Merge pull request #1 from speed47/master

merge

Dockerfile

@@ -0,0 +1,7 @@
+FROM alpine:3.7
+
+RUN apk --update --no-cache add kmod binutils grep perl
+
+COPY . /check
+
+ENTRYPOINT ["/check/spectre-meltdown-checker.sh"]

README.md

@@ -44,6 +44,13 @@ chmod +x spectre-meltdown-checker.sh
 sudo ./spectre-meltdown-checker.sh
 ```
 
+### Run the script in a docker container
+
+```shell
+docker build -t spectre-meltdown-checker .
+docker run --rm --privileged -v /boot:/boot:ro -v /lib/modules:/lib/modules:ro -v /dev/cpu:/dev/cpu:ro spectre-meltdown-checker
+```
+
 ## Example of script output
 
 - Intel Haswell CPU running under Ubuntu 16.04 LTS

spectre-meltdown-checker.sh

@@ -345,58 +345,59 @@ is_cpu_vulnerable()
 				# part   ?  ? 0xc09 0xc0f 0xc0e 0xd07 0xd08  0xd09  0xd0a
 				# arch  7? 7? 7     7     7     8     8      8      8
 				#
-				# variant 1 & variant 2
-				if [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -Eq '^0x(c09|c0f|c0e)$'; then
-					# armv7 vulnerable chips
-					_debug "checking cpu$i: this armv7 vulnerable to spectre 1 & 2"
+				# Whitelist identified non-vulnerable processors, use vulnerability information from 
+				# https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
+				#
+				# Maintain cumulative check of vulnerabilities -
+				# if at least one of the cpu is vulnerable, then the system is vulnerable
+				if [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -Eq '^0x(c0[89ce])$'; then
 					variant1=vuln
 					variant2=vuln
-				elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -Eq '^0x(d07|d08|d09|d0a)$'; then
-					# armv8 vulnerable chips
-					_debug "checking cpu$i: this armv8 vulnerable to spectre 1 & 2"
-					variant1=vuln
-					variant2=vuln
-				else
-					_debug "checking cpu$i: this arm non vulnerable to 1 & 2"
-					# others are not vulnerable
-					[ -z "$variant1" ] && variant1=immune
-					[ -z "$variant2" ] && variant2=immune
-				fi
-
-				# for variant3, only A75 is vulnerable
-				if [ "$cpuarch" = 8 ] && [ "$cpupart" = 0xd0a ]; then
-					_debug "checking cpu$i: arm A75 vulnerable to meltdown"
-					variant3=vuln
-				else
-					_debug "checking cpu$i: this arm non vulnerable to meltdown"
 					[ -z "$variant3" ] && variant3=immune
-				fi
-
-				# for variant3a, only A15/A57/A72 are vulnerable
-				if [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -Eq '^0x(c0f|d07|d0a)$'; then
-					_debug "checking cpu$i: arm A15-A57-A72 vulnerable to variant3a"
-					variant3a=vuln
-				else
-					_debug "checking cpu$i: this arm non vulnerable to variant3a"
 					[ -z "$variant3a" ] && variant3a=immune
-				fi
-
-				# for variant4, only A57-72-73-75 are vulnerable
-				if [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -Eq '^0xd0[789a]$'; then
-					_debug "checking cpu$i: arm A57-A72-A73-A75 vulnerable to variant4"
-					variant4=vuln
-				else
-					_debug "checking cpu$i: this arm non vulnerable to variant4"
 					[ -z "$variant4" ] && variant4=immune
+					_debug "checking cpu$i: this armv7 non vulnerable to variants 3, 3a & 4"
+				elif [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -Eq '^0x(c0f)$'; then
+					variant1=vuln
+					variant2=vuln
+					[ -z "$variant3" ] && variant3=immune
+					variant3=vuln
+					[ -z "$variant4" ] && variant4=immune
+					_debug "checking cpu$i: this armv7 non vulnerable to variants 3 & 4"
+				elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -Eq '^0x(d07|d08)$'; then
+					variant1=vuln
+					variant2=vuln
+					variant3=vuln
+					[ -z "$variant3a" ] && variant3a=immune
+					[ -z "$variant4" ] && variant4=immune
+					_debug "checking cpu$i: this armv7 non vulnerable to variants 3a & 4"
+				elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -Eq '^0x(d09|d0b)$'; then
+					variant1=vuln
+					variant2=vuln
+					[ -z "$variant3" ] && variant3=immune
+					[ -z "$variant3a" ] && variant3a=immune
+					variant4=vuln
+					_debug "checking cpu$i: this armv8 non vulnerable to variants 3 & 3a"
+				elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -Eq '^0x(c0a)$'; then
+					variant1=vuln
+					variant2=vuln
+					variant3=vuln
+					[ -z "$variant3a" ] && variant3a=immune
+					variant4=vuln
+					_debug "checking cpu$i: this armv8 non vulnerable to variant 3a"
+				else
+					variant1=vuln
+					variant2=vuln
+					variant3=vuln
+					variant3a=vuln
+					variant4=vuln
+					_debug "checking cpu$i: this arm unknown"
 				fi
 			fi
 			_debug "is_cpu_vulnerable: for cpu$i and so far, we have <$variant1> <$variant2> <$variant3> <$variant3a> <$variant4>"
 		done
 	fi
-	# from the information we have for now, it seems that CPUs that are vulnerable to variant1 are also vulnerable to variant4
-	[ -z "$variant4" ] && variant4=$variant1
 	_debug "is_cpu_vulnerable: temp results are <$variant1> <$variant2> <$variant3> <$variant3a> <$variant4>"
-	# if at least one of the cpu is vulnerable, then the system is vulnerable
 	[ "$variant1"  = "immune" ] && variant1=1  || variant1=0
 	[ "$variant2"  = "immune" ] && variant2=1  || variant2=0
 	[ "$variant3"  = "immune" ] && variant3=1  || variant3=0