Enhanced IBRS capabilities

There are two flavors of IBRS: plain and enhanced. This patch tells which flavor of IBRS is in use.
Agata Gruza 2019-07-29 16:56:54 -07:00 committed by Stéphane Lesimple
parent 91d0699029
commit 482d6c200a
1 changed files with 18 additions and 2 deletions


@ -2939,6 +2939,8 @@ check_CVE_2017_5715_linux()
ibpb_can_tell=0
ibpb_supported=''
ibpb_enabled=''
need_enhanced_ibrs=0
enhanced_ibrs=''
if [ "$opt_live" = 1 ]; then
# in live mode, we can check for the ibrs_enabled file in debugfs
@ -3004,6 +3006,11 @@ check_CVE_2017_5715_linux()
[ -z "$ibrs_supported" ] && ibrs_supported='found IBRS in sysfs'
[ -z "$ibrs_enabled" ] && ibrs_enabled=3
fi
# checking for 'Enhanced IBRS' in sysfs
if echo "$fullmsg" | grep -q -e 'Enhanced IBRS'; then
need_enhanced_ibrs=1
enhanced_ibrs="Enhanced"
fi
fi
# in live mode, if ibrs or ibpb is supported and we didn't find these are enabled, then they are not
[ -n "$ibrs_supported" ] && [ -z "$ibrs_enabled" ] && ibrs_enabled=0
@ -3049,7 +3056,7 @@ check_CVE_2017_5715_linux()
fi
fi
fi
_info_nol " * Kernel is compiled with IBRS support: "
if [ -z "$ibrs_supported" ]; then
if [ "$ibrs_can_tell" = 1 ]; then
@ -3066,7 +3073,11 @@ check_CVE_2017_5715_linux()
fi
fi
_info_nol " * IBRS enabled and active: "
if [ "$need_enhanced_ibrs" = 1 ]; then
_info_nol " * $enhanced_ibrs IBRS enabled and active: "
else
_info_nol " * IBRS enabled and active: "
fi
if [ "$opt_live" = 1 ]; then
if [ "$ibpb_enabled" = 2 ]; then
# if ibpb=2, ibrs is forcefully=0
@ -3298,6 +3309,11 @@ check_CVE_2017_5715_linux()
fi
elif [ -n "$ibrs_enabled" ] && [ -n "$ibpb_enabled" ] && [ "$ibrs_enabled" -ge 1 ] && [ "$ibpb_enabled" -ge 1 ]; then
pvulnstatus $cve OK "IBRS + IBPB are mitigating the vulnerability"
if [ "$need_enhanced_ibrs" = 1 ]; then
pvulnstatus $cve OK "$enhanced_ibrs IBRS + IBPB are mitigating the vulnerability"
else
pvulnstatus $cve OK "IBRS + IBPB are mitigating the vulnerability"
fi
elif [ "$ibpb_enabled" = 2 ] && ! is_cpu_smt_enabled; then
pvulnstatus $cve OK "Full IBPB is mitigating the vulnerability"
elif [ -n "$bp_harden" ]; then
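Review bot: In the last hunk (`-3298,6 +3309,11`), the unconditional `pvulnstatus $cve OK "IBRS + IBPB are mitigating the vulnerability"` directly under the `elif` appears to remain on the new side, so the added `if`/`else` reports the same verdict a second time. The `+`/`-` markers are lost on this page, but the hunk's 6-to-11 line counts and the 18 additions / 2 deletions total only fit if that line is context. Drop that first call so the status is emitted exactly once, either plain or with the `$enhanced_ibrs` prefix. If `pvulnstatus` also records results for machine-readable output (its body is not in the diff), a duplicate entry for the same CVE could mislead whatever consumes the scan, so that is worth checking. `check_CVE_2017_5715_linux` begins and ends outside these hunks.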