peter/spectre-meltdown-checker
peter
/
spectre-meltdown-checker
mirror of https://github.com/speed47/spectre-meltdown-checker.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

add --variant to specify what check we want to run

This commit is contained in:
Stéphane Lesimple 2018-01-10 12:24:16 +01:00
parent 5389ac6844
commit 74bc7ba637
1 changed files with 309 additions and 252 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

251
spectre-meltdown-checker.sh
View File

@ -8,7 +8,7 @@
# #
# Stephane Lesimple # Stephane Lesimple
# #
VERSION=0.21 VERSION=0.22
# Script configuration # Script configuration
show_usage() show_usage()
@ -34,8 +34,10 @@ show_usage()
Options: Options:
--no-color Don't use color codes --no-color Don't use color codes
-v, --verbose Increase verbosity level -v, --verbose Increase verbosity level
--batch Produce machine readable output --batch text Produce machine readable output, this is the default if --batch is specified alone
--batch nrpe Produce machine readable output formatted for NRPE --batch nrpe Produce machine readable output formatted for NRPE
--variant [1,2,3] Specify which variant you'd like to check, by default all variants are checked
Can be specified multiple times (e.g. --variant 2 --variant 3)
IMPORTANT: IMPORTANT:
A false sense of security is worse than no security at all. A false sense of security is worse than no security at all.
@ -79,6 +81,10 @@ opt_no_color=0
opt_batch=0 opt_batch=0
opt_batch_format="text" opt_batch_format="text"
opt_verbose=1 opt_verbose=1
opt_variant1=0
opt_variant2=0
opt_variant3=0
opt_allvariants=1
nrpe_critical=0 nrpe_critical=0
nrpe_unknown=0 nrpe_unknown=0
@ -255,6 +261,20 @@ while [ -n "$1" ]; do
elif [ "$1" = "-v" -o "$1" = "--verbose" ]; then elif [ "$1" = "-v" -o "$1" = "--verbose" ]; then
opt_verbose=$(expr $opt_verbose + 1) opt_verbose=$(expr $opt_verbose + 1)
shift shift
elif [ "$1" = "--variant" ]; then
if [ -z "$2" ]; then
echo "$0: error: option --variant expects a parameter (1, 2 or 3)" >&2
exit 1
fi
case "$2" in
1) opt_variant1=1; opt_allvariants=0;;
2) opt_variant2=1; opt_allvariants=0;;
3) opt_variant3=1; opt_allvariants=0;;
*)
echo "$0: error: invalid parameter '$2' for --variant, expected either 1, 2 or 3" >&2;
exit 1;;
esac
shift 2
elif [ "$1" = "-h" -o "$1" = "--help" ]; then elif [ "$1" = "-h" -o "$1" = "--help" ]; then
show_header show_header
show_usage show_usage
@ -467,15 +487,38 @@ fi
_info _info
########### # end of header stuff
# SPECTRE 1
_info "\033[1;34mCVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'\033[0m"
_info_nol "* Checking count of LFENCE opcodes in kernel: "
status=0 # now we define some util functions and the check_*() funcs, as
if [ -n "$vmlinux_err" ]; then # the user can choose to execute only some of those
mount_debugfs()
{
if [ ! -e /sys/kernel/debug/sched_features ]; then
# try to mount the debugfs hierarchy ourselves and remember it to umount afterwards
mount -t debugfs debugfs /sys/kernel/debug 2>/dev/null && mounted_debugfs=1
fi
}
umount_debugfs()
{
if [ "$mounted_debugfs" = 1 ]; then
# umount debugfs if we did mount it ourselves
umount /sys/kernel/debug
fi
}
###################
# SPECTRE VARIANT 1
check_variant1()
{
_info "\033[1;34mCVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'\033[0m"
_info_nol "* Checking count of LFENCE opcodes in kernel: "
status=0
if [ -n "$vmlinux_err" ]; then
pstatus yellow UNKNOWN "$vmlinux_err" pstatus yellow UNKNOWN "$vmlinux_err"
else else
if ! which objdump >/dev/null 2>&1; then if ! which objdump >/dev/null 2>&1; then
pstatus yellow UNKNOWN "missing 'objdump' tool, please install it, usually it's in the binutils package" pstatus yellow UNKNOWN "missing 'objdump' tool, please install it, usually it's in the binutils package"
else else
@ -494,31 +537,33 @@ else
status=2 status=2
fi fi
fi fi
fi fi
if ! is_cpu_vulnerable 1; then if ! is_cpu_vulnerable 1; then
pvulnstatus CVE-2017-5753 OK "your CPU vendor reported your CPU model as not vulnerable" pvulnstatus CVE-2017-5753 OK "your CPU vendor reported your CPU model as not vulnerable"
else else
case "$status" in case "$status" in
0) pvulnstatus CVE-2017-5753 UNK "impossible to check ${vmlinux}";; 0) pvulnstatus CVE-2017-5753 UNK "impossible to check ${vmlinux}";;
1) pvulnstatus CVE-2017-5753 VULN 'heuristic to be improved when official patches become available';; 1) pvulnstatus CVE-2017-5753 VULN 'heuristic to be improved when official patches become available';;
2) pvulnstatus CVE-2017-5753 OK 'heuristic to be improved when official patches become available';; 2) pvulnstatus CVE-2017-5753 OK 'heuristic to be improved when official patches become available';;
esac esac
fi fi
}
########### ###################
# VARIANT 2 # SPECTRE VARIANT 2
_info check_variant2()
_info "\033[1;34mCVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'\033[0m" {
_info "* Mitigation 1" _info "\033[1;34mCVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'\033[0m"
_info_nol "* Hardware (CPU microcode) support for mitigation: " _info "* Mitigation 1"
if [ ! -e /dev/cpu/0/msr ]; then _info_nol "* Hardware (CPU microcode) support for mitigation: "
if [ ! -e /dev/cpu/0/msr ]; then
# try to load the module ourselves (and remember it so we can rmmod it afterwards) # try to load the module ourselves (and remember it so we can rmmod it afterwards)
modprobe msr 2>/dev/null && insmod_msr=1 modprobe msr 2>/dev/null && insmod_msr=1
fi fi
if [ ! -e /dev/cpu/0/msr ]; then if [ ! -e /dev/cpu/0/msr ]; then
pstatus yellow UNKNOWN "couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?" pstatus yellow UNKNOWN "couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?"
else else
# the new MSR 'SPEC_CTRL' is at offset 0x48 # the new MSR 'SPEC_CTRL' is at offset 0x48
# here we use dd, it's the same as using 'rdmsr 0x48' but without needing the rdmsr tool # here we use dd, it's the same as using 'rdmsr 0x48' but without needing the rdmsr tool
# if we get a read error, the MSR is not there # if we get a read error, the MSR is not there
@ -528,19 +573,16 @@ else
else else
pstatus red NO pstatus red NO
fi fi
fi fi
if [ "$insmod_msr" = 1 ]; then if [ "$insmod_msr" = 1 ]; then
# if we used modprobe ourselves, rmmod the module # if we used modprobe ourselves, rmmod the module
rmmod msr 2>/dev/null rmmod msr 2>/dev/null
fi
_info_nol "* Kernel support for IBRS: "
if [ "$opt_live" = 1 ]; then
if [ ! -e /sys/kernel/debug/sched_features ]; then
# try to mount the debugfs hierarchy ourselves and remember it to umount afterwards
mount -t debugfs debugfs /sys/kernel/debug 2>/dev/null && mounted_debugfs=1
fi fi
_info_nol "* Kernel support for IBRS: "
if [ "$opt_live" = 1 ]; then
mount_debugfs
if [ -e /sys/kernel/debug/ibrs_enabled ]; then if [ -e /sys/kernel/debug/ibrs_enabled ]; then
# if the file is there, we have IBRS compiled-in # if the file is there, we have IBRS compiled-in
pstatus green YES pstatus green YES
@ -552,19 +594,19 @@ if [ "$opt_live" = 1 ]; then
ibrs_supported=1 ibrs_supported=1
ibrs_enabled=$(cat /sys/kernel/debug/x86/ibrs_enabled 2>/dev/null) ibrs_enabled=$(cat /sys/kernel/debug/x86/ibrs_enabled 2>/dev/null)
fi fi
fi fi
if [ "$ibrs_supported" != 1 -a -n "$opt_map" ]; then if [ "$ibrs_supported" != 1 -a -n "$opt_map" ]; then
if grep -q spec_ctrl "$opt_map"; then if grep -q spec_ctrl "$opt_map"; then
pstatus green YES pstatus green YES
ibrs_supported=1 ibrs_supported=1
fi fi
fi fi
if [ "$ibrs_supported" != 1 ]; then if [ "$ibrs_supported" != 1 ]; then
pstatus red NO pstatus red NO
fi fi
_info_nol "* IBRS enabled for Kernel space: " _info_nol "* IBRS enabled for Kernel space: "
if [ "$opt_live" = 1 ]; then if [ "$opt_live" = 1 ]; then
# 0 means disabled # 0 means disabled
# 1 is enabled only for kernel space # 1 is enabled only for kernel space
# 2 is enabled for kernel and user space # 2 is enabled for kernel and user space
@ -574,43 +616,43 @@ if [ "$opt_live" = 1 ]; then
1 | 2) pstatus green YES;; 1 | 2) pstatus green YES;;
*) pstatus yellow UNKNOWN;; *) pstatus yellow UNKNOWN;;
esac esac
else else
pstatus blue N/A "not testable in offline mode" pstatus blue N/A "not testable in offline mode"
fi fi
_info_nol "* IBRS enabled for User space: " _info_nol "* IBRS enabled for User space: "
if [ "$opt_live" = 1 ]; then if [ "$opt_live" = 1 ]; then
case "$ibrs_enabled" in case "$ibrs_enabled" in
"") [ "$ibrs_supported" = 1 ] && pstatus yellow UNKNOWN || pstatus red NO;; "") [ "$ibrs_supported" = 1 ] && pstatus yellow UNKNOWN || pstatus red NO;;
0 | 1) pstatus red NO;; 0 | 1) pstatus red NO;;
2) pstatus green YES;; 2) pstatus green YES;;
*) pstatus yellow UNKNOWN;; *) pstatus yellow UNKNOWN;;
esac esac
else else
pstatus blue N/A "not testable in offline mode" pstatus blue N/A "not testable in offline mode"
fi fi
_info "* Mitigation 2" _info "* Mitigation 2"
_info_nol "* Kernel compiled with retpoline option: " _info_nol "* Kernel compiled with retpoline option: "
# We check the RETPOLINE kernel options # We check the RETPOLINE kernel options
if [ -r "$opt_config" ]; then if [ -r "$opt_config" ]; then
if grep -q '^CONFIG_RETPOLINE=y' "$opt_config"; then if grep -q '^CONFIG_RETPOLINE=y' "$opt_config"; then
pstatus green YES pstatus green YES
retpoline=1 retpoline=1
else else
pstatus red NO pstatus red NO
fi fi
else else
pstatus yellow UNKNOWN "couldn't read your kernel configuration" pstatus yellow UNKNOWN "couldn't read your kernel configuration"
fi fi
_info_nol "* Kernel compiled with a retpoline-aware compiler: " _info_nol "* Kernel compiled with a retpoline-aware compiler: "
# Now check if the compiler used to compile the kernel knows how to insert retpolines in generated asm # Now check if the compiler used to compile the kernel knows how to insert retpolines in generated asm
# For gcc, this is -mindirect-branch=thunk-extern (detected by the kernel makefiles) # For gcc, this is -mindirect-branch=thunk-extern (detected by the kernel makefiles)
# See gcc commit https://github.com/hjl-tools/gcc/commit/23b517d4a67c02d3ef80b6109218f2aadad7bd79 # See gcc commit https://github.com/hjl-tools/gcc/commit/23b517d4a67c02d3ef80b6109218f2aadad7bd79
# In latest retpoline LKML patches, the noretpoline_setup symbol exists only if CONFIG_RETPOLINE is set # In latest retpoline LKML patches, the noretpoline_setup symbol exists only if CONFIG_RETPOLINE is set
# *AND* if the compiler is retpoline-compliant, so look for that symbol # *AND* if the compiler is retpoline-compliant, so look for that symbol
if [ -n "$opt_map" ]; then if [ -n "$opt_map" ]; then
# look for the symbol # look for the symbol
if grep -qw noretpoline_setup "$opt_map"; then if grep -qw noretpoline_setup "$opt_map"; then
retpoline_compiler=1 retpoline_compiler=1
@ -618,7 +660,7 @@ if [ -n "$opt_map" ]; then
else else
pstatus red NO pstatus red NO
fi fi
elif [ -n "$vmlinux" ]; then elif [ -n "$vmlinux" ]; then
# look for the symbol # look for the symbol
if which nm >/dev/null 2>&1; then if which nm >/dev/null 2>&1; then
# the proper way: use nm and look for the symbol # the proper way: use nm and look for the symbol
@ -636,50 +678,52 @@ elif [ -n "$vmlinux" ]; then
else else
pstatus red NO pstatus red NO
fi fi
else else
pstatus yellow UNKNOWN "couldn't find your kernel image or System.map" pstatus yellow UNKNOWN "couldn't find your kernel image or System.map"
fi fi
if ! is_cpu_vulnerable 2; then if ! is_cpu_vulnerable 2; then
pvulnstatus CVE-2017-5715 OK "your CPU vendor reported your CPU model as not vulnerable" pvulnstatus CVE-2017-5715 OK "your CPU vendor reported your CPU model as not vulnerable"
elif [ "$retpoline" = 1 -a "$retpoline_compiler" = 1 ]; then elif [ "$retpoline" = 1 -a "$retpoline_compiler" = 1 ]; then
pvulnstatus CVE-2017-5715 OK "retpoline mitigate the vulnerability" pvulnstatus CVE-2017-5715 OK "retpoline mitigate the vulnerability"
elif [ "$opt_live" = 1 ]; then elif [ "$opt_live" = 1 ]; then
if [ "$ibrs_enabled" = 1 -o "$ibrs_enabled" = 2 ]; then if [ "$ibrs_enabled" = 1 -o "$ibrs_enabled" = 2 ]; then
pvulnstatus CVE-2017-5715 OK "IBRS mitigates the vulnerability" pvulnstatus CVE-2017-5715 OK "IBRS mitigates the vulnerability"
else else
pvulnstatus CVE-2017-5715 VULN "IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability" pvulnstatus CVE-2017-5715 VULN "IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability"
fi fi
else else
if [ "$ibrs_supported" = 1 ]; then if [ "$ibrs_supported" = 1 ]; then
pvulnstatus CVE-2017-5715 OK "offline mode: IBRS will mitigate the vulnerability if enabled at runtime" pvulnstatus CVE-2017-5715 OK "offline mode: IBRS will mitigate the vulnerability if enabled at runtime"
else else
pvulnstatus CVE-2017-5715 VULN "IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability" pvulnstatus CVE-2017-5715 VULN "IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability"
fi fi
fi fi
}
########## ########################
# MELTDOWN # MELTDOWN aka VARIANT 3
_info check_variant3()
_info "\033[1;34mCVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'\033[0m" {
_info_nol "* Kernel supports Page Table Isolation (PTI): " _info "\033[1;34mCVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'\033[0m"
kpti_support=0 _info_nol "* Kernel supports Page Table Isolation (PTI): "
kpti_can_tell=0 kpti_support=0
if [ -n "$opt_config" ]; then kpti_can_tell=0
if [ -n "$opt_config" ]; then
kpti_can_tell=1 kpti_can_tell=1
if grep -Eq '^(CONFIG_PAGE_TABLE_ISOLATION|CONFIG_KAISER)=y' "$opt_config"; then if grep -Eq '^(CONFIG_PAGE_TABLE_ISOLATION|CONFIG_KAISER)=y' "$opt_config"; then
kpti_support=1 kpti_support=1
fi fi
fi fi
if [ "$kpti_support" = 0 -a -n "$opt_map" ]; then if [ "$kpti_support" = 0 -a -n "$opt_map" ]; then
# it's not an elif: some backports don't have the PTI config but still include the patch # it's not an elif: some backports don't have the PTI config but still include the patch
# so we try to find an exported symbol that is part of the PTI patch in System.map # so we try to find an exported symbol that is part of the PTI patch in System.map
kpti_can_tell=1 kpti_can_tell=1
if grep -qw kpti_force_enabled "$opt_map"; then if grep -qw kpti_force_enabled "$opt_map"; then
kpti_support=1 kpti_support=1
fi fi
fi fi
if [ "$kpti_support" = 0 -a -n "$vmlinux" ]; then if [ "$kpti_support" = 0 -a -n "$vmlinux" ]; then
# same as above but in case we don't have System.map and only vmlinux, look for the # same as above but in case we don't have System.map and only vmlinux, look for the
# nopti option that is part of the patch (kernel command line option) # nopti option that is part of the patch (kernel command line option)
kpti_can_tell=1 kpti_can_tell=1
@ -690,18 +734,19 @@ if [ "$kpti_support" = 0 -a -n "$vmlinux" ]; then
kpti_support=1 kpti_support=1
fi fi
fi fi
fi fi
if [ "$kpti_support" = 1 ]; then if [ "$kpti_support" = 1 ]; then
pstatus green YES pstatus green YES
elif [ "$kpti_can_tell" = 1 ]; then elif [ "$kpti_can_tell" = 1 ]; then
pstatus red NO pstatus red NO
else else
pstatus yellow UNKNOWN "couldn't read your kernel configuration nor System.map file" pstatus yellow UNKNOWN "couldn't read your kernel configuration nor System.map file"
fi fi
_info_nol "* PTI enabled and active: " mount_debugfs
if [ "$opt_live" = 1 ]; then _info_nol "* PTI enabled and active: "
if [ "$opt_live" = 1 ]; then
if grep ^flags /proc/cpuinfo | grep -qw pti; then if grep ^flags /proc/cpuinfo | grep -qw pti; then
# vanilla PTI patch sets the 'pti' flag in cpuinfo # vanilla PTI patch sets the 'pti' flag in cpuinfo
kpti_enabled=1 kpti_enabled=1
@ -725,35 +770,47 @@ if [ "$opt_live" = 1 ]; then
else else
pstatus red NO pstatus red NO
fi fi
else else
pstatus blue N/A "can't verify if PTI is enabled in offline mode" pstatus blue N/A "can't verify if PTI is enabled in offline mode"
fi fi
if [ "$mounted_debugfs" = 1 ]; then if ! is_cpu_vulnerable 3; then
# umount debugfs if we did mount it ourselves
umount /sys/kernel/debug
fi
if ! is_cpu_vulnerable 3; then
pvulnstatus CVE-2017-5754 OK "your CPU vendor reported your CPU model as not vulnerable" pvulnstatus CVE-2017-5754 OK "your CPU vendor reported your CPU model as not vulnerable"
elif [ "$opt_live" = 1 ]; then elif [ "$opt_live" = 1 ]; then
if [ "$kpti_enabled" = 1 ]; then if [ "$kpti_enabled" = 1 ]; then
pvulnstatus CVE-2017-5754 OK "PTI mitigates the vulnerability" pvulnstatus CVE-2017-5754 OK "PTI mitigates the vulnerability"
else else
pvulnstatus CVE-2017-5754 VULN "PTI is needed to mitigate the vulnerability" pvulnstatus CVE-2017-5754 VULN "PTI is needed to mitigate the vulnerability"
fi fi
else else
if [ "$kpti_support" = 1 ]; then if [ "$kpti_support" = 1 ]; then
pvulnstatus CVE-2017-5754 OK "offline mode: PTI will mitigate the vulnerability if enabled at runtime" pvulnstatus CVE-2017-5754 OK "offline mode: PTI will mitigate the vulnerability if enabled at runtime"
else else
pvulnstatus CVE-2017-5754 VULN "PTI is needed to mitigate the vulnerability" pvulnstatus CVE-2017-5754 VULN "PTI is needed to mitigate the vulnerability"
fi fi
fi fi
}
_info # now run the checks the user asked for
if [ "$opt_variant1" = 1 -o "$opt_allvariants" = 1 ]; then
check_variant1
_info
fi
if [ "$opt_variant2" = 1 -o "$opt_allvariants" = 1 ]; then
check_variant2
_info
fi
if [ "$opt_variant3" = 1 -o "$opt_allvariants" = 1 ]; then
check_variant3
_info
fi
_info "A false sense of security is worse than no security at all, see --disclaimer" _info "A false sense of security is worse than no security at all, see --disclaimer"
# this'll umount only if we mounted debugfs ourselves
umount_debugfs
# cleanup the temp decompressed config
[ -n "$dumped_config" ] && rm -f "$dumped_config" [ -n "$dumped_config" ] && rm -f "$dumped_config"
if [ "$opt_batch" = 1 -a "$opt_batch_format" = "nrpe" ]; then if [ "$opt_batch" = 1 -a "$opt_batch_format" = "nrpe" ]; then