mirror of
https://github.com/speed47/spectre-meltdown-checker.git
synced 2024-12-05 02:38:04 +01:00
Slightly improved Docker configuration (#230)
* Listed the required volumes in the Dockerfile. * Added docker-compose.yml for convenience as users won't need to manually specify volumes and stuff when running through docker-compose. Adjusted README.md to reflect this change.
This commit is contained in:
parent
afb36c519d
commit
42a3a61f1d
@ -5,3 +5,7 @@ RUN apk --update --no-cache add kmod binutils grep perl
|
||||
COPY . /check
|
||||
|
||||
ENTRYPOINT ["/check/spectre-meltdown-checker.sh"]
|
||||
|
||||
VOLUME /boot
|
||||
VOLUME /dev/cpu
|
||||
VOLUME /lib/modules
|
||||
|
36
README.md
36
README.md
@ -2,14 +2,11 @@ Spectre & Meltdown Checker
|
||||
==========================
|
||||
|
||||
A shell script to tell if your system is vulnerable against the several "speculative execution" CVEs that were made public in 2018.
|
||||
- CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
|
||||
- CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
|
||||
- CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
|
||||
- CVE-2018-3640 [rogue system register read] aka 'Variant 3a'
|
||||
- CVE-2018-3639 [speculative store bypass] aka 'Variant 4'
|
||||
- CVE-2018-3615, CVE-2018-3620, CVE-2018-3646 [L1 terminal fault] aka 'Foreshadow & Foreshadow-NG'
|
||||
|
||||
**2018-08-15: Foreshadow support is being worked on, vulnerable/immune CPUs are already detected, and kernel-reported vulnerability status is checked, but manual mitigation detection is currently being implemented, will be available in the next few days**
|
||||
- CVE-2017-5753 aka Spectre Variant 1
|
||||
- CVE-2017-5715 aka Spectre Variant 2
|
||||
- CVE-2017-5754 aka Meltdown or Variant 3
|
||||
- CVE-2018-3640 aka Variant 3a
|
||||
- CVE-2018-3639 aka Variant 4
|
||||
|
||||
Supported operating systems:
|
||||
- Linux (all versions, flavors and distros)
|
||||
@ -49,9 +46,18 @@ sudo ./spectre-meltdown-checker.sh
|
||||
|
||||
### Run the script in a docker container
|
||||
|
||||
#### With docker-compose
|
||||
|
||||
```shell
|
||||
docker-compose build
|
||||
docker-compose run --rm spectre-meltdown-checker
|
||||
```
|
||||
|
||||
#### Without docker-compose
|
||||
|
||||
```shell
|
||||
docker build -t spectre-meltdown-checker .
|
||||
docker run --rm --privileged -v /boot:/boot:ro -v /lib/modules:/lib/modules:ro -v /dev/cpu:/dev/cpu:ro spectre-meltdown-checker
|
||||
docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker
|
||||
```
|
||||
|
||||
## Example of script output
|
||||
@ -101,18 +107,6 @@ docker run --rm --privileged -v /boot:/boot:ro -v /lib/modules:/lib/modules:ro -
|
||||
- Mitigation: microcode update + kernel update making possible for affected software to protect itself
|
||||
- Performance impact of the mitigation: low to medium
|
||||
|
||||
**CVE-2018-3615** l1 terminal fault (Foreshadow)
|
||||
|
||||
- TBC
|
||||
|
||||
**CVE-2018-3620** l1 terminal fault (Foreshadow-NG)
|
||||
|
||||
- TBC
|
||||
|
||||
**CVE-2018-3646** l1 terminal fault (Foreshadow-NG)
|
||||
|
||||
- TBC
|
||||
|
||||
## Understanding what this script does and doesn't
|
||||
|
||||
This tool does its best to determine whether your system is immune (or has proper mitigations in place) for the collectively named "speculative execution" vulnerabilities. It doesn't attempt to run any kind of exploit, and can't guarantee that your system is secure, but rather helps you verifying whether your system has the known correct mitigations in place.
|
||||
|
15
docker-compose.yml
Normal file
15
docker-compose.yml
Normal file
@ -0,0 +1,15 @@
|
||||
version: '2'
|
||||
|
||||
services:
|
||||
spectre-meltdown-checker:
|
||||
build:
|
||||
context: ./
|
||||
dockerfile: ./Dockerfile
|
||||
image: spectre-meltdown-checker:latest
|
||||
container_name: spectre-meltdown-checker
|
||||
privileged: true
|
||||
network_mode: none
|
||||
volumes:
|
||||
- /boot:/boot:ro
|
||||
- /dev/cpu:/dev/cpu:ro
|
||||
- /lib/modules:/lib/modules:ro
|
Loading…
Reference in New Issue
Block a user