From a266165bad2e34ebe45ea5220807c3a4e699591e Mon Sep 17 00:00:00 2001 From: Hans-Joachim Kliemeck Date: Sat, 15 Dec 2018 20:45:37 +0100 Subject: [PATCH] add mitigation detection for l1tf for xen based systems --- spectre-meltdown-checker.sh | 103 +++++++++++++++++++++++++++++------- 1 file changed, 83 insertions(+), 20 deletions(-) diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh index 9c1aa71..df70c3c 100755 --- a/spectre-meltdown-checker.sh +++ b/spectre-meltdown-checker.sh @@ -1414,6 +1414,57 @@ is_zen_cpu() return 1 } +# Test if the current host is a Xen PV Dom0 / DomU +is_xen() { + if [ ! -d "$procfs/xen" ]; then + return 0 + fi + + # XXX do we have a better way that relying on dmesg? + dmesg_grep 'Booting paravirtualized kernel on Xen$'; ret=$? + if [ $ret -eq 2 ]; then + _warn "dmesg truncated, Xen detection will be unreliable. Please reboot and relaunch this script" + return 0 + elif [ $ret -eq 0 ]; then + return 1 + else + return 0 + fi +} + +is_xen_dom0() +{ + if [ $((is_xen)) -ne 1 ]; then + return 0 + fi + + if [ -e "$procfs/xen/capabilities" ] && grep -q "control_d" "$procfs/xen/capabilities"; then + return 1 + else + return 0 + fi +} + +is_xen_domU() +{ + if [ $((is_xen)) -ne 1 ]; then + return 0 + fi + + # PVHVM guests also print 'Booting paravirtualized kernel', so we need this check. + dmesg_grep 'Xen HVM callback vector for event delivery is enabled$'; ret=$? + if [ $ret -eq 0 ]; then + return 0 + fi + + if [ $((is_xen_dom0)) -eq 0 ]; then + return 1 + else + return 0 + fi +} + + if [ -r "$mcedb_cache" ]; then mcedb_source="$mcedb_cache" mcedb_info="local MCExtractor DB "$(grep -E '^# %%% MCEDB ' "$mcedb_source" | cut -c13-) @@ -3292,24 +3343,8 @@ check_CVE_2017_5754_linux() # Test if the current host is a Xen PV Dom0 / DomU - if [ -d "$procfs/xen" ]; then - # XXX do we have a better way that relying on dmesg? - dmesg_grep 'Booting paravirtualized kernel on Xen$'; ret=$? - if [ $ret -eq 2 ]; then - _warn "dmesg truncated, Xen detection will be unreliable. Please reboot and relaunch this script" - elif [ $ret -eq 0 ]; then - if [ -e "$procfs/xen/capabilities" ] && grep -q "control_d" "$procfs/xen/capabilities"; then - xen_pv_domo=1 - else - xen_pv_domu=1 - fi - # PVHVM guests also print 'Booting paravirtualized kernel', so we need this check. - dmesg_grep 'Xen HVM callback vector for event delivery is enabled$'; ret=$? - if [ $ret -eq 0 ]; then - xen_pv_domu=0 - fi - fi - fi + xen_pv_domo=$((is_xen_dom0)) + xen_pv_domu=$((is_xen_domU)) if [ "$opt_live" = 1 ]; then # checking whether we're running under Xen PV 64 bits. If yes, we are affected by variant3 @@ -3851,8 +3886,28 @@ check_CVE_2018_3646_linux() l1d_mode=2 pstatus green YES "unconditional flushes" else - l1d_mode=-1 - pstatus yellow UNKNOWN "unrecognized mode" + if [ $((is_xen_dom0)) -eq 1 ]; then + l1d_xen_hardware=$(xl dmesg | grep -Eq 'Hardware features:' | grep -Eq 'L1D_FLUSH' | head -1) + l1d_xen_hypervisor=$(xl dmesg | grep -Eq 'Xen settings:' | grep -Eq 'L1D_FLUSH' | head -1) + l1d_xen_pv_domU=$(xl dmesg | grep -Eq 'PV L1TF shadowing:' | grep -Eq 'DomU enabled' | head -1) + + if [ -z "$l1d_xen_hardware" ] && [ -z "$l1d_xen_hypervisor" ] && [ -z "$l1d_xen_pv_domU" ]; then + l1d_mode=5 + pstatus green YES "for XEN guests" + elif [ -z "$l1d_xen_hardware" ] && [ -z "$l1d_xen_hypervisor" ]; then + l1d_mode=4 + pstatus green YES "for XEN guests (HVM only)" + elif [ -z "$l1d_xen_pv_domU" ]; then + l1d_mode=3 + pstatus green YES "for XEN guests (PV only)" + else + l1d_mode=0 + pstatus yellow NO "for XEN guests" + fi + else + l1d_mode=-1 + pstatus yellow UNKNOWN "unrecognized mode" + fi fi else l1d_mode=-1 @@ -3920,6 +3975,14 @@ check_CVE_2018_3646_linux() fi fi fi + + if [ $l1d_mode -gt 3 ]; then + _warn + _warn "This host is a Xen Dom0. Please make sure that you are running your DomUs" + _warn "with a kernel which contains CVE-2018-3646 mitigations." + _warn + _warn "See https://www.suse.com/support/kb/doc/?id=7023078 and XSA-273 for details." + fi fi }