From 53d6a44754c98fcb694401ac5d3a7f1ac69591e5 Mon Sep 17 00:00:00 2001
From: Michael Lass <bevan@bi-co.net>
Date: Sat, 29 Sep 2018 11:35:10 +0200
Subject: [PATCH 01/11] Fix detection of CVE-2018-3615 (L1TF_SGX) (#253)

* Add another location of Arch Linux ARM kernel

* Fix detection of CVE-2018-3615

We change the value of variantl1tf in the line directly before so its
value will never be "immune". Instead we can directly use the value of
variantl1tf to initialize variantl1tf_sgx.
---
 spectre-meltdown-checker.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
index 52f931e..05853e1 100755
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
@@ -484,7 +484,7 @@ is_cpu_vulnerable()
 	[ "$variant3a"   = "immune" ] && variant3a=1   || variant3a=0
 	[ "$variant4"    = "immune" ] && variant4=1    || variant4=0
 	[ "$variantl1tf" = "immune" ] && variantl1tf=1 || variantl1tf=0
-	[ "$variantl1tf" = "immune" ] && variantl1tf_sgx=1 || variantl1tf_sgx=0
+	variantl1tf_sgx="$variantl1tf"
 	# even if we are vulnerable to L1TF, if there's no SGX, we're safe for the original foreshadow
 	[ "$cpuid_sgx" = 0 ] && variantl1tf_sgx=1
 	_debug "is_cpu_vulnerable: final results are <$variant1> <$variant2> <$variant3> <$variant3a> <$variant4> <$variantl1tf> <$variantl1tf_sgx>"
@@ -1503,6 +1503,8 @@ if [ "$opt_live" = 1 ]; then
 		[ -e "/boot/Image"               ] && opt_kernel="/boot/Image"
 		# Arch armv5/armv7:
 		[ -e "/boot/zImage"              ] && opt_kernel="/boot/zImage"
+		# Arch arm7:
+		[ -e "/boot/kernel7.img"         ] && opt_kernel="/boot/kernel7.img"
 		# Linux-Libre:
 		[ -e "/boot/vmlinuz-linux-libre" ] && opt_kernel="/boot/vmlinuz-linux-libre"
 		# pine64

From 90c2ae5de2506dad72064df66fd4963c0c343657 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?= <speed47_github@speed47.net>
Date: Sun, 23 Sep 2018 17:29:14 +0200
Subject: [PATCH 02/11] feat: use the MCExtractor DB as the reference for the
 microcode versions

Use platomav's MCExtractor DB as the reference to decide whether our CPU microcode is the latest or not.
We have a builtin version of the DB in the script, but an updated version can be fetched and stored locally with --update-mcedb
---
 spectre-meltdown-checker.sh | 481 ++++++++++++++++++++++++++++++++----
 1 file changed, 436 insertions(+), 45 deletions(-)

diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
index 05853e1..ecf1042 100755
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
@@ -21,6 +21,7 @@ exit_cleanup()
 	[ -n "$dumped_config" ] && [ -f "$dumped_config" ] && rm -f "$dumped_config"
 	[ -n "$kerneltmp"     ] && [ -f "$kerneltmp"     ] && rm -f "$kerneltmp"
 	[ -n "$kerneltmp2"    ] && [ -f "$kerneltmp2"    ] && rm -f "$kerneltmp2"
+	[ -n "$mcedb_tmp"     ] && [ -f "$mcedb_tmp"     ] && rm -f "$mcedb_tmp"
 	[ "$mounted_debugfs" = 1 ] && umount /sys/kernel/debug 2>/dev/null
 	[ "$mounted_procfs"  = 1 ] && umount "$procfs" 2>/dev/null
 	[ "$insmod_cpuid"    = 1 ] && rmmod cpuid 2>/dev/null
@@ -80,6 +81,7 @@ show_usage()
 		--hw-only		only check for CPU information, don't check for any variant
 		--no-hw			skip CPU information and checks, if you're inspecting a kernel not to be run on this host
 		--vmm [auto,yes,no]	override the detection of the presence of an hypervisor (for CVE-2018-3646), default: auto
+		--update-mcedb		update our local copy of the CPU microcodes versions database (from the awesome MCExtractor project)
 
 	Return codes:
 		0 (not vulnerable), 2 (vulnerable), 3 (unknown), 255 (error)
@@ -576,6 +578,65 @@ show_header()
 	_info
 }
 
+if [ -n "$HOME" ]; then
+	mcedb_cache="$HOME/.mcedb"
+else
+	mcedb_cache="$(getent passwd "$(whoami)" | cut -d: -f6)/.mcedb"
+fi
+update_mcedb()
+{
+	# We're using MCE.db from the excellent platomav's MCExtractor project
+	show_header
+
+	if [ -r "$mcedb_cache" ]; then
+		previous_mcedb_revision=$(awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+	fi
+
+	# first download the database
+	mcedb_tmp="$(mktemp /tmp/mcedb-XXXXXX)"
+	mcedb_url='https://github.com/platomav/MCExtractor/raw/master/MCE.db'
+	_info_nol "Fetching MCE.db from the MCExtractor project... "
+	if which wget >/dev/null 2>&1; then
+		wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
+	elif which curl >/dev/null 2>&1; then
+		curl -sL "$mcedb_url" -o "$mcedb_tmp"; ret=$?
+	elif which fetch >/dev/null 2>&1; then
+		fetch -q "$mcedb_url" -o "$mcedb_tmp"; ret=$?
+	else
+		echo ERROR "please install one of \`wget\`, \`curl\` of \`fetch\` programs"
+		return 1
+	fi
+	if [ "$ret" != 0 ]; then
+		echo ERROR "error $ret while downloading MCE.db"
+		return $ret
+	fi
+	echo DONE
+
+	# now extract contents using sqlite
+	_info_nol "Extracting data... "
+	if ! which sqlite3 >/dev/null 2>&1; then
+		echo ERROR "please install the \`sqlite3\` program"
+		return 1
+	fi
+	mcedb_revision=$(sqlite3 "$mcedb_tmp" "select revision from MCE")
+	mcedb_date=$(sqlite3 "$mcedb_tmp" "select strftime('%Y/%m/%d', date, 'unixepoch') from MCE")
+	if [ -z "$mcedb_revision" ]; then
+		echo ERROR "downloaded file seems invalid"
+		return 1
+	fi
+	echo OK "MCExtractor database revision $mcedb_revision dated $mcedb_date"
+	if [ -n "$previous_mcedb_revision" ]; then
+		if [ "$previous_mcedb_revision" = "v$mcedb_revision" ]; then
+			echo "We already have this version locally, no update needed"
+			return 0
+		fi
+	fi
+	echo "# Spectre & Meltdown Checker" > "$mcedb_cache"
+	echo "# %%% MCEDB v$mcedb_revision - $mcedb_date" >> "$mcedb_cache"
+	sqlite3 "$mcedb_tmp" "select '# I,0x'||cpuid||',0x'||version||','||max(yyyymmdd) from Intel group by cpuid order by cpuid asc; select '# A,0x'||cpuid||',0x'||version||','||max(yyyymmdd) from AMD group by cpuid order by cpuid asc" >> "$mcedb_cache"
+	echo OK "local version updated"
+}
+
 parse_opt_file()
 {
 	# parse_opt_file option_name option_value
@@ -654,6 +715,9 @@ while [ -n "$1" ]; do
 		# deprecated, kept for compatibility
 		opt_explain=0
 		shift
+	elif [ "$1" = "--update-mcedb" ]; then
+		update_mcedb
+		exit $?
 	elif [ "$1" = "--explain" ]; then
 		opt_explain=1
 		shift
@@ -1329,58 +1393,38 @@ is_zen_cpu()
 	return 1
 }
 
+if [ -r "$mcedb_cache" ]; then
+	mcedb_source="$mcedb_cache"
+	mcedb_info="local MCExtractor DB "$(grep -E '^# %%% MCEDB ' "$mcedb_source" | cut -c13-)
+else
+	mcedb_source="$0"
+	mcedb_info="builtin MCExtractor DB "$(grep -E '^# %%% MCEDB ' "$mcedb_source" | cut -c13-)
+fi
+read_mcedb()
+{
+	awk '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / { DELIM=1 }' "$mcedb_source"
+}
+
 is_latest_known_ucode()
 {
 	# 0: yes, 1: no, 2: unknown
 	parse_cpu_details
 	ucode_latest="latest microcode version for your CPU model is unknown"
-	is_intel || return 2
-	# https://www.intel.com/content/dam/www/public/us/en/documents/sa00115-microcode-update-guidance.pdf
-	# ps2txt sa00115-microcode-update-guidance.ps | grep -Eo '[0-9A-F]+ [0-9A-F]+ [^ ]+ Production 0x[A-F0-9]+ 0x[^ ]+' | awk '{print "0x"$1","$6" \\"}' | uniq
-	# cpuid,ucode
-	for tuple in \
-		0x106A5,0x1D \
-		0x106E5,0x0A \
-		0x20652,0x11 \
-		0x20655,0x7 \
-		0x206A7,0x2E \
-		0x206C2,0x1F \
-		0x206D6,0x61D \
-		0x206D7,0x714 \
-		0x206E6,0x0D \
-		0x206F2,0x3B \
-		0x306A9,0x20 \
-		0x306C3,0x25 \
-		0x306D4,0x2B \
-		0x306E4,0x42D \
-		0x306E7,0x714 \
-		0x306F2,0x3D \
-		0x306F4,0x12 \
-		0x40651,0x24 \
-		0x40661,0x1A \
-		0x40671,0x1E \
-		0x406E3,0xC6 \
-		0x406F1,0xB00002E \
-		0x50654,0x200004D \
-		0x50662,0x17 \
-		0x50663,0x7000013 \
-		0x50664,0xF000012 \
-		0x50665,0xE00000A \
-		0x506C2,0x14 \
-		0x506E3,0xC6 \
-		0x506F1,0x24 \
-		0x706A1,0x28 \
-		0x806E9,0x8E \
-		0x806EA,0x96 \
-		0x906E9,0x8E \
-		0x906EA,0x96 \
-		0x906EB,0x8E
+	if ! is_intel && ! is_amd; then
+		return 2
+	fi
+	# cpuid,version,date
+	for tuple in $(read_mcedb)
 	do
-		cpuid_decimal=$(( $(echo "$tuple" | cut -d, -f1) ))
-		ucode_decimal=$(( $(echo "$tuple" | cut -d, -f2) ))
+		cpu_brand=$(        echo "$tuple" | cut -d, -f1)
+		is_intel && [ "$cpu_brand" != I ] && continue
+		is_amd   && [ "$cpu_brand" != A ] && continue
+		cpuid_decimal=$(( $(echo "$tuple" | cut -d, -f2) ))
+		ucode_decimal=$(( $(echo "$tuple" | cut -d, -f3) ))
+		ucode_date=$(       echo "$tuple" | cut -d, -f4)
 		if [ "$cpuid_decimal" = "$cpu_cpuid" ]; then
-			_debug "is_latest_known_ucode: with cpuid $cpu_cpuid has ucode $cpu_ucode, last known is $cpuid_decimal"
-			ucode_latest=$(printf "latest known version is 0x%x according to Intel Microcode Guidance, August 8 2018" "$ucode_decimal")
+			_debug "is_latest_known_ucode: with cpuid $cpu_cpuid has ucode $cpu_ucode, last known is $cpuid_decimal from $ucode_date"
+			ucode_latest=$(printf "latest version is 0x%x dated $ucode_date according to $mcedb_info" "$ucode_decimal")
 			if [ "$cpu_ucode" -ge "$ucode_decimal" ]; then
 				return 0
 			else
@@ -3891,3 +3935,350 @@ fi
 [ "$global_critical" = 1 ] && exit 2  # critical
 [ "$global_unknown"  = 1 ] && exit 3  # unknown
 exit 0  # ok
+
+# We're using MCE.db from the excellent platomav's MCExtractor project
+# The builtin version follows, the user can update it with --update-mcedb
+
+# wget https://github.com/platomav/MCExtractor/raw/master/MCE.db
+# sqlite3 MCE.db "select '%%% MCEDB v'||revision||' - '||strftime('%Y/%m/%d', date, 'unixepoch') from MCE; select '# I,0x'||cpuid||',0x'||version||','||max(yyyymmdd) from Intel group by cpuid order by cpuid asc; select '# A,0x'||cpuid||',0x'||version||','||max(yyyymmdd) from AMD group by cpuid order by cpuid asc"
+# %%% MCEDB v83 - 2018/09/21
+# I,0x00000611,0x00000B27,19961218
+# I,0x00000612,0x000000C6,19961210
+# I,0x00000616,0x000000C6,19961210
+# I,0x00000617,0x000000C6,19961210
+# I,0x00000619,0x000000D2,19980218
+# I,0x00000630,0x00000013,19960827
+# I,0x00000632,0x00000020,19960903
+# I,0x00000633,0x00000036,19980923
+# I,0x00000634,0x00000037,19980923
+# I,0x00000650,0x00000040,19990525
+# I,0x00000651,0x00000040,19990525
+# I,0x00000652,0x0000002D,19990518
+# I,0x00000653,0x00000010,19990628
+# I,0x00000660,0x0000000A,19990505
+# I,0x00000665,0x00000003,19990505
+# I,0x0000066A,0x0000000C,19990505
+# I,0x0000066D,0x00000007,19990505
+# I,0x00000670,0x00000007,19980602
+# I,0x00000671,0x00000003,19980811
+# I,0x00000672,0x00000010,19990922
+# I,0x00000673,0x0000000E,19990910
+# I,0x00000680,0x00000014,19990610
+# I,0x00000681,0x00000014,19991209
+# I,0x00000683,0x00000013,20010206
+# I,0x00000686,0x00000007,20000505
+# I,0x0000068A,0x00000004,20001207
+# I,0x00000690,0x00000004,20000206
+# I,0x00000691,0x00000001,20020527
+# I,0x00000692,0x00000001,20020620
+# I,0x00000694,0x00000002,20020926
+# I,0x00000695,0x00000007,20041109
+# I,0x00000696,0x00000001,20000707
+# I,0x000006A0,0x00000003,20000110
+# I,0x000006A1,0x00000001,20000306
+# I,0x000006A4,0x00000001,20000616
+# I,0x000006B0,0x0000001A,20010129
+# I,0x000006B1,0x0000001D,20010220
+# I,0x000006B4,0x00000002,20020111
+# I,0x000006D0,0x00000006,20030522
+# I,0x000006D1,0x00000009,20030709
+# I,0x000006D2,0x00000010,20030814
+# I,0x000006D6,0x00000018,20041017
+# I,0x000006D8,0x00000021,20060831
+# I,0x000006E0,0x00000008,20050215
+# I,0x000006E1,0x0000000C,20050413
+# I,0x000006E4,0x00000026,20050816
+# I,0x000006E8,0x0000003C,20060208
+# I,0x000006EC,0x0000005B,20070208
+# I,0x000006F0,0x00000005,20050818
+# I,0x000006F1,0x00000012,20051129
+# I,0x000006F2,0x0000005D,20101002
+# I,0x000006F4,0x00000028,20060417
+# I,0x000006F5,0x00000039,20060727
+# I,0x000006F6,0x000000D2,20101001
+# I,0x000006F7,0x0000006A,20101002
+# I,0x000006F9,0x00000084,20061012
+# I,0x000006FA,0x00000095,20101002
+# I,0x000006FB,0x000000C1,20111004
+# I,0x000006FD,0x000000A4,20101002
+# I,0x00000F00,0xFFFF0001,20000130
+# I,0x00000F01,0xFFFF0007,20000404
+# I,0x00000F02,0xFFFF000B,20000518
+# I,0x00000F03,0xFFFF0001,20000518
+# I,0x00000F04,0xFFFF0010,20000803
+# I,0x00000F05,0x0000000B,20000824
+# I,0x00000F06,0x00000004,20000911
+# I,0x00000F07,0x00000012,20020716
+# I,0x00000F08,0x00000008,20001101
+# I,0x00000F09,0x00000008,20010104
+# I,0x00000F0A,0x00000015,20020821
+# I,0x00000F11,0x0000000A,20030729
+# I,0x00000F12,0x0000002D,20030502
+# I,0x00000F13,0x00000005,20030508
+# I,0x00000F20,0x00000001,20010423
+# I,0x00000F21,0x00000002,20010529
+# I,0x00000F22,0x00000005,20030729
+# I,0x00000F23,0x0000000D,20010817
+# I,0x00000F24,0x00000021,20030610
+# I,0x00000F25,0x0000002C,20040826
+# I,0x00000F26,0x00000010,20040805
+# I,0x00000F27,0x00000038,20030604
+# I,0x00000F29,0x0000002D,20040811
+# I,0x00000F30,0x00000013,20030815
+# I,0x00000F31,0x0000000B,20031021
+# I,0x00000F32,0x0000000A,20040511
+# I,0x00000F33,0x0000000C,20050421
+# I,0x00000F34,0x00000017,20050421
+# I,0x00000F36,0x00000007,20040309
+# I,0x00000F37,0x00000003,20031218
+# I,0x00000F40,0x00000006,20040318
+# I,0x00000F41,0x00000017,20050422
+# I,0x00000F42,0x00000003,20050421
+# I,0x00000F43,0x00000005,20050421
+# I,0x00000F44,0x00000006,20050421
+# I,0x00000F46,0x00000004,20050411
+# I,0x00000F47,0x00000003,20050421
+# I,0x00000F48,0x0000000E,20080115
+# I,0x00000F49,0x00000003,20050421
+# I,0x00000F4A,0x00000004,20051214
+# I,0x00000F60,0x00000005,20050124
+# I,0x00000F61,0x00000008,20050610
+# I,0x00000F62,0x0000000F,20051215
+# I,0x00000F63,0x00000005,20051010
+# I,0x00000F64,0x00000004,20051223
+# I,0x00000F65,0x0000000B,20070510
+# I,0x00000F66,0x0000001B,20060310
+# I,0x00000F68,0x00000009,20060714
+# I,0x00001632,0x00000002,19980610
+# I,0x00010650,0x00000002,20060513
+# I,0x00010660,0x00000004,20060612
+# I,0x00010661,0x00000043,20101004
+# I,0x00010670,0x00000005,20070209
+# I,0x00010671,0x00000106,20070329
+# I,0x00010674,0x84050100,20070726
+# I,0x00010676,0x00000612,20150802
+# I,0x00010677,0x0000070D,20150802
+# I,0x0001067A,0x00000A0E,20150729
+# I,0x000106A0,0xFFFF001A,20071128
+# I,0x000106A1,0xFFFF000B,20080220
+# I,0x000106A2,0xFFFF0019,20080714
+# I,0x000106A4,0x00000013,20150630
+# I,0x000106A5,0x0000001D,20180511
+# I,0x000106C0,0x00000007,20070824
+# I,0x000106C1,0x00000109,20071203
+# I,0x000106C2,0x00000217,20090410
+# I,0x000106C9,0x00000007,20090213
+# I,0x000106CA,0x00000107,20090825
+# I,0x000106D0,0x00000005,20071204
+# I,0x000106D1,0x0000002A,20150803
+# I,0x000106E0,0xFFFF0022,20090116
+# I,0x000106E1,0xFFFF000D,20090206
+# I,0x000106E3,0xFFFF0011,20090512
+# I,0x000106E4,0x00000003,20130701
+# I,0x000106E5,0x0000000A,20180508
+# I,0x000106F0,0xFFFF0009,20090210
+# I,0x000106F1,0xFFFF0007,20090210
+# I,0x00020650,0xFFFF0008,20090218
+# I,0x00020651,0xFFFF0018,20090818
+# I,0x00020652,0x00000011,20180508
+# I,0x00020654,0xFFFF0007,20091124
+# I,0x00020655,0x00000007,20180423
+# I,0x00020661,0x00000105,20110718
+# I,0x000206A0,0x00000029,20091102
+# I,0x000206A1,0x00000007,20091223
+# I,0x000206A2,0x00000027,20100502
+# I,0x000206A3,0x00000009,20100609
+# I,0x000206A4,0x00000022,20100414
+# I,0x000206A5,0x00000007,20100722
+# I,0x000206A6,0x90030028,20100924
+# I,0x000206A7,0x0000002E,20180410
+# I,0x000206C0,0xFFFF001C,20091214
+# I,0x000206C1,0x00000006,20091222
+# I,0x000206C2,0x0000001F,20180508
+# I,0x000206D0,0x80000006,20100816
+# I,0x000206D1,0x80000106,20101201
+# I,0x000206D2,0x9584020C,20110622
+# I,0x000206D3,0x80000304,20110420
+# I,0x000206D5,0x00000513,20111013
+# I,0x000206D6,0x0000061D,20180508
+# I,0x000206D7,0x00000714,20180508
+# I,0x000206E0,0xE3493401,20090108
+# I,0x000206E1,0xE3493402,20090224
+# I,0x000206E2,0xFFFF0004,20081001
+# I,0x000206E3,0xE4486547,20090701
+# I,0x000206E4,0xFFFF0008,20090619
+# I,0x000206E5,0xFFFF0018,20091215
+# I,0x000206E6,0x0000000D,20180515
+# I,0x000206F0,0x00000004,20100630
+# I,0x000206F1,0x00000008,20101013
+# I,0x000206F2,0x0000003B,20180516
+# I,0x00030650,0x00000009,20120118
+# I,0x00030651,0x00000110,20131014
+# I,0x00030660,0x00000003,20101103
+# I,0x00030661,0x0000010F,20150721
+# I,0x00030669,0x0000010D,20130515
+# I,0x00030671,0x00000117,20130410
+# I,0x00030672,0x0000022E,20140401
+# I,0x00030673,0x00000326,20180110
+# I,0x00030678,0x00000837,20180125
+# I,0x00030679,0x0000090A,20180110
+# I,0x000306A0,0x00000007,20110407
+# I,0x000306A2,0x0000000C,20110725
+# I,0x000306A4,0x00000007,20110908
+# I,0x000306A5,0x00000009,20111110
+# I,0x000306A6,0x00000004,20111114
+# I,0x000306A8,0x00000010,20120220
+# I,0x000306A9,0x00000020,20180410
+# I,0x000306C0,0xFFFF0013,20111110
+# I,0x000306C1,0xFFFF0014,20120725
+# I,0x000306C2,0xFFFF0006,20121017
+# I,0x000306C3,0x00000025,20180402
+# I,0x000306D1,0xFFFF0009,20131015
+# I,0x000306D2,0xFFFF0009,20131219
+# I,0x000306D3,0xE3121338,20140825
+# I,0x000306D4,0x0000002B,20180322
+# I,0x000306E0,0x00000008,20120726
+# I,0x000306E2,0x0000020D,20130321
+# I,0x000306E3,0x00000308,20130321
+# I,0x000306E4,0x0000042D,20180425
+# I,0x000306E6,0x00000600,20130619
+# I,0x000306E7,0x00000714,20180425
+# I,0x000306F0,0xFFFF0017,20130730
+# I,0x000306F1,0x00000014,20140110
+# I,0x000306F2,0x0000003D,20180420
+# I,0x000306F3,0x0000000D,20160211
+# I,0x000306F4,0x00000012,20180420
+# I,0x00040650,0xFFFF000B,20121206
+# I,0x00040651,0x00000024,20180402
+# I,0x00040660,0xFFFF0011,20121012
+# I,0x00040661,0x0000001A,20180402
+# I,0x00040670,0xFFFF0006,20140304
+# I,0x00040671,0x0000001E,20180403
+# I,0x000406A0,0x80124001,20130521
+# I,0x000406A8,0x0000081F,20140812
+# I,0x000406A9,0x0000081F,20140812
+# I,0x000406C1,0x0000010B,20140814
+# I,0x000406C2,0x00000221,20150218
+# I,0x000406C3,0x00000367,20171225
+# I,0x000406C4,0x00000410,20180104
+# I,0x000406D0,0x0000000E,20130612
+# I,0x000406D8,0x0000012A,20180104
+# I,0x000406E1,0x00000020,20141111
+# I,0x000406E2,0x0000002C,20150521
+# I,0x000406E3,0x000000C6,20180417
+# I,0x000406E8,0x00000026,20160414
+# I,0x000406F0,0x00000014,20150702
+# I,0x000406F1,0x0B00002E,20180419
+# I,0x00050650,0x8000002B,20160208
+# I,0x00050651,0x8000002B,20160208
+# I,0x00050652,0x80000037,20170502
+# I,0x00050653,0x01000144,20180420
+# I,0x00050654,0x0200004D,20180515
+# I,0x00050655,0x0300000B,20180427
+# I,0x00050661,0xF1000008,20150130
+# I,0x00050662,0x00000017,20180525
+# I,0x00050663,0x07000013,20180420
+# I,0x00050664,0x0F000012,20180420
+# I,0x00050665,0x0E00000A,20180420
+# I,0x00050670,0xFFFF0030,20151113
+# I,0x00050671,0x000001B6,20180108
+# I,0x000506A0,0x00000038,20150112
+# I,0x000506C2,0x00000014,20180511
+# I,0x000506C8,0x90011010,20160323
+# I,0x000506C9,0x00000032,20180511
+# I,0x000506CA,0x0000000C,20180511
+# I,0x000506D1,0x00000102,20150605
+# I,0x000506E0,0x00000018,20141119
+# I,0x000506E1,0x0000002A,20150602
+# I,0x000506E2,0x0000002E,20150815
+# I,0x000506E3,0x000000C6,20180417
+# I,0x000506E8,0x00000034,20160710
+# I,0x000506F1,0x00000024,20180511
+# I,0x00060660,0x0000000C,20160821
+# I,0x00060661,0x0000000E,20170128
+# I,0x00060662,0x00000022,20171129
+# I,0x00060663,0x0000002A,20180417
+# I,0x000706A0,0x00000026,20170712
+# I,0x000706A1,0x0000002A,20180725
+# I,0x00080650,0x00000018,20180108
+# I,0x000806E9,0x00000098,20180626
+# I,0x000806EA,0x00000096,20180515
+# I,0x000806EB,0x00000098,20180530
+# I,0x000906E9,0x0000008E,20180324
+# I,0x000906EA,0x00000096,20180502
+# I,0x000906EB,0x0000008E,20180324
+# I,0x000906EC,0x0000009E,20180826
+# A,0x00000F00,0x02000008,20070614
+# A,0x00000F01,0x0000001C,20021031
+# A,0x00000F10,0x00000003,20020325
+# A,0x00000F11,0x0000001F,20030220
+# A,0x00000F48,0x00000046,20040719
+# A,0x00000F4A,0x00000047,20040719
+# A,0x00000F50,0x00000024,20021212
+# A,0x00000F51,0x00000025,20030115
+# A,0x00010F50,0x00000041,20040225
+# A,0x00020F10,0x0000004D,20050428
+# A,0x00040F01,0xC0012102,20050916
+# A,0x00040F0A,0x00000068,20060920
+# A,0x00040F13,0x0000007A,20080508
+# A,0x00040F14,0x00000062,20060127
+# A,0x00040F1B,0x0000006D,20060920
+# A,0x00040F33,0x0000007B,20080514
+# A,0x00060F80,0x00000083,20060929
+# A,0x000C0F1B,0x0000006E,20060921
+# A,0x000F0F00,0x00000005,20020627
+# A,0x000F0F01,0x00000015,20020627
+# A,0x00100F00,0x01000020,20070326
+# A,0x00100F20,0x010000CA,20100331
+# A,0x00100F22,0x010000C9,20100331
+# A,0x00100F40,0x01000085,20080501
+# A,0x00100F41,0x010000DB,20111024
+# A,0x00100F42,0x01000092,20081021
+# A,0x00100F43,0x010000C8,20100311
+# A,0x00100F62,0x010000C7,20100311
+# A,0x00100F80,0x010000DA,20111024
+# A,0x00100F81,0x010000D9,20111012
+# A,0x00100FA0,0x010000DC,20111024
+# A,0x00120F00,0x03000002,20100324
+# A,0x00200F30,0x02000018,20070921
+# A,0x00200F31,0x02000057,20080502
+# A,0x00200F32,0x02000034,20080307
+# A,0x00300F01,0x0300000E,20101004
+# A,0x00300F10,0x03000027,20111309
+# A,0x00500F00,0x0500000B,20100601
+# A,0x00500F01,0x0500001A,20100908
+# A,0x00500F10,0x05000029,20130121
+# A,0x00500F20,0x05000119,20130118
+# A,0x00580F00,0x0500000B,20100601
+# A,0x00580F01,0x0500001A,20100908
+# A,0x00580F10,0x05000028,20101124
+# A,0x00580F20,0x05000101,20110406
+# A,0x00600F00,0x06000017,20101029
+# A,0x00600F01,0x0600011F,20110227
+# A,0x00600F10,0x06000425,20110408
+# A,0x00600F11,0x0600050D,20110627
+# A,0x00600F12,0x0600063E,20180207
+# A,0x00600F20,0x06000852,20180206
+# A,0x00610F00,0x0600100E,20111102
+# A,0x00610F01,0x0600111F,20180305
+# A,0x00630F00,0x0600301C,20130817
+# A,0x00630F01,0x06003109,20180227
+# A,0x00660F00,0x06006012,20141014
+# A,0x00660F01,0x0600611A,20180126
+# A,0x00670F00,0x06006705,20180220
+# A,0x00680F00,0x06000017,20101029
+# A,0x00680F01,0x0600011F,20110227
+# A,0x00680F10,0x06000410,20110314
+# A,0x00700F00,0x0700002A,20121218
+# A,0x00700F01,0x07000110,20180209
+# A,0x00730F00,0x07030009,20131206
+# A,0x00730F01,0x07030106,20180209
+# A,0x00800F00,0x0800002A,20161006
+# A,0x00800F10,0x0800100C,20170131
+# A,0x00800F11,0x08001137,20180214
+# A,0x00800F12,0x08001227,20180209
+# A,0x00800F82,0x0800820B,20180620
+# A,0x00810F00,0x08100004,20161120
+# A,0x00810F10,0x0810100B,20180212
+# A,0x00810F80,0x08108002,20180605
+# A,0x00820F00,0x08200002,20180214

From dc5402b349fb49a879c481b2be1466fd42e17c9a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?= <speed47_github@speed47.net>
Date: Mon, 24 Sep 2018 20:05:41 +0200
Subject: [PATCH 03/11] chore: speed optimization of hw check and indentation
 fixes

---
 spectre-meltdown-checker.sh | 43 +++++++++++++++++--------------------
 1 file changed, 20 insertions(+), 23 deletions(-)

diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
index ecf1042..82a2020 100755
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
@@ -851,7 +851,7 @@ pvulnstatus()
 
 		case "$opt_batch_format" in
 			text) _echo 0 "$1: $2 ($3)";;
-            short) short_output="${short_output}$1 ";;
+			short) short_output="${short_output}$1 ";;
 			json)
 				case "$2" in
 					UNK)  is_vuln="null";;
@@ -1334,10 +1334,9 @@ is_ucode_blacklisted()
 	do
 		model=$(echo $tuple | cut -d, -f1)
 		stepping=$(( $(echo $tuple | cut -d, -f2) ))
-		ucode=$(echo $tuple | cut -d, -f3)
-		echo "$ucode" | grep -q ^0x && ucode_decimal=$(( ucode ))
 		if [ "$cpu_model" = "$model" ] && [ "$cpu_stepping" = "$stepping" ]; then
-			if [ "$cpu_ucode" = "$ucode_decimal" ] || [ "$cpu_ucode" = "$ucode" ]; then
+			ucode=$(( $(echo $tuple | cut -d, -f3) ))
+			if [ "$cpu_ucode" = "$ucode" ]; then
 				_debug "is_ucode_blacklisted: we have a match! ($cpu_model/$cpu_stepping/$cpu_ucode)"
 				return 0
 			fi
@@ -1352,7 +1351,7 @@ is_skylake_cpu()
 	# is this a skylake cpu?
 	# return 0 if yes, 1 otherwise
 	#if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL &&
-	#	    boot_cpu_data.x86 == 6) {
+	#		boot_cpu_data.x86 == 6) {
 	#		switch (boot_cpu_data.x86_model) {
 	#		case INTEL_FAM6_SKYLAKE_MOBILE:
 	#		case INTEL_FAM6_SKYLAKE_DESKTOP:
@@ -1410,26 +1409,24 @@ is_latest_known_ucode()
 	# 0: yes, 1: no, 2: unknown
 	parse_cpu_details
 	ucode_latest="latest microcode version for your CPU model is unknown"
-	if ! is_intel && ! is_amd; then
+	# cpuid,version,date
+	if is_intel; then
+		cpu_brand_prefix=I
+	elif is_amd; then
+		cpu_brand_prefix=A
+	else
 		return 2
 	fi
-	# cpuid,version,date
-	for tuple in $(read_mcedb)
+	for tuple in $(read_mcedb | grep "$(printf "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")")
 	do
-		cpu_brand=$(        echo "$tuple" | cut -d, -f1)
-		is_intel && [ "$cpu_brand" != I ] && continue
-		is_amd   && [ "$cpu_brand" != A ] && continue
-		cpuid_decimal=$(( $(echo "$tuple" | cut -d, -f2) ))
-		ucode_decimal=$(( $(echo "$tuple" | cut -d, -f3) ))
-		ucode_date=$(       echo "$tuple" | cut -d, -f4)
-		if [ "$cpuid_decimal" = "$cpu_cpuid" ]; then
-			_debug "is_latest_known_ucode: with cpuid $cpu_cpuid has ucode $cpu_ucode, last known is $cpuid_decimal from $ucode_date"
-			ucode_latest=$(printf "latest version is 0x%x dated $ucode_date according to $mcedb_info" "$ucode_decimal")
-			if [ "$cpu_ucode" -ge "$ucode_decimal" ]; then
-				return 0
-			else
-				return 1
-			fi
+		ucode=$((  $(echo "$tuple" | cut -d, -f3) ))
+		ucode_date=$(echo "$tuple" | cut -d, -f4 | sed -r 's=(....)(..)(..)=\1/\2/\3=')
+		_debug "is_latest_known_ucode: with cpuid $cpu_cpuid has ucode $cpu_ucode, last known is $ucode from $ucode_date"
+		ucode_latest=$(printf "latest version is 0x%x dated $ucode_date according to $mcedb_info" "$ucode")
+		if [ "$cpu_ucode" -ge "$ucode" ]; then
+			return 0
+		else
+			return 1
 		fi
 	done
 	_debug "is_latest_known_ucode: this cpuid is not referenced ($cpu_cpuid)"
@@ -1637,7 +1634,7 @@ if [ -e "$opt_kernel" ]; then
 	if ! which "${opt_arch_prefix}readelf" >/dev/null 2>&1; then
 		_debug "readelf not found"
 		kernel_err="missing '${opt_arch_prefix}readelf' tool, please install it, usually it's in the 'binutils' package"
-	elif [ "$opt_sysfs_only" = 1 ]; then
+	elif [ "$opt_sysfs_only" = 1 ] || [ "$opt_hw_only" = 1 ]; then
 		kernel_err='kernel image decompression skipped'
 	else
 		extract_kernel "$opt_kernel"

From 299103a3ae79244dbe47264761a60e094f61405a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?= <speed47_github@speed47.net>
Date: Mon, 24 Sep 2018 20:25:52 +0200
Subject: [PATCH 04/11] some fixes when script is not started as root

---
 spectre-meltdown-checker.sh | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
index 82a2020..28a4d21 100755
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
@@ -1072,6 +1072,9 @@ read_cpuid()
 
 	if [ -e /dev/cpu/0/cpuid ]; then
 		# Linux
+		if [ ! -r /dev/cpu/0/cpuid ]; then
+			return 2
+		fi
 		# on some kernel versions, /dev/cpu/0/cpuid doesn't imply that the cpuid module is loaded, in that case dd returns an error
 		dd if=/dev/cpu/0/cpuid bs=16 count=1 >/dev/null 2>&1 || load_cpuid
 		# we need _leaf to be converted to decimal for dd
@@ -1083,6 +1086,9 @@ read_cpuid()
 		_cpuid=$(dd if=/dev/cpu/0/cpuid bs=16 skip=$_ddskip count=$((_odskip + 1)) 2>/dev/null | od -j $((_odskip * 16)) -A n -t u4)
 	elif [ -e /dev/cpuctl0 ]; then
 		# BSD
+		if [ ! -r /dev/cpuctl0 ]; then
+			return 2
+		fi
 		_cpuid=$(cpucontrol -i "$_leaf" /dev/cpuctl0 2>/dev/null | awk '{print $4,$5,$6,$7}')
 		# cpuid level 0x1: 0x000306d4 0x00100800 0x4dfaebbf 0xbfebfbff
 	else
@@ -1176,6 +1182,8 @@ parse_cpu_details()
 	# get raw cpuid, it's always useful (referenced in the Intel doc for firmware updates for example)
 	if read_cpuid 0x1 $EAX 0 0xFFFFFFFF; then
 		cpu_cpuid="$read_cpuid_value"
+	else
+		cpu_cpuid=0
 	fi
 
 	# under BSD, linprocfs often doesn't export ucode information, so fetch it ourselves the good old way
@@ -1408,8 +1416,11 @@ is_latest_known_ucode()
 {
 	# 0: yes, 1: no, 2: unknown
 	parse_cpu_details
+	if [ "$cpu_cpuid" = 0 ]; then
+		ucode_latest="couldn't get your cpuid"
+		return 2
+	fi
 	ucode_latest="latest microcode version for your CPU model is unknown"
-	# cpuid,version,date
 	if is_intel; then
 		cpu_brand_prefix=I
 	elif is_amd; then
@@ -1924,6 +1935,8 @@ check_cpu()
 	_info_nol "    * PRED_CMD MSR is available: "
 	if [ ! -e /dev/cpu/0/msr ] && [ ! -e /dev/cpuctl0 ]; then
 		pstatus yellow UNKNOWN "is msr kernel module available?"
+	elif [ ! -r /dev/cpu/0/msr ] && [ ! -w /dev/cpuctl0 ]; then
+		pstatus yellow UNKNOWN "are you root?"
 	else
 		# the new MSR 'PRED_CTRL' is at offset 0x49, write-only
 		# we test if of all cpus
@@ -2031,8 +2044,8 @@ check_cpu()
 	if is_intel; then
 		_info     "  * Speculative Store Bypass Disable (SSBD)"
 		_info_nol "    * CPU indicates SSBD capability: "
-		read_cpuid 0x7 $EDX 31 1 1; ret=$?
-		if [ $ret -eq 0 ]; then
+		read_cpuid 0x7 $EDX 31 1 1; ret24=$?; ret25=$ret24
+		if [ $ret24 -eq 0 ]; then
 			cpuid_ssbd='Intel SSBD'
 		fi
 	elif is_amd; then
@@ -2071,6 +2084,8 @@ check_cpu()
 	_info_nol "    * FLUSH_CMD MSR is available: "
 	if [ ! -e /dev/cpu/0/msr ] && [ ! -e /dev/cpuctl0 ]; then
 		pstatus yellow UNKNOWN "is msr kernel module available?"
+	elif [ ! -r /dev/cpu/0/msr ] && [ ! -w /dev/cpuctl0 ]; then
+		pstatus yellow UNKNOWN "are you root?"
 	else
 		# the new MSR 'FLUSH_CMD' is at offset 0x10b, write-only
 		# we test if of all cpus

From cbb18cb6b6bb550fc8e7bcb1448452116ef03638 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?= <speed47_github@speed47.net>
Date: Sat, 29 Sep 2018 13:00:42 +0200
Subject: [PATCH 05/11] fix(l1tf): properly detect status under Red Hat/CentOS
 kernels

---
 spectre-meltdown-checker.sh | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
index 28a4d21..7224ce1 100755
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
@@ -3780,13 +3780,17 @@ check_CVE_2018_3646_linux()
 		_info_nol "  * L1D flush enabled: "
 		if [ "$opt_live" = 1 ]; then
 			if [ -r "/sys/devices/system/cpu/vulnerabilities/l1tf" ]; then
-				if grep -Eq 'VMX: (L1D )?vulnerable' "/sys/devices/system/cpu/vulnerabilities/l1tf"; then
+				# vanilla: VMX: $l1dstatus, SMT $smtstatus
+				# Red Hat: VMX: SMT $smtstatus, L1D $l1dstatus
+				# $l1dstatus is one of (auto|vulnerable|conditional cache flushes|cache flushes|EPT disabled|flush not necessary)
+				# $smtstatus is one of (vulnerable|disabled)
+				if grep -Eq '(VMX:|L1D) (EPT disabled|vulnerable|flush not necessary)' "/sys/devices/system/cpu/vulnerabilities/l1tf"; then
 					l1d_mode=0
 					pstatus yellow NO
-				elif grep -Eq 'VMX: (L1D )?conditional cache flushes' "/sys/devices/system/cpu/vulnerabilities/l1tf"; then
+				elif grep -Eq '(VMX:|L1D) conditional cache flushes' "/sys/devices/system/cpu/vulnerabilities/l1tf"; then
 					l1d_mode=1
 					pstatus green YES "conditional flushes"
-				elif grep -Eq 'VMX: (L1D )?cache flushes' "/sys/devices/system/cpu/vulnerabilities/l1tf"; then
+				elif grep -Eq '(VMX:|L1D) cache flushes' "/sys/devices/system/cpu/vulnerabilities/l1tf"; then
 					l1d_mode=2
 					pstatus green YES "unconditional flushes"
 				else

From 3b2d5296549a5d8eb2c1af734b1a29525f50c81e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?= <speed47_github@speed47.net>
Date: Sat, 29 Sep 2018 13:16:07 +0200
Subject: [PATCH 06/11] feat(l1tf): read & report ARCH_CAPABILITIES bit 3
 (SKIP_VMENTRY_L1DFLUSH)

---
 spectre-meltdown-checker.sh | 53 +++++++++++++++++++++++--------------
 1 file changed, 33 insertions(+), 20 deletions(-)

diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
index 7224ce1..2e43cb0 100755
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
@@ -2148,15 +2148,17 @@ check_cpu()
 		_info_nol "    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: "
 		capabilities_rdcl_no=-1
 		capabilities_ibrs_all=-1
-		capabilities_ssb_no=-1
 		capabilities_rsba=-1
+		capabilities_l1dflush_no=-1
+		capabilities_ssb_no=-1
 		if [ "$cpuid_arch_capabilities" = -1 ]; then
 			pstatus yellow UNKNOWN
 		elif [ "$cpuid_arch_capabilities" != 1 ]; then
 			capabilities_rdcl_no=0
 			capabilities_ibrs_all=0
-			capabilities_ssb_no=0
 			capabilities_rsba=0
+			capabilities_l1dflush_no=0
+			capabilities_ssb_no=0
 			pstatus yellow NO
 		elif [ ! -e /dev/cpu/0/msr ] && [ ! -e /dev/cpuctl0 ]; then
 			spec_ctrl_msr=-1
@@ -2185,15 +2187,17 @@ check_cpu()
 			capabilities=$val_cap_msr
 			capabilities_rdcl_no=0
 			capabilities_ibrs_all=0
-			capabilities_ssb_no=0
 			capabilities_rsba=0
+			capabilities_l1dflush_no=0
+			capabilities_ssb_no=0
 			if [ $val -eq 0 ]; then
 				_debug "capabilities MSR is $capabilities (decimal)"
 				[ $(( capabilities >> 0 & 1 )) -eq 1 ] && capabilities_rdcl_no=1
 				[ $(( capabilities >> 1 & 1 )) -eq 1 ] && capabilities_ibrs_all=1
 				[ $(( capabilities >> 2 & 1 )) -eq 1 ] && capabilities_rsba=1
+				[ $(( capabilities >> 3 & 1 )) -eq 1 ] && capabilities_l1dflush_no=1
 				[ $(( capabilities >> 4 & 1 )) -eq 1 ] && capabilities_ssb_no=1
-				_debug "capabilities says rdcl_no=$capabilities_rdcl_no ibrs_all=$capabilities_ibrs_all ssb_no=$capabilities_ssb_no rsba=$capabilities_rsba"
+				_debug "capabilities says rdcl_no=$capabilities_rdcl_no ibrs_all=$capabilities_ibrs_all rsba=$capabilities_rsba l1dflush_no=$capabilities_l1dflush_no ssb_no=$capabilities_ssb_no"
 				if [ "$capabilities_ibrs_all" = 1 ]; then
 					if [ $cpu_mismatch -eq 0 ]; then
 						pstatus green YES
@@ -2220,24 +2224,33 @@ check_cpu()
 		else
 			pstatus yellow NO
 		fi
-	fi
 
-	_info_nol "  * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): "
-	if [ "$capabilities_ssb_no" = -1 ]; then
-		pstatus yellow UNKNOWN
-	elif [ "$capabilities_ssb_no" = 1 ] || [ "$amd_ssb_no" = 1 ]; then
-		pstatus green YES
-	else
-		pstatus yellow NO
-	fi
+		_info_nol "  * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): "
+		if [ "$capabilities_ssb_no" = -1 ]; then
+			pstatus yellow UNKNOWN
+		elif [ "$capabilities_ssb_no" = 1 ] || [ "$amd_ssb_no" = 1 ]; then
+			pstatus green YES
+		else
+			pstatus yellow NO
+		fi
 
-	_info_nol "  * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): "
-	if [ "$capabilities_rsba" = -1 ]; then
-		pstatus yellow UNKNOWN
-	elif [ "$capabilities_rsba" = 1 ]; then
-		pstatus yellow YES
-	else
-		pstatus blue NO
+		_info_nol "  * CPU/Hypervisor indicates L1D flushing is not necessary on this system: "
+		if [ "$capabilities_l1dflush_no" = -1 ]; then
+			pstatus yellow UNKNOWN
+		elif [ "$capabilities_l1dflush_no" = 1 ]; then
+			pstatus green YES
+		else
+			pstatus yellow NO
+		fi
+
+		_info_nol "  * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): "
+		if [ "$capabilities_rsba" = -1 ]; then
+			pstatus yellow UNKNOWN
+		elif [ "$capabilities_rsba" = 1 ]; then
+			pstatus yellow YES
+		else
+			pstatus blue NO
+		fi
 	fi
 
 	_info_nol "  * CPU supports Software Guard Extensions (SGX): "

From 68289dae1eefabd3c2d86d3023b0c28a31665bf0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?= <speed47_github@speed47.net>
Date: Sun, 30 Sep 2018 16:56:58 +0200
Subject: [PATCH 07/11] feat: add --update-builtin-mcedb to update the DB
 inside the script

---
 spectre-meltdown-checker.sh | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
index 2e43cb0..ae5dd78 100755
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
@@ -82,6 +82,7 @@ show_usage()
 		--no-hw			skip CPU information and checks, if you're inspecting a kernel not to be run on this host
 		--vmm [auto,yes,no]	override the detection of the presence of an hypervisor (for CVE-2018-3646), default: auto
 		--update-mcedb		update our local copy of the CPU microcodes versions database (from the awesome MCExtractor project)
+		--update-builtin-mcedb	same as --update-mcedb but update builtin DB inside the script itself
 
 	Return codes:
 		0 (not vulnerable), 2 (vulnerable), 3 (unknown), 255 (error)
@@ -578,11 +579,8 @@ show_header()
 	_info
 }
 
-if [ -n "$HOME" ]; then
-	mcedb_cache="$HOME/.mcedb"
-else
-	mcedb_cache="$(getent passwd "$(whoami)" | cut -d: -f6)/.mcedb"
-fi
+[ -z "$HOME" ] && HOME="$(getent passwd "$(whoami)" | cut -d: -f6)"
+mcedb_cache="$HOME/.mcedb"
 update_mcedb()
 {
 	# We're using MCE.db from the excellent platomav's MCExtractor project
@@ -628,13 +626,21 @@ update_mcedb()
 	if [ -n "$previous_mcedb_revision" ]; then
 		if [ "$previous_mcedb_revision" = "v$mcedb_revision" ]; then
 			echo "We already have this version locally, no update needed"
-			return 0
+			[ "$1" != builtin ] && return 0
 		fi
 	fi
 	echo "# Spectre & Meltdown Checker" > "$mcedb_cache"
 	echo "# %%% MCEDB v$mcedb_revision - $mcedb_date" >> "$mcedb_cache"
-	sqlite3 "$mcedb_tmp" "select '# I,0x'||cpuid||',0x'||version||','||max(yyyymmdd) from Intel group by cpuid order by cpuid asc; select '# A,0x'||cpuid||',0x'||version||','||max(yyyymmdd) from AMD group by cpuid order by cpuid asc" >> "$mcedb_cache"
+	sqlite3 "$mcedb_tmp" "select '# I,0x'||cpuid||',0x'||version||','||max(yyyymmdd) from Intel group by cpuid order by cpuid asc; select '# A,0x'||cpuid||',0x'||version||','||max(yyyymmdd) from AMD group by cpuid order by cpuid asc" | grep -v '^# .,0x00000000,' >> "$mcedb_cache"
 	echo OK "local version updated"
+
+	if [ "$1" = builtin ]; then
+		newfile=$(mktemp /tmp/smc-XXXXXX)
+		awk '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile"
+		awk '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile"
+		cat "$newfile" > "$0"
+		rm -f "$newfile"
+	fi
 }
 
 parse_opt_file()
@@ -718,6 +724,9 @@ while [ -n "$1" ]; do
 	elif [ "$1" = "--update-mcedb" ]; then
 		update_mcedb
 		exit $?
+	elif [ "$1" = "--update-builtin-mcedb" ]; then
+		update_mcedb builtin
+		exit $?
 	elif [ "$1" = "--explain" ]; then
 		opt_explain=1
 		shift

From f5106b3c02838818d0b76d90c74cb70ca0083444 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?= <speed47_github@speed47.net>
Date: Sun, 30 Sep 2018 16:57:35 +0200
Subject: [PATCH 08/11] update MCEDB from v83 to v84 (no actual change)

---
 spectre-meltdown-checker.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
index ae5dd78..ebd63b1 100755
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
@@ -3979,7 +3979,7 @@ exit 0  # ok
 
 # wget https://github.com/platomav/MCExtractor/raw/master/MCE.db
 # sqlite3 MCE.db "select '%%% MCEDB v'||revision||' - '||strftime('%Y/%m/%d', date, 'unixepoch') from MCE; select '# I,0x'||cpuid||',0x'||version||','||max(yyyymmdd) from Intel group by cpuid order by cpuid asc; select '# A,0x'||cpuid||',0x'||version||','||max(yyyymmdd) from AMD group by cpuid order by cpuid asc"
-# %%% MCEDB v83 - 2018/09/21
+# %%% MCEDB v84 - 2018/09/27
 # I,0x00000611,0x00000B27,19961218
 # I,0x00000612,0x000000C6,19961210
 # I,0x00000616,0x000000C6,19961210

From 55120839ddb24b480b03dd4258b330d001d03278 Mon Sep 17 00:00:00 2001
From: Stanislav Kholmanskikh <stanislav.kholmanskikh@oracle.com>
Date: Tue, 28 Aug 2018 04:35:44 -0700
Subject: [PATCH 09/11] Fix a typo in check_variant3_linux()

Signed-off-by: Stanislav Kholmanskikh <stanislav.kholmanskikh@oracle.com>
---
 spectre-meltdown-checker.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
index ebd63b1..a159d3e 100755
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
@@ -3335,7 +3335,7 @@ check_CVE_2017_5754_linux()
 				if [ -n "$kpti_support" ]; then
 					if [ -e "/sys/kernel/debug/x86/pti_enabled" ]; then
 						explain "Your kernel supports PTI but it's disabled, you can enable it with \`echo 1 > /sys/kernel/debug/x86/pti_enabled\`"
-					elif grep -q -w nopti -w pti=off "$procfs/cmdline"; then
+					elif grep -q -w -e nopti -e pti=off "$procfs/cmdline"; then
 						explain "Your kernel supports PTI but it has been disabled on command-line, remove the nopti or pti=off option from your bootloader configuration"
 					else
 						explain "Your kernel supports PTI but it has been disabled, check \`dmesg\` right after boot to find clues why the system disabled it"

From 401ccd4b14ffa81936f5e843e6d7afdd72326d9d Mon Sep 17 00:00:00 2001
From: Stanislav Kholmanskikh <stanislav.kholmanskikh@oracle.com>
Date: Wed, 29 Aug 2018 05:40:52 -0700
Subject: [PATCH 10/11] Correct aarch64 KPTI dmesg message

As it's seen in unmap_kernel_at_el0 (both the function definition
and its usage in arm64_features[]) from arch/arm64/kernel/cpufeature.c
the kernel reports this string:

CPU features: detected: Kernel page table isolation (KPTI)

or (before commit e0f6429dc1c0 ("arm64: cpufeature: Remove redundant "feature"
in reports")):

CPU features: detected feature: Kernel page table isolation (KPTI)

if KPTI is enabled on the system.

So on let's adjust check_variant3_linux() to make it grep these
strings if executed on an aarch64 platform.

Tested on a Cavium ThunderX2 machine.

Signed-off-by: Stanislav Kholmanskikh <stanislav.kholmanskikh@oracle.com>
---
 spectre-meltdown-checker.sh | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
index a159d3e..6856fd0 100755
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
@@ -3237,6 +3237,8 @@ check_CVE_2017_5754_linux()
 			dmesg_grep="Kernel/User page tables isolation: enabled"
 			dmesg_grep="$dmesg_grep|Kernel page table isolation enabled"
 			dmesg_grep="$dmesg_grep|x86/pti: Unmapping kernel while in userspace"
+			# aarch64
+			dmesg_grep="$dmesg_grep|CPU features: detected( feature)?: Kernel page table isolation \(KPTI\)"
 			if grep ^flags "$procfs/cpuinfo" | grep -qw pti; then
 				# vanilla PTI patch sets the 'pti' flag in cpuinfo
 				_debug "kpti_enabled: found 'pti' flag in $procfs/cpuinfo"

From c705afe764d104cb23d952d8b08ada1b658f58ca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?= <speed47_github@speed47.net>
Date: Wed, 3 Oct 2018 20:56:46 +0200
Subject: [PATCH 11/11] bump to v0.40

---
 spectre-meltdown-checker.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
index 6856fd0..be32420 100755
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
@@ -11,7 +11,7 @@
 #
 # Stephane Lesimple
 #
-VERSION='0.39+'
+VERSION='0.40'
 
 trap 'exit_cleanup' EXIT
 trap '_warn "interrupted, cleaning up..."; exit_cleanup; exit 1' INT