mirror of
https://github.com/speed47/spectre-meltdown-checker.git
synced 2025-01-10 03:10:26 +01:00
feat(ssbd): add detection of proper CPUID bits on AMD
parent
f4d51e7e53
commit
2cde6e4649
@ -1672,16 +1672,41 @@ check_cpu()
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# variant 4
|
# variant 4
|
||||||
_info " * Speculative Store Bypass Disable (SSBD)"
|
if is_intel; then
|
||||||
_info_nol " * CPU indicates SSBD capability: "
|
_info " * Speculative Store Bypass Disable (SSBD)"
|
||||||
read_cpuid 0x7 $EDX 31 1 1; ret=$?
|
_info_nol " * CPU indicates SSBD capability: "
|
||||||
if [ $ret -eq 0 ]; then
|
read_cpuid 0x7 $EDX 31 1 1; ret=$?
|
||||||
cpuid_ssbd=1
|
if [ $ret -eq 0 ]; then
|
||||||
pstatus green YES "SSBD feature bit"
|
cpuid_ssbd='Intel SSBD'
|
||||||
elif [ $ret -eq 1 ]; then
|
fi
|
||||||
pstatus yellow NO
|
elif is_amd; then
|
||||||
else
|
_info " * Speculative Store Bypass Disable (SSBD)"
|
||||||
|
_info_nol " * CPU indicates SSBD capability: "
|
||||||
|
read_cpuid 0x80000008 $EBX 24 1 1; ret24=$?
|
||||||
|
read_cpuid 0x80000008 $EBX 25 1 1; ret25=$?
|
||||||
|
if [ $ret24 -eq 0 ]; then
|
||||||
|
cpuid_ssbd='AMD SSBD in SPEC_CTRL'
|
||||||
|
#cpuid_ssbd_spec_ctrl=1
|
||||||
|
elif [ $ret25 -eq 0 ]; then
|
||||||
|
cpuid_ssbd='AMD SSBD in VIRT_SPEC_CTRL'
|
||||||
|
#cpuid_ssbd_virt_spec_ctrl=1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -n "$cpuid_ssbd" ]; then
|
||||||
|
pstatus green YES "$cpuid_ssbd"
|
||||||
|
elif [ "$ret24" = 2 ] && [ "$ret25" = 2 ]; then
|
||||||
pstatus yellow UNKNOWN "is cpuid kernel module available?"
|
pstatus yellow UNKNOWN "is cpuid kernel module available?"
|
||||||
|
else
|
||||||
|
pstatus yellow NO
|
||||||
|
fi
|
||||||
|
|
||||||
|
if is_amd; then
|
||||||
|
# similar to SSB_NO for intel
|
||||||
|
read_cpuid 0x80000008 $EBX 26 1 1; ret=$?
|
||||||
|
if [ $ret -eq 0 ]; then
|
||||||
|
amd_ssb_no=1
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if is_intel; then
|
if is_intel; then
|
||||||
@ -1768,15 +1793,15 @@ check_cpu()
|
|||||||
else
|
else
|
||||||
pstatus yellow NO
|
pstatus yellow NO
|
||||||
fi
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
_info_nol " * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): "
|
_info_nol " * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): "
|
||||||
if [ "$capabilities_ssb_no" = -1 ]; then
|
if [ "$capabilities_ssb_no" = -1 ]; then
|
||||||
pstatus yellow UNKNOWN
|
pstatus yellow UNKNOWN
|
||||||
elif [ "$capabilities_ssb_no" = 1 ]; then
|
elif [ "$capabilities_ssb_no" = 1 ] || [ "$amd_ssb_no" = 1 ]; then
|
||||||
pstatus green YES
|
pstatus green YES
|
||||||
else
|
else
|
||||||
pstatus yellow NO
|
pstatus yellow NO
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
_info_nol " * CPU microcode is known to cause stability problems: "
|
_info_nol " * CPU microcode is known to cause stability problems: "
|
||||||
@ -2894,7 +2919,7 @@ check_variant3a()
|
|||||||
msg=''
|
msg=''
|
||||||
|
|
||||||
_info_nol " * CPU microcode mitigates the vulnerability: "
|
_info_nol " * CPU microcode mitigates the vulnerability: "
|
||||||
if [ "$cpuid_ssbd" = 1 ]; then
|
if [ -n "$cpuid_ssbd" ]; then
|
||||||
# microcodes that ship with SSBD are known to also fix variant3a
|
# microcodes that ship with SSBD are known to also fix variant3a
|
||||||
# there is no specific cpuid bit as far as we know
|
# there is no specific cpuid bit as far as we know
|
||||||
pstatus green YES
|
pstatus green YES
|
||||||
@ -2906,7 +2931,7 @@ check_variant3a()
|
|||||||
if ! is_cpu_vulnerable 3a; then
|
if ! is_cpu_vulnerable 3a; then
|
||||||
# override status & msg in case CPU is not vulnerable after all
|
# override status & msg in case CPU is not vulnerable after all
|
||||||
pvulnstatus $cve OK "your CPU vendor reported your CPU model as not vulnerable"
|
pvulnstatus $cve OK "your CPU vendor reported your CPU model as not vulnerable"
|
||||||
elif [ "$cpuid_ssbd" = 1 ]; then
|
elif [ -n "$cpuid_ssbd" ]; then
|
||||||
pvulnstatus $cve OK "your CPU microcode mitigates the vulnerability"
|
pvulnstatus $cve OK "your CPU microcode mitigates the vulnerability"
|
||||||
else
|
else
|
||||||
pvulnstatus $cve VULN "an up-to-date CPU microcode is needed to mitigate this vulnerability"
|
pvulnstatus $cve VULN "an up-to-date CPU microcode is needed to mitigate this vulnerability"
|
||||||
@ -2960,7 +2985,7 @@ check_variant4()
|
|||||||
pvulnstatus $cve OK "your CPU vendor reported your CPU model as not vulnerable"
|
pvulnstatus $cve OK "your CPU vendor reported your CPU model as not vulnerable"
|
||||||
elif [ -z "$msg" ] || [ "$msg" = "Vulnerable" ]; then
|
elif [ -z "$msg" ] || [ "$msg" = "Vulnerable" ]; then
|
||||||
# if msg is empty, sysfs check didn't fill it, rely on our own test
|
# if msg is empty, sysfs check didn't fill it, rely on our own test
|
||||||
if [ "$cpuid_ssbd" = 1 ]; then
|
if [ -n "$cpuid_ssbd" ]; then
|
||||||
if [ -n "$kernel_ssb" ]; then
|
if [ -n "$kernel_ssb" ]; then
|
||||||
pvulnstatus $cve OK "your system provides the necessary tools for software mitigation"
|
pvulnstatus $cve OK "your system provides the necessary tools for software mitigation"
|
||||||
else
|
else
|
||||||
|
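Review bot: On Intel the shared status block in the first hunk can no longer print UNKNOWN, because the Intel branch only stores `ret` while the new test reads `[ "$ret24" = 2 ] && [ "$ret25" = 2 ]`. A `read_cpuid 0x7 $EDX 31 1 1` result other than 0 or 1, which the removed code reported as UNKNOWN "is cpuid kernel module available?", now falls through to `pstatus yellow NO`, so an unreadable CPUID is shown as a missing SSBD capability. Each branch could set one flag instead, e.g. `[ $ret -eq 2 ] && cpuid_ssbd_unknown=1` on Intel and `[ $ret24 -eq 2 ] && [ $ret25 -eq 2 ] && cpuid_ssbd_unknown=1` on AMD, with the shared block testing `[ "$cpuid_ssbd_unknown" = 1 ]`. In the SSB_NO hunk the `[ "$capabilities_ssb_no" = -1 ]` test still runs before the new `amd_ssb_no` test, so if that variable stays -1 on AMD (its assignment is outside the visible lines) the AMD bit would never be reported as YES. check_cpu() starts and ends outside these hunks.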