mirror of
https://github.com/speed47/spectre-meltdown-checker.git
synced 2026-04-09 10:13:18 +02:00
enh: --no-runtime and --no-hw modes replacing --live and implicit 'offline' mode
This commit is contained in:
Stéphane Lesimple
@@ -265,7 +265,7 @@ check_CVE_2017_5715_linux() {
|
||||
g_ibpb_supported=''
|
||||
g_ibpb_enabled=''
|
||||
|
||||
if [ "$opt_live" = 1 ]; then
|
||||
if [ "$opt_runtime" = 1 ]; then
|
||||
# in live mode, we can check for the ibrs_enabled file in debugfs
|
||||
# all versions of the patches have it (NOT the case of IBPB or KPTI)
|
||||
g_ibrs_can_tell=1
|
||||
@@ -416,7 +416,7 @@ check_CVE_2017_5715_linux() {
|
||||
fi
|
||||
|
||||
pr_info_nol " * IBRS enabled and active: "
|
||||
if [ "$opt_live" = 1 ]; then
|
||||
if [ "$opt_runtime" = 1 ]; then
|
||||
if [ "$g_ibpb_enabled" = 2 ]; then
|
||||
# if ibpb=2, ibrs is forcefully=0
|
||||
pstatus blue NO "IBPB used instead of IBRS in all kernel entrypoints"
|
||||
@@ -447,7 +447,7 @@ check_CVE_2017_5715_linux() {
|
||||
esac
|
||||
fi
|
||||
else
|
||||
pstatus blue N/A "not testable in offline mode"
|
||||
pstatus blue N/A "not testable in no-runtime mode"
|
||||
fi
|
||||
|
||||
pr_info_nol " * Kernel is compiled with IBPB support: "
|
||||
@@ -455,8 +455,8 @@ check_CVE_2017_5715_linux() {
|
||||
if [ "$g_ibpb_can_tell" = 1 ]; then
|
||||
pstatus yellow NO
|
||||
else
|
||||
# if we're in offline mode without System.map, we can't really know
|
||||
pstatus yellow UNKNOWN "in offline mode, we need the kernel image to be able to tell"
|
||||
# if we're in no-runtime mode without System.map, we can't really know
|
||||
pstatus yellow UNKNOWN "in no-runtime mode, we need the kernel image to be able to tell"
|
||||
fi
|
||||
else
|
||||
if [ "$opt_verbose" -ge 2 ]; then
|
||||
@@ -467,7 +467,7 @@ check_CVE_2017_5715_linux() {
|
||||
fi
|
||||
|
||||
pr_info_nol " * IBPB enabled and active: "
|
||||
if [ "$opt_live" = 1 ]; then
|
||||
if [ "$opt_runtime" = 1 ]; then
|
||||
case "$g_ibpb_enabled" in
|
||||
"")
|
||||
if [ "$g_ibrs_supported" = 1 ]; then
|
||||
@@ -484,7 +484,7 @@ check_CVE_2017_5715_linux() {
|
||||
*) pstatus yellow UNKNOWN ;;
|
||||
esac
|
||||
else
|
||||
pstatus blue N/A "not testable in offline mode"
|
||||
pstatus blue N/A "not testable in no-runtime mode"
|
||||
fi
|
||||
|
||||
pr_info "* Mitigation 2"
|
||||
@@ -544,7 +544,7 @@ check_CVE_2017_5715_linux() {
|
||||
#
|
||||
# since 5.15.28, this is now "Retpolines" as the implementation was switched to a generic one,
|
||||
# so we look for both "retpoline" and "retpolines"
|
||||
if [ "$opt_live" = 1 ] && [ -n "$ret_sys_interface_check_fullmsg" ]; then
|
||||
if [ "$opt_runtime" = 1 ] && [ -n "$ret_sys_interface_check_fullmsg" ]; then
|
||||
if echo "$ret_sys_interface_check_fullmsg" | grep -qwi -e retpoline -e retpolines; then
|
||||
if echo "$ret_sys_interface_check_fullmsg" | grep -qwi minimal; then
|
||||
retpoline_compiler=0
|
||||
@@ -595,7 +595,7 @@ check_CVE_2017_5715_linux() {
|
||||
|
||||
# only Red Hat has a tunable to disable it on runtime
|
||||
retp_enabled=-1
|
||||
if [ "$opt_live" = 1 ]; then
|
||||
if [ "$opt_runtime" = 1 ]; then
|
||||
if [ -e "$g_specex_knob_dir/retp_enabled" ]; then
|
||||
retp_enabled=$(cat "$g_specex_knob_dir/retp_enabled" 2>/dev/null)
|
||||
pr_debug "retpoline: found $g_specex_knob_dir/retp_enabled=$retp_enabled"
|
||||
@@ -625,7 +625,7 @@ check_CVE_2017_5715_linux() {
|
||||
if is_vulnerable_to_empty_rsb || [ "$opt_verbose" -ge 2 ]; then
|
||||
pr_info_nol " * Kernel supports RSB filling: "
|
||||
rsb_filling=0
|
||||
if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" != 1 ]; then
|
||||
if [ "$opt_runtime" = 1 ] && [ "$opt_no_sysfs" != 1 ]; then
|
||||
# if we're live and we aren't denied looking into /sys, let's do it
|
||||
if echo "$ret_sys_interface_check_fullmsg" | grep -qw RSB; then
|
||||
rsb_filling=1
|
||||
@@ -718,7 +718,7 @@ check_CVE_2017_5715_linux() {
|
||||
*", IBPB"* | *"; IBPB"*) v2_ibpb_mode=conditional ;;
|
||||
*) v2_ibpb_mode=disabled ;;
|
||||
esac
|
||||
elif [ "$opt_live" = 1 ]; then
|
||||
elif [ "$opt_runtime" = 1 ]; then
|
||||
case "$g_ibpb_enabled" in
|
||||
2) v2_ibpb_mode=always-on ;;
|
||||
1) v2_ibpb_mode=conditional ;;
|
||||
@@ -816,7 +816,7 @@ check_CVE_2017_5715_linux() {
|
||||
*"PBRSB-eIBRS: Vulnerable"*) v2_pbrsb_status=vulnerable ;;
|
||||
*) v2_pbrsb_status=unknown ;;
|
||||
esac
|
||||
elif [ "$opt_live" != 1 ] && [ -n "$g_kernel" ]; then
|
||||
elif [ "$opt_runtime" != 1 ] && [ -n "$g_kernel" ]; then
|
||||
if grep -q 'PBRSB-eIBRS' "$g_kernel" 2>/dev/null; then
|
||||
v2_pbrsb_status=sw-sequence
|
||||
else
|
||||
@@ -847,7 +847,7 @@ check_CVE_2017_5715_linux() {
|
||||
*"BHI: Vulnerable"*) v2_bhi_status=vulnerable ;;
|
||||
*) v2_bhi_status=unknown ;;
|
||||
esac
|
||||
elif [ "$opt_live" != 1 ] && [ -n "$opt_config" ] && [ -r "$opt_config" ]; then
|
||||
elif [ "$opt_runtime" != 1 ] && [ -n "$opt_config" ] && [ -r "$opt_config" ]; then
|
||||
if grep -q '^CONFIG_\(MITIGATION_\)\?SPECTRE_BHI' "$opt_config"; then
|
||||
if [ "$cap_bhi" = 1 ]; then
|
||||
v2_bhi_status=bhi_dis_s
|
||||
@@ -871,7 +871,7 @@ check_CVE_2017_5715_linux() {
|
||||
esac
|
||||
|
||||
# --- v2_vuln_module ---
|
||||
if [ "$opt_live" = 1 ] && [ -n "$ret_sys_interface_check_fullmsg" ]; then
|
||||
if [ "$opt_runtime" = 1 ] && [ -n "$ret_sys_interface_check_fullmsg" ]; then
|
||||
pr_info_nol " * Non-retpoline module loaded: "
|
||||
if echo "$ret_sys_interface_check_fullmsg" | grep -q 'vulnerable module loaded'; then
|
||||
v2_vuln_module=1
|
||||
@@ -970,7 +970,7 @@ check_CVE_2017_5715_linux() {
|
||||
if [ -n "${SMC_MOCK_UNPRIVILEGED_BPF_DISABLED:-}" ]; then
|
||||
_ebpf_disabled="$SMC_MOCK_UNPRIVILEGED_BPF_DISABLED"
|
||||
g_mocked=1
|
||||
elif [ "$opt_live" = 1 ] && [ -r "$g_procfs/sys/kernel/unprivileged_bpf_disabled" ]; then
|
||||
elif [ "$opt_runtime" = 1 ] && [ -r "$g_procfs/sys/kernel/unprivileged_bpf_disabled" ]; then
|
||||
_ebpf_disabled=$(cat "$g_procfs/sys/kernel/unprivileged_bpf_disabled" 2>/dev/null)
|
||||
g_mockme=$(printf "%b\n%b" "$g_mockme" "SMC_MOCK_UNPRIVILEGED_BPF_DISABLED='$_ebpf_disabled'")
|
||||
fi
|
||||
@@ -1158,18 +1158,18 @@ check_CVE_2017_5715_linux() {
|
||||
pvulnstatus "$cve" OK "Full IBPB is mitigating the vulnerability"
|
||||
|
||||
# Offline mode fallback
|
||||
elif [ "$opt_live" != 1 ]; then
|
||||
elif [ "$opt_runtime" != 1 ]; then
|
||||
if [ "$retpoline" = 1 ] && [ -n "$g_ibpb_supported" ]; then
|
||||
pvulnstatus "$cve" OK "offline mode: kernel supports retpoline + IBPB to mitigate the vulnerability"
|
||||
pvulnstatus "$cve" OK "no-runtime mode: kernel supports retpoline + IBPB to mitigate the vulnerability"
|
||||
elif [ -n "$g_ibrs_supported" ] && [ -n "$g_ibpb_supported" ]; then
|
||||
pvulnstatus "$cve" OK "offline mode: kernel supports IBRS + IBPB to mitigate the vulnerability"
|
||||
pvulnstatus "$cve" OK "no-runtime mode: kernel supports IBRS + IBPB to mitigate the vulnerability"
|
||||
elif [ "$cap_ibrs_all" = 1 ] || [ "$cap_autoibrs" = 1 ]; then
|
||||
pvulnstatus "$cve" OK "offline mode: CPU supports Enhanced / Automatic IBRS"
|
||||
pvulnstatus "$cve" OK "no-runtime mode: CPU supports Enhanced / Automatic IBRS"
|
||||
# CONFIG_MITIGATION_SPECTRE_V2 (v6.12+): top-level on/off for all Spectre V2 mitigations
|
||||
elif [ -n "$opt_config" ] && [ -r "$opt_config" ] && grep -q '^CONFIG_MITIGATION_SPECTRE_V2=y' "$opt_config"; then
|
||||
pvulnstatus "$cve" OK "offline mode: kernel has Spectre V2 mitigation framework enabled (CONFIG_MITIGATION_SPECTRE_V2)"
|
||||
pvulnstatus "$cve" OK "no-runtime mode: kernel has Spectre V2 mitigation framework enabled (CONFIG_MITIGATION_SPECTRE_V2)"
|
||||
elif [ "$g_ibrs_can_tell" != 1 ]; then
|
||||
pvulnstatus "$cve" UNK "offline mode: not enough information"
|
||||
pvulnstatus "$cve" UNK "no-runtime mode: not enough information"
|
||||
explain "Re-run this script with root privileges, and give it the kernel image (--kernel), the kernel configuration (--config) and the System.map file (--map) corresponding to the kernel you would like to inspect."
|
||||
fi
|
||||
fi
|
||||
|
||||
@@ -57,7 +57,7 @@ check_CVE_2017_5753_linux() {
|
||||
status=$ret_sys_interface_check_status
|
||||
fi
|
||||
if [ "$opt_sysfs_only" != 1 ]; then
|
||||
# no /sys interface (or offline mode), fallback to our own ways
|
||||
# no /sys interface (or no-runtime mode), fallback to our own ways
|
||||
|
||||
# Primary detection: grep for sysfs mitigation strings in the kernel binary.
|
||||
# The string "__user pointer sanitization" is present in all kernel versions
|
||||
|
||||
@@ -104,7 +104,7 @@ check_CVE_2017_5754_linux() {
|
||||
|
||||
mount_debugfs
|
||||
pr_info_nol " * PTI enabled and active: "
|
||||
if [ "$opt_live" = 1 ]; then
|
||||
if [ "$opt_runtime" = 1 ]; then
|
||||
dmesg_grep="Kernel/User page tables isolation: enabled"
|
||||
dmesg_grep="$dmesg_grep|Kernel page table isolation enabled"
|
||||
dmesg_grep="$dmesg_grep|x86/pti: Unmapping kernel while in userspace"
|
||||
@@ -150,7 +150,7 @@ check_CVE_2017_5754_linux() {
|
||||
pstatus yellow NO
|
||||
fi
|
||||
else
|
||||
pstatus blue N/A "not testable in offline mode"
|
||||
pstatus blue N/A "not testable in no-runtime mode"
|
||||
fi
|
||||
|
||||
pti_performance_check
|
||||
@@ -167,7 +167,7 @@ check_CVE_2017_5754_linux() {
|
||||
is_xen_dom0 && xen_pv_domo=1
|
||||
is_xen_domU && xen_pv_domu=1
|
||||
|
||||
if [ "$opt_live" = 1 ]; then
|
||||
if [ "$opt_runtime" = 1 ]; then
|
||||
# checking whether we're running under Xen PV 64 bits. If yes, we are affected by affected_variant3
|
||||
# (unless we are a Dom0)
|
||||
pr_info_nol "* Running as a Xen PV DomU: "
|
||||
@@ -183,7 +183,7 @@ check_CVE_2017_5754_linux() {
|
||||
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
|
||||
elif [ -z "$msg" ]; then
|
||||
# if msg is empty, sysfs check didn't fill it, rely on our own test
|
||||
if [ "$opt_live" = 1 ]; then
|
||||
if [ "$opt_runtime" = 1 ]; then
|
||||
if [ "$kpti_enabled" = 1 ]; then
|
||||
pvulnstatus "$cve" OK "PTI mitigates the vulnerability"
|
||||
elif [ "$xen_pv_domo" = 1 ]; then
|
||||
@@ -209,12 +209,12 @@ check_CVE_2017_5754_linux() {
|
||||
fi
|
||||
else
|
||||
if [ -n "$kpti_support" ]; then
|
||||
pvulnstatus "$cve" OK "offline mode: PTI will mitigate the vulnerability if enabled at runtime"
|
||||
pvulnstatus "$cve" OK "no-runtime mode: PTI will mitigate the vulnerability if enabled at runtime"
|
||||
elif [ "$kpti_can_tell" = 1 ]; then
|
||||
pvulnstatus "$cve" VULN "PTI is needed to mitigate the vulnerability"
|
||||
explain "If you're using a distro kernel, upgrade your distro to get the latest kernel available. Otherwise, recompile the kernel with the CONFIG_(MITIGATION_)PAGE_TABLE_ISOLATION option (named CONFIG_KAISER for some kernels), or the CONFIG_UNMAP_KERNEL_AT_EL0 option (for ARM64)"
|
||||
else
|
||||
pvulnstatus "$cve" UNK "offline mode: not enough information"
|
||||
pvulnstatus "$cve" UNK "no-runtime mode: not enough information"
|
||||
explain "Re-run this script with root privileges, and give it the kernel image (--kernel), the kernel configuration (--config) and the System.map file (--map) corresponding to the kernel you would like to inspect."
|
||||
fi
|
||||
fi
|
||||
|
||||
@@ -36,7 +36,7 @@ check_CVE_2018_12207_linux() {
|
||||
fi
|
||||
|
||||
pr_info_nol "* iTLB Multihit mitigation enabled and active: "
|
||||
if [ "$opt_live" = 1 ]; then
|
||||
if [ "$opt_runtime" = 1 ]; then
|
||||
if [ -n "$ret_sys_interface_check_fullmsg" ]; then
|
||||
if echo "$ret_sys_interface_check_fullmsg" | grep -qF 'Mitigation'; then
|
||||
pstatus green YES "$ret_sys_interface_check_fullmsg"
|
||||
@@ -47,7 +47,7 @@ check_CVE_2018_12207_linux() {
|
||||
pstatus yellow NO "itlb_multihit not found in sysfs hierarchy"
|
||||
fi
|
||||
else
|
||||
pstatus blue N/A "not testable in offline mode"
|
||||
pstatus blue N/A "not testable in no-runtime mode"
|
||||
fi
|
||||
elif [ "$sys_interface_available" = 0 ]; then
|
||||
# we have no sysfs but were asked to use it only!
|
||||
@@ -63,7 +63,7 @@ check_CVE_2018_12207_linux() {
|
||||
elif [ -z "$msg" ]; then
|
||||
# if msg is empty, sysfs check didn't fill it, rely on our own test
|
||||
if [ "$opt_sysfs_only" != 1 ]; then
|
||||
if [ "$opt_live" = 1 ]; then
|
||||
if [ "$opt_runtime" = 1 ]; then
|
||||
# if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old
|
||||
pvulnstatus "$cve" VULN "Your kernel doesn't support iTLB Multihit mitigation, update it"
|
||||
else
|
||||
|
||||
@@ -37,7 +37,7 @@ check_CVE_2018_3620_linux() {
|
||||
fi
|
||||
|
||||
pr_info_nol "* PTE inversion enabled and active: "
|
||||
if [ "$opt_live" = 1 ]; then
|
||||
if [ "$opt_runtime" = 1 ]; then
|
||||
if [ -n "$ret_sys_interface_check_fullmsg" ]; then
|
||||
if echo "$ret_sys_interface_check_fullmsg" | grep -q 'Mitigation: PTE Inversion'; then
|
||||
pstatus green YES
|
||||
@@ -51,7 +51,7 @@ check_CVE_2018_3620_linux() {
|
||||
pteinv_active=-1
|
||||
fi
|
||||
else
|
||||
pstatus blue N/A "not testable in offline mode"
|
||||
pstatus blue N/A "not testable in no-runtime mode"
|
||||
fi
|
||||
elif [ "$sys_interface_available" = 0 ]; then
|
||||
# we have no sysfs but were asked to use it only!
|
||||
@@ -66,7 +66,7 @@ check_CVE_2018_3620_linux() {
|
||||
# if msg is empty, sysfs check didn't fill it, rely on our own test
|
||||
if [ "$opt_sysfs_only" != 1 ]; then
|
||||
if [ "$pteinv_supported" = 1 ]; then
|
||||
if [ "$pteinv_active" = 1 ] || [ "$opt_live" != 1 ]; then
|
||||
if [ "$pteinv_active" = 1 ] || [ "$opt_runtime" != 1 ]; then
|
||||
pvulnstatus "$cve" OK "PTE inversion mitigates the vulnerability"
|
||||
else
|
||||
pvulnstatus "$cve" VULN "Your kernel supports PTE inversion but it doesn't seem to be enabled"
|
||||
|
||||
@@ -18,7 +18,7 @@ check_CVE_2018_3639_linux() {
|
||||
fi
|
||||
if [ "$opt_sysfs_only" != 1 ]; then
|
||||
pr_info_nol "* Kernel supports disabling speculative store bypass (SSB): "
|
||||
if [ "$opt_live" = 1 ]; then
|
||||
if [ "$opt_runtime" = 1 ]; then
|
||||
if grep -Eq 'Speculation.?Store.?Bypass:' "$g_procfs/self/status" 2>/dev/null; then
|
||||
kernel_ssb="found in $g_procfs/self/status"
|
||||
pr_debug "found Speculation.Store.Bypass: in $g_procfs/self/status"
|
||||
@@ -57,7 +57,7 @@ check_CVE_2018_3639_linux() {
|
||||
fi
|
||||
|
||||
kernel_ssbd_enabled=-1
|
||||
if [ "$opt_live" = 1 ]; then
|
||||
if [ "$opt_runtime" = 1 ]; then
|
||||
# https://elixir.bootlin.com/linux/v5.0/source/fs/proc/array.c#L340
|
||||
pr_info_nol "* SSB mitigation is enabled and active: "
|
||||
if grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$g_procfs/self/status" 2>/dev/null; then
|
||||
@@ -106,7 +106,7 @@ check_CVE_2018_3639_linux() {
|
||||
# if msg is empty, sysfs check didn't fill it, rely on our own test
|
||||
if [ -n "$cap_ssbd" ]; then
|
||||
if [ -n "$kernel_ssb" ]; then
|
||||
if [ "$opt_live" = 1 ]; then
|
||||
if [ "$opt_runtime" = 1 ]; then
|
||||
if [ "$kernel_ssbd_enabled" -gt 0 ]; then
|
||||
pvulnstatus "$cve" OK "your CPU and kernel both support SSBD and mitigation is enabled"
|
||||
else
|
||||
|
||||
@@ -11,7 +11,7 @@ check_CVE_2018_3640() {
|
||||
sys_interface_available=0
|
||||
msg=''
|
||||
|
||||
# Detect whether the target kernel is ARM64, for both live and offline modes.
|
||||
# Detect whether the target kernel is ARM64, for both live and no-runtime modes.
|
||||
# In offline cross-inspection (x86 host, ARM kernel), cpu_vendor reflects the host,
|
||||
# so also check for arm64_sys_ symbols (same pattern used in CVE-2018-3639).
|
||||
is_arm64_kernel=0
|
||||
|
||||
@@ -69,7 +69,7 @@ check_CVE_2018_3646_linux() {
|
||||
pr_info "* Mitigation 1 (KVM)"
|
||||
pr_info_nol " * EPT is disabled: "
|
||||
ept_disabled=-1
|
||||
if [ "$opt_live" = 1 ]; then
|
||||
if [ "$opt_runtime" = 1 ]; then
|
||||
if ! [ -r "$SYS_MODULE_BASE/kvm_intel/parameters/ept" ]; then
|
||||
pstatus blue N/A "the kvm_intel module is not loaded"
|
||||
elif [ "$(cat "$SYS_MODULE_BASE/kvm_intel/parameters/ept")" = N ]; then
|
||||
@@ -79,12 +79,12 @@ check_CVE_2018_3646_linux() {
|
||||
pstatus yellow NO
|
||||
fi
|
||||
else
|
||||
pstatus blue N/A "not testable in offline mode"
|
||||
pstatus blue N/A "not testable in no-runtime mode"
|
||||
fi
|
||||
|
||||
pr_info "* Mitigation 2"
|
||||
pr_info_nol " * L1D flush is supported by kernel: "
|
||||
if [ "$opt_live" = 1 ] && grep -qw flush_l1d "$g_procfs/cpuinfo"; then
|
||||
if [ "$opt_runtime" = 1 ] && grep -qw flush_l1d "$g_procfs/cpuinfo"; then
|
||||
l1d_kernel="found flush_l1d in $g_procfs/cpuinfo"
|
||||
fi
|
||||
if [ -z "$l1d_kernel" ]; then
|
||||
@@ -106,7 +106,7 @@ check_CVE_2018_3646_linux() {
|
||||
fi
|
||||
|
||||
pr_info_nol " * L1D flush enabled: "
|
||||
if [ "$opt_live" = 1 ]; then
|
||||
if [ "$opt_runtime" = 1 ]; then
|
||||
if [ -n "$ret_sys_interface_check_fullmsg" ]; then
|
||||
# vanilla: VMX: $l1dstatus, SMT $smtstatus
|
||||
# Red Hat: VMX: SMT $smtstatus, L1D $l1dstatus
|
||||
@@ -152,18 +152,18 @@ check_CVE_2018_3646_linux() {
|
||||
fi
|
||||
else
|
||||
l1d_mode=-1
|
||||
pstatus blue N/A "not testable in offline mode"
|
||||
pstatus blue N/A "not testable in no-runtime mode"
|
||||
fi
|
||||
|
||||
pr_info_nol " * Hardware-backed L1D flush supported: "
|
||||
if [ "$opt_live" = 1 ]; then
|
||||
if [ "$opt_runtime" = 1 ]; then
|
||||
if grep -qw flush_l1d "$g_procfs/cpuinfo" || [ -n "$l1d_xen_hardware" ]; then
|
||||
pstatus green YES "performance impact of the mitigation will be greatly reduced"
|
||||
else
|
||||
pstatus blue NO "flush will be done in software, this is slower"
|
||||
fi
|
||||
else
|
||||
pstatus blue N/A "not testable in offline mode"
|
||||
pstatus blue N/A "not testable in no-runtime mode"
|
||||
fi
|
||||
|
||||
pr_info_nol " * Hyper-Threading (SMT) is enabled: "
|
||||
|
||||
@@ -33,7 +33,7 @@ check_CVE_2019_11135_linux() {
|
||||
fi
|
||||
|
||||
pr_info_nol "* TAA mitigation enabled and active: "
|
||||
if [ "$opt_live" = 1 ]; then
|
||||
if [ "$opt_runtime" = 1 ]; then
|
||||
if [ -n "$ret_sys_interface_check_fullmsg" ]; then
|
||||
if echo "$ret_sys_interface_check_fullmsg" | grep -qE '^Mitigation'; then
|
||||
pstatus green YES "$ret_sys_interface_check_fullmsg"
|
||||
@@ -44,7 +44,7 @@ check_CVE_2019_11135_linux() {
|
||||
pstatus yellow NO "tsx_async_abort not found in sysfs hierarchy"
|
||||
fi
|
||||
else
|
||||
pstatus blue N/A "not testable in offline mode"
|
||||
pstatus blue N/A "not testable in no-runtime mode"
|
||||
fi
|
||||
elif [ "$sys_interface_available" = 0 ]; then
|
||||
# we have no sysfs but were asked to use it only!
|
||||
@@ -57,7 +57,7 @@ check_CVE_2019_11135_linux() {
|
||||
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
|
||||
elif [ -z "$msg" ]; then
|
||||
# if msg is empty, sysfs check didn't fill it, rely on our own test
|
||||
if [ "$opt_live" = 1 ]; then
|
||||
if [ "$opt_runtime" = 1 ]; then
|
||||
# if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old
|
||||
pvulnstatus "$cve" VULN "Your kernel doesn't support TAA mitigation, update it"
|
||||
else
|
||||
|
||||
@@ -32,7 +32,7 @@ check_CVE_2020_0543_linux() {
|
||||
pstatus yellow NO
|
||||
fi
|
||||
pr_info_nol "* SRBDS mitigation control is enabled and active: "
|
||||
if [ "$opt_live" = 1 ]; then
|
||||
if [ "$opt_runtime" = 1 ]; then
|
||||
if [ -n "$ret_sys_interface_check_fullmsg" ]; then
|
||||
if echo "$ret_sys_interface_check_fullmsg" | grep -qE '^Mitigation'; then
|
||||
pstatus green YES "$ret_sys_interface_check_fullmsg"
|
||||
@@ -43,7 +43,7 @@ check_CVE_2020_0543_linux() {
|
||||
pstatus yellow NO "SRBDS not found in sysfs hierarchy"
|
||||
fi
|
||||
else
|
||||
pstatus blue N/A "not testable in offline mode"
|
||||
pstatus blue N/A "not testable in no-runtime mode"
|
||||
fi
|
||||
elif [ "$sys_interface_available" = 0 ]; then
|
||||
# we have no sysfs but were asked to use it only!
|
||||
@@ -61,7 +61,7 @@ check_CVE_2020_0543_linux() {
|
||||
# SRBDS mitigation control is enabled
|
||||
if [ -z "$msg" ]; then
|
||||
# if msg is empty, sysfs check didn't fill it, rely on our own test
|
||||
if [ "$opt_live" = 1 ]; then
|
||||
if [ "$opt_runtime" = 1 ]; then
|
||||
# if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old
|
||||
pvulnstatus "$cve" OK "Your microcode is up to date for SRBDS mitigation control. The kernel needs to be updated"
|
||||
fi
|
||||
@@ -75,7 +75,7 @@ check_CVE_2020_0543_linux() {
|
||||
elif [ "$cap_srbds_on" = 0 ]; then
|
||||
# SRBDS mitigation control is disabled
|
||||
if [ -z "$msg" ]; then
|
||||
if [ "$opt_live" = 1 ]; then
|
||||
if [ "$opt_runtime" = 1 ]; then
|
||||
# if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old
|
||||
pvulnstatus "$cve" VULN "Your microcode is up to date for SRBDS mitigation control. The kernel needs to be updated. Mitigation is disabled"
|
||||
fi
|
||||
|
||||
@@ -174,14 +174,14 @@ check_CVE_2022_29900_linux() {
|
||||
# Zen/Zen+/Zen2: check IBPB microcode support and SMT
|
||||
if [ "$cpu_family" = $((0x17)) ]; then
|
||||
pr_info_nol "* CPU supports IBPB: "
|
||||
if [ "$opt_live" = 1 ]; then
|
||||
if [ "$opt_runtime" = 1 ]; then
|
||||
if [ -n "$cap_ibpb" ]; then
|
||||
pstatus green YES "$cap_ibpb"
|
||||
else
|
||||
pstatus yellow NO
|
||||
fi
|
||||
else
|
||||
pstatus blue N/A "not testable in offline mode"
|
||||
pstatus blue N/A "not testable in no-runtime mode"
|
||||
fi
|
||||
|
||||
pr_info_nol "* Hyper-Threading (SMT) is enabled: "
|
||||
@@ -217,7 +217,7 @@ check_CVE_2022_29900_linux() {
|
||||
"doesn't fully protect cross-thread speculation."
|
||||
elif [ -z "$kernel_unret" ] && [ -z "$kernel_ibpb_entry" ]; then
|
||||
pvulnstatus "$cve" VULN "Your kernel doesn't have either UNRET_ENTRY or IBPB_ENTRY compiled-in"
|
||||
elif [ "$smt_enabled" = 0 ] && [ -z "$cap_ibpb" ] && [ "$opt_live" = 1 ]; then
|
||||
elif [ "$smt_enabled" = 0 ] && [ -z "$cap_ibpb" ] && [ "$opt_runtime" = 1 ]; then
|
||||
pvulnstatus "$cve" VULN "SMT is enabled and your microcode doesn't support IBPB"
|
||||
explain "Update your CPU microcode to get IBPB support, or disable SMT by adding\n" \
|
||||
"\`nosmt\` to your kernel command line."
|
||||
|
||||
@@ -84,7 +84,7 @@ check_CVE_2022_29901_linux() {
|
||||
fi
|
||||
|
||||
pr_info_nol "* CPU supports Enhanced IBRS (IBRS_ALL): "
|
||||
if [ "$opt_live" = 1 ] || [ "$cap_ibrs_all" != -1 ]; then
|
||||
if [ "$opt_runtime" = 1 ] || [ "$cap_ibrs_all" != -1 ]; then
|
||||
if [ "$cap_ibrs_all" = 1 ]; then
|
||||
pstatus green YES
|
||||
elif [ "$cap_ibrs_all" = 0 ]; then
|
||||
@@ -93,11 +93,11 @@ check_CVE_2022_29901_linux() {
|
||||
pstatus yellow UNKNOWN
|
||||
fi
|
||||
else
|
||||
pstatus blue N/A "not testable in offline mode"
|
||||
pstatus blue N/A "not testable in no-runtime mode"
|
||||
fi
|
||||
|
||||
pr_info_nol "* CPU has RSB Alternate Behavior (RSBA): "
|
||||
if [ "$opt_live" = 1 ] || [ "$cap_rsba" != -1 ]; then
|
||||
if [ "$opt_runtime" = 1 ] || [ "$cap_rsba" != -1 ]; then
|
||||
if [ "$cap_rsba" = 1 ]; then
|
||||
pstatus yellow YES "this CPU is affected by RSB underflow"
|
||||
elif [ "$cap_rsba" = 0 ]; then
|
||||
@@ -106,7 +106,7 @@ check_CVE_2022_29901_linux() {
|
||||
pstatus yellow UNKNOWN
|
||||
fi
|
||||
else
|
||||
pstatus blue N/A "not testable in offline mode"
|
||||
pstatus blue N/A "not testable in no-runtime mode"
|
||||
fi
|
||||
|
||||
elif [ "$sys_interface_available" = 0 ]; then
|
||||
|
||||
@@ -145,7 +145,7 @@ check_CVE_2022_40982_linux() {
|
||||
if [ -n "$kernel_gds" ]; then
|
||||
pr_info_nol "* Kernel has disabled AVX as a mitigation: "
|
||||
|
||||
if [ "$opt_live" = 1 ]; then
|
||||
if [ "$opt_runtime" = 1 ]; then
|
||||
# Check dmesg message to see whether AVX has been disabled
|
||||
dmesg_grep 'Microcode update needed! Disabling AVX as mitigation'
|
||||
dmesgret=$?
|
||||
@@ -172,7 +172,7 @@ check_CVE_2022_40982_linux() {
|
||||
pstatus yellow NO "AVX support is enabled"
|
||||
fi
|
||||
else
|
||||
pstatus blue N/A "not testable in offline mode"
|
||||
pstatus blue N/A "not testable in no-runtime mode"
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
@@ -101,7 +101,7 @@ check_CVE_2023_20588_linux() {
|
||||
pr_info_nol "* DIV0 mitigation enabled and active: "
|
||||
cpuinfo_div0=''
|
||||
dmesg_div0=''
|
||||
if [ "$opt_live" = 1 ]; then
|
||||
if [ "$opt_runtime" = 1 ]; then
|
||||
if [ -e "$g_procfs/cpuinfo" ] && grep -qw 'div0' "$g_procfs/cpuinfo" 2>/dev/null; then
|
||||
cpuinfo_div0=1
|
||||
pstatus green YES "div0 found in $g_procfs/cpuinfo bug flags"
|
||||
@@ -119,7 +119,7 @@ check_CVE_2023_20588_linux() {
|
||||
fi
|
||||
fi
|
||||
else
|
||||
pstatus blue N/A "not testable in offline mode"
|
||||
pstatus blue N/A "not testable in no-runtime mode"
|
||||
fi
|
||||
|
||||
pr_info_nol "* SMT (Simultaneous Multi-Threading) status: "
|
||||
@@ -133,7 +133,7 @@ check_CVE_2023_20588_linux() {
|
||||
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
|
||||
elif [ -z "$msg" ]; then
|
||||
if [ "$opt_sysfs_only" != 1 ]; then
|
||||
if [ "$opt_live" = 1 ]; then
|
||||
if [ "$opt_runtime" = 1 ]; then
|
||||
# live mode: cpuinfo div0 flag is the strongest proof the mitigation is active
|
||||
if [ "$cpuinfo_div0" = 1 ] || [ "$dmesg_div0" = 1 ]; then
|
||||
_cve_2023_20588_pvulnstatus_smt
|
||||
@@ -145,7 +145,7 @@ check_CVE_2023_20588_linux() {
|
||||
_cve_2023_20588_pvulnstatus_no_kernel
|
||||
fi
|
||||
else
|
||||
# offline mode: only kernel image / System.map evidence is available
|
||||
# no-runtime mode: only kernel image / System.map evidence is available
|
||||
if [ -n "$kernel_mitigated" ]; then
|
||||
pvulnstatus "$cve" OK "Mitigation: amd_clear_divider found in kernel image"
|
||||
else
|
||||
|
||||
@@ -28,7 +28,7 @@ check_CVE_2023_20593_linux() {
|
||||
pstatus yellow NO
|
||||
fi
|
||||
pr_info_nol "* Zenbleed kernel mitigation enabled and active: "
|
||||
if [ "$opt_live" = 1 ]; then
|
||||
if [ "$opt_runtime" = 1 ]; then
|
||||
# read the DE_CFG MSR, we want to check the 9th bit
|
||||
# don't do it on non-Zen2 AMD CPUs or later, aka Family 17h,
|
||||
# as the behavior could be unknown on others
|
||||
@@ -53,7 +53,7 @@ check_CVE_2023_20593_linux() {
|
||||
pstatus blue N/A "CPU is incompatible"
|
||||
fi
|
||||
else
|
||||
pstatus blue N/A "not testable in offline mode"
|
||||
pstatus blue N/A "not testable in no-runtime mode"
|
||||
fi
|
||||
|
||||
pr_info_nol "* Zenbleed mitigation is supported by CPU microcode: "
|
||||
@@ -82,7 +82,7 @@ check_CVE_2023_20593_linux() {
|
||||
elif [ -z "$msg" ]; then
|
||||
# if msg is empty, sysfs check didn't fill it, rely on our own test
|
||||
zenbleed_print_vuln=0
|
||||
if [ "$opt_live" = 1 ]; then
|
||||
if [ "$opt_runtime" = 1 ]; then
|
||||
if [ "$fp_backup_fix" = 1 ] && [ "$ucode_zenbleed" = 1 ]; then
|
||||
# this should never happen, but if it does, it's interesting to know
|
||||
pvulnstatus "$cve" OK "Both your CPU microcode and kernel are mitigating Zenbleed"
|
||||
|
||||
@@ -106,7 +106,7 @@ check_CVE_2023_28746_linux() {
|
||||
pstatus yellow NO
|
||||
fi
|
||||
|
||||
if [ "$opt_live" = 1 ] && [ "$sys_interface_available" = 1 ]; then
|
||||
if [ "$opt_runtime" = 1 ] && [ "$sys_interface_available" = 1 ]; then
|
||||
pr_info_nol "* RFDS mitigation is enabled and active: "
|
||||
if echo "$ret_sys_interface_check_fullmsg" | grep -qi '^Mitigation'; then
|
||||
rfds_mitigated=1
|
||||
@@ -129,7 +129,7 @@ check_CVE_2023_28746_linux() {
|
||||
if [ "$opt_sysfs_only" != 1 ]; then
|
||||
if [ "$cap_rfds_clear" = 1 ]; then
|
||||
if [ -n "$kernel_rfds" ]; then
|
||||
if [ "$opt_live" = 1 ]; then
|
||||
if [ "$opt_runtime" = 1 ]; then
|
||||
if [ "$rfds_mitigated" = 1 ]; then
|
||||
pvulnstatus "$cve" OK "Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled"
|
||||
else
|
||||
|
||||
Reference in New Issue
Block a user