variant4 from common.c::cpu_no_spec_store_bypass
Variant 4 - Add a function to 'whitelist' the handful of CPUs unaffected by speculative store bypass. This would allow improved determination of variant 4 status (#189) for immune CPUs while waiting for the 4.17/stable patches to be backported to distro kernels. Source of the CPU list: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/kernel/cpu/common.c#n945 . Modeled after is_cpu_specex_free().
This commit is contained in:
parent
1c793775ba
commit
2475482a98
|
@ -306,6 +306,10 @@ is_cpu_vulnerable()
|
||||||
variant4=immune
|
variant4=immune
|
||||||
_debug "is_cpu_vulnerable: SSB_NO is set so not vuln to variant4"
|
_debug "is_cpu_vulnerable: SSB_NO is set so not vuln to variant4"
|
||||||
fi
|
fi
|
||||||
|
if is_cpu_ssb_free; then
|
||||||
|
[ -z "$variant4" ] && variant4=immune
|
||||||
|
_debug "is_cpu_vulnerable: cpu not affected by speculative store bypass so not vuln to variant4"
|
||||||
|
fi
|
||||||
elif is_amd; then
|
elif is_amd; then
|
||||||
# AMD revised their statement about variant2 => vulnerable
|
# AMD revised their statement about variant2 => vulnerable
|
||||||
# https://www.amd.com/en/corporate/speculative-execution
|
# https://www.amd.com/en/corporate/speculative-execution
|
||||||
|
@ -315,6 +319,10 @@ is_cpu_vulnerable()
|
||||||
# https://www.amd.com/en/corporate/security-updates
|
# https://www.amd.com/en/corporate/security-updates
|
||||||
# "We have not identified any AMD x86 products susceptible to the Variant 3a vulnerability in our analysis to-date."
|
# "We have not identified any AMD x86 products susceptible to the Variant 3a vulnerability in our analysis to-date."
|
||||||
[ -z "$variant3a" ] && variant3a=immune
|
[ -z "$variant3a" ] && variant3a=immune
|
||||||
|
if is_cpu_ssb_free; then
|
||||||
|
[ -z "$variant4" ] && variant4=immune
|
||||||
|
_debug "is_cpu_vulnerable: cpu not affected by speculative store bypass so not vuln to variant4"
|
||||||
|
fi
|
||||||
elif [ "$cpu_vendor" = ARM ]; then
|
elif [ "$cpu_vendor" = ARM ]; then
|
||||||
# ARM
|
# ARM
|
||||||
# reference: https://developer.arm.com/support/security-update
|
# reference: https://developer.arm.com/support/security-update
|
||||||
|
@ -432,6 +440,67 @@ is_cpu_specex_free()
|
||||||
return 1
|
return 1
|
||||||
}
|
}
|
||||||
|
|
||||||
|
is_cpu_ssb_free()
|
||||||
|
{
|
||||||
|
# return true (0) if the CPU isn't affected by speculative store bypass, false (1) if it does.
|
||||||
|
# if it's not in the list we know, return false (1).
|
||||||
|
# source: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/kernel/cpu/common.c#n945
|
||||||
|
#{ X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_PINEVIEW },
|
||||||
|
#{ X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_LINCROFT },
|
||||||
|
#{ X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_PENWELL },
|
||||||
|
#{ X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_CLOVERVIEW },
|
||||||
|
#{ X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_CEDARVIEW },
|
||||||
|
#{ X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SILVERMONT1 },
|
||||||
|
#{ X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_AIRMONT },
|
||||||
|
#{ X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SILVERMONT2 },
|
||||||
|
#{ X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_MERRIFIELD },
|
||||||
|
#{ X86_VENDOR_INTEL, 6, INTEL_FAM6_CORE_YONAH },
|
||||||
|
#{ X86_VENDOR_INTEL, 6, INTEL_FAM6_XEON_PHI_KNL },
|
||||||
|
#{ X86_VENDOR_INTEL, 6, INTEL_FAM6_XEON_PHI_KNM },
|
||||||
|
#{ X86_VENDOR_CENTAUR, 5, },
|
||||||
|
#{ X86_VENDOR_INTEL, 5, },
|
||||||
|
#{ X86_VENDOR_NSC, 5, },
|
||||||
|
#{ X86_VENDOR_AMD, 0x12, },
|
||||||
|
#{ X86_VENDOR_AMD, 0x11, },
|
||||||
|
#{ X86_VENDOR_AMD, 0x10, },
|
||||||
|
#{ X86_VENDOR_AMD, 0xf, },
|
||||||
|
#{ X86_VENDOR_ANY, 4, },
|
||||||
|
parse_cpu_details
|
||||||
|
if is_intel; then
|
||||||
|
if [ "$cpu_family" = 6 ]; then
|
||||||
|
if [ "$cpu_model" = "$INTEL_FAM6_ATOM_AIRMONT" ] || \
|
||||||
|
[ "$cpu_model" = "$INTEL_FAM6_ATOM_CEDARVIEW" ] || \
|
||||||
|
[ "$cpu_model" = "$INTEL_FAM6_ATOM_CLOVERVIEW" ] || \
|
||||||
|
[ "$cpu_model" = "$INTEL_FAM6_ATOM_LINCROFT" ] || \
|
||||||
|
[ "$cpu_model" = "$INTEL_FAM6_ATOM_MERRIFIELD" ]; then
|
||||||
|
return 0
|
||||||
|
elif [ "$cpu_model" = "$INTEL_FAM6_ATOM_PENWELL" ] || \
|
||||||
|
[ "$cpu_model" = "$INTEL_FAM6_ATOM_PINEVIEW" ] || \
|
||||||
|
[ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT1" ] || \
|
||||||
|
[ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT2" ] || \
|
||||||
|
[ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT1" ]; then
|
||||||
|
return 0
|
||||||
|
elif [ "$cpu_model" = "$INTEL_FAM6_CORE_YONAH" ] || \
|
||||||
|
[ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNL" ] || \
|
||||||
|
[ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNM" ]; then
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
elif [ "$cpu_family" = 5 ]; then
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
if is_amd; then
|
||||||
|
if [ "$cpu_family" = "0x12" ] || \
|
||||||
|
[ "$cpu_family" = "0x11" ] || \
|
||||||
|
[ "$cpu_family" = "0x10" ] || \
|
||||||
|
[ "$cpu_family" = "0xf" ]; then
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
[ "$cpu_family" = 4 ] && return 0
|
||||||
|
return 1
|
||||||
|
}
|
||||||
|
|
||||||
show_header()
|
show_header()
|
||||||
{
|
{
|
||||||
_info "Spectre and Meltdown mitigation detection tool v$VERSION"
|
_info "Spectre and Meltdown mitigation detection tool v$VERSION"
|
||||||
|
|
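Review bot: The AMD branch of is_cpu_ssb_free compares `$cpu_family` with the hex strings "0x12", "0x11", "0x10" and "0xf", while the Intel branch of the same function compares the same variable with the decimal literals 6, 5 and 4; `[ = ]` is a plain string comparison, so if `cpu_family` holds the decimal value (as the Intel checks suggest) none of the AMD cases can ever match and the whitelisted AMD families are reported as not immune. The condition should use the decimal equivalents, `[ "$cpu_family" = 18 ] || [ "$cpu_family" = 17 ] || [ "$cpu_family" = 16 ] || [ "$cpu_family" = 15 ]`, matching the convention used elsewhere in the function. Two smaller points in the same hunk: `INTEL_FAM6_ATOM_SILVERMONT1` is tested twice in the second elif chain (the last alternative is redundant and can be dropped), and the `X86_VENDOR_CENTAUR, 5` and `X86_VENDOR_NSC, 5` entries of the quoted kernel table have no corresponding check, so those CPUs fall through to `return 1`; that is the fail-safe direction, but the header comment should say the list is intentionally restricted to Intel/AMD/family-4, e.g. `# Centaur and NSC family-5 entries from the kernel table are not checked here`.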