author | tioguda | 2024-01-21 06:36:51 -0300 |
---|---|---|
committer | tioguda | 2024-01-21 06:36:51 -0300 |
commit | 4e0dabd4294f9de8466f224229d667800c94515d (patch) | |
tree | cc4e056194fa3c2e672c5754637603e41f5cadb4 | |
parent | f5d88d590b6c19b60ad79a61a42b99617709daef (diff) | |
download | aur-4e0dabd4294f9de8466f224229d667800c94515d.tar.gz |
Update to 0.46+23+g0f2edb1
-rw-r--r-- | .SRCINFO | 10 | ||||
-rw-r--r-- | PKGBUILD | 8 | ||||
-rw-r--r-- | translate-pt-br.patch | 817 |
3 files changed, 441 insertions, 394 deletions
@@ -1,7 +1,7 @@ pkgbase = spectre-meltdown-checker-pt-br pkgdesc = Spectre, Meltdown, Foreshadow, Fallout, RIDL, ZombieLoad verificador de vulnerabilidade/mitigação - pkgver = 0.46+20+g9b7b09a - pkgrel = 2 + pkgver = 0.46+23+g0f2edb1 + pkgrel = 1 url = https://github.com/speed47/spectre-meltdown-checker arch = any license = GPL3 @@ -9,11 +9,11 @@ pkgbase = spectre-meltdown-checker-pt-br makedepends = patch depends = sh depends = sqlite - provides = spectre-meltdown-checker=0.46+20+g9b7b09a + provides = spectre-meltdown-checker=0.46+23+g0f2edb1 conflicts = spectre-meltdown-checker - source = git+https://github.com/speed47/spectre-meltdown-checker.git#commit=9b7b09ada3caf56c1e6169a1240909010f5c8e49 + source = git+https://github.com/speed47/spectre-meltdown-checker.git#commit=0f2edb1a71733c1074550166c5e53abcfaa4d6ca source = translate-pt-br.patch sha256sums = SKIP - sha256sums = df983c4cea60be92446f5b999d271584ef3edfc6eb4746c88a927dca2d11881c + sha256sums = 60d4ba956556ce2f6a9d6799663490888fdc50654ad02ca8dca491b94a5ab826 pkgname = spectre-meltdown-checker-pt-br @@ -3,8 +3,8 @@ _pkgname=spectre-meltdown-checker pkgname=${_pkgname}-pt-br -pkgver=0.46+20+g9b7b09a -pkgrel=2 +pkgver=0.46+23+g0f2edb1 +pkgrel=1 pkgdesc="Spectre, Meltdown, Foreshadow, Fallout, RIDL, ZombieLoad verificador de vulnerabilidade/mitigação" arch=('any') url="https://github.com/speed47/${_pkgname}" @@ -13,12 +13,12 @@ depends=('sh' 'sqlite') makedepends=('git' 'patch') conflicts=("${_pkgname}") provides=("${_pkgname}=${pkgver}") -_commit=9b7b09ada3caf56c1e6169a1240909010f5c8e49 +_commit=0f2edb1a71733c1074550166c5e53abcfaa4d6ca source=("git+https://github.com/speed47/spectre-meltdown-checker.git#commit=$_commit" 'translate-pt-br.patch') sha256sums=('SKIP' - 'df983c4cea60be92446f5b999d271584ef3edfc6eb4746c88a927dca2d11881c') + '60d4ba956556ce2f6a9d6799663490888fdc50654ad02ca8dca491b94a5ab826') prepare() { cd "${srcdir}/${_pkgname}" 
diff --git a/translate-pt-br.patch b/translate-pt-br.patch index a465aa1962f1..81d574d034b6 100644 --- a/translate-pt-br.patch +++ b/translate-pt-br.patch @@ -1,18 +1,9 @@ -From caf9c982a03ad24a51444630692aac7c597d559f Mon Sep 17 00:00:00 2001 -From: tioguda <guda.flavio@gmail.com> -Date: Fri, 25 Aug 2023 15:00:06 -0300 -Subject: Tradução -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - - diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh -index 78ca6bd..c37c0f5 100755 +index dc272f4..230bab7 100755 --- a/spectre-meltdown-checker.sh +++ b/spectre-meltdown-checker.sh @@ -15,7 +15,7 @@ - VERSION='0.46' + VERSION='0.46+' trap 'exit_cleanup' EXIT -trap '_warn "interrupted, cleaning up..."; exit_cleanup; exit 1' INT @@ -208,7 +199,7 @@ index 78ca6bd..c37c0f5 100755 EOF } -@@ -280,32 +280,32 @@ explain() +@@ -299,33 +299,33 @@ explain() { if [ "$opt_explain" = 1 ] ; then _info '' @@ -238,6 +229,7 @@ index 78ca6bd..c37c0f5 100755 - CVE-2023-20593) echo "Zenbleed, cross-process information leak";; - CVE-2022-40982) echo "Downfall, gather data sampling (GDS)";; - CVE-2023-20569) echo "Inception, return address security (RAS)";; +- CVE-2023-23583) echo "Reptar, redundant prefix issue";; - *) echo "$0: error: invalid CVE '$1' passed to cve2name()" >&2; exit 255;; + CVE-2017-5753) echo "Spectre Variante 1, desvio de verificação de limites";; + CVE-2017-5715) echo "Spectre Variante 2, injeção no alvo do ramo";; 
@@ -257,20 +249,21 @@ index 78ca6bd..c37c0f5 100755 + CVE-2023-20593) echo "Zenbleed, vazamento de informações entre processos";; + CVE-2022-40982) echo "Downfall, coleta de amostragem de dados (GDS)";; + CVE-2023-20569) echo "Começo, segurança de endereço de retorno (RAS)";; ++ CVE-2023-23583) echo "Reptar, problema de prefixo redundante";; + *) echo "$0: erro: CVE inválido '$1' passado para cve2name()" >&2; exit 255;; esac } -@@ -332,7 +332,7 @@ _is_cpu_affected_cached() - CVE-2023-20593) return $variant_zenbleed;; +@@ -353,7 +353,7 @@ _is_cpu_affected_cached() CVE-2022-40982) return $variant_downfall;; CVE-2023-20569) return $variant_inception;; + CVE-2023-23583) return $variant_reptar;; - *) echo "$0: error: invalid variant '$1' passed to is_cpu_affected()" >&2; exit 255;; + *) echo "$0: erro: variante inválida '$1' passada para is_cpu_affected()" >&2; exit 255;; esac } -@@ -348,17 +348,17 @@ is_cpu_affected() +@@ -369,17 +369,17 @@ is_cpu_affected() if is_intel; then cpuid_hex=$(printf "0x%08X" $(( cpu_cpuid )) ) if [ "${intel_line:-}" = "no" ]; then @@ -291,7 +284,7 @@ index 78ca6bd..c37c0f5 100755 # handle special case for Foreshadow SGX (CVE-2018-3615): # even if we are affected to L1TF (CVE-2018-3620/CVE-2018-3646), if there's no SGX on our CPU, -@@ -410,17 +410,17 @@ is_cpu_affected() +@@ -432,17 +432,17 @@ is_cpu_affected() [ -z "$variant_mfbds" ] && variant_mfbds=immune [ -z "$variant_mlpds" ] && variant_mlpds=immune [ -z "$variant_mdsum" ] && variant_mdsum=immune @@ -312,7 +305,7 @@ index 78ca6bd..c37c0f5 100755 fi if is_cpu_specex_free; then -@@ -452,23 +452,23 @@ is_cpu_affected() +@@ -474,23 +474,23 @@ is_cpu_affected() # this var is set in check_cpu() [ -z "$variant3" ] && variant3=immune [ -z "$variantl1tf" ] && variantl1tf=immune 
@@ -340,7 +333,7 @@ index 78ca6bd..c37c0f5 100755 [ -z "$variant3a" ] && variant3a=immune elif [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT" ] || \ [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_MID" ] || \ -@@ -477,7 +477,7 @@ is_cpu_affected() +@@ -499,7 +499,7 @@ is_cpu_affected() # https://github.com/speed47/spectre-meltdown-checker/issues/310 # => silvermont CPUs (aka cherry lake for tablets and brawsell for mobile/desktop) don't seem to be affected # => goldmont ARE affected @@ -349,7 +342,7 @@ index 78ca6bd..c37c0f5 100755 [ -z "$variant3a" ] && variant3a=immune fi fi -@@ -501,14 +501,14 @@ is_cpu_affected() +@@ -523,14 +523,14 @@ is_cpu_affected() [ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNL" ] || \ [ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNM" ]; then @@ -367,7 +360,7 @@ index 78ca6bd..c37c0f5 100755 [ -z "$variantl1tf" ] && variantl1tf=immune fi # Downfall -@@ -516,7 +516,7 @@ is_cpu_affected() +@@ -538,7 +538,7 @@ is_cpu_affected() # capability bit for future Intel processors that will explicitly state # that they're unaffected by GDS. Also set by hypervisors on virtual CPUs # so that the guest kernel doesn't try to mitigate GDS when it's already mitigated on the host @@ -376,7 +369,7 @@ index 78ca6bd..c37c0f5 100755 elif [ "$cpu_family" = 6 ]; then # list from https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=64094e7e3118aff4b0be8ff713c242303e139834 set -u -@@ -531,14 +531,14 @@ is_cpu_affected() +@@ -553,14 +553,14 @@ is_cpu_affected() [ "$cpu_model" = "$INTEL_FAM6_TIGERLAKE_L" ] || \ [ "$cpu_model" = "$INTEL_FAM6_TIGERLAKE" ] || \ [ "$cpu_model" = "$INTEL_FAM6_ROCKETLAKE" ]; then @@ -394,7 +387,7 @@ index 78ca6bd..c37c0f5 100755 fi set +u fi -@@ -555,7 +555,7 @@ is_cpu_affected() +@@ -630,7 +630,7 @@ is_cpu_affected() [ -z "$variant3a" ] && variant3a=immune if is_cpu_ssb_free; then [ -z "$variant4" ] && variant4=immune 
@@ -403,7 +396,7 @@ index 78ca6bd..c37c0f5 100755 fi variantl1tf=immune -@@ -589,7 +589,7 @@ is_cpu_affected() +@@ -664,7 +664,7 @@ is_cpu_affected() # do NOT quote $cpu_arch_list below # shellcheck disable=SC2086 cpuarch=$(echo $cpu_arch_list | awk '{ print $'$i' }') @@ -412,7 +405,7 @@ index 78ca6bd..c37c0f5 100755 # some kernels report AArch64 instead of 8 [ "$cpuarch" = "AArch64" ] && cpuarch=8 if [ -n "$cpupart" ] && [ -n "$cpuarch" ]; then -@@ -612,66 +612,66 @@ is_cpu_affected() +@@ -687,66 +687,66 @@ is_cpu_affected() [ -z "$variant3" ] && variant3=immune [ -z "$variant3a" ] && variant3a=immune [ -z "$variant4" ] && variant4=immune @@ -489,7 +482,7 @@ index 78ca6bd..c37c0f5 100755 done variantl1tf=immune fi -@@ -695,22 +695,22 @@ is_cpu_affected() +@@ -770,22 +770,22 @@ is_cpu_affected() [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT" ] || \ [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_D" ] || \ [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_PLUS" ]; then @@ -517,7 +510,7 @@ index 78ca6bd..c37c0f5 100755 [ "$variant1" = "immune" ] && variant1=1 || variant1=0 [ "$variant2" = "immune" ] && variant2=1 || variant2=0 [ "$variant3" = "immune" ] && variant3=1 || variant3=0 -@@ -730,7 +730,7 @@ is_cpu_affected() +@@ -806,7 +806,7 @@ is_cpu_affected() variantl1tf_sgx="$variantl1tf" # even if we are affected to L1TF, if there's no SGX, we're not affected to the original foreshadow [ "$cpuid_sgx" = 0 ] && variantl1tf_sgx=1 @@ -526,7 +519,7 @@ index 78ca6bd..c37c0f5 100755 is_cpu_affected_cached=1 _is_cpu_affected_cached "$1" return $? -@@ -945,7 +945,7 @@ is_cpu_ssb_free() +@@ -1021,7 +1021,7 @@ is_cpu_ssb_free() show_header() { @@ -535,7 +528,7 @@ index 78ca6bd..c37c0f5 100755 _info } -@@ -983,13 +983,13 @@ download_file() +@@ -1059,13 +1059,13 @@ download_file() elif command -v fetch >/dev/null 2>&1; then fetch -q "$_url" -o "$_file"; ret=$? else 
@@ -551,7 +544,7 @@ index 78ca6bd..c37c0f5 100755 return $ret fi echo DONE -@@ -1010,25 +1010,25 @@ update_fwdb() +@@ -1086,25 +1086,25 @@ update_fwdb() # first, download the MCE.db from the excellent platomav's MCExtractor project mcedb_tmp="$(mktemp -t smc-mcedb-XXXXXX)" mcedb_url='https://github.com/platomav/MCExtractor/raw/master/MCE.db' @@ -582,9 +575,9 @@ index 78ca6bd..c37c0f5 100755 return 1 fi sqlite3 "$mcedb_tmp" "ALTER TABLE \"Intel\" ADD COLUMN \"origin\" TEXT" -@@ -1036,23 +1036,23 @@ update_fwdb() - sqlite3 "$mcedb_tmp" "UPDATE \"Intel\" SET \"origin\"='mce'" +@@ -1116,23 +1116,23 @@ update_fwdb() sqlite3 "$mcedb_tmp" "UPDATE \"AMD\" SET \"origin\"='mce'" + sqlite3 "$mcedb_tmp" "UPDATE \"AMD\" SET \"pfmask\"='FF'" - echo OK "MCExtractor database revision $mcedb_revision" + echo OK "Revisão do banco de dados MCExtractor $mcedb_revision" @@ -611,7 +604,7 @@ index 78ca6bd..c37c0f5 100755 return 1 else iucode_tool="iucode-tool" -@@ -1080,21 +1080,21 @@ update_fwdb() +@@ -1164,21 +1164,21 @@ update_fwdb() # use this date, it matches the last commit date _intel_latest_date=$(date +%Y%m%d -d @"$_intel_timestamp") else 
@@ -637,10 +630,10 @@ index 78ca6bd..c37c0f5 100755 _family=$( echo "$line" | grep -Eoi 'Family=0x[0-9a-f]+' | cut -d= -f2) _model=$( echo "$line" | grep -Eoi 'Model=0x[0-9a-f]+' | cut -d= -f2) _stepping=$(echo "$line" | grep -Eoi 'Stepping=0x[0-9a-f]+' | cut -d= -f2) -@@ -1104,13 +1104,13 @@ update_fwdb() - _cpuid=$(printf "0x%08X" "$_cpuid") - _date="20000101" - _sqlstm="$(printf "INSERT INTO \"AMD\" (\"origin\",\"cpuid\",\"version\",\"yyyymmdd\") VALUES ('%s','%s','%s','%s');" "linux-firmware" "$(printf "%08X" "$_cpuid")" "$(printf "%08X" "$_version")" "$_date")" +@@ -1187,13 +1187,13 @@ update_fwdb() + _cpuid=$(fms2cpuid "$_family" "$_model" "$_stepping") + _cpuid=$(printf "%08X" "$_cpuid") + _sqlstm="INSERT INTO \"AMD\" (\"origin\",\"cpuid\",\"pfmask\",\"version\",\"yyyymmdd\") VALUES ('linux-firmware','$_cpuid','FF','$_version','20000101')" - _debug "family $_family model $_model stepping $_stepping cpuid $_cpuid" + _debug "família $_family modelo $_model stepping $_stepping cpuid $_cpuid" _debug "$_sqlstm" @@ -653,7 +646,7 @@ index 78ca6bd..c37c0f5 100755 unset nbfound dbversion="$mcedb_revision+i$_intel_latest_date" -@@ -1120,13 +1120,13 @@ update_fwdb() +@@ -1203,19 +1203,19 @@ update_fwdb() fi if [ "$1" != builtin ] && [ -n "$previous_dbversion" ] && [ "$previous_dbversion" = "v$dbversion" ]; then 
@@ -668,18 +661,16 @@ index 78ca6bd..c37c0f5 100755 - echo "# Spectre & Meltdown Checker"; + echo "# Spectre e Meltdown Checker"; echo "# %%% MCEDB v$dbversion"; - # ensure the official Intel DB always has precedence over mcedb, even if mcedb has seen a more recent fw - sqlite3 "$mcedb_tmp" "DELETE FROM \"Intel\" WHERE \"origin\"!='intel' AND \"cpuid\" IN (SELECT \"cpuid\" FROM \"Intel\" WHERE \"origin\"='intel' GROUP BY \"cpuid\" ORDER BY \"cpuid\" ASC);" -@@ -1134,7 +1134,7 @@ update_fwdb() - sqlite3 "$mcedb_tmp" "SELECT '# I,0x'||\"t1\".\"cpuid\"||',0x'||MAX(\"t1\".\"version\")||','||\"t1\".\"yyyymmdd\" FROM \"Intel\" AS \"t1\" LEFT OUTER JOIN \"Intel\" AS \"t2\" ON \"t2\".\"cpuid\"=\"t1\".\"cpuid\" AND \"t2\".\"yyyymmdd\" > \"t1\".\"yyyymmdd\" WHERE \"t2\".\"yyyymmdd\" IS NULL GROUP BY \"t1\".\"cpuid\" ORDER BY \"t1\".\"cpuid\" ASC;" | grep -v '^# .,0x00000000,'; - sqlite3 "$mcedb_tmp" "SELECT '# A,0x'||\"t1\".\"cpuid\"||',0x'||MAX(\"t1\".\"version\")||','||\"t1\".\"yyyymmdd\" FROM \"AMD\" AS \"t1\" LEFT OUTER JOIN \"AMD\" AS \"t2\" ON \"t2\".\"cpuid\"=\"t1\".\"cpuid\" AND \"t2\".\"yyyymmdd\" > \"t1\".\"yyyymmdd\" WHERE \"t2\".\"yyyymmdd\" IS NULL GROUP BY \"t1\".\"cpuid\" ORDER BY \"t1\".\"cpuid\" ASC;" | grep -v '^# .,0x00000000,'; + # we'll use the more recent fw for Intel and AMD + sqlite3 "$mcedb_tmp" "SELECT '# I,0x'||\"t1\".\"cpuid\"||',0x'||\"t1\".\"pfmask\"||',0x'||MAX(\"t1\".\"version\")||','||\"t1\".\"yyyymmdd\" FROM \"Intel\" AS \"t1\" LEFT OUTER JOIN \"Intel\" AS \"t2\" ON \"t2\".\"cpuid\"=\"t1\".\"cpuid\" AND \"t2\".\"pfmask\"=\"t1\".\"pfmask\" AND \"t2\".\"yyyymmdd\" > \"t1\".\"yyyymmdd\" WHERE \"t2\".\"yyyymmdd\" IS NULL GROUP BY \"t1\".\"cpuid\",\"t1\".\"pfmask\" ORDER BY \"t1\".\"cpuid\",\"t1\".\"pfmask\" ASC;" | grep -v '^# .,0x00000000,'; + sqlite3 "$mcedb_tmp" "SELECT '# A,0x'||\"t1\".\"cpuid\"||',0x'||\"t1\".\"pfmask\"||',0x'||MAX(\"t1\".\"version\")||','||\"t1\".\"yyyymmdd\" FROM \"AMD\" AS \"t1\" LEFT OUTER JOIN \"AMD\" AS \"t2\" ON 
\"t2\".\"cpuid\"=\"t1\".\"cpuid\" AND \"t2\".\"pfmask\"=\"t1\".\"pfmask\" AND \"t2\".\"yyyymmdd\" > \"t1\".\"yyyymmdd\" WHERE \"t2\".\"yyyymmdd\" IS NULL GROUP BY \"t1\".\"cpuid\",\"t1\".\"pfmask\" ORDER BY \"t1\".\"cpuid\",\"t1\".\"pfmask\" ASC;" | grep -v '^# .,0x00000000,'; } > "$mcedb_cache" - echo DONE "(version $dbversion)" + echo DONE "(versão $dbversion)" if [ "$1" = builtin ]; then newfile=$(mktemp -t smc-builtin-XXXXXX) -@@ -1153,19 +1153,19 @@ parse_opt_file() +@@ -1234,19 +1234,19 @@ parse_opt_file() if [ -z "$option_value" ]; then show_header show_usage @@ -703,7 +694,7 @@ index 78ca6bd..c37c0f5 100755 exit 1 fi echo "$option_value" -@@ -1228,7 +1228,7 @@ while [ -n "${1:-}" ]; do +@@ -1309,7 +1309,7 @@ while [ -n "${1:-}" ]; do if echo "$opt_cpu" | grep -Eq '^[0-9]+'; then opt_cpu=$(( opt_cpu )) else @@ -712,7 +703,7 @@ index 78ca6bd..c37c0f5 100755 exit 255 fi fi -@@ -1259,8 +1259,8 @@ while [ -n "${1:-}" ]; do +@@ -1340,8 +1340,8 @@ while [ -n "${1:-}" ]; do --*) ;; # allow subsequent flags '') ;; # allow nothing at all *) @@ -723,7 +714,7 @@ index 78ca6bd..c37c0f5 100755 exit 255 ;; esac -@@ -1270,7 +1270,7 @@ while [ -n "${1:-}" ]; do +@@ -1351,7 +1351,7 @@ while [ -n "${1:-}" ]; do shift elif [ "$1" = "--cve" ]; then if [ -z "$2" ]; then @@ -732,7 +723,7 @@ index 78ca6bd..c37c0f5 100755 exit 255 fi selected_cve=$(echo "$supported_cve_list" | grep -iwo "$2") -@@ -1278,29 +1278,29 @@ while [ -n "${1:-}" ]; do +@@ -1359,29 +1359,29 @@ while [ -n "${1:-}" ]; do opt_cve_list="$opt_cve_list $selected_cve" opt_cve_all=0 else 
@@ -767,16 +758,16 @@ index 78ca6bd..c37c0f5 100755 echo "1, 2, 3, 3a, 4, msbds, mfbds, mlpds, mdsum, l1tf, taa, mcepsc, srbds, zenbleed, downfall, inception"; exit 0;; 1) opt_cve_list="$opt_cve_list CVE-2017-5753"; opt_cve_all=0;; -@@ -1320,7 +1320,7 @@ while [ -n "${1:-}" ]; do - downfall) opt_cve_list="$opt_cve_list CVE-2022-40982"; opt_cve_all=0;; +@@ -1402,7 +1402,7 @@ while [ -n "${1:-}" ]; do inception) opt_cve_list="$opt_cve_list CVE-2023-20569"; opt_cve_all=0;; + reptar) opt_cve_list="$opt_cve_list CVE-2023-23583"; opt_cve_all=0;; *) - echo "$0: error: invalid parameter '$2' for --variant, see --variant help for a list" >&2; + echo "$0: erro: parâmetro inválido '$2' para --variant, consulte a ajuda de --variant para obter uma lista" >&2; exit 255 ;; esac -@@ -1340,7 +1340,7 @@ while [ -n "${1:-}" ]; do +@@ -1422,7 +1422,7 @@ while [ -n "${1:-}" ]; do else show_header show_usage @@ -785,7 +776,7 @@ index 78ca6bd..c37c0f5 100755 exit 255 fi done -@@ -1348,12 +1348,12 @@ done +@@ -1430,12 +1430,12 @@ done show_header if [ "$opt_no_sysfs" = 1 ] && [ "$opt_sysfs_only" = 1 ]; then @@ -800,7 +791,7 @@ index 78ca6bd..c37c0f5 100755 exit 255 fi -@@ -1396,11 +1396,11 @@ pvulnstatus() +@@ -1478,11 +1478,11 @@ pvulnstatus() pvulnstatus_last_cve="$1" if [ "$opt_batch" = 1 ]; then case "$1" in 
@@ -816,16 +807,16 @@ index 78ca6bd..c37c0f5 100755 CVE-2018-3615) aka="L1TF SGX";; CVE-2018-3620) aka="L1TF OS";; CVE-2018-3646) aka="L1TF VMM";; -@@ -1414,7 +1414,7 @@ pvulnstatus() - CVE-2023-20593) aka="ZENBLEED";; +@@ -1497,7 +1497,7 @@ pvulnstatus() CVE-2022-40982) aka="DOWNFALL";; CVE-2023-20569) aka="INCEPTION";; + CVE-2023-23583) aka="REPTAR";; - *) echo "$0: error: invalid CVE '$1' passed to pvulnstatus()" >&2; exit 255;; + *) echo "$0: erro: CVE inválido '$1' passado para pvulnstatus()" >&2; exit 255;; esac case "$opt_batch_format" in -@@ -1422,41 +1422,41 @@ pvulnstatus() +@@ -1505,41 +1505,41 @@ pvulnstatus() short) short_output="${short_output}$1 ";; json) case "$2" in @@ -878,7 +869,7 @@ index 78ca6bd..c37c0f5 100755 esac } -@@ -1493,28 +1493,28 @@ check_kernel() +@@ -1576,28 +1576,28 @@ check_kernel() _debug "check_kernel: ret=$? size=$_kernel_size sections=$_readelf_sections warnings=$_readelf_warnings" if [ "$_mode" = desperate ]; then if "${opt_arch_prefix}strings" "$_file" | grep -Eq '^Linux version '; then @@ -913,7 +904,7 @@ index 78ca6bd..c37c0f5 100755 fi fi return 1 -@@ -1526,19 +1526,19 @@ try_decompress() +@@ -1609,19 +1609,19 @@ try_decompress() # "grep" that report the byte offset of the line instead of the pattern. # Try to find the header ($1) and decompress from here @@ -937,7 +928,7 @@ index 78ca6bd..c37c0f5 100755 _debug "try_decompress: $kernel_err" fi return 1 -@@ -1549,18 +1549,18 @@ try_decompress() +@@ -1632,18 +1632,18 @@ try_decompress() if [ ! -s "$kerneltmp" ]; then # don't rely on $ret, sometimes it's != 0 but worked # (e.g. gunzip ret=2 just means there was trailing garbage) @@ -960,7 +951,7 @@ index 78ca6bd..c37c0f5 100755 fi done return 1 -@@ -1574,7 +1574,7 @@ extract_kernel() +@@ -1657,7 +1657,7 @@ extract_kernel() # Initial attempt for uncompressed images or objects: if check_kernel "$1"; then 
@@ -969,7 +960,7 @@ index 78ca6bd..c37c0f5 100755 cat "$1" > "$kerneltmp" kernel=$kerneltmp return 0 -@@ -1596,9 +1596,9 @@ extract_kernel() +@@ -1679,9 +1679,9 @@ extract_kernel() done # kernel_err might already have been populated by try_decompress() if we're missing one of the tools if [ -z "$kernel_err" ]; then @@ -981,7 +972,7 @@ index 78ca6bd..c37c0f5 100755 return 1 } -@@ -1621,16 +1621,16 @@ load_msr() +@@ -1704,16 +1704,16 @@ load_msr() if [ "$os" = Linux ]; then if ! grep -qw msr "$procfs/modules" 2>/dev/null; then modprobe msr 2>/dev/null && insmod_msr=1 @@ -1002,7 +993,7 @@ index 78ca6bd..c37c0f5 100755 fi fi } -@@ -1644,16 +1644,16 @@ load_cpuid() +@@ -1727,16 +1727,16 @@ load_cpuid() if [ "$os" = Linux ]; then if ! grep -qw cpuid "$procfs/modules" 2>/dev/null; then modprobe cpuid 2>/dev/null && insmod_cpuid=1 @@ -1023,7 +1014,7 @@ index 78ca6bd..c37c0f5 100755 fi fi } -@@ -1681,7 +1681,7 @@ read_cpuid() +@@ -1764,7 +1764,7 @@ read_cpuid() else # compare first core with the other ones if [ $_first_core_ret != $ret ] || [ "$_first_core_value" != "$read_cpuid_value" ]; then @@ -1032,7 +1023,7 @@ index 78ca6bd..c37c0f5 100755 return $READ_CPUID_RET_ERR fi fi -@@ -1708,18 +1708,18 @@ read_cpuid_one_core() +@@ -1791,18 +1791,18 @@ read_cpuid_one_core() _wanted="${7:-}" # in any case, the read value is globally available in $read_cpuid_value read_cpuid_value='' @@ -1055,7 +1046,7 @@ index 78ca6bd..c37c0f5 100755 return $READ_CPUID_RET_ERR fi -@@ -1731,7 +1731,7 @@ read_cpuid_one_core() +@@ -1814,7 +1814,7 @@ read_cpuid_one_core() if [ -e /dev/cpu/0/cpuid ]; then # Linux if [ ! -r /dev/cpu/0/cpuid ]; then 
@@ -1064,7 +1055,7 @@ index 78ca6bd..c37c0f5 100755 return $READ_CPUID_RET_ERR fi # on some kernel versions, /dev/cpu/0/cpuid doesn't imply that the cpuid module is loaded, in that case dd returns an error, -@@ -1751,13 +1751,13 @@ read_cpuid_one_core() +@@ -1834,13 +1834,13 @@ read_cpuid_one_core() elif [ -e /dev/cpuctl0 ]; then # BSD if [ ! -r /dev/cpuctl0 ]; then @@ -1080,7 +1071,7 @@ index 78ca6bd..c37c0f5 100755 return $READ_CPUID_RET_ERR fi -@@ -1766,13 +1766,13 @@ read_cpuid_one_core() +@@ -1849,13 +1849,13 @@ read_cpuid_one_core() # shellcheck disable=SC1083 if [ -n "$(eval echo \${$_mockvarname:-})" ]; then _cpuid="$(eval echo \$$_mockvarname)" @@ -1096,7 +1087,7 @@ index 78ca6bd..c37c0f5 100755 return $READ_CPUID_RET_ERR fi -@@ -1781,15 +1781,15 @@ read_cpuid_one_core() +@@ -1864,15 +1864,15 @@ read_cpuid_one_core() # Linux returns it as decimal, BSD as hex, normalize to decimal _reg=$(( _reg )) # shellcheck disable=SC2046 
@@ -1116,7 +1107,200 @@ index 78ca6bd..c37c0f5 100755 if [ "$read_cpuid_value" = "$_wanted" ]; then return $READ_CPUID_RET_OK else -@@ -1884,35 +1884,35 @@ parse_cpu_details() +@@ -1930,7 +1930,7 @@ write_msr() + else + # compare first core with the other ones + if [ $_first_core_ret != $ret ]; then +- write_msr_msg="result is not homogeneous between all cores, at least core 0 and $_core differ!" ++ write_msr_msg="resultado não é homogêneo entre todos os núcleos, pelo menos o núcleo 0 e $_core diferem!" + return $WRITE_MSR_RET_ERR + fi + fi +@@ -1947,13 +1947,13 @@ write_msr_one_core() + _value_dec=$(( $3 )) + _value=$(printf "0x%x" "$_value_dec") + +- write_msr_msg='unknown error' ++ write_msr_msg='erro desconhecido' + : "${msr_locked_down:=0}" + + _mockvarname="SMC_MOCK_WRMSR_${_msr}_RET" + # shellcheck disable=SC2086,SC1083 + if [ -n "$(eval echo \${$_mockvarname:-})" ]; then +- _debug "write_msr: MOCKING enabled for msr $_msr func returns $(eval echo \$$_mockvarname)" ++ _debug "write_msr: MOCKING ativado para retornos de msr $_msr func $(eval echo \$$_mockvarname)" + mocked=1 + [ "$(eval echo \$$_mockvarname)" = $WRITE_MSR_RET_LOCKDOWN ] && msr_locked_down=1 + return "$(eval echo \$$_mockvarname)" +@@ -1964,7 +1964,7 @@ write_msr_one_core() + load_msr + fi + if [ ! -e /dev/cpu/0/msr ] && [ ! -e /dev/cpuctl0 ]; then +- read_msr_msg="is msr kernel module available?" ++ read_msr_msg="o módulo do kernel msr está disponível?" + return $WRITE_MSR_RET_ERR + fi + +@@ -1975,17 +1975,17 @@ write_msr_one_core() + # for Linux + # convert to decimal + if [ ! 
-w /dev/cpu/"$_core"/msr ]; then +- write_msr_msg="No write permission on /dev/cpu/$_core/msr" ++ write_msr_msg="Sem permissão de gravação em /dev/cpu/$_core/msr" + return $WRITE_MSR_RET_ERR + # if wrmsr is available, use it + elif command -v wrmsr >/dev/null 2>&1 && [ "${SMC_NO_WRMSR:-}" != 1 ]; then +- _debug "write_msr: using wrmsr" ++ _debug "write_msr: usando wrmsr" + wrmsr $_msr_dec $_value_dec 2>/dev/null; ret=$? + # ret=4: msr doesn't exist, ret=127: msr.allow_writes=off + [ "$ret" = 127 ] && _write_denied=1 + # or fallback to dd if it supports seek_bytes, we prefer it over perl because we can tell the difference between EPERM and EIO + elif dd if=/dev/null of=/dev/null bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}" != 1 ]; then +- _debug "write_msr: using dd" ++ _debug "write_msr: usando dd" + awk "BEGIN{printf \"%c\", $_value_dec}" | dd of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$? + # if it failed, inspect stderrto look for EPERM + if [ "$ret" != 0 ]; then +@@ -1995,13 +1995,13 @@ write_msr_one_core() + fi + # or if we have perl, use it, any 5.x version will work + elif command -v perl >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then +- _debug "write_msr: using perl" ++ _debug "write_msr: usando perl" + ret=1 + perl -e "open(M,'>','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and exit(syswrite(M,pack(v4,$_value_dec)))"; [ $? -eq 8 ] && ret=0 + else +- _debug "write_msr: got no wrmsr, perl or recent enough dd!" ++ _debug "write_msr: não tenho wrmsr, perl ou dd recente o suficiente!" 
+ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_ERR") +- write_msr_msg="missing tool, install either msr-tools or perl" ++ write_msr_msg="ferramenta ausente, instale msr-tools ou perl" + return $WRITE_MSR_RET_ERR + fi + if [ "$ret" != 0 ]; then +@@ -2014,22 +2014,22 @@ write_msr_one_core() + # yet more recent versions of the msr module can be set to msr.allow_writes=off, in which case no dmesg message is printed, + # but the write fails + if [ "$_write_denied" = 1 ]; then +- _debug "write_msr: writing to msr has been denied" ++ _debug "write_msr: escrita para msr foi negado" + mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN") + msr_locked_down=1 +- write_msr_msg="your kernel is configured to deny writes to MSRs from user space" ++ write_msr_msg="seu kernel está configurado para negar gravações em MSRs do espaço do usuário" + return $WRITE_MSR_RET_LOCKDOWN + elif dmesg | grep -qF "msr: Direct access to MSR"; then +- _debug "write_msr: locked down kernel detected (Red Hat / Fedora)" ++ _debug "write_msr: kernel bloqueado detectado (Red Hat/Fedora)" + mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN") + msr_locked_down=1 +- write_msr_msg="your kernel is locked down (Fedora/Red Hat), please reboot without secure boot and retry" ++ write_msr_msg="seu kernel está bloqueado (Fedora/Red Hat), reinicie sem inicialização segura e tente novamente" + return $WRITE_MSR_RET_LOCKDOWN + elif dmesg | grep -qF "raw MSR access is restricted"; then +- _debug "write_msr: locked down kernel detected (vanilla)" ++ _debug "write_msr: kernel bloqueado detectado (vanilla)" + mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN") + msr_locked_down=1 +- write_msr_msg="your kernel is locked down, please reboot with lockdown=none in the kernel cmdline and retry" ++ write_msr_msg="seu kernel está bloqueado, reinicie com lockdown=none no cmdline do kernel 
e tente novamente" + return $WRITE_MSR_RET_LOCKDOWN + fi + unset _write_denied +@@ -2042,7 +2042,7 @@ write_msr_one_core() + else + ret=$WRITE_MSR_RET_KO + fi +- _debug "write_msr: for cpu $_core on msr $_msr, value=$_value, ret=$ret" ++ _debug "write_msr: para cpu $_core no msr $_msr, value=$_value, ret=$ret" + mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$ret") + return $ret + } +@@ -2072,7 +2072,7 @@ read_msr() + else + # compare first core with the other ones + if [ $_first_core_ret != $ret ] || [ "$_first_core_value" != "$read_msr_value" ]; then +- read_msr_msg="result is not homogeneous between all cores, at least core 0 and $_core differ!" ++ read_msr_msg="resultado não é homogêneo entre todos os núcleos, pelo menos o núcleo 0 e $_core diferem!" + return $READ_MSR_RET_ERR + fi + fi +@@ -2088,13 +2088,13 @@ read_msr_one_core() + _msr=$(printf "0x%x" "$_msr_dec") + + read_msr_value='' +- read_msr_msg='unknown error' ++ read_msr_msg='erro desconhecido' + + _mockvarname="SMC_MOCK_RDMSR_${_msr}" + # shellcheck disable=SC2086,SC1083 + if [ -n "$(eval echo \${$_mockvarname:-})" ]; then + read_msr_value="$(eval echo \$$_mockvarname)" +- _debug "read_msr: MOCKING enabled for msr $_msr, returning $read_msr_value" ++ _debug "read_msr: MOCKING ativado para msr $_msr, retornando $read_msr_value" + mocked=1 + return $READ_MSR_RET_OK + fi +@@ -2102,7 +2102,7 @@ read_msr_one_core() + _mockvarname="SMC_MOCK_RDMSR_${_msr}_RET" + # shellcheck disable=SC2086,SC1083 + if [ -n "$(eval echo \${$_mockvarname:-})" ] && [ "$(eval echo \$$_mockvarname)" -ne 0 ]; then +- _debug "read_msr: MOCKING enabled for msr $_msr func returns $(eval echo \$$_mockvarname)" ++ _debug "read_msr: MOCKING ativado para retornos de msr $_msr func $(eval echo \$$_mockvarname)" + mocked=1 + return "$(eval echo \$$_mockvarname)" + fi +@@ -2112,7 +2112,7 @@ read_msr_one_core() + load_msr + fi + if [ ! -e /dev/cpu/0/msr ] && [ ! 
-e /dev/cpuctl0 ]; then +- read_msr_msg="is msr kernel module available?" ++ read_msr_msg="o módulo do kernel msr está disponível?" + return $READ_MSR_RET_ERR + fi + +@@ -2131,24 +2131,24 @@ read_msr_one_core() + # for Linux + if [ ! -r /dev/cpu/"$_core"/msr ]; then + mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_RDMSR_${_msr}_RET=$READ_MSR_RET_ERR") +- read_msr_msg="No read permission for /dev/cpu/$_core/msr" ++ read_msr_msg="Sem permissão de leitura para /dev/cpu/$_core/msr" + return $READ_MSR_RET_ERR + # if rdmsr is available, use it + elif command -v rdmsr >/dev/null 2>&1 && [ "${SMC_NO_RDMSR:-}" != 1 ]; then +- _debug "read_msr: using rdmsr on $_msr" ++ _debug "read_msr: usando rdmsr em $_msr" + read_msr_value=$(rdmsr -r $_msr_dec 2>/dev/null | od -t u8 -A n) + # or if we have perl, use it, any 5.x version will work + elif command -v perl >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then +- _debug "read_msr: using perl on $_msr" ++ _debug "read_msr: usando perl em $_msr" + read_msr_value=$(perl -e "open(M,'<','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and read(M,\$_,8) and print" | od -t u8 -A n) + # fallback to dd if it supports skip_bytes + elif dd if=/dev/null of=/dev/null bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then +- _debug "read_msr: using dd on $_msr" ++ _debug "read_msr: usando dd em $_msr" + read_msr_value=$(dd if=/dev/cpu/"$_core"/msr bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null | od -t u8 -A n) + else +- _debug "read_msr: got no rdmsr, perl or recent enough dd!" ++ _debug "read_msr: não tenho rdmsr, perl ou dd recente o suficiente!" 
+ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_RDMSR_${_msr}_RET=$READ_MSR_RET_ERR") +- read_msr_msg='missing tool, install either msr-tools or perl' ++ read_msr_msg='ferramenta ausente, instale msr-tools ou perl' + return $READ_MSR_RET_ERR + fi + if [ -z "$read_msr_value" ]; then +@@ -2160,7 +2160,7 @@ read_msr_one_core() + read_msr_value=$(( read_msr_value )) + fi + mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_RDMSR_${_msr}='$read_msr_value'") +- _debug "read_msr: MSR=$_msr value is $read_msr_value" ++ _debug "read_msr: MSR=$_msr o valor é $read_msr_value" + return $READ_MSR_RET_OK + } + +@@ -2238,35 +2238,35 @@ parse_cpu_details() if [ -n "${SMC_MOCK_CPU_FRIENDLY_NAME:-}" ]; then cpu_friendly_name="$SMC_MOCK_CPU_FRIENDLY_NAME" @@ -1157,7 +1341,7 @@ index 78ca6bd..c37c0f5 100755 mocked=1 else mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_CPU_STEPPING='$cpu_stepping'") -@@ -1923,7 +1923,7 @@ parse_cpu_details() +@@ -2284,7 +2284,7 @@ parse_cpu_details() cpu_cpuid="$read_cpuid_value" else # try to build it by ourselves @@ -1166,7 +1350,7 @@ index 78ca6bd..c37c0f5 100755 cpu_cpuid=$(fms2cpuid "$cpu_family" "$cpu_model" "$cpu_stepping") fi -@@ -1949,14 +1949,14 @@ parse_cpu_details() +@@ -2310,14 +2310,14 @@ parse_cpu_details() if [ -n "${SMC_MOCK_CPU_UCODE:-}" ]; then cpu_ucode="$SMC_MOCK_CPU_UCODE" 
@@ -1178,12 +1362,12 @@ index 78ca6bd..c37c0f5 100755 fi echo "$cpu_ucode" | grep -q ^0x && cpu_ucode=$(( cpu_ucode )) -- ucode_found=$(printf "family 0x%x model 0x%x stepping 0x%x ucode 0x%x cpuid 0x%x" "$cpu_family" "$cpu_model" "$cpu_stepping" "$cpu_ucode" "$cpu_cpuid") -+ ucode_found=$(printf "familia 0x%x modelo 0x%x stepping 0x%x ucode 0x%x cpuid 0x%x" "$cpu_family" "$cpu_model" "$cpu_stepping" "$cpu_ucode" "$cpu_cpuid") +- ucode_found=$(printf "family 0x%x model 0x%x stepping 0x%x ucode 0x%x cpuid 0x%x pfid 0x%x" \ ++ ucode_found=$(printf "familia 0x%x modelo 0x%x stepping 0x%x ucode 0x%x cpuid 0x%x pfid 0x%x" \ + "$cpu_family" "$cpu_model" "$cpu_stepping" "$cpu_ucode" "$cpu_cpuid" "$cpu_platformid") # also define those that we will need in other funcs - # taken from https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/include/asm/intel-family.h -@@ -2109,12 +2109,12 @@ is_ucode_blacklisted() +@@ -2471,7 +2471,7 @@ is_ucode_blacklisted() if [ "$cpu_model" = "$model" ] && [ "$cpu_stepping" = "$stepping" ]; then ucode=$(( $(echo "$tuple" | cut -d, -f3) )) if [ "$cpu_ucode" = "$ucode" ]; then @@ -1192,13 +1376,22 @@ index 78ca6bd..c37c0f5 100755 return 0 fi fi +@@ -2487,12 +2487,12 @@ is_ucode_blacklisted() + cpuid=$(( $(echo "$tuple" | cut -d, -f1) )) + ucode=$(( $(echo "$tuple" | cut -d, -f2) )) + if [ "$cpu_cpuid" = "$cpuid" ] && [ "$cpu_ucode" = "$ucode" ]; then +- _debug "is_ucode_blacklisted: we have a match! ($cpuid/$ucode)" ++ _debug "is_ucode_blacklisted: temos uma partida! ($cpuid/$ucode)" + return 0 + fi done + - _debug "is_ucode_blacklisted: no ($cpu_model/$cpu_stepping/$cpu_ucode)" + _debug "is_ucode_blacklisted: não ($cpu_model/$cpu_stepping/$cpu_ucode)" return 1 } -@@ -2147,7 +2147,7 @@ is_skylake_cpu() +@@ -2525,7 +2525,7 @@ is_skylake_cpu() is_vulnerable_to_empty_rsb() { if is_intel && [ -z "$capabilities_rsba" ]; then 
@@ -1207,7 +1400,7 @@ index 78ca6bd..c37c0f5 100755 fi if is_skylake_cpu || [ "$capabilities_rsba" = 1 ]; then return 0 -@@ -2241,9 +2241,9 @@ is_xen() { +@@ -2619,9 +2619,9 @@ is_xen() { fi # XXX do we have a better way that relying on dmesg? @@ -1219,7 +1412,7 @@ index 78ca6bd..c37c0f5 100755 return 1 elif [ $ret -eq 0 ]; then return 0 -@@ -2272,7 +2272,7 @@ is_xen_domU() +@@ -2650,7 +2650,7 @@ is_xen_domU() fi # PVHVM guests also print 'Booting paravirtualized kernel', so we need this check. @@ -1228,7 +1421,7 @@ index 78ca6bd..c37c0f5 100755 if [ $ret -eq 0 ]; then return 1 fi -@@ -2292,13 +2292,13 @@ if [ -r "$mcedb_cache" ]; then +@@ -2670,13 +2670,13 @@ if [ -r "$mcedb_cache" ]; then older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | sort -V | head -n1) if [ "$older_dbversion" = "$builtin_dbversion" ]; then mcedb_source="$mcedb_cache" @@ -1244,7 +1437,7 @@ index 78ca6bd..c37c0f5 100755 fi read_mcedb() { -@@ -2318,10 +2318,10 @@ is_latest_known_ucode() +@@ -2696,10 +2696,10 @@ is_latest_known_ucode() # 0: yes, 1: no, 2: unknown parse_cpu_details if [ "$cpu_cpuid" = 0 ]; then @@ -1257,10 +1450,10 @@ index 78ca6bd..c37c0f5 100755 if is_intel; then cpu_brand_prefix=I elif is_amd; then -@@ -2333,15 +2333,15 @@ is_latest_known_ucode() - do - ucode=$(( $(echo "$tuple" | cut -d, -f3) )) - ucode_date=$(echo "$tuple" | cut -d, -f4 | sed -r 's=(....)(..)(..)=\1/\2/\3=') +@@ -2716,15 +2716,15 @@ is_latest_known_ucode() + fi + ucode=$(( $(echo "$tuple" | cut -d, -f4) )) + ucode_date=$(echo "$tuple" | cut -d, -f5 | sed -r 's=(....)(..)(..)=\1/\2/\3=') - _debug "is_latest_known_ucode: with cpuid $cpu_cpuid has ucode $cpu_ucode, last known is $ucode from $ucode_date" - ucode_latest=$(printf "latest version is 0x%x dated $ucode_date according to $mcedb_info" "$ucode") + _debug "is_latest_known_ucode: com cpuid $cpu_cpuid possui ucode $cpu_ucode, o último conhecido é $ucode de $ucode_date" 
@@ -1276,7 +1469,7 @@ index 78ca6bd..c37c0f5 100755 return 2 } -@@ -2353,7 +2353,7 @@ get_cmdline() +@@ -2736,7 +2736,7 @@ get_cmdline() if [ -n "${SMC_MOCK_CMDLINE:-}" ]; then mocked=1 @@ -1285,7 +1478,7 @@ index 78ca6bd..c37c0f5 100755 kernel_cmdline="$SMC_MOCK_CMDLINE" return else -@@ -2366,17 +2366,17 @@ get_cmdline() +@@ -2749,17 +2749,17 @@ get_cmdline() # we can't do anything useful under WSL if uname -a | grep -qE -- '-Microsoft #[0-9]+-Microsoft '; then @@ -1309,7 +1502,7 @@ index 78ca6bd..c37c0f5 100755 exit 1 fi -@@ -2384,7 +2384,7 @@ fi +@@ -2767,7 +2767,7 @@ fi if [ "$opt_hw_only" = 1 ]; then if [ "$opt_cve_all" = 0 ]; then show_usage @@ -1318,7 +1511,7 @@ index 78ca6bd..c37c0f5 100755 exit 255 else opt_cve_all=0 -@@ -2395,10 +2395,10 @@ fi +@@ -2778,10 +2778,10 @@ fi # coreos mode if [ "$opt_coreos" = 1 ]; then if ! is_coreos; then @@ -1331,7 +1524,7 @@ index 78ca6bd..c37c0f5 100755 load_msr load_cpuid mount_debugfs -@@ -2407,7 +2407,7 @@ if [ "$opt_coreos" = 1 ]; then +@@ -2790,7 +2790,7 @@ if [ "$opt_coreos" = 1 ]; then exit $exitcode else if is_coreos; then @@ -1340,7 +1533,7 @@ index 78ca6bd..c37c0f5 100755 _warn fi fi -@@ -2415,21 +2415,21 @@ fi +@@ -2798,21 +2798,21 @@ fi # if we're under a BSD, try to mount linprocfs for "$procfs/cpuinfo" procfs=/proc if echo "$os" | grep -q BSD; then @@ -1366,7 +1559,7 @@ index 78ca6bd..c37c0f5 100755 fi fi -@@ -2448,14 +2448,14 @@ parse_cpu_details +@@ -2831,14 +2831,14 @@ parse_cpu_details get_cmdline if [ "$opt_cpu" != all ] && [ "$opt_cpu" -gt "$max_core_id" ]; then @@ -1385,7 +1578,7 @@ index 78ca6bd..c37c0f5 100755 # try to find the image of the current running kernel if [ -n "$opt_kernel" ]; then -@@ -2464,7 +2464,7 @@ if [ "$opt_live" = 1 ]; then +@@ -2847,7 +2847,7 @@ if [ "$opt_live" = 1 ]; then # first, look for the BOOT_IMAGE hint in the kernel cmdline elif echo "$kernel_cmdline" | grep -q 'BOOT_IMAGE='; then opt_kernel=$(echo "$kernel_cmdline" | grep -Eo 'BOOT_IMAGE=[^ ]+' | cut -d= -f2) 
@@ -1394,7 +1587,7 @@ index 78ca6bd..c37c0f5 100755 # if the boot partition is within a btrfs subvolume, strip the subvolume name # if /boot is a separate subvolume, the remainder of the code in this section should handle it if echo "$opt_kernel" | grep -q "^/@"; then opt_kernel=$(echo "$opt_kernel" | sed "s:/@[^/]*::"); fi -@@ -2473,7 +2473,7 @@ if [ "$opt_live" = 1 ]; then +@@ -2856,7 +2856,7 @@ if [ "$opt_live" = 1 ]; then [ -e "/boot/$opt_kernel" ] && opt_kernel="/boot/$opt_kernel" # special case for CoreOS if we're inside the toolbox [ -e "/media/root/boot/$opt_kernel" ] && opt_kernel="/media/root/boot/$opt_kernel" @@ -1403,7 +1596,7 @@ index 78ca6bd..c37c0f5 100755 # else, the full path is already there (most probably /boot/something) fi # if we didn't find a kernel, default to guessing -@@ -2551,60 +2551,60 @@ if [ "$opt_live" = 1 ]; then +@@ -2934,60 +2934,60 @@ if [ "$opt_live" = 1 ]; then opt_config="/lib/kernel/config-$(uname -r)" fi else @@ -1481,7 +1674,7 @@ index 78ca6bd..c37c0f5 100755 else # vanilla kernels have with ^Linux version # also try harder with some kernels (such as Red Hat) that don't have ^Linux version before their version string -@@ -2620,15 +2620,15 @@ else +@@ -3003,15 +3003,15 @@ else if [ -n "$kernel_version" ]; then # in live mode, check if the img we found is the correct one if [ "$opt_live" = 1 ]; then @@ -1501,7 +1694,7 @@ index 78ca6bd..c37c0f5 100755 fi fi -@@ -2657,7 +2657,7 @@ sys_interface_check() +@@ -3040,7 +3040,7 @@ sys_interface_check() _mockvarname="SMC_MOCK_SYSFS_$(basename "$file")_RET" # shellcheck disable=SC2086,SC1083 if [ -n "$(eval echo \${$_mockvarname:-})" ]; then @@ -1510,7 +1703,7 @@ index 78ca6bd..c37c0f5 100755 mocked=1 return "$(eval echo \$$_mockvarname)" fi -@@ -2668,7 +2668,7 @@ sys_interface_check() +@@ -3051,7 +3051,7 @@ sys_interface_check() if [ -n "$(eval echo \${$_mockvarname:-})" ]; then fullmsg="$(eval echo \$$_mockvarname)" msg=$(echo "$fullmsg" | grep -Eo "$regex") 
@@ -1519,7 +1712,7 @@ index 78ca6bd..c37c0f5 100755 mocked=1 else fullmsg=$(cat "$file") -@@ -2678,25 +2678,25 @@ sys_interface_check() +@@ -3061,25 +3061,25 @@ sys_interface_check() if [ "$mode" = silent ]; then return 0 elif [ "$mode" = quiet ]; then 
@@ -1552,198 +1745,7 @@ index 78ca6bd..c37c0f5 100755 fi _debug "sys_interface_check: $file=$msg (re=$regex)" return 0 -@@ -2727,7 +2727,7 @@ write_msr() - else - # compare first core with the other ones - if [ $_first_core_ret != $ret ]; then -- write_msr_msg="result is not homogeneous between all cores, at least core 0 and $_core differ!" -+ write_msr_msg="resultado não é homogêneo entre todos os núcleos, pelo menos o núcleo 0 e $_core diferem!" - return $WRITE_MSR_RET_ERR - fi - fi -@@ -2744,13 +2744,13 @@ write_msr_one_core() - _value_dec=$(( $3 )) - _value=$(printf "0x%x" "$_value_dec") - -- write_msr_msg='unknown error' -+ write_msr_msg='erro desconhecido' - : "${msr_locked_down:=0}" - - _mockvarname="SMC_MOCK_WRMSR_${_msr}_RET" - # shellcheck disable=SC2086,SC1083 - if [ -n "$(eval echo \${$_mockvarname:-})" ]; then -- _debug "write_msr: MOCKING enabled for msr $_msr func returns $(eval echo \$$_mockvarname)" -+ _debug "write_msr: MOCKING ativado para retornos de msr $_msr func $(eval echo \$$_mockvarname)" - mocked=1 - [ "$(eval echo \$$_mockvarname)" = $WRITE_MSR_RET_LOCKDOWN ] && msr_locked_down=1 - return "$(eval echo \$$_mockvarname)" -@@ -2761,7 +2761,7 @@ write_msr_one_core() - load_msr - fi - if [ ! -e /dev/cpu/0/msr ] && [ ! -e /dev/cpuctl0 ]; then -- read_msr_msg="is msr kernel module available?" -+ read_msr_msg="o módulo do kernel msr está disponível?" - return $WRITE_MSR_RET_ERR - fi - -@@ -2772,17 +2772,17 @@ write_msr_one_core() - # for Linux - # convert to decimal - if [ ! -w /dev/cpu/"$_core"/msr ]; then -- write_msr_msg="No write permission on /dev/cpu/$_core/msr" -+ write_msr_msg="Sem permissão de gravação em /dev/cpu/$_core/msr" - return $WRITE_MSR_RET_ERR - # if wrmsr is available, use it - elif command -v wrmsr >/dev/null 2>&1 && [ "${SMC_NO_WRMSR:-}" != 1 ]; then -- _debug "write_msr: using wrmsr" -+ _debug "write_msr: usando wrmsr" - wrmsr $_msr_dec $_value_dec 2>/dev/null; ret=$? 
- # ret=4: msr doesn't exist, ret=127: msr.allow_writes=off - [ "$ret" = 127 ] && _write_denied=1 - # or fallback to dd if it supports seek_bytes, we prefer it over perl because we can tell the difference between EPERM and EIO - elif dd if=/dev/null of=/dev/null bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}" != 1 ]; then -- _debug "write_msr: using dd" -+ _debug "write_msr: usando dd" - awk "BEGIN{printf \"%c\", $_value_dec}" | dd of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$? - # if it failed, inspect stderrto look for EPERM - if [ "$ret" != 0 ]; then -@@ -2792,13 +2792,13 @@ write_msr_one_core() - fi - # or if we have perl, use it, any 5.x version will work - elif command -v perl >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then -- _debug "write_msr: using perl" -+ _debug "write_msr: usando perl" - ret=1 - perl -e "open(M,'>','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and exit(syswrite(M,pack(v4,$_value_dec)))"; [ $? -eq 8 ] && ret=0 - else -- _debug "write_msr: got no wrmsr, perl or recent enough dd!" -+ _debug "write_msr: não tenho wrmsr, perl ou dd recente o suficiente!" 
- mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_ERR") -- write_msr_msg="missing tool, install either msr-tools or perl" -+ write_msr_msg="ferramenta ausente, instale msr-tools ou perl" - return $WRITE_MSR_RET_ERR - fi - if [ "$ret" != 0 ]; then -@@ -2811,22 +2811,22 @@ write_msr_one_core() - # yet more recent versions of the msr module can be set to msr.allow_writes=off, in which case no dmesg message is printed, - # but the write fails - if [ "$_write_denied" = 1 ]; then -- _debug "write_msr: writing to msr has been denied" -+ _debug "write_msr: escrita para msr foi negado" - mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN") - msr_locked_down=1 -- write_msr_msg="your kernel is configured to deny writes to MSRs from user space" -+ write_msr_msg="seu kernel está configurado para negar gravações em MSRs do espaço do usuário" - return $WRITE_MSR_RET_LOCKDOWN - elif dmesg | grep -qF "msr: Direct access to MSR"; then -- _debug "write_msr: locked down kernel detected (Red Hat / Fedora)" -+ _debug "write_msr: kernel bloqueado detectado (Red Hat/Fedora)" - mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN") - msr_locked_down=1 -- write_msr_msg="your kernel is locked down (Fedora/Red Hat), please reboot without secure boot and retry" -+ write_msr_msg="seu kernel está bloqueado (Fedora/Red Hat), reinicie sem inicialização segura e tente novamente" - return $WRITE_MSR_RET_LOCKDOWN - elif dmesg | grep -qF "raw MSR access is restricted"; then -- _debug "write_msr: locked down kernel detected (vanilla)" -+ _debug "write_msr: kernel bloqueado detectado (vanilla)" - mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN") - msr_locked_down=1 -- write_msr_msg="your kernel is locked down, please reboot with lockdown=none in the kernel cmdline and retry" -+ write_msr_msg="seu kernel está bloqueado, reinicie com lockdown=none no cmdline do kernel 
e tente novamente" - return $WRITE_MSR_RET_LOCKDOWN - fi - unset _write_denied -@@ -2839,7 +2839,7 @@ write_msr_one_core() - else - ret=$WRITE_MSR_RET_KO - fi -- _debug "write_msr: for cpu $_core on msr $_msr, value=$_value, ret=$ret" -+ _debug "write_msr: para cpu $_core no msr $_msr, value=$_value, ret=$ret" - mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$ret") - return $ret - } -@@ -2869,7 +2869,7 @@ read_msr() - else - # compare first core with the other ones - if [ $_first_core_ret != $ret ] || [ "$_first_core_value" != "$read_msr_value" ]; then -- read_msr_msg="result is not homogeneous between all cores, at least core 0 and $_core differ!" -+ read_msr_msg="resultado não é homogêneo entre todos os núcleos, pelo menos o núcleo 0 e $_core diferem!" - return $READ_MSR_RET_ERR - fi - fi -@@ -2885,13 +2885,13 @@ read_msr_one_core() - _msr=$(printf "0x%x" "$_msr_dec") - - read_msr_value='' -- read_msr_msg='unknown error' -+ read_msr_msg='erro desconhecido' - - _mockvarname="SMC_MOCK_RDMSR_${_msr}" - # shellcheck disable=SC2086,SC1083 - if [ -n "$(eval echo \${$_mockvarname:-})" ]; then - read_msr_value="$(eval echo \$$_mockvarname)" -- _debug "read_msr: MOCKING enabled for msr $_msr, returning $read_msr_value" -+ _debug "read_msr: MOCKING ativado para msr $_msr, retornando $read_msr_value" - mocked=1 - return $READ_MSR_RET_OK - fi -@@ -2899,7 +2899,7 @@ read_msr_one_core() - _mockvarname="SMC_MOCK_RDMSR_${_msr}_RET" - # shellcheck disable=SC2086,SC1083 - if [ -n "$(eval echo \${$_mockvarname:-})" ] && [ "$(eval echo \$$_mockvarname)" -ne 0 ]; then -- _debug "read_msr: MOCKING enabled for msr $_msr func returns $(eval echo \$$_mockvarname)" -+ _debug "read_msr: MOCKING ativado para msr $_msr func retorna $(eval echo \$$_mockvarname)" - mocked=1 - return "$(eval echo \$$_mockvarname)" - fi -@@ -2909,7 +2909,7 @@ read_msr_one_core() - load_msr - fi - if [ ! -e /dev/cpu/0/msr ] && [ ! 
-e /dev/cpuctl0 ]; then -- read_msr_msg="is msr kernel module available?" -+ read_msr_msg="o módulo do kernel msr está disponível?" - return $READ_MSR_RET_ERR - fi - -@@ -2928,24 +2928,24 @@ read_msr_one_core() - # for Linux - if [ ! -r /dev/cpu/"$_core"/msr ]; then - mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_RDMSR_${_msr}_RET=$READ_MSR_RET_ERR") -- read_msr_msg="No read permission for /dev/cpu/$_core/msr" -+ read_msr_msg="Sem permissão de leitura para /dev/cpu/$_core/msr" - return $READ_MSR_RET_ERR - # if rdmsr is available, use it - elif command -v rdmsr >/dev/null 2>&1 && [ "${SMC_NO_RDMSR:-}" != 1 ]; then -- _debug "read_msr: using rdmsr on $_msr" -+ _debug "read_msr: usando rdmsr em $_msr" - read_msr_value=$(rdmsr -r $_msr_dec 2>/dev/null | od -t u8 -A n) - # or if we have perl, use it, any 5.x version will work - elif command -v perl >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then -- _debug "read_msr: using perl on $_msr" -+ _debug "read_msr: usando perl em $_msr" - read_msr_value=$(perl -e "open(M,'<','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and read(M,\$_,8) and print" | od -t u8 -A n) - # fallback to dd if it supports skip_bytes - elif dd if=/dev/null of=/dev/null bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then -- _debug "read_msr: using dd on $_msr" -+ _debug "read_msr: usando dd em $_msr" - read_msr_value=$(dd if=/dev/cpu/"$_core"/msr bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null | od -t u8 -A n) - else -- _debug "read_msr: got no rdmsr, perl or recent enough dd!" -+ _debug "read_msr: não tenho rdmsr, perl ou dd recente o suficiente!" 
- mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_RDMSR_${_msr}_RET=$READ_MSR_RET_ERR") -- read_msr_msg='missing tool, install either msr-tools or perl' -+ read_msr_msg='ferramenta ausente, instale msr-tools ou perl' - return $READ_MSR_RET_ERR - fi - if [ -z "$read_msr_value" ]; then -@@ -2957,35 +2957,35 @@ read_msr_one_core() - read_msr_value=$(( read_msr_value )) - fi - mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_RDMSR_${_msr}='$read_msr_value'") -- _debug "read_msr: MSR=$_msr value is $read_msr_value" -+ _debug "read_msr: MSR=$_msr o valor é $read_msr_value" - return $READ_MSR_RET_OK - } +@@ -3087,29 +3087,29 @@ sys_interface_check() check_cpu() { @@ -1781,7 +1783,7 @@ index 78ca6bd..c37c0f5 100755 # from kernel src: { X86_FEATURE_SPEC_CTRL, CPUID_EDX,26, 0x00000007, 0 }, # amd: https://developer.amd.com/wp-content/resources/Architecture_Guidelines_Update_Indirect_Branch_Control.pdf # amd: 8000_0008 EBX[14]=1 -@@ -2993,179 +2993,179 @@ check_cpu() +@@ -3117,179 +3117,179 @@ check_cpu() if is_intel; then read_cpuid 0x7 0x0 $EDX 26 1 1; ret=$? if [ $ret = $READ_CPUID_RET_OK ]; then @@ -2012,7 +2014,7 @@ index 78ca6bd..c37c0f5 100755 #hygon cpuid_ssbd_virt_spec_ctrl=1 elif [ "$cpu_family" -ge 24 ]; then cpuid_ssbd='HYGON non-architectural MSR' -@@ -3173,11 +3173,11 @@ check_cpu() +@@ -3297,11 +3297,11 @@ check_cpu() fi if [ -n "${cpuid_ssbd:=}" ]; then @@ -2027,7 +2029,7 @@ index 78ca6bd..c37c0f5 100755 fi amd_ssb_no=0 -@@ -3200,35 +3200,35 @@ check_cpu() +@@ -3324,35 +3324,35 @@ check_cpu() fi fi @@ -2072,7 +2074,7 @@ index 78ca6bd..c37c0f5 100755 cpuid_l1df=-1 fi -@@ -3239,60 +3239,60 @@ check_cpu() +@@ -3363,60 +3363,60 @@ check_cpu() fi if is_intel; then @@ -2151,7 +2153,7 @@ index 78ca6bd..c37c0f5 100755 fi # make shellcheck happy while we're not yet using these new cpuid values in our checks -@@ -3300,22 +3300,22 @@ check_cpu() +@@ -3424,22 +3424,22 @@ check_cpu() fi if is_intel; then 
@@ -2180,7 +2182,7 @@ index 78ca6bd..c37c0f5 100755 capabilities_taa_no=-1 capabilities_mds_no=-1 capabilities_rdcl_no=-1 -@@ -3328,7 +3328,7 @@ check_cpu() +@@ -3452,7 +3452,7 @@ check_cpu() capabilities_gds_ctrl=-1 capabilities_gds_no=-1 if [ "$cpuid_arch_capabilities" = -1 ]; then @@ -2189,7 +2191,7 @@ index 78ca6bd..c37c0f5 100755 elif [ "$cpuid_arch_capabilities" != 1 ]; then capabilities_rdcl_no=0 capabilities_taa_no=0 -@@ -3341,7 +3341,7 @@ check_cpu() +@@ -3465,7 +3465,7 @@ check_cpu() capabilities_tsx_ctrl_msr=0 capabilities_gds_ctrl=0 capabilities_gds_no=0 @@ -2198,7 +2200,7 @@ index 78ca6bd..c37c0f5 100755 else # the new MSR 'ARCH_CAPABILITIES' is at offset 0x10a read_msr 0x10a; ret=$? -@@ -3359,7 +3359,7 @@ check_cpu() +@@ -3483,7 +3483,7 @@ check_cpu() if [ $ret = $READ_MSR_RET_OK ]; then capabilities=$read_msr_value # https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/arch/x86/include/asm/msr-index.h#n82 @@ -2207,7 +2209,7 @@ index 78ca6bd..c37c0f5 100755 [ $(( capabilities >> 0 & 1 )) -eq 1 ] && capabilities_rdcl_no=1 [ $(( capabilities >> 1 & 1 )) -eq 1 ] && capabilities_ibrs_all=1 [ $(( capabilities >> 2 & 1 )) -eq 1 ] && capabilities_rsba=1 -@@ -3371,89 +3371,89 @@ check_cpu() +@@ -3495,89 +3495,89 @@ check_cpu() [ $(( capabilities >> 8 & 1 )) -eq 1 ] && capabilities_taa_no=1 [ $(( capabilities >> 25 & 1 )) -eq 1 ] && capabilities_gds_ctrl=1 [ $(( capabilities >> 26 & 1 )) -eq 1 ] && capabilities_gds_no=1 @@ -2274,7 +2276,8 @@ index 78ca6bd..c37c0f5 100755 - pstatus yellow UNKNOWN + pstatus yellow DESCONHECIDO elif [ "$capabilities_rsba" = 1 ]; then - pstatus yellow YES +- pstatus yellow YES ++ pstatus yellow SIM else - pstatus blue NO + pstatus blue NÃO @@ -2333,7 +2336,7 @@ index 78ca6bd..c37c0f5 100755 fi if [ "$capabilities_tsx_ctrl_msr" = 1 ]; then -@@ -3464,32 +3464,32 @@ check_cpu() +@@ -3588,32 +3588,32 @@ check_cpu() tsx_ctrl_msr_cpuid_clear=$(( tsx_ctrl_msr >> 1 & 1 )) fi 
@@ -2378,7 +2381,7 @@ index 78ca6bd..c37c0f5 100755 fi mcu_opt_ctrl_gds_mitg_dis=-1 -@@ -3503,60 +3503,60 @@ check_cpu() +@@ -3627,60 +3627,60 @@ check_cpu() mcu_opt_ctrl_gds_mitg_lock=$(( mcu_opt_ctrl >> 5 & 1 )) fi @@ -2458,7 +2461,7 @@ index 78ca6bd..c37c0f5 100755 ret=$READ_CPUID_RET_KO cpuid_rtm=0 if is_intel; then -@@ -3564,31 +3564,31 @@ check_cpu() +@@ -3688,31 +3688,31 @@ check_cpu() fi if [ $ret = $READ_CPUID_RET_OK ]; then cpuid_rtm=1 @@ -2498,7 +2501,7 @@ index 78ca6bd..c37c0f5 100755 # A processor supports SRBDS if it enumerates CPUID (EAX=7H,ECX=0):EDX[9] as 1 # That means the mitigation disabling SRBDS exists ret=$READ_CPUID_RET_KO -@@ -3598,7 +3598,7 @@ check_cpu() +@@ -3722,7 +3722,7 @@ check_cpu() read_cpuid 0x7 0x0 $EDX 9 1 1; ret=$? fi if [ $ret = $READ_CPUID_RET_OK ]; then @@ -2507,7 +2510,7 @@ index 78ca6bd..c37c0f5 100755 cpuid_srbds=1 read_msr 0x123; ret=$? if [ $ret = $READ_MSR_RET_OK ]; then -@@ -3613,60 +3613,60 @@ check_cpu() +@@ -3737,60 +3737,60 @@ check_cpu() srbds_on=-1 fi elif [ $ret = $READ_CPUID_RET_KO ]; then @@ -2547,7 +2550,7 @@ index 78ca6bd..c37c0f5 100755 - _warn "The microcode your CPU is running on is known to cause instability problems," - _warn "such as intempestive reboots or random crashes." - _warn "You are advised to either revert to a previous microcode version (that might not have" -- _warn "the mitigations for Spectre), or upgrade to a newer one if available." +- _warn "the mitigations for recent vulnerabilities), or upgrade to a newer one if available." + _warn "Sabe-se que o microcódigo em que sua CPU está sendo executada causa problemas de instabilidade," + _warn "como reinicializações intempestivas ou falhas aleatórias." + _warn "Recomenda-se reverter para uma versão anterior do microcódigo (que pode não ter" 
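Review bot: In the hunk for the unstable-microcode warning, only the English `-` line was refreshed to `the mitigations for recent vulnerabilities)`; the Portuguese `+` line that replaces it sits just past the hunk's context and so appears to be unchanged. If it still names only Spectre, pt-br users are told that reverting the microcode costs them just the Spectre mitigations, which understates the trade-off the upstream text now describes. Something like `_warn "as mitigações para vulnerabilidades recentes), ou atualizar para uma mais nova, se disponível."` would keep the translation in step. The current Portuguese wording is not visible here, so adapt the suggestion to it.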
@@ -2589,7 +2592,7 @@ index 78ca6bd..c37c0f5 100755 fi done } -@@ -3686,12 +3686,12 @@ check_redhat_canonical_spectre() +@@ -3810,12 +3810,12 @@ check_redhat_canonical_spectre() if "${opt_arch_prefix}strings" "$kernel" | grep -qw noibrs && "${opt_arch_prefix}strings" "$kernel" | grep -qw noibpb; then # 1) detect their specific variant2 patch. If it's present, it means # that the variant1 patch is also present (both were merged at the same time) @@ -2604,7 +2607,7 @@ index 78ca6bd..c37c0f5 100755 redhat_canonical_spectre=2 else redhat_canonical_spectre=0 -@@ -3701,7 +3701,7 @@ check_redhat_canonical_spectre() +@@ -3825,7 +3825,7 @@ check_redhat_canonical_spectre() check_has_vmm() { @@ -2613,7 +2616,7 @@ index 78ca6bd..c37c0f5 100755 has_vmm=$opt_vmm if [ "$has_vmm" = -1 ] && [ "$opt_paranoid" = 1 ]; then # In paranoid mode, if --vmm was not specified on the command-line, -@@ -3726,7 +3726,7 @@ check_has_vmm() +@@ -3850,7 +3850,7 @@ check_has_vmm() # is null, which is the case for kernel threads: ignore those to # avoid false positives (such as [kvm-irqfd-clean] under at least RHEL 7.6/7.7) if ! [ "$(readlink -m "/proc/$_pid/exe")" = "/proc/$_pid/exe" ]; then @@ -2622,7 +2625,7 @@ index 78ca6bd..c37c0f5 100755 has_vmm=1 fi done -@@ -3742,17 +3742,17 @@ check_has_vmm() +@@ -3866,17 +3866,17 @@ check_has_vmm() fi if [ "$has_vmm" = 0 ]; then if [ "$opt_vmm" != -1 ]; then @@ -2645,7 +2648,7 @@ index 78ca6bd..c37c0f5 100755 fi fi } -@@ -3764,19 +3764,19 @@ check_has_vmm() +@@ -3888,19 +3888,19 @@ check_has_vmm() check_CVE_2017_5753() { cve='CVE-2017-5753' @@ -2668,7 +2671,7 @@ index 78ca6bd..c37c0f5 100755 sys_interface_available=0 msg='' if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/spectre_v1"; then -@@ -3788,7 +3788,7 @@ check_CVE_2017_5753_linux() +@@ -3912,7 +3912,7 @@ check_CVE_2017_5753_linux() fi if [ "$opt_sysfs_only" != 1 ]; then # no /sys interface (or offline mode), fallback to our own ways 
@@ -2677,7 +2680,7 @@ index 78ca6bd..c37c0f5 100755 # vanilla: look for the Linus' mask aka array_index_mask_nospec() # that is inlined at least in raw_copy_from_user (__get_user_X symbols) #mov PER_CPU_VAR(current_task), %_ASM_DX -@@ -3818,46 +3818,46 @@ check_CVE_2017_5753_linux() +@@ -3942,46 +3942,46 @@ check_CVE_2017_5753_linux() # http://git.arm.linux.org.uk/cgit/linux-arm.git/commit/?h=spectre&id=a78d156587931a2c3b354534aa772febf6c9e855 v1_mask_nospec='' if [ -n "$kernel_err" ]; then @@ -2737,7 +2740,7 @@ index 78ca6bd..c37c0f5 100755 #.macro mask_nospec64, idx, limit, tmp #sub \tmp, \idx, \limit #bic \tmp, \tmp, \idx -@@ -3873,24 +3873,24 @@ check_CVE_2017_5753_linux() +@@ -3997,24 +3997,24 @@ check_CVE_2017_5753_linux() # # if we have v1_mask_nospec or redhat_canonical_spectre>0, don't bother disassembling the kernel, the answer is no. if [ -n "$v1_mask_nospec" ] || [ "$redhat_canonical_spectre" -gt 0 ]; then @@ -2769,7 +2772,7 @@ index 78ca6bd..c37c0f5 100755 # in 4.19+ kernels, the mask_nospec64 asm64 macro is replaced by array_index_nospec, defined in nospec.h, and used in invoke_syscall() # ffffff8008090a4c: 2a0203e2 mov w2, w2 # ffffff8008090a50: eb0200bf cmp x5, x2 -@@ -3900,32 +3900,32 @@ check_CVE_2017_5753_linux() +@@ -4024,32 +4024,32 @@ check_CVE_2017_5753_linux() # # if we have v1_mask_nospec or redhat_canonical_spectre>0, don't bother disassembling the kernel, the answer is no. if [ -n "$v1_mask_nospec" ] || [ "$redhat_canonical_spectre" -gt 0 ]; then 
@@ -2811,7 +2814,7 @@ index 78ca6bd..c37c0f5 100755 else # here we disassemble the kernel and count the number of occurrences of the LFENCE opcode # in non-patched kernels, this has been empirically determined as being around 40-50 -@@ -3936,10 +3936,10 @@ check_CVE_2017_5753_linux() +@@ -4060,10 +4060,10 @@ check_CVE_2017_5753_linux() # non patched kernel have between 0 and 20 matches, patched ones have at least 40-45 nb_lfence=$("${opt_arch_prefix}objdump" $objdump_options "$kernel" 2>/dev/null | grep -w -B1 lfence | grep -Ewc 'jmp|jne|je') if [ "$nb_lfence" -lt 30 ]; then @@ -2824,7 +2827,7 @@ index 78ca6bd..c37c0f5 100755 fi fi fi -@@ -3947,36 +3947,36 @@ check_CVE_2017_5753_linux() +@@ -4071,36 +4071,36 @@ check_CVE_2017_5753_linux() else # we have no sysfs but were asked to use it only! @@ -2874,7 +2877,7 @@ index 78ca6bd..c37c0f5 100755 fi pvulnstatus $cve "$status" "$msg" [ -n "${_explain:-}" ] && explain "$_explain" -@@ -3989,9 +3989,9 @@ check_CVE_2017_5753_bsd() +@@ -4113,9 +4113,9 @@ check_CVE_2017_5753_bsd() { if ! is_cpu_affected "$cve"; then # override status & msg in case CPU is not vulnerable after all @@ -2886,7 +2889,7 @@ index 78ca6bd..c37c0f5 100755 fi } -@@ -4002,19 +4002,19 @@ check_CVE_2017_5753_bsd() +@@ -4126,19 +4126,19 @@ check_CVE_2017_5753_bsd() check_CVE_2017_5715() { cve='CVE-2017-5715' @@ -2909,7 +2912,7 @@ index 78ca6bd..c37c0f5 100755 sys_interface_available=0 msg='' if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/spectre_v2"; then -@@ -4022,7 +4022,7 @@ check_CVE_2017_5715_linux() +@@ -4146,7 +4146,7 @@ check_CVE_2017_5715_linux() sys_interface_available=1 fi if [ "$opt_sysfs_only" != 1 ]; then 
@@ -2918,7 +2921,7 @@ index 78ca6bd..c37c0f5 100755 ibrs_can_tell=0 ibrs_supported='' -@@ -4046,21 +4046,21 @@ check_CVE_2017_5715_linux() +@@ -4170,21 +4170,21 @@ check_CVE_2017_5715_linux() # /sys/kernel/debug/x86/ibrs_enabled: Red Hat (see https://access.redhat.com/articles/3311301) # /proc/sys/kernel/ibrs_enabled: OpenSUSE tumbleweed specex_knob_dir=$dir @@ -2946,7 +2949,7 @@ index 78ca6bd..c37c0f5 100755 fi done # on some newer kernels, the spec_ctrl_ibrs flag in "$procfs/cpuinfo" -@@ -4069,8 +4069,8 @@ check_CVE_2017_5715_linux() +@@ -4193,8 +4193,8 @@ check_CVE_2017_5715_linux() # as per the ibrs patch series v3 if [ -z "$ibrs_supported" ]; then if grep ^flags "$procfs/cpuinfo" | grep -qw spec_ctrl_ibrs; then @@ -2957,7 +2960,7 @@ index 78ca6bd..c37c0f5 100755 # enabled=2 -> kernel & user ibrs_enabled=2 # XXX and what about ibpb ? -@@ -4079,27 +4079,27 @@ check_CVE_2017_5715_linux() +@@ -4203,27 +4203,27 @@ check_CVE_2017_5715_linux() if [ -n "$fullmsg" ]; then # when IBPB is enabled on 4.15+, we can see it in sysfs if echo "$fullmsg" | grep -q 'IBPB'; then @@ -2992,7 +2995,7 @@ index 78ca6bd..c37c0f5 100755 # 4 isn't actually a valid value of the now extinct "ibrs_enabled" flag file, # that only went from 0 to 3, so we use 4 as "enhanced ibrs is enabled" ibrs_enabled=4 -@@ -4112,8 +4112,8 @@ check_CVE_2017_5715_linux() +@@ -4236,8 +4236,8 @@ check_CVE_2017_5715_linux() if [ -z "$ibrs_supported" ]; then check_redhat_canonical_spectre if [ "$redhat_canonical_spectre" = 1 ]; then @@ -3003,7 +3006,7 @@ index 78ca6bd..c37c0f5 100755 fi fi if [ -z "$ibrs_supported" ] && [ -n "$kernel" ]; then -@@ -4123,16 +4123,16 @@ check_CVE_2017_5715_linux() +@@ -4247,16 +4247,16 @@ check_CVE_2017_5715_linux() ibrs_can_tell=1 ibrs_supported=$("${opt_arch_prefix}strings" "$kernel" | grep -Fw -e ', IBRS_FW' | head -1) if [ -n "$ibrs_supported" ]; then 
@@ -3024,7 +3027,7 @@ index 78ca6bd..c37c0f5 100755 fi fi # recent (4.15) vanilla kernels have IBPB but not IBRS, and without the debugfs tunables of Red Hat -@@ -4144,35 +4144,35 @@ check_CVE_2017_5715_linux() +@@ -4268,35 +4268,35 @@ check_CVE_2017_5715_linux() ibpb_can_tell=1 ibpb_supported=$("${opt_arch_prefix}strings" "$kernel" | grep -Fw -e 'ibpb' -e ', IBPB' | head -1) if [ -n "$ibpb_supported" ]; then @@ -3069,7 +3072,7 @@ index 78ca6bd..c37c0f5 100755 else # 0 means disabled # 1 is enabled only for kernel space -@@ -4182,104 +4182,104 @@ check_CVE_2017_5715_linux() +@@ -4306,104 +4306,104 @@ check_CVE_2017_5715_linux() case "$ibrs_enabled" in 0) if [ "$ibrs_fw_enabled" = 1 ]; then @@ -3209,7 +3212,7 @@ index 78ca6bd..c37c0f5 100755 fi if [ "$retpoline" = 1 ]; then -@@ -4298,17 +4298,17 @@ check_CVE_2017_5715_linux() +@@ -4422,17 +4422,17 @@ check_CVE_2017_5715_linux() if echo "$fullmsg" | grep -qwi -e retpoline -e retpolines; then if echo "$fullmsg" | grep -qwi minimal; then retpoline_compiler=0 @@ -3230,7 +3233,7 @@ index 78ca6bd..c37c0f5 100755 fi elif [ -n "$kernel" ]; then # look for the symbol -@@ -4316,28 +4316,28 @@ check_CVE_2017_5715_linux() +@@ -4440,28 +4440,28 @@ check_CVE_2017_5715_linux() # the proper way: use nm and look for the symbol if "${opt_arch_prefix}nm" "$kernel" 2>/dev/null | grep -qw 'noretpoline_setup'; then retpoline_compiler=1 @@ -3266,7 +3269,7 @@ index 78ca6bd..c37c0f5 100755 fi fi fi -@@ -4348,50 +4348,50 @@ check_CVE_2017_5715_linux() +@@ -4472,50 +4472,50 @@ check_CVE_2017_5715_linux() if [ "$opt_live" = 1 ]; then if [ -e "$specex_knob_dir/retp_enabled" ]; then retp_enabled=$(cat "$specex_knob_dir/retp_enabled" 2>/dev/null) @@ -3330,7 +3333,7 @@ index 78ca6bd..c37c0f5 100755 fi fi fi -@@ -4399,44 +4399,44 @@ check_CVE_2017_5715_linux() +@@ -4523,44 +4523,44 @@ check_CVE_2017_5715_linux() elif [ "$sys_interface_available" = 0 ]; then # we have no sysfs but were asked to use it only! 
@@ -3392,7 +3395,7 @@ index 78ca6bd..c37c0f5 100755 fi fi -@@ -4444,66 +4444,66 @@ check_CVE_2017_5715_linux() +@@ -4568,66 +4568,66 @@ check_CVE_2017_5715_linux() if [ "$pvulnstatus_last_cve" != "$cve" ]; then # explain what's needed for this CPU if is_vulnerable_to_empty_rsb; then @@ -3478,7 +3481,7 @@ index 78ca6bd..c37c0f5 100755 fi fi fi -@@ -4513,11 +4513,11 @@ check_CVE_2017_5715_linux() +@@ -4637,11 +4637,11 @@ check_CVE_2017_5715_linux() # RETPOLINE (amd & intel &hygon ) if is_amd || is_intel || is_hygon; then if [ "$retpoline" = 0 ]; then @@ -3493,7 +3496,7 @@ index 78ca6bd..c37c0f5 100755 fi fi # /RETPOLINE -@@ -4546,58 +4546,58 @@ check_CVE_2017_5715_linux() +@@ -4670,58 +4670,58 @@ check_CVE_2017_5715_linux() check_CVE_2017_5715_bsd() { @@ -3574,7 +3577,7 @@ index 78ca6bd..c37c0f5 100755 fi } -@@ -4612,7 +4612,7 @@ check_CVE_2017_5715_bsd() +@@ -4736,7 +4736,7 @@ check_CVE_2017_5715_bsd() # https://groups.google.com/forum/m/#!topic/mechanical-sympathy/L9mHTbeQLNU pti_performance_check() { @@ -3583,7 +3586,7 @@ index 78ca6bd..c37c0f5 100755 if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo" | grep -qw pcid; then cpu_pcid=1 else -@@ -4632,11 +4632,11 @@ pti_performance_check() +@@ -4756,11 +4756,11 @@ pti_performance_check() fi if [ "$cpu_invpcid" = 1 ]; then @@ -3598,7 +3601,7 @@ index 78ca6bd..c37c0f5 100755 fi } -@@ -4644,19 +4644,19 @@ pti_performance_check() +@@ -4768,19 +4768,19 @@ pti_performance_check() check_CVE_2017_5754() { cve='CVE-2017-5754' @@ -3621,7 +3624,7 @@ index 78ca6bd..c37c0f5 100755 sys_interface_available=0 msg='' if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/meltdown"; then -@@ -4664,14 +4664,14 @@ check_CVE_2017_5754_linux() +@@ -4788,14 +4788,14 @@ check_CVE_2017_5754_linux() sys_interface_available=1 fi if [ "$opt_sysfs_only" != 1 ]; then 
@@ -3638,7 +3641,7 @@ index 78ca6bd..c37c0f5 100755 fi fi if [ -z "$kpti_support" ] && [ -n "$opt_map" ]; then -@@ -4681,7 +4681,7 @@ check_CVE_2017_5754_linux() +@@ -4805,7 +4805,7 @@ check_CVE_2017_5754_linux() kpti_can_tell=1 kpti_support=$(grep -w -e kpti_force_enabled -e parse_kpti "$opt_map") if [ -n "$kpti_support" ]; then @@ -3647,7 +3650,7 @@ index 78ca6bd..c37c0f5 100755 fi fi if [ -z "$kpti_support" ] && [ -n "$kernel" ]; then -@@ -4690,29 +4690,29 @@ check_CVE_2017_5754_linux() +@@ -4814,29 +4814,29 @@ check_CVE_2017_5754_linux() # 'kpti=': arm kpti_can_tell=1 if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then @@ -3684,7 +3687,7 @@ index 78ca6bd..c37c0f5 100755 if [ "$opt_live" = 1 ]; then dmesg_grep="Kernel/User page tables isolation: enabled" dmesg_grep="$dmesg_grep|Kernel page table isolation enabled" -@@ -4721,11 +4721,11 @@ check_CVE_2017_5754_linux() +@@ -4845,16 +4845,16 @@ check_CVE_2017_5754_linux() dmesg_grep="$dmesg_grep|CPU features: detected( feature)?: Kernel page table isolation \(KPTI\)" if grep ^flags "$procfs/cpuinfo" | grep -qw pti; then # vanilla PTI patch sets the 'pti' flag in cpuinfo @@ -3698,7 +3701,13 @@ index 78ca6bd..c37c0f5 100755 kpti_enabled=1 elif [ -e /sys/kernel/debug/x86/pti_enabled ]; then # Red Hat Backport creates a dedicated file, see https://access.redhat.com/articles/3311301 -@@ -4739,34 +4739,34 @@ check_CVE_2017_5754_linux() + kpti_enabled=$(cat /sys/kernel/debug/x86/pti_enabled 2>/dev/null) +- _debug "kpti_enabled: file /sys/kernel/debug/x86/pti_enabled exists and says: $kpti_enabled" ++ _debug "kpti_enabled: arquivo /sys/kernel/debug/x86/pti_enabled existe e diz: $kpti_enabled" + elif is_xen_dom0; then + pti_xen_pv_domU=$(xl dmesg | grep 'XPTI' | grep 'DomU enabled' | head -1) + +@@ -4863,34 +4863,34 @@ check_CVE_2017_5754_linux() if [ -z "$kpti_enabled" ]; then dmesg_grep "$dmesg_grep"; ret=$? if [ $ret -eq 0 ]; then 
@@ -3742,7 +3751,7 @@ index 78ca6bd..c37c0f5 100755 fi -@@ -4779,68 +4779,68 @@ check_CVE_2017_5754_linux() +@@ -4903,68 +4903,68 @@ check_CVE_2017_5754_linux() if [ "$opt_live" = 1 ]; then # checking whether we're running under Xen PV 64 bits. If yes, we are affected by variant3 # (unless we are a Dom0) @@ -3836,7 +3845,7 @@ index 78ca6bd..c37c0f5 100755 [ -n "${_explain:-}" ] && explain "$_explain" unset _explain fi -@@ -4848,41 +4848,41 @@ check_CVE_2017_5754_linux() +@@ -4972,41 +4972,41 @@ check_CVE_2017_5754_linux() # Warn the user about XSA-254 recommended mitigations if [ "$xen_pv_domo" = 1 ]; then _warn @@ -3891,7 +3900,7 @@ index 78ca6bd..c37c0f5 100755 fi } -@@ -4893,29 +4893,29 @@ check_CVE_2017_5754_bsd() +@@ -5017,29 +5017,29 @@ check_CVE_2017_5754_bsd() check_CVE_2018_3640() { cve='CVE-2018-3640' @@ -3930,7 +3939,7 @@ index 78ca6bd..c37c0f5 100755 fi } -@@ -4926,19 +4926,19 @@ check_CVE_2018_3640() +@@ -5050,19 +5050,19 @@ check_CVE_2018_3640() check_CVE_2018_3639() { cve='CVE-2018-3639' @@ -3953,7 +3962,7 @@ index 78ca6bd..c37c0f5 100755 sys_interface_available=0 msg='' if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/spec_store_bypass"; then -@@ -4946,115 +4946,115 @@ check_CVE_2018_3639_linux() +@@ -5070,115 +5070,115 @@ check_CVE_2018_3639_linux() sys_interface_available=1 fi if [ "$opt_sysfs_only" != 1 ]; then @@ -4102,7 +4111,7 @@ index 78ca6bd..c37c0f5 100755 fi fi else -@@ -5064,50 +5064,50 @@ check_CVE_2018_3639_linux() +@@ -5188,50 +5188,50 @@ check_CVE_2018_3639_linux() check_CVE_2018_3639_bsd() { @@ -4171,7 +4180,7 @@ index 78ca6bd..c37c0f5 100755 fi fi fi -@@ -5120,9 +5120,9 @@ check_CVE_2018_3639_bsd() +@@ -5244,9 +5244,9 @@ check_CVE_2018_3639_bsd() check_CVE_2018_3615() { cve='CVE-2018-3615' 
@@ -4183,7 +4192,7 @@ index 78ca6bd..c37c0f5 100755 if { [ "$cpu_flush_cmd" = 1 ] || { [ "$msr_locked_down" = 1 ] && [ "$cpuid_l1df" = 1 ]; }; } && [ "$cpuid_sgx" = 1 ]; then # no easy way to detect a fixed SGX but we know that # microcodes that have the FLUSH_CMD MSR also have the -@@ -5132,20 +5132,20 @@ check_CVE_2018_3615() +@@ -5256,20 +5256,20 @@ check_CVE_2018_3615() # if the system we're running on is locked down (no way to write MSRs), # make the assumption that if the L1D flush CPUID bit is set, probably # that FLUSH_CMD MSR is here too @@ -4209,7 +4218,7 @@ index 78ca6bd..c37c0f5 100755 fi } -@@ -5153,19 +5153,19 @@ check_CVE_2018_3615() +@@ -5277,19 +5277,19 @@ check_CVE_2018_3615() check_CVE_2018_3620() { cve='CVE-2018-3620' @@ -4232,7 +4241,7 @@ index 78ca6bd..c37c0f5 100755 sys_interface_available=0 msg='' if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/l1tf"; then -@@ -5173,60 +5173,60 @@ check_CVE_2018_3620_linux() +@@ -5297,60 +5297,60 @@ check_CVE_2018_3620_linux() sys_interface_available=1 fi if [ "$opt_sysfs_only" != 1 ]; then @@ -4312,7 +4321,7 @@ index 78ca6bd..c37c0f5 100755 fi else pvulnstatus $cve "$status" "$msg" -@@ -5235,32 +5235,32 @@ check_CVE_2018_3620_linux() +@@ -5359,32 +5359,32 @@ check_CVE_2018_3620_linux() check_CVE_2018_3620_bsd() { @@ -4353,7 +4362,7 @@ index 78ca6bd..c37c0f5 100755 fi fi } -@@ -5269,19 +5269,19 @@ check_CVE_2018_3620_bsd() +@@ -5393,19 +5393,19 @@ check_CVE_2018_3620_bsd() check_CVE_2018_3646() { cve='CVE-2018-3646' @@ -4376,7 +4385,7 @@ index 78ca6bd..c37c0f5 100755 sys_interface_available=0 msg='' if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/l1tf" '.*' quiet; then -@@ -5292,46 +5292,46 @@ check_CVE_2018_3646_linux() +@@ -5416,46 +5416,46 @@ check_CVE_2018_3646_linux() if [ "$opt_sysfs_only" != 1 ]; then check_has_vmm 
@@ -4438,7 +4447,7 @@ index 78ca6bd..c37c0f5 100755 if [ "$opt_live" = 1 ]; then if [ -n "$fullmsg" ]; then # vanilla: VMX: $l1dstatus, SMT $smtstatus -@@ -5341,13 +5341,13 @@ check_CVE_2018_3646_linux() +@@ -5465,13 +5465,13 @@ check_CVE_2018_3646_linux() # can also just be "Not affected" if echo "$fullmsg" | grep -Eq -e 'Not affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not necessary)'; then l1d_mode=0 @@ -4455,7 +4464,7 @@ index 78ca6bd..c37c0f5 100755 else if is_xen_dom0; then l1d_xen_hardware=$(xl dmesg | grep 'Hardware features:' | grep 'L1D_FLUSH' | head -1) -@@ -5356,131 +5356,131 @@ check_CVE_2018_3646_linux() +@@ -5480,131 +5480,131 @@ check_CVE_2018_3646_linux() if [ -n "$l1d_xen_hardware" ] && [ -n "$l1d_xen_hypervisor" ] && [ -n "$l1d_xen_pv_domU" ]; then l1d_mode=5 @@ -4630,7 +4639,7 @@ index 78ca6bd..c37c0f5 100755 fi fi } -@@ -5529,64 +5529,64 @@ check_CVE_2019_11091() +@@ -5653,64 +5653,64 @@ check_CVE_2019_11091() check_mds() { cve=$1 @@ -4713,7 +4722,7 @@ index 78ca6bd..c37c0f5 100755 if [ "$kernel_md_clear" = 1 ]; then kernel_mds_state=$(sysctl -n hw.mds_disable_state 2>/dev/null) else -@@ -5594,14 +5594,14 @@ check_mds_bsd() +@@ -5718,14 +5718,14 @@ check_mds_bsd() fi # https://github.com/freebsd/freebsd/blob/master/sys/x86/x86/cpu_machdep.c#L953 case "$kernel_mds_state" in @@ -4733,7 +4742,7 @@ index 78ca6bd..c37c0f5 100755 else if [ "$cpuid_md_clear" = 1 ]; then if [ "$kernel_md_clear" = 1 ]; then -@@ -5609,25 +5609,25 @@ check_mds_bsd() +@@ -5733,25 +5733,25 @@ check_mds_bsd() # mitigation must also be enabled if [ "$kernel_mds_enabled" -ge 1 ]; then if [ "$opt_paranoid" != 1 ] || [ "$kernel_smt_allowed" = 0 ]; then @@ -4767,7 +4776,7 @@ index 78ca6bd..c37c0f5 100755 fi fi fi -@@ -5635,7 +5635,7 @@ check_mds_bsd() +@@ -5759,7 +5759,7 @@ check_mds_bsd() check_mds_linux() { 
@@ -4776,7 +4785,7 @@ index 78ca6bd..c37c0f5 100755 sys_interface_available=0 msg='' if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/mds" '^[^;]+'; then -@@ -5643,12 +5643,12 @@ check_mds_linux() +@@ -5767,12 +5767,12 @@ check_mds_linux() fi if [ "$opt_sysfs_only" != 1 ]; then @@ -4792,7 +4801,7 @@ index 78ca6bd..c37c0f5 100755 fi if [ -z "$kernel_md_clear" ]; then if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then -@@ -5656,46 +5656,46 @@ check_mds_linux() +@@ -5780,46 +5780,46 @@ check_mds_linux() elif [ -n "$kernel_err" ]; then kernel_md_clear_can_tell=0 elif "${opt_arch_prefix}strings" "$kernel" | grep -q 'Clear CPU buffers'; then @@ -4853,7 +4862,7 @@ index 78ca6bd..c37c0f5 100755 else if [ "$opt_sysfs_only" != 1 ]; then # compute mystatus and mymsg from our own logic -@@ -5706,30 +5706,30 @@ check_mds_linux() +@@ -5830,30 +5830,30 @@ check_mds_linux() if [ "$mds_mitigated" = 1 ]; then if [ "$opt_paranoid" != 1 ] || [ "$mds_smt_mitigated" = 1 ]; then mystatus=OK @@ -4891,7 +4900,7 @@ index 78ca6bd..c37c0f5 100755 fi fi else -@@ -5762,19 +5762,19 @@ check_mds_linux() +@@ -5886,19 +5886,19 @@ check_mds_linux() check_CVE_2019_11135() { cve='CVE-2019-11135' @@ -4914,7 +4923,7 @@ index 78ca6bd..c37c0f5 100755 sys_interface_available=0 msg='' if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/tsx_async_abort"; then -@@ -5782,63 +5782,63 @@ check_CVE_2019_11135_linux() +@@ -5906,63 +5906,63 @@ check_CVE_2019_11135_linux() sys_interface_available=1 fi if [ "$opt_sysfs_only" != 1 ]; then @@ -4998,7 +5007,7 @@ index 78ca6bd..c37c0f5 100755 else pvulnstatus $cve "$status" "$msg" fi -@@ -5852,9 +5852,9 @@ check_CVE_2019_11135_bsd() +@@ -5976,9 +5976,9 @@ check_CVE_2019_11135_bsd() { if ! is_cpu_affected "$cve" ; then # override status & msg in case CPU is not vulnerable after all 
@@ -5010,7 +5019,7 @@ index 78ca6bd..c37c0f5 100755 fi } -@@ -5864,19 +5864,19 @@ check_CVE_2019_11135_bsd() +@@ -5988,19 +5988,19 @@ check_CVE_2019_11135_bsd() check_CVE_2018_12207() { cve='CVE-2018-12207' @@ -5033,7 +5042,7 @@ index 78ca6bd..c37c0f5 100755 sys_interface_available=0 msg='' if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/itlb_multihit"; then -@@ -5886,57 +5886,57 @@ check_CVE_2018_12207_linux() +@@ -6010,57 +6010,57 @@ check_CVE_2018_12207_linux() if [ "$opt_sysfs_only" != 1 ]; then check_has_vmm @@ -5107,7 +5116,7 @@ index 78ca6bd..c37c0f5 100755 fi fi else -@@ -5946,31 +5946,31 @@ check_CVE_2018_12207_linux() +@@ -6070,31 +6070,31 @@ check_CVE_2018_12207_linux() check_CVE_2018_12207_bsd() { @@ -5150,7 +5159,7 @@ index 78ca6bd..c37c0f5 100755 fi } -@@ -5981,19 +5981,19 @@ check_CVE_2018_12207_bsd() +@@ -6105,19 +6105,19 @@ check_CVE_2018_12207_bsd() check_CVE_2020_0543() { cve='CVE-2020-0543' @@ -5173,7 +5182,7 @@ index 78ca6bd..c37c0f5 100755 sys_interface_available=0 msg='' if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/srbds"; then -@@ -6001,42 +6001,42 @@ check_CVE_2020_0543_linux() +@@ -6125,42 +6125,42 @@ check_CVE_2020_0543_linux() sys_interface_available=1 fi if [ "$opt_sysfs_only" != 1 ]; then @@ -5230,7 +5239,7 @@ index 78ca6bd..c37c0f5 100755 else if [ "$opt_sysfs_only" != 1 ]; then if [ "$cpuid_srbds" = 1 ]; then -@@ -6047,13 +6047,13 @@ check_CVE_2020_0543_linux() +@@ -6171,13 +6171,13 @@ check_CVE_2020_0543_linux() # if msg is empty, sysfs check didn't fill it, rely on our own test if [ "$opt_live" = 1 ]; then # if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old 
@@ -5247,7 +5256,7 @@ index 78ca6bd..c37c0f5 100755 fi fi elif [ "$srbds_on" = 0 ]; then -@@ -6061,22 +6061,22 @@ check_CVE_2020_0543_linux() +@@ -6185,22 +6185,22 @@ check_CVE_2020_0543_linux() if [ -z "$msg" ]; then if [ "$opt_live" = 1 ]; then # if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old @@ -5275,7 +5284,7 @@ index 78ca6bd..c37c0f5 100755 fi else # sysfs only: return the status/msg we got -@@ -6090,9 +6090,9 @@ check_CVE_2020_0543_bsd() +@@ -6214,9 +6214,9 @@ check_CVE_2020_0543_bsd() { if ! is_cpu_affected "$cve"; then # override status & msg in case CPU is not vulnerable after all @@ -5287,7 +5296,7 @@ index 78ca6bd..c37c0f5 100755 fi } -@@ -6102,38 +6102,38 @@ check_CVE_2020_0543_bsd() +@@ -6226,38 +6226,38 @@ check_CVE_2020_0543_bsd() check_CVE_2023_20593() { cve='CVE-2023-20593' @@ -5335,7 +5344,7 @@ index 78ca6bd..c37c0f5 100755 if [ "$opt_live" = 1 ]; then # read the DE_CFG MSR, we want to check the 9th bit # don't do it on non-Zen2 AMD CPUs or later, aka Family 17h, -@@ -6142,78 +6142,78 @@ check_CVE_2023_20593_linux() +@@ -6266,78 +6266,78 @@ check_CVE_2023_20593_linux() read_msr 0xc0011029; ret=$? if [ $ret = $READ_MSR_RET_OK ]; then if [ $(( read_msr_value >> 9 & 1 )) -eq 1 ]; then @@ -5439,7 +5448,7 @@ index 78ca6bd..c37c0f5 100755 fi unset zenbleed_print_vuln else -@@ -6226,17 +6226,17 @@ check_CVE_2023_20593_linux() +@@ -6350,17 +6350,17 @@ check_CVE_2023_20593_linux() check_CVE_2022_40982() { cve='CVE-2022-40982' @@ -5460,7 +5469,7 @@ index 78ca6bd..c37c0f5 100755 sys_interface_available=0 msg='' -@@ -6246,75 +6246,75 @@ check_CVE_2022_40982_linux() { +@@ -6370,75 +6370,75 @@ check_CVE_2022_40982_linux() { fi if [ "$opt_sysfs_only" != 1 ]; then @@ -5562,7 +5571,7 @@ index 78ca6bd..c37c0f5 100755 fi else pvulnstatus $cve "$status" "$msg" -@@ -6326,17 +6326,17 @@ check_CVE_2022_40982_linux() { +@@ -6450,17 +6450,17 @@ check_CVE_2022_40982_linux() { check_CVE_2023_20569() { cve='CVE-2023-20569' 
@@ -5583,7 +5592,7 @@ index 78ca6bd..c37c0f5 100755 sys_interface_available=0 msg='' -@@ -6346,143 +6346,143 @@ check_CVE_2023_20569_linux() { +@@ -6470,143 +6470,143 @@ check_CVE_2023_20569_linux() { fi if [ "$opt_sysfs_only" != 1 ]; then @@ -5610,8 +5619,9 @@ index 78ca6bd..c37c0f5 100755 + _info_nol "* Kernel compilado com suporte SRSO: " if [ -r "$opt_config" ]; then if grep -q '^CONFIG_CPU_SRSO=y' "$opt_config"; then - pstatus green YES +- pstatus green YES - kernel_srso="CONFIG_CPU_SRSO=y found in kernel config" ++ pstatus green SIM + kernel_srso="CONFIG_CPU_SRSO=y encontrado na configuração do kernel" else - pstatus yellow NO "required for safe RET and ibpb_on_vmexit mitigations" 
@@ -5771,7 +5781,44 @@ index 78ca6bd..c37c0f5 100755 fi else pvulnstatus $cve "$status" "$msg" -@@ -6508,16 +6508,16 @@ do +@@ -6618,12 +6618,12 @@ check_CVE_2023_20569_linux() { + + check_CVE_2023_23583() { + cve='CVE-2023-23583' +- _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" ++ _info "\033[1;34m$cve também conhecido como '$(cve2name "$cve")'\033[0m" + if [ "$os" = Linux ] + then + check_CVE_2023_23583_linux + else +- _warn "Unsupported OS ($os)." ++ _warn "SO não suportado ($os)." + fi + } + +@@ -6636,15 +6636,15 @@ check_CVE_2023_23583_linux() { + # the mitigation is only ucode-based and there's no flag exposed, + # so most of the work has already been done by is_cpu_affected() + if ! is_cpu_affected "$cve" ; then +- pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected" ++ pvulnstatus "$cve" OK "seu fornecedor de CPU relatou seu modelo de CPU como não afetado" + else +- _info_nol "* Reptar is mitigated by microcode: " ++ _info_nol "* Reptar é mitigado por microcódigo: " + if [ "$cpu_ucode" -lt "$reptar_fixed_ucode_version" ]; then +- pstatus yellow NO "You have ucode $(printf "0x%x" $cpu_ucode) and version $(printf "0x%x" $reptar_fixed_ucode_version) minimum is required" +- pvulnstatus $cve VULN "Your microcode is too old to mitigate the vulnerability" ++ pstatus yellow NÃO "Você tem ucode $(printf "0x%x" $cpu_ucode) e a versão $(printf "0x%x" $reptar_fixed_ucode_version) mínima é necessária" ++ pvulnstatus $cve VULN "Seu microcódigo é muito antigo para mitigar a vulnerabilidade" + else +- pstatus green YES "You have ucode $(printf "0x%x" $cpu_ucode) which is recent enough (>= $(printf "0x%x" $reptar_fixed_ucode_version))" +- pvulnstatus $cve OK "Your microcode mitigates the vulnerability" ++ pstatus green SIM "Você tem ucode $(printf "0x%x" $cpu_ucode) que é recente o suficiente (>= $(printf "0x%x" $reptar_fixed_ucode_version))" ++ pvulnstatus $cve OK "Seu microcódigo atenua a vulnerabilidade" + fi + fi + } +@@ -6668,16 
+6668,16 @@ do done if [ -n "$final_summary" ]; then @@ -5791,7 +5838,7 @@ index 78ca6bd..c37c0f5 100755 if [ -n "$mockme" ] && [ "$opt_mock" = 1 ]; then if command -v "gzip" >/dev/null 2>&1; then -@@ -6535,31 +6535,31 @@ if [ -n "$mockme" ] && [ "$opt_mock" = 1 ]; then +@@ -6695,31 +6695,31 @@ if [ -n "$mockme" ] && [ "$opt_mock" = 1 ]; then fi _info "" # shellcheck disable=SC2046 @@ -5831,7 +5878,7 @@ index 78ca6bd..c37c0f5 100755 else echo "OK" fi -@@ -6574,8 +6574,8 @@ if [ "$opt_batch" = 1 ] && [ "$opt_batch_format" = "json" ]; then +@@ -6734,8 +6734,8 @@ if [ "$opt_batch" = 1 ] && [ "$opt_batch_format" = "json" ]; then fi if [ "$opt_batch" = 1 ] && [ "$opt_batch_format" = "prometheus" ]; then |