Merge pull request #1 from speed47/master

merge
Rob Gill 2018-06-18 20:35:40 +10:00 committed by GitHub
commit 66835c75f3
3 changed files with 56 additions and 41 deletions

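--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,7 @@
+FROM alpine:3.7
+RUN apk --update --no-cache add kmod binutils grep perl
+COPY . /check
+ENTRYPOINT ["/check/spectre-meltdown-checker.sh"]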
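Review bot: `COPY . /check` copies the whole build context into the image, which, if the context is the repository checkout, includes the `.git` directory and any local files next to the Dockerfile rather than just the script the entrypoint runs. Copying only what is needed (`COPY spectre-meltdown-checker.sh /check/`) or adding a `.dockerignore` keeps the image to the checker itself. In the `RUN` line, `--update` appears redundant next to `--no-cache`, which already fetches a fresh index without storing it; `RUN apk --no-cache add kmod binutils grep perl` should be equivalent.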

@ -44,6 +44,13 @@ chmod +x spectre-meltdown-checker.sh
sudo ./spectre-meltdown-checker.sh
```
### Run the script in a docker container
```shell
docker build -t spectre-meltdown-checker .
docker run --rm --privileged -v /boot:/boot:ro -v /lib/modules:/lib/modules:ro -v /dev/cpu:/dev/cpu:ro spectre-meltdown-checker
```
## Example of script output
- Intel Haswell CPU running under Ubuntu 16.04 LTS


@ -345,58 +345,59 @@ is_cpu_vulnerable()
# part ? ? 0xc09 0xc0f 0xc0e 0xd07 0xd08 0xd09 0xd0a
# arch 7? 7? 7 7 7 8 8 8 8
#
# variant 1 & variant 2
if [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -Eq '^0x(c09|c0f|c0e)$'; then
# armv7 vulnerable chips
_debug "checking cpu$i: this armv7 vulnerable to spectre 1 & 2"
# Whitelist identified non-vulnerable processors, use vulnerability information from
# https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
#
# Maintain cumulative check of vulnerabilities -
# if at least one of the cpu is vulnerable, then the system is vulnerable
if [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -Eq '^0x(c0[89ce])$'; then
variant1=vuln
variant2=vuln
elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -Eq '^0x(d07|d08|d09|d0a)$'; then
# armv8 vulnerable chips
_debug "checking cpu$i: this armv8 vulnerable to spectre 1 & 2"
variant1=vuln
variant2=vuln
else
_debug "checking cpu$i: this arm non vulnerable to 1 & 2"
# others are not vulnerable
[ -z "$variant1" ] && variant1=immune
[ -z "$variant2" ] && variant2=immune
fi
# for variant3, only A75 is vulnerable
if [ "$cpuarch" = 8 ] && [ "$cpupart" = 0xd0a ]; then
_debug "checking cpu$i: arm A75 vulnerable to meltdown"
variant3=vuln
else
_debug "checking cpu$i: this arm non vulnerable to meltdown"
[ -z "$variant3" ] && variant3=immune
fi
# for variant3a, only A15/A57/A72 are vulnerable
if [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -Eq '^0x(c0f|d07|d0a)$'; then
_debug "checking cpu$i: arm A15-A57-A72 vulnerable to variant3a"
variant3a=vuln
else
_debug "checking cpu$i: this arm non vulnerable to variant3a"
[ -z "$variant3a" ] && variant3a=immune
fi
# for variant4, only A57-72-73-75 are vulnerable
if [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -Eq '^0xd0[789a]$'; then
_debug "checking cpu$i: arm A57-A72-A73-A75 vulnerable to variant4"
variant4=vuln
else
_debug "checking cpu$i: this arm non vulnerable to variant4"
[ -z "$variant4" ] && variant4=immune
_debug "checking cpu$i: this armv7 non vulnerable to variants 3, 3a & 4"
elif [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -Eq '^0x(c0f)$'; then
variant1=vuln
variant2=vuln
[ -z "$variant3" ] && variant3=immune
variant3=vuln
[ -z "$variant4" ] && variant4=immune
_debug "checking cpu$i: this armv7 non vulnerable to variants 3 & 4"
elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -Eq '^0x(d07|d08)$'; then
variant1=vuln
variant2=vuln
variant3=vuln
[ -z "$variant3a" ] && variant3a=immune
[ -z "$variant4" ] && variant4=immune
_debug "checking cpu$i: this armv7 non vulnerable to variants 3a & 4"
elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -Eq '^0x(d09|d0b)$'; then
variant1=vuln
variant2=vuln
[ -z "$variant3" ] && variant3=immune
[ -z "$variant3a" ] && variant3a=immune
variant4=vuln
_debug "checking cpu$i: this armv8 non vulnerable to variants 3 & 3a"
elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -Eq '^0x(c0a)$'; then
variant1=vuln
variant2=vuln
variant3=vuln
[ -z "$variant3a" ] && variant3a=immune
variant4=vuln
_debug "checking cpu$i: this armv8 non vulnerable to variant 3a"
else
variant1=vuln
variant2=vuln
variant3=vuln
variant3a=vuln
variant4=vuln
_debug "checking cpu$i: this arm unknown"
fi
fi
_debug "is_cpu_vulnerable: for cpu$i and so far, we have <$variant1> <$variant2> <$variant3> <$variant3a> <$variant4>"
done
fi
# from the information we have for now, it seems that CPUs that are vulnerable to variant1 are also vulnerable to variant4
[ -z "$variant4" ] && variant4=$variant1
_debug "is_cpu_vulnerable: temp results are <$variant1> <$variant2> <$variant3> <$variant3a> <$variant4>"
# if at least one of the cpu is vulnerable, then the system is vulnerable
[ "$variant1" = "immune" ] && variant1=1 || variant1=0
[ "$variant2" = "immune" ] && variant2=1 || variant2=0
[ "$variant3" = "immune" ] && variant3=1 || variant3=0
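Review bot: In the new armv7 `0xc0f` branch the guard `[ -z "$variant3" ] && variant3=immune` is immediately overridden by the unconditional `variant3=vuln` on the next line, so the guard is dead and the result contradicts the branch's own debug message `this armv7 non vulnerable to variants 3 & 4`; the removed code classified 0xc0f under variant3a (`arm A15-A57-A72 vulnerable to variant3a`), so `variant3a=vuln` with variant3 left immune looks like what was intended, to be confirmed against the ARM advisory linked in the comment above. The same 3/3a swap seems to recur in the `0xd07|0xd08` branch, which now sets `variant3=vuln` and marks 3a and 4 immune, whereas the removed code had d07 vulnerable to variant3a and to variant4 and only d0a vulnerable to variant3; that branch's debug string also says `armv7` although it is a `cpuarch = 8` arm. Because unset variants become non-immune at the bottom of the function, the 0xc0f branch leaving variant3a unset currently reports "vulnerable" by accident rather than by design, so an explicit assignment would make the table self-documenting. is_cpu_vulnerable continues past the end of the hunk.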