feat: detect known speculative-execution free CPUs

Based on a kernel patch that has been merged into Linus' tree.
Some of the detections we did by grepping the model name
will probably no longer be needed.
This commit is contained in:
Stéphane Lesimple 2018-01-31 14:21:29 +01:00
parent bcae8824ec
commit 247b176882


@ -204,7 +204,11 @@ is_cpu_vulnerable()
variant2='' variant2=''
variant3='' variant3=''
if [ "$cpu_vendor" = GenuineIntel ]; then if is_cpu_specex_free; then
variant1=immune
variant2=immune
variant3=immune
elif [ "$cpu_vendor" = GenuineIntel ]; then
# Intel # Intel
# Old Atoms are not vulnerable to spectre 2 nor meltdown # Old Atoms are not vulnerable to spectre 2 nor meltdown
# https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr # https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
@ -297,6 +301,41 @@ is_cpu_vulnerable()
return $? return $?
} }
is_cpu_specex_free()
{
# return true (0) if the CPU doesn't do speculative execution, false (1) if it does.
# if it's not in the list we know, return false (1).
# source: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/kernel/cpu/common.c#n882
# { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_CEDARVIEW, X86_FEATURE_ANY },
# { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_CLOVERVIEW, X86_FEATURE_ANY },
# { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_LINCROFT, X86_FEATURE_ANY },
# { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_PENWELL, X86_FEATURE_ANY },
# { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_PINEVIEW, X86_FEATURE_ANY },
# { X86_VENDOR_CENTAUR, 5 },
# { X86_VENDOR_INTEL, 5 },
# { X86_VENDOR_NSC, 5 },
# { X86_VENDOR_ANY, 4 },
set -u
if [ "$cpu_vendor" = GenuineIntel ]; then
if [ "$cpu_family" = 6 ]; then
if [ "$cpu_model" = "$INTEL_FAM6_ATOM_CEDARVIEW" ] || \
[ "$cpu_model" = "$INTEL_FAM6_ATOM_CLOVERVIEW" ] || \
[ "$cpu_model" = "$INTEL_FAM6_ATOM_LINCROFT" ] || \
[ "$cpu_model" = "$INTEL_FAM6_ATOM_PENWELL" ] || \
[ "$cpu_model" = "$INTEL_FAM6_ATOM_PINEVIEW" ]; then
set +u
return 0
fi
elif [ "$cpu_family" = 5 ]; then
set +u
return 0
fi
fi
set +u
[ "$cpu_family" -eq 4 ] && return 0
return 1
}
show_header() show_header()
{ {
_info "\033[1;34mSpectre and Meltdown mitigation detection tool v$VERSION\033[0m" _info "\033[1;34mSpectre and Meltdown mitigation detection tool v$VERSION\033[0m"
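Review bot: The kernel table quoted in the comment block of is_cpu_specex_free lists `{ X86_VENDOR_CENTAUR, 5 }` and `{ X86_VENDOR_NSC, 5 }`, but the code only returns 0 for family 5 when the vendor is GenuineIntel, so those two entries are documented yet unimplemented. The final check also uses `-eq` where every other comparison uses `=`; if cpu_family can be empty (no "cpu family" line in /proc/cpuinfo), `[ "" -eq 4 ]` prints an "integer expression expected" error to stderr before the function falls through to return 1. The set -u/set +u pairs unconditionally switch nounset off on every exit path, clobbering whatever the caller had set. A single case on vendor and family covers the whole table, keeps the undefined-constant check via `${VAR?}`, and needs no set toggling; the vendor strings for the two extra entries assume the script compares the raw CPUID vendor_id, as it already does for GenuineIntel.
```shell
is_cpu_specex_free()
{
	# … unchanged: comment block quoting the kernel table …
	# fail loudly if one of the model constants is misspelled/undefined rather than silently comparing against ""
	: "${INTEL_FAM6_ATOM_CEDARVIEW?}" "${INTEL_FAM6_ATOM_CLOVERVIEW?}" "${INTEL_FAM6_ATOM_LINCROFT?}" \
	  "${INTEL_FAM6_ATOM_PENWELL?}" "${INTEL_FAM6_ATOM_PINEVIEW?}"
	case "$cpu_vendor:$cpu_family" in
		GenuineIntel:6)
			case "$cpu_model" in
				"$INTEL_FAM6_ATOM_CEDARVIEW"|"$INTEL_FAM6_ATOM_CLOVERVIEW"|"$INTEL_FAM6_ATOM_LINCROFT"|\
				"$INTEL_FAM6_ATOM_PENWELL"|"$INTEL_FAM6_ATOM_PINEVIEW") return 0 ;;
			esac
			;;
		# X86_VENDOR_INTEL/CENTAUR/NSC, family 5
		GenuineIntel:5|CentaurHauls:5|"Geode by NSC":5) return 0 ;;
		# X86_VENDOR_ANY, family 4
		*:4) return 0 ;;
	esac
	return 1
}
```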