enh: --no-runtime and --no-hw modes replacing --live and implicit 'offline' mode
@@ -265,7 +265,7 @@ check_CVE_2017_5715_linux() {
|
||||
g_ibpb_supported=''
|
||||
g_ibpb_enabled=''
|
||||
|
||||
if [ "$opt_live" = 1 ]; then
|
||||
if [ "$opt_runtime" = 1 ]; then
|
||||
# in live mode, we can check for the ibrs_enabled file in debugfs
|
||||
# all versions of the patches have it (NOT the case of IBPB or KPTI)
|
||||
g_ibrs_can_tell=1
|
||||
@@ -416,7 +416,7 @@ check_CVE_2017_5715_linux() {
|
||||
fi
|
||||
|
||||
pr_info_nol " * IBRS enabled and active: "
|
||||
if [ "$opt_live" = 1 ]; then
|
||||
if [ "$opt_runtime" = 1 ]; then
|
||||
if [ "$g_ibpb_enabled" = 2 ]; then
|
||||
# if ibpb=2, ibrs is forcefully=0
|
||||
pstatus blue NO "IBPB used instead of IBRS in all kernel entrypoints"
|
||||
@@ -447,7 +447,7 @@ check_CVE_2017_5715_linux() {
|
||||
esac
|
||||
fi
|
||||
else
|
||||
pstatus blue N/A "not testable in offline mode"
|
||||
pstatus blue N/A "not testable in no-runtime mode"
|
||||
fi
|
||||
|
||||
pr_info_nol " * Kernel is compiled with IBPB support: "
|
||||
@@ -455,8 +455,8 @@ check_CVE_2017_5715_linux() {
|
||||
if [ "$g_ibpb_can_tell" = 1 ]; then
|
||||
pstatus yellow NO
|
||||
else
|
||||
# if we're in offline mode without System.map, we can't really know
|
||||
pstatus yellow UNKNOWN "in offline mode, we need the kernel image to be able to tell"
|
||||
# if we're in no-runtime mode without System.map, we can't really know
|
||||
pstatus yellow UNKNOWN "in no-runtime mode, we need the kernel image to be able to tell"
|
||||
fi
|
||||
else
|
||||
if [ "$opt_verbose" -ge 2 ]; then
|
||||
@@ -467,7 +467,7 @@ check_CVE_2017_5715_linux() {
|
||||
fi
|
||||
|
||||
pr_info_nol " * IBPB enabled and active: "
|
||||
if [ "$opt_live" = 1 ]; then
|
||||
if [ "$opt_runtime" = 1 ]; then
|
||||
case "$g_ibpb_enabled" in
|
||||
"")
|
||||
if [ "$g_ibrs_supported" = 1 ]; then
|
||||
@@ -484,7 +484,7 @@ check_CVE_2017_5715_linux() {
|
||||
*) pstatus yellow UNKNOWN ;;
|
||||
esac
|
||||
else
|
||||
pstatus blue N/A "not testable in offline mode"
|
||||
pstatus blue N/A "not testable in no-runtime mode"
|
||||
fi
|
||||
|
||||
pr_info "* Mitigation 2"
|
||||
@@ -544,7 +544,7 @@ check_CVE_2017_5715_linux() {
|
||||
#
|
||||
# since 5.15.28, this is now "Retpolines" as the implementation was switched to a generic one,
|
||||
# so we look for both "retpoline" and "retpolines"
|
||||
if [ "$opt_live" = 1 ] && [ -n "$ret_sys_interface_check_fullmsg" ]; then
|
||||
if [ "$opt_runtime" = 1 ] && [ -n "$ret_sys_interface_check_fullmsg" ]; then
|
||||
if echo "$ret_sys_interface_check_fullmsg" | grep -qwi -e retpoline -e retpolines; then
|
||||
if echo "$ret_sys_interface_check_fullmsg" | grep -qwi minimal; then
|
||||
retpoline_compiler=0
|
||||
@@ -595,7 +595,7 @@ check_CVE_2017_5715_linux() {
|
||||
|
||||
# only Red Hat has a tunable to disable it on runtime
|
||||
retp_enabled=-1
|
||||
if [ "$opt_live" = 1 ]; then
|
||||
if [ "$opt_runtime" = 1 ]; then
|
||||
if [ -e "$g_specex_knob_dir/retp_enabled" ]; then
|
||||
retp_enabled=$(cat "$g_specex_knob_dir/retp_enabled" 2>/dev/null)
|
||||
pr_debug "retpoline: found $g_specex_knob_dir/retp_enabled=$retp_enabled"
|
||||
@@ -625,7 +625,7 @@ check_CVE_2017_5715_linux() {
|
||||
if is_vulnerable_to_empty_rsb || [ "$opt_verbose" -ge 2 ]; then
|
||||
pr_info_nol " * Kernel supports RSB filling: "
|
||||
rsb_filling=0
|
||||
if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" != 1 ]; then
|
||||
if [ "$opt_runtime" = 1 ] && [ "$opt_no_sysfs" != 1 ]; then
|
||||
# if we're live and we aren't denied looking into /sys, let's do it
|
||||
if echo "$ret_sys_interface_check_fullmsg" | grep -qw RSB; then
|
||||
rsb_filling=1
|
||||
@@ -718,7 +718,7 @@ check_CVE_2017_5715_linux() {
|
||||
*", IBPB"* | *"; IBPB"*) v2_ibpb_mode=conditional ;;
|
||||
*) v2_ibpb_mode=disabled ;;
|
||||
esac
|
||||
elif [ "$opt_live" = 1 ]; then
|
||||
elif [ "$opt_runtime" = 1 ]; then
|
||||
case "$g_ibpb_enabled" in
|
||||
2) v2_ibpb_mode=always-on ;;
|
||||
1) v2_ibpb_mode=conditional ;;
|
||||
@@ -816,7 +816,7 @@ check_CVE_2017_5715_linux() {
|
||||
*"PBRSB-eIBRS: Vulnerable"*) v2_pbrsb_status=vulnerable ;;
|
||||
*) v2_pbrsb_status=unknown ;;
|
||||
esac
|
||||
elif [ "$opt_live" != 1 ] && [ -n "$g_kernel" ]; then
|
||||
elif [ "$opt_runtime" != 1 ] && [ -n "$g_kernel" ]; then
|
||||
if grep -q 'PBRSB-eIBRS' "$g_kernel" 2>/dev/null; then
|
||||
v2_pbrsb_status=sw-sequence
|
||||
else
|
||||
@@ -847,7 +847,7 @@ check_CVE_2017_5715_linux() {
|
||||
*"BHI: Vulnerable"*) v2_bhi_status=vulnerable ;;
|
||||
*) v2_bhi_status=unknown ;;
|
||||
esac
|
||||
elif [ "$opt_live" != 1 ] && [ -n "$opt_config" ] && [ -r "$opt_config" ]; then
|
||||
elif [ "$opt_runtime" != 1 ] && [ -n "$opt_config" ] && [ -r "$opt_config" ]; then
|
||||
if grep -q '^CONFIG_\(MITIGATION_\)\?SPECTRE_BHI' "$opt_config"; then
|
||||
if [ "$cap_bhi" = 1 ]; then
|
||||
v2_bhi_status=bhi_dis_s
|
||||
@@ -871,7 +871,7 @@ check_CVE_2017_5715_linux() {
|
||||
esac
|
||||
|
||||
# --- v2_vuln_module ---
|
||||
if [ "$opt_live" = 1 ] && [ -n "$ret_sys_interface_check_fullmsg" ]; then
|
||||
if [ "$opt_runtime" = 1 ] && [ -n "$ret_sys_interface_check_fullmsg" ]; then
|
||||
pr_info_nol " * Non-retpoline module loaded: "
|
||||
if echo "$ret_sys_interface_check_fullmsg" | grep -q 'vulnerable module loaded'; then
|
||||
v2_vuln_module=1
|
||||
@@ -970,7 +970,7 @@ check_CVE_2017_5715_linux() {
|
||||
if [ -n "${SMC_MOCK_UNPRIVILEGED_BPF_DISABLED:-}" ]; then
|
||||
_ebpf_disabled="$SMC_MOCK_UNPRIVILEGED_BPF_DISABLED"
|
||||
g_mocked=1
|
||||
elif [ "$opt_live" = 1 ] && [ -r "$g_procfs/sys/kernel/unprivileged_bpf_disabled" ]; then
|
||||
elif [ "$opt_runtime" = 1 ] && [ -r "$g_procfs/sys/kernel/unprivileged_bpf_disabled" ]; then
|
||||
_ebpf_disabled=$(cat "$g_procfs/sys/kernel/unprivileged_bpf_disabled" 2>/dev/null)
|
||||
g_mockme=$(printf "%b\n%b" "$g_mockme" "SMC_MOCK_UNPRIVILEGED_BPF_DISABLED='$_ebpf_disabled'")
|
||||
fi
|
||||
@@ -1158,18 +1158,18 @@ check_CVE_2017_5715_linux() {
|
||||
pvulnstatus "$cve" OK "Full IBPB is mitigating the vulnerability"
|
||||
|
||||
# Offline mode fallback
|
||||
elif [ "$opt_live" != 1 ]; then
|
||||
elif [ "$opt_runtime" != 1 ]; then
|
||||
if [ "$retpoline" = 1 ] && [ -n "$g_ibpb_supported" ]; then
|
||||
pvulnstatus "$cve" OK "offline mode: kernel supports retpoline + IBPB to mitigate the vulnerability"
|
||||
pvulnstatus "$cve" OK "no-runtime mode: kernel supports retpoline + IBPB to mitigate the vulnerability"
|
||||
elif [ -n "$g_ibrs_supported" ] && [ -n "$g_ibpb_supported" ]; then
|
||||
pvulnstatus "$cve" OK "offline mode: kernel supports IBRS + IBPB to mitigate the vulnerability"
|
||||
pvulnstatus "$cve" OK "no-runtime mode: kernel supports IBRS + IBPB to mitigate the vulnerability"
|
||||
elif [ "$cap_ibrs_all" = 1 ] || [ "$cap_autoibrs" = 1 ]; then
|
||||
pvulnstatus "$cve" OK "offline mode: CPU supports Enhanced / Automatic IBRS"
|
||||
pvulnstatus "$cve" OK "no-runtime mode: CPU supports Enhanced / Automatic IBRS"
|
||||
# CONFIG_MITIGATION_SPECTRE_V2 (v6.12+): top-level on/off for all Spectre V2 mitigations
|
||||
elif [ -n "$opt_config" ] && [ -r "$opt_config" ] && grep -q '^CONFIG_MITIGATION_SPECTRE_V2=y' "$opt_config"; then
|
||||
pvulnstatus "$cve" OK "offline mode: kernel has Spectre V2 mitigation framework enabled (CONFIG_MITIGATION_SPECTRE_V2)"
|
||||
pvulnstatus "$cve" OK "no-runtime mode: kernel has Spectre V2 mitigation framework enabled (CONFIG_MITIGATION_SPECTRE_V2)"
|
||||
elif [ "$g_ibrs_can_tell" != 1 ]; then
|
||||
pvulnstatus "$cve" UNK "offline mode: not enough information"
|
||||
pvulnstatus "$cve" UNK "no-runtime mode: not enough information"
|
||||
explain "Re-run this script with root privileges, and give it the kernel image (--kernel), the kernel configuration (--config) and the System.map file (--map) corresponding to the kernel you would like to inspect."
|
||||
fi
|
||||
fi
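Review bot: The comment `# Offline mode fallback` directly above the `elif [ "$opt_runtime" != 1 ]; then` branch in the @@ -1158 hunk keeps the old name even though every pvulnstatus message in that branch was changed to "no-runtime mode"; change it to `# No-runtime mode fallback`. The same stale wording survives as context in the @@ -265 hunk (`# in live mode, we can check for the ibrs_enabled file in debugfs`) and the @@ -625 hunk (`# if we're live and we aren't denied looking into /sys, let's do it`), both of which now sit under `opt_runtime` checks, while the @@ -455 hunk shows the intended style (`# if we're in no-runtime mode without System.map, we can't really know`). The explain line in the fallback branch still tells the user to re-run with root privileges, which may be misleading when no-runtime mode was chosen explicitly rather than forced by missing privileges; this depends on how the new options are parsed, which is outside these hunks. check_CVE_2017_5715_linux starts and ends outside all of the hunks shown.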
|
||||
|
||||