peter/spectre-meltdown-checker
peter
/
spectre-meltdown-checker
mirror of https://github.com/speed47/spectre-meltdown-checker.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

chore: more shellcheck 0.6 fixes

This commit is contained in:
Stéphane Lesimple 2019-05-05 18:34:09 +02:00
parent 7beca1ac50
commit 1264b1c7a3
1 changed files with 38 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
spectre-meltdown-checker.sh
View File

@ -31,7 +31,7 @@ exit_cleanup()
} }
# if we were git clone'd, adjust VERSION # if we were git clone'd, adjust VERSION
if [ -d "$(dirname "$0")/.git" ] && which git >/dev/null 2>&1; then if [ -d "$(dirname "$0")/.git" ] && command -v git >/dev/null 2>&1; then
describe=$(git -C "$(dirname "$0")" describe --tags --dirty 2>/dev/null) describe=$(git -C "$(dirname "$0")" describe --tags --dirty 2>/dev/null)
[ -n "$describe" ] && VERSION=$(echo "$describe" | sed -e s/^v//) [ -n "$describe" ] && VERSION=$(echo "$describe" | sed -e s/^v//)
fi fi
@ -159,8 +159,12 @@ supported_cve_list='CVE-2017-5753 CVE-2017-5715 CVE-2017-5754 CVE-2018-3640 CVE-
# because `printf` behavior is more standard across Linux/BSD # because `printf` behavior is more standard across Linux/BSD
# we'll try to avoid using shell builtins that might not take options # we'll try to avoid using shell builtins that might not take options
echo_cmd_type='echo' echo_cmd_type='echo'
if which printf >/dev/null 2>&1; then # ignore SC2230 here because `which` ignores builtins while `command -v` doesn't, and
echo_cmd=$(which printf) # we don't want builtins here. Even if `which` is not installed, we'll fallback to the
# `echo` builtin anyway, so this is safe.
# shellcheck disable=SC2230
if command -v printf >/dev/null 2>&1; then
echo_cmd=$(command -v printf)
echo_cmd_type='printf' echo_cmd_type='printf'
elif which echo >/dev/null 2>&1; then elif which echo >/dev/null 2>&1; then
echo_cmd=$(which echo) echo_cmd=$(which echo)
@ -465,7 +469,7 @@ is_cpu_vulnerable()
[ -z "$variant3a" ] && variant3a=immune [ -z "$variant3a" ] && variant3a=immune
variant4=vuln variant4=vuln
_debug "checking cpu$i: armv8 A76 non vulnerable to variant 2, 3 & 3a" _debug "checking cpu$i: armv8 A76 non vulnerable to variant 2, 3 & 3a"
elif [ "$cpuarch" -le 7 ] || ( [ "$cpuarch" = 8 ] && [ $(( cpupart )) -lt $(( 0xd07 )) ] ) ; then elif [ "$cpuarch" -le 7 ] || { [ "$cpuarch" = 8 ] && [ $(( cpupart )) -lt $(( 0xd07 )) ]; } ; then
[ -z "$variant1" ] && variant1=immune [ -z "$variant1" ] && variant1=immune
[ -z "$variant2" ] && variant2=immune [ -z "$variant2" ] && variant2=immune
[ -z "$variant3" ] && variant3=immune [ -z "$variant3" ] && variant3=immune
@ -603,11 +607,11 @@ update_mcedb()
mcedb_tmp="$(mktemp /tmp/mcedb-XXXXXX)" mcedb_tmp="$(mktemp /tmp/mcedb-XXXXXX)"
mcedb_url='https://github.com/platomav/MCExtractor/raw/master/MCE.db' mcedb_url='https://github.com/platomav/MCExtractor/raw/master/MCE.db'
_info_nol "Fetching MCE.db from the MCExtractor project... " _info_nol "Fetching MCE.db from the MCExtractor project... "
if which wget >/dev/null 2>&1; then if command -v wget >/dev/null 2>&1; then
wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$? wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
elif which curl >/dev/null 2>&1; then elif command -v curl >/dev/null 2>&1; then
curl -sL "$mcedb_url" -o "$mcedb_tmp"; ret=$? curl -sL "$mcedb_url" -o "$mcedb_tmp"; ret=$?
elif which fetch >/dev/null 2>&1; then elif command -v fetch >/dev/null 2>&1; then
fetch -q "$mcedb_url" -o "$mcedb_tmp"; ret=$? fetch -q "$mcedb_url" -o "$mcedb_tmp"; ret=$?
else else
echo ERROR "please install one of \`wget\`, \`curl\` of \`fetch\` programs" echo ERROR "please install one of \`wget\`, \`curl\` of \`fetch\` programs"
@ -621,7 +625,7 @@ update_mcedb()
# now extract contents using sqlite # now extract contents using sqlite
_info_nol "Extracting data... " _info_nol "Extracting data... "
if ! which sqlite3 >/dev/null 2>&1; then if ! command -v sqlite3 >/dev/null 2>&1; then
echo ERROR "please install the \`sqlite3\` program" echo ERROR "please install the \`sqlite3\` program"
return 1 return 1
fi fi
@ -888,6 +892,7 @@ pvulnstatus()
prometheus) prometheus)
prometheus_output="${prometheus_output:+$prometheus_output\n}specex_vuln_status{name=\"$aka\",cve=\"$1\",status=\"$2\",info=\"$3\"} 1" prometheus_output="${prometheus_output:+$prometheus_output\n}specex_vuln_status{name=\"$aka\",cve=\"$1\",status=\"$2\",info=\"$3\"} 1"
;; ;;
*) echo "$0: error: invalid batch format '$opt_batch_format' specified" >&2; exit 255;;
esac esac
fi fi
@ -972,7 +977,7 @@ try_decompress()
for pos in $(tr "$1\n$2" "\n$2=" < "$6" | grep -abo "^$2") for pos in $(tr "$1\n$2" "\n$2=" < "$6" | grep -abo "^$2")
do do
_debug "try_decompress: magic for $3 found at offset $pos" _debug "try_decompress: magic for $3 found at offset $pos"
if ! which "$3" >/dev/null 2>&1; then if ! command -v "$3" >/dev/null 2>&1; then
kernel_err="missing '$3' tool, please install it, usually it's in the '$5' package" kernel_err="missing '$3' tool, please install it, usually it's in the '$5' package"
return 0 return 0
fi fi
@ -1165,7 +1170,7 @@ dmesg_grep()
is_coreos() is_coreos()
{ {
which coreos-install >/dev/null 2>&1 && which toolbox >/dev/null 2>&1 && return 0 command -v coreos-install >/dev/null 2>&1 && command -v toolbox >/dev/null 2>&1 && return 0
return 1 return 1
} }
@ -1679,7 +1684,7 @@ if [ "$os" = Linux ]; then
fi fi
if [ -e "$opt_kernel" ]; then if [ -e "$opt_kernel" ]; then
if ! which "${opt_arch_prefix}readelf" >/dev/null 2>&1; then if ! command -v "${opt_arch_prefix}readelf" >/dev/null 2>&1; then
_debug "readelf not found" _debug "readelf not found"
kernel_err="missing '${opt_arch_prefix}readelf' tool, please install it, usually it's in the 'binutils' package" kernel_err="missing '${opt_arch_prefix}readelf' tool, please install it, usually it's in the 'binutils' package"
elif [ "$opt_sysfs_only" = 1 ] || [ "$opt_hw_only" = 1 ]; then elif [ "$opt_sysfs_only" = 1 ] || [ "$opt_hw_only" = 1 ]; then
@ -1790,11 +1795,11 @@ write_msr()
if [ ! -w /dev/cpu/"$_cpu"/msr ]; then if [ ! -w /dev/cpu/"$_cpu"/msr ]; then
ret=200 # permission error ret=200 # permission error
# if wrmsr is available, use it # if wrmsr is available, use it
elif which wrmsr >/dev/null 2>&1 && [ "$SMC_NO_WRMSR" != 1 ]; then elif command -v wrmsr >/dev/null 2>&1 && [ "$SMC_NO_WRMSR" != 1 ]; then
_debug "write_msr: using wrmsr" _debug "write_msr: using wrmsr"
wrmsr $_msr 0 2>/dev/null; ret=$? wrmsr $_msr 0 2>/dev/null; ret=$?
# or if we have perl, use it, any 5.x version will work # or if we have perl, use it, any 5.x version will work
elif which perl >/dev/null 2>&1 && [ "$SMC_NO_PERL" != 1 ]; then elif command -v perl >/dev/null 2>&1 && [ "$SMC_NO_PERL" != 1 ]; then
_debug "write_msr: using perl" _debug "write_msr: using perl"
ret=1 ret=1
perl -e "open(M,'>','/dev/cpu/$_cpu/msr') and seek(M,$_msr,0) and exit(syswrite(M,pack('H16',0)))"; [ $? -eq 8 ] && ret=0 perl -e "open(M,'>','/dev/cpu/$_cpu/msr') and seek(M,$_msr,0) and exit(syswrite(M,pack('H16',0)))"; [ $? -eq 8 ] && ret=0
@ -1836,11 +1841,11 @@ read_msr()
if [ ! -r /dev/cpu/"$_cpu"/msr ]; then if [ ! -r /dev/cpu/"$_cpu"/msr ]; then
return 200 # permission error return 200 # permission error
# if rdmsr is available, use it # if rdmsr is available, use it
elif which rdmsr >/dev/null 2>&1 && [ "$SMC_NO_RDMSR" != 1 ]; then elif command -v rdmsr >/dev/null 2>&1 && [ "$SMC_NO_RDMSR" != 1 ]; then
_debug "read_msr: using rdmsr" _debug "read_msr: using rdmsr"
read_msr_value=$(rdmsr -r $_msr 2>/dev/null | od -t u8 -A n) read_msr_value=$(rdmsr -r $_msr 2>/dev/null | od -t u8 -A n)
# or if we have perl, use it, any 5.x version will work # or if we have perl, use it, any 5.x version will work
elif which perl >/dev/null 2>&1 && [ "$SMC_NO_PERL" != 1 ]; then elif command -v perl >/dev/null 2>&1 && [ "$SMC_NO_PERL" != 1 ]; then
_debug "read_msr: using perl" _debug "read_msr: using perl"
read_msr_value=$(perl -e "open(M,'<','/dev/cpu/$_cpu/msr') and seek(M,$_msr,0) and read(M,\$_,8) and print" | od -t u8 -A n) read_msr_value=$(perl -e "open(M,'<','/dev/cpu/$_cpu/msr') and seek(M,$_msr,0) and read(M,\$_,8) and print" | od -t u8 -A n)
# fallback to dd if it supports skip_bytes # fallback to dd if it supports skip_bytes
@ -2376,7 +2381,7 @@ check_redhat_canonical_spectre()
# if we were already called, don't do it again # if we were already called, don't do it again
[ -n "$redhat_canonical_spectre" ] && return [ -n "$redhat_canonical_spectre" ] && return
if ! which "${opt_arch_prefix}strings" >/dev/null 2>&1; then if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
redhat_canonical_spectre=-1 redhat_canonical_spectre=-1
elif [ -n "$kernel_err" ]; then elif [ -n "$kernel_err" ]; then
redhat_canonical_spectre=-2 redhat_canonical_spectre=-2
@ -2460,7 +2465,7 @@ check_CVE_2017_5753_linux()
# http://git.arm.linux.org.uk/cgit/linux-arm.git/commit/?h=spectre&id=a78d156587931a2c3b354534aa772febf6c9e855 # http://git.arm.linux.org.uk/cgit/linux-arm.git/commit/?h=spectre&id=a78d156587931a2c3b354534aa772febf6c9e855
if [ -n "$kernel_err" ]; then if [ -n "$kernel_err" ]; then
pstatus yellow UNKNOWN "couldn't check ($kernel_err)" pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
elif ! which perl >/dev/null 2>&1; then elif ! command -v perl >/dev/null 2>&1; then
pstatus yellow UNKNOWN "missing 'perl' binary, please install it" pstatus yellow UNKNOWN "missing 'perl' binary, please install it"
else else
perl -ne '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$? perl -ne '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$?
@ -2517,9 +2522,9 @@ check_CVE_2017_5753_linux()
pstatus yellow NO pstatus yellow NO
elif [ -n "$kernel_err" ]; then elif [ -n "$kernel_err" ]; then
pstatus yellow UNKNOWN "couldn't check ($kernel_err)" pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
elif ! which perl >/dev/null 2>&1; then elif ! command -v perl >/dev/null 2>&1; then
pstatus yellow UNKNOWN "missing 'perl' binary, please install it" pstatus yellow UNKNOWN "missing 'perl' binary, please install it"
elif ! which "${opt_arch_prefix}objdump" >/dev/null 2>&1; then elif ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then
pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package" pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package"
else else
"${opt_arch_prefix}objdump" -d "$kernel" | perl -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\ssub\s+(x\d+)/ && $r[1]=~/\sbic\s+$1,\s+$1,/ && $r[2]=~/\sand\s/ && exit(9); shift @r if @r>3'; ret=$? "${opt_arch_prefix}objdump" -d "$kernel" | perl -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\ssub\s+(x\d+)/ && $r[1]=~/\sbic\s+$1,\s+$1,/ && $r[2]=~/\sand\s/ && exit(9); shift @r if @r>3'; ret=$?
@ -2531,14 +2536,14 @@ check_CVE_2017_5753_linux()
fi fi
fi fi
if [ "$opt_verbose" -ge 2 ] || ( [ -z "$v1_mask_nospec" ] && [ "$redhat_canonical_spectre" != 1 ] && [ "$redhat_canonical_spectre" != 2 ] ); then if [ "$opt_verbose" -ge 2 ] || { [ -z "$v1_mask_nospec" ] && [ "$redhat_canonical_spectre" != 1 ] && [ "$redhat_canonical_spectre" != 2 ]; }; then
# this is a slow heuristic and we don't need it if we already know the kernel is patched # this is a slow heuristic and we don't need it if we already know the kernel is patched
# but still show it in verbose mode # but still show it in verbose mode
_info_nol "* Checking count of LFENCE instructions following a jump in kernel... " _info_nol "* Checking count of LFENCE instructions following a jump in kernel... "
if [ -n "$kernel_err" ]; then if [ -n "$kernel_err" ]; then
pstatus yellow UNKNOWN "couldn't check ($kernel_err)" pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
else else
if ! which "${opt_arch_prefix}objdump" >/dev/null 2>&1; then if ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then
pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package" pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package"
else else
# here we disassemble the kernel and count the number of occurrences of the LFENCE opcode # here we disassemble the kernel and count the number of occurrences of the LFENCE opcode
@ -2577,7 +2582,7 @@ check_CVE_2017_5753_linux()
pvulnstatus $cve OK "Kernel source has been patched to mitigate the vulnerability (Red Hat/Ubuntu patch)" pvulnstatus $cve OK "Kernel source has been patched to mitigate the vulnerability (Red Hat/Ubuntu patch)"
elif [ "$v1_lfence" = 1 ]; then elif [ "$v1_lfence" = 1 ]; then
pvulnstatus $cve OK "Kernel source has PROBABLY been patched to mitigate the vulnerability (jump-then-lfence instructions heuristic)" pvulnstatus $cve OK "Kernel source has PROBABLY been patched to mitigate the vulnerability (jump-then-lfence instructions heuristic)"
elif [ "$kernel_err" ]; then elif [ -n "$kernel_err" ]; then
pvulnstatus $cve UNK "Couldn't find kernel image or tools missing to execute the checks" pvulnstatus $cve UNK "Couldn't find kernel image or tools missing to execute the checks"
explain "Re-run this script with root privileges, after installing the missing tools indicated above" explain "Re-run this script with root privileges, after installing the missing tools indicated above"
else else
@ -2722,7 +2727,7 @@ check_CVE_2017_5715_linux()
fi fi
fi fi
if [ -z "$ibrs_supported" ] && [ -n "$kernel" ]; then if [ -z "$ibrs_supported" ] && [ -n "$kernel" ]; then
if ! which "${opt_arch_prefix}strings" >/dev/null 2>&1; then if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
: :
else else
ibrs_can_tell=1 ibrs_can_tell=1
@ -2743,7 +2748,7 @@ check_CVE_2017_5715_linux()
# recent (4.15) vanilla kernels have IBPB but not IBRS, and without the debugfs tunables of Red Hat # recent (4.15) vanilla kernels have IBPB but not IBRS, and without the debugfs tunables of Red Hat
# we can detect it directly in the image # we can detect it directly in the image
if [ -z "$ibpb_supported" ] && [ -n "$kernel" ]; then if [ -z "$ibpb_supported" ] && [ -n "$kernel" ]; then
if ! which "${opt_arch_prefix}strings" >/dev/null 2>&1; then if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
: :
else else
ibpb_can_tell=1 ibpb_can_tell=1
@ -2907,7 +2912,7 @@ check_CVE_2017_5715_linux()
fi fi
elif [ -n "$kernel" ]; then elif [ -n "$kernel" ]; then
# look for the symbol # look for the symbol
if which "${opt_arch_prefix}nm" >/dev/null 2>&1; then if command -v "${opt_arch_prefix}nm" >/dev/null 2>&1; then
# the proper way: use nm and look for the symbol # the proper way: use nm and look for the symbol
if "${opt_arch_prefix}nm" "$kernel" 2>/dev/null | grep -qw 'noretpoline_setup'; then if "${opt_arch_prefix}nm" "$kernel" 2>/dev/null | grep -qw 'noretpoline_setup'; then
retpoline_compiler=1 retpoline_compiler=1
@ -2955,7 +2960,7 @@ check_CVE_2017_5715_linux()
# only for information, in verbose mode # only for information, in verbose mode
if [ "$opt_verbose" -ge 2 ]; then if [ "$opt_verbose" -ge 2 ]; then
_info_nol " * Local gcc is retpoline-aware: " _info_nol " * Local gcc is retpoline-aware: "
if which gcc >/dev/null 2>&1; then if command -v gcc >/dev/null 2>&1; then
if [ -n "$(gcc -mindirect-branch=thunk-extern --version 2>&1 >/dev/null)" ]; then if [ -n "$(gcc -mindirect-branch=thunk-extern --version 2>&1 >/dev/null)" ]; then
pstatus blue NO pstatus blue NO
else else
@ -2968,7 +2973,7 @@ check_CVE_2017_5715_linux()
if is_vulnerable_to_empty_rsb || [ "$opt_verbose" -ge 2 ]; then if is_vulnerable_to_empty_rsb || [ "$opt_verbose" -ge 2 ]; then
_info_nol " * Kernel supports RSB filling: " _info_nol " * Kernel supports RSB filling: "
if ! which "${opt_arch_prefix}strings" >/dev/null 2>&1; then if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
pstatus yellow UNKNOWN "missing '${opt_arch_prefix}strings' tool, please install it, usually it's in the binutils package" pstatus yellow UNKNOWN "missing '${opt_arch_prefix}strings' tool, please install it, usually it's in the binutils package"
elif [ -z "$kernel" ]; then elif [ -z "$kernel" ]; then
pstatus yellow UNKNOWN "kernel image missing" pstatus yellow UNKNOWN "kernel image missing"
@ -3048,7 +3053,7 @@ check_CVE_2017_5715_linux()
if [ "$opt_live" = 1 ] && [ "$vulnstatus" != "OK" ]; then if [ "$opt_live" = 1 ] && [ "$vulnstatus" != "OK" ]; then
_explain_hypervisor="An updated CPU microcode will have IBRS/IBPB capabilities indicated in the Hardware Check section above. If you're running under a hypervisor (KVM, Xen, VirtualBox, VMware, ...), the hypervisor needs to be up to date to be able to export the new host CPU flags to the guest. You can run this script on the host to check if the host CPU is IBRS/IBPB. If it is, and it doesn't show up in the guest, upgrade the hypervisor. You may need to reconfigure your VM to use a CPU model that has IBRS capability; in Libvirt, such CPUs are listed with an IBRS suffix." _explain_hypervisor="An updated CPU microcode will have IBRS/IBPB capabilities indicated in the Hardware Check section above. If you're running under a hypervisor (KVM, Xen, VirtualBox, VMware, ...), the hypervisor needs to be up to date to be able to export the new host CPU flags to the guest. You can run this script on the host to check if the host CPU is IBRS/IBPB. If it is, and it doesn't show up in the guest, upgrade the hypervisor. You may need to reconfigure your VM to use a CPU model that has IBRS capability; in Libvirt, such CPUs are listed with an IBRS suffix."
# IBPB (amd & intel) # IBPB (amd & intel)
if ( [ -z "$ibpb_enabled" ] || [ "$ibpb_enabled" = 0 ] ) && ( is_intel || is_amd || is_hygon); then if { [ -z "$ibpb_enabled" ] || [ "$ibpb_enabled" = 0 ]; } && { is_intel || is_amd || is_hygon; }; then
if [ -z "$cpuid_ibpb" ]; then if [ -z "$cpuid_ibpb" ]; then
explain "The microcode of your CPU needs to be upgraded to be able to use IBPB. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section). $_explain_hypervisor" explain "The microcode of your CPU needs to be upgraded to be able to use IBPB. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section). $_explain_hypervisor"
fi fi
@ -3073,7 +3078,7 @@ check_CVE_2017_5715_linux()
# /IBPB # /IBPB
# IBRS (amd & intel) # IBRS (amd & intel)
if ( [ -z "$ibrs_enabled" ] || [ "$ibrs_enabled" = 0 ] ) && ( is_intel || is_amd || is_hygon); then if { [ -z "$ibrs_enabled" ] || [ "$ibrs_enabled" = 0 ]; } && { is_intel || is_amd || is_hygon; }; then
if [ -z "$cpuid_ibrs" ]; then if [ -z "$cpuid_ibrs" ]; then
explain "The microcode of your CPU needs to be upgraded to be able to use IBRS. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section). $_explain_hypervisor" explain "The microcode of your CPU needs to be upgraded to be able to use IBRS. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section). $_explain_hypervisor"
fi fi
@ -3149,7 +3154,7 @@ check_CVE_2017_5715_bsd()
if [ -n "$kernel_err" ]; then if [ -n "$kernel_err" ]; then
pstatus yellow UNKNOWN "couldn't check ($kernel_err)" pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
else else
if ! which "${opt_arch_prefix}readelf" >/dev/null 2>&1; then if ! command -v "${opt_arch_prefix}readelf" >/dev/null 2>&1; then
pstatus yellow UNKNOWN "missing '${opt_arch_prefix}readelf' tool, please install it, usually it's in the binutils package" pstatus yellow UNKNOWN "missing '${opt_arch_prefix}readelf' tool, please install it, usually it's in the binutils package"
else else
nb_thunks=$("${opt_arch_prefix}readelf" -s "$kernel" | grep -c -e __llvm_retpoline_ -e __llvm_external_retpoline_ -e __x86_indirect_thunk_) nb_thunks=$("${opt_arch_prefix}readelf" -s "$kernel" | grep -c -e __llvm_retpoline_ -e __llvm_external_retpoline_ -e __x86_indirect_thunk_)
@ -3265,7 +3270,7 @@ check_CVE_2017_5754_linux()
# nopti option that is part of the patch (kernel command line option) # nopti option that is part of the patch (kernel command line option)
# 'kpti=': arm # 'kpti=': arm
kpti_can_tell=1 kpti_can_tell=1
if ! which "${opt_arch_prefix}strings" >/dev/null 2>&1; then if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
pstatus yellow UNKNOWN "missing '${opt_arch_prefix}strings' tool, please install it, usually it's in the binutils package" pstatus yellow UNKNOWN "missing '${opt_arch_prefix}strings' tool, please install it, usually it's in the binutils package"
else else
kpti_support=$("${opt_arch_prefix}strings" "$kernel" | grep -w -e nopti -e kpti=) kpti_support=$("${opt_arch_prefix}strings" "$kernel" | grep -w -e nopti -e kpti=)
@ -3730,7 +3735,7 @@ check_CVE_2018_3620_linux()
fi fi
if [ "$opt_sysfs_only" != 1 ]; then if [ "$opt_sysfs_only" != 1 ]; then
_info_nol "* Kernel supports PTE inversion: " _info_nol "* Kernel supports PTE inversion: "
if ! which "${opt_arch_prefix}strings" >/dev/null 2>&1; then if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
pteinv_supported=-1 pteinv_supported=-1
else else
if "${opt_arch_prefix}strings" "$kernel" | grep -Fq 'PTE Inversion'; then if "${opt_arch_prefix}strings" "$kernel" | grep -Fq 'PTE Inversion'; then
@ -3919,7 +3924,7 @@ check_CVE_2018_3646_linux()
l1d_kernel="found flush_l1d in $procfs/cpuinfo" l1d_kernel="found flush_l1d in $procfs/cpuinfo"
fi fi
if [ -z "$l1d_kernel" ]; then if [ -z "$l1d_kernel" ]; then
if ! which "${opt_arch_prefix}strings" >/dev/null 2>&1; then if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
l1d_kernel_err="missing '${opt_arch_prefix}strings' tool, please install it, usually it's in the binutils package" l1d_kernel_err="missing '${opt_arch_prefix}strings' tool, please install it, usually it's in the binutils package"
elif [ -n "$kernel_err" ]; then elif [ -n "$kernel_err" ]; then
l1d_kernel_err="$kernel_err" l1d_kernel_err="$kernel_err"