diff --git a/src/vulns-helpers/check_mds.sh b/src/vulns-helpers/check_mds.sh
index e45c27b..e6ded22 100644
--- a/src/vulns-helpers/check_mds.sh
+++ b/src/vulns-helpers/check_mds.sh
@@ -174,6 +174,12 @@ check_mds_linux() {
 if echo "$ret_sys_interface_check_fullmsg" | grep -Eq 'SMT (disabled|mitigated)'; then
 mds_smt_mitigated=1
 pstatus green YES
+ elif echo "$ret_sys_interface_check_fullmsg" | grep -q 'SMT Host state unknown'; then
+ # The kernel appends "SMT Host state unknown" when running under
+ # a hypervisor (X86_FEATURE_HYPERVISOR): the host controls SMT
+ # scheduling, so it can't be determined from inside the guest (#343).
+ mds_smt_mitigated=2
+ pstatus yellow UNKNOWN "running in a VM guest, the hypervisor host controls SMT"
 else
 mds_smt_mitigated=0
 pstatus yellow NO
@@ -200,6 +206,9 @@ check_mds_linux() {
 if [ "$opt_paranoid" != 1 ] || [ "$mds_smt_mitigated" = 1 ]; then
 mystatus=OK
 mymsg="Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled"
+ elif [ "$mds_smt_mitigated" = 2 ]; then
+ mystatus=UNK
+ mymsg="Your microcode and kernel are both up to date for this mitigation and it's enabled, but SMT (Hyper-Threading) cross-thread protection can't be verified from inside a VM guest: it depends on the hypervisor host's SMT/core-scheduling configuration"
 else
 mystatus=VULN
 mymsg="Your microcode and kernel are both up to date for this mitigation, but you must disable SMT (Hyper-Threading) for a complete mitigation"
diff --git a/src/vulns-helpers/check_mmio.sh b/src/vulns-helpers/check_mmio.sh
index 99d2fb0..5440240 100644
--- a/src/vulns-helpers/check_mmio.sh
+++ b/src/vulns-helpers/check_mmio.sh
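Review bot: The new `elif` in the first check_mds.sh hunk matches the kernel suffix with `grep -q`, i.e. as a basic regex, while the parallel branch added to CVE-2019-11135.sh uses `grep -qF` for the very same literal; the pattern carries no metacharacters today, but the fixed-string form is what the sibling file uses and removes the question for future edits: `elif echo "$ret_sys_interface_check_fullmsg" | grep -qF 'SMT Host state unknown'; then`. The same applies to the first check_mmio.sh hunk. `mds_smt_mitigated` also becomes tri-state here, and check_mds_linux continues outside both hunks, so any other reader of that variable that compares against 0 rather than 1 would now see the value 2 on a hypervisor guest — worth a quick grep of the rest of the function. A comment at the first assignment such as `# mds_smt_mitigated: 0 = SMT active, 1 = SMT disabled/mitigated, 2 = unknown (hypervisor guest, host controls SMT)` would document the contract for the next maintainer.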
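Review bot: The `elif [ "$mds_smt_mitigated" = 2 ]` branch in the second check_mds.sh hunk is only reachable when `opt_paranoid` is 1, because the preceding condition already selects OK whenever it is not; a VM guest in default mode therefore still gets the unqualified "mitigation is enabled" message and never sees the UNK wording. That mirrors how state 0 is treated today, so it looks intentional, but it is not obvious from the new lines alone; a comment on the new `elif` such as `# only reached with opt_paranoid=1: default mode does not downgrade on SMT state` would make the intent explicit. The same holds for the second check_mmio.sh hunk, which is a verbatim copy of this one.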
@@ -216,6 +216,12 @@ check_mmio_linux() {
 if echo "$ret_sys_interface_check_fullmsg" | grep -Eq 'SMT (disabled|mitigated)'; then
 mmio_smt_mitigated=1
 pstatus green YES
+ elif echo "$ret_sys_interface_check_fullmsg" | grep -q 'SMT Host state unknown'; then
+ # The kernel appends "SMT Host state unknown" when running under
+ # a hypervisor (X86_FEATURE_HYPERVISOR): the host controls SMT
+ # scheduling, so it can't be determined from inside the guest (#343).
+ mmio_smt_mitigated=2
+ pstatus yellow UNKNOWN "running in a VM guest, the hypervisor host controls SMT"
 else
 mmio_smt_mitigated=0
 pstatus yellow NO
@@ -253,6 +259,9 @@ check_mmio_linux() {
 if [ "$opt_paranoid" != 1 ] || [ "$mmio_smt_mitigated" = 1 ]; then
 mystatus=OK
 mymsg="Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled"
+ elif [ "$mmio_smt_mitigated" = 2 ]; then
+ mystatus=UNK
+ mymsg="Your microcode and kernel are both up to date for this mitigation and it's enabled, but SMT (Hyper-Threading) cross-thread protection can't be verified from inside a VM guest: it depends on the hypervisor host's SMT/core-scheduling configuration"
 else
 mystatus=VULN
 mymsg="Your microcode and kernel are both up to date for this mitigation, but you must disable SMT (Hyper-Threading) for a complete mitigation"
diff --git a/src/vulns/CVE-2019-11135.sh b/src/vulns/CVE-2019-11135.sh
index 0781bd5..eb85a1a 100644
--- a/src/vulns/CVE-2019-11135.sh
+++ b/src/vulns/CVE-2019-11135.sh
@@ -86,6 +86,11 @@ check_CVE_2019_11135_linux() {
 pvulnstatus "$cve" VULN "TSX must be disabled for full mitigation"
 elif echo "$ret_sys_interface_check_fullmsg" | grep -qF 'SMT vulnerable'; then
 pvulnstatus "$cve" VULN "SMT (HyperThreading) must be disabled for full mitigation"
+ elif echo "$ret_sys_interface_check_fullmsg" | grep -qF 'SMT Host state unknown'; then
+ # The kernel appends "SMT Host state unknown" when running under a
+ # hypervisor (X86_FEATURE_HYPERVISOR): the host controls SMT
+ # scheduling, so it can't be determined from inside the guest (#343).
+ pvulnstatus "$cve" UNK "TAA is mitigated and TSX is disabled, but SMT (Hyper-Threading) cross-thread protection can't be verified from inside a VM guest: it depends on the hypervisor host's SMT/core-scheduling configuration"
 else
 pvulnstatus "$cve" "$status" "$msg"
 fi
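Review bot: The new UNK message states "TAA is mitigated and TSX is disabled", but the branch itself only establishes that the sysfs line carries the "SMT Host state unknown" suffix; whether TSX is actually disabled is decided, if at all, by the `if` condition above the hunk, which lies outside this view, so the message may over-claim on a guest where that earlier branch was not taken. Wording that only asserts what this branch checked would be safer: `pvulnstatus "$cve" UNK "TAA mitigation is enabled, but SMT (Hyper-Threading) cross-thread protection can't be verified from inside a VM guest: it depends on the hypervisor host's SMT/core-scheduling configuration"`. Unlike the check_mds.sh and check_mmio.sh hunks, nothing visible here gates the downgrade on `opt_paranoid`; if the enclosing condition does not either, a VM guest is reported UNK for TAA but OK for MDS/MMIO in default mode, which reads as inconsistent across the three checks. check_CVE_2019_11135_linux starts before the hunk.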