feat(ssbd): add detection of proper CPUID bits on AMD

Stéphane Lesimple 2018-05-23 22:50:52 +02:00
parent f4d51e7e53
commit 2cde6e4649


@ -1672,16 +1672,41 @@ check_cpu()
fi fi
# variant 4 # variant 4
if is_intel; then
_info " * Speculative Store Bypass Disable (SSBD)" _info " * Speculative Store Bypass Disable (SSBD)"
_info_nol " * CPU indicates SSBD capability: " _info_nol " * CPU indicates SSBD capability: "
read_cpuid 0x7 $EDX 31 1 1; ret=$? read_cpuid 0x7 $EDX 31 1 1; ret=$?
if [ $ret -eq 0 ]; then if [ $ret -eq 0 ]; then
cpuid_ssbd=1 cpuid_ssbd='Intel SSBD'
pstatus green YES "SSBD feature bit" fi
elif [ $ret -eq 1 ]; then elif is_amd; then
pstatus yellow NO _info " * Speculative Store Bypass Disable (SSBD)"
else _info_nol " * CPU indicates SSBD capability: "
read_cpuid 0x80000008 $EBX 24 1 1; ret24=$?
read_cpuid 0x80000008 $EBX 25 1 1; ret25=$?
if [ $ret24 -eq 0 ]; then
cpuid_ssbd='AMD SSBD in SPEC_CTRL'
#cpuid_ssbd_spec_ctrl=1
elif [ $ret25 -eq 0 ]; then
cpuid_ssbd='AMD SSBD in VIRT_SPEC_CTRL'
#cpuid_ssbd_virt_spec_ctrl=1
fi
fi
if [ -n "$cpuid_ssbd" ]; then
pstatus green YES "$cpuid_ssbd"
elif [ "$ret24" = 2 ] && [ "$ret25" = 2 ]; then
pstatus yellow UNKNOWN "is cpuid kernel module available?" pstatus yellow UNKNOWN "is cpuid kernel module available?"
else
pstatus yellow NO
fi
if is_amd; then
# similar to SSB_NO for intel
read_cpuid 0x80000008 $EBX 26 1 1; ret=$?
if [ $ret -eq 0 ]; then
amd_ssb_no=1
fi
fi fi
if is_intel; then if is_intel; then
@ -1768,16 +1793,16 @@ check_cpu()
else else
pstatus yellow NO pstatus yellow NO
fi fi
fi
_info_nol " * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): " _info_nol " * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): "
if [ "$capabilities_ssb_no" = -1 ]; then if [ "$capabilities_ssb_no" = -1 ]; then
pstatus yellow UNKNOWN pstatus yellow UNKNOWN
elif [ "$capabilities_ssb_no" = 1 ]; then elif [ "$capabilities_ssb_no" = 1 ] || [ "$amd_ssb_no" = 1 ]; then
pstatus green YES pstatus green YES
else else
pstatus yellow NO pstatus yellow NO
fi fi
fi
_info_nol " * CPU microcode is known to cause stability problems: " _info_nol " * CPU microcode is known to cause stability problems: "
if is_ucode_blacklisted; then if is_ucode_blacklisted; then
@ -2894,7 +2919,7 @@ check_variant3a()
msg='' msg=''
_info_nol " * CPU microcode mitigates the vulnerability: " _info_nol " * CPU microcode mitigates the vulnerability: "
if [ "$cpuid_ssbd" = 1 ]; then if [ -n "$cpuid_ssbd" ]; then
# microcodes that ship with SSBD are known to also fix variant3a # microcodes that ship with SSBD are known to also fix variant3a
# there is no specific cpuid bit as far as we know # there is no specific cpuid bit as far as we know
pstatus green YES pstatus green YES
@ -2906,7 +2931,7 @@ check_variant3a()
if ! is_cpu_vulnerable 3a; then if ! is_cpu_vulnerable 3a; then
# override status & msg in case CPU is not vulnerable after all # override status & msg in case CPU is not vulnerable after all
pvulnstatus $cve OK "your CPU vendor reported your CPU model as not vulnerable" pvulnstatus $cve OK "your CPU vendor reported your CPU model as not vulnerable"
elif [ "$cpuid_ssbd" = 1 ]; then elif [ -n "$cpuid_ssbd" ]; then
pvulnstatus $cve OK "your CPU microcode mitigates the vulnerability" pvulnstatus $cve OK "your CPU microcode mitigates the vulnerability"
else else
pvulnstatus $cve VULN "an up-to-date CPU microcode is needed to mitigate this vulnerability" pvulnstatus $cve VULN "an up-to-date CPU microcode is needed to mitigate this vulnerability"
@ -2960,7 +2985,7 @@ check_variant4()
pvulnstatus $cve OK "your CPU vendor reported your CPU model as not vulnerable" pvulnstatus $cve OK "your CPU vendor reported your CPU model as not vulnerable"
elif [ -z "$msg" ] || [ "$msg" = "Vulnerable" ]; then elif [ -z "$msg" ] || [ "$msg" = "Vulnerable" ]; then
# if msg is empty, sysfs check didn't fill it, rely on our own test # if msg is empty, sysfs check didn't fill it, rely on our own test
if [ "$cpuid_ssbd" = 1 ]; then if [ -n "$cpuid_ssbd" ]; then
if [ -n "$kernel_ssb" ]; then if [ -n "$kernel_ssb" ]; then
pvulnstatus $cve OK "your system provides the necessary tools for software mitigation" pvulnstatus $cve OK "your system provides the necessary tools for software mitigation"
else else