### Start VSOCK Fuzzing Harness Source: https://github.com/intel/ccc-linux-guest-hardening-docs/blob/master/source/tdx-guest-hardening.md This snippet initializes the VSOCK fuzzing harness on the guest. It mounts debugfs, sets the KAFL control path, and starts the socat listener for VSOCK communication. ```bash mount -t debugfs none /sys/kernel/debug/ KAFL_CTL=/sys/kernel/debug/kafl echo “VSOCK fuzzing harness” | hcat echo "start" > $KAFL_CTL/control socat - VSOCK-CONNECT:2:8089 echo "done" > $KAFL_CTL/control ``` -------------------------------- ### kAFL Stimulus Fuzzing Harness Setup Source: https://github.com/intel/ccc-linux-guest-hardening-docs/blob/master/source/tdx-guest-hardening.md This bash script initializes the kAFL agent for stimulus fuzzing. It fetches a test binary, displays agent status, starts the agent, and executes the stimulus program, redirecting its output. ```bash #!/bin/bash KAFL_CTL=/sys/kernel/debug/kafl hget stimulus.elf # fetch test binary from host echo "[*] kAFL agent status:" grep . $KAFL_CTL/* # "start" signal initializes agent and triggers snapshot echo "start" > $KAFL_CTL/control # execute the stimulus, redirecting outputs to host hprintf log ./stimulus.elf 2>&1 |hcat ``` -------------------------------- ### Userspace Harness Script for kAFL Runtime Fuzzing Source: https://context7.com/intel/ccc-linux-guest-hardening-docs/llms.txt An example userspace harness script that runs as init in a guest VM. It signals the kAFL agent to start fuzzing and executes a stimulus program. ```bash # Example userspace harness script (runs as init in guest VM) KAFL_CTL=/sys/kernel/debug/kafl # Fetch test binary from host sharedir hget stimulus.elf echo "[*] kAFL agent status:" grep . $KAFL_CTL/* # Signal fuzzer to start - triggers VM snapshot echo "start" > $KAFL_CTL/control # Execute stimulus program, redirect output to host log ./stimulus.elf 2>&1 | hcat # Signal completion - restores snapshot for next iteration echo "done" > $KAFL_CTL/control ``` -------------------------------- ### smatch output example Source: https://github.com/intel/ccc-linux-guest-hardening-docs/blob/master/source/tdx-guest-hardening.md This is an example of the output generated by smatch after running the 'check_host_input' pattern. It lists potential input points, error types, and propagation information for untrusted data read from the host. ```shell net/vmw_vsock/virtio_transport.c:305 virtio_transport_tx_work() error: {8890488479003397221} 'check_host_input' read from the host using function 'virtqueue_get_buf' to a non int type local variable 'pkt', type is struct virtio_vsock_pkt*; net/vmw_vsock/virtio_transport.c:306 virtio_transport_tx_work() error: {5556237559821482352} 'check_host_input' propagating a tainted value from the host 'pkt' into a function 'virtio_transport_free_pkt'; net/vmw_vsock/virtio_transport.c:305 virtio_transport_tx_work() warn: {8890488479003397221} 'check_host_input' potential read from the host using function 'virtqueue_get_buf'; net/vmw_vsock/virtio_transport.c:375 virtio_vsock_update_guest_cid() error: {7572251756130242} 'check_host_input' propagating a tainted value from the host 'guest_cid' into a function 'get'; net/vmw_vsock/virtio_transport.c:377 virtio_vsock_update_guest_cid() error: {16638257021812442297} 'check_host_input' propagating read value from the host 'guest_cid' into a different complex variable 'vsock->guest_cid'; net/vmw_vsock/virtio_transport.c:410 virtio_transport_event_work() error: {8890488479003397221} 'check_host_input' read from the host using function 'virtqueue_get_buf' to a non int type local variable 'event', type is struct virtio_vsock_event*; net/vmw_vsock/virtio_transport.c:412 virtio_transport_event_work() error: {8840682050757106252} 'check_host_input' propagating a tainted value from the host 'event' into a function 'virtio_vsock_event_handle'; net/vmw_vsock/virtio_transport.c:414 virtio_transport_event_work() error: {83481497696856778} 'check_host_input' propagating a tainted value from the host 'event' into a function 'virtio_vsock_event_fill_one'; net/vmw_vsock/virtio_transport.c:410 virtio_transport_event_work() warn: {8890488479003397221} 'check_host_input' potential read from the host using function 'virtqueue_get_buf'; net/vmw_vsock/virtio_transport.c:541 virtio_transport_rx_work() error: {8890488479003397230} 'check_host_input' read from the host using function 'virtqueue_get_buf' to a non int type local variable 'pkt', type is struct virtio_vsock_pkt*; net/vmw_vsock/virtio_transport.c:551 virtio_transport_rx_work() error: {5556237559821482370} 'check_host_input' propagating a tainted value from the host 'pkt' into a function 'virtio_transport_free_pkt'; net/vmw_vsock/virtio_transport.c:556 virtio_transport_rx_work() error: {5857033014461230228} 'check_host_input' propagating a tainted value from the host 'pkt' into a function 'virtio_transport_free_pkt'; net/vmw_vsock/virtio_transport.c:557 virtio_transport_rx_work() error: {8453424129492944817} 'check_host_input' propagating a tainted value from the host 'pkt' into a function 'virtio_transport_recv_pkt'; ``` -------------------------------- ### Accept VSOCK Connection on Host Source: https://github.com/intel/ccc-linux-guest-hardening-docs/blob/master/source/tdx-guest-hardening.md This command accepts a VSOCK connection from the guest on the host. It's part of the VSOCK fuzzing setup. ```bash socat - vsock-accept:3:8089 ``` -------------------------------- ### Listen on Host for VSOCK Source: https://github.com/intel/ccc-linux-guest-hardening-docs/blob/master/source/tdx-guest-hardening.md This command starts listening on the host for incoming VSOCK connections on port 8089. It's used in conjunction with the guest-side VSOCK harness. ```bash socat VSOCK-LISTEN:8089,fork – ``` -------------------------------- ### Run Smatch for TDX Kernel Analysis Source: https://context7.com/intel/ccc-linux-guest-hardening-docs/llms.txt Steps to install and configure Smatch for static code analysis of the TDX kernel, focusing on the 'check_host_input' pattern to identify host input consumption points. ```bash # Install and configure Smatch for TDX kernel analysis git clone https://repo.or.cz/smatch.git ~/smatch cd ~/smatch && make # Enable check_host_input pattern in check_list.h before running # Build smatch cross-function database (run 5-6 times for propagation) cd /path/to/linux-kernel ~/smatch/smatch_scripts/test_kernel.sh # Run analysis on individual driver file ~/smatch/smatch_scripts/kchecker net/vmw_vsock/virtio_transport.c > driver_results # Example output showing host input consumption points: # net/vmw_vsock/virtio_transport.c:305 virtio_transport_tx_work() error: # {8890488479003397221} read from the host using function 'virtqueue_get_buf' # to a non int type local variable 'pkt', type is struct virtio_vsock_pkt*; # Filter results for TDX-relevant code using process_smatch_output.py python3 process_smatch_output.py smatch_warns.txt > filtered_audit.txt ``` -------------------------------- ### Example Patch Adding Virtio-VSock to TDX Filter Source: https://context7.com/intel/ccc-linux-guest-hardening-docs/llms.txt A diff example showing how to add the virtio-vsock PCI device ID to the TDX filter allow list in the kernel source code. ```diff # Example patch adding virtio-vsock to TDX filter diff --git a/arch/x86/kernel/tdx-filter.c b/arch/x86/kernel/tdx-filter.c --- a/arch/x86/kernel/tdx-filter.c +++ b/arch/x86/kernel/tdx-filter.c @@ -64,6 +64,7 @@ struct pci_device_id pci_allow_ids[] = { { PCI_DEVICE(PCI_VENDOR_ID_REDHAT_QUMRANET, VIRTIO1_ID_BLOCK) }, { PCI_DEVICE(PCI_VENDOR_ID_REDHAT_QUMRANET, VIRTIO1_ID_CONSOLE) }, { PCI_DEVICE(PCI_VENDOR_ID_REDHAT_QUMRANET, VIRTIO1_ID_9P) }, + { PCI_DEVICE(PCI_VENDOR_ID_REDHAT_QUMRANET, VIRTIO1_ID_VSOCK) }, { 0, }, }; ``` -------------------------------- ### Enable EARLYBOOT Harness Source: https://github.com/intel/ccc-linux-guest-hardening-docs/blob/master/source/tdx-guest-hardening.md To enable the EARLYBOOT harness, set the kernel build configuration parameter CONFIG_TDX_FUZZ_HARNESS_EARLYBOOT to 'y'. This ensures the kernel executes tdx_fuzz_enable() at the start and a corresponding end call, allowing kAFL to manage snapshots for fuzzing. ```bash CONFIG_TDX_FUZZ_HARNESS_EARLYBOOT=y ``` -------------------------------- ### Run Fuzzing Campaign Source: https://github.com/intel/ccc-linux-guest-hardening-docs/blob/master/source/tdx-guest-hardening.md Initiates a fuzzing campaign using the provided fuzz.sh script. Ensure the guest kernel with the kAFL agent is checked out in ~/tdx/linux-guest. This command starts a campaign with default settings specified in fuzz.sh. ```bash ./fuzz.sh full ./linux-guest/ ``` -------------------------------- ### VSOCK Driver Fuzzing Harness Source: https://context7.com/intel/ccc-linux-guest-hardening-docs/llms.txt A bash script demonstrating a VSOCK driver fuzzing harness. It establishes a VSOCK connection to trigger driver code paths and requires specific host-side setup. ```bash # VSOCK driver fuzzing harness example #!/bin/bash mount -t debugfs none /sys/kernel/debug/ KAFL_CTL=/sys/kernel/debug/kafl echo "VSOCK fuzzing harness" | hcat echo "start" > $KAFL_CTL/control # Establish VSOCK connection to trigger driver code paths socat - VSOCK-CONNECT:2:8089 echo "done" > $KAFL_CTL/control # Host-side setup for VSOCK fuzzing: # modprobe vhost_vsock # chmod 0666 /dev/vhost-vsock # QEMU flag: -device vhost-vsock-pci,id=vhost-vsock-pci0,guest-cid=3 # Listen: socat VSOCK-LISTEN:8089,fork - ``` -------------------------------- ### Test socat vsock support Source: https://github.com/intel/ccc-linux-guest-hardening-docs/blob/master/source/tdx-guest-hardening.md Verify if the installed socat utility supports vsock functionality by attempting to listen on a specific port. This is crucial for establishing connections for vsock fuzzing. ```bash socat VSOCK-LISTEN:8089,fork ``` -------------------------------- ### Configure ACPI Table Allow List for TDX Guest Source: https://context7.com/intel/ccc-linux-guest-hardening-docs/llms.txt Lists default allowed ACPI tables for TDX guest kernels and provides an example of how to add additional tables via command line for debugging purposes. ```c // Default allowed ACPI tables for TDX guest kernel: // XSDT - Extended System Description Table // FACP - Fixed ACPI Description Table // DSDT - Differentiated System Description Table // FACS - Firmware ACPI Control Structure // APIC - Multiple APIC Description Table // SVKL - Storage Volume Key Location Table // Adding additional ACPI tables via command line (debug only): // tdx_allow_acpi=MCFG - Allow MCFG table (not recommended for production) ``` -------------------------------- ### Enable vhost-vsock device in QEMU Source: https://github.com/intel/ccc-linux-guest-hardening-docs/blob/master/source/tdx-guest-hardening.md Append the necessary device string to QEMU options to enable the vhost-vsock device for the guest VM. Ensure a unique guest-cid is used for each QEMU instance when fuzzing with multiple workers. ```bash qemu: -device vhost-vsock-pci,id=vhost-vsock-pci0,guest-cid=3 ``` -------------------------------- ### Load vhost_vsock module and set permissions Source: https://github.com/intel/ccc-linux-guest-hardening-docs/blob/master/source/tdx-guest-hardening.md Load the vhost_vsock kernel module and set read/write permissions on the /dev/vhost-vsock device to allow QEMU access. This is a prerequisite for enabling virtio-vsock fuzzing. ```bash modprobe vhost_vsock chmod 0666 /dev/vhost-vsock ``` -------------------------------- ### Connect to VSOCK on Guest Source: https://github.com/intel/ccc-linux-guest-hardening-docs/blob/master/source/tdx-guest-hardening.md This command establishes a VSOCK connection from the guest to the host on port 8089. It's a crucial step for VSOCK fuzzing. ```bash socat - VSOCK-CONNECT:2:8089 ``` -------------------------------- ### TDX Fuzz Event Hook Source: https://github.com/intel/ccc-linux-guest-hardening-docs/blob/master/source/tdx-guest-hardening.md The tdx_fuzz_event() function is used to report error conditions to the fuzzer. This is an example of an exit and reporting hook. ```c tdx_fuzz_event() ``` -------------------------------- ### Configure kAFL for TDX Guest Fuzzing Source: https://context7.com/intel/ccc-linux-guest-hardening-docs/llms.txt Instructions for configuring the Linux kernel with a kAFL agent and harness to enable feedback-driven fuzzing of TDX guest boot phases. ```bash # Configure kernel with kAFL agent and harness ``` -------------------------------- ### Run smatch on a driver file Source: https://github.com/intel/ccc-linux-guest-hardening-docs/blob/master/source/tdx-guest-hardening.md Use this command to run smatch on a specific driver source file. Ensure your smatch instance with the 'check_host_input' pattern is set up correctly and invoke the command from the kernel source tree root. The output will be redirected to 'driver_results'. ```bash ~/smatch_scripts/kchecker net/vmw_vsock/virtio_transport.c > driver_results ``` -------------------------------- ### Run kAFL Fuzzing Campaign Source: https://context7.com/intel/ccc-linux-guest-hardening-docs/llms.txt Execute a kAFL fuzzing campaign using the provided script. The 'full' argument indicates a complete boot fuzzing. ```bash # Run kAFL fuzzing campaign ./fuzz.sh full ./linux-guest/ ``` -------------------------------- ### Control Fuzzer Events in TDX Agent Source: https://github.com/intel/ccc-linux-guest-hardening-docs/blob/master/source/tdx-guest-hardening.md The tdg_fuzz_event() function is used to control the fuzzer agent, accepting commands to start, stop, or pause input injection, or to report an error event. This function is part of the core agent logic. ```c tdg_fuzz_event() ``` -------------------------------- ### Run Smatch Analysis on Driver Source Source: https://context7.com/intel/ccc-linux-guest-hardening-docs/llms.txt Perform static analysis on a driver's source code using Smatch to identify potential issues before fuzzing. This step is crucial for auditing new drivers. ```bash # Step 1: Run Smatch analysis on driver source ~/smatch/smatch_scripts/kchecker drivers/virtio/virtio_ring.c > driver_audit.txt ``` -------------------------------- ### Enable Host Data Analysis for Spectre V1 Source: https://github.com/intel/ccc-linux-guest-hardening-docs/blob/master/source/security-spec.md Set this environment variable before running smatch to analyze potential Spectre V1 gadgets influenced by the untrusted host/VMM. To revert, unset the variable. ```bash export ANALYZE_HOST_DATA="" ``` ```bash unset ANALYZE_HOST_DATA ``` -------------------------------- ### Sample Smatch Output for check_host_input Source: https://github.com/intel/ccc-linux-guest-hardening-docs/blob/master/source/tdx-guest-hardening.md This output demonstrates how the check_host_input Smatch pattern identifies tainted data propagation from the host. It highlights reads from host functions and subsequent use of that data. ```shell arch/x86/pci/irq.c:1201 pirq_enable_irq() warn: {9123410094849481700}read from the host using function 'pci_read_config_byte' to an int type local variable 'pin', type is uchar; arch/x86/pci/irq.c:1216 pirq_enable_irq() error: {11769853683657473858}Propagating an expression containing a tainted value from the host 'pin - 1' into a function 'IO_APIC_get_PCI_irq_vector'; arch/x86/pci/irq.c:1228 pirq_enable_irq() error: {15187152360757797804}Propagating a tainted value from the host 'pin' into a function 'pci_swizzle_interrupt_pin'; arch/x86/pci/irq.c:1229 pirq_enable_irq() error: {8593519367775469163}Propagating an expression containing a tainted value from the host 'pin - 1' into a function 'IO_APIC_get_PCI_irq_vector'; arch/x86/pci/irq.c:1233 pirq_enable_irq() warn: {3245640912980979571}Propagating an expression containing a tainted value from the host '65 + pin - 1' into a function '_dev_warn'; arch/x86/pci/irq.c:1243 pirq_enable_irq() warn: {11844818720957432302}Propagating an expression containing a tainted value from the host '65 + pin - 1' into a function '_dev_info'; arch/x86/pci/irq.c:1262 pirq_enable_irq() warn: {14811741117821484023}Propagating an expression containing a tainted value from the host '65 + pin - 1' into a function '_dev_warn'; ``` -------------------------------- ### Configure kAFL for vhost-vsock fuzzing Source: https://github.com/intel/ccc-linux-guest-hardening-docs/blob/master/source/tdx-guest-hardening.md Modify the kAFL configuration file to dynamically assign unique guest-CID values to each QEMU worker instance. This ensures proper connection establishment from the guest to the host. ```yaml -device vhost-vsock-pci,id=vhost-vsock-pci0,guest-cid={QEMU_ID + 3} ``` -------------------------------- ### Configure Kernel for TDX Fuzzing Source: https://context7.com/intel/ccc-linux-guest-hardening-docs/llms.txt Enable TDX fuzzing options in the kernel .config file. Select the desired harness type for init calls. ```bash # In kernel .config: CONFIG_TDX_FUZZ=y CONFIG_TDX_FUZZ_KAFL=y CONFIG_TDX_FUZZ_HARNESS_DOINITCALLS_LEVEL_4=y # Select harness type ``` -------------------------------- ### Enable New Driver Harness in Kernel Config Source: https://context7.com/intel/ccc-linux-guest-hardening-docs/llms.txt Add a kernel configuration option to enable a specific harness for a new driver's initialization function. This prepares the kernel for fuzzing the driver's probe function. ```bash # Step 3: Create kAFL harness for driver initialization # In kernel source, add harness for driver probe function CONFIG_TDX_FUZZ_HARNESS_VIRTIO_DRIVER_INIT=y ``` -------------------------------- ### Use Ghidra for Inlined Function Coverage Source: https://context7.com/intel/ccc-linux-guest-hardening-docs/llms.txt Enable Ghidra integration for analyzing inlined function coverage during the Smatch analysis phase of kAFL. ```bash USE_GHIDRA=1 ./fuzz.sh smatch /dev/shm/$USER_tdfl ``` -------------------------------- ### TDX Emulation Implementation Notes Source: https://context7.com/intel/ccc-linux-guest-hardening-docs/llms.txt This C code comment outlines the supported exit reasons and the types of exceptions injected by the TDX emulation. It emphasizes that the emulation is not secure and should only be used for development and fuzzing. ```c // TDX emulation implemented in arch/x86/kvm/vmx/seam.c // Supported exit reasons: // - EXIT_REASON_TDCALL // - EXIT_REASON_CPUID // - EXIT_REASON_EPT_VIOLATION // Emulation injects #VE exceptions for: // - MSR read/write operations // - CPUID leaf accesses (>0x1f or outside 0x80000000-0x80000008) // - Port IO operations // - MMIO accesses // - EPT violations // Note: Emulation is NOT secure - guest runs under full VMM control // Use only for development and fuzzing, not production ``` -------------------------------- ### Interpreting Smatch Spectre V1 Warnings Source: https://github.com/intel/ccc-linux-guest-hardening-docs/blob/master/source/security-spec.md Smatch output lists potential Spectre V1 gadgets. Each entry requires manual analysis to confirm if it's a vulnerability or a false positive. The format includes the file, line number, function, and a description of the potential issue. ```bash arch/x86/kernel/tsc_msr.c:191 cpu_khz_from_msr() warn: potential spectre issue 'freq_desc->muldiv' [r] arch/x86/kernel/tsc_msr.c:206 cpu_khz_from_msr() warn: potential spectre issue 'freq_desc->freqs' [r] arch/x86/kernel/tsc_msr.c:207 cpu_khz_from_msr() warn: possible spectre second half. 'freq' arch/x86/kernel/tsc_msr.c:210 cpu_khz_from_msr() warn: possible spectre second half. 'freq' ``` -------------------------------- ### Kernel Configuration for DMA Fuzzing Source: https://context7.com/intel/ccc-linux-guest-hardening-docs/llms.txt Kernel configuration options required for KF/x DMA memory fuzzing. Enabling frame pointers is crucial for call stack tracking. ```bash # Kernel configuration for DMA fuzzing: # Enable frame pointers for call stack tracking CONFIG_FRAME_POINTER=y CONFIG_KASAN=y # Kernel Address Sanitizer CONFIG_UBSAN=y # Undefined Behavior Sanitizer ``` -------------------------------- ### Match kAFL Coverage with Smatch Report Source: https://context7.com/intel/ccc-linux-guest-hardening-docs/llms.txt Compare the extracted coverage data against a Smatch report to identify potential issues or verify fixes. ```bash # Match coverage against Smatch report ./fuzz.sh smatch /dev/shm/$USER_tdfl ``` -------------------------------- ### Monitor kAFL Campaign Progress Source: https://context7.com/intel/ccc-linux-guest-hardening-docs/llms.txt Use the kafl_gui.py script to monitor the progress of an ongoing kAFL fuzzing campaign. Specify the shared memory directory. ```bash # Monitor campaign progress kafl_gui.py /dev/shm/$USER_tdfl ``` -------------------------------- ### Configure Default PCI Allow List for TDX Guest Source: https://context7.com/intel/ccc-linux-guest-hardening-docs/llms.txt Defines the default PCI devices allowed in a TDX guest kernel. Essential virtio drivers are included by default. ```c // Example: Default PCI allow list in arch/x86/kernel/tdx-filter.c struct pci_device_id pci_allow_ids[] = { { PCI_DEVICE(PCI_VENDOR_ID_REDHAT_QUMRANET, VIRTIO1_ID_NET) }, { PCI_DEVICE(PCI_VENDOR_ID_REDHAT_QUMRANET, VIRTIO1_ID_BLOCK) }, { PCI_DEVICE(PCI_VENDOR_ID_REDHAT_QUMRANET, VIRTIO1_ID_CONSOLE) }, { PCI_DEVICE(PCI_VENDOR_ID_REDHAT_QUMRANET, VIRTIO1_ID_9P) }, { PCI_DEVICE(PCI_VENDOR_ID_REDHAT_QUMRANET, VIRTIO1_ID_VSOCK) }, { 0, }, }; // Kernel command line options for TDX filter configuration: // tdx_disable_filter - Completely disable the TDX device filter (INSECURE) // authorize_allow_devs=pci: - Add additional allowed PCI devices // tdx_allow_acpi= - Add additional allowed ACPI tables ``` -------------------------------- ### Register Virtio Driver Source: https://github.com/intel/ccc-linux-guest-hardening-docs/blob/master/source/tdx-guest-hardening.md This C code snippet demonstrates the registration of a virtio driver using the `register_virtio_driver()` function. It's typically found in kernel modules that interact with virtio devices. ```c register_virtio_driver() ``` -------------------------------- ### Initialize TDX Fuzzer Agent Source: https://github.com/intel/ccc-linux-guest-hardening-docs/blob/master/source/tdx-guest-hardening.md The tdg_fuzz_enable() function is used to initialize the fuzzer agent. This is part of the core agent logic for fuzzing the Linux bootstrapping phase. ```c tdg_fuzz_enable() ``` -------------------------------- ### Configure Port IO Filter for TDX Guest Source: https://context7.com/intel/ccc-linux-guest-hardening-docs/llms.txt Specifies allowed Port IO ranges for TDX guest kernels to restrict host/VMM communication. Includes recommended kernel command line options for a secure TDX guest. ```c // Allowed Port IO ranges for TDX guest kernel // Port range | Intended user | Comments // 0x70-0x71 | MC146818 RTC | Real-time clock // 0xcf8-0xcff | PCI config space | PCI configuration access // 0x600-0x62f | ACPI ports | ACPI PM1a_EVT_BLK, PM1a_CNT_BLK, PM_TMR, GPE0_BLK // 0x3f8-0x3fd | COM1 serial | Only in debug mode // Example: Recommended kernel command line for secure TDX guest CMDLINE="mce=off oops=panic pci=noearly pci=nommconf no-kvmclock \ random.trust_cpu=y random.trust_bootloader=n" ``` -------------------------------- ### Match Coverage Against Smatch Report Source: https://github.com/intel/ccc-linux-guest-hardening-docs/blob/master/source/tdx-guest-hardening.md Analyzes the obtained line coverage against the Smatch report to identify reachable lines from the Smatch report. This generates a file (traces/smatch_match.lst) with the matched lines. ```bash ./fuzz.sh smatch /dev/shm/$USER_tdfl ```