Browse Source

chore: fix indentation

pull/365/head
Stéphane Lesimple 2 years ago
parent
commit
2f2c160a79
  1. 208
      spectre-meltdown-checker.sh

208
spectre-meltdown-checker.sh

@ -1,5 +1,6 @@ @@ -1,5 +1,6 @@
#! /bin/sh
# SPDX-License-Identifier: GPL-3.0-only
# vim: set ts=8 sw=8 sts=4 noet:
#
# Spectre & Meltdown checker
#
@ -719,7 +720,10 @@ is_cpu_srbds_free() @@ -719,7 +720,10 @@ is_cpu_srbds_free()
# source: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/kernel/cpu/common.c
#
# A processor is affected by SRBDS if its Family_Model and stepping is in the
# following list:
# following list, with the exception of the listed processors
# exporting MDS_NO while Intel TSX is available yet not enabled. The
# latter class of processors are only affected when Intel TSX is enabled
# by software using TSX_CTRL_MSR otherwise they are not affected.
#
# ============= ============ ========
# common name Family_Model Stepping
@ -741,16 +745,16 @@ is_cpu_srbds_free() @@ -741,16 +745,16 @@ is_cpu_srbds_free()
# Kabylake 06_9EH <=0xD (MDS_NO) (INTEL_FAM6_KABYLAKE)
# ============= ============ ========
parse_cpu_details
if is_intel; then
if [ "$cpu_family" = 6 ]; then
if [ "$cpu_model" = "$INTEL_FAM6_IVYBRIDGE" ] || \
[ "$cpu_model" = "$INTEL_FAM6_HASWELL" ] || \
[ "$cpu_model" = "$INTEL_FAM6_HASWELL_L" ] || \
[ "$cpu_model" = "$INTEL_FAM6_HASWELL_G" ] || \
[ "$cpu_model" = "$INTEL_FAM6_BROADWELL_G" ] || \
[ "$cpu_model" = "$INTEL_FAM6_BROADWELL" ] || \
[ "$cpu_model" = "$INTEL_FAM6_SKYLAKE_L" ] || \
[ "$cpu_model" = "$INTEL_FAM6_SKYLAKE" ]; then
if is_intel; then
if [ "$cpu_family" = 6 ]; then
if [ "$cpu_model" = "$INTEL_FAM6_IVYBRIDGE" ] || \
[ "$cpu_model" = "$INTEL_FAM6_HASWELL" ] || \
[ "$cpu_model" = "$INTEL_FAM6_HASWELL_L" ] || \
[ "$cpu_model" = "$INTEL_FAM6_HASWELL_G" ] || \
[ "$cpu_model" = "$INTEL_FAM6_BROADWELL_G" ] || \
[ "$cpu_model" = "$INTEL_FAM6_BROADWELL" ] || \
[ "$cpu_model" = "$INTEL_FAM6_SKYLAKE_L" ] || \
[ "$cpu_model" = "$INTEL_FAM6_SKYLAKE" ]; then
return 1
elif [ "$cpu_model" = "$INTEL_FAM6_KABYLAKE_L" ] && [ "$cpu_stepping" -le 12 ] || \
[ "$cpu_model" = "$INTEL_FAM6_KABYLAKE" ] && [ "$cpu_stepping" -le 13 ]; then
@ -5363,97 +5367,97 @@ check_CVE_2020_0543() @@ -5363,97 +5367,97 @@ check_CVE_2020_0543()
check_CVE_2020_0543_linux()
{
status=UNK
sys_interface_available=0
msg=''
if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/srbds"; then
# this kernel has the /sys interface, trust it over everything
sys_interface_available=1
fi
if [ "$opt_sysfs_only" != 1 ]; then
_info_nol "* SRBDS mitigation control is supported by the kernel: "
kernel_srbds=''
if [ -n "$kernel_err" ]; then
kernel_srbds_err="$kernel_err"
elif grep -q 'Dependent on hypervisor' "$kernel"; then
kernel_srbds="found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation"
fi
if [ -n "$kernel_srbds" ]; then
pstatus green YES "$kernel_srbds"
elif [ -n "$kernel_srbds_err" ]; then
pstatus yellow UNKNOWN "$kernel_srbds_err"
else
pstatus yellow NO
fi
_info_nol "* SRBDS mitigation control is enabled and active: "
if [ "$opt_live" = 1 ]; then
if [ -n "$fullmsg" ]; then
if echo "$fullmsg" | grep -qE '^Mitigation'; then
pstatus green YES "$fullmsg"
else
pstatus yellow NO
fi
else
pstatus yellow NO "SRBDS not found in sysfs hierarchy"
fi
else
pstatus blue N/A "not testable in offline mode"
fi
elif [ "$sys_interface_available" = 0 ]; then
# we have no sysfs but were asked to use it only!
msg="/sys vulnerability interface use forced, but it's not available!"
status=UNK
fi
if ! is_cpu_vulnerable "$cve" ; then
# override status & msg in case CPU is not vulnerable after all
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not vulnerable"
else
if [ "$opt_sysfs_only" != 1 ]; then
if [ "$cpuid_srbds" = 1 ]; then
# SRBDS mitigation control exists
if [ "$srbds_on" = 1 ]; then
# SRBDS mitigation control is enabled
if [ -z "$msg" ]; then
# if msg is empty, sysfs check didn't fill it, rely on our own test
if [ "$opt_live" = 1 ]; then
# if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old
pvulnstatus "$cve" OK "Your microcode is up to date for SRBDS mitigation control. The kernel needs to be updated"
fi
else
if [ -n "$kernel_srbds" ]; then
pvulnstatus "$cve" OK "Your microcode and kernel are both up to date for SRBDS mitigation control. Mitigation is enabled"
else
pvulnstatus "$cve" OK "Your microcode is up to date for SRBDS mitigation control. The kernel needs to be updated"
fi
fi
elif [ "$srbds_on" = 0 ]; then
# SRBDS mitigation control is disabled
if [ -z "$msg" ]; then
if [ "$opt_live" = 1 ]; then
# if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old
pvulnstatus "$cve" VULN "Your microcode is up to date for SRBDS mitigation control. The kernel needs to be updated. Mitigation is disabled"
fi
else
if [ -n "$kernel_srbds" ]; then
pvulnstatus "$cve" VULN "Your microcode and kernel are both up to date for SRBDS mitigation control. Mitigation is disabled"
else
pvulnstatus "$cve" VULN "Your microcode is up to date for SRBDS mitigation control. The kernel needs to be updated. Mitigation is disabled"
fi
fi
else
# rdmsr: CPU 0 cannot read MSR 0x00000123
pvulnstatus "$cve" UNK "Not able to enumerate MSR for SRBDS mitigation control"
fi
else
# [ $cpuid_srbds != 1 ]
pvulnstatus "$cve" VULN "Your CPU microcode may need to be updated to mitigate the vulnerability"
fi
else
# sysfs only: return the status/msg we got
pvulnstatus "$cve" "$status" "$fullmsg"
return
fi
fi
status=UNK
sys_interface_available=0
msg=''
if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/srbds"; then
# this kernel has the /sys interface, trust it over everything
sys_interface_available=1
fi
if [ "$opt_sysfs_only" != 1 ]; then
_info_nol "* SRBDS mitigation control is supported by the kernel: "
kernel_srbds=''
if [ -n "$kernel_err" ]; then
kernel_srbds_err="$kernel_err"
elif grep -q 'Dependent on hypervisor' "$kernel"; then
kernel_srbds="found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation"
fi
if [ -n "$kernel_srbds" ]; then
pstatus green YES "$kernel_srbds"
elif [ -n "$kernel_srbds_err" ]; then
pstatus yellow UNKNOWN "$kernel_srbds_err"
else
pstatus yellow NO
fi
_info_nol "* SRBDS mitigation control is enabled and active: "
if [ "$opt_live" = 1 ]; then
if [ -n "$fullmsg" ]; then
if echo "$fullmsg" | grep -qE '^Mitigation'; then
pstatus green YES "$fullmsg"
else
pstatus yellow NO
fi
else
pstatus yellow NO "SRBDS not found in sysfs hierarchy"
fi
else
pstatus blue N/A "not testable in offline mode"
fi
elif [ "$sys_interface_available" = 0 ]; then
# we have no sysfs but were asked to use it only!
msg="/sys vulnerability interface use forced, but it's not available!"
status=UNK
fi
if ! is_cpu_vulnerable "$cve" ; then
# override status & msg in case CPU is not vulnerable after all
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not vulnerable"
else
if [ "$opt_sysfs_only" != 1 ]; then
if [ "$cpuid_srbds" = 1 ]; then
# SRBDS mitigation control exists
if [ "$srbds_on" = 1 ]; then
# SRBDS mitigation control is enabled
if [ -z "$msg" ]; then
# if msg is empty, sysfs check didn't fill it, rely on our own test
if [ "$opt_live" = 1 ]; then
# if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old
pvulnstatus "$cve" OK "Your microcode is up to date for SRBDS mitigation control. The kernel needs to be updated"
fi
else
if [ -n "$kernel_srbds" ]; then
pvulnstatus "$cve" OK "Your microcode and kernel are both up to date for SRBDS mitigation control. Mitigation is enabled"
else
pvulnstatus "$cve" OK "Your microcode is up to date for SRBDS mitigation control. The kernel needs to be updated"
fi
fi
elif [ "$srbds_on" = 0 ]; then
# SRBDS mitigation control is disabled
if [ -z "$msg" ]; then
if [ "$opt_live" = 1 ]; then
# if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old
pvulnstatus "$cve" VULN "Your microcode is up to date for SRBDS mitigation control. The kernel needs to be updated. Mitigation is disabled"
fi
else
if [ -n "$kernel_srbds" ]; then
pvulnstatus "$cve" VULN "Your microcode and kernel are both up to date for SRBDS mitigation control. Mitigation is disabled"
else
pvulnstatus "$cve" VULN "Your microcode is up to date for SRBDS mitigation control. The kernel needs to be updated. Mitigation is disabled"
fi
fi
else
# rdmsr: CPU 0 cannot read MSR 0x00000123
pvulnstatus "$cve" UNK "Not able to enumerate MSR for SRBDS mitigation control"
fi
else
# [ $cpuid_srbds != 1 ]
pvulnstatus "$cve" VULN "Your CPU microcode may need to be updated to mitigate the vulnerability"
fi
else
# sysfs only: return the status/msg we got
pvulnstatus "$cve" "$status" "$fullmsg"
return
fi
fi
}
#######################

Loading…
Cancel
Save