mirror of
				https://github.com/speed47/spectre-meltdown-checker.git
				synced 2025-10-26 01:10:51 +02:00 
			
		
		
		
	adjust README
		
							
								
								
									
										26
									
								
								README.md
									
									
									
									
									
								
							
							
						
						
									
										26
									
								
								README.md
									
									
									
									
									
								
							| @@ -10,10 +10,10 @@ A shell script to tell if your system is vulnerable against the several "specula | |||||||
| - CVE-2018-3615 [L1 terminal fault] aka 'Foreshadow (SGX)' | - CVE-2018-3615 [L1 terminal fault] aka 'Foreshadow (SGX)' | ||||||
| - CVE-2018-3620 [L1 terminal fault] aka 'Foreshadow-NG (OS)' | - CVE-2018-3620 [L1 terminal fault] aka 'Foreshadow-NG (OS)' | ||||||
| - CVE-2018-3646 [L1 terminal fault] aka 'Foreshadow-NG (VMM)' | - CVE-2018-3646 [L1 terminal fault] aka 'Foreshadow-NG (VMM)' | ||||||
| - CVE-2018-12126 [MSBDS] Microarchitectural Store Buffer Data Sampling  | - CVE-2018-12126 [microarchitectural store buffer data sampling (MSBDS)] aka 'Fallout' | ||||||
| - CVE-2018-12130 [MFBDS] Microarchitectural Fill Buffer Data Sampling  | - CVE-2018-12130 [microarchitectural fill buffer data sampling (MFBDS)] aka 'RIDL' | ||||||
| - CVE-2018-12127 [MLPDS] Microarchitectural Load Port Data Sampling  | - CVE-2018-12127 [microarchitectural load port data sampling (MLPDS)] aka 'RIDL' | ||||||
| - CVE-2019-11091 [MDSUM] Microarchitectural Data Sampling Uncacheable Memory  | - CVE-2019-11091 [microarchitectural data sampling uncacheable memory (MDSUM)] aka 'RIDL' | ||||||
|  |  | ||||||
| Supported operating systems: | Supported operating systems: | ||||||
| - Linux (all versions, flavors and distros) | - Linux (all versions, flavors and distros) | ||||||
| @@ -125,21 +125,25 @@ docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/m | |||||||
|    - Impact: Kernel & System management mode |    - Impact: Kernel & System management mode | ||||||
|    - Mitigation: updated kernel (with PTE inversion) |    - Mitigation: updated kernel (with PTE inversion) | ||||||
|    - Performance impact of the mitigation: negligible |    - Performance impact of the mitigation: negligible | ||||||
|     |  | ||||||
| **CVE-2018-3646** l1 terminal fault (Foreshadow-NG VMM) | **CVE-2018-3646** l1 terminal fault (Foreshadow-NG VMM) | ||||||
|  |  | ||||||
|    - Impact: Virtualization software and Virtual Machine Monitors |    - Impact: Virtualization software and Virtual Machine Monitors | ||||||
|    - Mitigation: disable ept (extended page tables), disable hyper-threading (SMT), or |    - Mitigation: disable ept (extended page tables), disable hyper-threading (SMT), or updated kernel (with L1d flush) | ||||||
|                  updated kernel (with L1d flush) |  | ||||||
|    - Performance impact of the mitigation: low to significant |    - Performance impact of the mitigation: low to significant | ||||||
|  |  | ||||||
| **CVE-2018-12126** [MSBDS] Microarchitectural Store Buffer Data Sampling  | **CVE-2018-12126** [MSBDS] Microarchitectural Store Buffer Data Sampling (Fallout) | ||||||
| **CVE-2018-12130** [MFBDS] Microarchitectural Fill Buffer Data Sampling  |  | ||||||
| **CVE-2018-12127** [MLPDS] Microarchitectural Load Port Data Sampling  | **CVE-2018-12130** [MFBDS] Microarchitectural Fill Buffer Data Sampling (RIDL) | ||||||
| **CVE-2019-11091** [MDSUM] Microarchitectural Data Sampling Uncacheable Memory  |  | ||||||
|  | **CVE-2018-12127** [MLPDS] Microarchitectural Load Port Data Sampling (RIDL) | ||||||
|  |  | ||||||
|  | **CVE-2019-11091** [MDSUM] Microarchitectural Data Sampling Uncacheable Memory (RIDL) | ||||||
|  |  | ||||||
|    - Impact: Kernel |    - Impact: Kernel | ||||||
|    - Mitigation: microcode update + kernel update making possible to protect various CPU internal buffers from unprivilaged speculative access to data |    - Mitigation: microcode update + kernel update making possible to protect various CPU internal buffers from unprivilaged speculative access to data | ||||||
|  |    - Performance impact of the mitigation: TBC | ||||||
|  |    - Note: These 4 CVEs are similar and collectively named "MDS" vulnerabilities, the mitigation is identical same for all | ||||||
|  |  | ||||||
| ## Understanding what this script does and doesn't | ## Understanding what this script does and doesn't | ||||||
|  |  | ||||||
|   | |||||||
| @@ -2354,7 +2354,6 @@ check_cpu() | |||||||
| 		fi | 		fi | ||||||
|  |  | ||||||
| 		_info_nol "    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: " | 		_info_nol "    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: " | ||||||
| 		mds_no=-1 |  | ||||||
| 		capabilities_mds_no=-1 | 		capabilities_mds_no=-1 | ||||||
| 		capabilities_rdcl_no=-1 | 		capabilities_rdcl_no=-1 | ||||||
| 		capabilities_ibrs_all=-1 | 		capabilities_ibrs_all=-1 | ||||||
| @@ -4269,13 +4268,13 @@ check_mds() | |||||||
|  |  | ||||||
| 	if [ "$opt_live" != 1 ]; then | 	if [ "$opt_live" != 1 ]; then | ||||||
| 		pstatus blue N/A "not testable in offline mode" | 		pstatus blue N/A "not testable in offline mode" | ||||||
| 		pvulnstatus $cve UNK | 		pvulnstatus "$cve" UNK | ||||||
| 		return | 		return | ||||||
| 	fi | 	fi | ||||||
|  |  | ||||||
| 	if ! is_cpu_vulnerable "$cve" ; then | 	if ! is_cpu_vulnerable "$cve" ; then | ||||||
| 		# override status & msg in case CPU is not vulnerable after all | 		# override status & msg in case CPU is not vulnerable after all | ||||||
| 		pvulnstatus $cve OK "your CPU vendor reported your CPU model as not vulnerable" | 		pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not vulnerable" | ||||||
| 		return | 		return | ||||||
| 	fi | 	fi | ||||||
|  |  | ||||||
| @@ -4312,11 +4311,11 @@ check_mds() | |||||||
| 	fi | 	fi | ||||||
|  |  | ||||||
| 	if [ $mds_mitigated = 0 ];then | 	if [ $mds_mitigated = 0 ];then | ||||||
| 		pvulnstatus $cve VULN | 		pvulnstatus "$cve" VULN | ||||||
| 	elif [ $mds_mitigated = 1 ]; then | 	elif [ $mds_mitigated = 1 ]; then | ||||||
| 		pvulnstatus $cve OK | 		pvulnstatus "$cve" OK | ||||||
| 	else | 	else | ||||||
| 		pvulnstatus $cve UNK "further action may be needed to mitigate this vulnerability. For more info check Linux kernel Documentation/admin-guide/hw-vuln/mds.rst" | 		pvulnstatus "$cve" UNK "further action may be needed to mitigate this vulnerability. For more info check Linux kernel Documentation/admin-guide/hw-vuln/mds.rst" | ||||||
| 	fi | 	fi | ||||||
| } | } | ||||||
|  |  | ||||||
|   | |||||||
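Review bot: `$mds_mitigated` is still expanded unquoted in the two `[ ... ]` tests at the end of check_mds, even though this commit quotes `$cve` on the neighbouring lines. Its assignment lies outside the visible hunks, so this is an inference, but if it were ever empty or unset both tests would fail with a `[` syntax error and the verdict would reach the UNK branch only by accident, with error noise on stderr. Quoting makes that fail-to-unknown path deliberate and keeps a vulnerability checker from depending on a malformed test: `if [ "$mds_mitigated" = 0 ]; then` and `elif [ "$mds_mitigated" = 1 ]; then`. check_mds starts before this hunk, so how the variable is initialised should be confirmed there.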