L1TF/Linux: More fixes to /sys based hypervisor detection
We are now able to figure out whether or not we are running a hypervisor (at least potentially) via /sys, so let's actually use that information. This commit makes sure that, both when running with no options and with `--sysfs-only`, finding 'VMX' inside the L1TF sysfs vulnerability file is enough for calling the system a virtualization host.
parent
e819a27939
commit
0421aea53f
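--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -3792,60 +3792,60 @@ check_CVE_2018_3646_linux()
 has_vmm=1;
 fi
 fi
-if [ "$opt_sysfs_only" != 1 ]; then
-_info_nol "* This system is a host running a hypervisor: "
-if [ "$has_vmm" = -1 ]; then
-# Assumed to be running on bare metal unless evidence of vm is found.
-has_vmm=0
-# if we have the 'kvm_intel' module loaded, well, we defintely can run VMs!
-if lsmod | grep -q kvm_intel; then
-has_vmm=1
-fi
-# test for presence of hypervisor flag - definitive if set
-if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo" | grep -qw hypervisor; then
-has_vmm=1
-_debug "hypervisor: present - hypervisor flag set in $procfs/cpuinfo"
-else
-_debug "hypervisor: unknown - hypervisor flag not set in $procfs/cpuinfo"
-fi
-# test for kernel detected hypervisor
-dmesg_grep "Hypervisor detected:" ; ret=$?
+_info_nol "* This system is a host running a hypervisor: "
+if [ "$has_vmm" = -1 ] && [ "$opt_sysfs_only" != 1 ]; then
+# Assumed to be running on bare metal unless evidence of vm is found.
+has_vmm=0
+# if we have the 'kvm_intel' module loaded, well, we defintely can run VMs!
+if lsmod | grep -q kvm_intel; then
+has_vmm=1
+fi
+# test for presence of hypervisor flag - definitive if set
+if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo" | grep -qw hypervisor; then
+has_vmm=1
+_debug "hypervisor: present - hypervisor flag set in $procfs/cpuinfo"
+else
+_debug "hypervisor: unknown - hypervisor flag not set in $procfs/cpuinfo"
+fi
+# test for kernel detected hypervisor
+dmesg_grep "Hypervisor detected:" ; ret=$?
+if [ $ret -eq 0 ]; then
+_debug "hypervisor: present - found in dmesg: $dmesg_grepped"
+has_vmm=1
+elif [ $ret -eq 2 ]; then
+_debug "hypervisor: dmesg truncated"
+fi
+# test for kernel detected paravirtualization
+dmesg_grep "Booting paravirtualized kernel on bare hardware" ; ret=$?
+if [ $ret -eq 0 ]; then
+_debug "hypervisor: not present (bare hardware)- found in dmesg: $dmesg_grepped"
+elif [ $ret -eq 2 ]; then
+_debug "hypervisor: dmesg truncated"
+else
+dmesg_grep "Booting paravirtualized kernel on" ; ret=$?
 if [ $ret -eq 0 ]; then
 _debug "hypervisor: present - found in dmesg: $dmesg_grepped"
 has_vmm=1
 elif [ $ret -eq 2 ]; then
 _debug "hypervisor: dmesg truncated"
 fi
-# test for kernel detected paravirtualization
-dmesg_grep "Booting paravirtualized kernel on bare hardware" ; ret=$?
-if [ $ret -eq 0 ]; then
-_debug "hypervisor: not present (bare hardware)- found in dmesg: $dmesg_grepped"
-elif [ $ret -eq 2 ]; then
-_debug "hypervisor: dmesg truncated"
-else
-dmesg_grep "Booting paravirtualized kernel on" ; ret=$?
-if [ $ret -eq 0 ]; then
-_debug "hypervisor: present - found in dmesg: $dmesg_grepped"
-has_vmm=1
-elif [ $ret -eq 2 ]; then
-_debug "hypervisor: dmesg truncated"
-fi
-fi
 fi
-if [ "$has_vmm" = 0 ]; then
-if [ "$opt_vmm" != -1 ]; then
-pstatus green NO "forced from command line"
-else
-pstatus green NO
-fi
+fi
+if [ "$has_vmm" = 0 ]; then
+if [ "$opt_vmm" != -1 ]; then
+pstatus green NO "forced from command line"
 else
-if [ "$opt_vmm" != -1 ]; then
-pstatus blue YES "forced from command line"
-else
-pstatus blue YES
-fi
+pstatus green NO
 fi
+else
+if [ "$opt_vmm" != -1 ]; then
+pstatus blue YES "forced from command line"
+else
+pstatus blue YES
+fi
+fi
 
+if [ "$opt_sysfs_only" != 1 ]; then
 _info "* Mitigation 1 (KVM)"
 _info_nol " * EPT is disabled: "
 if [ "$opt_live" = 1 ]; then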
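Review bot: Under `--sysfs-only`, when the sysfs L1TF file does not contain 'VMX', `has_vmm` is still -1 when control reaches `if [ "$has_vmm" = 0 ]; then`, so the `else` branch prints `pstatus blue YES` for a state that is actually unknown, and without the "forced from command line" qualifier. The new guard `if [ "$has_vmm" = -1 ] && [ "$opt_sysfs_only" != 1 ]; then` skips the only code that would resolve -1 in that mode, so the unknown case now falls through to the "is a hypervisor host" verdict and the advice that follows. I am inferring that -1 is the initial value from the test itself, since its initialization is outside the hunk; if so, an explicit `elif [ "$has_vmm" = -1 ]; then` / `pstatus yellow UNKNOWN "not determinable in sysfs-only mode"` before the YES branch would keep the report honest. check_CVE_2018_3646_linux() starts and ends outside the hunk.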