update: added debugs to is_hardened() logic

kernelwernel · kernelwernel · commit df8b82954ab4 · 2026-03-01T06:42:22.000Z
diff --git a/src/vmaware.hpp b/src/vmaware.hpp
@@ -12697,6 +12697,7 @@ struct VM {
             // rule 1: if VM::FIRMWARE is detected, so should VM::HYPERVISOR_BIT or VM::HYPERVISOR_STR
             const enum brand_enum firmware_brand = detected_brand(VM::FIRMWARE);
             if (firmware_brand != brand_enum::NULL_BRAND && !hv_present) {
+                debug("is_hardened(): firmware and hypervisor bit/str are not detected together");
                 return true;
             }
 
@@ -12705,6 +12706,7 @@ struct VM {
             if (firmware_brand == brand_enum::QEMU || firmware_brand == brand_enum::VBOX) {
                 const enum brand_enum cvendor_brand = detected_brand(VM::CVENDOR);
                 if (firmware_brand != cvendor_brand) {
+                    debug("is_hardened(): firmware and chassis vendor brands do not match");
                     return true;
                 }
             }
@@ -12714,11 +12716,13 @@ struct VM {
             // rule 3: if VM::ACPI_SIGNATURE (QEMU) is detected, so should VM::FIRMWARE (QEMU)
             const enum brand_enum acpi_brand = detected_brand(VM::ACPI_SIGNATURE);
             if (acpi_brand == brand_enum::QEMU && firmware_brand != brand_enum::QEMU) {
+                debug("is_hardened(): firmware and ACPI signature are not detected together");
                 return true;
             }
 
             // rule 4: if VM::TRAP or VM::NVRAM is detected, so should VM::HYPERVISOR_BIT or VM::HYPERVISOR_STR
             if ((check(VM::TRAP) || check(VM::NVRAM)) && !hv_present) {
+                debug("is_hardened(): trap/NVRAM and hypervisor bit/str are not detected together");
                 return true;
             }
         #endif

Original file line number	Diff line number	Diff line change
`@@ -12697,6 +12697,7 @@ struct VM {`
`12697`	`12697`	`// rule 1: if VM::FIRMWARE is detected, so should VM::HYPERVISOR_BIT or VM::HYPERVISOR_STR`
`12698`	`12698`	`const enum brand_enum firmware_brand = detected_brand(VM::FIRMWARE);`
`12699`	`12699`	`if (firmware_brand != brand_enum::NULL_BRAND && !hv_present) {`
	`12700`	`+ debug("is_hardened(): firmware and hypervisor bit/str are not detected together");`
`12700`	`12701`	`return true;`
`12701`	`12702`	`}`
`12702`	`12703`
`@@ -12705,6 +12706,7 @@ struct VM {`
`12705`	`12706`	`if (firmware_brand == brand_enum::QEMU \|\| firmware_brand == brand_enum::VBOX) {`
`12706`	`12707`	`const enum brand_enum cvendor_brand = detected_brand(VM::CVENDOR);`
`12707`	`12708`	`if (firmware_brand != cvendor_brand) {`
	`12709`	`+ debug("is_hardened(): firmware and chassis vendor brands do not match");`
`12708`	`12710`	`return true;`
`12709`	`12711`	`}`
`12710`	`12712`	`}`
`@@ -12714,11 +12716,13 @@ struct VM {`
`12714`	`12716`	`// rule 3: if VM::ACPI_SIGNATURE (QEMU) is detected, so should VM::FIRMWARE (QEMU)`
`12715`	`12717`	`const enum brand_enum acpi_brand = detected_brand(VM::ACPI_SIGNATURE);`
`12716`	`12718`	`if (acpi_brand == brand_enum::QEMU && firmware_brand != brand_enum::QEMU) {`
	`12719`	`+ debug("is_hardened(): firmware and ACPI signature are not detected together");`
`12717`	`12720`	`return true;`
`12718`	`12721`	`}`
`12719`	`12722`
`12720`	`12723`	`// rule 4: if VM::TRAP or VM::NVRAM is detected, so should VM::HYPERVISOR_BIT or VM::HYPERVISOR_STR`
`12721`	`12724`	`if ((check(VM::TRAP) \|\| check(VM::NVRAM)) && !hv_present) {`
	`12725`	`+ debug("is_hardened(): trap/NVRAM and hypervisor bit/str are not detected together");`
`12722`	`12726`	`return true;`
`12723`	`12727`	`}`
`12724`	`12728`	`#endif`