From 0cd7e1164f1ebcbcc13484fe1b1218f1154ecbb2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?= <speed47_github@speed47.net>
Date: Fri, 6 Dec 2019 23:03:36 +0100
Subject: [PATCH] feat: detect vanilla 5.4+ locked down mode

---
 spectre-meltdown-checker.sh | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
index d40137b..72ae48f 100755
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
@@ -2255,16 +2255,24 @@ write_msr()
 			mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=201")
 			return 201 # missing tool error
 		fi
-		if [ "$ret" = 1 ]; then
-			# Fedora (and probably Red Hat) have a "kernel lock down" feature that prevents us to write to MSRs
+		if [ "$ret" != 0 ]; then
+			# * Fedora (and probably Red Hat) have a "kernel lock down" feature that prevents us to write to MSRs
 			# when this mode is enabled and EFI secure boot is enabled (see issue #303)
 			# https://src.fedoraproject.org/rpms/kernel/blob/master/f/efi-lockdown.patch
 			# when this happens, any write will fail and dmesg will have a msg printed "msr: Direct access to MSR"
-			# we don't use dmesg_grep() because we don't care if dmesg is truncated here, as the message has just been printed
+			# * A version of this patch also made it to vanilla in 5.4+, in that case the message is: 'raw MSR access is restricted'
+			# * we don't use dmesg_grep() because we don't care if dmesg is truncated here, as the message has just been printed
 			if dmesg | grep -qF "msr: Direct access to MSR"; then
-				_debug "write_msr: locked down kernel detected"
+				_debug "write_msr: locked down kernel detected (Red Hat / Fedora)"
 				mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=202")
 				msr_locked_down=1
+				msr_locked_down_msg="your kernel is locked down (Fedora/Red Hat), please reboot without secure boot and retry"
+				return 202 # lockdown error
+			elif dmesg | grep -qF "raw MSR access is restricted"; then
+				_debug "write_msr: locked down kernel detected (vanilla)"
+				mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=202")
+				msr_locked_down=1
+				msr_locked_down_msg="your kernel is locked down, please reboot with lockdown=none in the kernel cmdline and retry"
 				return 202 # lockdown error
 			fi
 		fi
@@ -2405,7 +2413,7 @@ check_cpu()
 			pstatus yellow UNKNOWN "missing tool, install either msr-tools or perl"
 			spec_ctrl_msr=-1
 		elif [ $val -eq 202 ]; then
-			pstatus yellow UNKNOWN "your kernel is locked down (Fedora/Red Hat), please reboot without secure boot and retry"
+			pstatus yellow UNKNOWN "$msr_locked_down_msg"
 			spec_ctrl_msr=-1
 		else
 			spec_ctrl_msr=0
@@ -2498,7 +2506,7 @@ check_cpu()
 		elif [ $val -eq 201 ]; then
 			pstatus yellow UNKNOWN "missing tool, install either msr-tools or perl"
 		elif [ $val -eq 202 ]; then
-			pstatus yellow UNKNOWN "your kernel is locked down (Fedora/Red Hat), please reboot without secure boot and retry"
+			pstatus yellow UNKNOWN "$msr_locked_down_msg"
 		else
 			pstatus yellow NO
 		fi
@@ -2680,7 +2688,7 @@ check_cpu()
 		elif [ $val -eq 201 ]; then
 			pstatus yellow UNKNOWN "missing tool, install either msr-tools or perl"
 		elif [ $val -eq 202 ]; then
-			pstatus yellow UNKNOWN "your kernel is locked down (Fedora/Red Hat), please reboot without secure boot and retry"
+			pstatus yellow UNKNOWN "$msr_locked_down_msg"
 		else
 			pstatus yellow NO
 		fi
@@ -2813,7 +2821,7 @@ check_cpu()
 			elif [ $val -eq 201 ]; then
 				pstatus yellow UNKNOWN "missing tool, install either msr-tools or perl"
 			elif [ $val -eq 202 ]; then
-				pstatus yellow UNKNOWN "your kernel is locked down (Fedora/Red Hat), please reboot without secure boot and retry"
+				pstatus yellow UNKNOWN "$msr_locked_down_msg"
 			else
 				pstatus yellow NO
 			fi