From 7f0d80b305d05ec423d068bd3b85f42d744b08f6 Mon Sep 17 00:00:00 2001 From: Matthieu Cerda Date: Wed, 24 Jan 2018 17:14:04 +0100 Subject: [PATCH] xen: detect if the host is a Xen Dom0 or PV DomU (fixes #83) --- spectre-meltdown-checker.sh | 71 +++++++++++++++++++++++++------------ 1 file changed, 49 insertions(+), 22 deletions(-) diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh index cdde101..dafbd82 100755 --- a/spectre-meltdown-checker.sh +++ b/spectre-meltdown-checker.sh @@ -1456,31 +1456,39 @@ check_variant3() pstatus blue NO 'no security impact but performance will be degraded with PTI' fi fi - - if [ "$opt_live" = 1 ]; then - # checking whether we're running under Xen PV 64 bits. If yes, we're not affected by variant3 - _info_nol "* Running under Xen PV (64 bits): " - if [ "$(uname -m)" = "x86_64" ]; then - # XXX do we have a better way that relying on dmesg? - dmesg_grep 'Booting paravirtualized kernel on Xen$'; ret=$? - if [ $ret -eq 0 ]; then - pstatus green YES 'Xen PV is not vulnerable' - xen_pv=1 - elif [ $ret -eq 2 ]; then - pstatus yellow UNKNOWN "dmesg truncated, please reboot and relaunch this script" - else - pstatus blue NO - fi - else - pstatus blue NO - fi - fi elif [ "$sys_interface_available" = 0 ]; then # we have no sysfs but were asked to use it only! msg="/sys vulnerability interface use forced, but it's not available!" status=UNK fi + + # Test if the current host is a Xen PV Dom0 / DomU + if [ -d "/proc/xen" ]; then + # XXX do we have a better way that relying on dmesg? + dmesg_grep 'Booting paravirtualized kernel on Xen$'; ret=$? + if [ $ret -eq 2 ]; then + _warn "dmesg truncated, Xen detection will be unreliable. Please reboot and relaunch this script" + elif [ $ret -eq 0 ]; then + if [ -e /proc/xen/capabilities ] && grep -q "control_d" /proc/xen/capabilities; then + xen_pv_domo=1 + else + xen_pv_domu=1 + fi + fi + fi + + if [ "$opt_live" = 1 ]; then + # checking whether we're running under Xen PV 64 bits. If yes, we are affected by variant3 + # (unless we are a Dom0) + _info_nol "* Running as a Xen PV DomU: " + if [ "$xen_pv_domu" = 1 ]; then + pstatus red YES + else + pstatus green NO + fi + fi + cve='CVE-2017-5754' if ! is_cpu_vulnerable 3; then # override status & msg in case CPU is not vulnerable after all @@ -1490,8 +1498,10 @@ check_variant3() if [ "$opt_live" = 1 ]; then if [ "$kpti_enabled" = 1 ]; then pvulnstatus $cve OK "PTI mitigates the vulnerability" - elif [ "$xen_pv" = 1 ]; then - pvulnstatus $cve OK "Xen PV 64 bits is not vulnerable" + elif [ "$xen_pv_domo" = 1 ]; then + pvulnstatus $cve OK "Xen Dom0s are safe and do not require PTI" + elif [ "$xen_pv_domu" = 1 ]; then + pvulnstatus $cve VULN "Xen PV DomUs are vulnerable and need to be run in HVM, PVHVM or PVH mode" else pvulnstatus $cve VULN "PTI is needed to mitigate the vulnerability" fi @@ -1505,9 +1515,26 @@ check_variant3() fi fi else - [ "$msg" = "Vulnerable" ] && msg="PTI is needed to mitigate the vulnerability" + if [ "$xen_pv_domo" = 1 ]; then + msg="Xen Dom0s are safe and do not require PTI" + status="OK" + elif [ "$xen_pv_domu" = 1 ]; then + msg="Xen PV DomUs are vulnerable and need to be run in HVM, PVHVM or PVH mode" + status="VULN" + elif [ "$msg" = "Vulnerable" ]; then + msg="PTI is needed to mitigate the vulnerability" + fi pvulnstatus $cve "$status" "$msg" fi + + # Warn the user about XSA-254 recommended mitigations + if [ "$xen_pv_domo" = 1 ]; then + _warn + _warn "This host is a Xen Dom0. Please make sure that you are running your DomUs" + _warn "in HVM, PVHVM or PVH mode to prevent any guest-to-host / host-to-guest attacks." + _warn + _warn "See https://blog.xenproject.org/2018/01/22/xen-project-spectre-meltdown-faq-jan-22-update/ and XSA-254 for details." + fi } check_cpu