L1TF/Linux: fix Mitigation 2 against --sysfs options

Information about the 2nd mitigation to L1TF is gathered in various ways.

Some are available under /sys, and hence should be checked when
we're invoked without parameters, and with `--sysfs-only`, while
they should be ignored when we are invoked with `--no-sysfs`.

Some others use other sources, and hence should be ignored if
we are invoked with `--sysfs-only`.
Dario Faggioli
2019-04-18 18:18:40 +02:00
parent 5e35f0a711
commit 26a5fe018a


@@ -3783,7 +3783,6 @@ check_CVE_2018_3646_linux()
status=UNK status=UNK
sys_interface_available=0 sys_interface_available=0
msg='' msg=''
l1d_mode=-1
has_vmm=$opt_vmm has_vmm=$opt_vmm
if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/l1tf" 'VMX:.*' silent; then if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/l1tf" 'VMX:.*' silent; then
@@ -3864,7 +3863,6 @@ check_CVE_2018_3646_linux()
fi fi
fi fi
if [ "$opt_sysfs_only" != 1 ]; then
_info "* Mitigation 2" _info "* Mitigation 2"
_info_nol " * L1D flush is supported by kernel: " _info_nol " * L1D flush is supported by kernel: "
if [ "$opt_live" = 1 ] && grep -qw flush_l1d "$procfs/cpuinfo"; then if [ "$opt_live" = 1 ] && grep -qw flush_l1d "$procfs/cpuinfo"; then
@@ -3879,7 +3877,6 @@ check_CVE_2018_3646_linux()
l1d_kernel='found flush_l1d in kernel image' l1d_kernel='found flush_l1d in kernel image'
fi fi
fi fi
if [ -n "$l1d_kernel" ]; then if [ -n "$l1d_kernel" ]; then
pstatus green YES "$l1d_kernel" pstatus green YES "$l1d_kernel"
elif [ -n "$l1d_kernel_err" ]; then elif [ -n "$l1d_kernel_err" ]; then
@@ -3888,6 +3885,8 @@ check_CVE_2018_3646_linux()
pstatus yellow NO pstatus yellow NO
fi fi
l1d_mode=-1
if [ "$opt_sysfs_only" != 1 ]; then
_info_nol " * L1D flush enabled: " _info_nol " * L1D flush enabled: "
if [ "$opt_live" = 1 ]; then if [ "$opt_live" = 1 ]; then
if [ -r "/sys/devices/system/cpu/vulnerabilities/l1tf" ]; then if [ -r "/sys/devices/system/cpu/vulnerabilities/l1tf" ]; then
@@ -3916,7 +3915,10 @@ check_CVE_2018_3646_linux()
l1d_mode=-1 l1d_mode=-1
pstatus blue N/A "not testable in offline mode" pstatus blue N/A "not testable in offline mode"
fi fi
fi
if [ "$opt_no_sysfs" != 1 ]; then
_info_nol " * Hardware-backed L1D flush supported: " _info_nol " * Hardware-backed L1D flush supported: "
if [ "$opt_live" = 1 ]; then if [ "$opt_live" = 1 ]; then
if grep -qw flush_l1d "$procfs/cpuinfo"; then if grep -qw flush_l1d "$procfs/cpuinfo"; then
@@ -3927,7 +3929,10 @@ check_CVE_2018_3646_linux()
else else
pstatus blue N/A "not testable in offline mode" pstatus blue N/A "not testable in offline mode"
fi fi
fi
smt_enabled=-1
if [ "$opt_sysfs_only" != 1 ]; then
_info_nol " * Hyper-Threading (SMT) is enabled: " _info_nol " * Hyper-Threading (SMT) is enabled: "
is_cpu_smt_enabled; smt_enabled=$? is_cpu_smt_enabled; smt_enabled=$?
if [ "$smt_enabled" = 0 ]; then if [ "$smt_enabled" = 0 ]; then
@@ -3952,6 +3957,8 @@ check_CVE_2018_3646_linux()
else else
pvulnstatus $cve VULN "disable EPT or enabled L1D flushing to mitigate the vulnerability" pvulnstatus $cve VULN "disable EPT or enabled L1D flushing to mitigate the vulnerability"
fi fi
elif [ "$smt_enabled" = -1 ]; then
pvulnstatus $cve UNK "could not figure out whether SMT is enabled or not"
else else
if [ "$l1d_mode" -ge 2 ]; then if [ "$l1d_mode" -ge 2 ]; then
if [ "$smt_enabled" = 1 ]; then if [ "$smt_enabled" = 1 ]; then
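Review bot: The new `elif [ "$smt_enabled" = -1 ]` arm in the last hunk reports `UNK "could not figure out whether SMT is enabled or not"`, but as far as the visible lines show -1 is only the default assigned in the `-3927` hunk just before the `opt_sysfs_only` guard, and `smt_enabled=$?` can never be negative, so this arm is reached when the SMT check was skipped under `--sysfs-only`, not when detection failed. A message that says so, e.g. `pvulnstatus $cve UNK "SMT status was not checked (sysfs-only mode)"`, keeps the report honest; if a branch outside the hunk resets it to -1 on a real failure, the wording should cover both cases. Separately, in the `-3916` hunk the "Hardware-backed L1D flush supported" block is now skipped only under `--no-sysfs`, yet its live path greps `$procfs/cpuinfo` rather than anything under /sys, so a one-line comment explaining why this check counts as a sysfs source (or placing it under the `opt_sysfs_only` guard like the neighbouring checks) would help the next reader. check_CVE_2018_3646_linux starts and ends outside these hunks.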