mirror of
https://github.com/speed47/spectre-meltdown-checker.git
synced 2024-11-14 01:28:02 +01:00
commit
66835c75f3
7
Dockerfile
Normal file
7
Dockerfile
Normal file
@ -0,0 +1,7 @@
|
||||
FROM alpine:3.7
|
||||
|
||||
RUN apk --update --no-cache add kmod binutils grep perl
|
||||
|
||||
COPY . /check
|
||||
|
||||
ENTRYPOINT ["/check/spectre-meltdown-checker.sh"]
|
@ -44,6 +44,13 @@ chmod +x spectre-meltdown-checker.sh
|
||||
sudo ./spectre-meltdown-checker.sh
|
||||
```
|
||||
|
||||
### Run the script in a docker container
|
||||
|
||||
```shell
|
||||
docker build -t spectre-meltdown-checker .
|
||||
docker run --rm --privileged -v /boot:/boot:ro -v /lib/modules:/lib/modules:ro -v /dev/cpu:/dev/cpu:ro spectre-meltdown-checker
|
||||
```
|
||||
|
||||
## Example of script output
|
||||
|
||||
- Intel Haswell CPU running under Ubuntu 16.04 LTS
|
||||
|
@ -345,58 +345,59 @@ is_cpu_vulnerable()
|
||||
# part ? ? 0xc09 0xc0f 0xc0e 0xd07 0xd08 0xd09 0xd0a
|
||||
# arch 7? 7? 7 7 7 8 8 8 8
|
||||
#
|
||||
# variant 1 & variant 2
|
||||
if [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -Eq '^0x(c09|c0f|c0e)$'; then
|
||||
# armv7 vulnerable chips
|
||||
_debug "checking cpu$i: this armv7 vulnerable to spectre 1 & 2"
|
||||
# Whitelist identified non-vulnerable processors, use vulnerability information from
|
||||
# https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
|
||||
#
|
||||
# Maintain cumulative check of vulnerabilities -
|
||||
# if at least one of the cpu is vulnerable, then the system is vulnerable
|
||||
if [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -Eq '^0x(c0[89ce])$'; then
|
||||
variant1=vuln
|
||||
variant2=vuln
|
||||
elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -Eq '^0x(d07|d08|d09|d0a)$'; then
|
||||
# armv8 vulnerable chips
|
||||
_debug "checking cpu$i: this armv8 vulnerable to spectre 1 & 2"
|
||||
variant1=vuln
|
||||
variant2=vuln
|
||||
else
|
||||
_debug "checking cpu$i: this arm non vulnerable to 1 & 2"
|
||||
# others are not vulnerable
|
||||
[ -z "$variant1" ] && variant1=immune
|
||||
[ -z "$variant2" ] && variant2=immune
|
||||
fi
|
||||
|
||||
# for variant3, only A75 is vulnerable
|
||||
if [ "$cpuarch" = 8 ] && [ "$cpupart" = 0xd0a ]; then
|
||||
_debug "checking cpu$i: arm A75 vulnerable to meltdown"
|
||||
variant3=vuln
|
||||
else
|
||||
_debug "checking cpu$i: this arm non vulnerable to meltdown"
|
||||
[ -z "$variant3" ] && variant3=immune
|
||||
fi
|
||||
|
||||
# for variant3a, only A15/A57/A72 are vulnerable
|
||||
if [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -Eq '^0x(c0f|d07|d0a)$'; then
|
||||
_debug "checking cpu$i: arm A15-A57-A72 vulnerable to variant3a"
|
||||
variant3a=vuln
|
||||
else
|
||||
_debug "checking cpu$i: this arm non vulnerable to variant3a"
|
||||
[ -z "$variant3a" ] && variant3a=immune
|
||||
fi
|
||||
|
||||
# for variant4, only A57-72-73-75 are vulnerable
|
||||
if [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -Eq '^0xd0[789a]$'; then
|
||||
_debug "checking cpu$i: arm A57-A72-A73-A75 vulnerable to variant4"
|
||||
variant4=vuln
|
||||
else
|
||||
_debug "checking cpu$i: this arm non vulnerable to variant4"
|
||||
[ -z "$variant4" ] && variant4=immune
|
||||
_debug "checking cpu$i: this armv7 non vulnerable to variants 3, 3a & 4"
|
||||
elif [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -Eq '^0x(c0f)$'; then
|
||||
variant1=vuln
|
||||
variant2=vuln
|
||||
[ -z "$variant3" ] && variant3=immune
|
||||
variant3=vuln
|
||||
[ -z "$variant4" ] && variant4=immune
|
||||
_debug "checking cpu$i: this armv7 non vulnerable to variants 3 & 4"
|
||||
elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -Eq '^0x(d07|d08)$'; then
|
||||
variant1=vuln
|
||||
variant2=vuln
|
||||
variant3=vuln
|
||||
[ -z "$variant3a" ] && variant3a=immune
|
||||
[ -z "$variant4" ] && variant4=immune
|
||||
_debug "checking cpu$i: this armv7 non vulnerable to variants 3a & 4"
|
||||
elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -Eq '^0x(d09|d0b)$'; then
|
||||
variant1=vuln
|
||||
variant2=vuln
|
||||
[ -z "$variant3" ] && variant3=immune
|
||||
[ -z "$variant3a" ] && variant3a=immune
|
||||
variant4=vuln
|
||||
_debug "checking cpu$i: this armv8 non vulnerable to variants 3 & 3a"
|
||||
elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -Eq '^0x(c0a)$'; then
|
||||
variant1=vuln
|
||||
variant2=vuln
|
||||
variant3=vuln
|
||||
[ -z "$variant3a" ] && variant3a=immune
|
||||
variant4=vuln
|
||||
_debug "checking cpu$i: this armv8 non vulnerable to variant 3a"
|
||||
else
|
||||
variant1=vuln
|
||||
variant2=vuln
|
||||
variant3=vuln
|
||||
variant3a=vuln
|
||||
variant4=vuln
|
||||
_debug "checking cpu$i: this arm unknown"
|
||||
fi
|
||||
fi
|
||||
_debug "is_cpu_vulnerable: for cpu$i and so far, we have <$variant1> <$variant2> <$variant3> <$variant3a> <$variant4>"
|
||||
done
|
||||
fi
|
||||
# from the information we have for now, it seems that CPUs that are vulnerable to variant1 are also vulnerable to variant4
|
||||
[ -z "$variant4" ] && variant4=$variant1
|
||||
_debug "is_cpu_vulnerable: temp results are <$variant1> <$variant2> <$variant3> <$variant3a> <$variant4>"
|
||||
# if at least one of the cpu is vulnerable, then the system is vulnerable
|
||||
[ "$variant1" = "immune" ] && variant1=1 || variant1=0
|
||||
[ "$variant2" = "immune" ] && variant2=1 || variant2=0
|
||||
[ "$variant3" = "immune" ] && variant3=1 || variant3=0
|
||||
|
Loading…
Reference in New Issue
Block a user