enh: guard x86/arm specific checks in kernel/cpu for the proper arch

built from commit c64d4bb481
 dated 2026-04-10 18:37:32 +0200
 by Stéphane Lesimple (speed47_github@speed47.net)

.github/workflows/build.yml

@@ -25,21 +25,81 @@ jobs:
         mv spectre-meltdown-checker.sh dist/
     - name: check direct execution
       run: |
+        set -x
         expected=$(cat .github/workflows/expected_cve_count)
         cd dist
-        nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l)
+
+        json=$(sudo ./spectre-meltdown-checker.sh --batch json || true)
+
+        # Validate JSON is well-formed (and show it if not)
+        echo "$json" | jq . >/dev/null || {
+          echo "Invalid JSON produced by spectre-meltdown-checker.sh"
+          echo "$json"
+          exit 1
+        }
+
+        # Validate required keys exist
+        for key in meta system cpu cpu_microcode vulnerabilities; do
+          echo "$json" | jq -e ".$key" >/dev/null || {
+            echo "Missing top-level key: $key"
+            echo "$json" | jq .
+            exit 1
+          }
+        done
+
+        # Use -r to get raw scalars (no quotes)
+        fmtver=$(echo "$json" | jq -r '.meta.format_version // empty')
+        if [ "$fmtver" != "1" ]; then
+          echo "Unexpected format_version: $fmtver"
+          echo "$json" | jq .
+          exit 1
+        fi
+
+        run_as_root=$(echo "$json" | jq -r '.meta.run_as_root // empty')
+        if [ "$run_as_root" != "true" ]; then
+          echo "Expected run_as_root=true, got: $run_as_root"
+          echo "$json" | jq .
+          exit 1
+        fi
+
+        mocked=$(echo "$json" | jq -r '.meta.mocked // "false"')
+        if [ "$mocked" = "true" ]; then
+          echo "mocked=true must never appear in production"
+          echo "$json" | jq .
+          exit 1
+        fi
+
+        # Count CVEs robustly (as a number)
+        nb=$(echo "$json" | jq -r '[.vulnerabilities[].cve] | length')
         if [ "$nb" -ne "$expected" ]; then
           echo "Invalid number of CVEs reported: $nb instead of $expected"
+          echo "$json" | jq '.vulnerabilities[].cve'
           exit 1
         else
           echo "OK $nb CVEs reported"
         fi
+
+        # Validate json-terse backward compatibility
+        nb_terse=$(sudo ./spectre-meltdown-checker.sh --batch json-terse | jq -r 'map(.CVE) | length')
+        if [ "$nb_terse" -ne "$expected" ]; then
+          echo "json-terse backward compat broken: $nb_terse CVEs instead of $expected"
+          exit 1
+        else
+          echo "OK json-terse backward compat: $nb_terse CVEs"
+        fi
     - name: check docker compose run execution
       run: |
         expected=$(cat .github/workflows/expected_cve_count)
         cd dist
         docker compose build
-        nb=$(docker compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
+        json=$(docker compose run --rm spectre-meltdown-checker --batch json || true)
+        echo "$json" | jq . > /dev/null
+        fmtver=$(echo "$json" | jq '.meta.format_version')
+        if [ "$fmtver" != "1" ]; then
+          echo "Unexpected format_version: $fmtver"
+          exit 1
+        fi
+        nb=$(echo "$json" | jq '.vulnerabilities[].cve' | wc -l)
         if [ "$nb" -ne "$expected" ]; then
           echo "Invalid number of CVEs reported: $nb instead of $expected"
           exit 1
@@ -51,7 +111,14 @@ jobs:
         expected=$(cat .github/workflows/expected_cve_count)
         cd dist
         docker build -t spectre-meltdown-checker .
-        nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
+        json=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json || true)
+        echo "$json" | jq . > /dev/null
+        fmtver=$(echo "$json" | jq '.meta.format_version')
+        if [ "$fmtver" != "1" ]; then
+          echo "Unexpected format_version: $fmtver"
+          exit 1
+        fi
+        nb=$(echo "$json" | jq '.vulnerabilities[].cve' | wc -l)
         if [ "$nb" -ne "$expected" ]; then
           echo "Invalid number of CVEs reported: $nb instead of $expected"
           exit 1
@@ -92,15 +159,19 @@ jobs:
         fi
     - name: create a pull request to ${{ github.ref_name }}-build
       run: |
+        # all the files in dist/* and .github/* must be moved as is to the -build branch root, move them out for now:
         tmpdir=$(mktemp -d)
         mv ./dist/* .github $tmpdir/
         rm -rf ./dist
+
         git fetch origin ${{ github.ref_name }}-build
         git checkout -f ${{ github.ref_name }}-build
+        rm -rf doc/
         mv $tmpdir/* .
-        rm -rf src/
+        rm -rf src/ scripts/ img/
         mkdir -p .github
         rsync -vaP --delete $tmpdir/.github/ .github/
+
         git add --all
         echo =#=#= DIFF CACHED
         git diff --cached

.github/workflows/expected_cve_count

@@ -1 +1 @@
-26
+31

.github/workflows/vuln-watch.yml

@@ -1,190 +0,0 @@
-name: Online search for vulns
-
-on:
-  schedule:
-    - cron: '42 8 * * *'
-  workflow_dispatch:
-    inputs:
-      model:
-        description: 'Claude model to use (cron runs default to Sonnet)'
-        required: false
-        type: choice
-        default: claude-sonnet-4-6
-        options:
-          - claude-sonnet-4-6
-          - claude-opus-4-7
-          - claude-haiku-4-5-20251001
-      window_hours:
-        description: 'Lookback window in hours (cron runs use 25)'
-        required: false
-        type: string
-        default: '25'
-      reconsider_age_days:
-        description: 'Only reconsider backlog entries last reviewed ≥ N days ago (0 = all, default 7)'
-        required: false
-        type: string
-        default: '7'
-
-permissions:
-  contents: read
-  actions: read           # needed to list/download previous run artifacts
-  id-token: write         # needed by claude-code-action for OIDC auth
-
-concurrency:
-  group: vuln-watch
-  cancel-in-progress: true
-
-jobs:
-  watch:
-    runs-on: ubuntu-latest
-    timeout-minutes: 20
-
-    steps:
-      # The scripts driving this workflow live on the `vuln-watch` branch so
-      # they don't clutter master (which is what ships to production). The
-      # workflow file itself MUST stay on the default branch, as GitHub only
-      # honors `schedule:` triggers on the default branch.
-      - name: Checkout vuln-watch branch (scripts + prompt)
-        uses: actions/checkout@v5
-        with:
-          ref: vuln-watch
-          fetch-depth: 1
-          persist-credentials: false
-
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: '3.12'
-
-      - name: Install Python dependencies
-        run: python -m pip install --quiet feedparser
-
-      # ---- Load previous state ---------------------------------------------
-      # Find the most recent successful run of THIS workflow (other than the
-      # current one) and pull its `vuln-watch-state` artifact. On the very
-      # first run there will be none — that's fine, we start empty.
-      - name: Find previous successful run id
-        id: prev
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          set -e
-          run_id=$(gh run list \
-            --workflow="${{ github.workflow }}" \
-            --status=success \
-            --limit 1 \
-            --json databaseId \
-            --jq '.[0].databaseId // empty')
-          echo "run_id=${run_id}" >> "$GITHUB_OUTPUT"
-          if [ -n "$run_id" ]; then
-            echo "Found previous successful run: $run_id"
-          else
-            echo "No previous successful run — starting from empty state."
-          fi
-
-      - name: Download previous state artifact
-        if: steps.prev.outputs.run_id != ''
-        uses: actions/download-artifact@v5
-        continue-on-error: true   # tolerate retention expiry
-        with:
-          name: vuln-watch-state
-          path: state/
-          run-id: ${{ steps.prev.outputs.run_id }}
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-
-      # ---- Fetch + diff (token-free; runs every time) ---------------------
-      # Performs conditional GETs (ETag / If-Modified-Since) against every
-      # source, parses RSS/Atom/HTML, dedups against state.seen + state.aliases,
-      # applies the time-window filter, and emits new_items.json.
-      # Updates state.sources (HTTP cache metadata + per-source high-water
-      # marks) in place so the cache survives even when Claude doesn't run.
-      - name: Fetch + diff all sources
-        id: diff
-        env:
-          SCAN_DATE: ${{ github.run_started_at }}
-          # Cron runs have no `inputs` context, so the fallback kicks in.
-          WINDOW_HOURS:         ${{ inputs.window_hours || '25' }}
-          RECONSIDER_AGE_DAYS:  ${{ inputs.reconsider_age_days || '7' }}
-        run: python -m scripts.vuln_watch.fetch_and_diff
-
-      # ---- Fetch checker code so Claude can grep it for coverage ---------
-      # The orphan vuln-watch branch has none of the actual checker code,
-      # so we pull the `test` branch (the dev branch where coded-but-
-      # unreleased CVE checks live) into ./checker/. The prompt tells
-      # Claude this is the canonical source of truth for "is CVE-X already
-      # implemented?". Only fetched on days with something to classify.
-      - name: Checkout checker code (test branch) for coverage grep
-        if: steps.diff.outputs.new_count != '0' || steps.diff.outputs.reconsider_count != '0'
-        uses: actions/checkout@v5
-        with:
-          ref: test
-          path: checker
-          fetch-depth: 1
-          persist-credentials: false
-
-      # ---- Classify new items with Claude (skipped when nothing is new) ---
-      # Model selection: a manual workflow_dispatch run picks from a dropdown
-      # (defaulting to Sonnet). Scheduled cron runs have no `inputs` context,
-      # so the `|| 'claude-sonnet-4-6'` fallback kicks in — cron always uses
-      # Sonnet to keep the daily cost floor low.
-      - name: Run classifier with Claude
-        id: classify
-        if: steps.diff.outputs.new_count != '0' || steps.diff.outputs.reconsider_count != '0'
-        uses: anthropics/claude-code-action@v1
-        env:
-          SCAN_DATE: ${{ github.run_started_at }}
-        with:
-          prompt: |
-            Read the full task instructions from scripts/daily_vuln_watch_prompt.md
-            and execute them end-to-end. Your input is new_items.json (already
-            deduped, windowed, and pre-filtered — do NOT re-fetch sources).
-            Write the three watch_${TODAY}_*.md files and classifications.json.
-            Use $SCAN_DATE as the canonical timestamp.
-          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
-          # model + tool allowlist pass through claude_args (v1 dropped the
-          # dedicated `model:` and `allowed_tools:` inputs). Job-level
-          # `timeout-minutes: 20` above bounds total runtime.
-          claude_args: |
-            --model ${{ inputs.model || 'claude-sonnet-4-6' }}
-            --allowedTools "Read,Write,Edit,Bash,Grep,Glob,WebFetch"
-
-      - name: Upload Claude execution log
-        if: ${{ always() && steps.classify.outputs.execution_file != '' }}
-        uses: actions/upload-artifact@v5
-        with:
-          name: claude-execution-log-${{ github.run_id }}
-          path: ${{ steps.classify.outputs.execution_file }}
-          retention-days: 30
-          if-no-files-found: warn
-
-      # ---- Merge classifications back into state --------------------------
-      # Also writes stub watch_*.md files if the classify step was skipped, so
-      # the report artifact is consistent across runs.
-      - name: Merge classifications into state
-        if: always()
-        env:
-          SCAN_DATE: ${{ github.run_started_at }}
-        run: python -m scripts.vuln_watch.merge_state
-
-      - name: Upload new state artifact
-        if: always()
-        uses: actions/upload-artifact@v5
-        with:
-          name: vuln-watch-state
-          path: state/seen.json
-          retention-days: 90
-          if-no-files-found: error
-
-      - name: Upload daily report
-        if: always()
-        uses: actions/upload-artifact@v5
-        with:
-          name: vuln-watch-report-${{ github.run_id }}
-          path: |
-            watch_*.md
-            current_toimplement.md
-            current_tocheck.md
-            new_items.json
-            classifications.json
-          retention-days: 90
-          if-no-files-found: warn

README.md

@@ -38,7 +38,6 @@ CVE | Name | Aliases
 [CVE-2024-36357](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36357) | Transient Scheduler Attack, L1 | TSA-L1
 [CVE-2025-40300](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-40300) | VM-Exit Stale Branch Prediction | VMScape
 [CVE-2024-45332](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45332) | Branch Privilege Injection | BPI
-[CVE-2025-54505](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54505) | AMD Zen1 Floating-Point Divider Stale Data Leak | FPDSS
 
 ## Am I at risk?
 
@@ -78,7 +77,6 @@ CVE-2024-36350 (TSA-SQ) | 💥 | 💥 (1) | 💥 | 💥 (1) | Microcode + kernel
 CVE-2024-36357 (TSA-L1) | 💥 | 💥 (1) | 💥 | 💥 (1) | Microcode + kernel update
 CVE-2025-40300 (VMScape) | ✅ | ✅ | 💥 | ✅ | Kernel update (IBPB on VM-exit)
 CVE-2024-45332 (BPI) | 💥 | ✅ | 💥 | ✅ | Microcode update
-CVE-2025-54505 (FPDSS) | 💥 | 💥 | 💥 | 💥 | Kernel update
 
 > 💥 Data can be leaked across this boundary.
 
@@ -209,10 +207,6 @@ After a guest VM exits to the host, stale branch predictions from the guest can
 
 A race condition in the branch predictor update mechanism of Intel processors (Coffee Lake through Raptor Lake, plus some server and Atom parts) allows user-space branch predictions to briefly influence kernel-space speculative execution, undermining eIBRS and IBPB protections. This means systems relying solely on eIBRS for Spectre V2 mitigation may not be fully protected without the microcode fix. Mitigation requires a microcode update (intel-microcode 20250512+) that fixes the asynchronous branch predictor update timing so that eIBRS and IBPB work as originally intended. No kernel changes are required. Performance impact is negligible.
 
-**CVE-2025-54505 — AMD Zen1 Floating-Point Divider Stale Data Leak (FPDSS)**
-
-On AMD Zen1 and Zen+ processors (EPYC 7001, EPYC Embedded 3000, Athlon 3000 with Radeon, Ryzen 3000 with Radeon, Ryzen PRO 3000 with Radeon Vega), the hardware floating-point divider can retain partial quotient data from previous operations. Under certain circumstances, those results can be leaked to another thread sharing the same divider, crossing any privilege boundary. This was assigned CVE-2025-54505 and published by AMD as AMD-SB-7053 on 2026-04-17. Mitigation requires a kernel update (mainline commit e55d98e77561, "x86/CPU: Fix FPDSS on Zen1", Linux 7.1) that sets bit 9 (ZEN1_DENORM_FIX_BIT) of MSR 0xc0011028 (MSR_AMD64_FP_CFG) unconditionally on every Zen1 CPU at boot, disabling the hardware optimization responsible for the leak. No microcode update is required: the chicken bit is present in Zen1 silicon from the factory and is independent of microcode revision. Performance impact is limited to a small reduction in floating-point divide throughput, which is why AMD does not enable the bit by default in hardware.
-
 </details>
 
 ## Unsupported CVEs

doc/UNSUPPORTED_CVE_LIST.md

@@ -124,17 +124,6 @@ A branch predictor initialization issue specific to Intel's Lion Cove microarchi
 
 These CVEs are real vulnerabilities, but no kernel or microcode fix has been issued, the mitigation is delegated to individual software, or the fix is not detectable by this tool.
 
-## CVE-2018-3665 — Lazy FP State Restore (LazyFP)
-
-- **Advisory:** [INTEL-SA-00145](https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/lazy-fp-state-restore.html)
-- **Research paper:** [LazyFP: Leaking FPU Register State using Microarchitectural Side-Channels (Stecklina & Prescher, 2018)](https://arxiv.org/abs/1806.07480)
-- **Affected CPUs:** Intel Core family (Sandy Bridge through Kaby Lake) when lazy FPU switching is in use
-- **CVSS:** 4.3 (Medium)
-
-Intel CPUs using lazy FPU state switching may speculatively expose another process's FPU/SSE/AVX register contents (including AES round keys and other cryptographic material) across context switches. The `#NM` (device-not-available) exception normally used to trigger lazy restore is delivered late enough that dependent instructions can transiently execute against the stale FPU state before the fault squashes them.
-
-**Why out of scope:** The Linux mitigation is to use eager FPU save/restore, which was already the default on Intel CPUs with XSAVEOPT well before disclosure, and was then hard-enforced upstream by the removal of all lazy FPU code in Linux 4.14 (Andy Lutomirski's "x86/fpu: Hard-disable lazy FPU mode" cleanup). There is no `/sys/devices/system/cpu/vulnerabilities/` entry, no CPUID flag, no MSR, and no kernel config option that reflects this mitigation — detection on a running kernel would require hardcoding kernel version ranges, which is against this tool's design principles (same rationale as CVE-2019-15902). In practice, any supported kernel today is eager-FPU-only, and CPUs advertising XSAVEOPT/XSAVES cannot enter the vulnerable lazy-switching mode regardless of kernel configuration.
-
 ## CVE-2018-9056 — BranchScope
 
 - **Issue:** [#169](https://github.com/speed47/spectre-meltdown-checker/issues/169)

doc/batch_json.md

@@ -102,9 +102,7 @@ boundaries by a malicious guest.  Prioritise remediation where
 
 ### `cpu`
 
-CPU hardware identification.  `null` when `--no-hw` is active, or when
-`--arch-prefix` is set (host CPU info is then suppressed to avoid mixing
-with a different-arch target kernel).
+CPU hardware identification.  `null` when `--no-hw` is active.
 
 The object uses `arch` as a discriminator: `"x86"` for Intel/AMD/Hygon CPUs,
 `"arm"` for ARM/Cavium/Phytium.  Arch-specific fields live under a matching
@@ -142,7 +140,7 @@ fields from the other architecture.
 
 #### `cpu.x86.capabilities`
 
-Every capability is a **tri-state**: `true` (present), `false` (absent), or
+Each capability is a **tri-state**: `true` (present), `false` (absent), or
 `null` (not applicable or could not be read, e.g. when not root or on AMD for
 Intel-specific features).
 
@@ -240,7 +238,7 @@ with an unknown CVE ID).
 | `status` | string | `"OK"` / `"VULN"` / `"UNK"` | Check outcome (see below) |
 | `vulnerable` | boolean \| null | `false` / `true` / `null` | `false`=OK, `true`=VULN, `null`=UNK |
 | `info` | string | | Human-readable description of the specific mitigation state or reason |
-| `sysfs_status` | string \| null | `"OK"` / `"VULN"` / `"UNK"` / null | Status as reported by the kernel via `/sys/devices/system/cpu/vulnerabilities/`; null if sysfs was not consulted for this CVE, or if the CVE's check read sysfs in silent/quiet mode (raw message is still captured in `sysfs_message`) |
+| `sysfs_status` | string \| null | `"OK"` / `"VULN"` / `"UNK"` / null | Status as reported by the kernel via `/sys/devices/system/cpu/vulnerabilities/`; null if sysfs was not consulted for this CVE |
 | `sysfs_message` | string \| null | | Raw text from the sysfs file (e.g. `"Mitigation: PTI"`); null if sysfs was not consulted |
 
 #### Status values

doc/batch_json.schema.json

@@ -127,7 +127,7 @@
     },
 
     "cpu": {
-      "description": "CPU hardware identification. Null when --no-hw is active or when --arch-prefix is set (host CPU info is then suppressed to avoid mixing with a different-arch target kernel). Contains an 'arch' discriminator ('x86' or 'arm') and a matching arch-specific sub-object with identification fields and capabilities.",
+      "description": "CPU hardware identification. Null when --no-hw is active. Contains an 'arch' discriminator ('x86' or 'arm') and a matching arch-specific sub-object with identification fields and capabilities.",
       "oneOf": [
         { "type": "null" },
         {
@@ -180,16 +180,16 @@
                   "type": ["string", "null"]
                 },
                 "capabilities": {
-                  "description": "CPU feature flags detected via CPUID and MSR reads. Every value is tri-state: true=present, false=absent, null=not applicable or unreadable.",
+                  "description": "CPU feature flags detected via CPUID and MSR reads. Each value is true (present), false (absent), or null (not applicable or could not be read).",
                   "type": "object",
                   "additionalProperties": false,
                   "properties": {
                     "spec_ctrl":                      { "type": ["boolean", "null"], "description": "SPEC_CTRL MSR present (Intel; enables IBRS + IBPB via WRMSR)" },
-                    "ibrs":                           { "type": ["boolean", "null"], "description": "IBRS supported (via SPEC_CTRL, IBRS_SUPPORT, or cpuinfo fallback)" },
-                    "ibpb":                           { "type": ["boolean", "null"], "description": "IBPB supported (via SPEC_CTRL, IBPB_SUPPORT, or cpuinfo fallback)" },
+                    "ibrs":                           { "type": ["boolean", "null"], "description": "Indirect Branch Restricted Speculation" },
+                    "ibpb":                           { "type": ["boolean", "null"], "description": "Indirect Branch Prediction Barrier" },
                     "ibpb_ret":                       { "type": ["boolean", "null"], "description": "IBPB on return (enhanced form)" },
-                    "stibp":                          { "type": ["boolean", "null"], "description": "STIBP supported (Intel/AMD/HYGON or cpuinfo fallback)" },
-                    "ssbd":                           { "type": ["boolean", "null"], "description": "SSBD supported (SPEC_CTRL, VIRT_SPEC_CTRL, non-architectural MSR, or cpuinfo fallback)" },
+                    "stibp":                          { "type": ["boolean", "null"], "description": "Single Thread Indirect Branch Predictors" },
+                    "ssbd":                           { "type": ["boolean", "null"], "description": "Speculative Store Bypass Disable" },
                     "l1d_flush":                      { "type": ["boolean", "null"], "description": "L1D cache flush instruction" },
                     "md_clear":                       { "type": ["boolean", "null"], "description": "VERW clears CPU buffers (MDS mitigation)" },
                     "arch_capabilities":              { "type": ["boolean", "null"], "description": "IA32_ARCH_CAPABILITIES MSR is present" },
@@ -231,7 +231,7 @@
                     "tsa_l1_no":                      { "type": ["boolean", "null"], "description": "Not susceptible to TSA-L1" },
                     "verw_clear":                     { "type": ["boolean", "null"], "description": "VERW clears CPU buffers" },
                     "autoibrs":                       { "type": ["boolean", "null"], "description": "AMD AutoIBRS (equivalent to enhanced IBRS on Intel)" },
-                    "sbpb":                           { "type": ["boolean", "null"], "description": "Selective Branch Predictor Barrier (AMD Inception mitigation): true if PRED_CMD MSR SBPB bit write succeeded; false if write failed; null if not verifiable (non-root, CPUID error, or CPU does not report SBPB support)" },
+                    "sbpb":                           { "type": ["boolean", "null"], "description": "Selective Branch Predictor Barrier (AMD Inception mitigation)" },
                     "avx2":                           { "type": ["boolean", "null"], "description": "AVX2 supported (relevant to Downfall / GDS)" },
                     "avx512":                         { "type": ["boolean", "null"], "description": "AVX-512 supported (relevant to Downfall / GDS)" }
                   }

doc/batch_nrpe.md

@@ -51,7 +51,6 @@ STATUS: summary | perfdata
 | VULN + UNK | `N/T CVE(s) vulnerable: CVE-A CVE-B ..., M inconclusive` |
 | UNK only | `N/T CVE checks inconclusive` |
 | Non-root + VULN | `N/T CVE(s) appear vulnerable (unconfirmed, not root): CVE-A ...` |
-| Non-root + VULN + UNK | `N/T CVE(s) appear vulnerable (unconfirmed, not root): CVE-A ..., M inconclusive` |
 
 ### Lines 2+ (long output)
 
@@ -60,19 +59,15 @@ Never parsed by the monitoring core; safe to add or reorder.
 
 #### Context notes
 
-Printed before per-CVE details when applicable.  Notes are emitted in this
-order when more than one applies:
+Printed before per-CVE details when applicable:
 
 | Note | Condition |
 |---|---|
 | `NOTE: paranoid mode active, stricter mitigation requirements applied` | `--paranoid` was used |
-| `NOTE: hypervisor host detected (reason); L1TF/MDS severity is elevated` | System is detected as a VM host (KVM, Xen, VMware…) |
+| `NOTE: hypervisor host detected (reason); L1TF/MDS severity is elevated` | System is a VM host (KVM, Xen, VMware…) |
 | `NOTE: not a hypervisor host` | System is confirmed not a VM host |
 | `NOTE: not running as root; MSR reads skipped, results may be incomplete` | Script ran without root privileges |
 
-When VMM detection did not run (e.g. `--no-hw`), neither the
-`hypervisor host detected` nor the `not a hypervisor host` note is printed.
-
 #### Per-CVE detail lines
 
 One line per non-OK CVE.  VULN entries (`[CRITICAL]`) appear before UNK

doc/batch_prometheus.md

@@ -59,7 +59,7 @@ Script metadata.  Always value `1`; all data is in labels.
 | Label | Values | Meaning |
 |---|---|---|
 | `version` | string | Script version (e.g. `25.30.0250400123`) |
-| `mode` | `live` / `no-runtime` / `no-hw` / `hw-only` | Operating mode (see below) |
+| `mode` | `live` / `offline` | `live` = running on the active kernel; `offline` = inspecting a kernel image |
 | `run_as_root` | `true` / `false` | Whether the script ran as root.  Non-root scans skip MSR reads and may miss mitigations |
 | `paranoid` | `true` / `false` | `--paranoid` mode: stricter criteria (e.g. requires SMT disabled) |
 | `sysfs_only` | `true` / `false` | `--sysfs-only` mode: only the kernel's own sysfs report was used, not independent detection |
@@ -90,16 +90,13 @@ smc_build_info{version="25.30.0250400123",mode="live",run_as_root="true",paranoi
 
 Operating system and kernel metadata.  Always value `1`.
 
-Absent entirely when none of `kernel_release`, `kernel_arch`, or
-`hypervisor_host` can be determined (e.g. non-live mode with no VMM detection).
-Each label is emitted only when its value is known; missing labels are
-omitted rather than set to an empty string.
+Absent in offline mode when neither `uname -r` nor `uname -m` is available.
 
 | Label | Values | Meaning |
 |---|---|---|
-| `kernel_release` | string | Output of `uname -r`; emitted only in live mode |
-| `kernel_arch` | string | Output of `uname -m`; emitted only in live mode |
-| `hypervisor_host` | `true` / `false` | Whether this machine is detected as a hypervisor host (running KVM, Xen, VMware, etc.); absent when VMM detection did not run (e.g. `--no-hw`) |
+| `kernel_release` | string | Output of `uname -r` (live mode only) |
+| `kernel_arch` | string | Output of `uname -m` (live mode only) |
+| `hypervisor_host` | `true` / `false` | Whether this machine is detected as a hypervisor host (running KVM, Xen, VMware, etc.) |
 
 **Example:**
 ```
@@ -117,47 +114,26 @@ a malicious guest.  Always prioritise remediation on hosts where
 ### `smc_cpu_info`
 
 CPU hardware and microcode metadata.  Always value `1`.  Absent when `--no-hw`
-is used or when `--arch-prefix` is set (host CPU info is suppressed to avoid
-mixing with a different-arch target kernel).
-
-Common labels (always emitted when the data is available):
+is used.
 
 | Label | Values | Meaning |
 |---|---|---|
-| `vendor` | string | CPU vendor (e.g. `GenuineIntel`, `AuthenticAMD`, `HygonGenuine`, `ARM`) |
+| `vendor` | string | CPU vendor (e.g. `Intel`, `AuthenticAMD`) |
 | `model` | string | CPU friendly name from `/proc/cpuinfo` |
-| `arch` | `x86` / `arm` | Architecture family; determines which arch-specific labels follow |
-| `smt` | `true` / `false` | Whether SMT (HyperThreading) is currently enabled; absent if undeterminable |
-| `microcode` | hex string | Installed microcode version (e.g. `0xf4`); absent if unreadable |
-| `microcode_latest` | hex string | Latest known-good microcode version from the firmware database; absent if the CPU is not in the database |
-| `microcode_up_to_date` | `true` / `false` | Whether `microcode == microcode_latest`; absent if either is unavailable |
-| `microcode_blacklisted` | `true` / `false` | Whether the installed microcode is known to cause problems and should be rolled back; emitted whenever `microcode` is emitted |
-
-x86-only labels (emitted when `arch="x86"`):
-
-| Label | Values | Meaning |
-|---|---|---|
 | `family` | integer string | CPU family number |
 | `model_id` | integer string | CPU model number |
 | `stepping` | integer string | CPU stepping number |
-| `cpuid` | hex string | Full CPUID value (e.g. `0x000906ed`) |
-| `codename` | string | Intel CPU codename (e.g. `Coffee Lake`); absent on AMD/Hygon |
+| `cpuid` | hex string | Full CPUID value (e.g. `0x000906ed`); absent on some ARM CPUs |
+| `codename` | string | Intel CPU codename (e.g. `Coffee Lake`); absent on AMD and ARM |
+| `smt` | `true` / `false` | Whether SMT (HyperThreading) is currently enabled |
+| `microcode` | hex string | Installed microcode version (e.g. `0xf4`) |
+| `microcode_latest` | hex string | Latest known-good microcode version from the firmware database |
+| `microcode_up_to_date` | `true` / `false` | Whether `microcode == microcode_latest` |
+| `microcode_blacklisted` | `true` / `false` | Whether the installed microcode is known to cause problems and should be rolled back |
 
-ARM-only labels (emitted when `arch="arm"`):
-
-| Label | Values | Meaning |
-|---|---|---|
-| `part_list` | string | Space-separated list of ARM part numbers across cores (e.g. `0xd0b 0xd05` on big.LITTLE) |
-| `arch_list` | string | Space-separated list of ARM architecture levels across cores (e.g. `8 8`) |
-
-**x86 example:**
+**Example:**
 ```
-smc_cpu_info{vendor="GenuineIntel",model="Intel(R) Core(TM) i7-9700K CPU @ 3.60GHz",arch="x86",family="6",model_id="158",stepping="13",cpuid="0x000906ed",codename="Coffee Lake",smt="true",microcode="0xf4",microcode_latest="0xf4",microcode_up_to_date="true",microcode_blacklisted="false"} 1
-```
-
-**ARM example:**
-```
-smc_cpu_info{vendor="ARM",model="ARM v8 model 0xd0b",arch="arm",part_list="0xd0b 0xd05",arch_list="8 8",smt="false"} 1
+smc_cpu_info{vendor="Intel",model="Intel(R) Core(TM) i7-9700K CPU @ 3.60GHz",family="6",model_id="158",stepping="13",cpuid="0x000906ed",codename="Coffee Lake",smt="true",microcode="0xf4",microcode_latest="0xf4",microcode_up_to_date="true",microcode_blacklisted="false"} 1
 ```
 
 **Microcode labels:**
@@ -364,28 +340,16 @@ smc_vulnerability_status == 1
 
 ## Caveats and edge cases
 
-**No-runtime mode (`--no-runtime`)**
+**Offline mode (`--kernel`)**
 `smc_system_info` will have no `kernel_release` or `kernel_arch` labels (those
 come from `uname`, which reports the running kernel, not the inspected one).
-`mode="no-runtime"` in `smc_build_info` signals this.  No-runtime mode is
-primarily useful for pre-deployment auditing, not fleet runtime monitoring.
+`mode="offline"` in `smc_build_info` signals this.  Offline mode is primarily
+useful for pre-deployment auditing, not fleet runtime monitoring.
 
-**No-hardware mode (`--no-hw`)**
+**`--no-hw`**
 `smc_cpu_info` is not emitted.  CPU and microcode labels are absent from all
 queries.  CVE checks that rely on hardware capability detection (`cap_*` flags,
-MSR reads) will report `unknown` status.  `mode="no-hw"` in `smc_build_info`
-signals this.
-
-**Cross-arch inspection (`--arch-prefix`)**
-When a cross-arch toolchain prefix is passed, the script suppresses the host
-CPU metadata so it does not get mixed with data from a different-arch target
-kernel: `smc_cpu_info` is not emitted, the same as under `--no-hw`.
-
-**Hardware-only mode (`--hw-only`)**
-Only hardware detection is performed; CVE checks are skipped.  `smc_cpu_info`
-is emitted but no `smc_vulnerability_status` metrics appear (and
-`smc_vulnerable_count` / `smc_unknown_count` are `0`).  `mode="hw-only"` in
-`smc_build_info` signals this.
+MSR reads) will report `unknown` status.
 
 **`--sysfs-only`**
 The script trusts the kernel's sysfs report (`/sys/devices/system/cpu/vulnerabilities/`)