L1TF/Linux: Fix "running an hypervisor" detection via sysfs
If we can look in `/sys/devices/system/cpu/vulnerabilities/l1tf`, and we find 'VMX' in it, it means we can run KVM guests, and hence we are running as a hypervisor.

Right now, on a system with VMX enabled, with KVM guests running, and booted with "l1tf=off", I see this:

```
CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
* Information from the /sys interface: VMX: vulnerable
* This system is a host running a hypervisor: NO
... ... ...
* L1D flush enabled: NO
> STATUS: NOT VULNERABLE (this system is not running a hypervisor)
```

Which is wrong. In fact, as said, guests are running, so we are a hypervisor, and with "l1tf=off" (and hence L1D flush disabled) we are vulnerable.
parent 2cfae92cb0
commit 5e83e2cfa4
```diff
@@ -3785,9 +3785,15 @@ check_CVE_2018_3646_linux()
 	msg=''
 	l1d_mode=-1
 
+	has_vmm=$opt_vmm
+	if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/l1tf" 'VMX:.*' silent; then
+		# if we can use /sys, and it has 'VMX', we are can run VMs
+		if [ "$opt_vmm" != 0 ]; then
+			has_vmm=1;
+		fi
+	fi
 	if [ "$opt_sysfs_only" != 1 ]; then
 		_info_nol "* This system is a host running a hypervisor: "
-		has_vmm=$opt_vmm
 		if [ "$has_vmm" = -1 ]; then
 			# Assumed to be running on bare metal unless evidence of vm is found.
 			has_vmm=0
```
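Review bot: the new sysfs branch turns a capability into a status without saying so: both the commit message and the added comment ("we are can run VMs", which also has a typo) describe a `VMX:` entry in `/sys/devices/system/cpu/vulnerabilities/l1tf` as meaning the host *can* run KVM guests, yet the code sets `has_vmm=1`, which `_info_nol` then reports as "This system is a host running a hypervisor". A host with KVM available but no guests will now be reported as running a hypervisor (and hence as vulnerable when L1D flush is off), which is the conservative outcome but should be stated explicitly. Suggest rewording the comment to "if we can use /sys and it reports VMX, this host can run VMs, so treat it as a hypervisor unless $opt_vmm was explicitly set to 0", and dropping the stray `;` after `has_vmm=1`. Note also that, because this block now sits before `if [ "$opt_sysfs_only" != 1 ]`, the sysfs-derived `has_vmm` applies in sysfs-only mode too, whereas the removed `has_vmm=$opt_vmm` only ran outside it; that looks intended and is worth a line in the commit message.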