernel & all software
-   - Mitigation: recompile software *and* kernel with a modified compiler that introduces the LFENCE opcode at the proper positions in the resulting code
-   - Performance impact of the mitigation: negligible
-
-**CVE-2017-5715** branch target injection (Spectre Variant 2)
-
-   - Impact: Kernel
-   - Mitigation 1: new opcode via microcode update that should be used by up to date compilers to protect the BTB (by flushing indirect branch predictors)
-   - Mitigation 2: introducing "retpoline" into compilers, and recompile software/OS with it
-   - Performance impact of the mitigation: high for mitigation 1, medium for mitigation 2, depending on your CPU
-
-**CVE-2017-5754** rogue data cache load (Meltdown)
-
-   - Impact: Kernel
-   - Mitigation: updated kernel (with PTI/KPTI patches), updating the kernel is enough
-   - Performance impact of the mitigation: low to medium
-
-## Disclaimer
-
-This tool does its best to determine whether your system is immune (or has proper mitigations in place) for the collectively named "speculative execution" vulnerabilities. It doesn't attempt to run any kind of exploit, and can't guarantee that your system is secure, but rather helps you verifying whether your system has the known correct mitigations in place.
-However, some mitigations could also exist in your kernel that this script doesn't know (yet) how to detect, or it might falsely detect mitigations that in the end don't work as expected (for example, on backported or modified kernels).
-
-Your system exposure also depends on your CPU. As of now, AMD and ARM processors are marked as immune to some or all of these vulnerabilities (except some specific ARM models). All Intel processors manufactured since circa 1995 are thought to be vulnerable. Whatever processor one uses, one might seek more information from the manufacturer of that processor and/or of the device in which it runs.
-
-The nature of the discovered vulnerabilities being quite new, the landscape of vulnerable processors can be expected to change over time, which is why this script makes the assumption that all CPUs are vulnerable, except if the manufacturer explicitly stated otherwise in a verifiable public announcement.
-
-This tool has been released in the hope that it'll be useful, but don't use it to jump to conclusions about your security.
--- a/UNSUPPORTED_CVE_LIST.md
+++ b/UNSUPPORTED_CVE_LIST.md
@@ -0,0 +1,21 @@
+# Unsupported CVEs
+
+This document lists transient execution CVEs that have been evaluated and determined to be **out of scope** for this tool. See the "CVE Inclusion Criteria" section in [DEVELOPMENT.md](DEVELOPMENT.md) for the general policy.
+
+## CVE-2024-36348 — AMD Transient Scheduler Attack (UMIP bypass)
+
+**Bulletin:** [AMD-SB-7029](https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7029.html)
+**CVSS:** 3.8 (Low)
+
+A transient execution vulnerability in some AMD processors may allow a user process to speculatively infer CPU configuration registers even when UMIP is enabled.
+
+**Why out of scope:** AMD has determined that "leakage of CPU Configuration does not result in leakage of sensitive information" and has marked this CVE as "No fix planned" across all affected product lines. No microcode or kernel mitigations have been issued, leaving nothing for this script to check.
+
+## CVE-2024-36349 — AMD Transient Scheduler Attack (TSC_AUX leak)
+
+**Bulletin:** [AMD-SB-7029](https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7029.html)
+**CVSS:** 3.8 (Low)
+
+A transient execution vulnerability in some AMD processors may allow a user process to infer TSC_AUX even when such a read is disabled.
+
+**Why out of scope:** AMD has determined that "leakage of TSC_AUX does not result in leakage of sensitive information" and has marked this CVE as "No fix planned" across all affected product lines. No microcode or kernel mitigations have been issued, leaving nothing for this script to check.
--- a/build.sh
+++ b/build.sh
@@ -0,0 +1,60 @@
+#!/bin/sh
+# vim: set ts=4 sw=4 sts=4 et:
+# Assemble spectre-meltdown-checker.sh from src/ fragments.
+# Usage: ./build.sh [output_file]
+#   default output: spectre-meltdown-checker.sh
+set -e
+
+SRCDIR="$(dirname "$0")/src"
+OUTPUT="${1:-$(dirname "$0")/spectre-meltdown-checker.sh}"
+
+SECTIONS="
+libs/*.sh
+vulns-helpers/*.sh
+vulns/*.sh
+main.sh
+db/*.sh
+"
+
+first=1
+for pattern in $SECTIONS; do
+    # shellcheck disable=SC2086
+    for file in "$SRCDIR"/$pattern; do
+        [ -f "$file" ] || continue
+        # source file marker
+        relpath="${file#"$SRCDIR"/}"
+        if [ "$first" = 1 ]; then
+            # first file (001_core_header.sh): emit verbatim, keeps shebang
+            cat "$file"
+            first=0
+        else
+            # separator blank line + source marker between fragments
+            echo ""
+            echo "# >>>>>> $relpath <<<<<<"
+            echo ""
+            # strip accidental shebang on line 1
+            {
+                IFS= read -r line
+                case "$line" in
+                    '#!'*) ;; # skip shebang
+                    *) printf '%s\n' "$line" ;;
+                esac
+                cat
+            } <"$file"
+        fi
+    done
+done >"$OUTPUT"
+
+chmod +x "$OUTPUT"
+
+# Patch VERSION= with semantic version: X.Y.Z
+# X=YY, Y=number of CVE files in src/vulns/, Z=MMDDVAL
+# VAL is a 3-digit (000-999) value derived from seconds since midnight UTC
+cve_count=$(find "$SRCDIR/vulns" -maxdepth 1 -name '*.sh' -type f | wc -l | tr -d ' ')
+epoch=$(date -u +%s)
+secs_since_midnight=$((epoch % 86400))
+val=$(printf '%03d' $((secs_since_midnight * 1000 / 86400)))
+version="$(date -u +%y).${cve_count}.$(date -u +%m%d)${val}"
+sed -i "s/^VERSION=.*/VERSION='${version}'/" "$OUTPUT"
+
+echo "Assembled $OUTPUT ($(wc -l <"$OUTPUT") lines, version $version)"
--- a/dist/Dockerfile
+++ b/dist/Dockerfile
@@ -0,0 +1,7 @@
+FROM alpine:latest
+
+RUN apk --update --no-cache add kmod binutils grep perl zstd wget sharutils unzip sqlite procps coreutils iucode-tool gzip xz bzip2 lz4
+
+COPY spectre-meltdown-checker.sh /
+
+ENTRYPOINT ["/spectre-meltdown-checker.sh"]
--- a/dist/FAQ.md
+++ b/dist/FAQ.md
@@ -0,0 +1,145 @@
+# Questions
+
+- [What to expect from this tool?](#what-to-expect-from-this-tool)
+- [Why was this script written in the first place?](#why-was-this-script-written-in-the-first-place)
+- [Why are those vulnerabilities so different than regular CVEs?](#why-are-those-vulnerabilities-so-different-than-regular-cves)
+- [What do "affected", "vulnerable" and "mitigated" mean exactly?](#what-do-affected-vulnerable-and-mitigated-mean-exactly)
+- [What are the main design decisions regarding this script?](#what-are-the-main-design-decisions-regarding-this-script)
+- [Everything is indicated in `sysfs` now, is this script still useful?](#everything-is-indicated-in-sysfs-now-is-this-script-still-useful)
+- [How does this script work?](#how-does-this-script-work)
+- [Which BSD OSes are supported?](#which-bsd-oses-are-supported)
+- [Why is my OS not supported?](#why-is-my-os-not-supported)
+- [The tool says there is an updated microcode for my CPU, but I don't have it!](#the-tool-says-there-is-an-updated-microcode-for-my-cpu-but-i-dont-have-it)
+- [The tool says that I need a more up-to-date microcode, but I have the more recent version!](#the-tool-says-that-i-need-a-more-up-to-date-microcode-but-i-have-the-more-recent-version)
+- [Which rules are governing the support of a CVE in this tool?](#which-rules-are-governing-the-support-of-a-cve-in-this-tool)
+
+# Answers
+
+## What to expect from this tool?
+
+This tool does its best to determine where your system stands on each of the collectively named [transient execution](https://en.wikipedia.org/wiki/Transient_execution_CPU_vulnerability) vulnerabilities (also sometimes called "speculative execution" vulnerabilities) that were made public since early 2018. It doesn't attempt to run any kind of exploit, and can't guarantee that your system is secure, but rather helps you verifying if your system is affected, and if it is, checks whether it has the known mitigations in place to avoid being vulnerable.
+Some mitigations could also exist in your kernel that this script doesn't know (yet) how to detect, or it might falsely detect mitigations that in the end don't work as expected (for example, on backported or modified kernels).
+
+Please also note that for Spectre vulnerabilities, all software can possibly be exploited, this tool only verifies that the kernel (which is the core of the system) you're using has the proper protections in place. Verifying all the other software is out of the scope of this tool. As a general measure, ensure you always have the most up to date stable versions of all the software you use, especially for those who are exposed to the world, such as network daemons and browsers.
+
+This tool has been released in the hope that it'll be useful, but don't use it to jump to definitive conclusions about your security: hardware vulnerabilities are [complex beasts](#why-are-those-vulnerabilities-so-different-than-regular-cves), and collective understanding of each vulnerability is evolving with time.
+
+## Why was this script written in the first place?
+
+The first commit of this script is dated *2018-01-07*, only 4 days after the world first heard about the Meltdown and the Spectre attacks. With those attacks disclosure, a _whole new range of vulnerabilities_ that were previously thought to be mostly theoretical and only possible in very controlled environments (labs) - hence of little interest for most except researchers - suddenly became completely mainstream and apparently trivial to conduct on an immensely large number of systems.
+
+On the few hours and days after that date, the whole industry went crazy. Proper, verified information about these vulnerabilities was incredibly hard to find, because before this, even the CPU vendors never had to deal with managing security vulnerabilities at scale, as software vendors do since decades. There were a lot of FUD, and the apparent silence of the vendors was enough for most to fear the worst. The whole industry had everything to learn about this new type of vulnerabilities. However, most systems administrators had a few simple questions:
+
+- Am **I** vulnerable? And if yes,
+- What do I have to do to mitigate these vulnerabilities on **my** system?
+
+Unfortunately, answering those questions was very difficult (and still is to some extent), even if the safe answer to the first question was "you probably are". This script was written to try to give simple answers to those simple questions, and was made to evolve as the information about these vulnerabilities became available. On the first few days, there was several new versions published **per day**.
+
+## Why are those vulnerabilities so different than regular CVEs?
+
+Those are hardware vulnerabilities, while most of the CVEs we see everyday are software vulnerabilities. A quick comparison would be:
+
+Software vulnerability:
+- Can be fixed? Yes.
+- How to fix? Update the software (or uninstall it!)
+
+Hardware vulnerability:
+- Can be fixed? No, only mitigated (or buy new hardware!)
+- How to ~~fix~~ mitigate? In the worst case scenario, 5 "layers" need to be updated: the microcode/firmware, the host OS kernel, the hypervisor, the VM OS kernel, and possibly all the software running on the machine. Sometimes only a subset of those layers need to be updated. In yet other cases, there can be several possible mitigations for the same vulnerability, implying different layers. Yes, it can get horribly complicated.
+
+A more detailed video explanation is available here: https://youtu.be/2gB9U1EcCss?t=425
+
+## What do "affected", "vulnerable" and "mitigated" mean exactly?
+
+- **Affected** means that your CPU's hardware, as it went out of the factory, is known to be concerned by a specific vulnerability, i.e. the vulnerability applies to your hardware model. Note that it says nothing about whether a given vulnerability can actually be used to exploit your system. However, an unaffected CPU will never be vulnerable, and doesn't need to have mitigations in place.
+- **Vulnerable** implies that you're using an **affected** CPU, and means that a given vulnerability can be exploited on your system, because no (or insufficient) mitigations are in place.
+- **Mitigated** implies that a previously **vulnerable** system has followed all the steps (updated all the required layers) to ensure a given vulnerability cannot be exploited. About what "layers" mean, see [the previous question](#why-are-those-vulnerabilities-so-different-than-regular-cves).
+
+## What are the main design decisions regarding this script?
+
+There are a few rules that govern how this tool is written.
+
+1) It should be okay to run this script in a production environment. This implies, but is not limited to:
+
+   * 1a. Never modify the system it's running on, and if it needs to e.g. load a kernel module it requires, that wasn't loaded before it was launched, it'll take care to unload it on exit
+   * 1b. Never attempt to "fix" or "mitigate" any vulnerability, or modify any configuration. It just reports what it thinks is the status of your system. It leaves all decisions to the sysadmin.
+   * 1c. Never attempt to run any kind of exploit to tell whether a vulnerability is mitigated, because it would violate 1a), could lead to unpredictable system behavior, and might even lead to wrong conclusions, as some PoC must be compiled with specific options and prerequisites, otherwise giving wrong information (especially for Spectre). If you want to run PoCs, do it yourself, but please read carefully about the PoC and the vulnerability. PoCs about a hardware vulnerability are way more complicated and prone to false conclusions than PoCs for software vulnerabilities.
+
+2) Never look at the kernel version to tell whether it supports mitigation for a given vulnerability. This implies never hardcoding version numbers in the script. This would defeat the purpose: this script should be able to detect mitigations in unknown kernels, with possibly backported or forward-ported patches. Also, don't believe what `sysfs` says, when possible. See the next question about this.
+
+3) Never look at the microcode version to tell whether it has the proper mechanisms in place to support mitigation for a given vulnerability. This implies never hardcoding version numbers in the script. Instead, look for said mechanisms, as the kernel would do.
+
+4) When a CPU is not known to be explicitly unaffected by a vulnerability, make the assumption that it is. This strong design choice has it roots in the early speculative execution vulnerability days (see [this answer](#why-was-this-script-written-in-the-first-place)), and is still a good approach as of today.
+
+## Everything is indicated in `sysfs` now, is this script still useful?
+
+A lot as changed since 2018. Nowadays, the industry adapted and this range of vulnerabilities is almost "business as usual", as software vulnerabilities are. However, due to their complexity, it's still not as easy as just checking a version number to ensure a vulnerability is closed.
+
+Granted, we now have a standard way under Linux to check whether our system is affected, vulnerable, mitigated against most of these vulnerabilities. By having a look at the `sysfs` hierarchy, and more precisely the `/sys/devices/system/cpu/vulnerabilities/` folder, one can have a pretty good insight about its system state for each of the listed vulnerabilities. Note that the output can be a little different with some vendors (e.g. Red Hat has some slightly different output than the vanilla kernel for some vulnerabilities), but it's still a gigantic leap forward, given where we were in 2018 when this script was started, and it's very good news. The kernel is the proper place to have this because the kernel knows everything about itself (the mitigations it might have), and the CPU (its model, and microcode features that are exposed). Note however that some vulnerabilities are not reported through this file hierarchy at all, such as Zenbleed.
+
+However I see a few reasons why this script might still be useful to you, and that's why its development has not halted when the `sysfs` hierarchy came out:
+
+- A given version of the kernel doesn't have knowledge about the future. To put it in another way: a given version of the kernel only has the understanding of a vulnerability available at the time it was compiled. Let me explain this: when a new vulnerability comes out, new versions of the microcode and kernels are released, with mitigations in place. With such a kernel, a new `sysfs` entry will appear. However, after a few weeks or months, corner cases can be discovered, previously-thought unaffected CPUs can turn out to be affected in the end, and sometimes mitigations can end up being insufficient.  Of course, if you're always running the latest kernel version from kernel.org, this issue might be limited for you. The spectre-meltdown-checker script doesn't depend on a kernel's knowledge and understanding of a vulnerability to compute its output. That is, unless you tell it to (using the `--sysfs-only` option).
+
+- Mitigating a vulnerability completely can sometimes be tricky, and have a lot of complicated prerequisites, depending on your kernel version, CPU vendor, model and even sometimes stepping, CPU microcode, hypervisor support, etc. The script gives a very detailed insight about each of the prerequisites of mitigation for every vulnerability, step by step, hence pointing out what is missing on your system as a whole to completely mitigate an issue.
+
+- The script can be pointed at a kernel image, and will deep dive into it, telling you if this kernel will mitigate vulnerabilities that might be present on your system. This is a good way to verify before booting a new kernel, that it'll mitigate the vulnerabilities you expect it to, especially if you modified a few config options around these topics.
+
+- The script will also work regardless of the custom patches that might be integrated in the kernel you're running (or you're pointing it to, in offline mode), and completely ignores the advertised kernel version, to tell whether a given kernel mitigates vulnerabilities. This is especially useful for non-vanilla kernel, where patches might be backported, sometimes silently (this has already happened, too).
+
+- Educational purposes: the script gives interesting insights about a vulnerability, and how the different parts of the system work together to mitigate it.
+
+There are probably other reasons, but that are the main ones that come to mind. In the end, of course, only you can tell whether it's useful for your use case ;)
+
+## How does this script work?
+
+On one hand, the script gathers information about your CPU, and the features exposed by its microcode. To do this, it uses the low-level CPUID instruction (through the `cpuid` kernel module under Linux, and the `cpucontrol` tool under BSD), and queries to the MSR registers of your CPU (through the `msr` kernel module under Linux, and the `cpucontrol` tool under BSD).
+
+On another hand, the script looks into the kernel image your system is running on, for clues about the mitigations it supports. Of course, this is very specific for each operating system, even if the implemented mitigation is functionally the same, the actual code is completely specific. As you can imagine, the Linux kernel code has a few in common with a BSD kernel code, for example. Under Linux, the script supports looking into the kernel image, and possibly the System.map and kernel config file, if these are available. Under BSD, it looks into the kernel file only.
+
+Then, for each vulnerability it knows about, the script decides whether your system is [affected, vulnerable, and mitigated](#what-do-affected-vulnerable-and-mitigated-mean-exactly) against it, using the information it gathered about your hardware and your kernel.
+
+## Which BSD OSes are supported?
+
+For the BSD range of operating systems, the script will work as long as the BSD you're using supports `cpuctl` and `linprocfs`. This is not the case for OpenBSD for example. Known BSD flavors having proper support are: FreeBSD, NetBSD, DragonflyBSD. Derivatives of those should also work. To know why other BSDs will likely never be supported, see [why is my OS not supported?](#why-is-my-os-not-supported).
+
+## Why is my OS not supported?
+
+This tool only supports Linux, and [some flavors of BSD](#which-bsd-oses-are-supported). Other OSes will most likely never be supported, due to [how this script works](#how-does-this-script-work). It would require implementing these OSes specific way of querying the CPU. It would also require to get documentation (if available) about how this OS mitigates each vulnerability, down to this OS kernel code, and if documentation is not available, reverse-engineer the difference between a known old version of a kernel, and a kernel that mitigates a new vulnerability. This means that all the effort has to be duplicated times the number of supported OSes, as everything is specific, by construction. It also implies having a deep understanding of every OS, which takes years to develop. However, if/when other tools appear for other OSes, that share the same goal of this one, they might be listed here as a convenience.
+
+## The tool says there is an updated microcode for my CPU, but I don't have it!
+
+Even if your operating system is fully up to date, the tool might still tell you that there is a more recent microcode version for your CPU. Currently, it uses (and merges) information from 4 sources:
+
+- The official [Intel microcode repository](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files)
+- The awesome platomav's [MCExtractor database](https://github.com/platomav/MCExtractor) for non-Intel CPUs
+- The official [linux-firmware](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git) repository for AMD
+- Specific Linux kernel commits that sometimes hardcode microcode versions, such as for [Zenbleed](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=522b1d69219d8f083173819fde04f994aa051a98) or for the bad [Spectre](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/kernel/cpu/intel.c#n141) microcodes
+
+Generally, it means a more recent version of the microcode has been seen in the wild. However, fully public availability of this microcode might be limited yet, or your OS vendor might have chosen not to ship this new version (yet), maybe because it's currently being tested, or for other reasons. This tool can't tell you when or if this will be the case. You should ask your vendor about it. Technically, you can still go and upgrade your microcode yourself, and use this tool to confirm whether you did it successfully. Updating the microcode for you is out of the scope of this tool, as this would violate [rule 1b](#what-are-the-main-design-decisions-regarding-this-script).
+
+## The tool says that I need a more up-to-date microcode, but I have the more recent version!
+
+This can happen for a few reasons:
+
+- Your CPU is no longer supported by the vendor. In that case, new versions of the microcode will never be published, and vulnerabilities requiring microcode features will never be fixed. On most of these vulnerabilities, you'll have no way to mitigate the issue on a vulnerable system, appart from buying a more recent CPU. Sometimes, you might be able to mitigate the issue by disabling a CPU feature instead (often at the cost of speed). When this is the case, the script will list this as one of the possible mitigations for the vulnerability.
+
+- The vulnerability is recent, and your CPU has not yet received a microcode update for the vendor. Often, these updates come in batches, and it can take several batches to cover all the supported CPUs.
+
+In both cases, you can contact your vendor to know whether there'll be an update or not, and if yes, when. For Intel, at the time this FAQ entry was written, such guidance was [available here](https://software.intel.com/content/www/us/en/develop/topics/software-security-guidance/processors-affected-consolidated-product-cpu-model.html).
+
+## Which rules are governing the support of a CVE in this tool?
+
+On the early days, it was easy: just Spectre and Meltdown (hence the tool name), because that's all we had. Now that this range of vulnerability is seeing a bunch of newcomers every year, this question is legitimate.
+
+To stick with this tool's goal, a good indication as to why a CVE should be supported, is when mitigating it requires either kernel modifications, microcode modifications, or both.
+
+Counter-examples include (non-exhaustive list):
+
+- [CVE-2019-14615](https://github.com/speed47/spectre-meltdown-checker/issues/340), mitigating this issue is done by updating the Intel driver. This is out of the scope of this tool.
+- [CVE-2019-15902](https://github.com/speed47/spectre-meltdown-checker/issues/304), this CVE is due to a bad backport in the stable kernel. If the faulty backport was part of the mitigation of another supported CVE, and this bad backport was detectable (without hardcoding kernel versions, see [rule 2](#why-are-those-vulnerabilities-so-different-than-regular-cves)), it might have been added as a bullet point in the concerned CVE's section in the tool. However, this wasn't the case.
+- The "[Take A Way](https://github.com/speed47/spectre-meltdown-checker/issues/344)" vulnerability, AMD said that they believe this is not a new attack, hence there were no microcode and no kernel modification made. As there is nothing to look for, this is out of the scope of this tool.
+- [CVE-2020-0550](https://github.com/speed47/spectre-meltdown-checker/issues/347), the vendor thinks this is hardly exploitable in the wild, and as mitigations would be too performance impacting, as a whole the industry decided to not address it. As there is nothing to check for, this is out of the scope of this tool.
+- [CVE-2020-0551](https://github.com/speed47/spectre-meltdown-checker/issues/348), the industry decided to not address it, as it is believed mitigations for other CVEs render this attack practically hard to make, Intel just released an updated SDK for SGX to help mitigate the issue, but this is out of the scope of this tool.
+
+Look for the [information](https://github.com/speed47/spectre-meltdown-checker/issues?q=is%3Aissue+is%3Aopen+label%3Ainformation) tag in the issues list for more examples.
--- a/dist/README.md
+++ b/dist/README.md
@@ -0,0 +1,191 @@
+Spectre & Meltdown Checker
+==========================
+
+A shell script to assess your system's resilience against the several [transient execution](https://en.wikipedia.org/wiki/Transient_execution_CPU_vulnerability) CVEs that were published since early 2018, and give you guidance as to how to mitigate them.
+
+CVE | Aliases | Impact | Mitigation | Perf. impact
+--- | ------- | ------ | ---------- | ------------
+[CVE-2017-5753](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753) | Spectre V1 | Kernel & all software | Recompile with LFENCE-inserting compiler | Negligible
+[CVE-2017-5715](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715) | Spectre V2 | Kernel | Microcode (IBRS) and/or retpoline | Medium to high
+[CVE-2017-5754](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754) | Meltdown | Kernel | Kernel update (PTI/KPTI) | Low to medium
+[CVE-2018-3640](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3640) | Variant 3a | Kernel | Microcode update | Negligible
+[CVE-2018-3639](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639) | Variant 4, SSB | JIT software | Microcode + kernel update | Low to medium
+[CVE-2018-3615](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3615) | Foreshadow (SGX) | SGX enclaves | Microcode update | Negligible
+[CVE-2018-3620](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3620) | Foreshadow-NG (OS/SMM) | Kernel & SMM | Kernel update (PTE inversion) | Negligible
+[CVE-2018-3646](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3646) | Foreshadow-NG (VMM) | VMM/hypervisors | Kernel update (L1d flush) or disable EPT/SMT | Low to significant
+[CVE-2018-12126](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12126) | MSBDS, Fallout | Kernel | Microcode + kernel update (MDS group) | Low to significant
+[CVE-2018-12130](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12130) | MFBDS, ZombieLoad | Kernel | Microcode + kernel update (MDS group) | Low to significant
+[CVE-2018-12127](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12127) | MLPDS, RIDL | Kernel | Microcode + kernel update (MDS group) | Low to significant
+[CVE-2019-11091](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11091) | MDSUM, RIDL | Kernel | Microcode + kernel update (MDS group) | Low to significant
+[CVE-2019-11135](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135) | TAA, ZombieLoad V2 | Kernel | Microcode + kernel update | Low to significant
+[CVE-2018-12207](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207) | iTLB Multihit, No eXcuses | VMM/hypervisors | Disable hugepages or update hypervisor | Low to significant
+[CVE-2020-0543](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0543) | SRBDS, CROSSTalk | All software (RDRAND/RDSEED) | Microcode + kernel update | Low
+[CVE-2022-40982](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40982) | Downfall, GDS | Kernel & all software | Microcode update or disable AVX | Negligible to significant (AVX-heavy)
+[CVE-2023-20569](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20569) | Inception, SRSO | Kernel & all software | Kernel + microcode update | Low to significant
+[CVE-2023-20593](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20593) | Zenbleed | Kernel & all software | Kernel (MSR bit) or microcode update | Negligible
+[CVE-2023-23583](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23583) | Reptar | All software | Microcode update | Low
+[CVE-2024-36350](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36350) | TSA-SQ | Kernel & all software (AMD) | Microcode + kernel update; SMT increases exposure | Low to medium
+[CVE-2024-36357](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36357) | TSA-L1 | Kernel & all software (AMD) | Microcode + kernel update | Low to medium
+
+<details>
+<summary>Detailed CVE descriptions</summary>
+
+**CVE-2017-5753 — Bounds Check Bypass (Spectre Variant 1)**
+
+An attacker can train the branch predictor to mispredict a bounds check, causing the CPU to speculatively access out-of-bounds memory. This affects all software, including the kernel, because any conditional bounds check can potentially be exploited. Mitigation requires recompiling software and the kernel with a compiler that inserts LFENCE instructions (or equivalent speculation barriers like `array_index_nospec`) at the proper positions. The performance impact is negligible because the barriers only apply to specific, targeted code patterns.
+
+**CVE-2017-5715 — Branch Target Injection (Spectre Variant 2)**
+
+An attacker can poison the Branch Target Buffer (BTB) to redirect speculative execution of indirect branches in the kernel, leaking kernel memory. Two mitigation strategies exist: (1) microcode updates providing IBRS (Indirect Branch Restricted Speculation), which flushes branch predictor state on privilege transitions — this has a medium to high performance cost, especially on older hardware; or (2) retpoline, a compiler technique that replaces indirect branches with a construct the speculator cannot exploit — this has a lower performance cost but requires recompiling the kernel and sensitive software.
+
+**CVE-2017-5754 — Rogue Data Cache Load (Meltdown)**
+
+On affected Intel processors, a user process can speculatively read kernel memory despite lacking permission. The CPU eventually raises a fault, but the data leaves observable traces in the cache. Mitigation is entirely kernel-side: Page Table Isolation (PTI/KPTI) unmaps most kernel memory from user-space page tables, so there is nothing to speculatively read. The performance impact is low to medium, mainly from the increased TLB pressure caused by switching page tables on every kernel entry and exit.
+
+**CVE-2018-3640 — Rogue System Register Read (Variant 3a)**
+
+Similar to Meltdown but targeting system registers: an unprivileged process can speculatively read privileged system register values (such as Model-Specific Registers) and exfiltrate them via a side channel. Mitigation requires a microcode update only — no kernel changes are needed. Performance impact is negligible.
+
+**CVE-2018-3639 — Speculative Store Bypass (Variant 4)**
+
+The CPU may speculatively load a value from memory before a preceding store to the same address completes, reading stale data. This primarily affects software using JIT compilation (e.g. JavaScript engines, eBPF), where an attacker can craft code that exploits the store-to-load dependency. No known exploitation against the kernel itself has been demonstrated. Mitigation requires a microcode update (providing the SSBD mechanism) plus a kernel update that allows affected software to opt in to the protection via prctl(). The performance impact is low to medium, depending on how frequently the mitigation is activated.
+
+**CVE-2018-3615 — L1 Terminal Fault (Foreshadow, SGX)**
+
+The original Foreshadow attack targets Intel SGX enclaves. When a page table entry's Present bit is cleared, the CPU may still speculatively use the physical address in the entry to fetch data from the L1 cache, bypassing SGX protections. An attacker can extract secrets (attestation keys, sealed data) from SGX enclaves. Mitigation requires a microcode update that includes modifications to SGX behavior. Performance impact is negligible.
+
+**CVE-2018-3620 — L1 Terminal Fault (Foreshadow-NG, OS/SMM)**
+
+A generalization of Foreshadow beyond SGX: unprivileged user-space code can exploit the same L1TF mechanism to read kernel memory or System Management Mode (SMM) memory. Mitigation requires a kernel update that implements PTE inversion — marking non-present page table entries with invalid physical addresses so the L1 cache cannot contain useful data at those addresses. Performance impact is negligible because PTE inversion is a one-time change to the page table management logic with no runtime overhead.
+
+**CVE-2018-3646 — L1 Terminal Fault (Foreshadow-NG, VMM)**
+
+A guest VM can exploit L1TF to read memory belonging to the host or other guests, because the hypervisor's page tables may have non-present entries pointing to valid host physical addresses still resident in L1. Mitigation options include: flushing the L1 data cache on every VM entry (via a kernel update providing L1d flush support), disabling Extended Page Tables (EPT), or disabling Hyper-Threading (SMT) to prevent a sibling thread from refilling the L1 cache during speculation. The performance impact ranges from low to significant depending on the chosen mitigation, with L1d flushing on VM entry being the most practical but still measurable on VM-heavy workloads.
+
+**CVE-2018-12126 — Microarchitectural Store Buffer Data Sampling (MSBDS, Fallout)**
+
+**CVE-2018-12130 — Microarchitectural Fill Buffer Data Sampling (MFBDS, ZombieLoad)**
+
+**CVE-2018-12127 — Microarchitectural Load Port Data Sampling (MLPDS, RIDL)**
+
+**CVE-2019-11091 — Microarchitectural Data Sampling Uncacheable Memory (MDSUM, RIDL)**
+
+These four CVEs are collectively known as "MDS" (Microarchitectural Data Sampling) vulnerabilities. They exploit different CPU internal buffers — store buffer, fill buffer, load ports, and uncacheable memory paths — that can leak recently accessed data across privilege boundaries during speculative execution. An unprivileged attacker can observe data recently processed by the kernel or other processes. Mitigation requires a microcode update (providing the MD_CLEAR mechanism) plus a kernel update that uses VERW to clear affected buffers on privilege transitions. Disabling Hyper-Threading (SMT) provides additional protection because sibling threads share these buffers. The performance impact is low to significant, depending on the frequency of kernel transitions and whether SMT is disabled.
+
+**CVE-2019-11135 — TSX Asynchronous Abort (TAA, ZombieLoad V2)**
+
+On CPUs with Intel TSX, a transactional abort can leave data from the line fill buffers in a state observable through side channels, similar to the MDS vulnerabilities but triggered through TSX. Mitigation requires a microcode update plus kernel support to either clear affected buffers or disable TSX entirely (via the TSX_CTRL MSR). The performance impact is low to significant, similar to MDS, with the option to eliminate the attack surface entirely by disabling TSX at the cost of losing transactional memory support.
+
+**CVE-2018-12207 — Machine Check Exception on Page Size Changes (iTLB Multihit, No eXcuses)**
+
+A malicious guest VM can trigger a machine check exception (MCE) — crashing the entire host — by creating specific conditions in the instruction TLB involving page size changes. This is a denial-of-service vulnerability affecting hypervisors running untrusted guests. Mitigation requires either disabling hugepage use in the hypervisor or updating the hypervisor to avoid the problematic iTLB configurations. The performance impact ranges from low to significant depending on the approach: disabling hugepages can substantially impact memory-intensive workloads.
+
+**CVE-2020-0543 — Special Register Buffer Data Sampling (SRBDS, CROSSTalk)**
+
+Certain special CPU instructions (RDRAND, RDSEED, EGETKEY) read data through a shared staging buffer that is accessible across all cores via speculative execution. An attacker running code on any core can observe the output of these instructions from a victim on a different core, including extracting cryptographic keys from SGX enclaves (a complete ECDSA key was demonstrated). This is notable as one of the first cross-core speculative execution attacks. Mitigation requires a microcode update that serializes access to the staging buffer, plus a kernel update to manage the mitigation. Performance impact is low, mainly affecting workloads that heavily use RDRAND/RDSEED.
+
+**CVE-2022-40982 — Gather Data Sampling (GDS, Downfall)**
+
+The AVX GATHER instructions can leak data from previously used vector registers across privilege boundaries through the shared gather data buffer. This affects any software using AVX2 or AVX-512 on vulnerable Intel processors. Mitigation is provided by a microcode update that clears the gather buffer, or alternatively by disabling the AVX feature entirely. Performance impact is negligible for most workloads but can be significant (up to 50%) for AVX-heavy applications such as HPC and AI inference.
+
+**CVE-2023-20569 — Return Address Security (Inception, SRSO)**
+
+On AMD Zen 1 through Zen 4 processors, an attacker can manipulate the return address predictor to redirect speculative execution on return instructions, leaking kernel memory. Mitigation requires both a kernel update (providing SRSO safe-return sequences or IBPB-on-entry) and a microcode update (providing SBPB on Zen 3/4, or IBPB support on Zen 1/2 — which additionally requires SMT to be disabled). Performance impact ranges from low to significant depending on the chosen mitigation and CPU generation.
+
+**CVE-2023-20593 — Cross-Process Information Leak (Zenbleed)**
+
+A bug in AMD Zen 2 processors causes the VZEROUPPER instruction to incorrectly zero register files during speculative execution, leaving stale data from other processes observable in vector registers. This can leak data across any privilege boundary, including from the kernel and other processes, at rates up to 30 KB/s per core. Mitigation is available either through a microcode update that fixes the bug, or through a kernel workaround that sets the FP_BACKUP_FIX bit (bit 9) in the DE_CFG MSR, disabling the faulty optimization. Either approach alone is sufficient. Performance impact is negligible.
+
+**CVE-2023-23583 — Redundant Prefix Issue (Reptar)**
+
+A bug in Intel processors causes unexpected behavior when executing instructions with specific redundant REX prefixes. Depending on the circumstances, this can result in a system crash (MCE), unpredictable behavior, or potentially privilege escalation. Any software running on an affected CPU can trigger the bug. Mitigation requires a microcode update. Performance impact is low.
+
+**CVE-2024-36350 — Transient Scheduler Attack, Store Queue (TSA-SQ)**
+
+On AMD Zen 3 and Zen 4 processors, the CPU's transient scheduler may speculatively retrieve stale data from the store queue during certain timing windows, allowing an attacker to infer data from previous store operations across privilege boundaries. The attack can also leak data between SMT sibling threads. Mitigation requires both a microcode update (exposing the VERW_CLEAR capability) and a kernel update (CONFIG_MITIGATION_TSA, Linux 6.16+) that uses the VERW instruction to clear CPU buffers on user/kernel transitions and before VMRUN. The kernel also clears buffers on idle when SMT is active. Performance impact is low to medium.
+
+**CVE-2024-36357 — Transient Scheduler Attack, L1 (TSA-L1)**
+
+On AMD Zen 3 and Zen 4 processors, the CPU's transient scheduler may speculatively retrieve stale data from the L1 data cache during certain timing windows, allowing an attacker to infer data in the L1D cache across privilege boundaries. Mitigation requires the same microcode and kernel updates as TSA-SQ: a microcode update exposing VERW_CLEAR and a kernel update (CONFIG_MITIGATION_TSA, Linux 6.16+) that clears CPU buffers via VERW on privilege transitions. Performance impact is low to medium.
+
+</details>
+
+Supported operating systems:
+- Linux (all versions, flavors and distros)
+- FreeBSD, NetBSD, DragonFlyBSD and derivatives (others BSDs are [not supported](FAQ.md#which-bsd-oses-are-supported))
+
+For Linux systems, the tool will detect mitigations, including backported non-vanilla patches, regardless of the advertised kernel version number and the distribution (such as Debian, Ubuntu, CentOS, RHEL, Fedora, openSUSE, Arch, ...), it also works if you've compiled your own kernel. More information [here](FAQ.md#how-does-this-script-work).
+
+Other operating systems such as MacOS, Windows, ESXi, etc. [will most likely never be supported](FAQ.md#why-is-my-os-not-supported).
+
+Supported architectures:
+- `x86` (32 bits)
+- `amd64`/`x86_64` (64 bits)
+- `ARM` and `ARM64`
+- other architectures will work, but mitigations (if they exist) might not always be detected
+
+## Frequently Asked Questions (FAQ)
+
+- What is the purpose of this tool?
+- Why was it written?
+- How can it be useful to me?
+- How does it work?
+- What can I expect from it?
+
+All these questions (and more) have detailed answers in the [FAQ](FAQ.md), please have a look!
+
+## Easy way to run the script
+
+- Get the latest version of the script using `curl` *or* `wget`
+
+```bash
+curl -L https://meltdown.ovh -o spectre-meltdown-checker.sh
+wget https://meltdown.ovh -O spectre-meltdown-checker.sh
+```
+
+- Inspect the script. You never blindly run scripts you downloaded from the Internet, do you?
+
+```bash
+vim spectre-meltdown-checker.sh
+```
+
+- When you're ready, run the script as root
+
+```bash
+chmod +x spectre-meltdown-checker.sh
+sudo ./spectre-meltdown-checker.sh
+```
+
+### Run the script in a docker container
+
+#### With docker-compose
+
+```shell
+docker compose build
+docker compose run --rm spectre-meltdown-checker
+```
+
+Note that on older versions of docker, `docker-compose` is a separate command, so you might
+need to replace the two `docker compose` occurences above by `docker-compose`.
+
+#### Without docker-compose
+
+```shell
+docker build -t spectre-meltdown-checker .
+docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker
+```
+
+## Example of script output
+
+- Intel Haswell CPU running under Ubuntu 16.04 LTS
+
+![haswell](https://user-images.githubusercontent.com/218502/108764885-6dcfc380-7553-11eb-81ac-4d19060a3acf.png)
+
+- AMD Ryzen running under OpenSUSE Tumbleweed
+
+![ryzen](https://user-images.githubusercontent.com/218502/108764896-70321d80-7553-11eb-9dd2-fad2a0a1a737.png)
+
+- Batch mode (JSON flavor)
+
+![batch](https://user-images.githubusercontent.com/218502/108764902-71634a80-7553-11eb-9678-fd304995fa64.png)
+
--- a/dist/docker-compose.yml
+++ b/dist/docker-compose.yml
@@ -0,0 +1,13 @@
+services:
+  spectre-meltdown-checker:
+    build:
+      context: ./
+      dockerfile: ./Dockerfile
+    image: spectre-meltdown-checker:latest
+    container_name: spectre-meltdown-checker
+    privileged: true
+    network_mode: none
+    volumes:
+      - /boot:/boot:ro
+      - /dev/cpu:/dev/cpu:ro
+      - /lib/modules:/lib/modules:ro
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
@@ -1,974 +0,0 @@
-#! /bin/sh
-# Spectre & Meltdown checker
-#
-# Check for the latest version at:
-# https://github.com/speed47/spectre-meltdown-checker
-# git clone https://github.com/speed47/spectre-meltdown-checker.git
-# or wget https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh
-#
-# Stephane Lesimple
-#
-VERSION=0.29
-
-# Script configuration
-show_usage()
-{
-	cat <<EOF
-	Usage:
-		Live mode:    `basename $0` [options] [--live]
-		Offline mode: `basename $0` [options] [--kernel <vmlinux_file>] [--config <kernel_config>] [--map <kernel_map_file>]
-
-	Modes:
-		Two modes are available.
-
-		First mode is the "live" mode (default), it does its best to find information about the currently running kernel.
-		To run under this mode, just start the script without any option (you can also use --live explicitly)
-
-		Second mode is the "offline" mode, where you can inspect a non-running kernel.
-		You'll need to specify the location of the vmlinux file, and if possible, the corresponding config and System.map files:
-
-		--kernel vmlinux_file		Specify a (possibly compressed) vmlinux file
-		--config kernel_config		Specify a kernel config file
-		--map	 kernel_map_file	Specify a kernel System.map file
-
-	Options:
-		--no-color			Don't use color codes
-		--verbose, -v			Increase verbosity level
-		--no-sysfs			Don't use the /sys interface even if present
-		--batch text			Produce machine readable output, this is the default if --batch is specified alone
-		--batch json			Produce JSON output formatted for Puppet, Ansible, Chef...
-		--batch nrpe			Produce machine readable output formatted for NRPE
-		--variant [1,2,3]		Specify which variant you'd like to check, by default all variants are checked
-						Can be specified multiple times (e.g. --variant 2 --variant 3)
-
-
-	IMPORTANT:
-	A false sense of security is worse than no security at all.
-	Please use the --disclaimer option to understand exactly what this script does.
-
-EOF
-}
-
-show_disclaimer()
-{
-	cat <<EOF
-Disclaimer:
-
-This tool does its best to determine whether your system is immune (or has proper mitigations in place) for the
-collectively named "speculative execution" vulnerabilities. It doesn't attempt to run any kind of exploit, and can't guarantee
-that your system is secure, but rather helps you verifying whether your system has the known correct mitigations in place.
-However, some mitigations could also exist in your kernel that this script doesn't know (yet) how to detect, or it might
-falsely detect mitigations that in the end don't work as expected (for example, on backported or modified kernels).
-
-Your system exposure also depends on your CPU. As of now, AMD and ARM processors are marked as immune to some or all of these
-vulnerabilities (except some specific ARM models). All Intel processors manufactured since circa 1995 are thought to be vulnerable.
-Whatever processor one uses, one might seek more information from the manufacturer of that processor and/or of the device
-in which it runs.
-
-The nature of the discovered vulnerabilities being quite new, the landscape of vulnerable processors can be expected
-to change over time, which is why this script makes the assumption that all CPUs are vulnerable, except if the manufacturer
-explicitly stated otherwise in a verifiable public announcement.
-
-This tool has been released in the hope that it'll be useful, but don't use it to jump to conclusions about your security.
-
-EOF
-}
-
-# parse options
-opt_kernel=''
-opt_config=''
-opt_map=''
-opt_live_explicit=0
-opt_live=1
-opt_no_color=0
-opt_batch=0
-opt_batch_format="text"
-opt_verbose=1
-opt_variant1=0
-opt_variant2=0
-opt_variant3=0
-opt_allvariants=1
-opt_no_sysfs=0
-
-nrpe_critical=0
-nrpe_unknown=0
-nrpe_vuln=""
-
-__echo()
-{
-	opt="$1"
-	shift
-	_msg="$@"
-	if [ "$opt_no_color" = 1 ] ; then
-		# strip ANSI color codes
-		_msg=$(/bin/echo -e  "$_msg" | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g")
-	fi
-	# explicitly call /bin/echo to avoid shell builtins that might not take options
-	/bin/echo $opt -e "$_msg"
-}
-
-_echo()
-{
-	if [ $opt_verbose -ge $1 ]; then
-		shift
-		__echo '' "$@"
-	fi
-}
-
-_echo_nol()
-{
-	if [ $opt_verbose -ge $1 ]; then
-		shift
-		__echo -n "$@"
-	fi
-}
-
-_warn()
-{
-	_echo 0 "\033[31m${@}\033[0m" >&2
-}
-
-_info()
-{
-	_echo 1 "$@"
-}
-
-_info_nol()
-{
-	_echo_nol 1 "$@"
-}
-
-_verbose()
-{
-	_echo 2 "$@"
-}
-
-_debug()
-{
-	_echo 3 "\033[34m(debug) $@\033[0m"
-}
-
-is_cpu_vulnerable()
-{
-	# param: 1, 2 or 3 (variant)
-	# returns 0 if vulnerable, 1 if not vulnerable
-	# (note that in shell, a return of 0 is success)
-	# by default, everything is vulnerable, we work in a "whitelist" logic here.
-	# usage: is_cpu_vulnerable 2 && do something if vulnerable
-	variant1=0
-	variant2=0
-	variant3=0
-
-	if grep -q AMD /proc/cpuinfo; then
-		# AMD revised their statement about variant2 => vulnerable
-		# https://www.amd.com/en/corporate/speculative-execution
-		variant3=1
-	elif grep -qi 'CPU implementer\s*:\s*0x41' /proc/cpuinfo; then
-		# ARM
-		# reference: https://developer.arm.com/support/security-update
-		cpupart=$(awk '/CPU part/         {print $4;exit}' /proc/cpuinfo)
-		cpuarch=$(awk '/CPU architecture/ {print $3;exit}' /proc/cpuinfo)
-		if [ -n "$cpupart" -a -n "$cpuarch" ]; then
-			# Cortex-R7 and Cortex-R8 are real-time and only used in medical devices or such
-			# I can't find their CPU part number, but it's probably not that useful anyway
-			# model R7 R8 A9    A15   A17   A57   A72    A73    A75
-			# part   ?  ? 0xc09 0xc0f 0xc0e 0xd07 0xd08  0xd09  0xd0a
-			# arch  7? 7? 7     7     7     8     8      8      8
-			if [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -Eq '^0x(c09|c0f|c0e)$'; then
-				# armv7 vulnerable chips
-				:
-			elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -Eq '^0x(d07|d08|d09|d0a)$'; then
-				# armv8 vulnerable chips
-				:
-			else
-				variant1=1
-				variant2=1
-			fi
-			# for variant3, only A75 is vulnerable
-			if ! [ "$cpuarch" = 8 -a "$cpupart" = 0xd0a ]; then
-				variant3=1
-			fi
-		fi
-	fi
-
-	[ "$1" = 1 ] && return $variant1
-	[ "$1" = 2 ] && return $variant2
-	[ "$1" = 3 ] && return $variant3
-	echo "$0: error: invalid variant '$1' passed to is_cpu_vulnerable()" >&2
-	exit 1
-}
-
-show_header()
-{
-	_info "\033[1;34mSpectre and Meltdown mitigation detection tool v$VERSION\033[0m"
-	_info
-}
-
-parse_opt_file()
-{
-	# parse_opt_file option_name option_value
-	option_name="$1"
-	option_value="$2"
-	if [ -z "$option_value" ]; then
-		show_header
-		show_usage
-		echo "$0: error: --$option_name expects one parameter (a file)" >&2
-		exit 1
-	elif [ ! -e "$option_value" ]; then
-		show_header
-		echo "$0: error: couldn't find file $option_value" >&2
-		exit 1
-	elif [ ! -f "$option_value" ]; then
-		show_header
-		echo "$0: error: $option_value is not a file" >&2
-		exit 1
-	elif [ ! -r "$option_value" ]; then
-		show_header
-		echo "$0: error: couldn't read $option_value (are you root?)" >&2
-		exit 1
-	fi
-	echo "$option_value"
-	exit 0
-}
-
-while [ -n "$1" ]; do
-	if [ "$1" = "--kernel" ]; then
-		opt_kernel=$(parse_opt_file kernel "$2")
-		[ $? -ne 0 ] && exit $?
-		shift 2
-		opt_live=0
-	elif [ "$1" = "--config" ]; then
-		opt_config=$(parse_opt_file config "$2")
-		[ $? -ne 0 ] && exit $?
-		shift 2
-		opt_live=0
-	elif [ "$1" = "--map" ]; then
-		opt_map=$(parse_opt_file map "$2")
-		[ $? -ne 0 ] && exit $?
-		shift 2
-		opt_live=0
-	elif [ "$1" = "--live" ]; then
-		opt_live_explicit=1
-		shift
-	elif [ "$1" = "--no-color" ]; then
-		opt_no_color=1
-		shift
-	elif [ "$1" = "--no-sysfs" ]; then
-		opt_no_sysfs=1
-		shift
-	elif [ "$1" = "--batch" ]; then
-		opt_batch=1
-		opt_verbose=0
-		shift
-		case "$1" in
-			text|nrpe|json) opt_batch_format="$1"; shift;;
-			--*) ;;    # allow subsequent flags
-			'') ;;     # allow nothing at all
-			*)
-				echo "$0: error: unknown batch format '$1'"
-				echo "$0: error: --batch expects a format from: text, nrpe, json"
-				exit 1 >&2
-				;;
-		esac
-	elif [ "$1" = "-v" -o "$1" = "--verbose" ]; then
-		opt_verbose=$(expr $opt_verbose + 1)
-		shift
-	elif [ "$1" = "--variant" ]; then
-		if [ -z "$2" ]; then
-			echo "$0: error: option --variant expects a parameter (1, 2 or 3)" >&2
-			exit 1
-		fi
-		case "$2" in
-			1) opt_variant1=1; opt_allvariants=0;;
-			2) opt_variant2=1; opt_allvariants=0;;
-			3) opt_variant3=1; opt_allvariants=0;;
-			*)
-				echo "$0: error: invalid parameter '$2' for --variant, expected either 1, 2 or 3" >&2;
-				exit 1;;
-		esac
-		shift 2
-	elif [ "$1" = "-h" -o "$1" = "--help" ]; then
-		show_header
-		show_usage
-		exit 0
-	elif [ "$1" = "--version" ]; then
-		opt_no_color=1
-		show_header
-		exit 1
-	elif [ "$1" = "--disclaimer" ]; then
-		show_header
-		show_disclaimer
-		exit 0
-	else
-		show_header
-		show_usage
-		echo "$0: error: unknown option '$1'"
-		exit 1
-	fi
-done
-
-show_header
-
-# print status function
-pstatus()
-{
-	if [ "$opt_no_color" = 1 ]; then
-		_info_nol "$2"
-	else
-		case "$1" in
-			red)    col="\033[101m\033[30m";;
-			green)  col="\033[102m\033[30m";;
-			yellow) col="\033[103m\033[30m";;
-			blue)   col="\033[104m\033[30m";;
-			*)      col="";;
-		esac
-		_info_nol "$col $2 \033[0m"
-	fi
-	[ -n "$3" ] && _info_nol " ($3)"
-	_info
-}
-
-# Print the final status of a vulnerability (incl. batch mode)
-# Arguments are: CVE UNK/OK/VULN description
-pvulnstatus()
-{
-	if [ "$opt_batch" = 1 ]; then
-                case "$opt_batch_format" in
-                        text) _echo 0 "$1: $2 ($3)";;
-                        nrpe)
-                              case "$2" in
-                                       UKN) nrpe_unknown="1";;
-                                       VULN) nrpe_critical="1"; nrpe_vuln="$nrpe_vuln $1";;
-                              esac
-                              ;;
-                        json)
-                              case "$1" in
-                                       CVE-2017-5753) aka="SPECTRE VARIANT 1";;
-                                       CVE-2017-5715) aka="SPECTRE VARIANT 2";;
-                                       CVE-2017-5754) aka="MELTDOWN";;
-                              esac
-                              case "$2" in
-                                       UKN)  is_vuln="unknown";;
-                                       VULN) is_vuln="true";;
-                                       OK)   is_vuln="false";;
-                              esac
-                              json_output="${json_output:-[}{\"NAME\":\""$aka"\",\"CVE\":\""$1"\",\"VULNERABLE\":$is_vuln,\"INFOS\":\""$3"\"},"
-                              ;;
-		esac
-	fi
-
-	_info_nol "> \033[46m\033[30mSTATUS:\033[0m "
-	vulnstatus="$2"
-	shift 2
-	case "$vulnstatus" in
-		UNK) pstatus yellow UNKNOWN "$@";;
-		VULN) pstatus red 'VULNERABLE' "$@";;
-		OK) pstatus green 'NOT VULNERABLE' "$@";;
-	esac
-}
-
-
-# The 3 below functions are taken from the extract-linux script, available here:
-# https://github.com/torvalds/linux/blob/master/scripts/extract-vmlinux
-# The functions have been modified for better integration to this script
-# The original header of the file has been retained below
-
-# ----------------------------------------------------------------------
-# extract-vmlinux - Extract uncompressed vmlinux from a kernel image
-#
-# Inspired from extract-ikconfig
-# (c) 2009,2010 Dick Streefland <dick@streefland.net>
-#
-# (c) 2011      Corentin Chary <corentin.chary@gmail.com>
-#
-# Licensed under the GNU General Public License, version 2 (GPLv2).
-# ----------------------------------------------------------------------
-
-vmlinux=''
-vmlinux_err=''
-check_vmlinux()
-{
-	readelf -h "$1" > /dev/null 2>&1 || return 1
-	return 0
-}
-
-try_decompress()
-{
-	# The obscure use of the "tr" filter is to work around older versions of
-	# "grep" that report the byte offset of the line instead of the pattern.
-
-	# Try to find the header ($1) and decompress from here
-	for     pos in `tr "$1\n$2" "\n$2=" < "$6" | grep -abo "^$2"`
-	do
-		_debug "try_decompress: magic for $3 found at offset $pos"
-		if ! which "$3" >/dev/null 2>&1; then
-			vmlinux_err="missing '$3' tool, please install it, usually it's in the '$5' package"
-			return 0
-		fi
-		pos=${pos%%:*}
-		tail -c+$pos "$6" 2>/dev/null | $3 $4 > $vmlinuxtmp 2>/dev/null
-		if check_vmlinux "$vmlinuxtmp"; then
-			vmlinux="$vmlinuxtmp"
-			_debug "try_decompress: decompressed with $3 successfully!"
-			return 0
-		else
-			_debug "try_decompress: decompression with $3 did not work"
-		fi
-	done
-	return 1
-}
-
-extract_vmlinux()
-{
-	[ -n "$1" ] || return 1
-	# Prepare temp files:
-	vmlinuxtmp="$(mktemp /tmp/vmlinux-XXXXXX)"
-	trap "rm -f $vmlinuxtmp" EXIT
-
-	# Initial attempt for uncompressed images or objects:
-	if check_vmlinux "$1"; then
-		cat "$1" > "$vmlinuxtmp"
-		vmlinux=$vmlinuxtmp
-		return 0
-	fi
-
-	# That didn't work, so retry after decompression.
-	try_decompress '\037\213\010'     xy    gunzip  ''      gunzip      "$1" && return 0
-	try_decompress '\3757zXZ\000'     abcde unxz    ''      xz-utils    "$1" && return 0
-	try_decompress 'BZh'              xy    bunzip2 ''      bzip2       "$1" && return 0
-	try_decompress '\135\0\0\0'       xxx   unlzma  ''      xz-utils    "$1" && return 0
-	try_decompress '\211\114\132'     xy    'lzop'  '-d'    lzop        "$1" && return 0
-	try_decompress '\002\041\114\030' xyy   'lz4'   '-d -l' liblz4-tool "$1" && return 0
-	return 1
-}
-
-# end of extract-vmlinux functions
-
-# check for mode selection inconsistency
-if [ "$opt_live_explicit" = 1 ]; then
-	if [ -n "$opt_kernel" -o -n "$opt_config" -o -n "$opt_map" ]; then
-		show_usage
-		echo "$0: error: incompatible modes specified, use either --live or --kernel/--config/--map"
-		exit 1
-	fi
-fi
-
-# root check (only for live mode, for offline mode, we already checked if we could read the files)
-
-if [ "$opt_live" = 1 ]; then
-	if [ "$(id -u)" -ne 0 ]; then
-		_warn "Note that you should launch this script with root privileges to get accurate information."
-		_warn "We'll proceed but you might see permission denied errors."
-		_warn "To run it as root, you can try the following command: sudo $0"
-		_warn
-	fi
-	_info "Checking for vulnerabilities against running kernel \033[35m"$(uname -s) $(uname -r) $(uname -v) $(uname -m)"\033[0m"
-	_info "CPU is\033[35m"$(grep '^model name' /proc/cpuinfo | cut -d: -f2 | head -1)"\033[0m"
-
-	# try to find the image of the current running kernel
-	# first, look for the BOOT_IMAGE hint in the kernel cmdline
-	if [ -r /proc/cmdline ] && grep -q 'BOOT_IMAGE=' /proc/cmdline; then
-		opt_kernel=$(grep -Eo 'BOOT_IMAGE=[^ ]+' /proc/cmdline | cut -d= -f2)
-		_debug "found opt_kernel=$opt_kernel in /proc/cmdline"
-		# if we have a dedicated /boot partition, our bootloader might have just called it /
-		# so try to prepend /boot and see if we find anything
-		[ -e "/boot/$opt_kernel" ] && opt_kernel="/boot/$opt_kernel"
-		_debug "opt_kernel is now $opt_kernel"
-		# else, the full path is already there (most probably /boot/something)
-	fi
-	# if we didn't find a kernel, default to guessing
-	if [ ! -e "$opt_kernel" ]; then
-		[ -e /boot/vmlinuz-linux       ] && opt_kernel=/boot/vmlinuz-linux
-		[ -e /boot/vmlinuz-linux-libre ] && opt_kernel=/boot/vmlinuz-linux-libre
-		[ -e /boot/vmlinuz-$(uname -r) ] && opt_kernel=/boot/vmlinuz-$(uname -r)
-		[ -e /boot/kernel-$( uname -r) ] && opt_kernel=/boot/kernel-$( uname -r)
-		[ -e /boot/bzImage-$(uname -r) ] && opt_kernel=/boot/bzImage-$(uname -r)
-		[ -e /boot/kernel-genkernel-$(uname -m)-$(uname -r) ] && opt_kernel=/boot/kernel-genkernel-$(uname -m)-$(uname -r)
-	fi
-
-	# system.map
-	if [ -e /proc/kallsyms ] ; then
-		opt_map="/proc/kallsyms"
-	elif [ -e /boot/System.map-$(uname -r) ] ; then
-		opt_map=/boot/System.map-$(uname -r)
-	fi
-
-	# config
-	if [ -e /proc/config.gz ] ; then
-		dumped_config="$(mktemp /tmp/config-XXXXXX)"
-		gunzip -c /proc/config.gz > $dumped_config
-		# dumped_config will be deleted at the end of the script
-		opt_config=$dumped_config
-	elif [ -e /boot/config-$(uname -r) ]; then
-		opt_config=/boot/config-$(uname -r)
-	fi
-else
-	_info "Checking for vulnerabilities against specified kernel"
-fi
-if [ -n "$opt_kernel" ]; then
-	_verbose "Will use vmlinux image \033[35m$opt_kernel\033[0m"
-else
-	_verbose "Will use no vmlinux image (accuracy might be reduced)"
-fi
-if [ -n "$dumped_config" ]; then
-	_verbose "Will use kconfig \033[35m/proc/config.gz\033[0m"
-elif [ -n "$opt_config" ]; then
-	_verbose "Will use kconfig \033[35m$opt_config\033[0m"
-else
-	_verbose "Will use no kconfig (accuracy might be reduced)"
-fi
-if [ -n "$opt_map" ]; then
-	_verbose "Will use System.map file \033[35m$opt_map\033[0m"
-else
-	_verbose "Will use no System.map file (accuracy might be reduced)"
-fi
-
-if [ -e "$opt_kernel" ]; then
-	if ! which readelf >/dev/null 2>&1; then
-		vmlinux_err="missing 'readelf' tool, please install it, usually it's in the 'binutils' package"
-	else
-		extract_vmlinux "$opt_kernel"
-	fi
-else
-	vmlinux_err="couldn't find your kernel image in /boot, if you used netboot, this is normal"
-fi
-if [ -z "$vmlinux" -o ! -r "$vmlinux" ]; then
-	[ -z "$vmlinux_err" ] && vmlinux_err="couldn't extract your kernel from $opt_kernel"
-fi
-
-_info
-
-# end of header stuff
-
-# now we define some util functions and the check_*() funcs, as
-# the user can choose to execute only some of those
-
-mount_debugfs()
-{
-	if [ ! -e /sys/kernel/debug/sched_features ]; then
-		# try to mount the debugfs hierarchy ourselves and remember it to umount afterwards
-		mount -t debugfs debugfs /sys/kernel/debug 2>/dev/null && mounted_debugfs=1
-	fi
-}
-
-umount_debugfs()
-{
-	if [ "$mounted_debugfs" = 1 ]; then
-		# umount debugfs if we did mount it ourselves
-		umount /sys/kernel/debug
-	fi
-}
-
-sys_interface_check()
-{
-	[ "$opt_live" = 1 -a "$opt_no_sysfs" = 0 -a -r "$1" ] || return 1
-	_info_nol "* Checking whether we're safe according to the /sys interface: "
-	if grep -qi '^not affected' "$1"; then
-		# Not affected
-		status=OK
-		pstatus green YES "kernel confirms that your CPU is unaffected"
-	elif grep -qi '^mitigation' "$1"; then
-		# Mitigation: PTI
-		status=OK
-		pstatus green YES "kernel confirms that the mitigation is active"
-	elif grep -qi '^vulnerable' "$1"; then
-		# Vulnerable
-		status=VULN
-		pstatus red NO "kernel confirms your system is vulnerable"
-	else
-		status=UNK
-		pstatus yellow UNKNOWN "unknown value reported by kernel"
-	fi
-	msg=$(cat "$1")
-	_debug "sys_interface_check: $1=$msg"
-	return 0
-}
-
-###################
-# SPECTRE VARIANT 1
-check_variant1()
-{
-	_info "\033[1;34mCVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'\033[0m"
-
-	status=UNK
-	sys_interface_available=0
-	msg=''
-	if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/spectre_v1"; then
-		# this kernel has the /sys interface, trust it over everything
-		sys_interface_available=1
-	else
-		# no /sys interface (or offline mode), fallback to our own ways
-		_info_nol "* Checking count of LFENCE opcodes in kernel: "
-		if [ -n "$vmlinux_err" ]; then
-			msg="couldn't check ($vmlinux_err)"
-			status=UNK
-			pstatus yellow UNKNOWN
-		else
-			if ! which objdump >/dev/null 2>&1; then
-				msg="missing 'objdump' tool, please install it, usually it's in the binutils package"
-				status=UNK
-				pstatus yellow UNKNOWN
-			else
-				# here we disassemble the kernel and count the number of occurrences of the LFENCE opcode
-				# in non-patched kernels, this has been empirically determined as being around 40-50
-				# in patched kernels, this is more around 70-80, sometimes way higher (100+)
-				# v0.13: 68 found in a 3.10.23-xxxx-std-ipv6-64 (with lots of modules compiled-in directly), which doesn't have the LFENCE patches,
-				# so let's push the threshold to 70.
-				nb_lfence=$(objdump -d "$vmlinux" | grep -wc lfence)
-				if [ "$nb_lfence" -lt 70 ]; then
-					msg="only $nb_lfence opcodes found, should be >= 70, heuristic to be improved when official patches become available"
-					status=VULN
-					pstatus red NO
-				else
-					msg="$nb_lfence opcodes found, which is >= 70, heuristic to be improved when official patches become available"
-					status=OK
-					pstatus green YES
-				fi
-			fi
-		fi
-	fi
-
-	# if we have the /sys interface, don't even check is_cpu_vulnerable ourselves, the kernel already does it
-	if [ "$sys_interface_available" = 0 ] && ! is_cpu_vulnerable 1; then
-		# override status & msg in case CPU is not vulnerable after all
-		msg="your CPU vendor reported your CPU model as not vulnerable"
-		status=OK
-	fi
-
-	# report status
-	pvulnstatus CVE-2017-5753 "$status" "$msg"
-}
-
-###################
-# SPECTRE VARIANT 2
-check_variant2()
-{
-	_info "\033[1;34mCVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'\033[0m"
-
-	status=UNK
-	sys_interface_available=0
-	msg=''
-	if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/spectre_v2"; then
-		# this kernel has the /sys interface, trust it over everything
-		sys_interface_available=1
-	else
-		_info "* Mitigation 1"
-		_info_nol "*   Hardware (CPU microcode) support for mitigation: "
-		if [ ! -e /dev/cpu/0/msr ]; then
-			# try to load the module ourselves (and remember it so we can rmmod it afterwards)
-			modprobe msr 2>/dev/null && insmod_msr=1
-			_debug "attempted to load module msr, ret=$insmod_msr"
-		fi
-		if [ ! -e /dev/cpu/0/msr ]; then
-			pstatus yellow UNKNOWN "couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?"
-		else
-			# the new MSR 'SPEC_CTRL' is at offset 0x48
-			# here we use dd, it's the same as using 'rdmsr 0x48' but without needing the rdmsr tool
-			# if we get a read error, the MSR is not there
-			dd if=/dev/cpu/0/msr of=/dev/null bs=8 count=1 skip=9 2>/dev/null
-			if [ $? -eq 0 ]; then
-				pstatus green YES
-			else
-				pstatus red NO
-			fi
-		fi
-
-		if [ "$insmod_msr" = 1 ]; then
-			# if we used modprobe ourselves, rmmod the module
-			rmmod msr 2>/dev/null
-			_debug "attempted to unload module msr, ret=$?"
-		fi
-
-		_info_nol "*   Kernel support for IBRS: "
-		if [ "$opt_live" = 1 ]; then
-			mount_debugfs
-			for ibrs_file in \
-				/sys/kernel/debug/ibrs_enabled \
-				/sys/kernel/debug/x86/ibrs_enabled \
-				/proc/sys/kernel/ibrs_enabled; do
-				if [ -e "$ibrs_file" ]; then
-					# if the file is there, we have IBRS compiled-in
-					# /sys/kernel/debug/ibrs_enabled: vanilla
-					# /sys/kernel/debug/x86/ibrs_enabled: RedHat (see https://access.redhat.com/articles/3311301)
-					# /proc/sys/kernel/ibrs_enabled: OpenSUSE tumbleweed
-					pstatus green YES
-					ibrs_supported=1
-					ibrs_enabled=$(cat "$ibrs_file" 2>/dev/null)
-					_debug "ibrs: found $ibrs_file=$ibrs_enabled"
-					break
-				else
-					_debug "ibrs: file $ibrs_file doesn't exist"
-				fi
-			done
-		fi
-		if [ "$ibrs_supported" != 1 -a -n "$opt_map" ]; then
-			if grep -q spec_ctrl "$opt_map"; then
-				pstatus green YES
-				ibrs_supported=1
-				_debug "ibrs: found '*spec_ctrl*' symbol in $opt_map"
-			fi
-		fi
-		if [ "$ibrs_supported" != 1 ]; then
-			pstatus red NO
-		fi
-
-		_info_nol "*   IBRS enabled for Kernel space: "
-		if [ "$opt_live" = 1 ]; then
-			# 0 means disabled
-			# 1 is enabled only for kernel space
-			# 2 is enabled for kernel and user space
-			case "$ibrs_enabled" in
-				"") [ "$ibrs_supported" = 1 ] && pstatus yellow UNKNOWN || pstatus red NO;;
-				0)     pstatus red NO;;
-				1 | 2) pstatus green YES;;
-				*)     pstatus yellow UNKNOWN;;
-			esac
-		else
-			pstatus blue N/A "not testable in offline mode"
-		fi
-
-		_info_nol "*   IBRS enabled for User space: "
-		if [ "$opt_live" = 1 ]; then
-			case "$ibrs_enabled" in
-				"") [ "$ibrs_supported" = 1 ] && pstatus yellow UNKNOWN || pstatus red NO;;
-				0 | 1) pstatus red NO;;
-				2) pstatus green YES;;
-				*) pstatus yellow UNKNOWN;;
-			esac
-		else
-			pstatus blue N/A "not testable in offline mode"
-		fi
-
-		_info "* Mitigation 2"
-		_info_nol "*   Kernel compiled with retpoline option: "
-		# We check the RETPOLINE kernel options
-		if [ -r "$opt_config" ]; then
-			if grep -q '^CONFIG_RETPOLINE=y' "$opt_config"; then
-				pstatus green YES
-				retpoline=1
-				_debug "retpoline: found "$(grep '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config"
-			else
-				pstatus red NO
-			fi
-		else
-			pstatus yellow UNKNOWN "couldn't read your kernel configuration"
-		fi
-
-		_info_nol "*   Kernel compiled with a retpoline-aware compiler: "
-		# Now check if the compiler used to compile the kernel knows how to insert retpolines in generated asm
-		# For gcc, this is -mindirect-branch=thunk-extern (detected by the kernel makefiles)
-		# See gcc commit https://github.com/hjl-tools/gcc/commit/23b517d4a67c02d3ef80b6109218f2aadad7bd79
-		# In latest retpoline LKML patches, the noretpoline_setup symbol exists only if CONFIG_RETPOLINE is set
-		# *AND* if the compiler is retpoline-compliant, so look for that symbol
-		if [ -n "$opt_map" ]; then
-			# look for the symbol
-			if grep -qw noretpoline_setup "$opt_map"; then
-				retpoline_compiler=1
-				pstatus green YES "noretpoline_setup symbol found in System.map"
-			else
-				pstatus red NO
-			fi
-		elif [ -n "$vmlinux" ]; then
-			# look for the symbol
-			if which nm >/dev/null 2>&1; then
-				# the proper way: use nm and look for the symbol
-				if nm "$vmlinux" 2>/dev/null | grep -qw 'noretpoline_setup'; then
-					retpoline_compiler=1
-					pstatus green YES "noretpoline_setup found in vmlinux symbols"
-				else
-					pstatus red NO
-				fi
-			elif grep -q noretpoline_setup "$vmlinux"; then
-				# if we don't have nm, nevermind, the symbol name is long enough to not have
-				# any false positive using good old grep directly on the binary
-				retpoline_compiler=1
-				pstatus green YES "noretpoline_setup found in vmlinux"
-			else
-				pstatus red NO
-			fi
-		else
-			pstatus yellow UNKNOWN "couldn't find your kernel image or System.map"
-		fi
-	fi
-
-	# if we have the /sys interface, don't even check is_cpu_vulnerable ourselves, the kernel already does it
-	if [ "$sys_interface_available" = 0 ] && ! is_cpu_vulnerable 2; then
-		# override status & msg in case CPU is not vulnerable after all
-		pvulnstatus CVE-2017-5715 OK "your CPU vendor reported your CPU model as not vulnerable"
-	elif [ -z "$msg" ]; then
-		# if msg is empty, sysfs check didn't fill it, rely on our own test
-		if [ "$retpoline" = 1 -a "$retpoline_compiler" = 1 ]; then
-			pvulnstatus CVE-2017-5715 OK "retpoline mitigate the vulnerability"
-		elif [ "$opt_live" = 1 ]; then
-			if [ "$ibrs_enabled" = 1 -o "$ibrs_enabled" = 2 ]; then
-				pvulnstatus CVE-2017-5715 OK "IBRS mitigates the vulnerability"
-			else
-				pvulnstatus CVE-2017-5715 VULN "IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability"
-			fi
-		else
-			if [ "$ibrs_supported" = 1 ]; then
-				pvulnstatus CVE-2017-5715 OK "offline mode: IBRS will mitigate the vulnerability if enabled at runtime"
-			else
-				pvulnstatus CVE-2017-5715 VULN "IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability"
-			fi
-		fi
-	else
-		pvulnstatus CVE-2017-5715 "$status" "$msg"
-	fi
-}
-
-########################
-# MELTDOWN aka VARIANT 3
-check_variant3()
-{
-	_info "\033[1;34mCVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'\033[0m"
-
-	status=UNK
-	sys_interface_available=0
-	msg=''
-	if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/meltdown"; then
-		# this kernel has the /sys interface, trust it over everything
-		sys_interface_available=1
-	else
-		_info_nol "* Kernel supports Page Table Isolation (PTI): "
-		kpti_support=0
-		kpti_can_tell=0
-		if [ -n "$opt_config" ]; then
-			kpti_can_tell=1
-			if grep -Eq '^(CONFIG_PAGE_TABLE_ISOLATION|CONFIG_KAISER)=y' "$opt_config"; then
-				_debug "kpti_support: found option "$(grep -E '^(CONFIG_PAGE_TABLE_ISOLATION|CONFIG_KAISER)=y' "$opt_config")" in $opt_config"
-				kpti_support=1
-			fi
-		fi
-		if [ "$kpti_support" = 0 -a -n "$opt_map" ]; then
-			# it's not an elif: some backports don't have the PTI config but still include the patch
-			# so we try to find an exported symbol that is part of the PTI patch in System.map
-			kpti_can_tell=1
-			if grep -qw kpti_force_enabled "$opt_map"; then
-				_debug "kpti_support: found kpti_force_enabled in $opt_map"
-				kpti_support=1
-			fi
-		fi
-		if [ "$kpti_support" = 0 -a -n "$vmlinux" ]; then
-			# same as above but in case we don't have System.map and only vmlinux, look for the
-			# nopti option that is part of the patch (kernel command line option)
-			kpti_can_tell=1
-			if ! which strings >/dev/null 2>&1; then
-				pstatus yellow UNKNOWN "missing 'strings' tool, please install it, usually it's in the binutils package"
-			else
-				if strings "$vmlinux" | grep -qw nopti; then
-					_debug "kpti_support: found nopti string in $vmlinux"
-					kpti_support=1
-				fi
-			fi
-		fi
-
-		if [ "$kpti_support" = 1 ]; then
-			pstatus green YES
-		elif [ "$kpti_can_tell" = 1 ]; then
-			pstatus red NO
-		else
-			pstatus yellow UNKNOWN "couldn't read your kernel configuration nor System.map file"
-		fi
-
-		mount_debugfs
-		_info_nol "* PTI enabled and active: "
-		if [ "$opt_live" = 1 ]; then
-			dmesg_grep="Kernel/User page tables isolation: enabled"
-			dmesg_grep="$dmesg_grep|Kernel page table isolation enabled"
-			dmesg_grep="$dmesg_grep|x86/pti: Unmapping kernel while in userspace"
-			if grep ^flags /proc/cpuinfo | grep -qw pti; then
-				# vanilla PTI patch sets the 'pti' flag in cpuinfo
-				_debug "kpti_enabled: found 'pti' flag in /proc/cpuinfo"
-				kpti_enabled=1
-			elif grep ^flags /proc/cpuinfo | grep -qw kaiser; then
-				# kernel line 4.9 sets the 'kaiser' flag in cpuinfo
-				_debug "kpti_enabled: found 'kaiser' flag in /proc/cpuinfo"
-				kpti_enabled=1
-			elif [ -e /sys/kernel/debug/x86/pti_enabled ]; then
-				# RedHat Backport creates a dedicated file, see https://access.redhat.com/articles/3311301
-				kpti_enabled=$(cat /sys/kernel/debug/x86/pti_enabled 2>/dev/null)
-				_debug "kpti_enabled: file /sys/kernel/debug/x86/pti_enabled exists and says: $kpti_enabled"
-			elif dmesg | grep -Eq "$dmesg_grep"; then
-				# if we can't find the flag, grep dmesg output
-				_debug "kpti_enabled: found hint in dmesg: "$(dmesg | grep -E "$dmesg_grep")
-				kpti_enabled=1
-			elif [ -r /var/log/dmesg ] && grep -Eq "$dmesg_grep" /var/log/dmesg; then
-				# if we can't find the flag in dmesg output, grep in /var/log/dmesg when readable
-				_debug "kpti_enabled: found hint in /var/log/dmesg: "$(grep -E "$dmesg_grep" /var/log/dmesg)
-				kpti_enabled=1
-			else
-				_debug "kpti_enabled: couldn't find any hint that PTI is enabled"
-				kpti_enabled=0
-			fi
-			if [ "$kpti_enabled" = 1 ]; then
-				pstatus green YES
-			else
-				pstatus red NO
-			fi
-		else
-			pstatus blue N/A "can't verify if PTI is enabled in offline mode"
-		fi
-	fi
-
-	# if we have the /sys interface, don't even check is_cpu_vulnerable ourselves, the kernel already does it
-	cve='CVE-2017-5754'
-	if [ "$sys_interface_available" = 0 ] && ! is_cpu_vulnerable 3; then
-		# override status & msg in case CPU is not vulnerable after all
-		pvulnstatus $cve OK "your CPU vendor reported your CPU model as not vulnerable"
-	elif [ -z "$msg" ]; then
-		# if msg is empty, sysfs check didn't fill it, rely on our own test
-		if [ "$opt_live" = 1 ]; then
-			if [ "$kpti_enabled" = 1 ]; then
-				pvulnstatus $cve OK "PTI mitigates the vulnerability"
-			else
-				pvulnstatus $cve VULN "PTI is needed to mitigate the vulnerability"
-			fi
-		else
-			if [ "$kpti_support" = 1 ]; then
-				pvulnstatus $cve OK "offline mode: PTI will mitigate the vulnerability if enabled at runtime"
-			else
-				pvulnstatus $cve VULN "PTI is needed to mitigate the vulnerability"
-			fi
-		fi
-	else
-		pvulnstatus $cve "$status" "$msg"
-	fi
-}
-
-# now run the checks the user asked for
-if [ "$opt_variant1" = 1 -o "$opt_allvariants" = 1 ]; then
-	check_variant1
-	_info
-fi
-if [ "$opt_variant2" = 1 -o "$opt_allvariants" = 1 ]; then
-	check_variant2
-	_info
-fi
-if [ "$opt_variant3" = 1 -o "$opt_allvariants" = 1 ]; then
-	check_variant3
-	_info
-fi
-
-_info "A false sense of security is worse than no security at all, see --disclaimer"
-
-# this'll umount only if we mounted debugfs ourselves
-umount_debugfs
-
-# cleanup the temp decompressed config
-[ -n "$dumped_config" ] && rm -f "$dumped_config"
-
-if [ "$opt_batch" = 1 -a "$opt_batch_format" = "nrpe" ]; then
-	if [ ! -z "$nrpe_vuln" ]; then
-		echo "Vulnerable:$nrpe_vuln"
-	else
-		echo "OK"
-	fi
-	[ "$nrpe_critical" = 1 ] && exit 2  # critical
-	[ "$nrpe_unknown" = 1 ] && exit 3  # unknown
-	exit 0  # ok
-fi
-
-if [ "$opt_batch" = 1 -a "$opt_batch_format" = "json" ]; then
-	_echo 0 ${json_output%?}]
-fi
--- a/src/db/100_inteldb.sh
+++ b/src/db/100_inteldb.sh
@@ -0,0 +1,118 @@
+# vim: set ts=4 sw=4 sts=4 et:
+# Dump from Intel affected CPU page:
+# - https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html
+# Only currently-supported CPUs are listed, so only rely on it if the current CPU happens to be in the list.
+# We merge it with info from the following file:
+# - https://software.intel.com/content/dam/www/public/us/en/documents/affected-processors-transient-execution-attacks-by-cpu-aug02.xlsx
+# As it contains some information from older processors, however when information is contradictory between the two sources, the HTML takes precedence as
+# it is expected to be updated, whereas the xslx seems to be frozen.
+#
+# N: Not affected
+# S: Affected, software fix
+# H: Affected, hardware fix
+# M: Affected, MCU update needed
+# B: Affected, BIOS update needed
+# X: Affected, no planned mitigation
+# Y: Affected (this is from the xlsx, no details are available)
+#
+# %%% INTELDB
+# 0x000206A7,2017-5715=Y,2017-5753=Y,2017-5754=Y,2018-12126=Y,2018-12127=Y,2018-12130=Y,2018-12207=Y,2018-3615=Y,2018-3620=Y,2018-3639=Y,2018-3640=Y,2018-3646=Y,2019-11135=N,2020-0543=N,
+# 0x000206D6,2017-5715=Y,2017-5753=Y,2017-5754=Y,2018-12126=Y,2018-12127=Y,2018-12130=Y,2018-12207=Y,2018-3615=Y,2018-3620=Y,2018-3639=Y,2018-3640=Y,2018-3646=Y,2019-11135=N,2020-0543=N,
+# 0x000206D7,2017-5715=Y,2017-5753=Y,2017-5754=Y,2018-12126=Y,2018-12127=Y,2018-12130=Y,2018-12207=Y,2018-3615=Y,2018-3620=Y,2018-3639=Y,2018-3640=Y,2018-3646=Y,2019-11135=N,2020-0543=N,
+# 0x00030673,2017-5715=Y,2017-5753=Y,2017-5754=Y,2018-12126=Y,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=N,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,
+# 0x00030678,2017-5715=Y,2017-5753=Y,2017-5754=Y,2018-12126=Y,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=N,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,
+# 0x00030679,2017-5715=Y,2017-5753=Y,2017-5754=Y,2018-12126=Y,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=N,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,
+# 0x000306A9,2017-5715=Y,2017-5753=Y,2017-5754=Y,2018-12126=Y,2018-12127=Y,2018-12130=Y,2018-12207=Y,2018-3615=Y,2018-3620=Y,2018-3639=Y,2018-3640=Y,2018-3646=Y,2019-11135=N,2020-0543=Y,
+# 0x000306C3,2017-5715=Y,2017-5753=Y,2017-5754=Y,2018-12126=Y,2018-12127=Y,2018-12130=Y,2018-12207=Y,2018-3615=Y,2018-3620=Y,2018-3639=Y,2018-3640=Y,2018-3646=Y,2019-11135=N,2020-0543=Y,
+# 0x000306D4,2017-5715=Y,2017-5753=Y,2017-5754=Y,2018-12126=Y,2018-12127=Y,2018-12130=Y,2018-12207=Y,2018-3615=Y,2018-3620=Y,2018-3639=Y,2018-3640=Y,2018-3646=Y,2019-11135=Y,2020-0543=Y,
+# 0x000306E4,2017-5715=Y,2017-5753=Y,2017-5754=Y,2018-12126=Y,2018-12127=Y,2018-12130=Y,2018-12207=Y,2018-3615=Y,2018-3620=Y,2018-3639=Y,2018-3640=Y,2018-3646=Y,2019-11135=N,2020-0543=N,
+# 0x000306E7,2017-5715=Y,2017-5753=Y,2017-5754=Y,2018-12126=Y,2018-12127=Y,2018-12130=Y,2018-12207=Y,2018-3615=Y,2018-3620=Y,2018-3639=Y,2018-3640=Y,2018-3646=Y,2019-11135=N,2020-0543=N,
+# 0x000306F2,2017-5715=MS,2017-5753=S,2017-5754=S,2018-12126=MS,2018-12127=MS,2018-12130=MS,2018-12207=S,2018-3615=MS,2018-3620=MS,2018-3639=MS,2018-3640=M,2018-3646=MS,2019-11135=N,2020-0543=N,2022-40982=N,
+# 0x000306F4,2017-5715=MS,2017-5753=S,2017-5754=S,2018-12126=MS,2018-12127=MS,2018-12130=MS,2018-12207=S,2018-3615=MS,2018-3620=MS,2018-3639=MS,2018-3640=M,2018-3646=MS,2019-11135=MS,2020-0543=N,2022-40982=N,
+# 0x00040651,2017-5715=Y,2017-5753=Y,2017-5754=Y,2018-12126=Y,2018-12127=Y,2018-12130=Y,2018-12207=Y,2018-3615=Y,2018-3620=Y,2018-3639=Y,2018-3640=Y,2018-3646=Y,2019-11135=N,2020-0543=Y,
+# 0x00040661,2017-5715=Y,2017-5753=Y,2017-5754=Y,2018-12126=Y,2018-12127=Y,2018-12130=Y,2018-12207=Y,2018-3615=Y,2018-3620=Y,2018-3639=Y,2018-3640=Y,2018-3646=Y,2019-11135=N,2020-0543=Y,
+# 0x00040671,2017-5715=Y,2017-5753=Y,2017-5754=Y,2018-12126=Y,2018-12127=Y,2018-12130=Y,2018-12207=Y,2018-3615=Y,2018-3620=Y,2018-3639=Y,2018-3640=Y,2018-3646=Y,2019-11135=Y,2020-0543=Y,
+# 0x000406A0,2017-5715=Y,2017-5753=Y,2017-5754=Y,2018-12126=Y,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=N,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,
+# 0x000406C3,2017-5715=Y,2017-5753=Y,2017-5754=Y,2018-12126=Y,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=N,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,
+# 0x000406C4,2017-5715=Y,2017-5753=Y,2017-5754=Y,2018-12126=Y,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=N,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,
+# 0x000406D8,2017-5715=Y,2017-5753=Y,2017-5754=Y,2018-12126=Y,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=N,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,
+# 0x000406E3,2017-5715=MS,2017-5753=S,2017-5754=S,2018-12126=MS,2018-12127=MS,2018-12130=MS,2018-12207=S,2018-3615=MS,2018-3620=MS,2018-3639=MS,2018-3640=M,2018-3646=MS,2019-11135=MS,2020-0543=MS,
+# 0x000406F1,2017-5715=MS,2017-5753=S,2017-5754=S,2018-12126=MS,2018-12127=MS,2018-12130=MS,2018-12207=S,2018-3615=MS,2018-3620=MS,2018-3639=MS,2018-3640=M,2018-3646=MS,2019-11135=MS,2020-0543=N,2022-40982=N,
+# 0x00050653,2017-5715=MS,2017-5753=S,2017-5754=S,2018-12126=MS,2018-12127=MS,2018-12130=MS,2018-12207=S,2018-3615=MS,2018-3620=MS,2018-3639=MS,2018-3640=M,2018-3646=MS,2019-11135=MS,2020-0543=N,2022-40982=M,
+# 0x00050654,2017-5715=MS,2017-5753=S,2017-5754=S,2018-12126=MS,2018-12127=MS,2018-12130=MS,2018-12207=S,2018-3615=MS,2018-3620=MS,2018-3639=MS,2018-3640=M,2018-3646=MS,2019-11135=MS,2020-0543=N,2022-40982=M,
+# 0x00050656,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=S,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=N,2018-3646=N,2019-11135=MS,2020-0543=N,2022-40982=M,
+# 0x00050657,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=S,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=N,2018-3646=N,2019-11135=MS,2020-0543=N,2022-40982=M,
+# 0x0005065A,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=S,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=M,
+# 0x0005065B,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=S,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=M,
+# 0x00050662,2017-5715=Y,2017-5753=Y,2017-5754=Y,2018-12126=Y,2018-12127=Y,2018-12130=Y,2018-12207=Y,2018-3615=Y,2018-3620=Y,2018-3639=Y,2018-3640=Y,2018-3646=Y,2019-11135=Y,2020-0543=N,
+# 0x00050663,2017-5715=MS,2017-5753=S,2017-5754=S,2018-12126=MS,2018-12127=MS,2018-12130=MS,2018-12207=S,2018-3615=MS,2018-3620=MS,2018-3639=MS,2018-3640=M,2018-3646=MS,2019-11135=MS,2020-0543=N,2022-40982=N,
+# 0x00050664,2017-5715=MS,2017-5753=S,2017-5754=S,2018-12126=MS,2018-12127=MS,2018-12130=MS,2018-12207=S,2018-3615=MS,2018-3620=MS,2018-3639=MS,2018-3640=M,2018-3646=MS,2019-11135=MS,2020-0543=N,2022-40982=N,
+# 0x00050665,2017-5715=MS,2017-5753=S,2017-5754=S,2018-12126=MS,2018-12127=MS,2018-12130=MS,2018-12207=S,2018-3615=MS,2018-3620=MS,2018-3639=MS,2018-3640=M,2018-3646=MS,2019-11135=MS,2020-0543=N,2022-40982=N,
+# 0x000506A0,2017-5715=Y,2017-5753=Y,2017-5754=Y,2018-12126=Y,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=N,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,
+# 0x000506C9,2017-5715=MS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=MS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=N,
+# 0x000506CA,2017-5715=MS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=MS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=N,
+# 0x000506D0,2017-5715=Y,2017-5753=Y,2017-5754=Y,2018-12126=Y,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=N,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,
+# 0x000506E3,2017-5715=MS,2017-5753=S,2017-5754=S,2018-12126=MS,2018-12127=MS,2018-12130=MS,2018-12207=S,2018-3615=MS,2018-3620=MS,2018-3639=MS,2018-3640=M,2018-3646=MS,2019-11135=MS,2020-0543=MS,2022-40982=N,
+# 0x000506F1,2017-5715=MS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=MS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=N,
+# 0x00060650,2017-5715=Y,2017-5753=Y,2017-5754=Y,2018-12126=Y,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=N,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,
+# 0x000606A0,2017-5715=Y,2017-5753=Y,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=Y,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,
+# 0x000606A4,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=M,
+# 0x000606A5,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=M,
+# 0x000606A6,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=M,
+# 0x000606C1,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=M,
+# 0x000606E1,2017-5715=Y,2017-5753=Y,2017-5754=Y,2018-12126=Y,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=N,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,
+# 0x0007065A,2017-5715=Y,2017-5753=Y,2017-5754=Y,2018-12126=Y,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=N,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,
+# 0x000706A1,2017-5715=MS,2017-5753=S,2017-5754=S,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=MS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=N,
+# 0x000706A8,2017-5715=MS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=N,
+# 0x000706E5,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=HM,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=M,
+# 0x00080660,2017-5715=Y,2017-5753=Y,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=Y,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,
+# 0x00080664,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=N,
+# 0x00080665,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=MS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=N,
+# 0x00080667,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=MS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=N,
+# 0x000806A0,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=HM,2018-12127=N,2018-12130=N,2018-12207=S,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=N,
+# 0x000806A1,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=HM,2018-12127=N,2018-12130=N,2018-12207=S,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=N,
+# 0x000806C0,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=M,
+# 0x000806C1,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=M,
+# 0x000806C2,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=M,
+# 0x000806D0,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=M,
+# 0x000806D1,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=M,
+# 0x000806E9,2017-5715=MS,2017-5753=S,2017-5754=S,2018-12126=MS,2018-12127=MS,2018-12130=MS,2018-12207=S,2018-3615=MS,2018-3620=MS,2018-3639=MS,2018-3640=M,2018-3646=MS,2019-11135=MS,2020-0543=M,2022-40982=M,
+# 0x000806EA,2017-5715=MS,2017-5753=S,2017-5754=S,2018-12126=MS,2018-12127=MS,2018-12130=MS,2018-12207=S,2018-3615=MS,2018-3620=MS,2018-3639=MS,2018-3640=M,2018-3646=MS,2019-11135=MS,2020-0543=MS,2022-40982=M,
+# 0x000806EB,2017-5715=MS,2017-5753=S,2017-5754=N,2018-12126=MS,2018-12127=MS,2018-12130=MS,2018-12207=S,2018-3615=N,2018-3620=N,2018-3639=MS,2018-3640=M,2018-3646=N,2019-11135=MS,2020-0543=MS,2022-40982=M,
+# 0x000806EC,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=S,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=N,2018-3646=N,2019-11135=MS,2020-0543=MS,2022-40982=M,
+# 0x000806F7,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=N,
+# 0x000806F8,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=N,
+# 0x00090660,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=N,
+# 0x00090661,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=N,
+# 0x00090670,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=N,
+# 0x00090671,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=N,
+# 0x00090672,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=N,
+# 0x00090673,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=N,
+# 0x00090674,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=N,
+# 0x00090675,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=MS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=N,
+# 0x000906A0,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=MS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=N,
+# 0x000906A2,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=MS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=N,
+# 0x000906A3,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=MS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=N,
+# 0x000906A4,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=MS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=N,
+# 0x000906C0,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=N,
+# 0x000906E9,2017-5715=MS,2017-5753=S,2017-5754=S,2018-12126=MS,2018-12127=MS,2018-12130=MS,2018-12207=S,2018-3615=MS,2018-3620=MS,2018-3639=MS,2018-3640=M,2018-3646=MS,2019-11135=MS,2020-0543=MS,2022-40982=M,
+# 0x000906EA,2017-5715=MS,2017-5753=S,2017-5754=S,2018-12126=MS,2018-12127=MS,2018-12130=MS,2018-12207=S,2018-3615=MS,2018-3620=MS,2018-3639=MS,2018-3640=M,2018-3646=MS,2019-11135=MS,2020-0543=MS,2022-40982=M,
+# 0x000906EB,2017-5715=MS,2017-5753=S,2017-5754=S,2018-12126=MS,2018-12127=MS,2018-12130=MS,2018-12207=S,2018-3615=MS,2018-3620=MS,2018-3639=MS,2018-3640=M,2018-3646=MS,2019-11135=MS,2020-0543=MS,2022-40982=M,
+# 0x000906EC,2017-5715=MS,2017-5753=S,2017-5754=N,2018-12126=MS,2018-12127=MS,2018-12130=MS,2018-12207=S,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=M,2018-3646=N,2019-11135=MS,2020-0543=MS,2022-40982=M,
+# 0x000906ED,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=S,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=M,2018-3646=N,2019-11135=MS,2020-0543=MS,2022-40982=M,
+# 0x000A0650,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=S,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=M,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=M,
+# 0x000A0651,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=S,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=M,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=M,
+# 0x000A0652,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=S,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=M,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=M,
+# 0x000A0653,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=S,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=M,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=M,
+# 0x000A0655,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=S,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=M,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=M,
+# 0x000A0660,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=S,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=M,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=M,
+# 0x000A0661,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=S,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=M,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=M,
+# 0x000A0670,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=M,
+# 0x000A0671,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=M,
+# 0x000A0680,2017-5715=Y,2017-5753=Y,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=Y,2018-3615=N,2018-3620=N,2018-3639=Y,2018-3640=Y,2018-3646=N,2019-11135=N,2020-0543=N,
+# 0x000B0671,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=N,
+# 0x000B06A2,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=N,
+# 0x000B06A3,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=N,
+# 0x000B06F2,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=N,
+# 0x000B06F5,2017-5715=HS,2017-5753=S,2017-5754=N,2018-12126=N,2018-12127=N,2018-12130=N,2018-12207=N,2018-3615=N,2018-3620=N,2018-3639=HS,2018-3640=N,2018-3646=N,2019-11135=N,2020-0543=N,2022-40982=N,
+# %%% ENDOFINTELDB
--- a/src/db/200_mcedb.sh
+++ b/src/db/200_mcedb.sh
@@ -0,0 +1,613 @@
+# vim: set ts=4 sw=4 sts=4 et:
+# We're using MCE.db from the excellent platomav's MCExtractor project
+# The builtin version follows, but the user can download an up-to-date copy (to be stored in their $HOME) by using --update-fwdb
+# To update the builtin version itself (by *modifying* this very file), use --update-builtin-fwdb
+#
+# The format below is:
+# X,CPUID_HEX,MICROCODE_VERSION_HEX,YYYYMMDD
+# with X being either I for Intel, or A for AMD
+# When the date is unknown it defaults to 20000101
+
+# %%% MCEDB v349+i20260227+615b
+# I,0x00000611,0xFF,0x00000B27,19961218
+# I,0x00000612,0xFF,0x000000C6,19961210
+# I,0x00000616,0xFF,0x000000C6,19961210
+# I,0x00000617,0xFF,0x000000C6,19961210
+# I,0x00000619,0xFF,0x000000D2,19980218
+# I,0x00000630,0xFF,0x00000013,19960827
+# I,0x00000632,0xFF,0x00000020,19960903
+# I,0x00000633,0xFF,0x00000036,19980923
+# I,0x00000634,0xFF,0x00000037,19980923
+# I,0x00000650,0x01,0x00000040,19990525
+# I,0x00000650,0x02,0x00000041,19990525
+# I,0x00000650,0x08,0x00000045,19990525
+# I,0x00000651,0x01,0x00000040,19990525
+# I,0x00000652,0x01,0x0000002A,19990512
+# I,0x00000652,0x02,0x0000002C,19990517
+# I,0x00000652,0x04,0x0000002B,19990512
+# I,0x00000653,0x01,0x00000010,19990628
+# I,0x00000653,0x02,0x0000000C,19990518
+# I,0x00000653,0x04,0x0000000B,19990520
+# I,0x00000653,0x08,0x0000000D,19990518
+# I,0x00000660,0x01,0x0000000A,19990505
+# I,0x00000665,0x10,0x00000003,19990505
+# I,0x0000066A,0x02,0x0000000C,19990505
+# I,0x0000066A,0x08,0x0000000D,19990505
+# I,0x0000066A,0x20,0x0000000B,19990505
+# I,0x0000066D,0x02,0x00000005,19990312
+# I,0x0000066D,0x08,0x00000006,19990312
+# I,0x0000066D,0x20,0x00000007,19990505
+# I,0x00000670,0xFF,0x00000007,19980602
+# I,0x00000671,0x04,0x00000014,19980811
+# I,0x00000672,0x04,0x00000038,19990922
+# I,0x00000673,0x04,0x0000002E,19990910
+# I,0x00000680,0xFF,0x00000017,19990610
+# I,0x00000681,0x01,0x0000000D,19990921
+# I,0x00000681,0x04,0x00000010,19990921
+# I,0x00000681,0x08,0x0000000F,19990921
+# I,0x00000681,0x10,0x00000011,19990921
+# I,0x00000681,0x20,0x0000000E,19990921
+# I,0x00000683,0x08,0x00000008,19991015
+# I,0x00000683,0x20,0x00000007,19991015
+# I,0x00000686,0x01,0x00000007,20000505
+# I,0x00000686,0x02,0x0000000A,20000504
+# I,0x00000686,0x04,0x00000002,20000504
+# I,0x00000686,0x10,0x00000008,20000505
+# I,0x00000686,0x80,0x0000000C,20000504
+# I,0x0000068A,0x10,0x00000001,20001102
+# I,0x0000068A,0x20,0x00000004,20001207
+# I,0x0000068A,0x80,0x00000005,20001207
+# I,0x00000690,0xFF,0x00000004,20000206
+# I,0x00000691,0xFF,0x00000001,20020527
+# I,0x00000692,0xFF,0x00000001,20020620
+# I,0x00000694,0xFF,0x00000002,20020926
+# I,0x00000695,0x10,0x00000007,20041109
+# I,0x00000695,0x20,0x00000007,20041109
+# I,0x00000695,0x80,0x00000047,20041109
+# I,0x00000696,0xFF,0x00000001,20000707
+# I,0x000006A0,0x04,0x00000003,20000110
+# I,0x000006A1,0x04,0x00000001,20000306
+# I,0x000006A4,0xFF,0x00000001,20000616
+# I,0x000006B0,0xFF,0x0000001A,20010129
+# I,0x000006B1,0x10,0x0000001C,20010215
+# I,0x000006B1,0x20,0x0000001D,20010220
+# I,0x000006B4,0x10,0x00000001,20020110
+# I,0x000006B4,0x20,0x00000002,20020111
+# I,0x000006D0,0xFF,0x00000006,20030522
+# I,0x000006D1,0xFF,0x00000009,20030709
+# I,0x000006D2,0xFF,0x00000010,20030814
+# I,0x000006D6,0x20,0x00000018,20041017
+# I,0x000006D8,0xFF,0x00000021,20060831
+# I,0x000006E0,0xFF,0x00000008,20050215
+# I,0x000006E1,0xFF,0x0000000C,20050413
+# I,0x000006E4,0xFF,0x00000026,20050816
+# I,0x000006E8,0x20,0x00000039,20051115
+# I,0x000006EC,0x20,0x00000054,20060501
+# I,0x000006EC,0x80,0x00000059,20060912
+# I,0x000006F0,0xFF,0x00000005,20050818
+# I,0x000006F1,0xFF,0x00000012,20051129
+# I,0x000006F2,0x01,0x0000005D,20101002
+# I,0x000006F2,0x20,0x0000005C,20101002
+# I,0x000006F4,0xFF,0x00000028,20060417
+# I,0x000006F5,0xFF,0x00000039,20060727
+# I,0x000006F6,0x01,0x000000D0,20100930
+# I,0x000006F6,0x04,0x000000D2,20101001
+# I,0x000006F6,0x20,0x000000D1,20101001
+# I,0x000006F7,0x10,0x0000006A,20101002
+# I,0x000006F7,0x40,0x0000006B,20101002
+# I,0x000006F9,0xFF,0x00000084,20061012
+# I,0x000006FA,0x80,0x00000095,20101002
+# I,0x000006FB,0x01,0x000000BA,20101003
+# I,0x000006FB,0x04,0x000000BC,20101003
+# I,0x000006FB,0x08,0x000000BB,20101003
+# I,0x000006FB,0x10,0x000000BA,20101003
+# I,0x000006FB,0x20,0x000000BA,20101003
+# I,0x000006FB,0x40,0x000000BC,20101003
+# I,0x000006FB,0x80,0x000000BA,20101003
+# I,0x000006FD,0x01,0x000000A4,20101002
+# I,0x000006FD,0x20,0x000000A4,20101002
+# I,0x000006FD,0x80,0x000000A4,20101002
+# I,0x00000F00,0xFF,0xFFFF0001,20000130
+# I,0x00000F01,0xFF,0xFFFF0007,20000404
+# I,0x00000F02,0xFF,0xFFFF000B,20000518
+# I,0x00000F03,0xFF,0xFFFF0001,20000518
+# I,0x00000F04,0xFF,0xFFFF0010,20000803
+# I,0x00000F05,0xFF,0x0000000C,20000824
+# I,0x00000F06,0xFF,0x00000004,20000911
+# I,0x00000F07,0x01,0x00000012,20020716
+# I,0x00000F07,0x02,0x00000008,20001115
+# I,0x00000F08,0xFF,0x00000008,20001101
+# I,0x00000F09,0xFF,0x00000008,20010104
+# I,0x00000F0A,0x01,0x00000013,20020716
+# I,0x00000F0A,0x02,0x00000015,20020821
+# I,0x00000F0A,0x04,0x00000014,20020716
+# I,0x00000F11,0xFF,0x0000000A,20030729
+# I,0x00000F12,0x04,0x0000002E,20030502
+# I,0x00000F13,0xFF,0x00000005,20030508
+# I,0x00000F20,0xFF,0x00000001,20010423
+# I,0x00000F21,0xFF,0x00000003,20010529
+# I,0x00000F22,0xFF,0x00000005,20030729
+# I,0x00000F23,0xFF,0x0000000D,20010817
+# I,0x00000F24,0x02,0x0000001F,20030605
+# I,0x00000F24,0x04,0x0000001E,20030605
+# I,0x00000F24,0x10,0x00000021,20030610
+# I,0x00000F25,0x01,0x00000029,20040811
+# I,0x00000F25,0x02,0x0000002A,20040811
+# I,0x00000F25,0x04,0x0000002B,20040811
+# I,0x00000F25,0x10,0x0000002C,20040826
+# I,0x00000F26,0x02,0x00000010,20040805
+# I,0x00000F27,0x02,0x00000038,20030604
+# I,0x00000F27,0x04,0x00000037,20030604
+# I,0x00000F27,0x08,0x00000039,20030604
+# I,0x00000F29,0x02,0x0000002D,20040811
+# I,0x00000F29,0x04,0x0000002E,20040811
+# I,0x00000F29,0x08,0x0000002F,20040811
+# I,0x00000F30,0xFF,0x00000013,20030815
+# I,0x00000F31,0xFF,0x0000000B,20031021
+# I,0x00000F32,0x0D,0x0000000A,20040511
+# I,0x00000F33,0x0D,0x0000000C,20050421
+# I,0x00000F34,0x1D,0x00000017,20050421
+# I,0x00000F36,0xFF,0x00000007,20040309
+# I,0x00000F37,0xFF,0x00000003,20031218
+# I,0x00000F40,0xFF,0x00000006,20040318
+# I,0x00000F41,0x02,0x00000016,20050421
+# I,0x00000F41,0xBD,0x00000017,20050422
+# I,0x00000F42,0xFF,0x00000003,20050421
+# I,0x00000F43,0x9D,0x00000005,20050421
+# I,0x00000F44,0x9D,0x00000006,20050421
+# I,0x00000F46,0xFF,0x00000004,20050411
+# I,0x00000F47,0x9D,0x00000003,20050421
+# I,0x00000F48,0x01,0x0000000C,20060508
+# I,0x00000F48,0x02,0x0000000E,20080115
+# I,0x00000F48,0x5F,0x00000007,20050630
+# I,0x00000F49,0xBD,0x00000003,20050421
+# I,0x00000F4A,0x5C,0x00000004,20051214
+# I,0x00000F4A,0x5D,0x00000002,20050610
+# I,0x00000F60,0xFF,0x00000005,20050124
+# I,0x00000F61,0xFF,0x00000008,20050610
+# I,0x00000F62,0x04,0x0000000F,20051215
+# I,0x00000F63,0xFF,0x00000005,20051010
+# I,0x00000F64,0x01,0x00000002,20051215
+# I,0x00000F64,0x34,0x00000004,20051223
+# I,0x00000F65,0x01,0x00000008,20060426
+# I,0x00000F66,0xFF,0x0000001B,20060310
+# I,0x00000F68,0x22,0x00000009,20060714
+# I,0x00001632,0x00,0x00000002,19980610
+# I,0x00010650,0xFF,0x00000002,20060513
+# I,0x00010660,0xFF,0x00000004,20060612
+# I,0x00010661,0x01,0x00000043,20101004
+# I,0x00010661,0x02,0x00000042,20101004
+# I,0x00010661,0x80,0x00000044,20101004
+# I,0x00010670,0xFF,0x00000005,20070209
+# I,0x00010671,0xFF,0x00000106,20070329
+# I,0x00010674,0xFF,0x84050100,20070726
+# I,0x00010676,0x01,0x0000060F,20100929
+# I,0x00010676,0x04,0x0000060F,20100929
+# I,0x00010676,0x10,0x0000060F,20100929
+# I,0x00010676,0x40,0x0000060F,20100929
+# I,0x00010676,0x80,0x0000060F,20100929
+# I,0x00010677,0x10,0x0000070A,20100929
+# I,0x0001067A,0x11,0x00000A0B,20100928
+# I,0x0001067A,0x44,0x00000A0B,20100928
+# I,0x0001067A,0xA0,0x00000A0B,20100928
+# I,0x000106A0,0xFF,0xFFFF001A,20071128
+# I,0x000106A1,0xFF,0xFFFF000B,20080220
+# I,0x000106A2,0xFF,0xFFFF0019,20080714
+# I,0x000106A4,0x03,0x00000012,20130621
+# I,0x000106A5,0x03,0x0000001D,20180511
+# I,0x000106C0,0xFF,0x00000007,20070824
+# I,0x000106C1,0xFF,0x00000109,20071203
+# I,0x000106C2,0x01,0x00000217,20090410
+# I,0x000106C2,0x04,0x00000218,20090410
+# I,0x000106C2,0x08,0x00000219,20090410
+# I,0x000106C9,0xFF,0x00000007,20090213
+# I,0x000106CA,0x01,0x00000107,20090825
+# I,0x000106CA,0x04,0x00000107,20090825
+# I,0x000106CA,0x08,0x00000107,20090825
+# I,0x000106CA,0x10,0x00000107,20090825
+# I,0x000106D0,0xFF,0x00000005,20071204
+# I,0x000106D1,0x08,0x00000029,20100930
+# I,0x000106E0,0xFF,0xFFFF0022,20090116
+# I,0x000106E1,0xFF,0xFFFF000D,20090206
+# I,0x000106E2,0xFF,0xFFFF0011,20090924
+# I,0x000106E3,0xFF,0xFFFF0011,20090512
+# I,0x000106E4,0xFF,0x00000003,20130701
+# I,0x000106E5,0x13,0x0000000A,20180508
+# I,0x000106F0,0xFF,0xFFFF0009,20090210
+# I,0x000106F1,0xFF,0xFFFF0007,20090210
+# I,0x00020650,0xFF,0xFFFF0008,20090218
+# I,0x00020651,0xFF,0xFFFF0018,20090818
+# I,0x00020652,0x12,0x00000011,20180508
+# I,0x00020654,0xFF,0xFFFF0007,20091124
+# I,0x00020655,0x92,0x00000007,20180423
+# I,0x00020661,0x01,0x00000104,20091023
+# I,0x00020661,0x02,0x00000105,20110718
+# I,0x000206A0,0xFF,0x00000029,20091102
+# I,0x000206A1,0xFF,0x00000007,20091223
+# I,0x000206A2,0xFF,0x00000027,20100502
+# I,0x000206A3,0xFF,0x00000009,20100609
+# I,0x000206A4,0xFF,0x00000022,20100414
+# I,0x000206A5,0xFF,0x00000007,20100722
+# I,0x000206A6,0xFF,0x90030028,20100924
+# I,0x000206A7,0x12,0x0000002F,20190217
+# I,0x000206C0,0xFF,0xFFFF001C,20091214
+# I,0x000206C1,0xFF,0x00000006,20091222
+# I,0x000206C2,0x03,0x0000001F,20180508
+# I,0x000206D0,0xFF,0x80000006,20100816
+# I,0x000206D1,0xFF,0x80000106,20101201
+# I,0x000206D2,0xFF,0xAF506958,20110714
+# I,0x000206D3,0xFF,0xAF50696A,20110816
+# I,0x000206D5,0xFF,0xAF5069E5,20120118
+# I,0x000206D6,0x6D,0x00000621,20200304
+# I,0x000206D7,0x6D,0x0000071A,20200324
+# I,0x000206E0,0xFF,0xE3493401,20090108
+# I,0x000206E1,0xFF,0xE3493402,20090224
+# I,0x000206E2,0xFF,0xFFFF0004,20081001
+# I,0x000206E3,0xFF,0xE4486547,20090701
+# I,0x000206E4,0xFF,0xFFFF0008,20090619
+# I,0x000206E5,0xFF,0xFFFF0018,20091215
+# I,0x000206E6,0x04,0x0000000D,20180515
+# I,0x000206F0,0xFF,0x00000005,20100729
+# I,0x000206F1,0xFF,0x00000008,20101013
+# I,0x000206F2,0x05,0x0000003B,20180516
+# I,0x00030650,0xFF,0x00000009,20120118
+# I,0x00030651,0xFF,0x00000110,20131014
+# I,0x00030660,0xFF,0x00000003,20101103
+# I,0x00030661,0xFF,0x0000010F,20150721
+# I,0x00030669,0xFF,0x0000010D,20130515
+# I,0x00030671,0xFF,0x00000117,20130410
+# I,0x00030672,0xFF,0x0000022E,20140401
+# I,0x00030673,0xFF,0x83290100,20190916
+# I,0x00030678,0x02,0x00000838,20190422
+# I,0x00030678,0x0C,0x00000838,20190422
+# I,0x00030679,0x0F,0x0000090D,20190710
+# I,0x000306A0,0xFF,0x00000007,20110407
+# I,0x000306A2,0xFF,0x0000000C,20110725
+# I,0x000306A4,0xFF,0x00000007,20110908
+# I,0x000306A5,0xFF,0x00000009,20111110
+# I,0x000306A6,0xFF,0x00000004,20111114
+# I,0x000306A8,0xFF,0x00000010,20120220
+# I,0x000306A9,0x12,0x00000021,20190213
+# I,0x000306C0,0xFF,0xFFFF0013,20111110
+# I,0x000306C1,0xFF,0xFFFF0014,20120725
+# I,0x000306C2,0xFF,0xFFFF0006,20121017
+# I,0x000306C3,0x32,0x00000028,20191112
+# I,0x000306D1,0xFF,0xFFFF0009,20131015
+# I,0x000306D2,0xFF,0xFFFF0009,20131219
+# I,0x000306D3,0xFF,0xE3121338,20140825
+# I,0x000306D4,0xC0,0x0000002F,20191112
+# I,0x000306E0,0xFF,0xE920080F,20121113
+# I,0x000306E2,0xFF,0xE9220827,20130523
+# I,0x000306E3,0xFF,0x00000308,20130321
+# I,0x000306E4,0xED,0x0000042E,20190314
+# I,0x000306E6,0xED,0x00000600,20130619
+# I,0x000306E7,0xED,0x00000715,20190314
+# I,0x000306F0,0xFF,0xFFFF0017,20130730
+# I,0x000306F1,0xFF,0xD141D629,20140416
+# I,0x000306F2,0x6F,0x00000049,20210811
+# I,0x000306F3,0xFF,0x0000000D,20160211
+# I,0x000306F4,0x80,0x0000001A,20210524
+# I,0x00040650,0xFF,0xFFFF000B,20121206
+# I,0x00040651,0x72,0x00000026,20191112
+# I,0x00040660,0xFF,0xFFFF0011,20121012
+# I,0x00040661,0x32,0x0000001C,20191112
+# I,0x00040670,0xFF,0xFFFF0006,20140304
+# I,0x00040671,0x22,0x00000022,20191112
+# I,0x000406A0,0xFF,0x80124001,20130521
+# I,0x000406A8,0xFF,0x0000081F,20140812
+# I,0x000406A9,0xFF,0x0000081F,20140812
+# I,0x000406C1,0xFF,0x0000010B,20140814
+# I,0x000406C2,0xFF,0x00000221,20150218
+# I,0x000406C3,0x01,0x00000368,20190423
+# I,0x000406C4,0x01,0x00000411,20190423
+# I,0x000406D0,0xFF,0x0000000E,20130612
+# I,0x000406D8,0x01,0x0000012D,20190916
+# I,0x000406E1,0xFF,0x00000020,20141111
+# I,0x000406E2,0xFF,0x0000002C,20150521
+# I,0x000406E3,0xC0,0x000000F0,20211112
+# I,0x000406E8,0xFF,0x00000026,20160414
+# I,0x000406F0,0xFF,0x00000014,20150702
+# I,0x000406F1,0xFF,0x0B000041,20240216
+# I,0x00050650,0xFF,0x8000002B,20160208
+# I,0x00050651,0xFF,0x8000002B,20160208
+# I,0x00050652,0xFF,0x80000037,20170502
+# I,0x00050653,0x97,0x01000191,20230728
+# I,0x00050654,0xB7,0x02007006,20230306
+# I,0x00050655,0xB7,0x03000010,20181116
+# I,0x00050656,0xFF,0x04003901,20241212
+# I,0x00050657,0xBF,0x05003901,20241212
+# I,0x0005065A,0xFF,0x86002302,20210416
+# I,0x0005065B,0xBF,0x07002B01,20241212
+# I,0x00050661,0xFF,0xF1000008,20150130
+# I,0x00050662,0x10,0x0000001C,20190617
+# I,0x00050663,0x10,0x0700001C,20210612
+# I,0x00050664,0x10,0x0F00001A,20210612
+# I,0x00050665,0x10,0x0E000015,20230803
+# I,0x00050670,0xFF,0xFFFF0030,20151113
+# I,0x00050671,0xFF,0x000001B6,20180108
+# I,0x000506A0,0xFF,0x00000038,20150112
+# I,0x000506C0,0xFF,0x00000002,20140613
+# I,0x000506C2,0x01,0x00000014,20180511
+# I,0x000506C8,0xFF,0x90011010,20160323
+# I,0x000506C9,0x03,0x00000048,20211116
+# I,0x000506CA,0x03,0x00000028,20211116
+# I,0x000506D1,0xFF,0x00000102,20150605
+# I,0x000506E0,0xFF,0x00000018,20141119
+# I,0x000506E1,0xFF,0x0000002A,20150602
+# I,0x000506E2,0xFF,0x0000002E,20150815
+# I,0x000506E3,0x36,0x000000F0,20211112
+# I,0x000506E8,0xFF,0x00000034,20160710
+# I,0x000506F0,0xFF,0x00000010,20160607
+# I,0x000506F1,0x01,0x0000003E,20231005
+# I,0x00060660,0xFF,0x0000000C,20160821
+# I,0x00060661,0xFF,0x0000000E,20170128
+# I,0x00060662,0xFF,0x00000022,20171129
+# I,0x00060663,0x80,0x0000002A,20180417
+# I,0x000606A0,0xFF,0x80000031,20200308
+# I,0x000606A4,0xFF,0x0B000280,20200817
+# I,0x000606A5,0x87,0x0C0002F0,20210308
+# I,0x000606A6,0x87,0x0D000421,20250819
+# I,0x000606C0,0xFF,0xFD000220,20210629
+# I,0x000606C1,0x10,0x010002F1,20250819
+# I,0x000606E0,0xFF,0x0000000B,20161104
+# I,0x000606E1,0xFF,0x00000108,20190423
+# I,0x000606E4,0xFF,0x0000000C,20190124
+# I,0x000706A0,0xFF,0x00000026,20170712
+# I,0x000706A1,0x01,0x00000042,20240419
+# I,0x000706A8,0x01,0x00000026,20241205
+# I,0x000706E0,0xFF,0x0000002C,20180614
+# I,0x000706E1,0xFF,0x00000042,20190420
+# I,0x000706E2,0xFF,0x00000042,20190420
+# I,0x000706E3,0xFF,0x81000008,20181002
+# I,0x000706E4,0xFF,0x00000046,20190905
+# I,0x000706E5,0x80,0x000000CC,20250724
+# I,0x00080650,0xFF,0x00000018,20180108
+# I,0x00080664,0xFF,0x4C000025,20230926
+# I,0x00080665,0xFF,0x4C000026,20240228
+# I,0x00080667,0xFF,0x4C000026,20240228
+# I,0x000806A0,0xFF,0x00000010,20190507
+# I,0x000806A1,0x10,0x00000033,20230113
+# I,0x000806C0,0xFF,0x00000068,20200402
+# I,0x000806C1,0x80,0x000000BE,20250724
+# I,0x000806C2,0xC2,0x0000003E,20250724
+# I,0x000806D0,0xFF,0x00000054,20210507
+# I,0x000806D1,0xC2,0x00000058,20250724
+# I,0x000806E9,0x10,0x000000F6,20240201
+# I,0x000806E9,0xC0,0x000000F6,20240201
+# I,0x000806EA,0xC0,0x000000F6,20240201
+# I,0x000806EB,0xD0,0x000000F6,20240201
+# I,0x000806EC,0x94,0x00000100,20241117
+# I,0x000806F1,0xFF,0x800003C0,20220327
+# I,0x000806F2,0xFF,0x8C0004E0,20211112
+# I,0x000806F3,0xFF,0x8D000520,20220812
+# I,0x000806F4,0x10,0x2C000421,20250825
+# I,0x000806F4,0x87,0x2B000661,20250825
+# I,0x000806F5,0x10,0x2C000421,20250825
+# I,0x000806F5,0x87,0x2B000661,20250825
+# I,0x000806F6,0x10,0x2C000421,20250825
+# I,0x000806F6,0x87,0x2B000661,20250825
+# I,0x000806F7,0x87,0x2B000661,20250825
+# I,0x000806F8,0x10,0x2C000421,20250825
+# I,0x000806F8,0x87,0x2B000661,20250825
+# I,0x00090660,0xFF,0x00000009,20200617
+# I,0x00090661,0x01,0x0000001A,20240405
+# I,0x00090670,0xFF,0x00000019,20201111
+# I,0x00090671,0xFF,0x0000001C,20210614
+# I,0x00090672,0x07,0x0000003E,20251012
+# I,0x00090674,0xFF,0x00000219,20210425
+# I,0x00090675,0x07,0x0000003E,20251012
+# I,0x000906A0,0xFF,0x0000001C,20210614
+# I,0x000906A1,0xFF,0x0000011F,20211104
+# I,0x000906A2,0xFF,0x00000315,20220102
+# I,0x000906A3,0x80,0x0000043B,20251012
+# I,0x000906A4,0x40,0x0000000C,20250710
+# I,0x000906A4,0x80,0x0000043B,20251012
+# I,0x000906C0,0x01,0x24000026,20230926
+# I,0x000906E9,0x2A,0x000000F8,20230928
+# I,0x000906EA,0x22,0x000000FA,20240728
+# I,0x000906EB,0x02,0x000000F6,20240201
+# I,0x000906EC,0x22,0x000000F8,20240201
+# I,0x000906ED,0x22,0x00000104,20241114
+# I,0x000A0650,0xFF,0x000000BE,20191010
+# I,0x000A0651,0xFF,0x000000C2,20191113
+# I,0x000A0652,0x20,0x00000100,20241114
+# I,0x000A0653,0x22,0x00000100,20241114
+# I,0x000A0654,0xFF,0x000000C6,20200123
+# I,0x000A0655,0x22,0x00000100,20241114
+# I,0x000A0660,0x80,0x00000102,20241114
+# I,0x000A0661,0x80,0x00000100,20241114
+# I,0x000A0670,0xFF,0x0000002C,20201124
+# I,0x000A0671,0x02,0x00000065,20250724
+# I,0x000A0680,0xFF,0x80000002,20200121
+# I,0x000A06A1,0xFF,0x00000017,20230518
+# I,0x000A06A2,0xFF,0x00000011,20230627
+# I,0x000A06A4,0xE6,0x00000028,20250924
+# I,0x000A06C0,0xFF,0x00000013,20230901
+# I,0x000A06C1,0xFF,0x00000005,20231201
+# I,0x000A06D0,0xFF,0x10000680,20240818
+# I,0x000A06D1,0x20,0x0A000133,20251009
+# I,0x000A06D1,0x95,0x01000405,20251031
+# I,0x000A06E1,0x97,0x01000303,20251202
+# I,0x000A06F0,0xFF,0x80000360,20240130
+# I,0x000A06F3,0x01,0x03000382,20250730
+# I,0x000B0650,0x80,0x0000000D,20250925
+# I,0x000B0664,0xFF,0x00000030,20250529
+# I,0x000B0670,0xFF,0x0000000E,20220220
+# I,0x000B0671,0x32,0x00000133,20251008
+# I,0x000B0674,0x32,0x00000133,20251008
+# I,0x000B06A2,0xE0,0x00006134,20251008
+# I,0x000B06A3,0xE0,0x00006134,20251008
+# I,0x000B06A8,0xE0,0x00006134,20251008
+# I,0x000B06D0,0xFF,0x0000001A,20240610
+# I,0x000B06D1,0x80,0x00000125,20250828
+# I,0x000B06E0,0x19,0x00000021,20250912
+# I,0x000B06F2,0x07,0x0000003E,20251012
+# I,0x000B06F5,0x07,0x0000003E,20251012
+# I,0x000B06F6,0x07,0x0000003E,20251012
+# I,0x000B06F7,0x07,0x0000003E,20251012
+# I,0x000C0652,0x82,0x0000011B,20250803
+# I,0x000C0660,0xFF,0x00000018,20240516
+# I,0x000C0662,0x82,0x0000011B,20250803
+# I,0x000C0664,0x82,0x0000011B,20250803
+# I,0x000C06A2,0x82,0x0000011B,20250803
+# I,0x000C06C0,0xFF,0x00000012,20250325
+# I,0x000C06C1,0xFF,0x00000115,20251203
+# I,0x000C06C2,0xFF,0x00000115,20251203
+# I,0x000C06C3,0xFF,0x00000115,20251203
+# I,0x000C06F1,0x87,0x210002D3,20250825
+# I,0x000C06F2,0x87,0x210002D3,20250825
+# I,0x000D0670,0xFF,0x00000003,20250825
+# I,0x000D06D0,0xFF,0x00000340,20250807
+# I,0x00FF0671,0xFF,0x0000010E,20220907
+# I,0x00FF0672,0xFF,0x0000000D,20210816
+# I,0x00FF0675,0xFF,0x0000000D,20210816
+# A,0x00000F00,0xFF,0x02000008,20070614
+# A,0x00000F01,0xFF,0x0000001C,20021031
+# A,0x00000F10,0xFF,0x00000003,20020325
+# A,0x00000F11,0xFF,0x0000001F,20030220
+# A,0x00000F48,0xFF,0x00000046,20040719
+# A,0x00000F4A,0xFF,0x00000047,20040719
+# A,0x00000F50,0xFF,0x00000024,20021212
+# A,0x00000F51,0xFF,0x00000025,20030115
+# A,0x00010F50,0xFF,0x00000041,20040225
+# A,0x00020F10,0xFF,0x0000004D,20050428
+# A,0x00040F01,0xFF,0xC0012102,20050916
+# A,0x00040F0A,0xFF,0x00000068,20060920
+# A,0x00040F13,0xFF,0x0000007A,20080508
+# A,0x00040F14,0xFF,0x00000062,20060127
+# A,0x00040F1B,0xFF,0x0000006D,20060920
+# A,0x00040F33,0xFF,0x0000007B,20080514
+# A,0x00060F80,0xFF,0x00000083,20060929
+# A,0x000C0F1B,0xFF,0x0000006E,20060921
+# A,0x000F0F00,0xFF,0x00000005,20020627
+# A,0x000F0F01,0xFF,0x00000015,20020627
+# A,0x00100F00,0xFF,0x01000020,20070326
+# A,0x00100F20,0xFF,0x010000CA,20100331
+# A,0x00100F22,0xFF,0x010000C9,20100331
+# A,0x00100F2A,0xFF,0x01000084,20000101
+# A,0x00100F40,0xFF,0x01000085,20080501
+# A,0x00100F41,0xFF,0x010000DB,20111024
+# A,0x00100F42,0xFF,0x01000092,20081021
+# A,0x00100F43,0xFF,0x010000C8,20100311
+# A,0x00100F52,0xFF,0x010000DB,20000101
+# A,0x00100F53,0xFF,0x010000C8,20000101
+# A,0x00100F62,0xFF,0x010000C7,20100311
+# A,0x00100F80,0xFF,0x010000DA,20111024
+# A,0x00100F81,0xFF,0x010000D9,20111012
+# A,0x00100F91,0xFF,0x010000D9,20000101
+# A,0x00100FA0,0xFF,0x010000DC,20111024
+# A,0x00120F00,0xFF,0x03000002,20100324
+# A,0x00200F30,0xFF,0x02000018,20070921
+# A,0x00200F31,0xFF,0x02000057,20080502
+# A,0x00200F32,0xFF,0x02000034,20080307
+# A,0x00300F01,0xFF,0x0300000E,20101004
+# A,0x00300F10,0xFF,0x03000027,20111209
+# A,0x00500F00,0xFF,0x0500000B,20100601
+# A,0x00500F01,0xFF,0x0500001A,20100908
+# A,0x00500F10,0xFF,0x05000029,20130121
+# A,0x00500F20,0xFF,0x05000119,20130118
+# A,0x00580F00,0xFF,0x0500000B,20100601
+# A,0x00580F01,0xFF,0x0500001A,20100908
+# A,0x00580F10,0xFF,0x05000028,20101124
+# A,0x00580F20,0xFF,0x05000103,20110526
+# A,0x00600F00,0xFF,0x06000017,20101029
+# A,0x00600F01,0xFF,0x0600011F,20110227
+# A,0x00600F10,0xFF,0x06000425,20110408
+# A,0x00600F11,0xFF,0x0600050D,20110627
+# A,0x00600F12,0xFF,0x0600063E,20180207
+# A,0x00600F20,0xFF,0x06000852,20180206
+# A,0x00610F00,0xFF,0x0600100E,20111102
+# A,0x00610F01,0xFF,0x0600111F,20180305
+# A,0x00630F00,0xFF,0x0600301C,20130817
+# A,0x00630F01,0xFF,0x06003109,20180227
+# A,0x00660F00,0xFF,0x06006108,20150302
+# A,0x00660F01,0xFF,0x0600611A,20180126
+# A,0x00670F00,0xFF,0x06006705,20180220
+# A,0x00680F00,0xFF,0x06000017,20101029
+# A,0x00680F01,0xFF,0x0600011F,20110227
+# A,0x00680F10,0xFF,0x06000410,20110314
+# A,0x00690F00,0xFF,0x06001009,20110613
+# A,0x00700F00,0xFF,0x0700002A,20121218
+# A,0x00700F01,0xFF,0x07000110,20180209
+# A,0x00730F00,0xFF,0x07030009,20131206
+# A,0x00730F01,0xFF,0x07030106,20180209
+# A,0x00800F00,0xFF,0x0800002A,20161006
+# A,0x00800F10,0xFF,0x0800100C,20170131
+# A,0x00800F11,0xFF,0x08001139,20240822
+# A,0x00800F12,0xFF,0x08001279,20241111
+# A,0x00800F82,0xFF,0x0800820E,20240815
+# A,0x00810F00,0xFF,0x08100004,20161120
+# A,0x00810F10,0xFF,0x0810101B,20240716
+# A,0x00810F11,0xFF,0x08101104,20240703
+# A,0x00810F80,0xFF,0x08108002,20180605
+# A,0x00810F81,0xFF,0x0810810E,20241112
+# A,0x00820F00,0xFF,0x08200002,20180214
+# A,0x00820F01,0xFF,0x08200105,20241111
+# A,0x00830F00,0xFF,0x08300027,20190401
+# A,0x00830F10,0xFF,0x0830107F,20241111
+# A,0x00850F00,0xFF,0x08500004,20180212
+# A,0x00860F00,0xFF,0x0860000E,20200127
+# A,0x00860F01,0xFF,0x0860010F,20241118
+# A,0x00860F81,0xFF,0x08608109,20241118
+# A,0x00870F00,0xFF,0x08700004,20181206
+# A,0x00870F10,0xFF,0x08701035,20241118
+# A,0x00880F40,0xFF,0x08804005,20210312
+# A,0x00890F00,0xFF,0x08900007,20200921
+# A,0x00890F01,0xFF,0x08900103,20201105
+# A,0x00890F02,0xFF,0x08900203,20230915
+# A,0x00890F10,0xFF,0x08901003,20230919
+# A,0x008A0F00,0xFF,0x08A0000B,20241125
+# A,0x00A00F00,0xFF,0x0A000033,20200413
+# A,0x00A00F10,0xFF,0x0A00107A,20240226
+# A,0x00A00F11,0xFF,0x0A0011DE,20250418
+# A,0x00A00F12,0xFF,0x0A001247,20250327
+# A,0x00A00F80,0xFF,0x0A008005,20230707
+# A,0x00A00F82,0xFF,0x0A00820F,20241111
+# A,0x00A10F00,0xFF,0x0A10004B,20220309
+# A,0x00A10F01,0xFF,0x0A100104,20220207
+# A,0x00A10F0B,0xFF,0x0A100B07,20220610
+# A,0x00A10F10,0xFF,0x0A101020,20220913
+# A,0x00A10F11,0xFF,0x0A101158,20250609
+# A,0x00A10F12,0xFF,0x0A101253,20250612
+# A,0x00A10F80,0xFF,0x0A108005,20230613
+# A,0x00A10F81,0xFF,0x0A10810C,20241112
+# A,0x00A20F00,0xFF,0x0A200025,20200121
+# A,0x00A20F10,0xFF,0x0A201030,20241111
+# A,0x00A20F12,0xFF,0x0A201213,20241205
+# A,0x00A40F00,0xFF,0x0A400016,20210330
+# A,0x00A40F40,0xFF,0x0A404002,20210408
+# A,0x00A40F41,0xFF,0x0A40410A,20241111
+# A,0x00A50F00,0xFF,0x0A500014,20241111
+# A,0x00A60F00,0xFF,0x0A600005,20211220
+# A,0x00A60F11,0xFF,0x0A601119,20230613
+# A,0x00A60F12,0xFF,0x0A60120C,20241110
+# A,0x00A60F13,0xFF,0x0A601302,20250228
+# A,0x00A70F00,0xFF,0x0A700003,20220517
+# A,0x00A70F40,0xFF,0x0A704001,20220721
+# A,0x00A70F41,0xFF,0x0A70410A,20241108
+# A,0x00A70F42,0xFF,0x0A704202,20230713
+# A,0x00A70F52,0xFF,0x0A70520A,20241111
+# A,0x00A70F80,0xFF,0x0A70800A,20241111
+# A,0x00A70FC0,0xFF,0x0A70C00A,20241111
+# A,0x00A80F00,0xFF,0x0A80000B,20241122
+# A,0x00A80F01,0xFF,0x0A80010A,20241119
+# A,0x00A90F00,0xFF,0x0A90000C,20250710
+# A,0x00A90F01,0xFF,0x0A90010D,20250612
+# A,0x00AA0F00,0xFF,0x0AA00009,20221006
+# A,0x00AA0F01,0xFF,0x0AA00116,20230619
+# A,0x00AA0F02,0xFF,0x0AA0021C,20250612
+# A,0x00B00F00,0xFF,0x0B00004D,20240318
+# A,0x00B00F10,0xFF,0x0B001016,20240318
+# A,0x00B00F20,0xFF,0x0B002032,20241003
+# A,0x00B00F21,0xFF,0x0B002161,20251105
+# A,0x00B00F80,0xFF,0x0B008011,20241211
+# A,0x00B00F81,0xFF,0x0B008121,20251020
+# A,0x00B10F00,0xFF,0x0B10000F,20240320
+# A,0x00B10F10,0xFF,0x0B101058,20251105
+# A,0x00B20F40,0xFF,0x0B204037,20251019
+# A,0x00B40F00,0xFF,0x0B400034,20240318
+# A,0x00B40F40,0xFF,0x0B404035,20251020
+# A,0x00B40F41,0xFF,0x0B404108,20251020
+# A,0x00B60F00,0xFF,0x0B600037,20251019
+# A,0x00B60F80,0xFF,0x0B608038,20251019
+# A,0x00B70F00,0xFF,0x0B700037,20251019
--- a/src/libs/001_core_header.sh
+++ b/src/libs/001_core_header.sh
@@ -0,0 +1,51 @@
+#! /bin/sh
+# SPDX-License-Identifier: GPL-3.0-only
+# vim: set ts=4 sw=4 sts=4 et:
+# shellcheck disable=SC2317,SC2329,SC3043
+#
+# Spectre & Meltdown checker
+#
+# Check for the latest version at:
+# https://github.com/speed47/spectre-meltdown-checker
+# git clone https://github.com/speed47/spectre-meltdown-checker.git
+# or wget https://meltdown.ovh -O spectre-meltdown-checker.sh
+# or curl -L https://meltdown.ovh -o spectre-meltdown-checker.sh
+#
+# Stephane Lesimple
+#
+VERSION='1.0.0'
+
+# --- Common paths and basedirs ---
+readonly VULN_SYSFS_BASE="/sys/devices/system/cpu/vulnerabilities"
+readonly DEBUGFS_BASE="/sys/kernel/debug"
+readonly SYS_MODULE_BASE="/sys/module"
+readonly CPU_DEV_BASE="/dev/cpu"
+readonly BSD_CPUCTL_DEV_BASE="/dev/cpuctl"
+
+trap 'exit_cleanup' EXIT
+trap 'pr_warn "interrupted, cleaning up..."; exit_cleanup; exit 1' INT
+# Clean up temporary files and undo module/mount side effects on exit
+exit_cleanup() {
+    local saved_ret
+    saved_ret=$?
+    # cleanup the temp decompressed config & kernel image
+    [ -n "${g_dumped_config:-}" ] && [ -f "$g_dumped_config" ] && rm -f "$g_dumped_config"
+    [ -n "${g_kerneltmp:-}" ] && [ -f "$g_kerneltmp" ] && rm -f "$g_kerneltmp"
+    [ -n "${g_kerneltmp2:-}" ] && [ -f "$g_kerneltmp2" ] && rm -f "$g_kerneltmp2"
+    [ -n "${g_mcedb_tmp:-}" ] && [ -f "$g_mcedb_tmp" ] && rm -f "$g_mcedb_tmp"
+    [ -n "${g_intel_tmp:-}" ] && [ -d "$g_intel_tmp" ] && rm -rf "$g_intel_tmp"
+    [ -n "${g_linuxfw_tmp:-}" ] && [ -f "$g_linuxfw_tmp" ] && rm -f "$g_linuxfw_tmp"
+    [ "${g_mounted_debugfs:-}" = 1 ] && umount "$DEBUGFS_BASE" 2>/dev/null
+    [ "${g_mounted_procfs:-}" = 1 ] && umount "$g_procfs" 2>/dev/null
+    [ "${g_insmod_cpuid:-}" = 1 ] && rmmod cpuid 2>/dev/null
+    [ "${g_insmod_msr:-}" = 1 ] && rmmod msr 2>/dev/null
+    [ "${g_kldload_cpuctl:-}" = 1 ] && kldunload cpuctl 2>/dev/null
+    [ "${g_kldload_vmm:-}" = 1 ] && kldunload vmm 2>/dev/null
+    exit "$saved_ret"
+}
+
+# if we were git clone'd, adjust VERSION
+if [ -d "$(dirname "$0")/.git" ] && command -v git >/dev/null 2>&1; then
+    g_describe=$(git -C "$(dirname "$0")" describe --tags --dirty 2>/dev/null)
+    [ -n "$g_describe" ] && VERSION=$(echo "$g_describe" | sed -e s/^v//)
+fi
--- a/src/libs/002_core_globals.sh
+++ b/src/libs/002_core_globals.sh
@@ -0,0 +1,200 @@
+# vim: set ts=4 sw=4 sts=4 et:
+# Print command-line usage information to stdout
+show_usage() {
+    # shellcheck disable=SC2086
+    cat <<EOF
+	Usage:
+		Live mode (auto):   $(basename $0) [options]
+		Live mode (manual): $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
+		Offline mode:       $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>
+
+	Modes:
+		Two modes are available.
+
+		First mode is the "live" mode (default), it does its best to find information about the currently running kernel.
+		To run under this mode, just start the script without any option (you can also use --live explicitly)
+
+		Second mode is the "offline" mode, where you can inspect a non-running kernel.
+		This mode is automatically enabled when you specify the location of the kernel file, config and System.map files:
+
+		--kernel kernel_file	specify a (possibly compressed) Linux or BSD kernel file
+		--config kernel_config	specify a kernel config file (Linux only)
+		--map kernel_map_file	specify a kernel System.map file (Linux only)
+
+		If you want to use live mode while specifying the location of the kernel, config or map file yourself,
+		you can add --live to the above options, to tell the script to run in live mode instead of the offline mode,
+		which is enabled by default when at least one file is specified on the command line.
+
+	Options:
+		--no-color		don't use color codes
+		--verbose, -v		increase verbosity level, possibly several times
+		--explain		produce an additional human-readable explanation of actions to take to mitigate a vulnerability
+		--paranoid		require IBPB to deem Variant 2 as mitigated
+					also require SMT disabled + unconditional L1D flush to deem Foreshadow-NG VMM as mitigated
+					also require SMT disabled to deem MDS vulnerabilities mitigated
+
+		--no-sysfs		don't use the /sys interface even if present [Linux]
+		--sysfs-only		only use the /sys interface, don't run our own checks [Linux]
+		--coreos		special mode for CoreOS (use an ephemeral toolbox to inspect kernel) [Linux]
+
+		--arch-prefix PREFIX	specify a prefix for cross-inspecting a kernel of a different arch, for example "aarch64-linux-gnu-",
+					so that invoked tools will be prefixed with this (i.e. aarch64-linux-gnu-objdump)
+		--batch text		produce machine readable output, this is the default if --batch is specified alone
+		--batch short		produce only one line with the vulnerabilities separated by spaces
+		--batch json		produce JSON output formatted for Puppet, Ansible, Chef...
+		--batch nrpe		produce machine readable output formatted for NRPE
+		--batch prometheus      produce output for consumption by prometheus-node-exporter
+
+		--variant VARIANT	specify which variant you'd like to check, by default all variants are checked.
+					can be used multiple times (e.g. --variant 3a --variant l1tf)
+					for a list of supported VARIANT parameters, use --variant help
+		--cve CVE		specify which CVE you'd like to check, by default all supported CVEs are checked
+					can be used multiple times (e.g. --cve CVE-2017-5753 --cve CVE-2020-0543)
+		--hw-only		only check for CPU information, don't check for any variant
+		--no-hw			skip CPU information and checks, if you're inspecting a kernel not to be run on this host
+		--vmm [auto,yes,no]	override the detection of the presence of a hypervisor, default: auto
+		--no-intel-db		don't use the builtin Intel DB of affected processors
+		--allow-msr-write	allow probing for write-only MSRs, this might produce kernel logs or be blocked by your system
+		--cpu [#,all]		interact with CPUID and MSR of CPU core number #, or all (default: CPU core 0)
+		--update-fwdb		update our local copy of the CPU microcodes versions database (using the awesome
+					MCExtractor project and the Intel firmwares GitHub repository)
+		--update-builtin-fwdb	same as --update-fwdb but update builtin DB inside the script itself
+		--dump-mock-data	used to mimick a CPU on an other system, mainly used to help debugging this script
+
+	Return codes:
+		0 (not vulnerable), 2 (vulnerable), 3 (unknown), 255 (error)
+
+	IMPORTANT:
+	A false sense of security is worse than no security at all.
+	Please use the --disclaimer option to understand exactly what this script does.
+
+EOF
+}
+
+# Print the legal disclaimer about tool accuracy and limitations
+show_disclaimer() {
+    cat <<EOF
+Disclaimer:
+
+This tool does its best to determine whether your system is immune (or has proper mitigations in place) for the
+collectively named "transient execution" (aka "speculative execution") vulnerabilities that started to appear
+since early 2018 with the infamous Spectre & Meltdown.
+
+This tool does NOT attempt to run any kind of exploit, and can't 100% guarantee that your system is secure,
+but rather helps you verifying whether your system has the known correct mitigations in place.
+However, some mitigations could also exist in your kernel that this script doesn't know (yet) how to detect, or it might
+falsely detect mitigations that in the end don't work as expected (for example, on backported or modified kernels).
+
+Your system affectability to a given vulnerability depends on your CPU model and CPU microcode version, whereas the
+mitigations in place depend on your CPU (model and microcode), your kernel version, and both the runtime configuration
+of your CPU (through bits set through the MSRs) and your kernel. The script attempts to explain everything for each
+vulnerability, so you know where your system stands. For a given vulnerability, detailed information is sometimes
+available using the \`--explain\` switch.
+
+Please also note that for the Spectre-like vulnerabilities, all software can possibly be exploited, in which case
+this tool only verifies that the kernel (which is the core of the system) you're using has the proper protections
+in place. Verifying all the other software is out of the scope of this tool, as it can't be done in a simple way.
+As a general measure, ensure you always have the most up to date stable versions of all the software you use,
+especially for those who are exposed to the world, such as network daemons and browsers.
+
+For more information and answers to related questions, please refer to the FAQ.md file.
+
+This tool has been released in the hope that it'll be useful, but don't use it to jump to conclusions about your security.
+
+EOF
+}
+
+g_os=$(uname -s)
+
+# parse options
+opt_kernel=''
+opt_config=''
+opt_map=''
+opt_live=-1
+opt_no_color=0
+opt_batch=0
+opt_batch_format='text'
+opt_verbose=1
+opt_cve_list=''
+opt_cve_all=1
+opt_no_sysfs=0
+opt_sysfs_only=0
+opt_coreos=0
+opt_arch_prefix=''
+opt_hw_only=0
+opt_no_hw=0
+opt_vmm=-1
+opt_allow_msr_write=0
+opt_cpu=0
+opt_explain=0
+opt_paranoid=0
+opt_mock=0
+opt_intel_db=1
+
+g_critical=0
+g_unknown=0
+g_nrpe_vuln=''
+
+# CVE Registry: single source of truth for all CVE metadata.
+# Fields: cve_id|json_key_name|affected_var_suffix|complete_name_and_aliases
+readonly CVE_REGISTRY='
+CVE-2017-5753|SPECTRE VARIANT 1|variant1|Spectre Variant 1, bounds check bypass
+CVE-2017-5715|SPECTRE VARIANT 2|variant2|Spectre Variant 2, branch target injection
+CVE-2017-5754|MELTDOWN|variant3|Variant 3, Meltdown, rogue data cache load
+CVE-2018-3640|VARIANT 3A|variant3a|Variant 3a, rogue system register read
+CVE-2018-3639|VARIANT 4|variant4|Variant 4, speculative store bypass
+CVE-2018-3615|L1TF SGX|variantl1tf_sgx|Foreshadow (SGX), L1 terminal fault
+CVE-2018-3620|L1TF OS|variantl1tf|Foreshadow-NG (OS), L1 terminal fault
+CVE-2018-3646|L1TF VMM|variantl1tf|Foreshadow-NG (VMM), L1 terminal fault
+CVE-2018-12126|MSBDS|msbds|Fallout, microarchitectural store buffer data sampling (MSBDS)
+CVE-2018-12130|MFBDS|mfbds|ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)
+CVE-2018-12127|MLPDS|mlpds|RIDL, microarchitectural load port data sampling (MLPDS)
+CVE-2019-11091|MDSUM|mdsum|RIDL, microarchitectural data sampling uncacheable memory (MDSUM)
+CVE-2019-11135|TAA|taa|ZombieLoad V2, TSX Asynchronous Abort (TAA)
+CVE-2018-12207|ITLBMH|itlbmh|No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)
+CVE-2020-0543|SRBDS|srbds|Special Register Buffer Data Sampling (SRBDS)
+CVE-2023-20593|ZENBLEED|zenbleed|Zenbleed, cross-process information leak
+CVE-2022-40982|DOWNFALL|downfall|Downfall, gather data sampling (GDS)
+CVE-2023-20569|INCEPTION|inception|Inception, return address security (RAS)
+CVE-2023-23583|REPTAR|reptar|Reptar, redundant prefix issue
+CVE-2024-36350|TSA_SQ|tsa|Transient Scheduler Attack - Store Queue (TSA-SQ)
+CVE-2024-36357|TSA_L1|tsa|Transient Scheduler Attack - L1 (TSA-L1)
+'
+
+# Derive the supported CVE list from the registry
+g_supported_cve_list=$(echo "$CVE_REGISTRY" | grep '^CVE-' | cut -d'|' -f1)
+
+# Look up a field from the CVE registry
+# Args: $1=cve_id $2=field_number (see CVE_REGISTRY format above)
+# Callers: cve2name, _is_cpu_affected_cached, pvulnstatus
+_cve_registry_field() {
+    local line
+    line=$(echo "$CVE_REGISTRY" | grep -E "^$1\|")
+    if [ -z "$line" ]; then
+        echo "$0: error: invalid CVE '$1' passed to _cve_registry_field()" >&2
+        exit 255
+    fi
+    echo "$line" | cut -d'|' -f"$2"
+}
+
+# find a sane command to print colored messages, we prefer `printf` over `echo`
+# because `printf` behavior is more standard across Linux/BSD
+# we'll try to avoid using shell builtins that might not take options
+g_echo_cmd_type='echo'
+# ignore SC2230 here because `which` ignores builtins while `command -v` doesn't, and
+# we don't want builtins here. Even if `which` is not installed, we'll fallback to the
+# `echo` builtin anyway, so this is safe.
+# shellcheck disable=SC2230
+if command -v printf >/dev/null 2>&1; then
+    g_echo_cmd=$(command -v printf)
+    g_echo_cmd_type='printf'
+elif which echo >/dev/null 2>&1; then
+    g_echo_cmd=$(which echo)
+else
+    # maybe the `which` command is broken?
+    [ -x /bin/echo ] && g_echo_cmd=/bin/echo
+    # for Android
+    [ -x /system/bin/echo ] && g_echo_cmd=/system/bin/echo
+fi
+# still empty? fallback to builtin
+[ -z "$g_echo_cmd" ] && g_echo_cmd='echo'
--- a/src/libs/100_output_print.sh
+++ b/src/libs/100_output_print.sh
@@ -0,0 +1,106 @@
+# vim: set ts=4 sw=4 sts=4 et:
+# Low-level echo wrapper handling color stripping and printf/echo portability
+# Args: $1=opt(-n for no newline, '' for normal) $2...=message
+# Callers: _pr_echo, _pr_echo_nol
+_pr_echo_raw() {
+    local opt msg interpret_chars ctrlchar
+    opt="$1"
+    shift
+    msg="$*"
+
+    if [ "$opt_no_color" = 1 ]; then
+        # strip ANSI color codes
+        # some sed versions (i.e. toybox) can't seem to handle
+        # \033 aka \x1B correctly, so do it for them.
+        if [ "$g_echo_cmd_type" = printf ]; then
+            interpret_chars=''
+        else
+            interpret_chars='-e'
+        fi
+        ctrlchar=$($g_echo_cmd $interpret_chars "\033")
+        msg=$($g_echo_cmd $interpret_chars "$msg" | sed -E "s/$ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g")
+    fi
+    if [ "$g_echo_cmd_type" = printf ]; then
+        if [ "$opt" = "-n" ]; then
+            $g_echo_cmd "$msg"
+        else
+            $g_echo_cmd "$msg\n"
+        fi
+    else
+        # shellcheck disable=SC2086
+        $g_echo_cmd $opt -e "$msg"
+    fi
+}
+
+# Print a message if the current verbosity level is high enough
+# Args: $1=minimum_verbosity_level $2...=message
+# Callers: pr_warn, pr_info, pr_verbose, pr_debug, _emit_text, toplevel batch output
+_pr_echo() {
+    if [ "$opt_verbose" -ge "$1" ]; then
+        shift
+        _pr_echo_raw '' "$*"
+    fi
+}
+
+# Print a message without trailing newline if the current verbosity level is high enough
+# Args: $1=minimum_verbosity_level $2...=message
+# Callers: pr_info_nol, pr_verbose_nol
+_pr_echo_nol() {
+    if [ "$opt_verbose" -ge "$1" ]; then
+        shift
+        _pr_echo_raw -n "$*"
+    fi
+}
+
+# Print a warning message in red to stderr (verbosity 0, always shown)
+# Args: $1...=message
+pr_warn() {
+    _pr_echo 0 "\033[31m$*\033[0m" >&2
+}
+
+# Print an informational message (verbosity >= 1)
+# Args: $1...=message
+pr_info() {
+    _pr_echo 1 "$*"
+}
+
+# Print an informational message without trailing newline (verbosity >= 1)
+# Args: $1...=message
+pr_info_nol() {
+    _pr_echo_nol 1 "$*"
+}
+
+# Print a verbose message (verbosity >= 2)
+# Args: $1...=message
+pr_verbose() {
+    _pr_echo 2 "$*"
+}
+
+# Print a verbose message without trailing newline (verbosity >= 2)
+# Args: $1...=message
+pr_verbose_nol() {
+    _pr_echo_nol 2 "$*"
+}
+
+# Print a debug message in blue (verbosity >= 3)
+# Args: $1...=message
+pr_debug() {
+    _pr_echo 3 "\033[34m(debug) $*\033[0m"
+}
+
+# Print a "How to fix" explanation when --explain is enabled
+# Args: $1...=fix description
+explain() {
+    if [ "$opt_explain" = 1 ]; then
+        pr_info ''
+        pr_info "> \033[41m\033[30mHow to fix:\033[0m $*"
+    fi
+}
+
+# Convert a CVE ID to its human-readable vulnerability name
+# Args: $1=cve_id (e.g. "CVE-2017-5753")
+cve2name() {
+    _cve_registry_field "$1" 4
+}
+
+g_is_cpu_affected_cached=0
--- a/src/libs/200_cpu_affected.sh
+++ b/src/libs/200_cpu_affected.sh
@@ -0,0 +1,478 @@
+# vim: set ts=4 sw=4 sts=4 et:
+# Return the cached affected_* status for a given CVE
+# Args: $1=cve_id
+# Returns: 0 if affected, 1 if not affected
+# Callers: is_cpu_affected
+_is_cpu_affected_cached() {
+    local suffix
+    suffix=$(_cve_registry_field "$1" 3)
+    # shellcheck disable=SC2086
+    eval "return \$affected_${suffix}"
+}
+
+# Determine whether the current CPU is affected by a given CVE using whitelist logic
+# Args: $1=cve_id (one of the $g_supported_cve_list items)
+# Returns: 0 if affected, 1 if not affected
+is_cpu_affected() {
+    local result cpuid_hex reptar_ucode_list tuple fixed_ucode_ver affected_fmspi affected_fms ucode_platformid_mask affected_cpuid i cpupart cpuarch
+
+    # if CPU is Intel and is in our dump of the Intel official affected CPUs page, use it:
+    if is_intel; then
+        cpuid_hex=$(printf "0x%08X" $((cpu_cpuid)))
+        if [ "${g_intel_line:-}" = "no" ]; then
+            pr_debug "is_cpu_affected: $cpuid_hex not in Intel database (cached)"
+        elif [ -z "$g_intel_line" ]; then
+            g_intel_line=$(read_inteldb | grep -F "$cpuid_hex," | head -n1)
+            if [ -z "$g_intel_line" ]; then
+                g_intel_line=no
+                pr_debug "is_cpu_affected: $cpuid_hex not in Intel database"
+            fi
+        fi
+        if [ "$g_intel_line" != "no" ]; then
+            result=$(echo "$g_intel_line" | grep -Eo ,"$(echo "$1" | cut -c5-)"'=[^,]+' | cut -d= -f2)
+            pr_debug "is_cpu_affected: inteldb for $1 says '$result'"
+
+            # handle special case for Foreshadow SGX (CVE-2018-3615):
+            # even if we are affected to L1TF (CVE-2018-3620/CVE-2018-3646), if there's no SGX on our CPU,
+            # then we're not affected to the original Foreshadow.
+            if [ "$1" = "CVE-2018-3615" ] && [ "$cap_sgx" = 0 ]; then
+                # not affected
+                return 1
+            fi
+            # /special case
+
+            if [ "$result" = "N" ]; then
+                # not affected
+                return 1
+            elif [ -n "$result" ]; then
+                # non-empty string != N means affected
+                return 0
+            fi
+        fi
+    fi
+
+    # Otherwise, do it ourselves
+
+    if [ "$g_is_cpu_affected_cached" = 1 ]; then
+        _is_cpu_affected_cached "$1"
+        return $?
+    fi
+
+    affected_variant1=''
+    affected_variant2=''
+    affected_variant3=''
+    affected_variant3a=''
+    affected_variant4=''
+    affected_variantl1tf=''
+    affected_msbds=''
+    affected_mfbds=''
+    affected_mlpds=''
+    affected_mdsum=''
+    affected_taa=''
+    affected_itlbmh=''
+    affected_srbds=''
+    # Zenbleed and Inception are both AMD specific, look for "is_amd" below:
+    affected_zenbleed=immune
+    affected_inception=immune
+    # TSA is AMD specific (Zen 3/4), look for "is_amd" below:
+    affected_tsa=immune
+    # Downfall & Reptar are Intel specific, look for "is_intel" below:
+    affected_downfall=immune
+    affected_reptar=immune
+
+    if is_cpu_mds_free; then
+        [ -z "$affected_msbds" ] && affected_msbds=immune
+        [ -z "$affected_mfbds" ] && affected_mfbds=immune
+        [ -z "$affected_mlpds" ] && affected_mlpds=immune
+        [ -z "$affected_mdsum" ] && affected_mdsum=immune
+        pr_debug "is_cpu_affected: cpu not affected by Microarchitectural Data Sampling"
+    fi
+
+    if is_cpu_taa_free; then
+        [ -z "$affected_taa" ] && affected_taa=immune
+        pr_debug "is_cpu_affected: cpu not affected by TSX Asynhronous Abort"
+    fi
+
+    if is_cpu_srbds_free; then
+        [ -z "$affected_srbds" ] && affected_srbds=immune
+        pr_debug "is_cpu_affected: cpu not affected by Special Register Buffer Data Sampling"
+    fi
+
+    if is_cpu_specex_free; then
+        affected_variant1=immune
+        affected_variant2=immune
+        affected_variant3=immune
+        affected_variant3a=immune
+        affected_variant4=immune
+        affected_variantl1tf=immune
+        affected_msbds=immune
+        affected_mfbds=immune
+        affected_mlpds=immune
+        affected_mdsum=immune
+        affected_taa=immune
+        affected_srbds=immune
+    elif is_intel; then
+        # Intel
+        # https://github.com/crozone/SpectrePoC/issues/1 ^F E5200 => spectre 2 not affected
+        # https://github.com/paboldin/meltdown-exploit/issues/19 ^F E5200 => meltdown affected
+        # model name : Pentium(R) Dual-Core  CPU      E5200  @ 2.50GHz
+        if echo "$cpu_friendly_name" | grep -qE 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then
+            affected_variant1=vuln
+            [ -z "$affected_variant2" ] && affected_variant2=immune
+            affected_variant3=vuln
+        fi
+        if [ "$cap_rdcl_no" = 1 ]; then
+            # capability bit for future Intel processor that will explicitly state
+            # that they're not affected to Meltdown
+            # this var is set in check_cpu()
+            [ -z "$affected_variant3" ] && affected_variant3=immune
+            [ -z "$affected_variantl1tf" ] && affected_variantl1tf=immune
+            pr_debug "is_cpu_affected: RDCL_NO is set so not vuln to meltdown nor l1tf"
+        fi
+        if [ "$cap_ssb_no" = 1 ]; then
+            # capability bit for future Intel processor that will explicitly state
+            # that they're not affected to Variant 4
+            # this var is set in check_cpu()
+            [ -z "$affected_variant4" ] && affected_variant4=immune
+            pr_debug "is_cpu_affected: SSB_NO is set so not vuln to affected_variant4"
+        fi
+        if is_cpu_ssb_free; then
+            [ -z "$affected_variant4" ] && affected_variant4=immune
+            pr_debug "is_cpu_affected: cpu not affected by speculative store bypass so not vuln to affected_variant4"
+        fi
+        # variant 3a
+        if [ "$cpu_family" = 6 ]; then
+            if [ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNL" ] || [ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNM" ]; then
+                pr_debug "is_cpu_affected: xeon phi immune to variant 3a"
+                [ -z "$affected_variant3a" ] && affected_variant3a=immune
+            elif [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_MID" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_D" ]; then
+                # https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html
+                # https://github.com/speed47/spectre-meltdown-checker/issues/310
+                # => silvermont CPUs (aka cherry lake for tablets and brawsell for mobile/desktop) don't seem to be affected
+                # => goldmont ARE affected
+                pr_debug "is_cpu_affected: silvermont immune to variant 3a"
+                [ -z "$affected_variant3a" ] && affected_variant3a=immune
+            fi
+        fi
+        # L1TF (RDCL_NO already checked above)
+        if [ "$cpu_family" = 6 ]; then
+            if [ "$cpu_model" = "$INTEL_FAM6_ATOM_SALTWELL" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ATOM_SALTWELL_TABLET" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ATOM_SALTWELL_MID" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ATOM_BONNELL" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ATOM_BONNELL_MID" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_MID" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_D" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ATOM_AIRMONT" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ATOM_AIRMONT_MID" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ATOM_AIRMONT_NP" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_D" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_PLUS" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ATOM_TREMONT_D" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNL" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNM" ]; then
+
+                pr_debug "is_cpu_affected: intel family 6 but model known to be immune to l1tf"
+                [ -z "$affected_variantl1tf" ] && affected_variantl1tf=immune
+            else
+                pr_debug "is_cpu_affected: intel family 6 is vuln to l1tf"
+                affected_variantl1tf=vuln
+            fi
+        elif [ "$cpu_family" -lt 6 ]; then
+            pr_debug "is_cpu_affected: intel family < 6 is immune to l1tf"
+            [ -z "$affected_variantl1tf" ] && affected_variantl1tf=immune
+        fi
+        # Downfall
+        if [ "$cap_gds_no" = 1 ]; then
+            # capability bit for future Intel processors that will explicitly state
+            # that they're unaffected by GDS. Also set by hypervisors on virtual CPUs
+            # so that the guest kernel doesn't try to mitigate GDS when it's already mitigated on the host
+            pr_debug "is_cpu_affected: downfall: not affected (GDS_NO)"
+        elif [ "$cpu_family" = 6 ]; then
+            # list from https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=64094e7e3118aff4b0be8ff713c242303e139834
+            set -u
+            if [ "$cpu_model" = "$INTEL_FAM6_SKYLAKE_X" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_KABYLAKE_L" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_KABYLAKE" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ICELAKE_L" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ICELAKE_D" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ICELAKE_X" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_COMETLAKE" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_COMETLAKE_L" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_TIGERLAKE_L" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_TIGERLAKE" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ROCKETLAKE" ]; then
+                pr_debug "is_cpu_affected: downfall: affected"
+                affected_downfall=vuln
+            elif [ "$cap_avx2" = 0 ] && [ "$cap_avx512" = 0 ]; then
+                pr_debug "is_cpu_affected: downfall: no avx; immune"
+            else
+                # old Intel CPU (not in their DB), not listed as being affected by the Linux kernel,
+                # but with AVX2 or AVX512: unclear for now
+                pr_debug "is_cpu_affected: downfall: unclear, defaulting to non-affected for now"
+            fi
+            set +u
+        fi
+        # Reptar
+        # the only way to know whether a CPU is vuln, is to check whether there is a known ucode update for it,
+        # as the mitigation is only ucode-based and there's no flag exposed by the kernel or by an updated ucode.
+        # we have to hardcode the truthtable of affected CPUs vs updated ucodes...
+        # https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/redundant-prefix-issue.html
+        # list taken from:
+        # https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/commit/ece0d294a29a1375397941a4e6f2f7217910bc89#diff-e6fad0f2abbac6c9603b2e8f88fe1d151a83de708aeca1c1d93d881c958ecba4R26
+        # both pages have a lot of inconsistencies, I've tried to fix the errors the best I could, the logic being: if it's not in the
+        # blog page, then the microcode update in the commit is not related to reptar, if microcode versions differ, then the one in github is correct,
+        # if a stepping exists in the blog page but not in the commit, then the blog page is right
+        reptar_ucode_list='
+06-97-02/07,00000032
+06-97-05/07,00000032
+06-9a-03/80,00000430
+06-9a-04/80,00000430
+06-6c-01/10,01000268
+06-6a-06/87,0d0003b9
+06-7e-05/80,000000c2
+06-ba-02/e0,0000411c
+06-b7-01/32,0000011d
+06-a7-01/02,0000005d
+06-bf-05/07,00000032
+06-bf-02/07,00000032
+06-ba-03/e0,0000411c
+06-8f-08/87,2b0004d0
+06-8f-07/87,2b0004d0
+06-8f-06/87,2b0004d0
+06-8f-05/87,2b0004d0
+06-8f-04/87,2b0004d0
+06-8f-08/10,2c000290
+06-8c-01/80,000000b4
+06-8c-00/ff,000000b4
+06-8d-01/c2,0000004e
+06-8d-00/c2,0000004e
+06-8c-02/c2,00000034
+'
+        for tuple in $reptar_ucode_list; do
+            fixed_ucode_ver=$((0x$(echo "$tuple" | cut -d, -f2)))
+            affected_fmspi=$(echo "$tuple" | cut -d, -f1)
+            affected_fms=$(echo "$affected_fmspi" | cut -d/ -f1)
+            ucode_platformid_mask=0x$(echo "$affected_fmspi" | cut -d/ -f2)
+            affected_cpuid=$(
+                fms2cpuid \
+                    0x"$(echo "$affected_fms" | cut -d- -f1)" \
+                    0x"$(echo "$affected_fms" | cut -d- -f2)" \
+                    0x"$(echo "$affected_fms" | cut -d- -f3)"
+            )
+            if [ "$cpu_cpuid" = "$affected_cpuid" ] && [ $((cpu_platformid & ucode_platformid_mask)) -gt 0 ]; then
+                # this is not perfect as Intel never tells about their EOL CPUs, so more CPUs might be affected but there's no way to tell
+                affected_reptar=vuln
+                g_reptar_fixed_ucode_version=$fixed_ucode_ver
+                break
+            fi
+        done
+
+    elif is_amd || is_hygon; then
+        # AMD revised their statement about affected_variant2 => affected
+        # https://www.amd.com/en/corporate/speculative-execution
+        affected_variant1=vuln
+        affected_variant2=vuln
+        [ -z "$affected_variant3" ] && affected_variant3=immune
+        # https://www.amd.com/en/corporate/security-updates
+        # "We have not identified any AMD x86 products susceptible to the Variant 3a vulnerability in our analysis to-date."
+        [ -z "$affected_variant3a" ] && affected_variant3a=immune
+        if is_cpu_ssb_free; then
+            [ -z "$affected_variant4" ] && affected_variant4=immune
+            pr_debug "is_cpu_affected: cpu not affected by speculative store bypass so not vuln to affected_variant4"
+        fi
+        affected_variantl1tf=immune
+
+        # Zenbleed
+        amd_legacy_erratum "$(amd_model_range 0x17 0x30 0x0 0x4f 0xf)" && affected_zenbleed=vuln
+        amd_legacy_erratum "$(amd_model_range 0x17 0x60 0x0 0x7f 0xf)" && affected_zenbleed=vuln
+        amd_legacy_erratum "$(amd_model_range 0x17 0xa0 0x0 0xaf 0xf)" && affected_zenbleed=vuln
+
+        # Inception (according to kernel, zen 1 to 4)
+        if [ "$cpu_family" = $((0x17)) ] || [ "$cpu_family" = $((0x19)) ]; then
+            affected_inception=vuln
+        fi
+
+        # TSA (Zen 3/4 are affected, unless CPUID says otherwise)
+        if [ "$cap_tsa_sq_no" = 1 ] && [ "$cap_tsa_l1_no" = 1 ]; then
+            # capability bits for AMD processors that explicitly state
+            # they're not affected to TSA-SQ and TSA-L1
+            # these vars are set in check_cpu()
+            pr_debug "is_cpu_affected: TSA_SQ_NO and TSA_L1_NO are set so not vuln to TSA"
+        elif [ "$cpu_family" = $((0x19)) ]; then
+            affected_tsa=vuln
+        fi
+
+    elif [ "$cpu_vendor" = CAVIUM ]; then
+        affected_variant3=immune
+        affected_variant3a=immune
+        affected_variantl1tf=immune
+    elif [ "$cpu_vendor" = PHYTIUM ]; then
+        affected_variant3=immune
+        affected_variant3a=immune
+        affected_variantl1tf=immune
+    elif [ "$cpu_vendor" = ARM ]; then
+        # ARM
+        # reference: https://developer.arm.com/support/security-update
+        # some devices (phones or other) have several ARMs and as such different part numbers,
+        # an example is "bigLITTLE". we shouldn't rely on the first CPU only, so we check the whole list
+        i=0
+        for cpupart in $cpu_part_list; do
+            i=$((i + 1))
+            # do NOT quote $cpu_arch_list below
+            # shellcheck disable=SC2086
+            cpuarch=$(echo $cpu_arch_list | awk '{ print $'$i' }')
+            pr_debug "checking cpu$i: <$cpupart> <$cpuarch>"
+            # some kernels report AArch64 instead of 8
+            [ "$cpuarch" = "AArch64" ] && cpuarch=8
+            # some kernels report architecture with suffix (e.g. "5TEJ" for ARMv5TEJ), extract numeric prefix
+            cpuarch=$(echo "$cpuarch" | grep -oE '^[0-9]+')
+            if [ -n "$cpupart" ] && [ -n "$cpuarch" ]; then
+                # Cortex-R7 and Cortex-R8 are real-time and only used in medical devices or such
+                # I can't find their CPU part number, but it's probably not that useful anyway
+                # model R7 R8 A8  A9  A12 A15 A17 A57 A72 A73 A75 A76 A77 Neoverse-N1 Neoverse-V1 Neoverse-N1 Neoverse-V2
+                # part   ?  ? c08 c09 c0d c0f c0e d07 d08 d09 d0a d0b d0d d0c         d40	  d49	      d4f
+                # arch  7? 7? 7   7   7   7   7   8   8   8   8   8   8   8           8		  8	      8
+                #
+                # Whitelist identified non-affected processors, use vulnerability information from
+                # https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
+                # Partnumbers can be found here:
+                # https://github.com/gcc-mirror/gcc/blob/master/gcc/config/arm/arm-cpus.in
+                #
+                # Maintain cumulative check of vulnerabilities -
+                # if at least one of the cpu is affected, then the system is affected
+                if [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then
+                    affected_variant1=vuln
+                    affected_variant2=vuln
+                    [ -z "$affected_variant3" ] && affected_variant3=immune
+                    [ -z "$affected_variant3a" ] && affected_variant3a=immune
+                    [ -z "$affected_variant4" ] && affected_variant4=immune
+                    pr_debug "checking cpu$i: armv7 A8/A9/A12/A17 non affected to variants 3, 3a & 4"
+                elif [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -q -w -e 0xc0f; then
+                    affected_variant1=vuln
+                    affected_variant2=vuln
+                    [ -z "$affected_variant3" ] && affected_variant3=immune
+                    affected_variant3a=vuln
+                    [ -z "$affected_variant4" ] && affected_variant4=immune
+                    pr_debug "checking cpu$i: armv7 A15 non affected to variants 3 & 4"
+                elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd07 -e 0xd08; then
+                    affected_variant1=vuln
+                    affected_variant2=vuln
+                    [ -z "$affected_variant3" ] && affected_variant3=immune
+                    affected_variant3a=vuln
+                    affected_variant4=vuln
+                    pr_debug "checking cpu$i: armv8 A57/A72 non affected to variants 3"
+                elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd09; then
+                    affected_variant1=vuln
+                    affected_variant2=vuln
+                    [ -z "$affected_variant3" ] && affected_variant3=immune
+                    [ -z "$affected_variant3a" ] && affected_variant3a=immune
+                    affected_variant4=vuln
+                    pr_debug "checking cpu$i: armv8 A73 non affected to variants 3 & 3a"
+                elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd0a; then
+                    affected_variant1=vuln
+                    affected_variant2=vuln
+                    affected_variant3=vuln
+                    [ -z "$affected_variant3a" ] && affected_variant3a=immune
+                    affected_variant4=vuln
+                    pr_debug "checking cpu$i: armv8 A75 non affected to variant 3a"
+                elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then
+                    affected_variant1=vuln
+                    [ -z "$affected_variant2" ] && affected_variant2=immune
+                    [ -z "$affected_variant3" ] && affected_variant3=immune
+                    [ -z "$affected_variant3a" ] && affected_variant3a=immune
+                    affected_variant4=vuln
+                    pr_debug "checking cpu$i: armv8 A76/A77/NeoverseN1 non affected to variant 2, 3 & 3a"
+                elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd40 -e 0xd49 -e 0xd4f; then
+                    affected_variant1=vuln
+                    [ -z "$affected_variant2" ] && affected_variant2=immune
+                    [ -z "$affected_variant3" ] && affected_variant3=immune
+                    [ -z "$affected_variant3a" ] && affected_variant3a=immune
+                    [ -z "$affected_variant4" ] && affected_variant4=immune
+                    pr_debug "checking cpu$i: armv8 NeoverseN2/V1/V2 non affected to variant 2, 3, 3a & 4"
+                elif [ "$cpuarch" -le 7 ] || { [ "$cpuarch" = 8 ] && [ $((cpupart)) -lt $((0xd07)) ]; }; then
+                    [ -z "$affected_variant1" ] && affected_variant1=immune
+                    [ -z "$affected_variant2" ] && affected_variant2=immune
+                    [ -z "$affected_variant3" ] && affected_variant3=immune
+                    [ -z "$affected_variant3a" ] && affected_variant3a=immune
+                    [ -z "$affected_variant4" ] && affected_variant4=immune
+                    pr_debug "checking cpu$i: arm arch$cpuarch, all immune (v7 or v8 and model < 0xd07)"
+                else
+                    affected_variant1=vuln
+                    affected_variant2=vuln
+                    affected_variant3=vuln
+                    affected_variant3a=vuln
+                    affected_variant4=vuln
+                    pr_debug "checking cpu$i: arm unknown arch$cpuarch part$cpupart, considering vuln"
+                fi
+            fi
+            pr_debug "is_cpu_affected: for cpu$i and so far, we have <$affected_variant1> <$affected_variant2> <$affected_variant3> <$affected_variant3a> <$affected_variant4>"
+        done
+        affected_variantl1tf=immune
+    fi
+
+    # we handle iTLB Multihit here (not linked to is_specex_free)
+    if is_intel; then
+        # commit f9aa6b73a407b714c9aac44734eb4045c893c6f7
+        if [ "$cpu_family" = 6 ]; then
+            if [ "$cpu_model" = "$INTEL_FAM6_ATOM_SALTWELL" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ATOM_SALTWELL_TABLET" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ATOM_SALTWELL_MID" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ATOM_BONNELL" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ATOM_BONNELL_MID" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_D" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_MID" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ATOM_AIRMONT" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNL" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNM" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ATOM_AIRMONT_MID" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_D" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_PLUS" ]; then
+                pr_debug "is_cpu_affected: intel family 6 but model known to be immune to itlbmh"
+                [ -z "$affected_itlbmh" ] && affected_itlbmh=immune
+            else
+                pr_debug "is_cpu_affected: intel family 6 is vuln to itlbmh"
+                affected_itlbmh=vuln
+            fi
+        elif [ "$cpu_family" -lt 6 ]; then
+            pr_debug "is_cpu_affected: intel family < 6 is immune to itlbmh"
+            [ -z "$affected_itlbmh" ] && affected_itlbmh=immune
+        fi
+    else
+        pr_debug "is_cpu_affected: non-intel not affected to itlbmh"
+        [ -z "$affected_itlbmh" ] && affected_itlbmh=immune
+    fi
+
+    pr_debug "is_cpu_affected: temp results are <$affected_variant1> <$affected_variant2> <$affected_variant3> <$affected_variant3a> <$affected_variant4> <$affected_variantl1tf>"
+    [ "$affected_variant1" = "immune" ] && affected_variant1=1 || affected_variant1=0
+    [ "$affected_variant2" = "immune" ] && affected_variant2=1 || affected_variant2=0
+    [ "$affected_variant3" = "immune" ] && affected_variant3=1 || affected_variant3=0
+    [ "$affected_variant3a" = "immune" ] && affected_variant3a=1 || affected_variant3a=0
+    [ "$affected_variant4" = "immune" ] && affected_variant4=1 || affected_variant4=0
+    [ "$affected_variantl1tf" = "immune" ] && affected_variantl1tf=1 || affected_variantl1tf=0
+    [ "$affected_msbds" = "immune" ] && affected_msbds=1 || affected_msbds=0
+    [ "$affected_mfbds" = "immune" ] && affected_mfbds=1 || affected_mfbds=0
+    [ "$affected_mlpds" = "immune" ] && affected_mlpds=1 || affected_mlpds=0
+    [ "$affected_mdsum" = "immune" ] && affected_mdsum=1 || affected_mdsum=0
+    [ "$affected_taa" = "immune" ] && affected_taa=1 || affected_taa=0
+    [ "$affected_itlbmh" = "immune" ] && affected_itlbmh=1 || affected_itlbmh=0
+    [ "$affected_srbds" = "immune" ] && affected_srbds=1 || affected_srbds=0
+    [ "$affected_zenbleed" = "immune" ] && affected_zenbleed=1 || affected_zenbleed=0
+    [ "$affected_downfall" = "immune" ] && affected_downfall=1 || affected_downfall=0
+    [ "$affected_inception" = "immune" ] && affected_inception=1 || affected_inception=0
+    [ "$affected_reptar" = "immune" ] && affected_reptar=1 || affected_reptar=0
+    [ "$affected_tsa" = "immune" ] && affected_tsa=1 || affected_tsa=0
+    affected_variantl1tf_sgx="$affected_variantl1tf"
+    # even if we are affected to L1TF, if there's no SGX, we're not affected to the original foreshadow
+    [ "$cap_sgx" = 0 ] && affected_variantl1tf_sgx=1
+    pr_debug "is_cpu_affected: final results are <$affected_variant1> <$affected_variant2> <$affected_variant3> <$affected_variant3a> <$affected_variant4> <$affected_variantl1tf> <$affected_variantl1tf_sgx>"
+    g_is_cpu_affected_cached=1
+    _is_cpu_affected_cached "$1"
+    return $?
+}
--- a/src/libs/210_cpu_detect.sh
+++ b/src/libs/210_cpu_detect.sh
@@ -0,0 +1,197 @@
+# vim: set ts=4 sw=4 sts=4 et:
+# Check whether the CPU is known to not perform speculative execution
+# Returns: 0 if the CPU is speculation-free, 1 otherwise
+is_cpu_specex_free() {
+    # source: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/kernel/cpu/common.c#n882
+    # { X86_VENDOR_INTEL,	6, INTEL_FAM6_ATOM_SALTWELL,	X86_FEATURE_ANY },
+    # { X86_VENDOR_INTEL,	6, INTEL_FAM6_ATOM_SALTWELL_TABLET,	X86_FEATURE_ANY },
+    # { X86_VENDOR_INTEL,	6, INTEL_FAM6_ATOM_BONNELL_MID,	X86_FEATURE_ANY },
+    # { X86_VENDOR_INTEL,	6, INTEL_FAM6_ATOM_SALTWELL_MID,	X86_FEATURE_ANY },
+    # { X86_VENDOR_INTEL,	6, INTEL_FAM6_ATOM_BONNELL,	X86_FEATURE_ANY },
+    # { X86_VENDOR_CENTAUR,   5 },
+    # { X86_VENDOR_INTEL,     5 },
+    # { X86_VENDOR_NSC,       5 },
+    # { X86_VENDOR_ANY,       4 },
+
+    parse_cpu_details
+    if is_intel; then
+        if [ "$cpu_family" = 6 ]; then
+            if [ "$cpu_model" = "$INTEL_FAM6_ATOM_SALTWELL" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ATOM_SALTWELL_TABLET" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ATOM_BONNELL_MID" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ATOM_SALTWELL_MID" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ATOM_BONNELL" ]; then
+                return 0
+            fi
+        elif [ "$cpu_family" = 5 ]; then
+            return 0
+        fi
+    fi
+    [ "$cpu_family" = 4 ] && return 0
+    return 1
+}
+
+# Check whether the CPU is known to be unaffected by microarchitectural data sampling (MDS)
+# Returns: 0 if MDS-free, 1 if affected or unknown
+is_cpu_mds_free() {
+    # source: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/kernel/cpu/common.c
+    #VULNWL_INTEL(ATOM_GOLDMONT,             NO_MDS | NO_L1TF),
+    #VULNWL_INTEL(ATOM_GOLDMONT_X,           NO_MDS | NO_L1TF),
+    #VULNWL_INTEL(ATOM_GOLDMONT_PLUS,        NO_MDS | NO_L1TF),
+
+    #/* AMD Family 0xf - 0x12 */
+    #VULNWL_AMD(0x0f,        NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS),
+    #VULNWL_AMD(0x10,        NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS),
+    #VULNWL_AMD(0x11,        NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS),
+    #VULNWL_AMD(0x12,        NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS),
+
+    #/* FAMILY_ANY must be last, otherwise 0x0f - 0x12 matches won't work */
+    #VULNWL_AMD(X86_FAMILY_ANY,      NO_MELTDOWN | NO_L1TF | NO_MDS),
+    #VULNWL_HYGON(X86_FAMILY_ANY,    NO_MELTDOWN | NO_L1TF | NO_MDS),
+    parse_cpu_details
+    if is_intel; then
+        if [ "$cpu_family" = 6 ]; then
+            if [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_D" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_PLUS" ]; then
+                return 0
+            fi
+        fi
+        [ "$cap_mds_no" = 1 ] && return 0
+    fi
+
+    # official statement from AMD says none of their CPUs are affected
+    # https://www.amd.com/en/corporate/product-security
+    # https://www.amd.com/system/files/documents/security-whitepaper.pdf
+    if is_amd; then
+        return 0
+    elif is_hygon; then
+        return 0
+    elif [ "$cpu_vendor" = CAVIUM ]; then
+        return 0
+    elif [ "$cpu_vendor" = PHYTIUM ]; then
+        return 0
+    elif [ "$cpu_vendor" = ARM ]; then
+        return 0
+    fi
+
+    return 1
+}
+
+# Check whether the CPU is known to be unaffected by TSX Asynchronous Abort (TAA)
+# Returns: 0 if TAA-free, 1 if affected or unknown
+is_cpu_taa_free() {
+
+    if ! is_intel; then
+        return 0
+    # is intel
+    elif [ "$cap_taa_no" = 1 ] || [ "$cap_rtm" = 0 ]; then
+        return 0
+    fi
+
+    return 1
+}
+
+# Check whether the CPU is known to be unaffected by Special Register Buffer Data Sampling (SRBDS)
+# Returns: 0 if SRBDS-free, 1 if affected or unknown
+is_cpu_srbds_free() {
+    # source: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/kernel/cpu/common.c
+    #
+    # A processor is affected by SRBDS if its Family_Model and stepping is in the
+    # following list, with the exception of the listed processors
+    # exporting MDS_NO while Intel TSX is available yet not enabled. The
+    # latter class of processors are only affected when Intel TSX is enabled
+    # by software using TSX_CTRL_MSR otherwise they are not affected.
+    #
+    # =============  ============  ========
+    # common name    Family_Model  Stepping
+    # =============  ============  ========
+    # IvyBridge      06_3AH        All              (INTEL_FAM6_IVYBRIDGE)
+    #
+    # Haswell        06_3CH        All              (INTEL_FAM6_HASWELL)
+    # Haswell_L      06_45H        All              (INTEL_FAM6_HASWELL_L)
+    # Haswell_G      06_46H        All              (INTEL_FAM6_HASWELL_G)
+    #
+    # Broadwell_G    06_47H        All              (INTEL_FAM6_BROADWELL_G)
+    # Broadwell      06_3DH        All              (INTEL_FAM6_BROADWELL)
+    #
+    # Skylake_L      06_4EH        All              (INTEL_FAM6_SKYLAKE_L)
+    # Skylake        06_5EH        All              (INTEL_FAM6_SKYLAKE)
+    #
+    # Kabylake_L     06_8EH        <=0xC (MDS_NO)   (INTEL_FAM6_KABYLAKE_L)
+    #
+    # Kabylake       06_9EH        <=0xD (MDS_NO)   (INTEL_FAM6_KABYLAKE)
+    # =============  ============  ========
+    parse_cpu_details
+    if is_intel; then
+        if [ "$cpu_family" = 6 ]; then
+            if [ "$cpu_model" = "$INTEL_FAM6_IVYBRIDGE" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_HASWELL" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_HASWELL_L" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_HASWELL_G" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_BROADWELL_G" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_BROADWELL" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_SKYLAKE_L" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_SKYLAKE" ]; then
+                return 1
+            elif [ "$cpu_model" = "$INTEL_FAM6_KABYLAKE_L" ] && [ "$cpu_stepping" -le 12 ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_KABYLAKE" ] && [ "$cpu_stepping" -le 13 ]; then
+                if [ "$cap_mds_no" -eq 1 ] && { [ "$cap_rtm" -eq 0 ] || [ "$cap_tsx_ctrl_rtm_disable" -eq 1 ]; }; then
+                    return 0
+                else
+                    return 1
+                fi
+            fi
+        fi
+    fi
+
+    return 0
+
+}
+
+# Check whether the CPU is known to be unaffected by Speculative Store Bypass (SSB)
+# Returns: 0 if SSB-free, 1 if affected or unknown
+is_cpu_ssb_free() {
+    # source1: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/kernel/cpu/common.c#n945
+    # source2: https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/tree/arch/x86/kernel/cpu/common.c
+    # Only list CPUs that speculate but are immune, to avoid duplication of cpus listed in is_cpu_specex_free()
+    #{ X86_VENDOR_INTEL,	6,	INTEL_FAM6_ATOM_SILVERMONT	},
+    #{ X86_VENDOR_INTEL,	6,	INTEL_FAM6_ATOM_AIRMONT		},
+    #{ X86_VENDOR_INTEL,	6,	INTEL_FAM6_ATOM_SILVERMONT_X	},
+    #{ X86_VENDOR_INTEL,	6,	INTEL_FAM6_ATOM_SILVERMONT_MID	},
+    #{ X86_VENDOR_INTEL,	6,	INTEL_FAM6_CORE_YONAH		},
+    #{ X86_VENDOR_INTEL,	6,	INTEL_FAM6_XEON_PHI_KNL		},
+    #{ X86_VENDOR_INTEL,	6,	INTEL_FAM6_XEON_PHI_KNM		},
+    #{ X86_VENDOR_AMD,	0x12,					},
+    #{ X86_VENDOR_AMD,	0x11,					},
+    #{ X86_VENDOR_AMD,	0x10,					},
+    #{ X86_VENDOR_AMD,	0xf,					},
+    parse_cpu_details
+    if is_intel; then
+        if [ "$cpu_family" = 6 ]; then
+            if [ "$cpu_model" = "$INTEL_FAM6_ATOM_AIRMONT" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_D" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_MID" ]; then
+                return 0
+            elif [ "$cpu_model" = "$INTEL_FAM6_CORE_YONAH" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNL" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNM" ]; then
+                return 0
+            fi
+        fi
+    fi
+    if is_amd; then
+        if [ "$cpu_family" = "18" ] ||
+            [ "$cpu_family" = "17" ] ||
+            [ "$cpu_family" = "16" ] ||
+            [ "$cpu_family" = "15" ]; then
+            return 0
+        fi
+    fi
+    if is_hygon; then
+        return 1
+    fi
+    [ "$cpu_family" = 4 ] && return 0
+    return 1
+}
--- a/src/libs/220_util_update.sh
+++ b/src/libs/220_util_update.sh
@@ -0,0 +1,214 @@
+# vim: set ts=4 sw=4 sts=4 et:
+# Print the tool name and version banner
+show_header() {
+    pr_info "Spectre and Meltdown mitigation detection tool v$VERSION"
+    pr_info
+}
+
+# Convert Family-Model-Stepping triplet to a CPUID value (base-10 to stdout)
+# Args: $1=family $2=model $3=stepping
+fms2cpuid() {
+    local family model stepping extfamily lowfamily extmodel lowmodel
+    family="$1"
+    model="$2"
+    stepping="$3"
+
+    if [ "$((family))" -le 15 ]; then
+        extfamily=0
+        lowfamily=$((family))
+    else
+        # when we have a family > 0xF, then lowfamily is stuck at 0xF
+        # and extfamily is ADDED to it (as in "+"), to ensure old software
+        # never sees a lowfamily < 0xF for newer families
+        lowfamily=15
+        extfamily=$(((family) - 15))
+    fi
+    extmodel=$(((model & 0xF0) >> 4))
+    lowmodel=$(((model & 0x0F) >> 0))
+    echo $(((stepping & 0x0F) | (lowmodel << 4) | (lowfamily << 8) | (extmodel << 16) | (extfamily << 20)))
+}
+
+# Download a file using wget, curl, or fetch (whichever is available)
+# Args: $1=url $2=output_file
+download_file() {
+    local ret url file
+    url="$1"
+    file="$2"
+    if command -v wget >/dev/null 2>&1; then
+        wget -q "$url" -O "$file"
+        ret=$?
+    elif command -v curl >/dev/null 2>&1; then
+        curl -sL "$url" -o "$file"
+        ret=$?
+    elif command -v fetch >/dev/null 2>&1; then
+        fetch -q "$url" -o "$file"
+        ret=$?
+    else
+        echo ERROR "please install one of \`wget\`, \`curl\` of \`fetch\` programs"
+        unset file url
+        return 1
+    fi
+    unset file url
+    if [ "$ret" != 0 ]; then
+        echo ERROR "error $ret"
+        return $ret
+    fi
+    echo DONE
+}
+
+[ -z "$HOME" ] && HOME="$(getent passwd "$(whoami)" | cut -d: -f6)"
+g_mcedb_cache="$HOME/.mcedb"
+# Download and update the local microcode firmware database cache
+# Sets: g_mcedb_tmp (temp file, cleaned up on exit)
+update_fwdb() {
+    local previous_dbversion dbversion mcedb_revision iucode_tool nbfound linuxfw_hash mcedb_url intel_url linuxfw_url newfile line cpuid pfmask date version intel_timestamp intel_latest_date family model stepping sqlstm
+
+    show_header
+
+    set -e
+
+    if [ -r "$g_mcedb_cache" ]; then
+        previous_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$g_mcedb_cache")
+    fi
+
+    # first, download the MCE.db from the excellent platomav's MCExtractor project
+    g_mcedb_tmp="$(mktemp -t smc-mcedb-XXXXXX)"
+    mcedb_url='https://github.com/platomav/MCExtractor/raw/master/MCE.db'
+    pr_info_nol "Fetching MCE.db from the MCExtractor project... "
+    download_file "$mcedb_url" "$g_mcedb_tmp" || return $?
+
+    # second, get the Intel firmwares from GitHub
+    g_intel_tmp="$(mktemp -d -t smc-intelfw-XXXXXX)"
+    intel_url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/main.zip"
+    pr_info_nol "Fetching Intel firmwares... "
+    ## https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
+    download_file "$intel_url" "$g_intel_tmp/fw.zip" || return $?
+
+    # now extract MCEdb contents using sqlite
+    pr_info_nol "Extracting MCEdb data... "
+    if ! command -v sqlite3 >/dev/null 2>&1; then
+        echo ERROR "please install the \`sqlite3\` program"
+        return 1
+    fi
+    mcedb_revision=$(sqlite3 "$g_mcedb_tmp" "SELECT \"revision\" from \"MCE\"")
+    if [ -z "$mcedb_revision" ]; then
+        echo ERROR "downloaded file seems invalid"
+        return 1
+    fi
+    sqlite3 "$g_mcedb_tmp" "ALTER TABLE \"Intel\" ADD COLUMN \"origin\" TEXT"
+    sqlite3 "$g_mcedb_tmp" "ALTER TABLE \"Intel\" ADD COLUMN \"pfmask\" TEXT"
+    sqlite3 "$g_mcedb_tmp" "ALTER TABLE \"AMD\" ADD COLUMN \"origin\" TEXT"
+    sqlite3 "$g_mcedb_tmp" "ALTER TABLE \"AMD\" ADD COLUMN \"pfmask\" TEXT"
+    sqlite3 "$g_mcedb_tmp" "UPDATE \"Intel\" SET \"origin\"='mce'"
+    sqlite3 "$g_mcedb_tmp" "UPDATE \"Intel\" SET \"pfmask\"='FF'"
+    sqlite3 "$g_mcedb_tmp" "UPDATE \"AMD\" SET \"origin\"='mce'"
+    sqlite3 "$g_mcedb_tmp" "UPDATE \"AMD\" SET \"pfmask\"='FF'"
+
+    echo OK "MCExtractor database revision $mcedb_revision"
+
+    # parse Intel firmwares to get their versions
+    pr_info_nol "Integrating Intel firmwares data to db... "
+    if ! command -v unzip >/dev/null 2>&1; then
+        echo ERROR "please install the \`unzip\` program"
+        return 1
+    fi
+    (cd "$g_intel_tmp" && unzip fw.zip >/dev/null)
+    if ! [ -d "$g_intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" ]; then
+        echo ERROR "expected the 'intel-ucode' folder in the downloaded zip file"
+        return 1
+    fi
+
+    if ! command -v iucode_tool >/dev/null 2>&1; then
+        if ! command -v iucode-tool >/dev/null 2>&1; then
+            echo ERROR "please install the \`iucode-tool\` program"
+            return 1
+        else
+            iucode_tool="iucode-tool"
+        fi
+    else
+        iucode_tool="iucode_tool"
+    fi
+    #  079/001: sig 0x000106c2, pf_mask 0x01, 2009-04-10, rev 0x0217, size 5120
+    #  078/004: sig 0x000106ca, pf_mask 0x10, 2009-08-25, rev 0x0107, size 5120
+    $iucode_tool -l "$g_intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" | grep -wF sig | while read -r line; do
+        cpuid=$(echo "$line" | grep -Eio 'sig 0x[0-9a-f]+' | awk '{print $2}')
+        cpuid=$((cpuid))
+        cpuid=$(printf "%08X" "$cpuid")
+        pfmask=$(echo "$line" | grep -Eio 'pf_mask 0x[0-9a-f]+' | awk '{print $2}')
+        pfmask=$((pfmask))
+        pfmask=$(printf "%02X" $pfmask)
+        date=$(echo "$line" | grep -Eo '(19|20)[0-9][0-9]-[01][0-9]-[0-3][0-9]' | tr -d '-')
+        version=$(echo "$line" | grep -Eio 'rev 0x[0-9a-f]+' | awk '{print $2}')
+        version=$((version))
+        version=$(printf "%08X" "$version")
+        # ensure the official Intel DB always has precedence over mcedb, even if mcedb has seen a more recent fw
+        sqlite3 "$g_mcedb_tmp" "DELETE FROM \"Intel\" WHERE \"origin\" != 'intel' AND \"cpuid\" = '$cpuid';"
+        # then insert our version
+        sqlite3 "$g_mcedb_tmp" "INSERT INTO \"Intel\" (\"origin\",\"cpuid\",\"pfmask\",\"version\",\"yyyymmdd\") VALUES ('intel','$cpuid','$pfmask','$version','$date');"
+    done
+    intel_timestamp=$(stat -c %Y "$g_intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/license" 2>/dev/null || stat -f %m "$g_intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/license" 2>/dev/null)
+    if [ -n "$intel_timestamp" ]; then
+        # use this date, it matches the last commit date
+        intel_latest_date=$(date -d @"$intel_timestamp" +%Y%m%d 2>/dev/null || date -r "$intel_timestamp" +%Y%m%d)
+    else
+        echo "Falling back to the latest microcode date"
+        intel_latest_date=$(sqlite3 "$g_mcedb_tmp" "SELECT \"yyyymmdd\" FROM \"Intel\" WHERE \"origin\"='intel' ORDER BY \"yyyymmdd\" DESC LIMIT 1;")
+    fi
+    echo DONE "(version $intel_latest_date)"
+
+    # now parse the most recent linux-firmware amd-ucode README file
+    pr_info_nol "Fetching latest amd-ucode README from linux-firmware project... "
+    linuxfw_url="https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/plain/amd-ucode/README"
+    g_linuxfw_tmp=$(mktemp -t smc-linuxfw-XXXXXX)
+    download_file "$linuxfw_url" "$g_linuxfw_tmp" || return $?
+
+    pr_info_nol "Parsing the README... "
+    nbfound=0
+    for line in $(grep -E 'Family=0x[0-9a-f]+ Model=0x[0-9a-f]+ Stepping=0x[0-9a-f]+: Patch=0x[0-9a-f]+' "$g_linuxfw_tmp" | tr " " ","); do
+        pr_debug "Parsing line $line"
+        family=$(echo "$line" | grep -Eoi 'Family=0x[0-9a-f]+' | cut -d= -f2)
+        model=$(echo "$line" | grep -Eoi 'Model=0x[0-9a-f]+' | cut -d= -f2)
+        stepping=$(echo "$line" | grep -Eoi 'Stepping=0x[0-9a-f]+' | cut -d= -f2)
+        version=$(echo "$line" | grep -Eoi 'Patch=0x[0-9a-f]+' | cut -d= -f2)
+        version=$(printf "%08X" "$((version))")
+        cpuid=$(fms2cpuid "$family" "$model" "$stepping")
+        cpuid=$(printf "%08X" "$cpuid")
+        sqlstm="INSERT INTO \"AMD\" (\"origin\",\"cpuid\",\"pfmask\",\"version\",\"yyyymmdd\") VALUES ('linux-firmware','$cpuid','FF','$version','20000101')"
+        pr_debug "family $family model $model stepping $stepping cpuid $cpuid"
+        pr_debug "$sqlstm"
+        sqlite3 "$g_mcedb_tmp" "$sqlstm"
+        nbfound=$((nbfound + 1))
+        unset family model stepping version cpuid date sqlstm
+    done
+    echo "found $nbfound microcodes"
+    unset nbfound
+
+    dbversion="$mcedb_revision+i$intel_latest_date"
+    linuxfw_hash=$(md5sum "$g_linuxfw_tmp" 2>/dev/null | cut -c1-4)
+    if [ -n "$linuxfw_hash" ]; then
+        dbversion="$dbversion+$linuxfw_hash"
+    fi
+
+    if [ "$1" != builtin ] && [ -n "$previous_dbversion" ] && [ "$previous_dbversion" = "v$dbversion" ]; then
+        echo "We already have this version locally, no update needed"
+        return 0
+    fi
+
+    pr_info_nol "Building local database... "
+    {
+        echo "# Spectre & Meltdown Checker"
+        echo "# %%% MCEDB v$dbversion"
+        # we'll use the more recent fw for Intel and AMD
+        sqlite3 "$g_mcedb_tmp" "SELECT '# I,0x'||\"t1\".\"cpuid\"||',0x'||\"t1\".\"pfmask\"||',0x'||MAX(\"t1\".\"version\")||','||\"t1\".\"yyyymmdd\" FROM \"Intel\" AS \"t1\" LEFT OUTER JOIN \"Intel\" AS \"t2\" ON \"t2\".\"cpuid\"=\"t1\".\"cpuid\" AND \"t2\".\"pfmask\"=\"t1\".\"pfmask\" AND \"t2\".\"yyyymmdd\" > \"t1\".\"yyyymmdd\" WHERE \"t2\".\"yyyymmdd\" IS NULL GROUP BY \"t1\".\"cpuid\",\"t1\".\"pfmask\" ORDER BY \"t1\".\"cpuid\",\"t1\".\"pfmask\" ASC;" | grep -v '^# .,0x00000000,'
+        sqlite3 "$g_mcedb_tmp" "SELECT '# A,0x'||\"t1\".\"cpuid\"||',0x'||\"t1\".\"pfmask\"||',0x'||MAX(\"t1\".\"version\")||','||\"t1\".\"yyyymmdd\" FROM \"AMD\"   AS \"t1\" LEFT OUTER JOIN \"AMD\"   AS \"t2\" ON \"t2\".\"cpuid\"=\"t1\".\"cpuid\" AND \"t2\".\"pfmask\"=\"t1\".\"pfmask\" AND \"t2\".\"yyyymmdd\" > \"t1\".\"yyyymmdd\" WHERE \"t2\".\"yyyymmdd\" IS NULL GROUP BY \"t1\".\"cpuid\",\"t1\".\"pfmask\" ORDER BY \"t1\".\"cpuid\",\"t1\".\"pfmask\" ASC;" | grep -v '^# .,0x00000000,'
+    } >"$g_mcedb_cache"
+    echo DONE "(version $dbversion)"
+
+    if [ "$1" = builtin ]; then
+        newfile=$(mktemp -t smc-builtin-XXXXXX)
+        awk '/^# %%% MCEDB / { exit }; { print }' "$0" >"$newfile"
+        awk '{ if (NR>1) { print } }' "$g_mcedb_cache" >>"$newfile"
+        cat "$newfile" >"$0"
+        rm -f "$newfile"
+    fi
+}
--- a/src/libs/230_util_optparse.sh
+++ b/src/libs/230_util_optparse.sh
@@ -0,0 +1,297 @@
+# vim: set ts=4 sw=4 sts=4 et:
+# Validate a command-line option that expects a readable file path
+# Args: $1=option_name $2=option_value (file path)
+parse_opt_file() {
+    local option_name option_value
+    option_name="$1"
+    option_value="$2"
+    if [ -z "$option_value" ]; then
+        show_header
+        show_usage
+        echo "$0: error: --$option_name expects one parameter (a file)" >&2
+        exit 1
+    elif [ ! -e "$option_value" ]; then
+        show_header
+        echo "$0: error: couldn't find file $option_value" >&2
+        exit 1
+    elif [ ! -f "$option_value" ]; then
+        show_header
+        echo "$0: error: $option_value is not a file" >&2
+        exit 1
+    elif [ ! -r "$option_value" ]; then
+        show_header
+        echo "$0: error: couldn't read $option_value (are you root?)" >&2
+        exit 1
+    fi
+    echo "$option_value"
+    exit 0
+}
+
+while [ -n "${1:-}" ]; do
+    if [ "$1" = "--kernel" ]; then
+        opt_kernel=$(parse_opt_file kernel "$2")
+        ret=$?
+        [ $ret -ne 0 ] && exit 255
+        shift 2
+    elif [ "$1" = "--config" ]; then
+        opt_config=$(parse_opt_file config "$2")
+        ret=$?
+        [ $ret -ne 0 ] && exit 255
+        shift 2
+    elif [ "$1" = "--map" ]; then
+        opt_map=$(parse_opt_file map "$2")
+        ret=$?
+        [ $ret -ne 0 ] && exit 255
+        shift 2
+    elif [ "$1" = "--arch-prefix" ]; then
+        opt_arch_prefix="$2"
+        shift 2
+    elif [ "$1" = "--live" ]; then
+        opt_live=1
+        shift
+    elif [ "$1" = "--no-color" ]; then
+        opt_no_color=1
+        shift
+    elif [ "$1" = "--no-sysfs" ]; then
+        opt_no_sysfs=1
+        shift
+    elif [ "$1" = "--sysfs-only" ]; then
+        opt_sysfs_only=1
+        shift
+    elif [ "$1" = "--coreos" ]; then
+        opt_coreos=1
+        shift
+    elif [ "$1" = "--coreos-within-toolbox" ]; then
+        # don't use directly: used internally by --coreos
+        opt_coreos=0
+        shift
+    elif [ "$1" = "--paranoid" ]; then
+        opt_paranoid=1
+        shift
+    elif [ "$1" = "--hw-only" ]; then
+        opt_hw_only=1
+        shift
+    elif [ "$1" = "--no-hw" ]; then
+        opt_no_hw=1
+        shift
+    elif [ "$1" = "--allow-msr-write" ]; then
+        opt_allow_msr_write=1
+        shift
+    elif [ "$1" = "--no-intel-db" ]; then
+        opt_intel_db=0
+        shift
+    elif [ "$1" = "--cpu" ]; then
+        opt_cpu=$2
+        if [ "$opt_cpu" != all ]; then
+            if echo "$opt_cpu" | grep -Eq '^[0-9]+'; then
+                opt_cpu=$((opt_cpu))
+            else
+                echo "$0: error: --cpu should be an integer or 'all', got '$opt_cpu'" >&2
+                exit 255
+            fi
+        fi
+        shift 2
+    elif [ "$1" = "--no-explain" ]; then
+        # deprecated, kept for compatibility
+        opt_explain=0
+        shift
+    elif [ "$1" = "--update-fwdb" ] || [ "$1" = "--update-mcedb" ]; then
+        update_fwdb
+        exit $?
+    elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--update-builtin-mcedb" ]; then
+        update_fwdb builtin
+        exit $?
+    elif [ "$1" = "--dump-mock-data" ]; then
+        opt_mock=1
+        shift
+    elif [ "$1" = "--explain" ]; then
+        opt_explain=1
+        shift
+    elif [ "$1" = "--batch" ]; then
+        opt_batch=1
+        opt_verbose=0
+        opt_no_color=1
+        shift
+        case "$1" in
+            text | short | nrpe | json | prometheus)
+                opt_batch_format="$1"
+                shift
+                ;;
+            --*) ;; # allow subsequent flags
+            '') ;;  # allow nothing at all
+            *)
+                echo "$0: error: unknown batch format '$1'" >&2
+                echo "$0: error: --batch expects a format from: text, nrpe, json" >&2
+                exit 255
+                ;;
+        esac
+    elif [ "$1" = "-v" ] || [ "$1" = "--verbose" ]; then
+        opt_verbose=$((opt_verbose + 1))
+        [ "$opt_verbose" -ge 2 ] && opt_mock=1
+        shift
+    elif [ "$1" = "--cve" ]; then
+        if [ -z "$2" ]; then
+            echo "$0: error: option --cve expects a parameter, supported CVEs are: $g_supported_cve_list" >&2
+            exit 255
+        fi
+        selected_cve=$(echo "$g_supported_cve_list" | grep -iwo "$2")
+        if [ -n "$selected_cve" ]; then
+            opt_cve_list="$opt_cve_list $selected_cve"
+            opt_cve_all=0
+        else
+            echo "$0: error: unsupported CVE specified ('$2'), supported CVEs are: $g_supported_cve_list" >&2
+            exit 255
+        fi
+        shift 2
+    elif [ "$1" = "--vmm" ]; then
+        if [ -z "$2" ]; then
+            echo "$0: error: option --vmm (auto, yes, no)" >&2
+            exit 255
+        fi
+        case "$2" in
+            auto) opt_vmm=-1 ;;
+            yes) opt_vmm=1 ;;
+            no) opt_vmm=0 ;;
+            *)
+                echo "$0: error: expected one of (auto, yes, no) to option --vmm instead of '$2'" >&2
+                exit 255
+                ;;
+        esac
+        shift 2
+    elif [ "$1" = "--variant" ]; then
+        if [ -z "$2" ]; then
+            echo "$0: error: option --variant expects a parameter (see --variant help)" >&2
+            exit 255
+        fi
+        case "$2" in
+            help)
+                echo "The following parameters are supported for --variant (can be used multiple times):"
+                echo "1, 2, 3, 3a, 4, msbds, mfbds, mlpds, mdsum, l1tf, taa, mcepsc, srbds, zenbleed, downfall, inception, reptar, tsa, tsa-sq, tsa-l1"
+                exit 0
+                ;;
+            1)
+                opt_cve_list="$opt_cve_list CVE-2017-5753"
+                opt_cve_all=0
+                ;;
+            2)
+                opt_cve_list="$opt_cve_list CVE-2017-5715"
+                opt_cve_all=0
+                ;;
+            3)
+                opt_cve_list="$opt_cve_list CVE-2017-5754"
+                opt_cve_all=0
+                ;;
+            3a)
+                opt_cve_list="$opt_cve_list CVE-2018-3640"
+                opt_cve_all=0
+                ;;
+            4)
+                opt_cve_list="$opt_cve_list CVE-2018-3639"
+                opt_cve_all=0
+                ;;
+            msbds)
+                opt_cve_list="$opt_cve_list CVE-2018-12126"
+                opt_cve_all=0
+                ;;
+            mfbds)
+                opt_cve_list="$opt_cve_list CVE-2018-12130"
+                opt_cve_all=0
+                ;;
+            mlpds)
+                opt_cve_list="$opt_cve_list CVE-2018-12127"
+                opt_cve_all=0
+                ;;
+            mdsum)
+                opt_cve_list="$opt_cve_list CVE-2019-11091"
+                opt_cve_all=0
+                ;;
+            l1tf)
+                opt_cve_list="$opt_cve_list CVE-2018-3615 CVE-2018-3620 CVE-2018-3646"
+                opt_cve_all=0
+                ;;
+            taa)
+                opt_cve_list="$opt_cve_list CVE-2019-11135"
+                opt_cve_all=0
+                ;;
+            mcepsc)
+                opt_cve_list="$opt_cve_list CVE-2018-12207"
+                opt_cve_all=0
+                ;;
+            srbds)
+                opt_cve_list="$opt_cve_list CVE-2020-0543"
+                opt_cve_all=0
+                ;;
+            zenbleed)
+                opt_cve_list="$opt_cve_list CVE-2023-20593"
+                opt_cve_all=0
+                ;;
+            downfall)
+                opt_cve_list="$opt_cve_list CVE-2022-40982"
+                opt_cve_all=0
+                ;;
+            inception)
+                opt_cve_list="$opt_cve_list CVE-2023-20569"
+                opt_cve_all=0
+                ;;
+            reptar)
+                opt_cve_list="$opt_cve_list CVE-2023-23583"
+                opt_cve_all=0
+                ;;
+            tsa)
+                opt_cve_list="$opt_cve_list CVE-2024-36350 CVE-2024-36357"
+                opt_cve_all=0
+                ;;
+            tsa-sq)
+                opt_cve_list="$opt_cve_list CVE-2024-36350"
+                opt_cve_all=0
+                ;;
+            tsa-l1)
+                opt_cve_list="$opt_cve_list CVE-2024-36357"
+                opt_cve_all=0
+                ;;
+            *)
+                echo "$0: error: invalid parameter '$2' for --variant, see --variant help for a list" >&2
+                exit 255
+                ;;
+        esac
+        shift 2
+    elif [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
+        show_header
+        show_usage
+        exit 0
+    elif [ "$1" = "--version" ]; then
+        opt_no_color=1
+        show_header
+        exit 0
+    elif [ "$1" = "--disclaimer" ]; then
+        show_header
+        show_disclaimer
+        exit 0
+    else
+        show_header
+        show_usage
+        echo "$0: error: unknown option '$1'"
+        exit 255
+    fi
+done
+
+show_header
+
+if [ "$opt_no_sysfs" = 1 ] && [ "$opt_sysfs_only" = 1 ]; then
+    pr_warn "Incompatible options specified (--no-sysfs and --sysfs-only), aborting"
+    exit 255
+fi
+
+if [ "$opt_no_hw" = 1 ] && [ "$opt_hw_only" = 1 ]; then
+    pr_warn "Incompatible options specified (--no-hw and --hw-only), aborting"
+    exit 255
+fi
+
+if [ "$opt_live" = -1 ]; then
+    if [ -n "$opt_kernel" ] || [ -n "$opt_config" ] || [ -n "$opt_map" ]; then
+        # no --live specified and we have a least one of the kernel/config/map files on the cmdline: offline mode
+        opt_live=0
+    else
+        opt_live=1
+    fi
+fi
--- a/src/libs/240_output_status.sh
+++ b/src/libs/240_output_status.sh
@@ -0,0 +1,21 @@
+# vim: set ts=4 sw=4 sts=4 et:
+# Print a colored status badge followed by an optional supplement
+# Args: $1=color(red|green|yellow|blue) $2=message $3=supplement(optional)
+pstatus() {
+    local col
+    if [ "$opt_no_color" = 1 ]; then
+        pr_info_nol "$2"
+    else
+        case "$1" in
+            red) col="\033[41m\033[30m" ;;
+            green) col="\033[42m\033[30m" ;;
+            yellow) col="\033[43m\033[30m" ;;
+            blue) col="\033[44m\033[30m" ;;
+            *) col="" ;;
+        esac
+        pr_info_nol "$col $2 \033[0m"
+    fi
+    [ -n "${3:-}" ] && pr_info_nol " ($3)"
+    pr_info
+    unset col
+}
--- a/src/libs/250_output_emitters.sh
+++ b/src/libs/250_output_emitters.sh
@@ -0,0 +1,123 @@
+# vim: set ts=4 sw=4 sts=4 et:
+# --- Format-specific batch emitters ---
+
+# Emit a single CVE result as plain text
+# Args: $1=cve $2=aka $3=status $4=description
+# Callers: pvulnstatus
+_emit_text() {
+    _pr_echo 0 "$1: $3 ($4)"
+}
+
+# Append CVE ID to the space-separated short output buffer
+# Args: $1=cve $2=aka $3=status $4=description
+# Sets: g_short_output
+# Callers: pvulnstatus
+_emit_short() {
+    g_short_output="${g_short_output}$1 "
+}
+
+# Append a CVE result as a JSON object to the batch output buffer
+# Args: $1=cve $2=aka $3=status(UNK|VULN|OK) $4=description
+# Sets: g_json_output
+# Callers: pvulnstatus
+_emit_json() {
+    local is_vuln esc_name esc_infos
+    case "$3" in
+        UNK) is_vuln="null" ;;
+        VULN) is_vuln="true" ;;
+        OK) is_vuln="false" ;;
+        *)
+            echo "$0: error: unknown status '$3' passed to _emit_json()" >&2
+            exit 255
+            ;;
+    esac
+    # escape backslashes and double quotes for valid JSON strings
+    esc_name=$(printf '%s' "$2" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
+    esc_infos=$(printf '%s' "$4" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
+    [ -z "$g_json_output" ] && g_json_output='['
+    g_json_output="${g_json_output}{\"NAME\":\"$esc_name\",\"CVE\":\"$1\",\"VULNERABLE\":$is_vuln,\"INFOS\":\"$esc_infos\"},"
+}
+
+# Append vulnerable CVE IDs to the NRPE output buffer
+# Args: $1=cve $2=aka $3=status $4=description
+# Sets: g_nrpe_vuln
+# Callers: pvulnstatus
+_emit_nrpe() {
+    [ "$3" = VULN ] && g_nrpe_vuln="$g_nrpe_vuln $1"
+}
+
+# Append a CVE result as a Prometheus metric to the batch output buffer
+# Args: $1=cve $2=aka $3=status $4=description
+# Sets: g_prometheus_output
+# Callers: pvulnstatus
+_emit_prometheus() {
+    local esc_info
+    # escape backslashes and double quotes for Prometheus label values
+    esc_info=$(printf '%s' "$4" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
+    g_prometheus_output="${g_prometheus_output:+$g_prometheus_output\n}specex_vuln_status{name=\"$2\",cve=\"$1\",status=\"$3\",info=\"$esc_info\"} 1"
+}
+
+# Update global state used to determine the program exit code
+# Args: $1=cve $2=status(UNK|VULN|OK)
+# Sets: g_unknown, g_critical
+# Callers: pvulnstatus
+_record_result() {
+    case "$2" in
+        UNK) g_unknown="1" ;;
+        VULN) g_critical="1" ;;
+        OK) ;;
+        *)
+            echo "$0: error: unknown status '$2' passed to _record_result()" >&2
+            exit 255
+            ;;
+    esac
+}
+
+# Print the final vulnerability status for a CVE and dispatch to batch emitters
+# Args: $1=cve $2=status(UNK|OK|VULN) $3=description
+# Sets: g_pvulnstatus_last_cve
+pvulnstatus() {
+    local aka vulnstatus
+    g_pvulnstatus_last_cve="$1"
+    if [ "$opt_batch" = 1 ]; then
+        aka=$(_cve_registry_field "$1" 2)
+
+        case "$opt_batch_format" in
+            text) _emit_text "$1" "$aka" "$2" "$3" ;;
+            short) _emit_short "$1" "$aka" "$2" "$3" ;;
+            json) _emit_json "$1" "$aka" "$2" "$3" ;;
+            nrpe) _emit_nrpe "$1" "$aka" "$2" "$3" ;;
+            prometheus) _emit_prometheus "$1" "$aka" "$2" "$3" ;;
+            *)
+                echo "$0: error: invalid batch format '$opt_batch_format' specified" >&2
+                exit 255
+                ;;
+        esac
+    fi
+
+    _record_result "$1" "$2"
+
+    # display info if we're not in quiet/batch mode
+    vulnstatus="$2"
+    shift 2
+    pr_info_nol "> \033[46m\033[30mSTATUS:\033[0m "
+    : "${g_final_summary:=}"
+    case "$vulnstatus" in
+        UNK)
+            pstatus yellow 'UNKNOWN' "$@"
+            g_final_summary="$g_final_summary \033[43m\033[30m$g_pvulnstatus_last_cve:??\033[0m"
+            ;;
+        VULN)
+            pstatus red 'VULNERABLE' "$@"
+            g_final_summary="$g_final_summary \033[41m\033[30m$g_pvulnstatus_last_cve:KO\033[0m"
+            ;;
+        OK)
+            pstatus green 'NOT VULNERABLE' "$@"
+            g_final_summary="$g_final_summary \033[42m\033[30m$g_pvulnstatus_last_cve:OK\033[0m"
+            ;;
+        *)
+            echo "$0: error: unknown status '$vulnstatus' passed to pvulnstatus()" >&2
+            exit 255
+            ;;
+    esac
+}
--- a/src/libs/300_kernel_extract.sh
+++ b/src/libs/300_kernel_extract.sh
@@ -0,0 +1,152 @@
+# vim: set ts=4 sw=4 sts=4 et:
+# The 3 below functions are taken from the extract-linux script, available here:
+# https://github.com/torvalds/linux/blob/master/scripts/extract-vmlinux
+# The functions have been modified for better integration to this script
+# The original header of the file has been retained below
+
+# ----------------------------------------------------------------------
+# extract-vmlinux - Extract uncompressed vmlinux from a kernel image
+#
+# Inspired from extract-ikconfig
+# (c) 2009,2010 Dick Streefland <dick@streefland.net>
+#
+# (c) 2011      Corentin Chary <corentin.chary@gmail.com>
+#
+# Licensed under the GNU General Public License, version 2 (GPLv2).
+# ----------------------------------------------------------------------
+
+g_kernel=''
+g_kernel_err=''
+# Validate whether a file looks like a valid uncompressed Linux kernel image
+# Args: $1=file_path
+# Sets: g_kernel, g_kernel_err
+check_kernel() {
+    local ret file mode readelf_warnings readelf_sections kernel_size
+    file="$1"
+    mode="${2:-normal}"
+    # checking the return code of readelf -h is not enough, we could get
+    # a damaged ELF file and validate it, check for stderr warnings too
+
+    # the warning "readelf: Warning: [16]: Link field (0) should index a symtab section./" can appear on valid kernels, ignore it
+    readelf_warnings=$("${opt_arch_prefix}readelf" -S "$file" 2>&1 >/dev/null | grep -v 'should index a symtab section' | tr "\n" "/")
+    ret=$?
+    readelf_sections=$("${opt_arch_prefix}readelf" -S "$file" 2>/dev/null | grep -c -e data -e text -e init)
+    kernel_size=$(stat -c %s "$file" 2>/dev/null || stat -f %z "$file" 2>/dev/null || echo 10000)
+    pr_debug "check_kernel: ret=$? size=$kernel_size sections=$readelf_sections warnings=$readelf_warnings"
+    if [ "$mode" = desperate ]; then
+        if "${opt_arch_prefix}strings" "$file" | grep -Eq '^Linux version '; then
+            pr_debug "check_kernel (desperate): ... matched!"
+            if [ "$readelf_sections" = 0 ] && grep -qF -e armv6 -e armv7 "$file"; then
+                pr_debug "check_kernel (desperate): raw arm binary found, adjusting objdump options"
+                g_objdump_options="-D -b binary -marm"
+            else
+                g_objdump_options="-d"
+            fi
+            return 0
+        else
+            pr_debug "check_kernel (desperate): ... invalid"
+        fi
+    else
+        if [ $ret -eq 0 ] && [ -z "$readelf_warnings" ] && [ "$readelf_sections" -gt 0 ]; then
+            if [ "$kernel_size" -ge 100000 ]; then
+                pr_debug "check_kernel: ... file is valid"
+                g_objdump_options="-d"
+                return 0
+            else
+                pr_debug "check_kernel: ... file seems valid but is too small, ignoring"
+            fi
+        else
+            pr_debug "check_kernel: ... file is invalid"
+        fi
+    fi
+    return 1
+}
+
+# Attempt to find and decompress a kernel image using a given compression format
+# Args: $1=magic_search $2=magic_match $3=format_name $4=decompress_cmd $5=decompress_args $6=input_file $7=output_file
+try_decompress() {
+    local pos ret
+    # The obscure use of the "tr" filter is to work around older versions of
+    # "grep" that report the byte offset of the line instead of the pattern.
+
+    # Try to find the header ($1) and decompress from here
+    pr_debug "try_decompress: looking for $3 magic in $6"
+    for pos in $(tr "$1\n$2" "\n$2=" <"$6" | grep -abo "^$2"); do
+        pr_debug "try_decompress: magic for $3 found at offset $pos"
+        if ! command -v "$3" >/dev/null 2>&1; then
+            if [ "$8" = 1 ]; then
+                # pass1: if the tool is not installed, just bail out silently
+                # and hope that the next decompression tool will be, and that
+                # it'll happen to be the proper one for this kernel
+                pr_debug "try_decompress: the '$3' tool is not installed (pass 1), try the next algo"
+            else
+                # pass2: if the tool is not installed, populate g_kernel_err this time
+                g_kernel_err="missing '$3' tool, please install it, usually it's in the '$5' package"
+                pr_debug "try_decompress: $g_kernel_err"
+            fi
+            return 1
+        fi
+        pos=${pos%%:*}
+        # shellcheck disable=SC2086
+        tail -c+$pos "$6" 2>/dev/null | $3 $4 >"$g_kerneltmp" 2>/dev/null
+        ret=$?
+        if [ ! -s "$g_kerneltmp" ]; then
+            # don't rely on $ret, sometimes it's != 0 but worked
+            # (e.g. gunzip ret=2 just means there was trailing garbage)
+            pr_debug "try_decompress: decompression with $3 failed (err=$ret)"
+        elif check_kernel "$g_kerneltmp" "$7"; then
+            g_kernel="$g_kerneltmp"
+            pr_debug "try_decompress: decompressed with $3 successfully!"
+            return 0
+        elif [ "$3" != "cat" ]; then
+            pr_debug "try_decompress: decompression with $3 worked but result is not a kernel, trying with an offset"
+            [ -z "$g_kerneltmp2" ] && g_kerneltmp2=$(mktemp -t smc-kernel-XXXXXX)
+            cat "$g_kerneltmp" >"$g_kerneltmp2"
+            try_decompress '\177ELF' xxy 'cat' '' cat "$g_kerneltmp2" && return 0
+        else
+            pr_debug "try_decompress: decompression with $3 worked but result is not a kernel"
+        fi
+    done
+    return 1
+}
+
+# Extract an uncompressed vmlinux from a possibly compressed kernel image
+# Args: $1=kernel_image_path
+# Sets: g_kerneltmp
+extract_kernel() {
+    local pass mode
+    [ -n "${1:-}" ] || return 1
+    # Prepare temp files:
+    g_kerneltmp="$(mktemp -t smc-kernel-XXXXXX)"
+
+    # Initial attempt for uncompressed images or objects:
+    if check_kernel "$1"; then
+        pr_debug "extract_kernel: found kernel is valid, no decompression needed"
+        cat "$1" >"$g_kerneltmp"
+        g_kernel=$g_kerneltmp
+        return 0
+    fi
+
+    # That didn't work, so retry after decompression.
+    for pass in 1 2; do
+        for mode in normal desperate; do
+            pr_debug "extract_kernel: pass $pass $mode mode"
+            try_decompress '\037\213\010' xy gunzip '' gunzip "$1" "$mode" "$pass" && return 0
+            try_decompress '\002\041\114\030' xyy 'lz4' '-d -l' liblz4-tool "$1" "$mode" "$pass" && return 0
+            try_decompress '\3757zXZ\000' abcde unxz '' xz-utils "$1" "$mode" "$pass" && return 0
+            try_decompress 'BZh' xy bunzip2 '' bzip2 "$1" "$mode" "$pass" && return 0
+            try_decompress '\135\0\0\0' xxx unlzma '' xz-utils "$1" "$mode" "$pass" && return 0
+            try_decompress '\211\114\132' xy 'lzop' '-d' lzop "$1" "$mode" "$pass" && return 0
+            try_decompress '\177ELF' xxy 'cat' '' cat "$1" "$mode" "$pass" && return 0
+            try_decompress '(\265/\375' xxy unzstd '' zstd "$1" "$mode" "$pass" && return 0
+        done
+    done
+    # g_kernel_err might already have been populated by try_decompress() if we're missing one of the tools
+    if [ -z "$g_kernel_err" ]; then
+        g_kernel_err="kernel compression format is unknown or image is invalid"
+    fi
+    pr_verbose "Couldn't extract the kernel image ($g_kernel_err), accuracy might be reduced"
+    return 1
+}
+
+# end of extract-vmlinux functions
--- a/src/libs/310_cpu_msr_load.sh
+++ b/src/libs/310_cpu_msr_load.sh
@@ -0,0 +1,32 @@
+# vim: set ts=4 sw=4 sts=4 et:
+# Mount debugfs if not already available, remembering to unmount on cleanup
+# Sets: g_mounted_debugfs
+mount_debugfs() {
+    if [ ! -e "$DEBUGFS_BASE/sched_features" ]; then
+        # try to mount the debugfs hierarchy ourselves and remember it to umount afterwards
+        mount -t debugfs debugfs "$DEBUGFS_BASE" 2>/dev/null && g_mounted_debugfs=1
+    fi
+}
+
+# Load the MSR kernel module (Linux) or cpuctl (BSD) if not already loaded
+# Sets: g_insmod_msr, g_kldload_cpuctl
+load_msr() {
+    [ "${g_load_msr_once:-}" = 1 ] && return
+    g_load_msr_once=1
+
+    if [ "$g_os" = Linux ]; then
+        if ! grep -qw msr "$g_procfs/modules" 2>/dev/null; then
+            modprobe msr 2>/dev/null && g_insmod_msr=1
+            pr_debug "attempted to load module msr, g_insmod_msr=$g_insmod_msr"
+        else
+            pr_debug "msr module already loaded"
+        fi
+    else
+        if ! kldstat -q -m cpuctl; then
+            kldload cpuctl 2>/dev/null && g_kldload_cpuctl=1
+            pr_debug "attempted to load module cpuctl, g_kldload_cpuctl=$g_kldload_cpuctl"
+        else
+            pr_debug "cpuctl module already loaded"
+        fi
+    fi
+}
--- a/src/libs/320_cpu_cpuid.sh
+++ b/src/libs/320_cpu_cpuid.sh
@@ -0,0 +1,177 @@
+# vim: set ts=4 sw=4 sts=4 et:
+# Load the CPUID kernel module if not already loaded (Linux only)
+# Sets: g_insmod_cpuid
+load_cpuid() {
+    [ "${g_load_cpuid_once:-}" = 1 ] && return
+    g_load_cpuid_once=1
+
+    if [ "$g_os" = Linux ]; then
+        if ! grep -qw cpuid "$g_procfs/modules" 2>/dev/null; then
+            modprobe cpuid 2>/dev/null && g_insmod_cpuid=1
+            pr_debug "attempted to load module cpuid, g_insmod_cpuid=$g_insmod_cpuid"
+        else
+            pr_debug "cpuid module already loaded"
+        fi
+    else
+        if ! kldstat -q -m cpuctl; then
+            kldload cpuctl 2>/dev/null && g_kldload_cpuctl=1
+            pr_debug "attempted to load module cpuctl, g_kldload_cpuctl=$g_kldload_cpuctl"
+        else
+            pr_debug "cpuctl module already loaded"
+        fi
+    fi
+}
+
+# shellcheck disable=SC2034
+readonly EAX=1
+readonly EBX=2
+readonly ECX=3
+readonly EDX=4
+readonly READ_CPUID_RET_OK=0
+readonly READ_CPUID_RET_KO=1
+readonly READ_CPUID_RET_ERR=2
+# Read a CPUID register value across one or all cores
+# Args: $1=leaf $2=subleaf $3=register(EAX|EBX|ECX|EDX) $4=shift $5=bit_width $6=expected_value
+# Sets: ret_read_cpuid_value, ret_read_cpuid_msg
+# Returns: READ_CPUID_RET_OK | READ_CPUID_RET_KO | READ_CPUID_RET_ERR
+read_cpuid() {
+    local ret core first_core_ret first_core_value
+    if [ "$opt_cpu" != all ]; then
+        # we only have one core to read, do it and return the result
+        read_cpuid_one_core "$opt_cpu" "$@"
+        return $?
+    fi
+
+    # otherwise we must read all cores
+    for core in $(seq 0 "$g_max_core_id"); do
+        read_cpuid_one_core "$core" "$@"
+        ret=$?
+        if [ "$core" = 0 ]; then
+            # save the result of the first core, for comparison with the others
+            first_core_ret=$ret
+            first_core_value=$ret_read_cpuid_value
+        else
+            # compare first core with the other ones
+            if [ "$first_core_ret" != "$ret" ] || [ "$first_core_value" != "$ret_read_cpuid_value" ]; then
+                ret_read_cpuid_msg="result is not homogeneous between all cores, at least core 0 and $core differ!"
+                return $READ_CPUID_RET_ERR
+            fi
+        fi
+    done
+    # if we're here, all cores agree, return the result
+    return "$ret"
+}
+
+# Read a CPUID register value from a single CPU core
+# Args: $1=core $2=leaf $3=subleaf $4=register(EAX|EBX|ECX|EDX) $5=shift $6=bit_width $7=expected_value
+# Sets: ret_read_cpuid_value, ret_read_cpuid_msg
+# Returns: READ_CPUID_RET_OK | READ_CPUID_RET_KO | READ_CPUID_RET_ERR
+read_cpuid_one_core() {
+    local core leaf subleaf register shift mask wanted position ddskip odskip cpuid mockvarname reg reg_shifted
+    # on which core to send the CPUID instruction
+    core="$1"
+    # leaf is the value of the eax register when calling the cpuid instruction:
+    leaf="$2"
+    # subleaf is the value of the ecx register when calling the cpuid instruction:
+    subleaf="$3"
+    # eax=1 ebx=2 ecx=3 edx=4:
+    register="$4"
+    # number of bits to shift the register right to, 0-31:
+    shift="$5"
+    # mask to apply as an AND operand to the shifted register value
+    mask="$6"
+    # wanted value (optional), if present we return 0(true) if the obtained value is equal, 1 otherwise:
+    wanted="${7:-}"
+    # in any case, the read value is globally available in $ret_read_cpuid_value
+    ret_read_cpuid_value=''
+    ret_read_cpuid_msg='unknown error'
+
+    if [ $# -lt 6 ]; then
+        ret_read_cpuid_msg="read_cpuid: missing arguments, got only $#, expected at least 6: $*"
+        return $READ_CPUID_RET_ERR
+    fi
+    if [ "$register" -gt 4 ]; then
+        ret_read_cpuid_msg="read_cpuid: register must be 0-4, got $register"
+        return $READ_CPUID_RET_ERR
+    fi
+    if [ "$shift" -gt 32 ]; then
+        ret_read_cpuid_msg="read_cpuid: shift must be 0-31, got $shift"
+        return $READ_CPUID_RET_ERR
+    fi
+
+    if [ ! -e $CPU_DEV_BASE/0/cpuid ] && [ ! -e ${BSD_CPUCTL_DEV_BASE}0 ]; then
+        # try to load the module ourselves (and remember it so we can rmmod it afterwards)
+        load_cpuid
+    fi
+
+    if [ -e $CPU_DEV_BASE/0/cpuid ]; then
+        # Linux
+        if [ ! -r $CPU_DEV_BASE/0/cpuid ]; then
+            ret_read_cpuid_msg="Couldn't load cpuid module"
+            return $READ_CPUID_RET_ERR
+        fi
+        # on some kernel versions, $CPU_DEV_BASE/0/cpuid doesn't imply that the cpuid module is loaded, in that case dd returns an error,
+        # we use that fact to load the module if dd returns an error
+        if ! dd if=$CPU_DEV_BASE/0/cpuid bs=16 count=1 >/dev/null 2>&1; then
+            load_cpuid
+        fi
+        # we need leaf to be converted to decimal for dd
+        leaf=$((leaf))
+        subleaf=$((subleaf))
+        position=$((leaf + (subleaf << 32)))
+        # to avoid using iflag=skip_bytes, which doesn't exist on old versions of dd, seek to the closer multiple-of-16
+        ddskip=$((position / 16))
+        odskip=$((position - ddskip * 16))
+        # now read the value
+        cpuid=$(dd if="$CPU_DEV_BASE/$core/cpuid" bs=16 skip=$ddskip count=$((odskip + 1)) 2>/dev/null | od -j $((odskip * 16)) -A n -t u4)
+    elif [ -e ${BSD_CPUCTL_DEV_BASE}0 ]; then
+        # BSD
+        if [ ! -r ${BSD_CPUCTL_DEV_BASE}0 ]; then
+            ret_read_cpuid_msg="Couldn't read cpuid info from cpuctl"
+            return $READ_CPUID_RET_ERR
+        fi
+        cpuid=$(cpucontrol -i "$leaf","$subleaf" "${BSD_CPUCTL_DEV_BASE}$core" 2>/dev/null | cut -d: -f2-)
+        # cpuid level 0x4, level_type 0x2: 0x1c004143 0x01c0003f 0x000001ff 0x00000000
+    else
+        ret_read_cpuid_msg="Found no way to read cpuid info"
+        return $READ_CPUID_RET_ERR
+    fi
+
+    pr_debug "cpuid: leaf$leaf subleaf$subleaf on cpu$core, eax-ebx-ecx-edx: $cpuid"
+    mockvarname="SMC_MOCK_CPUID_${leaf}_${subleaf}"
+    # shellcheck disable=SC1083
+    if [ -n "$(eval echo \${"$mockvarname":-})" ]; then
+        cpuid="$(eval echo \$"$mockvarname")"
+        pr_debug "read_cpuid: MOCKING enabled for leaf $leaf subleaf $subleaf, will return $cpuid"
+        g_mocked=1
+    else
+        g_mockme=$(printf "%b\n%b" "$g_mockme" "SMC_MOCK_CPUID_${leaf}_${subleaf}='$cpuid'")
+    fi
+    if [ -z "$cpuid" ]; then
+        ret_read_cpuid_msg="Failed to get cpuid data"
+        return $READ_CPUID_RET_ERR
+    fi
+
+    # get the value of the register we want
+    reg=$(echo "$cpuid" | awk '{print $'"$register"'}')
+    # Linux returns it as decimal, BSD as hex, normalize to decimal
+    reg=$((reg))
+    # shellcheck disable=SC2046
+    pr_debug "cpuid: wanted register ($register) has value $reg aka "$(printf "%08x" "$reg")
+    reg_shifted=$((reg >> shift))
+    # shellcheck disable=SC2046
+    pr_debug "cpuid: shifted value by $shift is $reg_shifted aka "$(printf "%x" "$reg_shifted")
+    ret_read_cpuid_value=$((reg_shifted & mask))
+    # shellcheck disable=SC2046
+    pr_debug "cpuid: after AND $mask, final value is $ret_read_cpuid_value aka "$(printf "%x" "$ret_read_cpuid_value")
+    if [ -n "$wanted" ]; then
+        pr_debug "cpuid: wanted $wanted and got $ret_read_cpuid_value"
+        if [ "$ret_read_cpuid_value" = "$wanted" ]; then
+            return $READ_CPUID_RET_OK
+        else
+            return $READ_CPUID_RET_KO
+        fi
+    fi
+
+    return $READ_CPUID_RET_OK
+}
--- a/src/libs/330_cpu_misc.sh
+++ b/src/libs/330_cpu_misc.sh
@@ -0,0 +1,24 @@
+# vim: set ts=4 sw=4 sts=4 et:
+# Search dmesg for a pattern, returning nothing if the buffer has been truncated
+# Args: $1=grep_pattern
+# Sets: ret_dmesg_grep_grepped
+# Returns: 0=found, 1=not found, 2=dmesg truncated
+dmesg_grep() {
+    ret_dmesg_grep_grepped=''
+    if ! dmesg 2>/dev/null | grep -qE -e '(^|\] )Linux version [0-9]' -e '^FreeBSD is a registered'; then
+        # dmesg truncated
+        return 2
+    fi
+    ret_dmesg_grep_grepped=$(dmesg 2>/dev/null | grep -E "$1" | head -n1)
+    # not found:
+    [ -z "$ret_dmesg_grep_grepped" ] && return 1
+    # found, output is in $ret_dmesg_grep_grepped
+    return 0
+}
+
+# Check whether the system is running CoreOS/Flatcar
+# Returns: 0 if CoreOS, 1 otherwise
+is_coreos() {
+    command -v coreos-install >/dev/null 2>&1 && command -v toolbox >/dev/null 2>&1 && return 0
+    return 1
+}
--- a/src/libs/340_cpu_msr.sh
+++ b/src/libs/340_cpu_msr.sh
@@ -0,0 +1,291 @@
+# vim: set ts=4 sw=4 sts=4 et:
+readonly WRITE_MSR_RET_OK=0
+readonly WRITE_MSR_RET_KO=1
+readonly WRITE_MSR_RET_ERR=2
+readonly WRITE_MSR_RET_LOCKDOWN=3
+# Write a value to an MSR register across one or all cores
+# Args: $1=msr_address $2=value(optional) $3=cpu_index(optional, default 0)
+# Sets: ret_write_msr_msg
+# Returns: WRITE_MSR_RET_OK | WRITE_MSR_RET_KO | WRITE_MSR_RET_ERR | WRITE_MSR_RET_LOCKDOWN
+write_msr() {
+    local ret core first_core_ret
+    if [ "$opt_cpu" != all ]; then
+        # we only have one core to write to, do it and return the result
+        write_msr_one_core "$opt_cpu" "$@"
+        return $?
+    fi
+
+    # otherwise we must write on all cores
+    for core in $(seq 0 "$g_max_core_id"); do
+        write_msr_one_core "$core" "$@"
+        ret=$?
+        if [ "$core" = 0 ]; then
+            # save the result of the first core, for comparison with the others
+            first_core_ret=$ret
+        else
+            # compare first core with the other ones
+            if [ "$first_core_ret" != "$ret" ]; then
+                ret_write_msr_msg="result is not homogeneous between all cores, at least core 0 and $core differ!"
+                return $WRITE_MSR_RET_ERR
+            fi
+        fi
+    done
+    # if we're here, all cores agree, return the result
+    return $ret
+}
+
+# Write a value to an MSR register on a single CPU core
+# Args: $1=core $2=msr_address $3=value
+# Sets: ret_write_msr_msg
+# Returns: WRITE_MSR_RET_OK | WRITE_MSR_RET_KO | WRITE_MSR_RET_ERR | WRITE_MSR_RET_LOCKDOWN
+write_msr_one_core() {
+    local ret core msr msr_dec value value_dec mockvarname write_denied
+    core="$1"
+    msr_dec=$(($2))
+    msr=$(printf "0x%x" "$msr_dec")
+    value_dec=$(($3))
+    value=$(printf "0x%x" "$value_dec")
+
+    ret_write_msr_msg='unknown error'
+    : "${g_msr_locked_down:=0}"
+
+    mockvarname="SMC_MOCK_WRMSR_${msr}_RET"
+    # shellcheck disable=SC2086,SC1083
+    if [ -n "$(eval echo \${$mockvarname:-})" ]; then
+        pr_debug "write_msr: MOCKING enabled for msr $msr func returns $(eval echo \$$mockvarname)"
+        g_mocked=1
+        [ "$(eval echo \$$mockvarname)" = $WRITE_MSR_RET_LOCKDOWN ] && g_msr_locked_down=1
+        return "$(eval echo \$$mockvarname)"
+    fi
+
+    if [ ! -e $CPU_DEV_BASE/0/msr ] && [ ! -e ${BSD_CPUCTL_DEV_BASE}0 ]; then
+        # try to load the module ourselves (and remember it so we can rmmod it afterwards)
+        load_msr
+    fi
+    if [ ! -e $CPU_DEV_BASE/0/msr ] && [ ! -e ${BSD_CPUCTL_DEV_BASE}0 ]; then
+        ret_read_msr_msg="is msr kernel module available?"
+        return $WRITE_MSR_RET_ERR
+    fi
+
+    write_denied=0
+    if [ "$g_os" != Linux ]; then
+        cpucontrol -m "$msr=$value" "${BSD_CPUCTL_DEV_BASE}$core" >/dev/null 2>&1
+        ret=$?
+    else
+        # for Linux
+        # convert to decimal
+        if [ ! -w $CPU_DEV_BASE/"$core"/msr ]; then
+            ret_write_msr_msg="No write permission on $CPU_DEV_BASE/$core/msr"
+            return $WRITE_MSR_RET_ERR
+        # if wrmsr is available, use it
+        elif command -v wrmsr >/dev/null 2>&1 && [ "${SMC_NO_WRMSR:-}" != 1 ]; then
+            pr_debug "write_msr: using wrmsr"
+            wrmsr $msr_dec $value_dec 2>/dev/null
+            ret=$?
+            # ret=4: msr doesn't exist, ret=127: msr.allow_writes=off
+            [ "$ret" = 127 ] && write_denied=1
+        # or fallback to dd if it supports seek_bytes, we prefer it over perl because we can tell the difference between EPERM and EIO
+        elif dd if=/dev/null of=/dev/null bs=8 count=1 seek="$msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}" != 1 ]; then
+            pr_debug "write_msr: using dd"
+            awk "BEGIN{printf \"%c\", $value_dec}" | dd of=$CPU_DEV_BASE/"$core"/msr bs=8 count=1 seek="$msr_dec" oflag=seek_bytes 2>/dev/null
+            ret=$?
+            # if it failed, inspect stderrto look for EPERM
+            if [ "$ret" != 0 ]; then
+                if awk "BEGIN{printf \"%c\", $value_dec}" | dd of=$CPU_DEV_BASE/"$core"/msr bs=8 count=1 seek="$msr_dec" oflag=seek_bytes 2>&1 | grep -qF 'Operation not permitted'; then
+                    write_denied=1
+                fi
+            fi
+        # or if we have perl, use it, any 5.x version will work
+        elif command -v perl >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then
+            pr_debug "write_msr: using perl"
+            ret=1
+            perl -e "open(M,'>','$CPU_DEV_BASE/$core/msr') and seek(M,$msr_dec,0) and exit(syswrite(M,pack(v4,$value_dec)))"
+            [ $? -eq 8 ] && ret=0
+        else
+            pr_debug "write_msr: got no wrmsr, perl or recent enough dd!"
+            g_mockme=$(printf "%b\n%b" "$g_mockme" "SMC_MOCK_WRMSR_${msr}_RET=$WRITE_MSR_RET_ERR")
+            ret_write_msr_msg="missing tool, install either msr-tools or perl"
+            return $WRITE_MSR_RET_ERR
+        fi
+        if [ "$ret" != 0 ]; then
+            # * Fedora (and probably Red Hat) have a "kernel lock down" feature that prevents us to write to MSRs
+            # when this mode is enabled and EFI secure boot is enabled (see issue #303)
+            # https://src.fedoraproject.org/rpms/kernel/blob/master/f/efi-lockdown.patch
+            # when this happens, any write will fail and dmesg will have a msg printed "msr: Direct access to MSR"
+            # * A version of this patch also made it to vanilla in 5.4+, in that case the message is: 'raw MSR access is restricted'
+            # * we don't use dmesg_grep() because we don't care if dmesg is truncated here, as the message has just been printed
+            # yet more recent versions of the msr module can be set to msr.allow_writes=off, in which case no dmesg message is printed,
+            # but the write fails
+            if [ "$write_denied" = 1 ]; then
+                pr_debug "write_msr: writing to msr has been denied"
+                g_mockme=$(printf "%b\n%b" "$g_mockme" "SMC_MOCK_WRMSR_${msr}_RET=$WRITE_MSR_RET_LOCKDOWN")
+                g_msr_locked_down=1
+                ret_write_msr_msg="your kernel is configured to deny writes to MSRs from user space"
+                return $WRITE_MSR_RET_LOCKDOWN
+            elif dmesg 2>/dev/null | grep -qF "msr: Direct access to MSR"; then
+                pr_debug "write_msr: locked down kernel detected (Red Hat / Fedora)"
+                g_mockme=$(printf "%b\n%b" "$g_mockme" "SMC_MOCK_WRMSR_${msr}_RET=$WRITE_MSR_RET_LOCKDOWN")
+                g_msr_locked_down=1
+                ret_write_msr_msg="your kernel is locked down (Fedora/Red Hat), please reboot without secure boot and retry"
+                return $WRITE_MSR_RET_LOCKDOWN
+            elif dmesg 2>/dev/null | grep -qF "raw MSR access is restricted"; then
+                pr_debug "write_msr: locked down kernel detected (vanilla)"
+                g_mockme=$(printf "%b\n%b" "$g_mockme" "SMC_MOCK_WRMSR_${msr}_RET=$WRITE_MSR_RET_LOCKDOWN")
+                g_msr_locked_down=1
+                ret_write_msr_msg="your kernel is locked down, please reboot with lockdown=none in the kernel cmdline and retry"
+                return $WRITE_MSR_RET_LOCKDOWN
+            fi
+            unset write_denied
+        fi
+    fi
+
+    # normalize ret
+    if [ "$ret" = 0 ]; then
+        ret=$WRITE_MSR_RET_OK
+    else
+        ret=$WRITE_MSR_RET_KO
+    fi
+    pr_debug "write_msr: for cpu $core on msr $msr, value=$value, ret=$ret"
+    g_mockme=$(printf "%b\n%b" "$g_mockme" "SMC_MOCK_WRMSR_${msr}_RET=$ret")
+    return $ret
+}
+
+readonly MSR_IA32_PLATFORM_ID=0x17
+readonly MSR_IA32_SPEC_CTRL=0x48
+readonly MSR_IA32_ARCH_CAPABILITIES=0x10a
+readonly MSR_IA32_TSX_CTRL=0x122
+readonly MSR_IA32_MCU_OPT_CTRL=0x123
+readonly READ_MSR_RET_OK=0
+readonly READ_MSR_RET_KO=1
+readonly READ_MSR_RET_ERR=2
+# Read an MSR register value across one or all cores
+# Args: $1=msr_address $2=cpu_index(optional, default 0)
+# Sets: ret_read_msr_value, ret_read_msr_value_hi, ret_read_msr_value_lo, ret_read_msr_msg
+# Returns: READ_MSR_RET_OK | READ_MSR_RET_KO | READ_MSR_RET_ERR
+read_msr() {
+    local ret core first_core_ret first_core_value
+    if [ "$opt_cpu" != all ]; then
+        # we only have one core to read, do it and return the result
+        read_msr_one_core "$opt_cpu" "$@"
+        return $?
+    fi
+
+    # otherwise we must read all cores
+    for core in $(seq 0 "$g_max_core_id"); do
+        read_msr_one_core "$core" "$@"
+        ret=$?
+        if [ "$core" = 0 ]; then
+            # save the result of the first core, for comparison with the others
+            first_core_ret=$ret
+            first_core_value=$ret_read_msr_value
+        else
+            # compare first core with the other ones
+            if [ "$first_core_ret" != "$ret" ] || [ "$first_core_value" != "$ret_read_msr_value" ]; then
+                ret_read_msr_msg="result is not homogeneous between all cores, at least core 0 and $core differ!"
+                return $READ_MSR_RET_ERR
+            fi
+        fi
+    done
+    # if we're here, all cores agree, return the result
+    return "$ret"
+}
+
+# Read an MSR register value from a single CPU core
+# Args: $1=core $2=msr_address
+# Sets: ret_read_msr_value, ret_read_msr_value_hi, ret_read_msr_value_lo, ret_read_msr_msg
+# Returns: READ_MSR_RET_OK | READ_MSR_RET_KO | READ_MSR_RET_ERR
+read_msr_one_core() {
+    local ret core msr msr_dec mockvarname msr_h msr_l mockval
+    core="$1"
+    msr_dec=$(($2))
+    msr=$(printf "0x%x" "$msr_dec")
+
+    ret_read_msr_value=''
+    ret_read_msr_value_hi=''
+    ret_read_msr_value_lo=''
+    ret_read_msr_msg='unknown error'
+
+    mockvarname="SMC_MOCK_RDMSR_${msr}"
+    # shellcheck disable=SC2086,SC1083
+    if [ -n "$(eval echo \${$mockvarname:-})" ]; then
+        mockval="$(eval echo \$$mockvarname)"
+        # accept both legacy decimal (small values) and new 16-char hex format
+        if [ "${#mockval}" -eq 16 ]; then
+            ret_read_msr_value="$mockval"
+        else
+            ret_read_msr_value=$(printf '%016x' "$mockval")
+        fi
+        ret_read_msr_value_hi=$((0x${ret_read_msr_value%????????}))
+        ret_read_msr_value_lo=$((0x${ret_read_msr_value#????????}))
+        pr_debug "read_msr: MOCKING enabled for msr $msr, returning $ret_read_msr_value"
+        g_mocked=1
+        return $READ_MSR_RET_OK
+    fi
+
+    mockvarname="SMC_MOCK_RDMSR_${msr}_RET"
+    # shellcheck disable=SC2086,SC1083
+    if [ -n "$(eval echo \${$mockvarname:-})" ] && [ "$(eval echo \$$mockvarname)" -ne 0 ]; then
+        pr_debug "read_msr: MOCKING enabled for msr $msr func returns $(eval echo \$$mockvarname)"
+        g_mocked=1
+        return "$(eval echo \$$mockvarname)"
+    fi
+
+    if [ ! -e $CPU_DEV_BASE/0/msr ] && [ ! -e ${BSD_CPUCTL_DEV_BASE}0 ]; then
+        # try to load the module ourselves (and remember it so we can rmmod it afterwards)
+        load_msr
+    fi
+    if [ ! -e $CPU_DEV_BASE/0/msr ] && [ ! -e ${BSD_CPUCTL_DEV_BASE}0 ]; then
+        ret_read_msr_msg="is msr kernel module available?"
+        return $READ_MSR_RET_ERR
+    fi
+
+    if [ "$g_os" != Linux ]; then
+        # for BSD
+        msr=$(cpucontrol -m "$msr" "${BSD_CPUCTL_DEV_BASE}$core" 2>/dev/null)
+        ret=$?
+        if [ $ret -ne 0 ]; then
+            g_mockme=$(printf "%b\n%b" "$g_mockme" "SMC_MOCK_RDMSR_${msr}_RET=$READ_MSR_RET_KO")
+            return $READ_MSR_RET_KO
+        fi
+        # MSR 0x10: 0x000003e1 0xb106dded
+        msr_h=$(echo "$msr" | awk '{print $3}')
+        msr_l=$(echo "$msr" | awk '{print $4}')
+        ret_read_msr_value=$(printf '%08x%08x' "$((msr_h))" "$((msr_l))")
+    else
+        # for Linux
+        if [ ! -r $CPU_DEV_BASE/"$core"/msr ]; then
+            g_mockme=$(printf "%b\n%b" "$g_mockme" "SMC_MOCK_RDMSR_${msr}_RET=$READ_MSR_RET_ERR")
+            ret_read_msr_msg="No read permission for $CPU_DEV_BASE/$core/msr"
+            return $READ_MSR_RET_ERR
+        # if rdmsr is available, use it
+        elif command -v rdmsr >/dev/null 2>&1 && [ "${SMC_NO_RDMSR:-}" != 1 ]; then
+            pr_debug "read_msr: using rdmsr on $msr"
+            ret_read_msr_value=$(rdmsr -r $msr_dec 2>/dev/null | od -A n -t x8)
+        # or if we have perl, use it, any 5.x version will work
+        elif command -v perl >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then
+            pr_debug "read_msr: using perl on $msr"
+            ret_read_msr_value=$(perl -e "open(M,'<','$CPU_DEV_BASE/$core/msr') and seek(M,$msr_dec,0) and read(M,\$_,8) and print" | od -A n -t x8)
+        # fallback to dd if it supports skip_bytes
+        elif dd if=/dev/null of=/dev/null bs=8 count=1 skip="$msr_dec" iflag=skip_bytes 2>/dev/null; then
+            pr_debug "read_msr: using dd on $msr"
+            ret_read_msr_value=$(dd if=$CPU_DEV_BASE/"$core"/msr bs=8 count=1 skip="$msr_dec" iflag=skip_bytes 2>/dev/null | od -A n -t x8)
+        else
+            pr_debug "read_msr: got no rdmsr, perl or recent enough dd!"
+            g_mockme=$(printf "%b\n%b" "$g_mockme" "SMC_MOCK_RDMSR_${msr}_RET=$READ_MSR_RET_ERR")
+            ret_read_msr_msg='missing tool, install either msr-tools or perl'
+            return $READ_MSR_RET_ERR
+        fi
+        if [ -z "$ret_read_msr_value" ]; then
+            # MSR doesn't exist, don't check for $? because some versions of dd still return 0!
+            g_mockme=$(printf "%b\n%b" "$g_mockme" "SMC_MOCK_RDMSR_${msr}_RET=$READ_MSR_RET_KO")
+            return $READ_MSR_RET_KO
+        fi
+        # remove sparse spaces od might give us
+        ret_read_msr_value=$(printf '%s' "$ret_read_msr_value" | tr -d ' \t\n' | tr '[:upper:]' '[:lower:]')
+    fi
+    ret_read_msr_value_hi=$((0x${ret_read_msr_value%????????}))
+    ret_read_msr_value_lo=$((0x${ret_read_msr_value#????????}))
+    g_mockme=$(printf "%b\n%b" "$g_mockme" "SMC_MOCK_RDMSR_${msr}='$ret_read_msr_value'")
+    pr_debug "read_msr: MSR=$msr value is $ret_read_msr_value"
+    return $READ_MSR_RET_OK
+}
--- a/src/libs/350_cpu_detect2.sh
+++ b/src/libs/350_cpu_detect2.sh
@@ -0,0 +1,239 @@
+# vim: set ts=4 sw=4 sts=4 et:
+# Detect and cache CPU vendor, family, model, stepping, microcode, and arch capabilities
+# Sets: cpu_vendor, cpu_family, cpu_model, cpu_stepping, cpu_cpuid, cpu_ucode, cpu_friendly_name, g_max_core_id, and many cap_* globals
+parse_cpu_details() {
+    [ "${g_parse_cpu_details_done:-}" = 1 ] && return 0
+
+    local number_of_cores arch part ret
+    if command -v nproc >/dev/null; then
+        number_of_cores=$(nproc)
+    elif echo "$g_os" | grep -q BSD; then
+        number_of_cores=$(sysctl -n hw.ncpu 2>/dev/null || echo 1)
+    elif [ -e "$g_procfs/cpuinfo" ]; then
+        number_of_cores=$(grep -c ^processor "$g_procfs/cpuinfo" 2>/dev/null || echo 1)
+    else
+        # if we don't know, default to 1 CPU
+        number_of_cores=1
+    fi
+    g_max_core_id=$((number_of_cores - 1))
+
+    cap_avx2=0
+    cap_avx512=0
+    if [ -e "$g_procfs/cpuinfo" ]; then
+        if grep -qw avx2 "$g_procfs/cpuinfo" 2>/dev/null; then cap_avx2=1; fi
+        if grep -qw avx512 "$g_procfs/cpuinfo" 2>/dev/null; then cap_avx512=1; fi
+        cpu_vendor=$(grep '^vendor_id' "$g_procfs/cpuinfo" | awk '{print $3}' | head -n1)
+        cpu_friendly_name=$(grep '^model name' "$g_procfs/cpuinfo" | cut -d: -f2- | head -n1 | sed -e 's/^ *//')
+        # special case for ARM follows
+        if grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x41' "$g_procfs/cpuinfo"; then
+            cpu_vendor='ARM'
+            # some devices (phones or other) have several ARMs and as such different part numbers,
+            # an example is "bigLITTLE", so we need to store the whole list, this is needed for is_cpu_affected
+            cpu_part_list=$(awk '/CPU part/         {print $4}' "$g_procfs/cpuinfo")
+            cpu_arch_list=$(awk '/CPU architecture/ {print $3}' "$g_procfs/cpuinfo")
+            # take the first one to fill the friendly name, do NOT quote the vars below
+            # shellcheck disable=SC2086
+            arch=$(echo $cpu_arch_list | awk '{ print $1 }')
+            # shellcheck disable=SC2086
+            part=$(echo $cpu_part_list | awk '{ print $1 }')
+            [ "$arch" = "AArch64" ] && arch=8
+            cpu_friendly_name="ARM"
+            [ -n "$arch" ] && cpu_friendly_name="$cpu_friendly_name v$arch"
+            [ -n "$part" ] && cpu_friendly_name="$cpu_friendly_name model $part"
+
+        elif grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x43' "$g_procfs/cpuinfo"; then
+            cpu_vendor='CAVIUM'
+        elif grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x70' "$g_procfs/cpuinfo"; then
+            cpu_vendor='PHYTIUM'
+        fi
+
+        cpu_family=$(grep '^cpu family' "$g_procfs/cpuinfo" | awk '{print $4}' | grep -E '^[0-9]+$' | head -n1)
+        cpu_model=$(grep '^model' "$g_procfs/cpuinfo" | awk '{print $3}' | grep -E '^[0-9]+$' | head -n1)
+        cpu_stepping=$(grep '^stepping' "$g_procfs/cpuinfo" | awk '{print $3}' | grep -E '^[0-9]+$' | head -n1)
+        cpu_ucode=$(grep '^microcode' "$g_procfs/cpuinfo" | awk '{print $3}' | head -n1)
+    else
+        cpu_vendor=$(dmesg 2>/dev/null | grep -i -m1 'Origin=' | awk '{print $2}' | cut -f2 -d= | cut -f2 -d\")
+        cpu_family=$(dmesg 2>/dev/null | grep -i -m1 'Family=' | awk '{print $4}' | cut -f2 -d=)
+        cpu_family=$((cpu_family))
+        cpu_model=$(dmesg 2>/dev/null | grep -i -m1 'Model=' | awk '{print $5}' | cut -f2 -d=)
+        cpu_model=$((cpu_model))
+        cpu_stepping=$(dmesg 2>/dev/null | grep -i -m1 'Stepping=' | awk '{print $6}' | cut -f2 -d=)
+        cpu_friendly_name=$(sysctl -n hw.model 2>/dev/null)
+    fi
+
+    # Intel processors have a 3bit Platform ID field in MSR(17H) that specifies the platform type for up to 8 types
+    # see https://elixir.bootlin.com/linux/v6.0/source/arch/x86/kernel/cpu/microcode/intel.c#L694
+    # Set it to 8 (impossible value as it is 3 bit long) by default
+    cpu_platformid=8
+    if [ "$cpu_vendor" = GenuineIntel ] && [ "$cpu_model" -ge 5 ]; then
+        read_msr $MSR_IA32_PLATFORM_ID
+        ret=$?
+        if [ $ret = $READ_MSR_RET_OK ]; then
+            # platform ID (bits 52:50) = bits 18:20 of the upper 32-bit word
+            cpu_platformid=$((1 << ((ret_read_msr_value_hi >> 18) & 7)))
+        fi
+    fi
+
+    if [ -n "${SMC_MOCK_CPU_FRIENDLY_NAME:-}" ]; then
+        cpu_friendly_name="$SMC_MOCK_CPU_FRIENDLY_NAME"
+        pr_debug "parse_cpu_details: MOCKING cpu friendly name to $cpu_friendly_name"
+        g_mocked=1
+    else
+        g_mockme=$(printf "%b\n%b" "$g_mockme" "SMC_MOCK_CPU_FRIENDLY_NAME='$cpu_friendly_name'")
+    fi
+    if [ -n "${SMC_MOCK_CPU_VENDOR:-}" ]; then
+        cpu_vendor="$SMC_MOCK_CPU_VENDOR"
+        pr_debug "parse_cpu_details: MOCKING cpu vendor to $cpu_vendor"
+        g_mocked=1
+    else
+        g_mockme=$(printf "%b\n%b" "$g_mockme" "SMC_MOCK_CPU_VENDOR='$cpu_vendor'")
+    fi
+    if [ -n "${SMC_MOCK_CPU_FAMILY:-}" ]; then
+        cpu_family="$SMC_MOCK_CPU_FAMILY"
+        pr_debug "parse_cpu_details: MOCKING cpu family to $cpu_family"
+        g_mocked=1
+    else
+        g_mockme=$(printf "%b\n%b" "$g_mockme" "SMC_MOCK_CPU_FAMILY='$cpu_family'")
+    fi
+    if [ -n "${SMC_MOCK_CPU_MODEL:-}" ]; then
+        cpu_model="$SMC_MOCK_CPU_MODEL"
+        pr_debug "parse_cpu_details: MOCKING cpu model to $cpu_model"
+        g_mocked=1
+    else
+        g_mockme=$(printf "%b\n%b" "$g_mockme" "SMC_MOCK_CPU_MODEL='$cpu_model'")
+    fi
+    if [ -n "${SMC_MOCK_CPU_STEPPING:-}" ]; then
+        cpu_stepping="$SMC_MOCK_CPU_STEPPING"
+        pr_debug "parse_cpu_details: MOCKING cpu stepping to $cpu_stepping"
+        g_mocked=1
+    else
+        g_mockme=$(printf "%b\n%b" "$g_mockme" "SMC_MOCK_CPU_STEPPING='$cpu_stepping'")
+    fi
+    if [ -n "${SMC_MOCK_CPU_PLATFORMID:-}" ]; then
+        cpu_platformid="$SMC_MOCK_CPU_PLATFORMID"
+        pr_debug "parse_cpu_details: MOCKING cpu platformid name to $cpu_platformid"
+        g_mocked=1
+    else
+        g_mockme=$(printf "%b\n%b" "$g_mockme" "SMC_MOCK_CPU_PLATFORMID='$cpu_platformid'")
+    fi
+
+    # get raw cpuid, it's always useful (referenced in the Intel doc for firmware updates for example)
+    if [ "$g_mocked" != 1 ] && read_cpuid 0x1 0x0 $EAX 0 0xFFFFFFFF; then
+        cpu_cpuid="$ret_read_cpuid_value"
+    else
+        # try to build it by ourselves
+        pr_debug "parse_cpu_details: build the CPUID by ourselves"
+        cpu_cpuid=$(fms2cpuid "$cpu_family" "$cpu_model" "$cpu_stepping")
+    fi
+
+    # under BSD, linprocfs often doesn't export ucode information, so fetch it ourselves the good old way
+    if [ -z "$cpu_ucode" ] && [ "$g_os" != Linux ]; then
+        load_cpuid
+        if [ -e ${BSD_CPUCTL_DEV_BASE}0 ]; then
+            # init MSR with NULLs
+            cpucontrol -m 0x8b=0 ${BSD_CPUCTL_DEV_BASE}0
+            # call CPUID
+            cpucontrol -i 1 ${BSD_CPUCTL_DEV_BASE}0 >/dev/null
+            # read MSR
+            cpu_ucode=$(cpucontrol -m 0x8b ${BSD_CPUCTL_DEV_BASE}0 | awk '{print $3}')
+            # convert to decimal
+            cpu_ucode=$((cpu_ucode))
+            # convert back to hex
+            cpu_ucode=$(printf "0x%x" "$cpu_ucode")
+        fi
+    fi
+
+    # if we got no cpu_ucode (e.g. we're in a vm), fall back to 0x0
+    : "${cpu_ucode:=0x0}"
+
+    # on non-x86 systems (e.g. ARM), these fields may not exist in cpuinfo, fall back to 0
+    : "${cpu_family:=0}"
+    : "${cpu_model:=0}"
+    : "${cpu_stepping:=0}"
+
+    if [ -n "${SMC_MOCK_CPU_UCODE:-}" ]; then
+        cpu_ucode="$SMC_MOCK_CPU_UCODE"
+        pr_debug "parse_cpu_details: MOCKING cpu ucode to $cpu_ucode"
+        g_mocked=1
+    else
+        g_mockme=$(printf "%b\n%b" "$g_mockme" "SMC_MOCK_CPU_UCODE='$cpu_ucode'")
+    fi
+
+    echo "$cpu_ucode" | grep -q ^0x && cpu_ucode=$((cpu_ucode))
+    g_ucode_found=$(printf "family 0x%x model 0x%x stepping 0x%x ucode 0x%x cpuid 0x%x pfid 0x%x" \
+        "$cpu_family" "$cpu_model" "$cpu_stepping" "$cpu_ucode" "$cpu_cpuid" "$cpu_platformid")
+
+    # also define those that we will need in other funcs
+    # taken from https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/include/asm/intel-family.h
+    # curl -s 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/arch/x86/include/asm/intel-family.h' | awk '/#define INTEL_FAM6/ {print $2"=$(( "$3" )) # "$4,$5,$6,$7,$8,$9}' | sed -Ee 's/ +$//'
+    # shellcheck disable=SC2034
+    {
+        readonly INTEL_FAM6_CORE_YONAH=$((0x0E))           #
+        readonly INTEL_FAM6_CORE2_MEROM=$((0x0F))          #
+        readonly INTEL_FAM6_CORE2_MEROM_L=$((0x16))        #
+        readonly INTEL_FAM6_CORE2_PENRYN=$((0x17))         #
+        readonly INTEL_FAM6_CORE2_DUNNINGTON=$((0x1D))     #
+        readonly INTEL_FAM6_NEHALEM=$((0x1E))              #
+        readonly INTEL_FAM6_NEHALEM_G=$((0x1F))            # /* Auburndale / Havendale */
+        readonly INTEL_FAM6_NEHALEM_EP=$((0x1A))           #
+        readonly INTEL_FAM6_NEHALEM_EX=$((0x2E))           #
+        readonly INTEL_FAM6_WESTMERE=$((0x25))             #
+        readonly INTEL_FAM6_WESTMERE_EP=$((0x2C))          #
+        readonly INTEL_FAM6_WESTMERE_EX=$((0x2F))          #
+        readonly INTEL_FAM6_SANDYBRIDGE=$((0x2A))          #
+        readonly INTEL_FAM6_SANDYBRIDGE_X=$((0x2D))        #
+        readonly INTEL_FAM6_IVYBRIDGE=$((0x3A))            #
+        readonly INTEL_FAM6_IVYBRIDGE_X=$((0x3E))          #
+        readonly INTEL_FAM6_HASWELL=$((0x3C))              #
+        readonly INTEL_FAM6_HASWELL_X=$((0x3F))            #
+        readonly INTEL_FAM6_HASWELL_L=$((0x45))            #
+        readonly INTEL_FAM6_HASWELL_G=$((0x46))            #
+        readonly INTEL_FAM6_BROADWELL=$((0x3D))            #
+        readonly INTEL_FAM6_BROADWELL_G=$((0x47))          #
+        readonly INTEL_FAM6_BROADWELL_X=$((0x4F))          #
+        readonly INTEL_FAM6_BROADWELL_D=$((0x56))          #
+        readonly INTEL_FAM6_SKYLAKE_L=$((0x4E))            # /* Sky Lake */
+        readonly INTEL_FAM6_SKYLAKE=$((0x5E))              # /* Sky Lake */
+        readonly INTEL_FAM6_SKYLAKE_X=$((0x55))            # /* Sky Lake */
+        readonly INTEL_FAM6_KABYLAKE_L=$((0x8E))           # /* Sky Lake */
+        readonly INTEL_FAM6_KABYLAKE=$((0x9E))             # /* Sky Lake */
+        readonly INTEL_FAM6_COMETLAKE=$((0xA5))            # /* Sky Lake */
+        readonly INTEL_FAM6_COMETLAKE_L=$((0xA6))          # /* Sky Lake */
+        readonly INTEL_FAM6_CANNONLAKE_L=$((0x66))         # /* Palm Cove */
+        readonly INTEL_FAM6_ICELAKE_X=$((0x6A))            # /* Sunny Cove */
+        readonly INTEL_FAM6_ICELAKE_D=$((0x6C))            # /* Sunny Cove */
+        readonly INTEL_FAM6_ICELAKE=$((0x7D))              # /* Sunny Cove */
+        readonly INTEL_FAM6_ICELAKE_L=$((0x7E))            # /* Sunny Cove */
+        readonly INTEL_FAM6_ICELAKE_NNPI=$((0x9D))         # /* Sunny Cove */
+        readonly INTEL_FAM6_LAKEFIELD=$((0x8A))            # /* Sunny Cove / Tremont */
+        readonly INTEL_FAM6_ROCKETLAKE=$((0xA7))           # /* Cypress Cove */
+        readonly INTEL_FAM6_TIGERLAKE_L=$((0x8C))          # /* Willow Cove */
+        readonly INTEL_FAM6_TIGERLAKE=$((0x8D))            # /* Willow Cove */
+        readonly INTEL_FAM6_SAPPHIRERAPIDS_X=$((0x8F))     # /* Golden Cove */
+        readonly INTEL_FAM6_ALDERLAKE=$((0x97))            # /* Golden Cove / Gracemont */
+        readonly INTEL_FAM6_ALDERLAKE_L=$((0x9A))          # /* Golden Cove / Gracemont */
+        readonly INTEL_FAM6_RAPTORLAKE=$((0xB7))           #
+        readonly INTEL_FAM6_ATOM_BONNELL=$((0x1C))         # /* Diamondville, Pineview */
+        readonly INTEL_FAM6_ATOM_BONNELL_MID=$((0x26))     # /* Silverthorne, Lincroft */
+        readonly INTEL_FAM6_ATOM_SALTWELL=$((0x36))        # /* Cedarview */
+        readonly INTEL_FAM6_ATOM_SALTWELL_MID=$((0x27))    # /* Penwell */
+        readonly INTEL_FAM6_ATOM_SALTWELL_TABLET=$((0x35)) # /* Cloverview */
+        readonly INTEL_FAM6_ATOM_SILVERMONT=$((0x37))      # /* Bay Trail, Valleyview */
+        readonly INTEL_FAM6_ATOM_SILVERMONT_D=$((0x4D))    # /* Avaton, Rangely */
+        readonly INTEL_FAM6_ATOM_SILVERMONT_MID=$((0x4A))  # /* Merriefield */
+        readonly INTEL_FAM6_ATOM_AIRMONT=$((0x4C))         # /* Cherry Trail, Braswell */
+        readonly INTEL_FAM6_ATOM_AIRMONT_MID=$((0x5A))     # /* Moorefield */
+        readonly INTEL_FAM6_ATOM_AIRMONT_NP=$((0x75))      # /* Lightning Mountain */
+        readonly INTEL_FAM6_ATOM_GOLDMONT=$((0x5C))        # /* Apollo Lake */
+        readonly INTEL_FAM6_ATOM_GOLDMONT_D=$((0x5F))      # /* Denverton */
+        readonly INTEL_FAM6_ATOM_GOLDMONT_PLUS=$((0x7A))   # /* Gemini Lake */
+        readonly INTEL_FAM6_ATOM_TREMONT_D=$((0x86))       # /* Jacobsville */
+        readonly INTEL_FAM6_ATOM_TREMONT=$((0x96))         # /* Elkhart Lake */
+        readonly INTEL_FAM6_ATOM_TREMONT_L=$((0x9C))       # /* Jasper Lake */
+        readonly INTEL_FAM6_XEON_PHI_KNL=$((0x57))         # /* Knights Landing */
+        readonly INTEL_FAM6_XEON_PHI_KNM=$((0x85))         # /* Knights Mill */
+    }
+    g_parse_cpu_details_done=1
+}
+# Check whether the CPU vendor is Hygon
+# Returns: 0 if Hygon, 1 otherwise
--- a/src/libs/360_cpu_smt.sh
+++ b/src/libs/360_cpu_smt.sh
@@ -0,0 +1,224 @@
+# vim: set ts=4 sw=4 sts=4 et:
+is_hygon() {
+    parse_cpu_details
+    [ "$cpu_vendor" = HygonGenuine ] && return 0
+    return 1
+}
+
+# Check whether the CPU vendor is AMD
+# Returns: 0 if AMD, 1 otherwise
+is_amd() {
+    parse_cpu_details
+    [ "$cpu_vendor" = AuthenticAMD ] && return 0
+    return 1
+}
+
+# Check whether the CPU vendor is Intel
+# Returns: 0 if Intel, 1 otherwise
+is_intel() {
+    parse_cpu_details
+    [ "$cpu_vendor" = GenuineIntel ] && return 0
+    return 1
+}
+
+# Check whether SMT (HyperThreading) is enabled on the system
+# Returns: 0 if SMT enabled, 1 otherwise
+is_cpu_smt_enabled() {
+    local siblings cpucores
+    # SMT / HyperThreading is enabled if siblings != cpucores
+    if [ -e "$g_procfs/cpuinfo" ]; then
+        siblings=$(awk '/^siblings/  {print $3;exit}' "$g_procfs/cpuinfo")
+        cpucores=$(awk '/^cpu cores/ {print $4;exit}' "$g_procfs/cpuinfo")
+        if [ -n "$siblings" ] && [ -n "$cpucores" ]; then
+            if [ "$siblings" = "$cpucores" ]; then
+                return 1
+            else
+                return 0
+            fi
+        fi
+    fi
+    # we can't tell
+    return 2
+}
+
+# Check whether the current CPU microcode version is on Intel's blacklist
+# Returns: 0 if blacklisted, 1 otherwise
+is_ucode_blacklisted() {
+    local tuple model stepping ucode cpuid
+    parse_cpu_details
+    # if it's not an Intel, don't bother: it's not blacklisted
+    is_intel || return 1
+    # it also needs to be family=6
+    [ "$cpu_family" = 6 ] || return 1
+    # now, check each known bad microcode
+    # source: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/kernel/cpu/intel.c#n105
+    # 2018-02-08 update: https://newsroom.intel.com/wp-content/uploads/sites/11/2018/02/microcode-update-guidance.pdf
+    # model,stepping,microcode
+    for tuple in \
+        $INTEL_FAM6_KABYLAKE,0x0B,0x80 \
+        $INTEL_FAM6_KABYLAKE,0x0A,0x80 \
+        $INTEL_FAM6_KABYLAKE,0x09,0x80 \
+        $INTEL_FAM6_KABYLAKE_L,0x0A,0x80 \
+        $INTEL_FAM6_KABYLAKE_L,0x09,0x80 \
+        $INTEL_FAM6_SKYLAKE_X,0x03,0x0100013e \
+        $INTEL_FAM6_SKYLAKE_X,0x04,0x02000036 \
+        $INTEL_FAM6_SKYLAKE_X,0x04,0x0200003a \
+        $INTEL_FAM6_SKYLAKE_X,0x04,0x0200003c \
+        $INTEL_FAM6_BROADWELL,0x04,0x28 \
+        $INTEL_FAM6_BROADWELL_G,0x01,0x1b \
+        $INTEL_FAM6_BROADWELL_D,0x02,0x14 \
+        $INTEL_FAM6_BROADWELL_D,0x03,0x07000011 \
+        $INTEL_FAM6_BROADWELL_X,0x01,0x0b000025 \
+        $INTEL_FAM6_HASWELL_L,0x01,0x21 \
+        $INTEL_FAM6_HASWELL_G,0x01,0x18 \
+        $INTEL_FAM6_HASWELL,0x03,0x23 \
+        $INTEL_FAM6_HASWELL_X,0x02,0x3b \
+        $INTEL_FAM6_HASWELL_X,0x04,0x10 \
+        $INTEL_FAM6_IVYBRIDGE_X,0x04,0x42a \
+        $INTEL_FAM6_SANDYBRIDGE_X,0x06,0x61b \
+        $INTEL_FAM6_SANDYBRIDGE_X,0x07,0x712; do
+        model=$(echo "$tuple" | cut -d, -f1)
+        stepping=$(($(echo "$tuple" | cut -d, -f2)))
+        if [ "$cpu_model" = "$model" ] && [ "$cpu_stepping" = "$stepping" ]; then
+            ucode=$(($(echo "$tuple" | cut -d, -f3)))
+            if [ "$cpu_ucode" = "$ucode" ]; then
+                pr_debug "is_ucode_blacklisted: we have a match! ($cpu_model/$cpu_stepping/$cpu_ucode)"
+                return 0
+            fi
+        fi
+    done
+
+    # 2024-01-09 update: https://github.com/speed47/spectre-meltdown-checker/issues/475
+    # this time the tuple is cpuid,microcode
+    for tuple in \
+        0xB0671,0x119 \
+        0xB06A2,0x4119 \
+        0xB06A3,0x4119; do
+        cpuid=$(($(echo "$tuple" | cut -d, -f1)))
+        ucode=$(($(echo "$tuple" | cut -d, -f2)))
+        if [ "$cpu_cpuid" = "$cpuid" ] && [ "$cpu_ucode" = "$ucode" ]; then
+            pr_debug "is_ucode_blacklisted: we have a match! ($cpuid/$ucode)"
+            return 0
+        fi
+    done
+
+    pr_debug "is_ucode_blacklisted: no ($cpu_model/$cpu_stepping/$cpu_ucode)"
+    return 1
+}
+
+# Check whether the CPU is a Skylake/Kabylake family processor
+# Returns: 0 if Skylake-family, 1 otherwise
+is_skylake_cpu() {
+    # return 0 if yes, 1 otherwise
+    #if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL &&
+    #		boot_cpu_data.x86 == 6) {
+    #		switch (boot_cpu_data.x86_model) {
+    #		case INTEL_FAM6_SKYLAKE_MOBILE:
+    #		case INTEL_FAM6_SKYLAKE_DESKTOP:
+    #		case INTEL_FAM6_SKYLAKE_X:
+    #		case INTEL_FAM6_KABYLAKE_MOBILE:
+    #		case INTEL_FAM6_KABYLAKE_DESKTOP:
+    #			return true;
+    parse_cpu_details
+    is_intel || return 1
+    [ "$cpu_family" = 6 ] || return 1
+    if [ "$cpu_model" = "$INTEL_FAM6_SKYLAKE_L" ] ||
+        [ "$cpu_model" = "$INTEL_FAM6_SKYLAKE" ] ||
+        [ "$cpu_model" = "$INTEL_FAM6_SKYLAKE_X" ] ||
+        [ "$cpu_model" = "$INTEL_FAM6_KABYLAKE_L" ] ||
+        [ "$cpu_model" = "$INTEL_FAM6_KABYLAKE" ]; then
+        return 0
+    fi
+    return 1
+}
+
+# Check whether the CPU is vulnerable to empty RSB speculation
+# Returns: 0 if vulnerable, 1 otherwise
+is_vulnerable_to_empty_rsb() {
+    if is_intel && [ -z "$cap_rsba" ]; then
+        pr_warn "is_vulnerable_to_empty_rsb() called before ARCH CAPABILITIES MSR was read"
+    fi
+    if is_skylake_cpu || [ "$cap_rsba" = 1 ]; then
+        return 0
+    fi
+    return 1
+}
+
+# Check whether the CPU is from the AMD Zen family (Ryzen, EPYC, ...)
+# Returns: 0 if Zen, 1 otherwise
+is_zen_cpu() {
+    parse_cpu_details
+    is_amd || return 1
+    [ "$cpu_family" = 23 ] && return 0
+    return 1
+}
+
+# Check whether the CPU is a Hygon Moksha (Dhyana) family processor
+# Returns: 0 if Moksha, 1 otherwise
+is_moksha_cpu() {
+    parse_cpu_details
+    is_hygon || return 1
+    [ "$cpu_family" = 24 ] && return 0
+    return 1
+}
+
+# Encode an AMD family/model/stepping range into a single integer (mimics Linux AMD_MODEL_RANGE macro)
+# Args: $1=family $2=model_start $3=stepping_start $4=model_end $5=stepping_end
+amd_model_range() {
+    echo $((($1 << 24) | ($2 << 16) | ($3 << 12) | ($4 << 4) | ($5)))
+}
+
+# Check if the current AMD CPU falls within a given model/stepping range (mimics Linux amd_legacy_erratum)
+# Args: $1=range (output of amd_model_range)
+# Returns: 0 if CPU is in range, 1 otherwise
+amd_legacy_erratum() {
+    local range ms
+    range="$1"
+    ms=$((cpu_model << 4 | cpu_stepping))
+    if [ "$cpu_family" = $((((range) >> 24) & 0xff)) ] &&
+        [ $ms -ge $((((range) >> 12) & 0xfff)) ] &&
+        [ $ms -le $(((range) & 0xfff)) ]; then
+        return 0
+    fi
+    return 1
+}
+
+# Check whether the CPU has a microcode version that fixes Zenbleed
+# Sets: g_zenbleed_fw, g_zenbleed_fw_required
+# Returns: 0=fixed, 1=not fixed, 2=not applicable
+has_zenbleed_fixed_firmware() {
+    local tuples tuple model_low model_high fwver
+    # return cached data
+    [ -n "$g_zenbleed_fw" ] && return "$g_zenbleed_fw"
+    # or compute it:
+    g_zenbleed_fw=2 # unknown
+    # only amd
+    if ! is_amd; then
+        g_zenbleed_fw=1
+        return $g_zenbleed_fw
+    fi
+    # list of known fixed firmwares, from commit 522b1d69219d8f083173819fde04f994aa051a98
+    tuples="
+		0x30,0x3f,0x0830107a
+		0x60,0x67,0x0860010b
+		0x68,0x6f,0x08608105
+		0x70,0x7f,0x08701032
+		0xa0,0xaf,0x08a00008
+	"
+    for tuple in $tuples; do
+        model_low=$(echo "$tuple" | cut -d, -f1)
+        model_high=$(echo "$tuple" | cut -d, -f2)
+        fwver=$(echo "$tuple" | cut -d, -f3)
+        if [ $((cpu_model)) -ge $((model_low)) ] && [ $((cpu_model)) -le $((model_high)) ]; then
+            if [ $((cpu_ucode)) -ge $((fwver)) ]; then
+                g_zenbleed_fw=0 # true
+                break
+            else
+                g_zenbleed_fw=1 # false
+                g_zenbleed_fw_required=$fwver
+            fi
+        fi
+    done
+    unset tuples
+    return $g_zenbleed_fw
+}
--- a/src/libs/370_hw_vmm.sh
+++ b/src/libs/370_hw_vmm.sh
@@ -0,0 +1,57 @@
+# vim: set ts=4 sw=4 sts=4 et:
+# Check whether the system is running as a Xen paravirtualized guest
+# Returns: 0 if Xen PV, 1 otherwise
+is_xen() {
+    local ret
+    if [ ! -d "$g_procfs/xen" ]; then
+        return 1
+    fi
+
+    # XXX do we have a better way that relying on dmesg?
+    dmesg_grep 'Booting paravirtualized kernel on Xen$'
+    ret=$?
+    if [ "$ret" -eq 2 ]; then
+        pr_warn "dmesg truncated, Xen detection will be unreliable. Please reboot and relaunch this script"
+        return 1
+    elif [ "$ret" -eq 0 ]; then
+        return 0
+    else
+        return 1
+    fi
+}
+
+# Check whether the system is a Xen Dom0 (privileged domain)
+# Returns: 0 if Dom0, 1 otherwise
+is_xen_dom0() {
+    if ! is_xen; then
+        return 1
+    fi
+
+    if [ -e "$g_procfs/xen/capabilities" ] && grep -q "control_d" "$g_procfs/xen/capabilities"; then
+        return 0
+    else
+        return 1
+    fi
+}
+
+# Check whether the system is a Xen DomU (unprivileged PV guest)
+# Returns: 0 if DomU, 1 otherwise
+is_xen_domU() {
+    local ret
+    if ! is_xen; then
+        return 1
+    fi
+
+    # PVHVM guests also print 'Booting paravirtualized kernel', so we need this check.
+    dmesg_grep 'Xen HVM callback vector for event delivery is enabled$'
+    ret=$?
+    if [ "$ret" -eq 0 ]; then
+        return 1
+    fi
+
+    if ! is_xen_dom0; then
+        return 0
+    else
+        return 1
+    fi
+}
--- a/src/libs/380_hw_microcode.sh
+++ b/src/libs/380_hw_microcode.sh
@@ -0,0 +1,74 @@
+# vim: set ts=4 sw=4 sts=4 et:
+g_builtin_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$0")
+if [ -r "$g_mcedb_cache" ]; then
+    # we have a local cache file, but it might be older than the builtin version we have
+    g_local_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$g_mcedb_cache")
+    # compare version strings of the form vN+iYYYYMMDD+hash
+    local_v=$(echo "$g_local_dbversion" | sed 's/^v\([0-9]*\).*/\1/')
+    builtin_v=$(echo "$g_builtin_dbversion" | sed 's/^v\([0-9]*\).*/\1/')
+    local_i=$(echo "$g_local_dbversion" | sed 's/.*+i\([0-9]*\).*/\1/')
+    builtin_i=$(echo "$g_builtin_dbversion" | sed 's/.*+i\([0-9]*\).*/\1/')
+    if [ "$local_v" -gt "$builtin_v" ] ||
+        { [ "$local_v" -eq "$builtin_v" ] && [ "$local_i" -gt "$builtin_i" ]; }; then
+        g_mcedb_source="$g_mcedb_cache"
+        g_mcedb_info="local firmwares DB $g_local_dbversion"
+    fi
+fi
+# if g_mcedb_source is not set, either we don't have a local cached db, or it is older than the builtin db
+if [ -z "${g_mcedb_source:-}" ]; then
+    g_mcedb_source="$0"
+    g_mcedb_info="builtin firmwares DB $g_builtin_dbversion"
+fi
+# Read the MCExtractor microcode database (from local cache or builtin) to stdout
+read_mcedb() {
+    awk '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / { DELIM=1 }' "$g_mcedb_source"
+}
+
+# Read the Intel official affected CPUs database (builtin) to stdout
+read_inteldb() {
+    if [ "$opt_intel_db" = 1 ]; then
+        awk '/^# %%% ENDOFINTELDB/ { exit } { if (DELIM==1) { print $2 } } /^# %%% INTELDB/ { DELIM=1 }' "$0"
+    fi
+    # otherwise don't output nothing, it'll be as if the database is empty
+}
+
+# Check whether the CPU is running the latest known microcode version
+# Sets: ret_is_latest_known_ucode_latest
+# Returns: 0=latest, 1=outdated, 2=unknown
+is_latest_known_ucode() {
+    local brand_prefix tuple pfmask ucode ucode_date
+    parse_cpu_details
+    if [ "$cpu_cpuid" = 0 ]; then
+        ret_is_latest_known_ucode_latest="couldn't get your cpuid"
+        return 2
+    fi
+    ret_is_latest_known_ucode_latest="latest microcode version for your CPU model is unknown"
+    if is_intel; then
+        brand_prefix=I
+    elif is_amd; then
+        brand_prefix=A
+    else
+        return 2
+    fi
+    for tuple in $(read_mcedb | grep "$(printf "^$brand_prefix,0x%08X," "$cpu_cpuid")"); do
+        # skip if the pfmask doesn't match our platformid
+        pfmask=$(echo "$tuple" | cut -d, -f3)
+        if is_intel && [ $((cpu_platformid & pfmask)) -eq 0 ]; then
+            continue
+        fi
+        ucode=$(($(echo "$tuple" | cut -d, -f4)))
+        ucode_date=$(echo "$tuple" | cut -d, -f5 | sed -E 's=(....)(..)(..)=\1/\2/\3=')
+        pr_debug "is_latest_known_ucode: with cpuid $cpu_cpuid has ucode $cpu_ucode, last known is $ucode from $ucode_date"
+        ret_is_latest_known_ucode_latest=$(printf "latest version is 0x%x dated $ucode_date according to $g_mcedb_info" "$ucode")
+        if [ "$cpu_ucode" -ge "$ucode" ]; then
+            return 0
+        else
+            return 1
+        fi
+    done
+    pr_debug "is_latest_known_ucode: this cpuid is not referenced ($cpu_cpuid)"
+    return 2
+}
+
+# Read and cache the kernel command line from /proc/cmdline or mock
+# Sets: g_kernel_cmdline
--- a/src/libs/390_kernel_cmdline.sh
+++ b/src/libs/390_kernel_cmdline.sh
@@ -0,0 +1,16 @@
+# vim: set ts=4 sw=4 sts=4 et:
+get_cmdline() {
+    if [ -n "${g_kernel_cmdline:-}" ]; then
+        return
+    fi
+
+    if [ -n "${SMC_MOCK_CMDLINE:-}" ]; then
+        g_mocked=1
+        pr_debug "get_cmdline: using g_mocked cmdline '$SMC_MOCK_CMDLINE'"
+        g_kernel_cmdline="$SMC_MOCK_CMDLINE"
+        return
+    else
+        g_kernel_cmdline=$(cat "$g_procfs/cmdline")
+        g_mockme=$(printf "%b\n%b" "$g_mockme" "SMC_MOCK_CMDLINE='$g_kernel_cmdline'")
+    fi
+}
--- a/src/libs/400_hw_check.sh
+++ b/src/libs/400_hw_check.sh
--- a/src/main.sh
+++ b/src/main.sh
@@ -0,0 +1,92 @@
+# vim: set ts=4 sw=4 sts=4 et:
+
+if [ "$opt_no_hw" = 0 ] && [ -z "$opt_arch_prefix" ]; then
+    check_cpu
+    check_cpu_vulnerabilities
+    pr_info
+fi
+
+# now run the checks the user asked for
+for cve in $g_supported_cve_list; do
+    if [ "$opt_cve_all" = 1 ] || echo "$opt_cve_list" | grep -qw "$cve"; then
+        check_"$(echo "$cve" | tr - _)"
+        pr_info
+    fi
+done
+
+if [ -n "$g_final_summary" ]; then
+    pr_info "> \033[46m\033[30mSUMMARY:\033[0m$g_final_summary"
+    pr_info ""
+fi
+
+if [ "$g_bad_accuracy" = 1 ]; then
+    pr_warn "We're missing some kernel info (see -v), accuracy might be reduced"
+fi
+
+g_vars=$(set | grep -Ev '^[A-Z_[:space:]]' | grep -v -F 'g_mockme=' | sort | tr "\n" '|')
+pr_debug "variables at end of script: $g_vars"
+
+if [ -n "$g_mockme" ] && [ "$opt_mock" = 1 ]; then
+    if command -v "gzip" >/dev/null 2>&1; then
+        # not a useless use of cat: gzipping cpuinfo directly doesn't work well
+        # shellcheck disable=SC2002
+        if command -v "base64" >/dev/null 2>&1; then
+            g_mock_cpuinfo="$(cat /proc/cpuinfo | gzip -c | base64 -w0)"
+        elif command -v "uuencode" >/dev/null 2>&1; then
+            g_mock_cpuinfo="$(cat /proc/cpuinfo | gzip -c | uuencode -m - | grep -Fv 'begin-base64' | grep -Fxv -- '====' | tr -d "\n")"
+        fi
+    fi
+    if [ -n "$g_mock_cpuinfo" ]; then
+        g_mockme=$(printf "%b\n%b" "$g_mockme" "SMC_MOCK_CPUINFO='$g_mock_cpuinfo'")
+        unset g_mock_cpuinfo
+    fi
+    pr_info ""
+    # shellcheck disable=SC2046
+    pr_warn "To mock this CPU, set those vars: "$(echo "$g_mockme" | sort -u)
+fi
+
+# root check
+if [ "$(id -u)" -ne 0 ]; then
+    pr_warn "Note that you should launch this script with root privileges to get completely accurate information."
+    pr_warn "To run it as root, you can try the following command: sudo $0"
+    pr_warn
+fi
+
+if [ "$opt_explain" = 0 ]; then
+    pr_info "Need more detailed information about mitigation options? Use --explain"
+fi
+
+pr_info "A false sense of security is worse than no security at all, see --disclaimer"
+
+if [ "$g_mocked" = 1 ]; then
+    pr_info ""
+    pr_warn "One or several values have been g_mocked. This should only be done when debugging/testing this script."
+    pr_warn "The results do NOT reflect the actual status of the system we're running on."
+fi
+
+if [ "$opt_batch" = 1 ] && [ "$opt_batch_format" = "nrpe" ]; then
+    if [ -n "$g_nrpe_vuln" ]; then
+        echo "Vulnerable:$g_nrpe_vuln"
+    else
+        echo "OK"
+    fi
+fi
+
+if [ "$opt_batch" = 1 ] && [ "$opt_batch_format" = "short" ]; then
+    _pr_echo 0 "${g_short_output% }"
+fi
+
+if [ "$opt_batch" = 1 ] && [ "$opt_batch_format" = "json" ]; then
+    _pr_echo 0 "${g_json_output%?}]"
+fi
+
+if [ "$opt_batch" = 1 ] && [ "$opt_batch_format" = "prometheus" ]; then
+    echo "# TYPE specex_vuln_status untyped"
+    echo "# HELP specex_vuln_status Exposure of system to speculative execution vulnerabilities"
+    printf "%b\n" "$g_prometheus_output"
+fi
+
+# exit with the proper exit code
+[ "$g_critical" = 1 ] && exit 2 # critical
+[ "$g_unknown" = 1 ] && exit 3  # unknown
+exit 0                          # ok
--- a/src/vulns-helpers/check_cve.sh
+++ b/src/vulns-helpers/check_cve.sh
@@ -0,0 +1,24 @@
+# vim: set ts=4 sw=4 sts=4 et:
+# Generic CVE check dispatcher: prints CVE header and calls the OS-specific check function
+# Args: $1=cve_id $2=func_prefix(optional, default derived from CVE ID)
+check_cve() {
+    local cve func_prefix
+    cve="$1"
+    func_prefix="${2:-check_$(echo "$cve" | tr - _)}"
+    pr_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+    if [ "$g_os" = Linux ]; then
+        if type "${func_prefix}_linux" >/dev/null 2>&1; then
+            "${func_prefix}_linux"
+        else
+            pr_warn "Unsupported OS ($g_os)"
+        fi
+    elif echo "$g_os" | grep -q BSD; then
+        if type "${func_prefix}_bsd" >/dev/null 2>&1; then
+            "${func_prefix}_bsd"
+        else
+            pr_warn "Unsupported OS ($g_os)"
+        fi
+    else
+        pr_warn "Unsupported OS ($g_os)"
+    fi
+}
--- a/src/vulns-helpers/check_mds.sh
+++ b/src/vulns-helpers/check_mds.sh
@@ -0,0 +1,218 @@
+# vim: set ts=4 sw=4 sts=4 et:
+# MDS (microarchitectural data sampling) - BSD mitigation check
+check_mds_bsd() {
+    local kernel_md_clear kernel_smt_allowed kernel_mds_enabled kernel_mds_state
+    pr_info_nol "* Kernel supports using MD_CLEAR mitigation: "
+    if [ "$opt_live" = 1 ]; then
+        if sysctl hw.mds_disable >/dev/null 2>&1; then
+            pstatus green YES
+            kernel_md_clear=1
+        else
+            pstatus yellow NO
+            kernel_md_clear=0
+        fi
+    else
+        if grep -Fq hw.mds_disable "$opt_kernel"; then
+            pstatus green YES
+            kernel_md_clear=1
+        else
+            kernel_md_clear=0
+            pstatus yellow NO
+        fi
+    fi
+
+    pr_info_nol "* CPU Hyper-Threading (SMT) is disabled: "
+    if sysctl machdep.hyperthreading_allowed >/dev/null 2>&1; then
+        kernel_smt_allowed=$(sysctl -n machdep.hyperthreading_allowed 2>/dev/null)
+        if [ "$kernel_smt_allowed" = 1 ]; then
+            pstatus yellow NO
+        else
+            pstatus green YES
+        fi
+    else
+        pstatus yellow UNKNOWN "sysctl machdep.hyperthreading_allowed doesn't exist"
+    fi
+
+    pr_info_nol "* Kernel mitigation is enabled: "
+    if [ "$kernel_md_clear" = 1 ]; then
+        kernel_mds_enabled=$(sysctl -n hw.mds_disable 2>/dev/null)
+    else
+        kernel_mds_enabled=0
+    fi
+    case "$kernel_mds_enabled" in
+        0) pstatus yellow NO ;;
+        1) pstatus green YES "with microcode support" ;;
+        2) pstatus green YES "software-only support (SLOW)" ;;
+        3) pstatus green YES ;;
+        *) pstatus yellow UNKNOWN "unknown value $kernel_mds_enabled" ;;
+    esac
+
+    pr_info_nol "* Kernel mitigation is active: "
+    if [ "$kernel_md_clear" = 1 ]; then
+        kernel_mds_state=$(sysctl -n hw.mds_disable_state 2>/dev/null)
+    else
+        kernel_mds_state=inactive
+    fi
+    # https://github.com/freebsd/freebsd/blob/master/sys/x86/x86/cpu_machdep.c#L953
+    case "$kernel_mds_state" in
+        inactive) pstatus yellow NO ;;
+        VERW) pstatus green YES "with microcode support" ;;
+        software*) pstatus green YES "software-only support (SLOW)" ;;
+        *) pstatus yellow UNKNOWN ;;
+    esac
+
+    if ! is_cpu_affected "$cve"; then
+        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+    else
+        if [ "$cap_md_clear" = 1 ]; then
+            if [ "$kernel_md_clear" = 1 ]; then
+                if [ "$opt_live" = 1 ]; then
+                    # mitigation must also be enabled
+                    if [ "$kernel_mds_enabled" -ge 1 ]; then
+                        if [ "$opt_paranoid" != 1 ] || [ "$kernel_smt_allowed" = 0 ]; then
+                            pvulnstatus "$cve" OK "Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled"
+                        else
+                            pvulnstatus "$cve" VULN "Your microcode and kernel are both up to date for this mitigation, but you must disable SMT (Hyper-Threading) for a complete mitigation"
+                        fi
+                    else
+                        pvulnstatus "$cve" VULN "Your microcode and kernel are both up to date for this mitigation, but the mitigation is not active"
+                        explain "To enable mitigation, run \`sysctl hw.mds_disable=1'. To make this change persistent across reboots, you can add 'hw.mds_disable=1' to /etc/sysctl.conf."
+                    fi
+                else
+                    pvulnstatus "$cve" OK "Your microcode and kernel are both up to date for this mitigation"
+                fi
+            else
+                pvulnstatus "$cve" VULN "Your microcode supports mitigation, but your kernel doesn't, upgrade it to mitigate the vulnerability"
+            fi
+        else
+            if [ "$kernel_md_clear" = 1 ]; then
+                pvulnstatus "$cve" VULN "Your kernel supports mitigation, but your CPU microcode also needs to be updated to mitigate the vulnerability"
+            else
+                pvulnstatus "$cve" VULN "Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability"
+            fi
+        fi
+    fi
+}
+
+# MDS (microarchitectural data sampling) - Linux mitigation check
+check_mds_linux() {
+    local status sys_interface_available msg kernel_md_clear kernel_md_clear_can_tell mds_mitigated mds_smt_mitigated mystatus mymsg
+    status=UNK
+    sys_interface_available=0
+    msg=''
+    if sys_interface_check "$VULN_SYSFS_BASE/mds" '^[^;]+'; then
+        sys_interface_available=1
+        status=$ret_sys_interface_check_status
+    fi
+
+    if [ "$opt_sysfs_only" != 1 ]; then
+        pr_info_nol "* Kernel supports using MD_CLEAR mitigation: "
+        kernel_md_clear=''
+        kernel_md_clear_can_tell=1
+        if [ "$opt_live" = 1 ] && grep ^flags "$g_procfs/cpuinfo" | grep -qw md_clear; then
+            kernel_md_clear="md_clear found in $g_procfs/cpuinfo"
+            pstatus green YES "$kernel_md_clear"
+        fi
+        if [ -z "$kernel_md_clear" ]; then
+            if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
+                kernel_md_clear_can_tell=0
+            elif [ -n "$g_kernel_err" ]; then
+                kernel_md_clear_can_tell=0
+            elif "${opt_arch_prefix}strings" "$g_kernel" | grep -q 'Clear CPU buffers'; then
+                pr_debug "md_clear: found 'Clear CPU buffers' string in kernel image"
+                kernel_md_clear='found md_clear implementation evidence in kernel image'
+                pstatus green YES "$kernel_md_clear"
+            fi
+        fi
+        if [ -z "$kernel_md_clear" ]; then
+            if [ "$kernel_md_clear_can_tell" = 1 ]; then
+                pstatus yellow NO
+            else
+                pstatus yellow UNKNOWN
+            fi
+        fi
+
+        if [ "$opt_live" = 1 ] && [ "$sys_interface_available" = 1 ]; then
+            pr_info_nol "* Kernel mitigation is enabled and active: "
+            if echo "$ret_sys_interface_check_fullmsg" | grep -qi ^mitigation; then
+                mds_mitigated=1
+                pstatus green YES
+            else
+                mds_mitigated=0
+                pstatus yellow NO
+            fi
+            pr_info_nol "* SMT is either mitigated or disabled: "
+            if echo "$ret_sys_interface_check_fullmsg" | grep -Eq 'SMT (disabled|mitigated)'; then
+                mds_smt_mitigated=1
+                pstatus green YES
+            else
+                mds_smt_mitigated=0
+                pstatus yellow NO
+            fi
+        fi
+    elif [ "$sys_interface_available" = 0 ]; then
+        # we have no sysfs but were asked to use it only!
+        msg="/sys vulnerability interface use forced, but it's not available!"
+        status=UNK
+    fi
+
+    if ! is_cpu_affected "$cve"; then
+        # override status & msg in case CPU is not vulnerable after all
+        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+    else
+        if [ "$opt_sysfs_only" != 1 ]; then
+            # compute mystatus and mymsg from our own logic
+            if [ "$cap_md_clear" = 1 ]; then
+                if [ -n "$kernel_md_clear" ]; then
+                    if [ "$opt_live" = 1 ]; then
+                        # mitigation must also be enabled
+                        if [ "$mds_mitigated" = 1 ]; then
+                            if [ "$opt_paranoid" != 1 ] || [ "$mds_smt_mitigated" = 1 ]; then
+                                mystatus=OK
+                                mymsg="Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled"
+                            else
+                                mystatus=VULN
+                                mymsg="Your microcode and kernel are both up to date for this mitigation, but you must disable SMT (Hyper-Threading) for a complete mitigation"
+                            fi
+                        else
+                            mystatus=VULN
+                            mymsg="Your microcode and kernel are both up to date for this mitigation, but the mitigation is not active"
+                        fi
+                    else
+                        mystatus=OK
+                        mymsg="Your microcode and kernel are both up to date for this mitigation"
+                    fi
+                else
+                    mystatus=VULN
+                    mymsg="Your microcode supports mitigation, but your kernel doesn't, upgrade it to mitigate the vulnerability"
+                fi
+            else
+                if [ -n "$kernel_md_clear" ]; then
+                    mystatus=VULN
+                    mymsg="Your kernel supports mitigation, but your CPU microcode also needs to be updated to mitigate the vulnerability"
+                else
+                    mystatus=VULN
+                    mymsg="Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability"
+                fi
+            fi
+        else
+            # sysfs only: return the status/msg we got
+            pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
+            return
+        fi
+
+        # if we didn't get a msg+status from sysfs, use ours
+        if [ -z "$msg" ]; then
+            pvulnstatus "$cve" "$mystatus" "$mymsg"
+        elif [ "$opt_paranoid" = 1 ]; then
+            # if paranoid mode is enabled, we now that we won't agree on status, so take ours
+            pvulnstatus "$cve" "$mystatus" "$mymsg"
+        elif [ "$status" = "$mystatus" ]; then
+            # if we agree on status, we'll print the common status and our message (more detailed than the sysfs one)
+            pvulnstatus "$cve" "$status" "$mymsg"
+        else
+            # if we don't agree on status, maybe our logic is flawed due to a new kernel/mitigation? use the one from sysfs
+            pvulnstatus "$cve" "$status" "$msg"
+        fi
+    fi
+}
--- a/src/vulns/CVE-2017-5715.sh
+++ b/src/vulns/CVE-2017-5715.sh
@@ -0,0 +1,603 @@
+# vim: set ts=4 sw=4 sts=4 et:
+###################
+# SPECTRE 2 SECTION
+
+# CVE-2017-5715 Spectre Variant 2 (branch target injection) - entry point
+check_CVE_2017_5715() {
+    check_cve 'CVE-2017-5715'
+}
+
+# CVE-2017-5715 Spectre Variant 2 (branch target injection) - Linux mitigation check
+check_CVE_2017_5715_linux() {
+    local status sys_interface_available msg dir bp_harden_can_tell bp_harden retpoline retpoline_compiler retpoline_compiler_reason retp_enabled rsb_filling explain_hypervisor
+    status=UNK
+    sys_interface_available=0
+    msg=''
+    if sys_interface_check "$VULN_SYSFS_BASE/spectre_v2"; then
+        # this kernel has the /sys interface, trust it over everything
+        sys_interface_available=1
+        status=$ret_sys_interface_check_status
+    fi
+    if [ "$opt_sysfs_only" != 1 ]; then
+        pr_info "* Mitigation 1"
+
+        g_ibrs_can_tell=0
+        g_ibrs_supported=''
+        g_ibrs_enabled=''
+        g_ibpb_can_tell=0
+        g_ibpb_supported=''
+        g_ibpb_enabled=''
+
+        if [ "$opt_live" = 1 ]; then
+            # in live mode, we can check for the ibrs_enabled file in debugfs
+            # all versions of the patches have it (NOT the case of IBPB or KPTI)
+            g_ibrs_can_tell=1
+            mount_debugfs
+            for dir in \
+                $DEBUGFS_BASE \
+                $DEBUGFS_BASE/x86 \
+                "$g_procfs/sys/kernel"; do
+                if [ -e "$dir/ibrs_enabled" ]; then
+                    # if the file is there, we have IBRS compiled-in
+                    # $DEBUGFS_BASE/ibrs_enabled: vanilla
+                    # $DEBUGFS_BASE/x86/ibrs_enabled: Red Hat (see https://access.redhat.com/articles/3311301)
+                    # /proc/sys/kernel/ibrs_enabled: OpenSUSE tumbleweed
+                    g_specex_knob_dir=$dir
+                    g_ibrs_supported="$dir/ibrs_enabled exists"
+                    g_ibrs_enabled=$(cat "$dir/ibrs_enabled" 2>/dev/null)
+                    pr_debug "ibrs: found $dir/ibrs_enabled=$g_ibrs_enabled"
+                    # if ibrs_enabled is there, ibpb_enabled will be in the same dir
+                    if [ -e "$dir/ibpb_enabled" ]; then
+                        # if the file is there, we have IBPB compiled-in (see note above for IBRS)
+                        g_ibpb_supported="$dir/ibpb_enabled exists"
+                        g_ibpb_enabled=$(cat "$dir/ibpb_enabled" 2>/dev/null)
+                        pr_debug "ibpb: found $dir/ibpb_enabled=$g_ibpb_enabled"
+                    else
+                        pr_debug "ibpb: $dir/ibpb_enabled file doesn't exist"
+                    fi
+                    break
+                else
+                    pr_debug "ibrs: $dir/ibrs_enabled file doesn't exist"
+                fi
+            done
+            # on some newer kernels, the spec_ctrl_ibrs flag in "$g_procfs/cpuinfo"
+            # is set when ibrs has been administratively enabled (usually from cmdline)
+            # which in that case means ibrs is supported *and* enabled for kernel & user
+            # as per the ibrs patch series v3
+            if [ -z "$g_ibrs_supported" ]; then
+                if grep ^flags "$g_procfs/cpuinfo" | grep -qw spec_ctrl_ibrs; then
+                    pr_debug "ibrs: found spec_ctrl_ibrs flag in $g_procfs/cpuinfo"
+                    g_ibrs_supported="spec_ctrl_ibrs flag in $g_procfs/cpuinfo"
+                    # enabled=2 -> kernel & user
+                    g_ibrs_enabled=2
+                    # XXX and what about ibpb ?
+                fi
+            fi
+            if [ -n "$ret_sys_interface_check_fullmsg" ]; then
+                # when IBPB is enabled on 4.15+, we can see it in sysfs
+                if echo "$ret_sys_interface_check_fullmsg" | grep -q 'IBPB'; then
+                    pr_debug "ibpb: found enabled in sysfs"
+                    [ -z "$g_ibpb_supported" ] && g_ibpb_supported='IBPB found enabled in sysfs'
+                    [ -z "$g_ibpb_enabled" ] && g_ibpb_enabled=1
+                fi
+                # when IBRS_FW is enabled on 4.15+, we can see it in sysfs
+                if echo "$ret_sys_interface_check_fullmsg" | grep -q '[,;] IBRS_FW'; then
+                    pr_debug "ibrs: found IBRS_FW in sysfs"
+                    [ -z "$g_ibrs_supported" ] && g_ibrs_supported='found IBRS_FW in sysfs'
+                    g_ibrs_fw_enabled=1
+                fi
+                # when IBRS is enabled on 4.15+, we can see it in sysfs
+                # on a more recent kernel, classic "IBRS" is not even longer an option, because of the performance impact.
+                # only "Enhanced IBRS" is available (on CPUs with the IBRS_ALL flag)
+                if echo "$ret_sys_interface_check_fullmsg" | grep -q -e '\<IBRS\>' -e 'Indirect Branch Restricted Speculation'; then
+                    pr_debug "ibrs: found IBRS in sysfs"
+                    [ -z "$g_ibrs_supported" ] && g_ibrs_supported='found IBRS in sysfs'
+                    [ -z "$g_ibrs_enabled" ] && g_ibrs_enabled=3
+                fi
+                # checking for 'Enhanced IBRS' in sysfs, enabled on CPUs with IBRS_ALL
+                if echo "$ret_sys_interface_check_fullmsg" | grep -q -e 'Enhanced IBRS'; then
+                    [ -z "$g_ibrs_supported" ] && g_ibrs_supported='found Enhanced IBRS in sysfs'
+                    # 4 isn't actually a valid value of the now extinct "g_ibrs_enabled" flag file,
+                    # that only went from 0 to 3, so we use 4 as "enhanced ibrs is enabled"
+                    g_ibrs_enabled=4
+                fi
+            fi
+            # in live mode, if ibrs or ibpb is supported and we didn't find these are enabled, then they are not
+            [ -n "$g_ibrs_supported" ] && [ -z "$g_ibrs_enabled" ] && g_ibrs_enabled=0
+            [ -n "$g_ibpb_supported" ] && [ -z "$g_ibpb_enabled" ] && g_ibpb_enabled=0
+        fi
+        if [ -z "$g_ibrs_supported" ]; then
+            check_redhat_canonical_spectre
+            if [ "$g_redhat_canonical_spectre" = 1 ]; then
+                g_ibrs_supported="Red Hat/Ubuntu variant"
+                g_ibpb_supported="Red Hat/Ubuntu variant"
+            fi
+        fi
+        if [ -z "$g_ibrs_supported" ] && [ -n "$g_kernel" ]; then
+            if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
+                :
+            else
+                g_ibrs_can_tell=1
+                g_ibrs_supported=$("${opt_arch_prefix}strings" "$g_kernel" | grep -Fw -e '[,;] IBRS_FW' | head -n1)
+                if [ -n "$g_ibrs_supported" ]; then
+                    pr_debug "ibrs: found ibrs evidence in kernel image ($g_ibrs_supported)"
+                    g_ibrs_supported="found '$g_ibrs_supported' in kernel image"
+                fi
+            fi
+        fi
+        if [ -z "$g_ibrs_supported" ] && [ -n "$opt_map" ]; then
+            g_ibrs_can_tell=1
+            if grep -q spec_ctrl "$opt_map"; then
+                g_ibrs_supported="found spec_ctrl in symbols file"
+                pr_debug "ibrs: found '*spec_ctrl*' symbol in $opt_map"
+            fi
+        fi
+        # recent (4.15) vanilla kernels have IBPB but not IBRS, and without the debugfs tunables of Red Hat
+        # we can detect it directly in the image
+        if [ -z "$g_ibpb_supported" ] && [ -n "$g_kernel" ]; then
+            if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
+                :
+            else
+                g_ibpb_can_tell=1
+                g_ibpb_supported=$("${opt_arch_prefix}strings" "$g_kernel" | grep -Fw -e 'ibpb' -e ', IBPB' | head -n1)
+                if [ -n "$g_ibpb_supported" ]; then
+                    pr_debug "ibpb: found ibpb evidence in kernel image ($g_ibpb_supported)"
+                    g_ibpb_supported="found '$g_ibpb_supported' in kernel image"
+                fi
+            fi
+        fi
+
+        pr_info_nol "  * Kernel is compiled with IBRS support: "
+        if [ -z "$g_ibrs_supported" ]; then
+            if [ "$g_ibrs_can_tell" = 1 ]; then
+                pstatus yellow NO
+            else
+                # problem obtaining/inspecting kernel or strings not installed, but if the later is true,
+                # then readelf is not installed either (both in binutils) which makes the former true, so
+                # either way g_kernel_err should be set
+                pstatus yellow UNKNOWN "couldn't check ($g_kernel_err)"
+            fi
+        else
+            if [ "$opt_verbose" -ge 2 ]; then
+                pstatus green YES "$g_ibrs_supported"
+            else
+                pstatus green YES
+            fi
+        fi
+
+        pr_info_nol "    * IBRS enabled and active: "
+        if [ "$opt_live" = 1 ]; then
+            if [ "$g_ibpb_enabled" = 2 ]; then
+                # if ibpb=2, ibrs is forcefully=0
+                pstatus blue NO "IBPB used instead of IBRS in all kernel entrypoints"
+            else
+                # 0 means disabled
+                # 1 is enabled only for kernel space
+                # 2 is enabled for kernel and user space
+                # 3 is enabled
+                # 4 is enhanced ibrs enabled
+                case "$g_ibrs_enabled" in
+                    0)
+                        if [ "$g_ibrs_fw_enabled" = 1 ]; then
+                            pstatus blue YES "for firmware code only"
+                        else
+                            pstatus yellow NO
+                        fi
+                        ;;
+                    1) if [ "$g_ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel space and firmware code"; else pstatus green YES "for kernel space"; fi ;;
+                    2) if [ "$g_ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel, user space, and firmware code"; else pstatus green YES "for both kernel and user space"; fi ;;
+                    3) if [ "$g_ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel and firmware code"; else pstatus green YES; fi ;;
+                    4) pstatus green YES "Enhanced flavor, performance impact will be greatly reduced" ;;
+                    *) if [ "$cap_ibrs" != 'SPEC_CTRL' ] && [ "$cap_ibrs" != 'IBRS_SUPPORT' ] && [ "$cap_spec_ctrl" != -1 ]; then
+                        pstatus yellow NO
+                        pr_debug "ibrs: known cpu not supporting SPEC-CTRL or IBRS"
+                    else
+                        pstatus yellow UNKNOWN
+                    fi ;;
+                esac
+            fi
+        else
+            pstatus blue N/A "not testable in offline mode"
+        fi
+
+        pr_info_nol "  * Kernel is compiled with IBPB support: "
+        if [ -z "$g_ibpb_supported" ]; then
+            if [ "$g_ibpb_can_tell" = 1 ]; then
+                pstatus yellow NO
+            else
+                # if we're in offline mode without System.map, we can't really know
+                pstatus yellow UNKNOWN "in offline mode, we need the kernel image to be able to tell"
+            fi
+        else
+            if [ "$opt_verbose" -ge 2 ]; then
+                pstatus green YES "$g_ibpb_supported"
+            else
+                pstatus green YES
+            fi
+        fi
+
+        pr_info_nol "    * IBPB enabled and active: "
+        if [ "$opt_live" = 1 ]; then
+            case "$g_ibpb_enabled" in
+                "")
+                    if [ "$g_ibrs_supported" = 1 ]; then
+                        pstatus yellow UNKNOWN
+                    else
+                        pstatus yellow NO
+                    fi
+                    ;;
+                0)
+                    pstatus yellow NO
+                    ;;
+                1) pstatus green YES ;;
+                2) pstatus green YES "IBPB used instead of IBRS in all kernel entrypoints" ;;
+                *) pstatus yellow UNKNOWN ;;
+            esac
+        else
+            pstatus blue N/A "not testable in offline mode"
+        fi
+
+        pr_info "* Mitigation 2"
+        pr_info_nol "  * Kernel has branch predictor hardening (arm): "
+        bp_harden_can_tell=0
+        bp_harden=''
+        if [ -r "$opt_config" ]; then
+            bp_harden_can_tell=1
+            bp_harden=$(grep -w 'CONFIG_HARDEN_BRANCH_PREDICTOR=y' "$opt_config")
+            if [ -n "$bp_harden" ]; then
+                pstatus green YES
+                pr_debug "bp_harden: found '$bp_harden' in $opt_config"
+            fi
+        fi
+        if [ -z "$bp_harden" ] && [ -n "$opt_map" ]; then
+            bp_harden_can_tell=1
+            bp_harden=$(grep -w bp_hardening_data "$opt_map")
+            if [ -n "$bp_harden" ]; then
+                pstatus green YES
+                pr_debug "bp_harden: found '$bp_harden' in $opt_map"
+            fi
+        fi
+        if [ -z "$bp_harden" ]; then
+            if [ "$bp_harden_can_tell" = 1 ]; then
+                pstatus yellow NO
+            else
+                pstatus yellow UNKNOWN
+            fi
+        fi
+
+        pr_info_nol "  * Kernel compiled with retpoline option: "
+        # We check the RETPOLINE kernel options
+        retpoline=0
+        if [ -r "$opt_config" ]; then
+            if grep -q '^CONFIG_\(MITIGATION_\)\?RETPOLINE=y' "$opt_config"; then
+                pstatus green YES
+                retpoline=1
+                # shellcheck disable=SC2046
+                pr_debug 'retpoline: found '$(grep '^CONFIG_\(MITIGATION_\)\?RETPOLINE' "$opt_config")" in $opt_config"
+            else
+                pstatus yellow NO
+            fi
+        else
+            pstatus yellow UNKNOWN "couldn't read your kernel configuration"
+        fi
+
+        if [ "$retpoline" = 1 ]; then
+            # Now check if the compiler used to compile the kernel knows how to insert retpolines in generated asm
+            # For gcc, this is -mindirect-branch=thunk-extern (detected by the kernel makefiles)
+            # See gcc commit https://github.com/hjl-tools/gcc/commit/23b517d4a67c02d3ef80b6109218f2aadad7bd79
+            # In latest retpoline LKML patches, the noretpoline_setup symbol exists only if CONFIG_MITIGATION_RETPOLINE is set
+            # *AND* if the compiler is retpoline-compliant, so look for that symbol. The name of this kernel config
+            # option before version 6.9-rc1 is CONFIG_RETPOLINE.
+            #
+            # if there is "retpoline" in the file and NOT "minimal", then it's full retpoline
+            # (works for vanilla and Red Hat variants)
+            #
+            # since 5.15.28, this is now "Retpolines" as the implementation was switched to a generic one,
+            # so we look for both "retpoline" and "retpolines"
+            if [ "$opt_live" = 1 ] && [ -n "$ret_sys_interface_check_fullmsg" ]; then
+                if echo "$ret_sys_interface_check_fullmsg" | grep -qwi -e retpoline -e retpolines; then
+                    if echo "$ret_sys_interface_check_fullmsg" | grep -qwi minimal; then
+                        retpoline_compiler=0
+                        retpoline_compiler_reason="kernel reports minimal retpoline compilation"
+                    else
+                        retpoline_compiler=1
+                        retpoline_compiler_reason="kernel reports full retpoline compilation"
+                    fi
+                fi
+            elif [ -n "$opt_map" ]; then
+                # look for the symbol
+                if grep -qw noretpoline_setup "$opt_map"; then
+                    retpoline_compiler=1
+                    retpoline_compiler_reason="noretpoline_setup symbol found in System.map"
+                fi
+            elif [ -n "$g_kernel" ]; then
+                # look for the symbol
+                if command -v "${opt_arch_prefix}nm" >/dev/null 2>&1; then
+                    # the proper way: use nm and look for the symbol
+                    if "${opt_arch_prefix}nm" "$g_kernel" 2>/dev/null | grep -qw 'noretpoline_setup'; then
+                        retpoline_compiler=1
+                        retpoline_compiler_reason="noretpoline_setup found in kernel symbols"
+                    fi
+                elif grep -q noretpoline_setup "$g_kernel"; then
+                    # if we don't have nm, nevermind, the symbol name is long enough to not have
+                    # any false positive using good old grep directly on the binary
+                    retpoline_compiler=1
+                    retpoline_compiler_reason="noretpoline_setup found in kernel"
+                fi
+            fi
+            if [ -n "$retpoline_compiler" ]; then
+                pr_info_nol "    * Kernel compiled with a retpoline-aware compiler: "
+                if [ "$retpoline_compiler" = 1 ]; then
+                    if [ -n "$retpoline_compiler_reason" ]; then
+                        pstatus green YES "$retpoline_compiler_reason"
+                    else
+                        pstatus green YES
+                    fi
+                else
+                    if [ -n "$retpoline_compiler_reason" ]; then
+                        pstatus red NO "$retpoline_compiler_reason"
+                    else
+                        pstatus red NO
+                    fi
+                fi
+            fi
+        fi
+
+        # only Red Hat has a tunable to disable it on runtime
+        retp_enabled=-1
+        if [ "$opt_live" = 1 ]; then
+            if [ -e "$g_specex_knob_dir/retp_enabled" ]; then
+                retp_enabled=$(cat "$g_specex_knob_dir/retp_enabled" 2>/dev/null)
+                pr_debug "retpoline: found $g_specex_knob_dir/retp_enabled=$retp_enabled"
+                pr_info_nol "    * Retpoline is enabled: "
+                if [ "$retp_enabled" = 1 ]; then
+                    pstatus green YES
+                else
+                    pstatus yellow NO
+                fi
+            fi
+        fi
+
+        # only for information, in verbose mode
+        if [ "$opt_verbose" -ge 2 ]; then
+            pr_info_nol "    * Local gcc is retpoline-aware: "
+            if command -v gcc >/dev/null 2>&1; then
+                if [ -n "$(gcc -mindirect-branch=thunk-extern --version 2>&1 >/dev/null)" ]; then
+                    pstatus blue NO
+                else
+                    pstatus green YES
+                fi
+            else
+                pstatus blue NO "gcc is not installed"
+            fi
+        fi
+
+        if is_vulnerable_to_empty_rsb || [ "$opt_verbose" -ge 2 ]; then
+            pr_info_nol "  * Kernel supports RSB filling: "
+            rsb_filling=0
+            if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" != 1 ]; then
+                # if we're live and we aren't denied looking into /sys, let's do it
+                if echo "$msg" | grep -qw RSB; then
+                    rsb_filling=1
+                    pstatus green YES
+                fi
+            fi
+            if [ "$rsb_filling" = 0 ]; then
+                if [ -n "$g_kernel_err" ]; then
+                    pstatus yellow UNKNOWN "couldn't check ($g_kernel_err)"
+                else
+                    if grep -qw -e 'Filling RSB on context switch' "$g_kernel"; then
+                        rsb_filling=1
+                        pstatus green YES
+                    else
+                        rsb_filling=0
+                        pstatus yellow NO
+                    fi
+                fi
+            fi
+        fi
+
+    elif [ "$sys_interface_available" = 0 ]; then
+        # we have no sysfs but were asked to use it only!
+        msg="/sys vulnerability interface use forced, but it's not available!"
+        status=UNK
+    fi
+
+    if ! is_cpu_affected "$cve"; then
+        # override status & msg in case CPU is not vulnerable after all
+        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+    else
+        if [ "$retpoline" = 1 ] && [ "$retpoline_compiler" = 1 ] && [ "$retp_enabled" != 0 ] && [ -n "$g_ibpb_enabled" ] && [ "$g_ibpb_enabled" -ge 1 ] && (! is_vulnerable_to_empty_rsb || [ "$rsb_filling" = 1 ]); then
+            pvulnstatus "$cve" OK "Full retpoline + IBPB are mitigating the vulnerability"
+        elif [ "$retpoline" = 1 ] && [ "$retpoline_compiler" = 1 ] && [ "$retp_enabled" != 0 ] && [ "$opt_paranoid" = 0 ] && (! is_vulnerable_to_empty_rsb || [ "$rsb_filling" = 1 ]); then
+            pvulnstatus "$cve" OK "Full retpoline is mitigating the vulnerability"
+            if [ -n "$cap_ibpb" ]; then
+                pr_warn "You should enable IBPB to complete retpoline as a Variant 2 mitigation"
+            else
+                pr_warn "IBPB is considered as a good addition to retpoline for Variant 2 mitigation, but your CPU microcode doesn't support it"
+            fi
+        elif [ -n "$g_ibrs_enabled" ] && [ -n "$g_ibpb_enabled" ] && [ "$g_ibrs_enabled" -ge 1 ] && [ "$g_ibpb_enabled" -ge 1 ]; then
+            if [ "$g_ibrs_enabled" = 4 ]; then
+                pvulnstatus "$cve" OK "Enhanced IBRS + IBPB are mitigating the vulnerability"
+            else
+                pvulnstatus "$cve" OK "IBRS + IBPB are mitigating the vulnerability"
+            fi
+        elif [ "$g_ibpb_enabled" = 2 ] && ! is_cpu_smt_enabled; then
+            pvulnstatus "$cve" OK "Full IBPB is mitigating the vulnerability"
+        elif [ -n "$bp_harden" ]; then
+            pvulnstatus "$cve" OK "Branch predictor hardening mitigates the vulnerability"
+        elif [ -z "$bp_harden" ] && [ "$cpu_vendor" = ARM ]; then
+            pvulnstatus "$cve" VULN "Branch predictor hardening is needed to mitigate the vulnerability"
+            explain "Your kernel has not been compiled with the CONFIG_UNMAP_KERNEL_AT_EL0 option, recompile it with this option enabled."
+        elif [ "$opt_live" != 1 ]; then
+            if [ "$retpoline" = 1 ] && [ -n "$g_ibpb_supported" ]; then
+                pvulnstatus "$cve" OK "offline mode: kernel supports retpoline + IBPB to mitigate the vulnerability"
+            elif [ -n "$g_ibrs_supported" ] && [ -n "$g_ibpb_supported" ]; then
+                pvulnstatus "$cve" OK "offline mode: kernel supports IBRS + IBPB to mitigate the vulnerability"
+            elif [ "$g_ibrs_can_tell" != 1 ]; then
+                pvulnstatus "$cve" UNK "offline mode: not enough information"
+                explain "Re-run this script with root privileges, and give it the kernel image (--kernel), the kernel configuration (--config) and the System.map file (--map) corresponding to the kernel you would like to inspect."
+            fi
+        fi
+
+        # if we arrive here and didn't already call pvulnstatus, then it's VULN, let's explain why
+        if [ "$g_pvulnstatus_last_cve" != "$cve" ]; then
+            # explain what's needed for this CPU
+            if is_vulnerable_to_empty_rsb; then
+                pvulnstatus "$cve" VULN "IBRS+IBPB or retpoline+IBPB+RSB filling, is needed to mitigate the vulnerability"
+                explain "To mitigate this vulnerability, you need either IBRS + IBPB, both requiring hardware support from your CPU microcode in addition to kernel support, or a kernel compiled with retpoline and IBPB, with retpoline requiring a retpoline-aware compiler (re-run this script with -v to know if your version of gcc is retpoline-aware) and IBPB requiring hardware support from your CPU microcode. You also need a recent-enough kernel that supports RSB filling if you plan to use retpoline. For Skylake+ CPUs, the IBRS + IBPB approach is generally preferred as it guarantees complete protection, and the performance impact is not as high as with older CPUs in comparison with retpoline. More information about how to enable the missing bits for those two possible mitigations on your system follow. You only need to take one of the two approaches."
+            elif is_zen_cpu || is_moksha_cpu; then
+                pvulnstatus "$cve" VULN "retpoline+IBPB is needed to mitigate the vulnerability"
+                explain "To mitigate this vulnerability, You need a kernel compiled with retpoline + IBPB support, with retpoline requiring a retpoline-aware compiler (re-run this script with -v to know if your version of gcc is retpoline-aware) and IBPB requiring hardware support from your CPU microcode."
+            elif is_intel || is_amd || is_hygon; then
+                pvulnstatus "$cve" VULN "IBRS+IBPB or retpoline+IBPB is needed to mitigate the vulnerability"
+                explain "To mitigate this vulnerability, you need either IBRS + IBPB, both requiring hardware support from your CPU microcode in addition to kernel support, or a kernel compiled with retpoline and IBPB, with retpoline requiring a retpoline-aware compiler (re-run this script with -v to know if your version of gcc is retpoline-aware) and IBPB requiring hardware support from your CPU microcode. The retpoline + IBPB approach is generally preferred as the performance impact is lower. More information about how to enable the missing bits for those two possible mitigations on your system follow. You only need to take one of the two approaches."
+            else
+                # in that case, we might want to trust sysfs if it's there
+                if [ -n "$msg" ]; then
+                    [ "$msg" = Vulnerable ] && msg="no known mitigation exists for your CPU vendor ($cpu_vendor)"
+                    pvulnstatus "$cve" "$status" "$msg"
+                else
+                    pvulnstatus "$cve" VULN "no known mitigation exists for your CPU vendor ($cpu_vendor)"
+                fi
+            fi
+        fi
+
+        # if we are in live mode, we can check for a lot more stuff and explain further
+        if [ "$opt_live" = 1 ] && [ "$vulnstatus" != "OK" ]; then
+            explain_hypervisor="An updated CPU microcode will have IBRS/IBPB capabilities indicated in the Hardware Check section above. If you're running under a hypervisor (KVM, Xen, VirtualBox, VMware, ...), the hypervisor needs to be up to date to be able to export the new host CPU flags to the guest. You can run this script on the host to check if the host CPU is IBRS/IBPB. If it is, and it doesn't show up in the guest, upgrade the hypervisor. You may need to reconfigure your VM to use a CPU model that has IBRS capability; in Libvirt, such CPUs are listed with an IBRS suffix."
+            # IBPB (amd & intel)
+            if { [ -z "$g_ibpb_enabled" ] || [ "$g_ibpb_enabled" = 0 ]; } && { is_intel || is_amd || is_hygon; }; then
+                if [ -z "$cap_ibpb" ]; then
+                    explain "The microcode of your CPU needs to be upgraded to be able to use IBPB. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section). $explain_hypervisor"
+                fi
+                if [ -z "$g_ibpb_supported" ]; then
+                    explain "Your kernel doesn't have IBPB support, so you need to either upgrade your kernel (if you're using a distro) or recompiling a more recent kernel."
+                fi
+                if [ -n "$cap_ibpb" ] && [ -n "$g_ibpb_supported" ]; then
+                    if [ -e "$g_specex_knob_dir/g_ibpb_enabled" ]; then
+                        # newer (April 2018) Red Hat kernels have g_ibpb_enabled as ro, and automatically enables it with retpoline
+                        if [ ! -w "$g_specex_knob_dir/g_ibpb_enabled" ] && [ -e "$g_specex_knob_dir/retp_enabled" ]; then
+                            explain "Both your CPU and your kernel have IBPB support, but it is currently disabled. You kernel should enable IBPB automatically if you enable retpoline. You may enable it with \`echo 1 > $g_specex_knob_dir/retp_enabled\`."
+                        else
+                            explain "Both your CPU and your kernel have IBPB support, but it is currently disabled. You may enable it with \`echo 1 > $g_specex_knob_dir/g_ibpb_enabled\`."
+                        fi
+                    else
+                        explain "Both your CPU and your kernel have IBPB support, but it is currently disabled. You may enable it. Check in your distro's documentation on how to do this."
+                    fi
+                fi
+            elif [ "$g_ibpb_enabled" = 2 ] && is_cpu_smt_enabled; then
+                explain "You have g_ibpb_enabled set to 2, but it only offers sufficient protection when simultaneous multi-threading (aka SMT or HyperThreading) is disabled. You should reboot your system with the kernel parameter \`nosmt\`."
+            fi
+            # /IBPB
+
+            # IBRS (amd & intel)
+            if { [ -z "$g_ibrs_enabled" ] || [ "$g_ibrs_enabled" = 0 ]; } && { is_intel || is_amd || is_hygon; }; then
+                if [ -z "$cap_ibrs" ]; then
+                    explain "The microcode of your CPU needs to be upgraded to be able to use IBRS. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section). $explain_hypervisor"
+                fi
+                if [ -z "$g_ibrs_supported" ]; then
+                    explain "Your kernel doesn't have IBRS support, so you need to either upgrade your kernel (if you're using a distro) or recompiling a more recent kernel."
+                fi
+                if [ -n "$cap_ibrs" ] && [ -n "$g_ibrs_supported" ]; then
+                    if [ -e "$g_specex_knob_dir/g_ibrs_enabled" ]; then
+                        explain "Both your CPU and your kernel have IBRS support, but it is currently disabled. You may enable it with \`echo 1 > $g_specex_knob_dir/g_ibrs_enabled\`."
+                    else
+                        explain "Both your CPU and your kernel have IBRS support, but it is currently disabled. You may enable it. Check in your distro's documentation on how to do this."
+                    fi
+                fi
+            fi
+            # /IBRS
+            unset explain_hypervisor
+
+            # RETPOLINE (amd & intel &hygon )
+            if is_amd || is_intel || is_hygon; then
+                if [ "$retpoline" = 0 ]; then
+                    explain "Your kernel is not compiled with retpoline support, so you need to either upgrade your kernel (if you're using a distro) or recompile your kernel with the CONFIG_MITIGATION_RETPOLINE option enabled (was named CONFIG_RETPOLINE before kernel 6.9-rc1). You also need to compile your kernel with a retpoline-aware compiler (re-run this script with -v to know if your version of gcc is retpoline-aware)."
+                elif [ "$retpoline" = 1 ] && [ "$retpoline_compiler" = 0 ]; then
+                    explain "Your kernel is compiled with retpoline, but without a retpoline-aware compiler (re-run this script with -v to know if your version of gcc is retpoline-aware)."
+                elif [ "$retpoline" = 1 ] && [ "$retpoline_compiler" = 1 ] && [ "$retp_enabled" = 0 ]; then
+                    explain "Your kernel has retpoline support and has been compiled with a retpoline-aware compiler, but retpoline is disabled. You should enable it with \`echo 1 > $g_specex_knob_dir/retp_enabled\`."
+                fi
+            fi
+            # /RETPOLINE
+        fi
+    fi
+    # sysfs msgs:
+    #1 "Vulnerable"
+    #2 "Vulnerable: Minimal generic ASM retpoline"
+    #2 "Vulnerable: Minimal AMD ASM retpoline"
+    # "Mitigation: Full generic retpoline"
+    # "Mitigation: Full AMD retpoline"
+    # $MITIGATION + ", IBPB"
+    # $MITIGATION + ", IBRS_FW"
+    #5 $MITIGATION + " - vulnerable module loaded"
+    # Red Hat only:
+    #2 "Vulnerable: Minimal ASM retpoline",
+    #3 "Vulnerable: Retpoline without IBPB",
+    #4 "Vulnerable: Retpoline on Skylake+",
+    #5 "Vulnerable: Retpoline with unsafe module(s)",
+    # "Mitigation: Full retpoline",
+    # "Mitigation: Full retpoline and IBRS (user space)",
+    # "Mitigation: IBRS (kernel)",
+    # "Mitigation: IBRS (kernel and user space)",
+    # "Mitigation: IBP disabled",
+}
+
+# CVE-2017-5715 Spectre Variant 2 (branch target injection) - BSD mitigation check
+check_CVE_2017_5715_bsd() {
+    local ibrs_disabled ibrs_active retpoline nb_thunks
+    pr_info "* Mitigation 1"
+    pr_info_nol "  * Kernel supports IBRS: "
+    ibrs_disabled=$(sysctl -n hw.ibrs_disable 2>/dev/null)
+    if [ -z "$ibrs_disabled" ]; then
+        pstatus yellow NO
+    else
+        pstatus green YES
+    fi
+
+    pr_info_nol "  * IBRS enabled and active: "
+    ibrs_active=$(sysctl -n hw.ibrs_active 2>/dev/null)
+    if [ "$ibrs_active" = 1 ]; then
+        pstatus green YES
+    else
+        pstatus yellow NO
+    fi
+
+    pr_info "* Mitigation 2"
+    pr_info_nol "  * Kernel compiled with RETPOLINE: "
+    retpoline=0
+    if [ -n "$g_kernel_err" ]; then
+        pstatus yellow UNKNOWN "couldn't check ($g_kernel_err)"
+    else
+        if ! command -v "${opt_arch_prefix}readelf" >/dev/null 2>&1; then
+            pstatus yellow UNKNOWN "missing '${opt_arch_prefix}readelf' tool, please install it, usually it's in the binutils package"
+        else
+            nb_thunks=$("${opt_arch_prefix}readelf" -s "$g_kernel" | grep -c -e __llvm_retpoline_ -e __llvm_external_retpoline_ -e __x86_indirect_thunk_)
+            if [ "$nb_thunks" -gt 0 ]; then
+                retpoline=1
+                pstatus green YES "found $nb_thunks thunk(s)"
+            else
+                pstatus yellow NO
+            fi
+        fi
+    fi
+
+    if ! is_cpu_affected "$cve"; then
+        # override status & msg in case CPU is not vulnerable after all
+        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+    elif [ "$retpoline" = 1 ]; then
+        pvulnstatus "$cve" OK "Retpoline mitigates the vulnerability"
+    elif [ "$ibrs_active" = 1 ]; then
+        pvulnstatus "$cve" OK "IBRS mitigates the vulnerability"
+    elif [ "$ibrs_disabled" = 0 ]; then
+        pvulnstatus "$cve" VULN "IBRS is supported by your kernel but your CPU microcode lacks support"
+        explain "The microcode of your CPU needs to be upgraded to be able to use IBRS. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section). To do a microcode update, you can search the ports for the \`cpupdate\` tool. Microcode updates done this way are not reboot-proof, so be sure to do it every time the system boots up."
+    elif [ "$ibrs_disabled" = 1 ]; then
+        pvulnstatus "$cve" VULN "IBRS is supported but administratively disabled on your system"
+        explain "To enable IBRS, use \`sysctl hw.ibrs_disable=0\`"
+    else
+        pvulnstatus "$cve" VULN "IBRS is needed to mitigate the vulnerability but your kernel is missing support"
+        explain "You need to either upgrade your kernel or recompile yourself a more recent version having IBRS support"
+    fi
+}
--- a/src/vulns/CVE-2017-5753.sh
+++ b/src/vulns/CVE-2017-5753.sh
@@ -0,0 +1,235 @@
+# vim: set ts=4 sw=4 sts=4 et:
+###################
+# SPECTRE 1 SECTION
+
+# CVE-2017-5753 Spectre Variant 1 (bounds check bypass) - entry point
+check_CVE_2017_5753() {
+    check_cve 'CVE-2017-5753'
+}
+
+# CVE-2017-5753 Spectre Variant 1 (bounds check bypass) - Linux mitigation check
+check_CVE_2017_5753_linux() {
+    local status sys_interface_available msg v1_mask_nospec nb_lfence v1_lfence ret explain_text
+    status=UNK
+    sys_interface_available=0
+    msg=''
+    if sys_interface_check "$VULN_SYSFS_BASE/spectre_v1"; then
+        # this kernel has the /sys interface, trust it over everything
+        # v0.33+: don't. some kernels have backported the array_index_mask_nospec() workaround without
+        # modifying the vulnerabilities/spectre_v1 file. that's bad. we can't trust it when it says Vulnerable :(
+        # see "silent backport" detection at the bottom of this func
+        sys_interface_available=1
+        status=$ret_sys_interface_check_status
+    fi
+    if [ "$opt_sysfs_only" != 1 ]; then
+        # no /sys interface (or offline mode), fallback to our own ways
+        pr_info_nol "* Kernel has array_index_mask_nospec: "
+        # vanilla: look for the Linus' mask aka array_index_mask_nospec()
+        # that is inlined at least in raw_copy_from_user (__get_user_X symbols)
+        #mov PER_CPU_VAR(current_task), %_ASM_DX
+        #cmp TASK_addr_limit(%_ASM_DX),%_ASM_AX
+        #jae bad_get_user
+        # /* array_index_mask_nospec() are the 2 opcodes that follow */
+        #+sbb %_ASM_DX, %_ASM_DX
+        #+and %_ASM_DX, %_ASM_AX
+        #ASM_STAC
+        # x86 64bits: jae(0x0f 0x83 0x?? 0x?? 0x?? 0x??) sbb(0x48 0x19 0xd2) and(0x48 0x21 0xd0)
+        # x86 32bits: cmp(0x3b 0x82 0x?? 0x?? 0x00 0x00) jae(0x73 0x??) sbb(0x19 0xd2) and(0x21 0xd0)
+        #
+        # arm32
+        ##ifdef CONFIG_THUMB2_KERNEL
+        ##define CSDB	".inst.w 0xf3af8014"
+        ##else
+        ##define CSDB	".inst	0xe320f014"     e320f014
+        ##endif
+        #asm volatile(
+        #	"cmp	%1, %2\n"      e1500003
+        #"	sbc	%0, %1, %1\n"  e0c03000
+        #CSDB
+        #: "=r" (mask)
+        #: "r" (idx), "Ir" (sz)
+        #: "cc");
+        #
+        # http://git.arm.linux.org.uk/cgit/linux-arm.git/commit/?h=spectre&id=a78d156587931a2c3b354534aa772febf6c9e855
+        v1_mask_nospec=''
+        if [ -n "$g_kernel_err" ]; then
+            pstatus yellow UNKNOWN "couldn't check ($g_kernel_err)"
+        elif ! command -v perl >/dev/null 2>&1; then
+            pstatus yellow UNKNOWN "missing 'perl' binary, please install it"
+        else
+            perl -ne '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END { exit($found) }' "$g_kernel"
+            ret=$?
+            if [ "$ret" -gt 0 ]; then
+                pstatus green YES "$ret occurrence(s) found of x86 64 bits array_index_mask_nospec()"
+                v1_mask_nospec="x86 64 bits array_index_mask_nospec"
+            else
+                perl -ne '/\x3b\x82..\x00\x00\x73.\x19\xd2\x21\xd0/ and $found++; END { exit($found) }' "$g_kernel"
+                ret=$?
+                if [ "$ret" -gt 0 ]; then
+                    pstatus green YES "$ret occurrence(s) found of x86 32 bits array_index_mask_nospec()"
+                    v1_mask_nospec="x86 32 bits array_index_mask_nospec"
+                else
+                    ret=$("${opt_arch_prefix}objdump" "$g_objdump_options" "$g_kernel" | grep -w -e f3af8014 -e e320f014 -B2 | grep -B1 -w sbc | grep -w -c cmp)
+                    if [ "$ret" -gt 0 ]; then
+                        pstatus green YES "$ret occurrence(s) found of arm 32 bits array_index_mask_nospec()"
+                        v1_mask_nospec="arm 32 bits array_index_mask_nospec"
+                    else
+                        pstatus yellow NO
+                    fi
+                fi
+            fi
+        fi
+
+        pr_info_nol "* Kernel has the Red Hat/Ubuntu patch: "
+        check_redhat_canonical_spectre
+        if [ "$g_redhat_canonical_spectre" = -1 ]; then
+            pstatus yellow UNKNOWN "missing '${opt_arch_prefix}strings' tool, please install it, usually it's in the binutils package"
+        elif [ "$g_redhat_canonical_spectre" = -2 ]; then
+            pstatus yellow UNKNOWN "couldn't check ($g_kernel_err)"
+        elif [ "$g_redhat_canonical_spectre" = 1 ]; then
+            pstatus green YES
+        elif [ "$g_redhat_canonical_spectre" = 2 ]; then
+            pstatus green YES "but without IBRS"
+        else
+            pstatus yellow NO
+        fi
+
+        pr_info_nol "* Kernel has mask_nospec64 (arm64): "
+        #.macro	mask_nospec64, idx, limit, tmp
+        #sub	\tmp, \idx, \limit
+        #bic	\tmp, \tmp, \idx
+        #and	\idx, \idx, \tmp, asr #63
+        #csdb
+        #.endm
+        #$ aarch64-linux-gnu-objdump -d vmlinux | grep -w bic -A1 -B1 | grep -w sub -A2 | grep -w and -B2
+        #ffffff8008082e44:       cb190353        sub     x19, x26, x25
+        #ffffff8008082e48:       8a3a0273        bic     x19, x19, x26
+        #ffffff8008082e4c:       8a93ff5a        and     x26, x26, x19, asr #63
+        #ffffff8008082e50:       d503229f        hint    #0x14
+        # /!\ can also just be "csdb" instead of "hint #0x14" for native objdump
+        #
+        # if we have v1_mask_nospec or g_redhat_canonical_spectre>0, don't bother disassembling the kernel, the answer is no.
+        if [ -n "$v1_mask_nospec" ] || [ "$g_redhat_canonical_spectre" -gt 0 ]; then
+            pstatus yellow NO
+        elif [ -n "$g_kernel_err" ]; then
+            pstatus yellow UNKNOWN "couldn't check ($g_kernel_err)"
+        elif ! command -v perl >/dev/null 2>&1; then
+            pstatus yellow UNKNOWN "missing 'perl' binary, please install it"
+        elif ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then
+            pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package"
+        else
+            "${opt_arch_prefix}objdump" "$g_objdump_options" "$g_kernel" | perl -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\ssub\s+(x\d+)/ && $r[1]=~/\sbic\s+$1,\s+$1,/ && $r[2]=~/\sand\s/ && exit(9); shift @r if @r>3'
+            ret=$?
+            if [ "$ret" -eq 9 ]; then
+                pstatus green YES "mask_nospec64 macro is present and used"
+                v1_mask_nospec="arm64 mask_nospec64"
+            else
+                pstatus yellow NO
+            fi
+        fi
+
+        pr_info_nol "* Kernel has array_index_nospec (arm64): "
+        # in 4.19+ kernels, the mask_nospec64 asm64 macro is replaced by array_index_nospec, defined in nospec.h, and used in invoke_syscall()
+        # ffffff8008090a4c:       2a0203e2        mov     w2, w2
+        # ffffff8008090a50:       eb0200bf        cmp     x5, x2
+        # ffffff8008090a54:       da1f03e2        ngc     x2, xzr
+        # ffffff8008090a58:       d503229f        hint    #0x14
+        # /!\ can also just be "csdb" instead of "hint #0x14" for native objdump
+        #
+        # if we have v1_mask_nospec or g_redhat_canonical_spectre>0, don't bother disassembling the kernel, the answer is no.
+        if [ -n "$v1_mask_nospec" ] || [ "$g_redhat_canonical_spectre" -gt 0 ]; then
+            pstatus yellow NO
+        elif [ -n "$g_kernel_err" ]; then
+            pstatus yellow UNKNOWN "couldn't check ($g_kernel_err)"
+        elif ! command -v perl >/dev/null 2>&1; then
+            pstatus yellow UNKNOWN "missing 'perl' binary, please install it"
+        elif ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then
+            pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package"
+        else
+            "${opt_arch_prefix}objdump" -d "$g_kernel" | perl -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ && $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9); shift @r if @r>3'
+            ret=$?
+            if [ "$ret" -eq 9 ]; then
+                pstatus green YES "array_index_nospec macro is present and used"
+                v1_mask_nospec="arm64 array_index_nospec"
+            else
+                pstatus yellow NO
+            fi
+        fi
+
+        if [ "$opt_verbose" -ge 2 ] || { [ -z "$v1_mask_nospec" ] && [ "$g_redhat_canonical_spectre" != 1 ] && [ "$g_redhat_canonical_spectre" != 2 ]; }; then
+            # this is a slow heuristic and we don't need it if we already know the kernel is patched
+            # but still show it in verbose mode
+            pr_info_nol "* Checking count of LFENCE instructions following a jump in kernel... "
+            if [ -n "$g_kernel_err" ]; then
+                pstatus yellow UNKNOWN "couldn't check ($g_kernel_err)"
+            else
+                if ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then
+                    pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package"
+                else
+                    # here we disassemble the kernel and count the number of occurrences of the LFENCE opcode
+                    # in non-patched kernels, this has been empirically determined as being around 40-50
+                    # in patched kernels, this is more around 70-80, sometimes way higher (100+)
+                    # v0.13: 68 found in a 3.10.23-xxxx-std-ipv6-64 (with lots of modules compiled-in directly), which doesn't have the LFENCE patches,
+                    # so let's push the threshold to 70.
+                    # v0.33+: now only count lfence opcodes after a jump, way less error-prone
+                    # non patched kernel have between 0 and 20 matches, patched ones have at least 40-45
+                    nb_lfence=$("${opt_arch_prefix}objdump" "$g_objdump_options" "$g_kernel" 2>/dev/null | grep -w -B1 lfence | grep -Ewc 'jmp|jne|je')
+                    if [ "$nb_lfence" -lt 30 ]; then
+                        pstatus yellow NO "only $nb_lfence jump-then-lfence instructions found, should be >= 30 (heuristic)"
+                    else
+                        v1_lfence=1
+                        pstatus green YES "$nb_lfence jump-then-lfence instructions found, which is >= 30 (heuristic)"
+                    fi
+                fi
+            fi
+        fi
+
+    else
+        # we have no sysfs but were asked to use it only!
+        msg="/sys vulnerability interface use forced, but it's not available!"
+        status=UNK
+    fi
+
+    # report status
+    if ! is_cpu_affected "$cve"; then
+        # override status & msg in case CPU is not vulnerable after all
+        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+    elif [ -z "$msg" ]; then
+        # if msg is empty, sysfs check didn't fill it, rely on our own test
+        if [ -n "$v1_mask_nospec" ]; then
+            pvulnstatus "$cve" OK "Kernel source has been patched to mitigate the vulnerability ($v1_mask_nospec)"
+        elif [ "$g_redhat_canonical_spectre" = 1 ] || [ "$g_redhat_canonical_spectre" = 2 ]; then
+            pvulnstatus "$cve" OK "Kernel source has been patched to mitigate the vulnerability (Red Hat/Ubuntu patch)"
+        elif [ "$v1_lfence" = 1 ]; then
+            pvulnstatus "$cve" OK "Kernel source has PROBABLY been patched to mitigate the vulnerability (jump-then-lfence instructions heuristic)"
+        elif [ -n "$g_kernel_err" ]; then
+            pvulnstatus "$cve" UNK "Couldn't find kernel image or tools missing to execute the checks"
+            explain "Re-run this script with root privileges, after installing the missing tools indicated above"
+        else
+            pvulnstatus "$cve" VULN "Kernel source needs to be patched to mitigate the vulnerability"
+            explain "Your kernel is too old to have the mitigation for Variant 1, you should upgrade to a newer kernel. If you're using a Linux distro and didn't compile the kernel yourself, you should upgrade your distro to get a newer kernel."
+        fi
+    else
+        if [ "$msg" = "Vulnerable" ] && [ -n "$v1_mask_nospec" ]; then
+            pvulnstatus "$cve" OK "Kernel source has been patched to mitigate the vulnerability (silent backport of array_index_mask_nospec)"
+        else
+            if [ "$msg" = "Vulnerable" ]; then
+                msg="Kernel source needs to be patched to mitigate the vulnerability"
+                explain_text="Your kernel is too old to have the mitigation for Variant 1, you should upgrade to a newer kernel. If you're using a Linux distro and didn't compile the kernel yourself, you should upgrade your distro to get a newer kernel."
+            fi
+            pvulnstatus "$cve" "$status" "$msg"
+            [ -n "${explain_text:-}" ] && explain "$explain_text"
+            unset explain_text
+        fi
+    fi
+}
+
+# CVE-2017-5753 Spectre Variant 1 (bounds check bypass) - BSD mitigation check
+check_CVE_2017_5753_bsd() {
+    if ! is_cpu_affected "$cve"; then
+        # override status & msg in case CPU is not vulnerable after all
+        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+    else
+        pvulnstatus "$cve" VULN "no mitigation for BSD yet"
+    fi
+}
--- a/src/vulns/CVE-2017-5754.sh
+++ b/src/vulns/CVE-2017-5754.sh
@@ -0,0 +1,281 @@
+# vim: set ts=4 sw=4 sts=4 et:
+##################
+# MELTDOWN SECTION
+
+# no security impact but give a hint to the user in verbose mode
+# about PCID/INVPCID cpuid features that must be present to avoid
+# Check whether PCID/INVPCID are available to reduce PTI performance impact
+# refs:
+# https://marc.info/?t=151532047900001&r=1&w=2
+# https://groups.google.com/forum/m/#!topic/mechanical-sympathy/L9mHTbeQLNU
+pti_performance_check() {
+    local ret pcid invpcid
+    pr_info_nol "  * Reduced performance impact of PTI: "
+    if [ -e "$g_procfs/cpuinfo" ] && grep ^flags "$g_procfs/cpuinfo" | grep -qw pcid; then
+        pcid=1
+    else
+        read_cpuid 0x1 0x0 "$ECX" 17 1 1
+        ret=$?
+        if [ "$ret" = "$READ_CPUID_RET_OK" ]; then
+            pcid=1
+        fi
+    fi
+
+    if [ -e "$g_procfs/cpuinfo" ] && grep ^flags "$g_procfs/cpuinfo" | grep -qw invpcid; then
+        invpcid=1
+    else
+        read_cpuid 0x7 0x0 "$EBX" 10 1 1
+        ret=$?
+        if [ "$ret" = "$READ_CPUID_RET_OK" ]; then
+            invpcid=1
+        fi
+    fi
+
+    if [ "$invpcid" = 1 ]; then
+        pstatus green YES 'CPU supports INVPCID, performance impact of PTI will be greatly reduced'
+    elif [ "$pcid" = 1 ]; then
+        pstatus green YES 'CPU supports PCID, performance impact of PTI will be reduced'
+    else
+        pstatus blue NO 'PCID/INVPCID not supported, performance impact of PTI will be significant'
+    fi
+}
+
+# CVE-2017-5754 Meltdown (rogue data cache load) - entry point
+check_CVE_2017_5754() {
+    check_cve 'CVE-2017-5754'
+}
+
+# CVE-2017-5754 Meltdown (rogue data cache load) - Linux mitigation check
+check_CVE_2017_5754_linux() {
+    local status sys_interface_available msg kpti_support kpti_can_tell kpti_enabled dmesg_grep pti_xen_pv_domU xen_pv_domo xen_pv_domu explain_text
+    status=UNK
+    sys_interface_available=0
+    msg=''
+    if sys_interface_check "$VULN_SYSFS_BASE/meltdown"; then
+        # this kernel has the /sys interface, trust it over everything
+        sys_interface_available=1
+        status=$ret_sys_interface_check_status
+    fi
+    if [ "$opt_sysfs_only" != 1 ]; then
+        pr_info_nol "* Kernel supports Page Table Isolation (PTI): "
+        kpti_support=''
+        kpti_can_tell=0
+        if [ -n "$opt_config" ]; then
+            kpti_can_tell=1
+            kpti_support=$(grep -E -w -e 'CONFIG_(MITIGATION_)?PAGE_TABLE_ISOLATION=y' -e CONFIG_KAISER=y -e CONFIG_UNMAP_KERNEL_AT_EL0=y "$opt_config")
+            if [ -n "$kpti_support" ]; then
+                pr_debug "kpti_support: found option '$kpti_support' in $opt_config"
+            fi
+        fi
+        if [ -z "$kpti_support" ] && [ -n "$opt_map" ]; then
+            # it's not an elif: some backports don't have the PTI config but still include the patch
+            # so we try to find an exported symbol that is part of the PTI patch in System.map
+            # parse_kpti: arm
+            kpti_can_tell=1
+            kpti_support=$(grep -w -e kpti_force_enabled -e parse_kpti "$opt_map")
+            if [ -n "$kpti_support" ]; then
+                pr_debug "kpti_support: found '$kpti_support' in $opt_map"
+            fi
+        fi
+        if [ -z "$kpti_support" ] && [ -n "$g_kernel" ]; then
+            # same as above but in case we don't have System.map and only kernel, look for the
+            # nopti option that is part of the patch (kernel command line option)
+            # 'kpti=': arm
+            kpti_can_tell=1
+            if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
+                pstatus yellow UNKNOWN "missing '${opt_arch_prefix}strings' tool, please install it, usually it's in the binutils package"
+            else
+                kpti_support=$("${opt_arch_prefix}strings" "$g_kernel" | grep -w -e nopti -e kpti=)
+                if [ -n "$kpti_support" ]; then
+                    pr_debug "kpti_support: found '$kpti_support' in $g_kernel"
+                fi
+            fi
+        fi
+
+        if [ -n "$kpti_support" ]; then
+            if [ "$opt_verbose" -ge 2 ]; then
+                pstatus green YES "found '$kpti_support'"
+            else
+                pstatus green YES
+            fi
+        elif [ "$kpti_can_tell" = 1 ]; then
+            pstatus yellow NO
+        else
+            pstatus yellow UNKNOWN "couldn't read your kernel configuration nor System.map file"
+        fi
+
+        mount_debugfs
+        pr_info_nol "  * PTI enabled and active: "
+        if [ "$opt_live" = 1 ]; then
+            dmesg_grep="Kernel/User page tables isolation: enabled"
+            dmesg_grep="$dmesg_grep|Kernel page table isolation enabled"
+            dmesg_grep="$dmesg_grep|x86/pti: Unmapping kernel while in userspace"
+            # aarch64
+            dmesg_grep="$dmesg_grep|CPU features: detected( feature)?: Kernel page table isolation \(KPTI\)"
+            if grep ^flags "$g_procfs/cpuinfo" | grep -qw pti; then
+                # vanilla PTI patch sets the 'pti' flag in cpuinfo
+                pr_debug "kpti_enabled: found 'pti' flag in $g_procfs/cpuinfo"
+                kpti_enabled=1
+            elif grep ^flags "$g_procfs/cpuinfo" | grep -qw kaiser; then
+                # kernel line 4.9 sets the 'kaiser' flag in cpuinfo
+                pr_debug "kpti_enabled: found 'kaiser' flag in $g_procfs/cpuinfo"
+                kpti_enabled=1
+            elif [ -e "$DEBUGFS_BASE/x86/pti_enabled" ]; then
+                # Red Hat Backport creates a dedicated file, see https://access.redhat.com/articles/3311301
+                kpti_enabled=$(cat "$DEBUGFS_BASE/x86/pti_enabled" 2>/dev/null)
+                pr_debug "kpti_enabled: file $DEBUGFS_BASE/x86/pti_enabled exists and says: $kpti_enabled"
+            elif is_xen_dom0; then
+                pti_xen_pv_domU=$(xl dmesg 2>/dev/null | grep 'XPTI' | grep 'DomU enabled' | head -n1)
+
+                [ -n "$pti_xen_pv_domU" ] && kpti_enabled=1
+            fi
+            if [ -z "$kpti_enabled" ]; then
+                dmesg_grep "$dmesg_grep"
+                ret=$?
+                if [ "$ret" -eq 0 ]; then
+                    pr_debug "kpti_enabled: found hint in dmesg: $ret_dmesg_grep_grepped"
+                    kpti_enabled=1
+                elif [ "$ret" -eq 2 ]; then
+                    pr_debug "kpti_enabled: dmesg truncated"
+                    kpti_enabled=-1
+                fi
+            fi
+            if [ -z "$kpti_enabled" ]; then
+                pr_debug "kpti_enabled: couldn't find any hint that PTI is enabled"
+                kpti_enabled=0
+            fi
+            if [ "$kpti_enabled" = 1 ]; then
+                pstatus green YES
+            elif [ "$kpti_enabled" = -1 ]; then
+                pstatus yellow UNKNOWN "dmesg truncated, please reboot and relaunch this script"
+            else
+                pstatus yellow NO
+            fi
+        else
+            pstatus blue N/A "not testable in offline mode"
+        fi
+
+        pti_performance_check
+
+    elif [ "$sys_interface_available" = 0 ]; then
+        # we have no sysfs but were asked to use it only!
+        msg="/sys vulnerability interface use forced, but it's not available!"
+        status=UNK
+    fi
+
+    # Test if the current host is a Xen PV Dom0 / DomU
+    xen_pv_domo=0
+    xen_pv_domu=0
+    is_xen_dom0 && xen_pv_domo=1
+    is_xen_domU && xen_pv_domu=1
+
+    if [ "$opt_live" = 1 ]; then
+        # checking whether we're running under Xen PV 64 bits. If yes, we are affected by affected_variant3
+        # (unless we are a Dom0)
+        pr_info_nol "* Running as a Xen PV DomU: "
+        if [ "$xen_pv_domu" = 1 ]; then
+            pstatus yellow YES
+        else
+            pstatus blue NO
+        fi
+    fi
+
+    if ! is_cpu_affected "$cve"; then
+        # override status & msg in case CPU is not vulnerable after all
+        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+    elif [ -z "$msg" ]; then
+        # if msg is empty, sysfs check didn't fill it, rely on our own test
+        if [ "$opt_live" = 1 ]; then
+            if [ "$kpti_enabled" = 1 ]; then
+                pvulnstatus "$cve" OK "PTI mitigates the vulnerability"
+            elif [ "$xen_pv_domo" = 1 ]; then
+                pvulnstatus "$cve" OK "Xen Dom0s are safe and do not require PTI"
+            elif [ "$xen_pv_domu" = 1 ]; then
+                pvulnstatus "$cve" VULN "Xen PV DomUs are vulnerable and need to be run in HVM, PVHVM, PVH mode, or the Xen hypervisor must have the Xen's own PTI patch"
+                explain "Go to https://blog.xenproject.org/2018/01/22/xen-project-spectre-meltdown-faq-jan-22-update/ for more information"
+            elif [ "$kpti_enabled" = -1 ]; then
+                pvulnstatus "$cve" UNK "couldn't find any clue of PTI activation due to a truncated dmesg, please reboot and relaunch this script"
+            else
+                pvulnstatus "$cve" VULN "PTI is needed to mitigate the vulnerability"
+                if [ -n "$kpti_support" ]; then
+                    if [ -e "$DEBUGFS_BASE/x86/pti_enabled" ]; then
+                        explain "Your kernel supports PTI but it's disabled, you can enable it with \`echo 1 > $DEBUGFS_BASE/x86/pti_enabled\`"
+                    elif echo "$g_kernel_cmdline" | grep -q -w -e nopti -e pti=off; then
+                        explain "Your kernel supports PTI but it has been disabled on command-line, remove the nopti or pti=off option from your bootloader configuration"
+                    else
+                        explain "Your kernel supports PTI but it has been disabled, check \`dmesg\` right after boot to find clues why the system disabled it"
+                    fi
+                else
+                    explain "If you're using a distro kernel, upgrade your distro to get the latest kernel available. Otherwise, recompile the kernel with the CONFIG_(MITIGATION_)PAGE_TABLE_ISOLATION option (named CONFIG_KAISER for some kernels), or the CONFIG_UNMAP_KERNEL_AT_EL0 option (for ARM64)"
+                fi
+            fi
+        else
+            if [ -n "$kpti_support" ]; then
+                pvulnstatus "$cve" OK "offline mode: PTI will mitigate the vulnerability if enabled at runtime"
+            elif [ "$kpti_can_tell" = 1 ]; then
+                pvulnstatus "$cve" VULN "PTI is needed to mitigate the vulnerability"
+                explain "If you're using a distro kernel, upgrade your distro to get the latest kernel available. Otherwise, recompile the kernel with the CONFIG_(MITIGATION_)PAGE_TABLE_ISOLATION option (named CONFIG_KAISER for some kernels), or the CONFIG_UNMAP_KERNEL_AT_EL0 option (for ARM64)"
+            else
+                pvulnstatus "$cve" UNK "offline mode: not enough information"
+                explain "Re-run this script with root privileges, and give it the kernel image (--kernel), the kernel configuration (--config) and the System.map file (--map) corresponding to the kernel you would like to inspect."
+            fi
+        fi
+    else
+        if [ "$xen_pv_domo" = 1 ]; then
+            msg="Xen Dom0s are safe and do not require PTI"
+            status="OK"
+        elif [ "$xen_pv_domu" = 1 ]; then
+            msg="Xen PV DomUs are vulnerable and need to be run in HVM, PVHVM, PVH mode, or the Xen hypervisor must have the Xen's own PTI patch"
+            status="VULN"
+            explain_text="Go to https://blog.xenproject.org/2018/01/22/xen-project-spectre-meltdown-faq-jan-22-update/ for more information"
+        elif [ "$msg" = "Vulnerable" ]; then
+            msg="PTI is needed to mitigate the vulnerability"
+            explain_text="If you're using a distro kernel, upgrade your distro to get the latest kernel available. Otherwise, recompile the kernel with the CONFIG_(MITIGATION_)PAGE_TABLE_ISOLATION option (named CONFIG_KAISER for some kernels), or the CONFIG_UNMAP_KERNEL_AT_EL0 option (for ARM64)"
+        fi
+        pvulnstatus "$cve" "$status" "$msg"
+        [ -z "${explain_text:-}" ] && [ "$msg" = "Vulnerable" ] && explain_text="If you're using a distro kernel, upgrade your distro to get the latest kernel available. Otherwise, recompile the kernel with the CONFIG_(MITIGATION_)PAGE_TABLE_ISOLATION option (named CONFIG_KAISER for some kernels), or the CONFIG_UNMAP_KERNEL_AT_EL0 option (for ARM64)"
+        [ -n "${explain_text:-}" ] && explain "$explain_text"
+        unset explain_text
+    fi
+
+    # Warn the user about XSA-254 recommended mitigations
+    if [ "$xen_pv_domo" = 1 ]; then
+        pr_warn
+        pr_warn "This host is a Xen Dom0. Please make sure that you are running your DomUs"
+        pr_warn "in HVM, PVHVM or PVH mode to prevent any guest-to-host / host-to-guest attacks."
+        pr_warn
+        pr_warn "See https://blog.xenproject.org/2018/01/22/xen-project-spectre-meltdown-faq-jan-22-update/ and XSA-254 for details."
+    fi
+}
+
+# CVE-2017-5754 Meltdown (rogue data cache load) - BSD mitigation check
+check_CVE_2017_5754_bsd() {
+    local kpti_enabled
+    pr_info_nol "* Kernel supports Page Table Isolation (PTI): "
+    kpti_enabled=$(sysctl -n vm.pmap.pti 2>/dev/null)
+    if [ -z "$kpti_enabled" ]; then
+        pstatus yellow NO
+    else
+        pstatus green YES
+    fi
+
+    pr_info_nol "  * PTI enabled and active: "
+    if [ "$kpti_enabled" = 1 ]; then
+        pstatus green YES
+    else
+        pstatus yellow NO
+    fi
+
+    pti_performance_check
+
+    if ! is_cpu_affected "$cve"; then
+        # override status & msg in case CPU is not vulnerable after all
+        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+    elif [ "$kpti_enabled" = 1 ]; then
+        pvulnstatus "$cve" OK "PTI mitigates the vulnerability"
+    elif [ -n "$kpti_enabled" ]; then
+        pvulnstatus "$cve" VULN "PTI is supported but disabled on your system"
+    else
+        pvulnstatus "$cve" VULN "PTI is needed to mitigate the vulnerability"
+    fi
+}
--- a/src/vulns/CVE-2018-12126.sh
+++ b/src/vulns/CVE-2018-12126.sh
@@ -0,0 +1,8 @@
+# vim: set ts=4 sw=4 sts=4 et:
+###################
+# MSBDS SECTION
+
+# CVE-2018-12126 MSBDS (microarchitectural store buffer data sampling) - entry point
+check_CVE_2018_12126() {
+    check_cve 'CVE-2018-12126' check_mds
+}
--- a/src/vulns/CVE-2018-12127.sh
+++ b/src/vulns/CVE-2018-12127.sh
@@ -0,0 +1,8 @@
+# vim: set ts=4 sw=4 sts=4 et:
+###################
+# MLPDS SECTION
+
+# CVE-2018-12127 MLPDS (microarchitectural load port data sampling) - entry point
+check_CVE_2018_12127() {
+    check_cve 'CVE-2018-12127' check_mds
+}
--- a/src/vulns/CVE-2018-12130.sh
+++ b/src/vulns/CVE-2018-12130.sh
@@ -0,0 +1,8 @@
+# vim: set ts=4 sw=4 sts=4 et:
+###################
+# MFBDS SECTION
+
+# CVE-2018-12130 MFBDS (microarchitectural fill buffer data sampling) - entry point
+check_CVE_2018_12130() {
+    check_cve 'CVE-2018-12130' check_mds
+}
--- a/src/vulns/CVE-2018-12207.sh
+++ b/src/vulns/CVE-2018-12207.sh
@@ -0,0 +1,111 @@
+# vim: set ts=4 sw=4 sts=4 et:
+#######################
+# iTLB Multihit section
+
+# CVE-2018-12207 iTLB multihit (machine check exception on page size changes) - entry point
+check_CVE_2018_12207() {
+    check_cve 'CVE-2018-12207'
+}
+
+# CVE-2018-12207 iTLB multihit (machine check exception on page size changes) - Linux mitigation check
+check_CVE_2018_12207_linux() {
+    local status sys_interface_available msg kernel_itlbmh kernel_itlbmh_err
+    status=UNK
+    sys_interface_available=0
+    msg=''
+    if sys_interface_check "$VULN_SYSFS_BASE/itlb_multihit"; then
+        # this kernel has the /sys interface, trust it over everything
+        sys_interface_available=1
+        status=$ret_sys_interface_check_status
+    fi
+    if [ "$opt_sysfs_only" != 1 ]; then
+        check_has_vmm
+
+        pr_info_nol "* iTLB Multihit mitigation is supported by kernel: "
+        kernel_itlbmh=''
+        if [ -n "$g_kernel_err" ]; then
+            kernel_itlbmh_err="$g_kernel_err"
+        # commit 5219505fcbb640e273a0d51c19c38de0100ec5a9
+        elif grep -q 'itlb_multihit' "$g_kernel"; then
+            kernel_itlbmh="found itlb_multihit in kernel image"
+        fi
+        if [ -n "$kernel_itlbmh" ]; then
+            pstatus green YES "$kernel_itlbmh"
+        elif [ -n "$kernel_itlbmh_err" ]; then
+            pstatus yellow UNKNOWN "$kernel_itlbmh_err"
+        else
+            pstatus yellow NO
+        fi
+
+        pr_info_nol "* iTLB Multihit mitigation enabled and active: "
+        if [ "$opt_live" = 1 ]; then
+            if [ -n "$ret_sys_interface_check_fullmsg" ]; then
+                if echo "$ret_sys_interface_check_fullmsg" | grep -qF 'Mitigation'; then
+                    pstatus green YES "$ret_sys_interface_check_fullmsg"
+                else
+                    pstatus yellow NO
+                fi
+            else
+                pstatus yellow NO "itlb_multihit not found in sysfs hierarchy"
+            fi
+        else
+            pstatus blue N/A "not testable in offline mode"
+        fi
+    elif [ "$sys_interface_available" = 0 ]; then
+        # we have no sysfs but were asked to use it only!
+        msg="/sys vulnerability interface use forced, but it's not available!"
+        status=UNK
+    fi
+
+    if ! is_cpu_affected "$cve"; then
+        # override status & msg in case CPU is not vulnerable after all
+        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+    elif [ "$g_has_vmm" = 0 ]; then
+        pvulnstatus "$cve" OK "this system is not running a hypervisor"
+    elif [ -z "$msg" ]; then
+        # if msg is empty, sysfs check didn't fill it, rely on our own test
+        if [ "$opt_live" = 1 ]; then
+            # if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old
+            pvulnstatus "$cve" VULN "Your kernel doesn't support iTLB Multihit mitigation, update it"
+        else
+            if [ -n "$kernel_itlbmh" ]; then
+                pvulnstatus "$cve" OK "Your kernel supports iTLB Multihit mitigation"
+            else
+                pvulnstatus "$cve" VULN "Your kernel doesn't support iTLB Multihit mitigation, update it"
+            fi
+        fi
+    else
+        pvulnstatus "$cve" "$status" "$msg"
+    fi
+}
+
+# CVE-2018-12207 iTLB multihit (machine check exception on page size changes) - BSD mitigation check
+check_CVE_2018_12207_bsd() {
+    local kernel_2m_x_ept
+    pr_info_nol "* Kernel supports disabling superpages for executable mappings under EPT: "
+    kernel_2m_x_ept=$(sysctl -n vm.pmap.allow_2m_x_ept 2>/dev/null)
+    if [ -z "$kernel_2m_x_ept" ]; then
+        pstatus yellow NO
+    else
+        pstatus green YES
+    fi
+
+    pr_info_nol "* Superpages are disabled for executable mappings under EPT: "
+    if [ "$kernel_2m_x_ept" = 0 ]; then
+        pstatus green YES
+    else
+        pstatus yellow NO
+    fi
+
+    if ! is_cpu_affected "$cve"; then
+        # override status & msg in case CPU is not vulnerable after all
+        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+    elif [ -z "$kernel_2m_x_ept" ]; then
+        pvulnstatus "$cve" VULN "Your kernel doesn't support mitigating this CVE, you should update it"
+    elif [ "$kernel_2m_x_ept" != 0 ]; then
+        pvulnstatus "$cve" VULN "Your kernel supports mitigating this CVE, but the mitigation is disabled"
+        explain "To enable the mitigation, use \`sysctl vm.pmap.allow_2m_x_ept=0\`"
+    else
+        pvulnstatus "$cve" OK "Your kernel has support for mitigation and the mitigation is enabled"
+    fi
+}
--- a/src/vulns/CVE-2018-3615.sh
+++ b/src/vulns/CVE-2018-3615.sh
@@ -0,0 +1,36 @@
+# vim: set ts=4 sw=4 sts=4 et:
+###########################
+# L1TF / FORESHADOW SECTION
+
+# CVE-2018-3615 Foreshadow (L1 terminal fault SGX) - entry point
+check_CVE_2018_3615() {
+    local cve
+    cve='CVE-2018-3615'
+    pr_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+
+    pr_info_nol "* CPU microcode mitigates the vulnerability: "
+    if { [ "$cap_flush_cmd" = 1 ] || { [ "$g_msr_locked_down" = 1 ] && [ "$cap_l1df" = 1 ]; }; } && [ "$cap_sgx" = 1 ]; then
+        # no easy way to detect a fixed SGX but we know that
+        # microcodes that have the FLUSH_CMD MSR also have the
+        # fixed SGX (for CPUs that support it), because Intel
+        # delivered fixed microcodes for both issues at the same time
+        #
+        # if the system we're running on is locked down (no way to write MSRs),
+        # make the assumption that if the L1D flush CPUID bit is set, probably
+        # that FLUSH_CMD MSR is here too
+        pstatus green YES
+    elif [ "$cap_sgx" = 1 ]; then
+        pstatus red NO
+    else
+        pstatus blue N/A
+    fi
+
+    if ! is_cpu_affected "$cve"; then
+        # override status & msg in case CPU is not vulnerable after all
+        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+    elif [ "$cap_flush_cmd" = 1 ] || { [ "$g_msr_locked_down" = 1 ] && [ "$cap_l1df" = 1 ]; }; then
+        pvulnstatus "$cve" OK "your CPU microcode mitigates the vulnerability"
+    else
+        pvulnstatus "$cve" VULN "your CPU supports SGX and the microcode is not up to date"
+    fi
+}
--- a/src/vulns/CVE-2018-3620.sh
+++ b/src/vulns/CVE-2018-3620.sh
@@ -0,0 +1,110 @@
+# vim: set ts=4 sw=4 sts=4 et:
+# CVE-2018-3620 Foreshadow-NG OS (L1 terminal fault OS) - entry point
+check_CVE_2018_3620() {
+    check_cve 'CVE-2018-3620'
+}
+
+# CVE-2018-3620 Foreshadow-NG OS (L1 terminal fault OS) - Linux mitigation check
+check_CVE_2018_3620_linux() {
+    local status sys_interface_available msg pteinv_supported pteinv_active
+    status=UNK
+    sys_interface_available=0
+    msg=''
+    if sys_interface_check "$VULN_SYSFS_BASE/l1tf"; then
+        # this kernel has the /sys interface, trust it over everything
+        sys_interface_available=1
+        status=$ret_sys_interface_check_status
+    fi
+    if [ "$opt_sysfs_only" != 1 ]; then
+        pr_info_nol "* Kernel supports PTE inversion: "
+        if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
+            pstatus yellow UNKNOWN "missing 'strings' tool, please install it"
+            pteinv_supported=-1
+        elif [ -n "$g_kernel_err" ]; then
+            pstatus yellow UNKNOWN "$g_kernel_err"
+            pteinv_supported=-1
+        else
+            if "${opt_arch_prefix}strings" "$g_kernel" | grep -Fq 'PTE Inversion'; then
+                pstatus green YES "found in kernel image"
+                pr_debug "pteinv: found pte inversion evidence in kernel image"
+                pteinv_supported=1
+            else
+                pstatus yellow NO
+                pteinv_supported=0
+            fi
+        fi
+
+        pr_info_nol "* PTE inversion enabled and active: "
+        if [ "$opt_live" = 1 ]; then
+            if [ -n "$ret_sys_interface_check_fullmsg" ]; then
+                if echo "$ret_sys_interface_check_fullmsg" | grep -q 'Mitigation: PTE Inversion'; then
+                    pstatus green YES
+                    pteinv_active=1
+                else
+                    pstatus yellow NO
+                    pteinv_active=0
+                fi
+            else
+                pstatus yellow UNKNOWN "sysfs interface not available"
+                pteinv_active=-1
+            fi
+        else
+            pstatus blue N/A "not testable in offline mode"
+        fi
+    elif [ "$sys_interface_available" = 0 ]; then
+        # we have no sysfs but were asked to use it only!
+        msg="/sys vulnerability interface use forced, but it's not available!"
+        status=UNK
+    fi
+
+    if ! is_cpu_affected "$cve"; then
+        # override status & msg in case CPU is not vulnerable after all
+        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+    elif [ -z "$msg" ]; then
+        # if msg is empty, sysfs check didn't fill it, rely on our own test
+        if [ "$pteinv_supported" = 1 ]; then
+            if [ "$pteinv_active" = 1 ] || [ "$opt_live" != 1 ]; then
+                pvulnstatus "$cve" OK "PTE inversion mitigates the vulnerability"
+            else
+                pvulnstatus "$cve" VULN "Your kernel supports PTE inversion but it doesn't seem to be enabled"
+            fi
+        else
+            pvulnstatus "$cve" VULN "Your kernel doesn't support PTE inversion, update it"
+        fi
+    else
+        pvulnstatus "$cve" "$status" "$msg"
+    fi
+}
+
+# CVE-2018-3620 Foreshadow-NG OS (L1 terminal fault OS) - BSD mitigation check
+check_CVE_2018_3620_bsd() {
+    local bsd_zero_reserved
+    pr_info_nol "* Kernel reserved the memory page at physical address 0x0: "
+    if ! kldstat -q -m vmm; then
+        kldload vmm 2>/dev/null && g_kldload_vmm=1
+        pr_debug "attempted to load module vmm, g_kldload_vmm=$g_kldload_vmm"
+    else
+        pr_debug "vmm module already loaded"
+    fi
+    if sysctl hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
+        # https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch
+        # this is very difficult to detect that the kernel reserved the 0 page, but this fix
+        # is part of the exact same patch than the other L1TF CVE, so we detect it
+        # and deem it as OK if the other patch is there
+        pstatus green YES
+        bsd_zero_reserved=1
+    else
+        pstatus yellow NO
+        bsd_zero_reserved=0
+    fi
+
+    if ! is_cpu_affected "$cve"; then
+        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+    else
+        if [ "$bsd_zero_reserved" = 1 ]; then
+            pvulnstatus "$cve" OK "kernel mitigates the vulnerability"
+        else
+            pvulnstatus "$cve" VULN "your kernel needs to be updated"
+        fi
+    fi
+}
--- a/src/vulns/CVE-2018-3639.sh
+++ b/src/vulns/CVE-2018-3639.sh
@@ -0,0 +1,188 @@
+# vim: set ts=4 sw=4 sts=4 et:
+###################
+# VARIANT 4 SECTION
+
+# CVE-2018-3639 Variant 4 (speculative store bypass) - entry point
+check_CVE_2018_3639() {
+    check_cve 'CVE-2018-3639'
+}
+
+# CVE-2018-3639 Variant 4 (speculative store bypass) - Linux mitigation check
+check_CVE_2018_3639_linux() {
+    local status sys_interface_available msg kernel_ssb kernel_ssbd_enabled mitigated_processes
+    status=UNK
+    sys_interface_available=0
+    msg=''
+    if sys_interface_check "$VULN_SYSFS_BASE/spec_store_bypass"; then
+        # this kernel has the /sys interface, trust it over everything
+        sys_interface_available=1
+        status=$ret_sys_interface_check_status
+    fi
+    if [ "$opt_sysfs_only" != 1 ]; then
+        pr_info_nol "* Kernel supports disabling speculative store bypass (SSB): "
+        if [ "$opt_live" = 1 ]; then
+            if grep -Eq 'Speculation.?Store.?Bypass:' "$g_procfs/self/status" 2>/dev/null; then
+                kernel_ssb="found in $g_procfs/self/status"
+                pr_debug "found Speculation.Store.Bypass: in $g_procfs/self/status"
+            fi
+        fi
+        # arm64 kernels can have cpu_show_spec_store_bypass with ARM64_SSBD, so exclude them
+        if [ -z "$kernel_ssb" ] && [ -n "$g_kernel" ] && ! grep -q 'arm64_sys_' "$g_kernel"; then
+            kernel_ssb=$("${opt_arch_prefix}strings" "$g_kernel" | grep spec_store_bypass | head -n1)
+            [ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in kernel"
+        fi
+        # arm64 kernels can have cpu_show_spec_store_bypass with ARM64_SSBD, so exclude them
+        if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && ! grep -q 'arm64_sys_' "$opt_map"; then
+            kernel_ssb=$(grep spec_store_bypass "$opt_map" | awk '{print $3}' | head -n1)
+            [ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in System.map"
+        fi
+        # arm64 only:
+        if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ]; then
+            kernel_ssb=$(grep -w cpu_enable_ssbs "$opt_map" | awk '{print $3}' | head -n1)
+            [ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in System.map"
+        fi
+        if [ -z "$kernel_ssb" ] && [ -n "$opt_config" ]; then
+            kernel_ssb=$(grep -w 'CONFIG_ARM64_SSBD=y' "$opt_config")
+            [ -n "$kernel_ssb" ] && kernel_ssb="CONFIG_ARM64_SSBD enabled in kconfig"
+        fi
+        if [ -z "$kernel_ssb" ] && [ -n "$g_kernel" ]; then
+            # this string only appears in kernel if CONFIG_ARM64_SSBD is set
+            kernel_ssb=$(grep -w "Speculative Store Bypassing Safe (SSBS)" "$g_kernel")
+            [ -n "$kernel_ssb" ] && kernel_ssb="found 'Speculative Store Bypassing Safe (SSBS)' in kernel"
+        fi
+        # /arm64 only
+
+        if [ -n "$kernel_ssb" ]; then
+            pstatus green YES "$kernel_ssb"
+        else
+            pstatus yellow NO
+        fi
+
+        kernel_ssbd_enabled=-1
+        if [ "$opt_live" = 1 ]; then
+            # https://elixir.bootlin.com/linux/v5.0/source/fs/proc/array.c#L340
+            pr_info_nol "* SSB mitigation is enabled and active: "
+            if grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$g_procfs/self/status" 2>/dev/null; then
+                kernel_ssbd_enabled=1
+                pstatus green YES "per-thread through prctl"
+            elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+globally mitigated' "$g_procfs/self/status" 2>/dev/null; then
+                kernel_ssbd_enabled=2
+                pstatus green YES "global"
+            elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+vulnerable' "$g_procfs/self/status" 2>/dev/null; then
+                kernel_ssbd_enabled=0
+                pstatus yellow NO
+            elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+not vulnerable' "$g_procfs/self/status" 2>/dev/null; then
+                kernel_ssbd_enabled=-2
+                pstatus blue NO "not vulnerable"
+            elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+unknown' "$g_procfs/self/status" 2>/dev/null; then
+                kernel_ssbd_enabled=0
+                pstatus blue NO
+            else
+                pstatus blue UNKNOWN "unknown value: $(grep -E 'Speculation.?Store.?Bypass:' "$g_procfs/self/status" 2>/dev/null | cut -d: -f2-)"
+            fi
+
+            if [ "$kernel_ssbd_enabled" = 1 ]; then
+                pr_info_nol "* SSB mitigation currently active for selected processes: "
+                # silence grep's stderr here to avoid ENOENT errors from processes that have exited since the shell's expansion of the *
+                mitigated_processes=$(find /proc -mindepth 2 -maxdepth 2 -type f -name status -print0 2>/dev/null |
+                    xargs -r0 grep -El 'Speculation.?Store.?Bypass:[[:space:]]+thread (force )?mitigated' 2>/dev/null |
+                    sed s/status/exe/ | xargs -r -n1 readlink -f 2>/dev/null | xargs -r -n1 basename | sort -u | tr "\n" " " | sed 's/ $//')
+                if [ -n "$mitigated_processes" ]; then
+                    pstatus green YES "$mitigated_processes"
+                else
+                    pstatus yellow NO "no process found using SSB mitigation through prctl"
+                fi
+            fi
+        fi
+
+    elif [ "$sys_interface_available" = 0 ]; then
+        # we have no sysfs but were asked to use it only!
+        msg="/sys vulnerability interface use forced, but it's not available!"
+        status=UNK
+    fi
+
+    if ! is_cpu_affected "$cve"; then
+        # override status & msg in case CPU is not vulnerable after all
+        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+    elif [ -z "$msg" ] || [ "$msg" = "Vulnerable" ]; then
+        # if msg is empty, sysfs check didn't fill it, rely on our own test
+        if [ -n "$cap_ssbd" ]; then
+            if [ -n "$kernel_ssb" ]; then
+                if [ "$opt_live" = 1 ]; then
+                    if [ "$kernel_ssbd_enabled" -gt 0 ]; then
+                        pvulnstatus "$cve" OK "your CPU and kernel both support SSBD and mitigation is enabled"
+                    else
+                        pvulnstatus "$cve" VULN "your CPU and kernel both support SSBD but the mitigation is not active"
+                    fi
+                else
+                    pvulnstatus "$cve" OK "your system provides the necessary tools for software mitigation"
+                fi
+            else
+                pvulnstatus "$cve" VULN "your kernel needs to be updated"
+                explain "You have a recent-enough CPU microcode but your kernel is too old to use the new features exported by your CPU's microcode. If you're using a distro kernel, upgrade your distro to get the latest kernel available. Otherwise, recompile the kernel from recent-enough sources."
+            fi
+        else
+            if [ -n "$kernel_ssb" ]; then
+                pvulnstatus "$cve" VULN "Your CPU doesn't support SSBD"
+                explain "Your kernel is recent enough to use the CPU microcode features for mitigation, but your CPU microcode doesn't actually provide the necessary features for the kernel to use. The microcode of your CPU hence needs to be upgraded. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section)."
+            else
+                pvulnstatus "$cve" VULN "Neither your CPU nor your kernel support SSBD"
+                explain "Both your CPU microcode and your kernel are lacking support for mitigation. If you're using a distro kernel, upgrade your distro to get the latest kernel available. Otherwise, recompile the kernel from recent-enough sources. The microcode of your CPU also needs to be upgraded. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section)."
+            fi
+        fi
+    else
+        pvulnstatus "$cve" "$status" "$msg"
+    fi
+}
+
+# CVE-2018-3639 Variant 4 (speculative store bypass) - BSD mitigation check
+check_CVE_2018_3639_bsd() {
+    local kernel_ssb ssb_enabled ssb_active
+    pr_info_nol "* Kernel supports speculation store bypass: "
+    if sysctl hw.spec_store_bypass_disable >/dev/null 2>&1; then
+        kernel_ssb=1
+        pstatus green YES
+    else
+        kernel_ssb=0
+        pstatus yellow NO
+    fi
+
+    pr_info_nol "* Speculation store bypass is administratively enabled: "
+    ssb_enabled=$(sysctl -n hw.spec_store_bypass_disable 2>/dev/null)
+    pr_debug "hw.spec_store_bypass_disable=$ssb_enabled"
+    case "$ssb_enabled" in
+        0) pstatus yellow NO "disabled" ;;
+        1) pstatus green YES "enabled" ;;
+        2) pstatus green YES "auto mode" ;;
+        *) pstatus yellow NO "unavailable" ;;
+    esac
+
+    pr_info_nol "* Speculation store bypass is currently active: "
+    ssb_active=$(sysctl -n hw.spec_store_bypass_disable_active 2>/dev/null)
+    pr_debug "hw.spec_store_bypass_disable_active=$ssb_active"
+    case "$ssb_active" in
+        1) pstatus green YES ;;
+        *) pstatus yellow NO ;;
+    esac
+
+    if ! is_cpu_affected "$cve"; then
+        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+    else
+        if [ "$ssb_active" = 1 ]; then
+            pvulnstatus "$cve" OK "SSBD mitigates the vulnerability"
+        elif [ -n "$cap_ssbd" ]; then
+            if [ "$kernel_ssb" = 1 ]; then
+                pvulnstatus "$cve" VULN "you need to enable SSBD through sysctl to mitigate the vulnerability"
+                explain "To enable SSBD right now, you can run \`sysctl hw.spec_store_bypass_disable=2'. To make this change persistent across reboots, you can add 'sysctl hw.spec_store_bypass_disable=2' to /etc/sysctl.conf."
+            else
+                pvulnstatus "$cve" VULN "your kernel needs to be updated"
+            fi
+        else
+            if [ "$kernel_ssb" = 1 ]; then
+                pvulnstatus "$cve" VULN "Your CPU doesn't support SSBD"
+            else
+                pvulnstatus "$cve" VULN "Neither your CPU nor your kernel support SSBD"
+            fi
+        fi
+    fi
+}
--- a/src/vulns/CVE-2018-3640.sh
+++ b/src/vulns/CVE-2018-3640.sh
@@ -0,0 +1,33 @@
+# vim: set ts=4 sw=4 sts=4 et:
+####################
+# VARIANT 3A SECTION
+
+# CVE-2018-3640 Variant 3a (rogue system register read) - entry point
+check_CVE_2018_3640() {
+    local status sys_interface_available msg cve
+    cve='CVE-2018-3640'
+    pr_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+
+    status=UNK
+    sys_interface_available=0
+    msg=''
+
+    pr_info_nol "* CPU microcode mitigates the vulnerability: "
+    if [ -n "$cap_ssbd" ]; then
+        # microcodes that ship with SSBD are known to also fix affected_variant3a
+        # there is no specific cpuid bit as far as we know
+        pstatus green YES
+    else
+        pstatus yellow NO
+    fi
+
+    if ! is_cpu_affected "$cve"; then
+        # override status & msg in case CPU is not vulnerable after all
+        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+    elif [ -n "$cap_ssbd" ]; then
+        pvulnstatus "$cve" OK "your CPU microcode mitigates the vulnerability"
+    else
+        pvulnstatus "$cve" VULN "an up-to-date CPU microcode is needed to mitigate this vulnerability"
+        explain "The microcode of your CPU needs to be upgraded to mitigate this vulnerability. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section). The microcode update is enough, there is no additional OS, kernel or software change needed."
+    fi
+}
--- a/src/vulns/CVE-2018-3646.sh
+++ b/src/vulns/CVE-2018-3646.sh
@@ -0,0 +1,214 @@
+# vim: set ts=4 sw=4 sts=4 et:
+# CVE-2018-3646 Foreshadow-NG VMM (L1 terminal fault VMM) - entry point
+check_CVE_2018_3646() {
+    check_cve 'CVE-2018-3646'
+}
+
+# CVE-2018-3646 Foreshadow-NG VMM (L1 terminal fault VMM) - Linux mitigation check
+check_CVE_2018_3646_linux() {
+    local status sys_interface_available msg l1d_mode ept_disabled l1d_kernel l1d_kernel_err l1d_xen_hardware l1d_xen_hypervisor l1d_xen_pv_domU smt_enabled
+    status=UNK
+    sys_interface_available=0
+    msg=''
+    if sys_interface_check "$VULN_SYSFS_BASE/l1tf" '.*' quiet; then
+        # this kernel has the /sys interface, trust it over everything
+        sys_interface_available=1
+    fi
+    l1d_mode=-1
+    if [ "$opt_sysfs_only" != 1 ]; then
+        check_has_vmm
+
+        pr_info "* Mitigation 1 (KVM)"
+        pr_info_nol "  * EPT is disabled: "
+        ept_disabled=-1
+        if [ "$opt_live" = 1 ]; then
+            if ! [ -r "$SYS_MODULE_BASE/kvm_intel/parameters/ept" ]; then
+                pstatus blue N/A "the kvm_intel module is not loaded"
+            elif [ "$(cat "$SYS_MODULE_BASE/kvm_intel/parameters/ept")" = N ]; then
+                pstatus green YES
+                ept_disabled=1
+            else
+                pstatus yellow NO
+            fi
+        else
+            pstatus blue N/A "not testable in offline mode"
+        fi
+
+        pr_info "* Mitigation 2"
+        pr_info_nol "  * L1D flush is supported by kernel: "
+        if [ "$opt_live" = 1 ] && grep -qw flush_l1d "$g_procfs/cpuinfo"; then
+            l1d_kernel="found flush_l1d in $g_procfs/cpuinfo"
+        fi
+        if [ -z "$l1d_kernel" ]; then
+            if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
+                l1d_kernel_err="missing '${opt_arch_prefix}strings' tool, please install it, usually it's in the binutils package"
+            elif [ -n "$g_kernel_err" ]; then
+                l1d_kernel_err="$g_kernel_err"
+            elif "${opt_arch_prefix}strings" "$g_kernel" | grep -qw flush_l1d; then
+                l1d_kernel='found flush_l1d in kernel image'
+            fi
+        fi
+
+        if [ -n "$l1d_kernel" ]; then
+            pstatus green YES "$l1d_kernel"
+        elif [ -n "$l1d_kernel_err" ]; then
+            pstatus yellow UNKNOWN "$l1d_kernel_err"
+        else
+            pstatus yellow NO
+        fi
+
+        pr_info_nol "  * L1D flush enabled: "
+        if [ "$opt_live" = 1 ]; then
+            if [ -n "$ret_sys_interface_check_fullmsg" ]; then
+                # vanilla: VMX: $l1dstatus, SMT $smtstatus
+                # Red Hat: VMX: SMT $smtstatus, L1D $l1dstatus
+                # $l1dstatus is one of (auto|vulnerable|conditional cache flushes|cache flushes|EPT disabled|flush not necessary)
+                # $smtstatus is one of (vulnerable|disabled)
+                # can also just be "Not affected"
+                if echo "$ret_sys_interface_check_fullmsg" | grep -Eq -e 'Not affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not necessary)'; then
+                    l1d_mode=0
+                    pstatus yellow NO
+                elif echo "$ret_sys_interface_check_fullmsg" | grep -Eq '(VMX:|L1D) conditional cache flushes'; then
+                    l1d_mode=1
+                    pstatus green YES "conditional flushes"
+                elif echo "$ret_sys_interface_check_fullmsg" | grep -Eq '(VMX:|L1D) cache flushes'; then
+                    l1d_mode=2
+                    pstatus green YES "unconditional flushes"
+                else
+                    if is_xen_dom0; then
+                        l1d_xen_hardware=$(xl dmesg 2>/dev/null | grep 'Hardware features:' | grep 'L1D_FLUSH' | head -n1)
+                        l1d_xen_hypervisor=$(xl dmesg 2>/dev/null | grep 'Xen settings:' | grep 'L1D_FLUSH' | head -n1)
+                        l1d_xen_pv_domU=$(xl dmesg 2>/dev/null | grep 'PV L1TF shadowing:' | grep 'DomU enabled' | head -n1)
+
+                        if [ -n "$l1d_xen_hardware" ] && [ -n "$l1d_xen_hypervisor" ] && [ -n "$l1d_xen_pv_domU" ]; then
+                            l1d_mode=5
+                            pstatus green YES "for XEN guests"
+                        elif [ -n "$l1d_xen_hardware" ] && [ -n "$l1d_xen_hypervisor" ]; then
+                            l1d_mode=4
+                            pstatus yellow YES "for XEN guests (HVM only)"
+                        elif [ -n "$l1d_xen_pv_domU" ]; then
+                            l1d_mode=3
+                            pstatus yellow YES "for XEN guests (PV only)"
+                        else
+                            l1d_mode=0
+                            pstatus yellow NO "for XEN guests"
+                        fi
+                    else
+                        l1d_mode=-1
+                        pstatus yellow UNKNOWN "unrecognized mode"
+                    fi
+                fi
+            else
+                l1d_mode=-1
+                pstatus yellow UNKNOWN "can't find or read $VULN_SYSFS_BASE/l1tf"
+            fi
+        else
+            l1d_mode=-1
+            pstatus blue N/A "not testable in offline mode"
+        fi
+
+        pr_info_nol "  * Hardware-backed L1D flush supported: "
+        if [ "$opt_live" = 1 ]; then
+            if grep -qw flush_l1d "$g_procfs/cpuinfo" || [ -n "$l1d_xen_hardware" ]; then
+                pstatus green YES "performance impact of the mitigation will be greatly reduced"
+            else
+                pstatus blue NO "flush will be done in software, this is slower"
+            fi
+        else
+            pstatus blue N/A "not testable in offline mode"
+        fi
+
+        pr_info_nol "  * Hyper-Threading (SMT) is enabled: "
+        is_cpu_smt_enabled
+        smt_enabled=$?
+        if [ "$smt_enabled" = 0 ]; then
+            pstatus yellow YES
+        elif [ "$smt_enabled" = 1 ]; then
+            pstatus green NO
+        else
+            pstatus yellow UNKNOWN
+        fi
+
+    elif [ "$sys_interface_available" = 0 ]; then
+        # we have no sysfs but were asked to use it only!
+        msg="/sys vulnerability interface use forced, but it's not available!"
+        status=UNK
+        l1d_mode=-1
+    fi
+
+    if ! is_cpu_affected "$cve"; then
+        # override status & msg in case CPU is not vulnerable after all
+        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+    elif [ "$ret_sys_interface_check_fullmsg" = "Not affected" ]; then
+        # just in case a very recent kernel knows better than we do
+        pvulnstatus "$cve" OK "your kernel reported your CPU model as not affected"
+    elif [ "$g_has_vmm" = 0 ]; then
+        pvulnstatus "$cve" OK "this system is not running a hypervisor"
+    else
+        if [ "$ept_disabled" = 1 ]; then
+            pvulnstatus "$cve" OK "EPT is disabled which mitigates the vulnerability"
+        elif [ "$opt_paranoid" = 0 ]; then
+            if [ "$l1d_mode" -ge 1 ]; then
+                pvulnstatus "$cve" OK "L1D flushing is enabled and mitigates the vulnerability"
+            else
+                pvulnstatus "$cve" VULN "disable EPT or enable L1D flushing to mitigate the vulnerability"
+            fi
+        else
+            if [ "$l1d_mode" -ge 2 ]; then
+                if [ "$smt_enabled" = 1 ]; then
+                    pvulnstatus "$cve" OK "L1D unconditional flushing and Hyper-Threading disabled are mitigating the vulnerability"
+                else
+                    pvulnstatus "$cve" VULN "Hyper-Threading must be disabled to fully mitigate the vulnerability"
+                fi
+            else
+                if [ "$smt_enabled" = 1 ]; then
+                    pvulnstatus "$cve" VULN "L1D unconditional flushing should be enabled to fully mitigate the vulnerability"
+                else
+                    pvulnstatus "$cve" VULN "enable L1D unconditional flushing and disable Hyper-Threading to fully mitigate the vulnerability"
+                fi
+            fi
+        fi
+
+        if [ "$l1d_mode" -gt 3 ]; then
+            pr_warn
+            pr_warn "This host is a Xen Dom0. Please make sure that you are running your DomUs"
+            pr_warn "with a kernel which contains CVE-2018-3646 mitigations."
+            pr_warn
+            pr_warn "See https://www.suse.com/support/kb/doc/?id=7023078 and XSA-273 for details."
+        fi
+    fi
+}
+
+# CVE-2018-3646 Foreshadow-NG VMM (L1 terminal fault VMM) - BSD mitigation check
+check_CVE_2018_3646_bsd() {
+    local kernel_l1d_supported kernel_l1d_enabled
+    pr_info_nol "* Kernel supports L1D flushing: "
+    if sysctl hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
+        pstatus green YES
+        kernel_l1d_supported=1
+    else
+        pstatus yellow NO
+        kernel_l1d_supported=0
+    fi
+
+    pr_info_nol "* L1D flushing is enabled: "
+    kernel_l1d_enabled=$(sysctl -n hw.vmm.vmx.l1d_flush 2>/dev/null)
+    case "$kernel_l1d_enabled" in
+        0) pstatus yellow NO ;;
+        1) pstatus green YES ;;
+        "") pstatus yellow NO ;;
+        *) pstatus yellow UNKNOWN ;;
+    esac
+
+    if ! is_cpu_affected "$cve"; then
+        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+    else
+        if [ "$kernel_l1d_enabled" = 1 ]; then
+            pvulnstatus "$cve" OK "L1D flushing mitigates the vulnerability"
+        elif [ "$kernel_l1d_supported" = 1 ]; then
+            pvulnstatus "$cve" VULN "L1D flushing is supported by your kernel but is disabled"
+        else
+            pvulnstatus "$cve" VULN "your kernel needs to be updated"
+        fi
+    fi
+}
--- a/src/vulns/CVE-2019-11091.sh
+++ b/src/vulns/CVE-2019-11091.sh
@@ -0,0 +1,8 @@
+# vim: set ts=4 sw=4 sts=4 et:
+###################
+# MDSUM SECTION
+
+# CVE-2019-11091 MDSUM (microarchitectural data sampling uncacheable memory) - entry point
+check_CVE_2019_11091() {
+    check_cve 'CVE-2019-11091' check_mds
+}
--- a/src/vulns/CVE-2019-11135.sh
+++ b/src/vulns/CVE-2019-11135.sh
@@ -0,0 +1,96 @@
+# vim: set ts=4 sw=4 sts=4 et:
+###################
+# TAA SECTION
+
+# CVE-2019-11135 TAA (TSX asynchronous abort) - entry point
+check_CVE_2019_11135() {
+    check_cve 'CVE-2019-11135'
+}
+
+# CVE-2019-11135 TAA (TSX asynchronous abort) - Linux mitigation check
+check_CVE_2019_11135_linux() {
+    local status sys_interface_available msg kernel_taa kernel_taa_err
+    status=UNK
+    sys_interface_available=0
+    msg=''
+    if sys_interface_check "$VULN_SYSFS_BASE/tsx_async_abort"; then
+        # this kernel has the /sys interface, trust it over everything
+        sys_interface_available=1
+        status=$ret_sys_interface_check_status
+    fi
+    if [ "$opt_sysfs_only" != 1 ]; then
+        pr_info_nol "* TAA mitigation is supported by kernel: "
+        kernel_taa=''
+        if [ -n "$g_kernel_err" ]; then
+            kernel_taa_err="$g_kernel_err"
+        elif grep -q 'tsx_async_abort' "$g_kernel"; then
+            kernel_taa="found tsx_async_abort in kernel image"
+        fi
+        if [ -n "$kernel_taa" ]; then
+            pstatus green YES "$kernel_taa"
+        elif [ -n "$kernel_taa_err" ]; then
+            pstatus yellow UNKNOWN "$kernel_taa_err"
+        else
+            pstatus yellow NO
+        fi
+
+        pr_info_nol "* TAA mitigation enabled and active: "
+        if [ "$opt_live" = 1 ]; then
+            if [ -n "$ret_sys_interface_check_fullmsg" ]; then
+                if echo "$ret_sys_interface_check_fullmsg" | grep -qE '^Mitigation'; then
+                    pstatus green YES "$ret_sys_interface_check_fullmsg"
+                else
+                    pstatus yellow NO
+                fi
+            else
+                pstatus yellow NO "tsx_async_abort not found in sysfs hierarchy"
+            fi
+        else
+            pstatus blue N/A "not testable in offline mode"
+        fi
+    elif [ "$sys_interface_available" = 0 ]; then
+        # we have no sysfs but were asked to use it only!
+        msg="/sys vulnerability interface use forced, but it's not available!"
+        status=UNK
+    fi
+
+    if ! is_cpu_affected "$cve"; then
+        # override status & msg in case CPU is not vulnerable after all
+        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+    elif [ -z "$msg" ]; then
+        # if msg is empty, sysfs check didn't fill it, rely on our own test
+        if [ "$opt_live" = 1 ]; then
+            # if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old
+            pvulnstatus "$cve" VULN "Your kernel doesn't support TAA mitigation, update it"
+        else
+            if [ -n "$kernel_taa" ]; then
+                pvulnstatus "$cve" OK "Your kernel supports TAA mitigation"
+            else
+                pvulnstatus "$cve" VULN "Your kernel doesn't support TAA mitigation, update it"
+            fi
+        fi
+    else
+        if [ "$opt_paranoid" = 1 ]; then
+            # in paranoid mode, TSX or SMT enabled are not OK, even if TAA is mitigated
+            if ! echo "$ret_sys_interface_check_fullmsg" | grep -qF 'TSX disabled'; then
+                pvulnstatus "$cve" VULN "TSX must be disabled for full mitigation"
+            elif echo "$ret_sys_interface_check_fullmsg" | grep -qF 'SMT vulnerable'; then
+                pvulnstatus "$cve" VULN "SMT (HyperThreading) must be disabled for full mitigation"
+            else
+                pvulnstatus "$cve" "$status" "$msg"
+            fi
+        else
+            pvulnstatus "$cve" "$status" "$msg"
+        fi
+    fi
+}
+
+# CVE-2019-11135 TAA (TSX asynchronous abort) - BSD mitigation check
+check_CVE_2019_11135_bsd() {
+    if ! is_cpu_affected "$cve"; then
+        # override status & msg in case CPU is not vulnerable after all
+        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+    else
+        pvulnstatus "$cve" UNK "your CPU is affected, but mitigation detection has not yet been implemented for BSD in this script"
+    fi
+}
--- a/src/vulns/CVE-2020-0543.sh
+++ b/src/vulns/CVE-2020-0543.sh
@@ -0,0 +1,115 @@
+# vim: set ts=4 sw=4 sts=4 et:
+###################
+# SRBDS SECTION
+
+# CVE-2020-0543 SRBDS (special register buffer data sampling) - entry point
+check_CVE_2020_0543() {
+    check_cve 'CVE-2020-0543'
+}
+
+# CVE-2020-0543 SRBDS (special register buffer data sampling) - Linux mitigation check
+check_CVE_2020_0543_linux() {
+    local status sys_interface_available msg kernel_srbds kernel_srbds_err
+    status=UNK
+    sys_interface_available=0
+    msg=''
+    if sys_interface_check "$VULN_SYSFS_BASE/srbds"; then
+        # this kernel has the /sys interface, trust it over everything
+        sys_interface_available=1
+        status=$ret_sys_interface_check_status
+    fi
+    if [ "$opt_sysfs_only" != 1 ]; then
+        pr_info_nol "* SRBDS mitigation control is supported by the kernel: "
+        kernel_srbds=''
+        if [ -n "$g_kernel_err" ]; then
+            kernel_srbds_err="$g_kernel_err"
+        elif grep -q 'Dependent on hypervisor' "$g_kernel"; then
+            kernel_srbds="found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation"
+        fi
+        if [ -n "$kernel_srbds" ]; then
+            pstatus green YES "$kernel_srbds"
+        elif [ -n "$kernel_srbds_err" ]; then
+            pstatus yellow UNKNOWN "$kernel_srbds_err"
+        else
+            pstatus yellow NO
+        fi
+        pr_info_nol "* SRBDS mitigation control is enabled and active: "
+        if [ "$opt_live" = 1 ]; then
+            if [ -n "$ret_sys_interface_check_fullmsg" ]; then
+                if echo "$ret_sys_interface_check_fullmsg" | grep -qE '^Mitigation'; then
+                    pstatus green YES "$ret_sys_interface_check_fullmsg"
+                else
+                    pstatus yellow NO
+                fi
+            else
+                pstatus yellow NO "SRBDS not found in sysfs hierarchy"
+            fi
+        else
+            pstatus blue N/A "not testable in offline mode"
+        fi
+    elif [ "$sys_interface_available" = 0 ]; then
+        # we have no sysfs but were asked to use it only!
+        msg="/sys vulnerability interface use forced, but it's not available!"
+        status=UNK
+    fi
+    if ! is_cpu_affected "$cve"; then
+        # override status & msg in case CPU is not vulnerable after all
+        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+    else
+        if [ "$opt_sysfs_only" != 1 ]; then
+            if [ "$cap_srbds" = 1 ]; then
+                # SRBDS mitigation control exists
+                if [ "$cap_srbds_on" = 1 ]; then
+                    # SRBDS mitigation control is enabled
+                    if [ -z "$msg" ]; then
+                        # if msg is empty, sysfs check didn't fill it, rely on our own test
+                        if [ "$opt_live" = 1 ]; then
+                            # if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old
+                            pvulnstatus "$cve" OK "Your microcode is up to date for SRBDS mitigation control. The kernel needs to be updated"
+                        fi
+                    else
+                        if [ -n "$kernel_srbds" ]; then
+                            pvulnstatus "$cve" OK "Your microcode and kernel are both up to date for SRBDS mitigation control. Mitigation is enabled"
+                        else
+                            pvulnstatus "$cve" OK "Your microcode is up to date for SRBDS mitigation control. The kernel needs to be updated"
+                        fi
+                    fi
+                elif [ "$cap_srbds_on" = 0 ]; then
+                    # SRBDS mitigation control is disabled
+                    if [ -z "$msg" ]; then
+                        if [ "$opt_live" = 1 ]; then
+                            # if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old
+                            pvulnstatus "$cve" VULN "Your microcode is up to date for SRBDS mitigation control. The kernel needs to be updated. Mitigation is disabled"
+                        fi
+                    else
+                        if [ -n "$kernel_srbds" ]; then
+                            pvulnstatus "$cve" VULN "Your microcode and kernel are both up to date for SRBDS mitigation control. Mitigation is disabled"
+                        else
+                            pvulnstatus "$cve" VULN "Your microcode is up to date for SRBDS mitigation control. The kernel needs to be updated. Mitigation is disabled"
+                        fi
+                    fi
+                else
+                    # rdmsr: CPU 0 cannot read MSR 0x00000123
+                    pvulnstatus "$cve" UNK "Not able to enumerate MSR for SRBDS mitigation control"
+                fi
+            else
+                # [ $cap_srbds != 1 ]
+                pvulnstatus "$cve" VULN "Your CPU microcode may need to be updated to mitigate the vulnerability"
+            fi
+        else
+            # sysfs only: return the status/msg we got
+            pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
+            return
+        fi
+    fi
+}
+
+# CVE-2020-0543 SRBDS (special register buffer data sampling) - BSD mitigation check
+check_CVE_2020_0543_bsd() {
+    if ! is_cpu_affected "$cve"; then
+        # override status & msg in case CPU is not vulnerable after all
+        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+    else
+        pvulnstatus "$cve" UNK "your CPU is affected, but mitigation detection has not yet been implemented for BSD in this script"
+    fi
+}
--- a/src/vulns/CVE-2022-40982.sh
+++ b/src/vulns/CVE-2022-40982.sh
@@ -0,0 +1,99 @@
+# vim: set ts=4 sw=4 sts=4 et:
+#########################
+# Downfall section
+
+# CVE-2022-40982 Downfall (gather data sampling) - entry point
+check_CVE_2022_40982() {
+    check_cve 'CVE-2022-40982'
+}
+
+# CVE-2022-40982 Downfall (gather data sampling) - Linux mitigation check
+check_CVE_2022_40982_linux() {
+    local status sys_interface_available msg kernel_gds kernel_gds_err kernel_avx_disabled dmesgret ret
+    status=UNK
+    sys_interface_available=0
+    msg=''
+
+    if sys_interface_check "$VULN_SYSFS_BASE/gather_data_sampling"; then
+        # this kernel has the /sys interface, trust it over everything
+        sys_interface_available=1
+        status=$ret_sys_interface_check_status
+    fi
+
+    if [ "$opt_sysfs_only" != 1 ]; then
+        pr_info_nol "* GDS is mitigated by microcode: "
+        if [ "$cap_gds_ctrl" = 1 ] && [ "$cap_gds_mitg_dis" = 0 ]; then
+            pstatus green OK "microcode mitigation is supported and enabled"
+        else
+            pstatus yellow NO
+        fi
+        pr_info_nol "* Kernel supports software mitigation by disabling AVX: "
+        if [ -n "$g_kernel_err" ]; then
+            kernel_gds_err="$g_kernel_err"
+        elif grep -q 'gather_data_sampling' "$g_kernel"; then
+            kernel_gds="found gather_data_sampling in kernel image"
+        fi
+        if [ -n "$kernel_gds" ]; then
+            pstatus green YES "$kernel_gds"
+        elif [ -n "$kernel_gds_err" ]; then
+            pstatus yellow UNKNOWN "$kernel_gds_err"
+        else
+            pstatus yellow NO
+        fi
+
+        if [ -n "$kernel_gds" ]; then
+            pr_info_nol "* Kernel has disabled AVX as a mitigation: "
+
+            # Check dmesg message to see whether AVX has been disabled
+            dmesg_grep 'Microcode update needed! Disabling AVX as mitigation'
+            dmesgret=$?
+            if [ "$dmesgret" -eq 0 ]; then
+                kernel_avx_disabled="AVX disabled by the kernel (dmesg)"
+                pstatus green YES "$kernel_avx_disabled"
+            elif [ "$cap_avx2" = 0 ]; then
+                # Find out by ourselves
+                # cpuinfo says we don't have AVX2, query
+                # the CPU directly about AVX2 support
+                read_cpuid 0x7 0x0 "$EBX" 5 1 1
+                ret=$?
+                if [ "$ret" -eq "$READ_CPUID_RET_OK" ]; then
+                    kernel_avx_disabled="AVX disabled by the kernel (cpuid)"
+                    pstatus green YES "$kernel_avx_disabled"
+                elif [ "$ret" -eq "$READ_CPUID_RET_KO" ]; then
+                    pstatus yellow NO "CPU doesn't support AVX"
+                elif [ "$dmesgret" -eq 2 ]; then
+                    pstatus yellow UNKNOWN "dmesg truncated, can't tell whether mitigation is active, please reboot and relaunch this script"
+                else
+                    pstatus yellow UNKNOWN "No sign of mitigation in dmesg and couldn't read cpuid info"
+                fi
+            else
+                pstatus yellow NO "AVX support is enabled"
+            fi
+        fi
+
+    elif [ "$sys_interface_available" = 0 ]; then
+        # we have no sysfs but were asked to use it only!
+        msg="/sys vulnerability interface use forced, but it's not available!"
+        status=UNK
+    fi
+
+    if ! is_cpu_affected "$cve"; then
+        # override status & msg in case CPU is not vulnerable after all
+        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+    elif [ -z "$msg" ]; then
+        # if msg is empty, sysfs check didn't fill it, rely on our own test
+        if [ "$cap_gds_ctrl" = 1 ] && [ "$cap_gds_mitg_dis" = 0 ]; then
+            pvulnstatus "$cve" OK "Your microcode is up to date and mitigation is enabled"
+        elif [ "$cap_gds_ctrl" = 1 ] && [ "$cap_gds_mitg_dis" = 1 ]; then
+            pvulnstatus "$cve" VULN "Your microcode is up to date but mitigation is disabled"
+        elif [ -z "$kernel_gds" ]; then
+            pvulnstatus "$cve" VULN "Your microcode doesn't mitigate the vulnerability, and your kernel doesn't support mitigation"
+        elif [ -z "$kernel_avx_disabled" ]; then
+            pvulnstatus "$cve" VULN "Your microcode doesn't mitigate the vulnerability, your kernel support the mitigation but the script did not detect AVX as disabled by the kernel"
+        else
+            pvulnstatus "$cve" OK "Your microcode doesn't mitigate the vulnerability, but your kernel has disabled AVX support"
+        fi
+    else
+        pvulnstatus "$cve" "$status" "$msg"
+    fi
+}
--- a/src/vulns/CVE-2023-20569.sh
+++ b/src/vulns/CVE-2023-20569.sh
@@ -0,0 +1,170 @@
+# vim: set ts=4 sw=4 sts=4 et:
+#######################
+# Inception section
+
+# CVE-2023-20569 Inception (SRSO, speculative return stack overflow) - entry point
+check_CVE_2023_20569() {
+    check_cve 'CVE-2023-20569'
+}
+
+# CVE-2023-20569 Inception (SRSO, speculative return stack overflow) - Linux mitigation check
+check_CVE_2023_20569_linux() {
+    local status sys_interface_available msg kernel_sro kernel_sro_err kernel_srso kernel_ibpb_entry smt_enabled
+    status=UNK
+    sys_interface_available=0
+    msg=''
+
+    if sys_interface_check "$VULN_SYSFS_BASE/spec_rstack_overflow"; then
+        # this kernel has the /sys interface, trust it over everything
+        sys_interface_available=1
+        status=$ret_sys_interface_check_status
+    fi
+
+    if [ "$opt_sysfs_only" != 1 ]; then
+        pr_info_nol "* Kernel supports mitigation: "
+        if [ -n "$g_kernel_err" ]; then
+            kernel_sro_err="$g_kernel_err"
+        elif grep -q 'spec_rstack_overflow' "$g_kernel"; then
+            kernel_sro="found spec_rstack_overflow in kernel image"
+        fi
+        if [ -n "$kernel_sro" ]; then
+            pstatus green YES "$kernel_sro"
+        elif [ -n "$kernel_sro_err" ]; then
+            pstatus yellow UNKNOWN "$kernel_sro_err"
+        else
+            pstatus yellow NO
+        fi
+
+        pr_info_nol "* Kernel compiled with SRSO support: "
+        if [ -r "$opt_config" ]; then
+            # CONFIG_CPU_SRSO: Linux < 6.9
+            # CONFIG_MITIGATION_SRSO: Linux >= 6.9
+            if grep -Eq '^CONFIG_(CPU|MITIGATION)_SRSO=y' "$opt_config"; then
+                pstatus green YES
+                kernel_srso="CONFIG_(CPU|MITIGATION)_SRSO=y found in kernel config"
+            else
+                pstatus yellow NO "required for safe RET and ibpb_on_vmexit mitigations"
+            fi
+        else
+            # https://github.com/torvalds/linux/commit/138bcddb86d8a4f842e4ed6f0585abc9b1a764ff#diff-17bd24a7a7850613cced545790ac30646097e8d6207348c2bd1845f397acb390R2313
+            if [ -n "$g_kernel_err" ]; then
+                pstatus yellow UNKNOWN "$g_kernel_err"
+            elif grep -Eq 'WARNING: kernel not compiled with (CPU|MITIGATION)_SRSO' "$g_kernel"; then
+                # this msg is optimized out at compile time if the option is not enabled, see commit referenced above
+                # if it's present, then SRSO is NOT compiled in
+                pstatus yellow NO "kernel not compiled with (CPU|MITIGATION)_SRSO"
+            else
+                # if it's not present, then SRSO is compiled in IF kernel_sro==1, otherwise we're just
+                # in front of an old kernel that doesn't have the mitigation logic at all
+                if [ "$kernel_sro" = 1 ]; then
+                    kernel_srso="SRSO mitigation logic is compiled in the kernel"
+                    pstatus green OK "$kernel_srso"
+                else
+                    pstatus yellow NO "your kernel is too old and doesn't have the mitigation logic"
+                fi
+            fi
+        fi
+
+        pr_info_nol "* Kernel compiled with IBPB_ENTRY support: "
+        if [ -r "$opt_config" ]; then
+            # CONFIG_CPU_IBPB_ENTRY: Linux < 6.9
+            # CONFIG_MITIGATION_IBPB_ENTRY: Linux >= 6.9
+            if grep -Eq '^CONFIG_(CPU|MITIGATION)_IBPB_ENTRY=y' "$opt_config"; then
+                pstatus green YES
+                kernel_ibpb_entry="CONFIG_(CPU|MITIGATION)_IBPB_ENTRY=y found in kernel config"
+            else
+                pstatus yellow NO
+            fi
+        else
+            # https://github.com/torvalds/linux/commit/138bcddb86d8a4f842e4ed6f0585abc9b1a764ff#diff-17bd24a7a7850613cced545790ac30646097e8d6207348c2bd1845f397acb390R2325
+            if [ -n "$g_kernel_err" ]; then
+                pstatus yellow UNKNOWN "$g_kernel_err"
+            elif grep -Eq 'WARNING: kernel not compiled with (CPU|MITIGATION)_IBPB_ENTRY' "$g_kernel"; then
+                # this msg is optimized out at compile time if the option is not enabled, see commit referenced above
+                # if it's present, then IBPB_ENTRY is NOT compiled in
+                pstatus yellow NO "kernel not compiled with (CPU|MITIGATION)_IBPB_ENTRY"
+            else
+                # if it's not present, then IBPB_ENTRY is compiled in IF kernel_sro==1, otherwise we're just
+                # in front of an old kernel that doesn't have the mitigation logic at all
+                if [ "$kernel_sro" = 1 ]; then
+                    kernel_ibpb_entry="IBPB_ENTRY mitigation logic is compiled in the kernel"
+                    pstatus green OK "$kernel_ibpb_entry"
+                else
+                    pstatus yellow NO "your kernel is too old and doesn't have the mitigation logic"
+                fi
+            fi
+        fi
+
+        # Zen & Zen2 : if the right IBPB microcode applied + SMT off --> not vuln
+        if [ "$cpu_family" = $((0x17)) ]; then
+            pr_info_nol "* CPU supports IBPB: "
+            if [ -n "$cap_ibpb" ]; then
+                pstatus green YES "$cap_ibpb"
+            else
+                pstatus yellow NO
+            fi
+
+            pr_info_nol "* Hyper-Threading (SMT) is enabled: "
+            is_cpu_smt_enabled
+            smt_enabled=$?
+            if [ "$smt_enabled" = 0 ]; then
+                pstatus yellow YES
+            else
+                pstatus green NO
+            fi
+        # Zen 3/4 microcode brings SBPB mitigation
+        elif [ "$cpu_family" = $((0x19)) ]; then
+            pr_info_nol "* CPU supports SBPB: "
+            if [ "$cap_sbpb" = 1 ]; then
+                pstatus green YES
+            elif [ "$cap_sbpb" = 3 ]; then
+                pstatus yellow UNKNOWN "cannot write MSR, rerun with --allow-msr-write"
+            else
+                pstatus yellow NO
+            fi
+        fi
+
+    elif [ "$sys_interface_available" = 0 ]; then
+        # we have no sysfs but were asked to use it only!
+        msg="/sys vulnerability interface use forced, but it's not available!"
+        status=UNK
+    fi
+
+    if ! is_cpu_affected "$cve"; then
+        # override status & msg in case CPU is not vulnerable after all
+        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+    elif [ -z "$msg" ]; then
+        # if msg is empty, sysfs check didn't fill it, so we rely on our own logic
+        # Zen/Zen2
+        if [ "$cpu_family" = $((0x17)) ]; then
+            if [ "$smt_enabled" = 0 ]; then
+                pvulnstatus "$cve" VULN "SMT is enabled on your Zen/Zen2 CPU, which makes mitigation ineffective"
+                explain "For Zen/Zen2 CPUs, proper mitigation needs an up to date microcode, and SMT needs to be disabled (this can be done by adding \`nosmt\` to your kernel command line)"
+            elif [ -z "$kernel_sro" ]; then
+                pvulnstatus "$cve" VULN "Your kernel is too old and doesn't have the SRSO mitigation logic"
+            elif [ -n "$cap_ibpb" ]; then
+                pvulnstatus "$cve" OK "SMT is disabled and both your kernel and microcode support mitigation"
+            else
+                pvulnstatus "$cve" VULN "Your microcode is too old"
+            fi
+        # Zen3/Zen4
+        elif [ "$cpu_family" = $((0x19)) ]; then
+            if [ -z "$kernel_sro" ]; then
+                pvulnstatus "$cve" VULN "Your kernel is too old and doesn't have the SRSO mitigation logic"
+            elif [ -z "$kernel_srso" ] && [ -z "$kernel_ibpb_entry" ]; then
+                pvulnstatus "$cve" VULN "Your kernel doesn't have either SRSO or IBPB_ENTRY compiled-in"
+            elif [ "$cap_sbpb" = 3 ]; then
+                pvulnstatus "$cve" UNK "Couldn't verify if your microcode supports IBPB (rerun with --allow-msr-write)"
+            elif [ "$cap_sbpb" = 2 ]; then
+                pvulnstatus "$cve" VULN "Your microcode doesn't support SBPB"
+            else
+                pvulnstatus "$cve" OK "Your kernel and microcode both support mitigation"
+            fi
+        else
+            # not supposed to happen, as normally this CPU should not be affected and not run this code
+            pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+        fi
+    else
+        pvulnstatus "$cve" "$status" "$msg"
+    fi
+}
--- a/src/vulns/CVE-2023-20593.sh
+++ b/src/vulns/CVE-2023-20593.sh
@@ -0,0 +1,120 @@
+# vim: set ts=4 sw=4 sts=4 et:
+####################
+# Zenbleed section
+
+# CVE-2023-20593 Zenbleed (cross-process information leak via AVX2) - entry point
+check_CVE_2023_20593() {
+    check_cve 'CVE-2023-20593'
+}
+
+# CVE-2023-20593 Zenbleed (cross-process information leak via AVX2) - Linux mitigation check
+check_CVE_2023_20593_linux() {
+    local status sys_interface_available msg kernel_zenbleed kernel_zenbleed_err fp_backup_fix ucode_zenbleed zenbleed_print_vuln ret
+    status=UNK
+    sys_interface_available=0
+    msg=''
+    if [ "$opt_sysfs_only" != 1 ]; then
+        pr_info_nol "* Zenbleed mitigation is supported by kernel: "
+        kernel_zenbleed=''
+        if [ -n "$g_kernel_err" ]; then
+            kernel_zenbleed_err="$g_kernel_err"
+        # commit 522b1d69219d8f083173819fde04f994aa051a98
+        elif grep -q 'Zenbleed:' "$g_kernel"; then
+            kernel_zenbleed="found zenbleed message in kernel image"
+        fi
+        if [ -n "$kernel_zenbleed" ]; then
+            pstatus green YES "$kernel_zenbleed"
+        elif [ -n "$kernel_zenbleed_err" ]; then
+            pstatus yellow UNKNOWN "$kernel_zenbleed_err"
+        else
+            pstatus yellow NO
+        fi
+        pr_info_nol "* Zenbleed kernel mitigation enabled and active: "
+        if [ "$opt_live" = 1 ]; then
+            # read the DE_CFG MSR, we want to check the 9th bit
+            # don't do it on non-Zen2 AMD CPUs or later, aka Family 17h,
+            # as the behavior could be unknown on others
+            if is_amd && [ "$cpu_family" -ge $((0x17)) ]; then
+                read_msr 0xc0011029
+                ret=$?
+                if [ "$ret" = "$READ_MSR_RET_OK" ]; then
+                    if [ $((ret_read_msr_value_lo >> 9 & 1)) -eq 1 ]; then
+                        pstatus green YES "FP_BACKUP_FIX bit set in DE_CFG"
+                        fp_backup_fix=1
+                    else
+                        pstatus yellow NO "FP_BACKUP_FIX is cleared in DE_CFG"
+                        fp_backup_fix=0
+                    fi
+                elif [ "$ret" = "$READ_MSR_RET_KO" ]; then
+                    pstatus yellow UNKNOWN "Couldn't read the DE_CFG MSR"
+                else
+                    pstatus yellow UNKNOWN "$ret_read_msr_msg"
+                fi
+            else
+                fp_backup_fix=0
+                pstatus blue N/A "CPU is incompatible"
+            fi
+        else
+            pstatus blue N/A "not testable in offline mode"
+        fi
+
+        pr_info_nol "* Zenbleed mitigation is supported by CPU microcode: "
+        has_zenbleed_fixed_firmware
+        ret=$?
+        if [ "$ret" -eq 0 ]; then
+            pstatus green YES
+            ucode_zenbleed=1
+        elif [ "$ret" -eq 1 ]; then
+            pstatus yellow NO
+            ucode_zenbleed=2
+        else
+            pstatus yellow UNKNOWN
+            ucode_zenbleed=3
+        fi
+
+    elif [ "$sys_interface_available" = 0 ]; then
+        # we have no sysfs but were asked to use it only!
+        msg="/sys vulnerability interface use forced, but it's not available!"
+        status=UNK
+    fi
+
+    if ! is_cpu_affected "$cve"; then
+        # override status & msg in case CPU is not vulnerable after all
+        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+    elif [ -z "$msg" ]; then
+        # if msg is empty, sysfs check didn't fill it, rely on our own test
+        zenbleed_print_vuln=0
+        if [ "$opt_live" = 1 ]; then
+            if [ "$fp_backup_fix" = 1 ] && [ "$ucode_zenbleed" = 1 ]; then
+                # this should never happen, but if it does, it's interesting to know
+                pvulnstatus "$cve" OK "Both your CPU microcode and kernel are mitigating Zenbleed"
+            elif [ "$ucode_zenbleed" = 1 ]; then
+                pvulnstatus "$cve" OK "Your CPU microcode mitigates Zenbleed"
+            elif [ "$fp_backup_fix" = 1 ]; then
+                pvulnstatus "$cve" OK "Your kernel mitigates Zenbleed"
+            else
+                zenbleed_print_vuln=1
+            fi
+        else
+            if [ "$ucode_zenbleed" = 1 ]; then
+                pvulnstatus "$cve" OK "Your CPU microcode mitigates Zenbleed"
+            elif [ -n "$kernel_zenbleed" ]; then
+                pvulnstatus "$cve" OK "Your kernel mitigates Zenbleed"
+            else
+                zenbleed_print_vuln=1
+            fi
+        fi
+        if [ "$zenbleed_print_vuln" = 1 ]; then
+            pvulnstatus "$cve" VULN "Your kernel is too old to mitigate Zenbleed and your CPU microcode doesn't mitigate it either"
+            explain "Your CPU vendor may have a new microcode for your CPU model that mitigates this issue (refer to the hardware section above).\n " \
+                "Otherwise, the Linux kernel is able to mitigate this issue regardless of the microcode version you have, but in this case\n " \
+                "your kernel is too old to support this, your Linux distribution vendor might have a more recent version you should upgrade to.\n " \
+                "Note that either having an up to date microcode OR an up to date kernel is enough to mitigate this issue.\n " \
+                "To manually mitigate the issue right now, you may use the following command: \`wrmsr -a 0xc0011029 \$((\$(rdmsr -c 0xc0011029) | (1<<9)))\`,\n " \
+                "however note that this manual mitigation will only be active until the next reboot."
+        fi
+        unset zenbleed_print_vuln
+    else
+        pvulnstatus "$cve" "$status" "$msg"
+    fi
+}
--- a/src/vulns/CVE-2023-23583.sh
+++ b/src/vulns/CVE-2023-23583.sh
@@ -0,0 +1,32 @@
+# vim: set ts=4 sw=4 sts=4 et:
+#######################
+# Reptar section
+
+# CVE-2023-23583 Reptar (redundant prefix issue) - entry point
+check_CVE_2023_23583() {
+    check_cve 'CVE-2023-23583'
+}
+
+# CVE-2023-23583 Reptar (redundant prefix issue) - Linux mitigation check
+check_CVE_2023_23583_linux() {
+    local status sys_interface_available msg
+    status=UNK
+    sys_interface_available=0
+    msg=''
+
+    # there is no sysfs file for this vuln, and no kernel patch,
+    # the mitigation is only ucode-based and there's no flag exposed,
+    # so most of the work has already been done by is_cpu_affected()
+    if ! is_cpu_affected "$cve"; then
+        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+    else
+        pr_info_nol "* Reptar is mitigated by microcode: "
+        if [ "$cpu_ucode" -lt "$g_reptar_fixed_ucode_version" ]; then
+            pstatus yellow NO "You have ucode $(printf "0x%x" "$cpu_ucode") and version $(printf "0x%x" "$g_reptar_fixed_ucode_version") minimum is required"
+            pvulnstatus "$cve" VULN "Your microcode is too old to mitigate the vulnerability"
+        else
+            pstatus green YES "You have ucode $(printf "0x%x" "$cpu_ucode") which is recent enough (>= $(printf "0x%x" "$g_reptar_fixed_ucode_version"))"
+            pvulnstatus "$cve" OK "Your microcode mitigates the vulnerability"
+        fi
+    fi
+}
--- a/src/vulns/CVE-2024-36350.sh
+++ b/src/vulns/CVE-2024-36350.sh
@@ -0,0 +1,116 @@
+# vim: set ts=4 sw=4 sts=4 et:
+####################
+# TSA-SQ section
+
+# CVE-2024-36350 TSA-SQ (transient scheduler attack - store queue) - entry point
+check_CVE_2024_36350() {
+    check_cve 'CVE-2024-36350'
+}
+
+# CVE-2024-36350 TSA-SQ (transient scheduler attack - store queue) - Linux mitigation check
+check_CVE_2024_36350_linux() {
+    local status sys_interface_available msg kernel_tsa kernel_tsa_err smt_enabled ret
+    status=UNK
+    sys_interface_available=0
+    msg=''
+
+    if sys_interface_check "$VULN_SYSFS_BASE/tsa"; then
+        # this kernel has the /sys interface, trust it over everything
+        sys_interface_available=1
+        status=$ret_sys_interface_check_status
+    fi
+
+    if [ "$opt_sysfs_only" != 1 ]; then
+        pr_info_nol "* Kernel supports TSA mitigation: "
+        kernel_tsa=''
+        kernel_tsa_err=''
+        if [ -n "$g_kernel_err" ]; then
+            kernel_tsa_err="$g_kernel_err"
+        # commit d8010d4ba43e: "Transient Scheduler Attacks:" is printed by tsa_select_mitigation()
+        elif grep -q 'Transient Scheduler Attacks' "$g_kernel"; then
+            kernel_tsa="found TSA mitigation message in kernel image"
+        fi
+        if [ -z "$kernel_tsa" ] && [ -r "$opt_config" ]; then
+            if grep -q '^CONFIG_MITIGATION_TSA=y' "$opt_config"; then
+                kernel_tsa="CONFIG_MITIGATION_TSA=y found in kernel config"
+            fi
+        fi
+        if [ -z "$kernel_tsa" ] && [ -n "$g_kernel_map" ]; then
+            if grep -q 'tsa_select_mitigation' "$g_kernel_map"; then
+                kernel_tsa="found tsa_select_mitigation in System.map"
+            fi
+        fi
+        if [ -n "$kernel_tsa" ]; then
+            pstatus green YES "$kernel_tsa"
+        elif [ -n "$kernel_tsa_err" ]; then
+            pstatus yellow UNKNOWN "$kernel_tsa_err"
+        else
+            pstatus yellow NO
+        fi
+
+        pr_info_nol "* CPU explicitly indicates not vulnerable to TSA-SQ (TSA_SQ_NO): "
+        if [ "$cap_tsa_sq_no" = 1 ]; then
+            pstatus green YES
+        elif [ "$cap_tsa_sq_no" = 0 ]; then
+            pstatus yellow NO
+        else
+            pstatus yellow UNKNOWN "couldn't read CPUID leaf 0x80000021"
+        fi
+
+        pr_info_nol "* Microcode supports VERW buffer clearing: "
+        if [ "$cap_verw_clear" = 1 ]; then
+            pstatus green YES
+        elif [ "$cap_verw_clear" = 0 ]; then
+            pstatus yellow NO
+        else
+            pstatus yellow UNKNOWN "couldn't read CPUID leaf 0x80000021"
+        fi
+
+        pr_info_nol "* Hyper-Threading (SMT) is enabled: "
+        is_cpu_smt_enabled
+        smt_enabled=$?
+        if [ "$smt_enabled" = 0 ]; then
+            pstatus yellow YES
+        else
+            pstatus green NO
+        fi
+
+    elif [ "$sys_interface_available" = 0 ]; then
+        # we have no sysfs but were asked to use it only!
+        msg="/sys vulnerability interface use forced, but it's not available!"
+        status=UNK
+    fi
+
+    if ! is_cpu_affected "$cve"; then
+        # override status & msg in case CPU is not vulnerable after all
+        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+    elif [ -z "$msg" ]; then
+        # if msg is empty, sysfs check didn't fill it, rely on our own test
+        if [ "$opt_sysfs_only" != 1 ]; then
+            if [ "$cap_verw_clear" = 1 ] && [ -n "$kernel_tsa" ]; then
+                if [ "$opt_paranoid" = 1 ] && [ "$smt_enabled" = 0 ]; then
+                    pvulnstatus "$cve" VULN "Mitigation active but SMT must be disabled for full TSA-SQ protection"
+                    explain "Disable SMT by adding \`nosmt\` to your kernel command line for complete protection against cross-thread TSA-SQ leakage."
+                else
+                    pvulnstatus "$cve" OK "Both kernel and microcode mitigate the vulnerability"
+                fi
+            elif [ "$cap_verw_clear" = 1 ]; then
+                pvulnstatus "$cve" VULN "Microcode supports mitigation but kernel is too old"
+                explain "Update your kernel to a version that supports CONFIG_MITIGATION_TSA (Linux 6.16+),\n " \
+                    "or check if your distribution has backported the TSA mitigation."
+            elif [ -n "$kernel_tsa" ]; then
+                pvulnstatus "$cve" VULN "Kernel supports mitigation but microcode is too old"
+                explain "Update your CPU microcode via a BIOS/firmware update from your OEM.\n " \
+                    "The microcode must expose the VERW_CLEAR capability (CPUID 0x80000021 EAX bit 5)."
+            else
+                pvulnstatus "$cve" VULN "Neither kernel nor microcode mitigate the vulnerability"
+                explain "Both a kernel update (CONFIG_MITIGATION_TSA, Linux 6.16+) and a microcode/firmware update\n " \
+                    "from your OEM are needed to mitigate this vulnerability."
+            fi
+        else
+            pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
+        fi
+    else
+        pvulnstatus "$cve" "$status" "$msg"
+    fi
+}
--- a/src/vulns/CVE-2024-36357.sh
+++ b/src/vulns/CVE-2024-36357.sh
@@ -0,0 +1,102 @@
+# vim: set ts=4 sw=4 sts=4 et:
+####################
+# TSA-L1 section
+
+# CVE-2024-36357 TSA-L1 (transient scheduler attack - L1 cache) - entry point
+check_CVE_2024_36357() {
+    check_cve 'CVE-2024-36357'
+}
+
+# CVE-2024-36357 TSA-L1 (transient scheduler attack - L1 cache) - Linux mitigation check
+check_CVE_2024_36357_linux() {
+    local status sys_interface_available msg kernel_tsa kernel_tsa_err ret
+    status=UNK
+    sys_interface_available=0
+    msg=''
+
+    if sys_interface_check "$VULN_SYSFS_BASE/tsa"; then
+        # this kernel has the /sys interface, trust it over everything
+        sys_interface_available=1
+        status=$ret_sys_interface_check_status
+    fi
+
+    if [ "$opt_sysfs_only" != 1 ]; then
+        pr_info_nol "* Kernel supports TSA mitigation: "
+        kernel_tsa=''
+        kernel_tsa_err=''
+        if [ -n "$g_kernel_err" ]; then
+            kernel_tsa_err="$g_kernel_err"
+        # commit d8010d4ba43e: "Transient Scheduler Attacks:" is printed by tsa_select_mitigation()
+        elif grep -q 'Transient Scheduler Attacks' "$g_kernel"; then
+            kernel_tsa="found TSA mitigation message in kernel image"
+        fi
+        if [ -z "$kernel_tsa" ] && [ -r "$opt_config" ]; then
+            if grep -q '^CONFIG_MITIGATION_TSA=y' "$opt_config"; then
+                kernel_tsa="CONFIG_MITIGATION_TSA=y found in kernel config"
+            fi
+        fi
+        if [ -z "$kernel_tsa" ] && [ -n "$g_kernel_map" ]; then
+            if grep -q 'tsa_select_mitigation' "$g_kernel_map"; then
+                kernel_tsa="found tsa_select_mitigation in System.map"
+            fi
+        fi
+        if [ -n "$kernel_tsa" ]; then
+            pstatus green YES "$kernel_tsa"
+        elif [ -n "$kernel_tsa_err" ]; then
+            pstatus yellow UNKNOWN "$kernel_tsa_err"
+        else
+            pstatus yellow NO
+        fi
+
+        pr_info_nol "* CPU explicitly indicates not vulnerable to TSA-L1 (TSA_L1_NO): "
+        if [ "$cap_tsa_l1_no" = 1 ]; then
+            pstatus green YES
+        elif [ "$cap_tsa_l1_no" = 0 ]; then
+            pstatus yellow NO
+        else
+            pstatus yellow UNKNOWN "couldn't read CPUID leaf 0x80000021"
+        fi
+
+        pr_info_nol "* Microcode supports VERW buffer clearing: "
+        if [ "$cap_verw_clear" = 1 ]; then
+            pstatus green YES
+        elif [ "$cap_verw_clear" = 0 ]; then
+            pstatus yellow NO
+        else
+            pstatus yellow UNKNOWN "couldn't read CPUID leaf 0x80000021"
+        fi
+
+    elif [ "$sys_interface_available" = 0 ]; then
+        # we have no sysfs but were asked to use it only!
+        msg="/sys vulnerability interface use forced, but it's not available!"
+        status=UNK
+    fi
+
+    if ! is_cpu_affected "$cve"; then
+        # override status & msg in case CPU is not vulnerable after all
+        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+    elif [ -z "$msg" ]; then
+        # if msg is empty, sysfs check didn't fill it, rely on our own test
+        if [ "$opt_sysfs_only" != 1 ]; then
+            if [ "$cap_verw_clear" = 1 ] && [ -n "$kernel_tsa" ]; then
+                pvulnstatus "$cve" OK "Both kernel and microcode mitigate the vulnerability"
+            elif [ "$cap_verw_clear" = 1 ]; then
+                pvulnstatus "$cve" VULN "Microcode supports mitigation but kernel is too old"
+                explain "Update your kernel to a version that supports CONFIG_MITIGATION_TSA (Linux 6.16+),\n " \
+                    "or check if your distribution has backported the TSA mitigation."
+            elif [ -n "$kernel_tsa" ]; then
+                pvulnstatus "$cve" VULN "Kernel supports mitigation but microcode is too old"
+                explain "Update your CPU microcode via a BIOS/firmware update from your OEM.\n " \
+                    "The microcode must expose the VERW_CLEAR capability (CPUID 0x80000021 EAX bit 5)."
+            else
+                pvulnstatus "$cve" VULN "Neither kernel nor microcode mitigate the vulnerability"
+                explain "Both a kernel update (CONFIG_MITIGATION_TSA, Linux 6.16+) and a microcode/firmware update\n " \
+                    "from your OEM are needed to mitigate this vulnerability."
+            fi
+        else
+            pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
+        fi
+    else
+        pvulnstatus "$cve" "$status" "$msg"
+    fi
+}