peter/spectre-meltdown-checker
1
0
Fork 0
mirror of https://github.com/speed47/spectre-meltdown-checker.git synced 2026-04-09 10:13:18 +02:00
Code Issues Projects Releases Wiki Activity

enh: --no-runtime and --no-hw modes replacing --live and implicit 'offline' mode

Browse Source
This commit is contained in:
Stéphane Lesimple
2026-04-08 20:53:00 +02:00
parent 3f7e0a11f7
commit b9c203120b
23 changed files with 135 additions and 118 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
src/libs/002_core_globals.sh
View File

@@ -4,26 +4,29 @@ show_usage() {
# shellcheck disable=SC2086 # shellcheck disable=SC2086
cat <<EOF cat <<EOF
Usage: Usage:
Live mode (auto): $(basename $0) [options] Live mode: $(basename $0) [options] [--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]
Live mode (manual): $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live No-runtime: $(basename $0) [options] --no-runtime <--kernel <kimage>> [--config <kconfig>] [--map <mapfile>]
Offline mode: $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> No-hw: $(basename $0) [options] --no-hw <--kernel <kimage>> [--config <kconfig>] [--map <mapfile>]
Modes: Modes:
Two modes are available. Three modes are available.
First mode is the "live" mode (default), it does its best to find information about the currently running kernel. First mode is the "live" mode (default), it does its best to find information about the currently
To run under this mode, just start the script without any option (you can also use --live explicitly) running kernel. To run under this mode, just start the script without any option.
You can optionally specify --kernel, --config, or --map to help the script locate files it
Second mode is the "offline" mode, where you can inspect a non-running kernel. couldn't auto-detect, without changing the mode.
This mode is automatically enabled when you specify the location of the kernel file, config and System.map files:
--kernel kernel_file specify a (possibly compressed) Linux or BSD kernel file --kernel kernel_file specify a (possibly compressed) Linux or BSD kernel file
--config kernel_config specify a kernel config file (Linux only) --config kernel_config specify a kernel config file (Linux only)
--map kernel_map_file specify a kernel System.map file (Linux only) --map kernel_map_file specify a kernel System.map file (Linux only)
If you want to use live mode while specifying the location of the kernel, config or map file yourself, Second mode is "no-runtime" (--no-runtime), where the script inspects the local CPU hardware
you can add --live to the above options, to tell the script to run in live mode instead of the offline mode, but skips all running-kernel artifacts (/sys, /proc, dmesg). Use this when you have a kernel
which is enabled by default when at least one file is specified on the command line. image from another system but want to check it against this CPU.
Third mode is "no-hw" (--no-hw), where the script skips both CPU hardware inspection and
running-kernel artifacts. Use this for pure static analysis of a kernel image, for example
when inspecting an embedded kernel from a different architecture.
Options: Options:
--no-color don't use color codes --no-color don't use color codes
@@ -55,7 +58,8 @@ show_usage() {
--cve CVE specify which CVE you'd like to check, by default all supported CVEs are checked --cve CVE specify which CVE you'd like to check, by default all supported CVEs are checked
can be used multiple times (e.g. --cve CVE-2017-5753 --cve CVE-2020-0543) can be used multiple times (e.g. --cve CVE-2017-5753 --cve CVE-2020-0543)
--hw-only only check for CPU information, don't check for any variant --hw-only only check for CPU information, don't check for any variant
--no-hw skip CPU information and checks, if you're inspecting a kernel not to be run on this host --no-runtime skip running-kernel checks (/sys, /proc, dmesg), still inspect local CPU hardware
--no-hw skip CPU information and running-kernel checks (implies --no-runtime)
--vmm [auto,yes,no] override the detection of the presence of a hypervisor, default: auto --vmm [auto,yes,no] override the detection of the presence of a hypervisor, default: auto
--no-intel-db don't use the builtin Intel DB of affected processors --no-intel-db don't use the builtin Intel DB of affected processors
--allow-msr-write allow probing for write-only MSRs, this might produce kernel logs or be blocked by your system --allow-msr-write allow probing for write-only MSRs, this might produce kernel logs or be blocked by your system
@@ -114,7 +118,7 @@ g_os=$(uname -s)
opt_kernel='' opt_kernel=''
opt_config='' opt_config=''
opt_map='' opt_map=''
opt_live=-1 opt_runtime=1
opt_no_color=0 opt_no_color=0
opt_batch=0 opt_batch=0
opt_batch_format='text' opt_batch_format='text'

20
src/libs/230_util_optparse.sh
View File

@@ -47,7 +47,7 @@ while [ -n "${1:-}" ]; do
opt_arch_prefix="$2" opt_arch_prefix="$2"
shift 2 shift 2
elif [ "$1" = "--live" ]; then elif [ "$1" = "--live" ]; then
opt_live=1 # deprecated, kept for backward compatibility (live is now the default)
shift shift
elif [ "$1" = "--no-color" ]; then elif [ "$1" = "--no-color" ]; then
opt_no_color=1 opt_no_color=1
@@ -74,8 +74,12 @@ while [ -n "${1:-}" ]; do
elif [ "$1" = "--hw-only" ]; then elif [ "$1" = "--hw-only" ]; then
opt_hw_only=1 opt_hw_only=1
shift shift
elif [ "$1" = "--no-runtime" ]; then
opt_runtime=0
shift
elif [ "$1" = "--no-hw" ]; then elif [ "$1" = "--no-hw" ]; then
opt_no_hw=1 opt_no_hw=1
opt_runtime=0
shift shift
elif [ "$1" = "--allow-msr-write" ]; then elif [ "$1" = "--allow-msr-write" ]; then
opt_allow_msr_write=1 opt_allow_msr_write=1
@@ -334,11 +338,13 @@ if [ "$opt_no_hw" = 1 ] && [ "$opt_hw_only" = 1 ]; then
exit 255 exit 255
fi fi
if [ "$opt_live" = -1 ]; then if [ "$opt_runtime" = 0 ] && [ "$opt_sysfs_only" = 1 ]; then
if [ -n "$opt_kernel" ] || [ -n "$opt_config" ] || [ -n "$opt_map" ]; then pr_warn "Incompatible options specified (--no-runtime and --sysfs-only), aborting"
# no --live specified and we have a least one of the kernel/config/map files on the cmdline: offline mode exit 255
opt_live=0
else
opt_live=1
fi fi
if [ "$opt_runtime" = 0 ] && [ -z "$opt_kernel" ] && [ -z "$opt_config" ] && [ -z "$opt_map" ]; then
pr_warn "Option --no-runtime requires at least one of --kernel, --config, or --map"
exit 255
fi fi

12
src/libs/250_output_emitters.sh
View File

@@ -68,10 +68,12 @@ _json_bool() {
_build_json_meta() { _build_json_meta() {
local timestamp mode local timestamp mode
timestamp=$(date -u '+%Y-%m-%dT%H:%M:%SZ' 2>/dev/null || echo "unknown") timestamp=$(date -u '+%Y-%m-%dT%H:%M:%SZ' 2>/dev/null || echo "unknown")
if [ "$opt_live" = 1 ]; then if [ "$opt_no_hw" = 1 ]; then
mode="live" mode="no-hw"
elif [ "$opt_runtime" = 0 ]; then
mode="no-runtime"
else else
mode="offline" mode="live"
fi fi
local run_as_root local run_as_root
if [ "$(id -u)" -eq 0 ]; then if [ "$(id -u)" -eq 0 ]; then
@@ -97,7 +99,7 @@ _build_json_meta() {
# shellcheck disable=SC2034 # shellcheck disable=SC2034
_build_json_system() { _build_json_system() {
local kernel_release kernel_version kernel_arch smt_val local kernel_release kernel_version kernel_arch smt_val
if [ "$opt_live" = 1 ]; then if [ "$opt_runtime" = 1 ]; then
kernel_release=$(uname -r) kernel_release=$(uname -r)
kernel_version=$(uname -v) kernel_version=$(uname -v)
kernel_arch=$(uname -m) kernel_arch=$(uname -m)
@@ -383,7 +385,7 @@ _emit_prometheus() {
# shellcheck disable=SC2034 # shellcheck disable=SC2034
_build_prometheus_system_info() { _build_prometheus_system_info() {
local kernel_release kernel_arch hypervisor_host sys_labels local kernel_release kernel_arch hypervisor_host sys_labels
if [ "$opt_live" = 1 ]; then if [ "$opt_runtime" = 1 ]; then
kernel_release=$(uname -r 2>/dev/null || true) kernel_release=$(uname -r 2>/dev/null || true)
kernel_arch=$(uname -m 2>/dev/null || true) kernel_arch=$(uname -m 2>/dev/null || true)
else else

22
src/libs/400_hw_check.sh
View File

@@ -89,7 +89,7 @@ if [ "$opt_cpu" != all ] && [ "$opt_cpu" -gt "$g_max_core_id" ]; then
exit 255 exit 255
fi fi
if [ "$opt_live" = 1 ]; then if [ "$opt_runtime" = 1 ]; then
pr_info "Checking for vulnerabilities on current system" pr_info "Checking for vulnerabilities on current system"
# try to find the image of the current running kernel # try to find the image of the current running kernel
@@ -251,7 +251,7 @@ else
fi fi
if [ -n "$g_kernel_version" ]; then if [ -n "$g_kernel_version" ]; then
# in live mode, check if the img we found is the correct one # in live mode, check if the img we found is the correct one
if [ "$opt_live" = 1 ]; then if [ "$opt_runtime" = 1 ]; then
pr_verbose "Kernel image is \033[35m$g_kernel_version" pr_verbose "Kernel image is \033[35m$g_kernel_version"
if ! echo "$g_kernel_version" | grep -qF "$(uname -r)"; then if ! echo "$g_kernel_version" | grep -qF "$(uname -r)"; then
pr_warn "Possible discrepancy between your running kernel '$(uname -r)' and the image '$g_kernel_version' we found ($opt_kernel), results might be incorrect" pr_warn "Possible discrepancy between your running kernel '$(uname -r)' and the image '$g_kernel_version' we found ($opt_kernel), results might be incorrect"
@@ -283,7 +283,7 @@ sys_interface_check() {
msg='' msg=''
ret_sys_interface_check_fullmsg='' ret_sys_interface_check_fullmsg=''
if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" = 0 ] && [ -r "$file" ]; then if [ "$opt_runtime" = 1 ] && [ "$opt_no_sysfs" = 0 ] && [ -r "$file" ]; then
: :
else else
g_mockme=$(printf "%b\n%b" "$g_mockme" "SMC_MOCK_SYSFS_$(basename "$file")_RET=1") g_mockme=$(printf "%b\n%b" "$g_mockme" "SMC_MOCK_SYSFS_$(basename "$file")_RET=1")
@@ -352,7 +352,7 @@ sys_interface_check() {
check_kernel_info() { check_kernel_info() {
local config_display local config_display
pr_info "\033[1;34mKernel information\033[0m" pr_info "\033[1;34mKernel information\033[0m"
if [ "$opt_live" = 1 ]; then if [ "$opt_runtime" = 1 ]; then
pr_info "* Kernel is \033[35m$g_os $(uname -r) $(uname -v) $(uname -m)\033[0m" pr_info "* Kernel is \033[35m$g_os $(uname -r) $(uname -v) $(uname -m)\033[0m"
elif [ -n "$g_kernel_version" ]; then elif [ -n "$g_kernel_version" ]; then
pr_info "* Kernel is \033[35m$g_kernel_version\033[0m" pr_info "* Kernel is \033[35m$g_kernel_version\033[0m"
@@ -456,7 +456,7 @@ check_cpu() {
ret=invalid ret=invalid
pstatus yellow NO "unknown CPU" pstatus yellow NO "unknown CPU"
fi fi
if [ -z "$cap_ibrs" ] && [ $ret = $READ_CPUID_RET_ERR ] && [ "$opt_live" = 1 ]; then if [ -z "$cap_ibrs" ] && [ $ret = $READ_CPUID_RET_ERR ] && [ "$opt_runtime" = 1 ]; then
# CPUID device unavailable (e.g. in a VM): fall back to /proc/cpuinfo # CPUID device unavailable (e.g. in a VM): fall back to /proc/cpuinfo
if grep ^flags "$g_procfs/cpuinfo" | grep -qw ibrs; then if grep ^flags "$g_procfs/cpuinfo" | grep -qw ibrs; then
cap_ibrs='IBRS (cpuinfo)' cap_ibrs='IBRS (cpuinfo)'
@@ -533,7 +533,7 @@ check_cpu() {
if [ $ret = $READ_CPUID_RET_OK ]; then if [ $ret = $READ_CPUID_RET_OK ]; then
cap_ibpb='IBPB_SUPPORT' cap_ibpb='IBPB_SUPPORT'
pstatus green YES "IBPB_SUPPORT feature bit" pstatus green YES "IBPB_SUPPORT feature bit"
elif [ $ret = $READ_CPUID_RET_ERR ] && [ "$opt_live" = 1 ] && grep ^flags "$g_procfs/cpuinfo" | grep -qw ibpb; then elif [ $ret = $READ_CPUID_RET_ERR ] && [ "$opt_runtime" = 1 ] && grep ^flags "$g_procfs/cpuinfo" | grep -qw ibpb; then
# CPUID device unavailable (e.g. in a VM): fall back to /proc/cpuinfo # CPUID device unavailable (e.g. in a VM): fall back to /proc/cpuinfo
cap_ibpb='IBPB (cpuinfo)' cap_ibpb='IBPB (cpuinfo)'
pstatus green YES "ibpb flag in $g_procfs/cpuinfo" pstatus green YES "ibpb flag in $g_procfs/cpuinfo"
@@ -604,7 +604,7 @@ check_cpu() {
ret=invalid ret=invalid
pstatus yellow UNKNOWN "unknown CPU" pstatus yellow UNKNOWN "unknown CPU"
fi fi
if [ -z "$cap_stibp" ] && [ $ret = $READ_CPUID_RET_ERR ] && [ "$opt_live" = 1 ]; then if [ -z "$cap_stibp" ] && [ $ret = $READ_CPUID_RET_ERR ] && [ "$opt_runtime" = 1 ]; then
# CPUID device unavailable (e.g. in a VM): fall back to /proc/cpuinfo # CPUID device unavailable (e.g. in a VM): fall back to /proc/cpuinfo
if grep ^flags "$g_procfs/cpuinfo" | grep -qw stibp; then if grep ^flags "$g_procfs/cpuinfo" | grep -qw stibp; then
cap_stibp='STIBP (cpuinfo)' cap_stibp='STIBP (cpuinfo)'
@@ -676,7 +676,7 @@ check_cpu() {
fi fi
fi fi
if [ -z "$cap_ssbd" ] && [ "$ret24" = $READ_CPUID_RET_ERR ] && [ "$ret25" = $READ_CPUID_RET_ERR ] && [ "$opt_live" = 1 ]; then if [ -z "$cap_ssbd" ] && [ "$ret24" = $READ_CPUID_RET_ERR ] && [ "$ret25" = $READ_CPUID_RET_ERR ] && [ "$opt_runtime" = 1 ]; then
# CPUID device unavailable (e.g. in a VM): fall back to /proc/cpuinfo # CPUID device unavailable (e.g. in a VM): fall back to /proc/cpuinfo
if grep ^flags "$g_procfs/cpuinfo" | grep -qw ssbd; then if grep ^flags "$g_procfs/cpuinfo" | grep -qw ssbd; then
cap_ssbd='SSBD (cpuinfo)' cap_ssbd='SSBD (cpuinfo)'
@@ -740,7 +740,7 @@ check_cpu() {
if [ $ret = $READ_CPUID_RET_OK ]; then if [ $ret = $READ_CPUID_RET_OK ]; then
pstatus green YES "L1D flush feature bit" pstatus green YES "L1D flush feature bit"
cap_l1df=1 cap_l1df=1
elif [ $ret = $READ_CPUID_RET_ERR ] && [ "$opt_live" = 1 ] && grep ^flags "$g_procfs/cpuinfo" | grep -qw flush_l1d; then elif [ $ret = $READ_CPUID_RET_ERR ] && [ "$opt_runtime" = 1 ] && grep ^flags "$g_procfs/cpuinfo" | grep -qw flush_l1d; then
# CPUID device unavailable (e.g. in a VM): fall back to /proc/cpuinfo # CPUID device unavailable (e.g. in a VM): fall back to /proc/cpuinfo
pstatus green YES "flush_l1d flag in $g_procfs/cpuinfo" pstatus green YES "flush_l1d flag in $g_procfs/cpuinfo"
cap_l1df=1 cap_l1df=1
@@ -760,7 +760,7 @@ check_cpu() {
if [ $ret = $READ_CPUID_RET_OK ]; then if [ $ret = $READ_CPUID_RET_OK ]; then
cap_md_clear=1 cap_md_clear=1
pstatus green YES "MD_CLEAR feature bit" pstatus green YES "MD_CLEAR feature bit"
elif [ $ret = $READ_CPUID_RET_ERR ] && [ "$opt_live" = 1 ] && grep ^flags "$g_procfs/cpuinfo" | grep -qw md_clear; then elif [ $ret = $READ_CPUID_RET_ERR ] && [ "$opt_runtime" = 1 ] && grep ^flags "$g_procfs/cpuinfo" | grep -qw md_clear; then
# CPUID device unavailable (e.g. in a VM): fall back to /proc/cpuinfo # CPUID device unavailable (e.g. in a VM): fall back to /proc/cpuinfo
cap_md_clear=1 cap_md_clear=1
pstatus green YES "md_clear flag in $g_procfs/cpuinfo" pstatus green YES "md_clear flag in $g_procfs/cpuinfo"
@@ -830,7 +830,7 @@ check_cpu() {
if [ $ret = $READ_CPUID_RET_OK ]; then if [ $ret = $READ_CPUID_RET_OK ]; then
pstatus green YES pstatus green YES
cap_arch_capabilities=1 cap_arch_capabilities=1
elif [ $ret = $READ_CPUID_RET_ERR ] && [ "$opt_live" = 1 ] && grep ^flags "$g_procfs/cpuinfo" | grep -qw arch_capabilities; then elif [ $ret = $READ_CPUID_RET_ERR ] && [ "$opt_runtime" = 1 ] && grep ^flags "$g_procfs/cpuinfo" | grep -qw arch_capabilities; then
# CPUID device unavailable (e.g. in a VM): fall back to /proc/cpuinfo # CPUID device unavailable (e.g. in a VM): fall back to /proc/cpuinfo
pstatus green YES "arch_capabilities flag in $g_procfs/cpuinfo" pstatus green YES "arch_capabilities flag in $g_procfs/cpuinfo"
cap_arch_capabilities=1 cap_arch_capabilities=1

9
src/main.sh
View File

@@ -172,8 +172,13 @@ fi
if [ "$opt_batch" = 1 ] && [ "$opt_batch_format" = "prometheus" ]; then if [ "$opt_batch" = 1 ] && [ "$opt_batch_format" = "prometheus" ]; then
prom_run_as_root='false' prom_run_as_root='false'
[ "$(id -u)" -eq 0 ] && prom_run_as_root='true' [ "$(id -u)" -eq 0 ] && prom_run_as_root='true'
prom_mode='offline' if [ "$opt_no_hw" = 1 ]; then
[ "$opt_live" = 1 ] && prom_mode='live' prom_mode='no-hw'
elif [ "$opt_runtime" = 0 ]; then
prom_mode='no-runtime'
else
prom_mode='live'
fi
prom_paranoid='false' prom_paranoid='false'
[ "$opt_paranoid" = 1 ] && prom_paranoid='true' [ "$opt_paranoid" = 1 ] && prom_paranoid='true'
prom_sysfs_only='false' prom_sysfs_only='false'

12
src/vulns-helpers/check_mds.sh
View File

@@ -3,7 +3,7 @@
check_mds_bsd() { check_mds_bsd() {
local kernel_md_clear kernel_smt_allowed kernel_mds_enabled kernel_mds_state local kernel_md_clear kernel_smt_allowed kernel_mds_enabled kernel_mds_state
pr_info_nol "* Kernel supports using MD_CLEAR mitigation: " pr_info_nol "* Kernel supports using MD_CLEAR mitigation: "
if [ "$opt_live" = 1 ]; then if [ "$opt_runtime" = 1 ]; then
if sysctl hw.mds_disable >/dev/null 2>&1; then if sysctl hw.mds_disable >/dev/null 2>&1; then
pstatus green YES pstatus green YES
kernel_md_clear=1 kernel_md_clear=1
@@ -76,7 +76,7 @@ check_mds_bsd() {
else else
if [ "$cap_md_clear" = 1 ]; then if [ "$cap_md_clear" = 1 ]; then
if [ "$kernel_md_clear" = 1 ]; then if [ "$kernel_md_clear" = 1 ]; then
if [ "$opt_live" = 1 ]; then if [ "$opt_runtime" = 1 ]; then
# mitigation must also be enabled # mitigation must also be enabled
if [ "$kernel_mds_enabled" -ge 1 ]; then if [ "$kernel_mds_enabled" -ge 1 ]; then
if [ "$opt_paranoid" != 1 ] || [ "$kernel_smt_allowed" = 0 ]; then if [ "$opt_paranoid" != 1 ] || [ "$kernel_smt_allowed" = 0 ]; then
@@ -95,7 +95,7 @@ check_mds_bsd() {
pvulnstatus "$cve" VULN "Your microcode supports mitigation, but your kernel doesn't, upgrade it to mitigate the vulnerability" pvulnstatus "$cve" VULN "Your microcode supports mitigation, but your kernel doesn't, upgrade it to mitigate the vulnerability"
fi fi
else else
if [ "$kernel_md_clear" = 1 ] && [ "$opt_live" = 1 ]; then if [ "$kernel_md_clear" = 1 ] && [ "$opt_runtime" = 1 ]; then
# no MD_CLEAR in microcode, but FreeBSD may still have software-only mitigation active # no MD_CLEAR in microcode, but FreeBSD may still have software-only mitigation active
case "$kernel_mds_state" in case "$kernel_mds_state" in
software*) software*)
@@ -135,7 +135,7 @@ check_mds_linux() {
pr_info_nol "* Kernel supports using MD_CLEAR mitigation: " pr_info_nol "* Kernel supports using MD_CLEAR mitigation: "
kernel_md_clear='' kernel_md_clear=''
kernel_md_clear_can_tell=1 kernel_md_clear_can_tell=1
if [ "$opt_live" = 1 ] && grep ^flags "$g_procfs/cpuinfo" | grep -qw md_clear; then if [ "$opt_runtime" = 1 ] && grep ^flags "$g_procfs/cpuinfo" | grep -qw md_clear; then
kernel_md_clear="md_clear found in $g_procfs/cpuinfo" kernel_md_clear="md_clear found in $g_procfs/cpuinfo"
pstatus green YES "$kernel_md_clear" pstatus green YES "$kernel_md_clear"
fi fi
@@ -158,7 +158,7 @@ check_mds_linux() {
fi fi
fi fi
if [ "$opt_live" = 1 ] && [ "$sys_interface_available" = 1 ]; then if [ "$opt_runtime" = 1 ] && [ "$sys_interface_available" = 1 ]; then
pr_info_nol "* Kernel mitigation is enabled and active: " pr_info_nol "* Kernel mitigation is enabled and active: "
if echo "$ret_sys_interface_check_fullmsg" | grep -qi ^mitigation; then if echo "$ret_sys_interface_check_fullmsg" | grep -qi ^mitigation; then
mds_mitigated=1 mds_mitigated=1
@@ -190,7 +190,7 @@ check_mds_linux() {
# compute mystatus and mymsg from our own logic # compute mystatus and mymsg from our own logic
if [ "$cap_md_clear" = 1 ]; then if [ "$cap_md_clear" = 1 ]; then
if [ -n "$kernel_md_clear" ]; then if [ -n "$kernel_md_clear" ]; then
if [ "$opt_live" = 1 ]; then if [ "$opt_runtime" = 1 ]; then
# mitigation must also be enabled # mitigation must also be enabled
if [ "$mds_mitigated" = 1 ]; then if [ "$mds_mitigated" = 1 ]; then
if [ "$opt_paranoid" != 1 ] || [ "$mds_smt_mitigated" = 1 ]; then if [ "$opt_paranoid" != 1 ] || [ "$mds_smt_mitigated" = 1 ]; then

4
src/vulns-helpers/check_mmio.sh
View File

@@ -162,7 +162,7 @@ check_mmio_linux() {
pstatus yellow NO pstatus yellow NO
fi fi
if [ "$opt_live" = 1 ] && [ "$sys_interface_available" = 1 ]; then if [ "$opt_runtime" = 1 ] && [ "$sys_interface_available" = 1 ]; then
pr_info_nol "* Kernel mitigation is enabled and active: " pr_info_nol "* Kernel mitigation is enabled and active: "
if echo "$ret_sys_interface_check_fullmsg" | grep -qi ^mitigation; then if echo "$ret_sys_interface_check_fullmsg" | grep -qi ^mitigation; then
mmio_mitigated=1 mmio_mitigated=1
@@ -194,7 +194,7 @@ check_mmio_linux() {
# compute mystatus and mymsg from our own logic # compute mystatus and mymsg from our own logic
if [ "$cap_fb_clear" = 1 ]; then if [ "$cap_fb_clear" = 1 ]; then
if [ -n "$kernel_mmio" ]; then if [ -n "$kernel_mmio" ]; then
if [ "$opt_live" = 1 ]; then if [ "$opt_runtime" = 1 ]; then
# mitigation must also be enabled # mitigation must also be enabled
if [ "$mmio_mitigated" = 1 ]; then if [ "$mmio_mitigated" = 1 ]; then
if [ "$opt_paranoid" != 1 ] || [ "$mmio_smt_mitigated" = 1 ]; then if [ "$opt_paranoid" != 1 ] || [ "$mmio_smt_mitigated" = 1 ]; then

42
src/vulns/CVE-2017-5715.sh
View File

@@ -265,7 +265,7 @@ check_CVE_2017_5715_linux() {
g_ibpb_supported='' g_ibpb_supported=''
g_ibpb_enabled='' g_ibpb_enabled=''
if [ "$opt_live" = 1 ]; then if [ "$opt_runtime" = 1 ]; then
# in live mode, we can check for the ibrs_enabled file in debugfs # in live mode, we can check for the ibrs_enabled file in debugfs
# all versions of the patches have it (NOT the case of IBPB or KPTI) # all versions of the patches have it (NOT the case of IBPB or KPTI)
g_ibrs_can_tell=1 g_ibrs_can_tell=1
@@ -416,7 +416,7 @@ check_CVE_2017_5715_linux() {
fi fi
pr_info_nol " * IBRS enabled and active: " pr_info_nol " * IBRS enabled and active: "
if [ "$opt_live" = 1 ]; then if [ "$opt_runtime" = 1 ]; then
if [ "$g_ibpb_enabled" = 2 ]; then if [ "$g_ibpb_enabled" = 2 ]; then
# if ibpb=2, ibrs is forcefully=0 # if ibpb=2, ibrs is forcefully=0
pstatus blue NO "IBPB used instead of IBRS in all kernel entrypoints" pstatus blue NO "IBPB used instead of IBRS in all kernel entrypoints"
@@ -447,7 +447,7 @@ check_CVE_2017_5715_linux() {
esac esac
fi fi
else else
pstatus blue N/A "not testable in offline mode" pstatus blue N/A "not testable in no-runtime mode"
fi fi
pr_info_nol " * Kernel is compiled with IBPB support: " pr_info_nol " * Kernel is compiled with IBPB support: "
@@ -455,8 +455,8 @@ check_CVE_2017_5715_linux() {
if [ "$g_ibpb_can_tell" = 1 ]; then if [ "$g_ibpb_can_tell" = 1 ]; then
pstatus yellow NO pstatus yellow NO
else else
# if we're in offline mode without System.map, we can't really know # if we're in no-runtime mode without System.map, we can't really know
pstatus yellow UNKNOWN "in offline mode, we need the kernel image to be able to tell" pstatus yellow UNKNOWN "in no-runtime mode, we need the kernel image to be able to tell"
fi fi
else else
if [ "$opt_verbose" -ge 2 ]; then if [ "$opt_verbose" -ge 2 ]; then
@@ -467,7 +467,7 @@ check_CVE_2017_5715_linux() {
fi fi
pr_info_nol " * IBPB enabled and active: " pr_info_nol " * IBPB enabled and active: "
if [ "$opt_live" = 1 ]; then if [ "$opt_runtime" = 1 ]; then
case "$g_ibpb_enabled" in case "$g_ibpb_enabled" in
"") "")
if [ "$g_ibrs_supported" = 1 ]; then if [ "$g_ibrs_supported" = 1 ]; then
@@ -484,7 +484,7 @@ check_CVE_2017_5715_linux() {
*) pstatus yellow UNKNOWN ;; *) pstatus yellow UNKNOWN ;;
esac esac
else else
pstatus blue N/A "not testable in offline mode" pstatus blue N/A "not testable in no-runtime mode"
fi fi
pr_info "* Mitigation 2" pr_info "* Mitigation 2"
@@ -544,7 +544,7 @@ check_CVE_2017_5715_linux() {
# #
# since 5.15.28, this is now "Retpolines" as the implementation was switched to a generic one, # since 5.15.28, this is now "Retpolines" as the implementation was switched to a generic one,
# so we look for both "retpoline" and "retpolines" # so we look for both "retpoline" and "retpolines"
if [ "$opt_live" = 1 ] && [ -n "$ret_sys_interface_check_fullmsg" ]; then if [ "$opt_runtime" = 1 ] && [ -n "$ret_sys_interface_check_fullmsg" ]; then
if echo "$ret_sys_interface_check_fullmsg" | grep -qwi -e retpoline -e retpolines; then if echo "$ret_sys_interface_check_fullmsg" | grep -qwi -e retpoline -e retpolines; then
if echo "$ret_sys_interface_check_fullmsg" | grep -qwi minimal; then if echo "$ret_sys_interface_check_fullmsg" | grep -qwi minimal; then
retpoline_compiler=0 retpoline_compiler=0
@@ -595,7 +595,7 @@ check_CVE_2017_5715_linux() {
# only Red Hat has a tunable to disable it on runtime # only Red Hat has a tunable to disable it on runtime
retp_enabled=-1 retp_enabled=-1
if [ "$opt_live" = 1 ]; then if [ "$opt_runtime" = 1 ]; then
if [ -e "$g_specex_knob_dir/retp_enabled" ]; then if [ -e "$g_specex_knob_dir/retp_enabled" ]; then
retp_enabled=$(cat "$g_specex_knob_dir/retp_enabled" 2>/dev/null) retp_enabled=$(cat "$g_specex_knob_dir/retp_enabled" 2>/dev/null)
pr_debug "retpoline: found $g_specex_knob_dir/retp_enabled=$retp_enabled" pr_debug "retpoline: found $g_specex_knob_dir/retp_enabled=$retp_enabled"
@@ -625,7 +625,7 @@ check_CVE_2017_5715_linux() {
if is_vulnerable_to_empty_rsb || [ "$opt_verbose" -ge 2 ]; then if is_vulnerable_to_empty_rsb || [ "$opt_verbose" -ge 2 ]; then
pr_info_nol " * Kernel supports RSB filling: " pr_info_nol " * Kernel supports RSB filling: "
rsb_filling=0 rsb_filling=0
if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" != 1 ]; then if [ "$opt_runtime" = 1 ] && [ "$opt_no_sysfs" != 1 ]; then
# if we're live and we aren't denied looking into /sys, let's do it # if we're live and we aren't denied looking into /sys, let's do it
if echo "$ret_sys_interface_check_fullmsg" | grep -qw RSB; then if echo "$ret_sys_interface_check_fullmsg" | grep -qw RSB; then
rsb_filling=1 rsb_filling=1
@@ -718,7 +718,7 @@ check_CVE_2017_5715_linux() {
*", IBPB"* | *"; IBPB"*) v2_ibpb_mode=conditional ;; *", IBPB"* | *"; IBPB"*) v2_ibpb_mode=conditional ;;
*) v2_ibpb_mode=disabled ;; *) v2_ibpb_mode=disabled ;;
esac esac
elif [ "$opt_live" = 1 ]; then elif [ "$opt_runtime" = 1 ]; then
case "$g_ibpb_enabled" in case "$g_ibpb_enabled" in
2) v2_ibpb_mode=always-on ;; 2) v2_ibpb_mode=always-on ;;
1) v2_ibpb_mode=conditional ;; 1) v2_ibpb_mode=conditional ;;
@@ -816,7 +816,7 @@ check_CVE_2017_5715_linux() {
*"PBRSB-eIBRS: Vulnerable"*) v2_pbrsb_status=vulnerable ;; *"PBRSB-eIBRS: Vulnerable"*) v2_pbrsb_status=vulnerable ;;
*) v2_pbrsb_status=unknown ;; *) v2_pbrsb_status=unknown ;;
esac esac
elif [ "$opt_live" != 1 ] && [ -n "$g_kernel" ]; then elif [ "$opt_runtime" != 1 ] && [ -n "$g_kernel" ]; then
if grep -q 'PBRSB-eIBRS' "$g_kernel" 2>/dev/null; then if grep -q 'PBRSB-eIBRS' "$g_kernel" 2>/dev/null; then
v2_pbrsb_status=sw-sequence v2_pbrsb_status=sw-sequence
else else
@@ -847,7 +847,7 @@ check_CVE_2017_5715_linux() {
*"BHI: Vulnerable"*) v2_bhi_status=vulnerable ;; *"BHI: Vulnerable"*) v2_bhi_status=vulnerable ;;
*) v2_bhi_status=unknown ;; *) v2_bhi_status=unknown ;;
esac esac
elif [ "$opt_live" != 1 ] && [ -n "$opt_config" ] && [ -r "$opt_config" ]; then elif [ "$opt_runtime" != 1 ] && [ -n "$opt_config" ] && [ -r "$opt_config" ]; then
if grep -q '^CONFIG_\(MITIGATION_\)\?SPECTRE_BHI' "$opt_config"; then if grep -q '^CONFIG_\(MITIGATION_\)\?SPECTRE_BHI' "$opt_config"; then
if [ "$cap_bhi" = 1 ]; then if [ "$cap_bhi" = 1 ]; then
v2_bhi_status=bhi_dis_s v2_bhi_status=bhi_dis_s
@@ -871,7 +871,7 @@ check_CVE_2017_5715_linux() {
esac esac
# --- v2_vuln_module --- # --- v2_vuln_module ---
if [ "$opt_live" = 1 ] && [ -n "$ret_sys_interface_check_fullmsg" ]; then if [ "$opt_runtime" = 1 ] && [ -n "$ret_sys_interface_check_fullmsg" ]; then
pr_info_nol " * Non-retpoline module loaded: " pr_info_nol " * Non-retpoline module loaded: "
if echo "$ret_sys_interface_check_fullmsg" | grep -q 'vulnerable module loaded'; then if echo "$ret_sys_interface_check_fullmsg" | grep -q 'vulnerable module loaded'; then
v2_vuln_module=1 v2_vuln_module=1
@@ -970,7 +970,7 @@ check_CVE_2017_5715_linux() {
if [ -n "${SMC_MOCK_UNPRIVILEGED_BPF_DISABLED:-}" ]; then if [ -n "${SMC_MOCK_UNPRIVILEGED_BPF_DISABLED:-}" ]; then
_ebpf_disabled="$SMC_MOCK_UNPRIVILEGED_BPF_DISABLED" _ebpf_disabled="$SMC_MOCK_UNPRIVILEGED_BPF_DISABLED"
g_mocked=1 g_mocked=1
elif [ "$opt_live" = 1 ] && [ -r "$g_procfs/sys/kernel/unprivileged_bpf_disabled" ]; then elif [ "$opt_runtime" = 1 ] && [ -r "$g_procfs/sys/kernel/unprivileged_bpf_disabled" ]; then
_ebpf_disabled=$(cat "$g_procfs/sys/kernel/unprivileged_bpf_disabled" 2>/dev/null) _ebpf_disabled=$(cat "$g_procfs/sys/kernel/unprivileged_bpf_disabled" 2>/dev/null)
g_mockme=$(printf "%b\n%b" "$g_mockme" "SMC_MOCK_UNPRIVILEGED_BPF_DISABLED='$_ebpf_disabled'") g_mockme=$(printf "%b\n%b" "$g_mockme" "SMC_MOCK_UNPRIVILEGED_BPF_DISABLED='$_ebpf_disabled'")
fi fi
@@ -1158,18 +1158,18 @@ check_CVE_2017_5715_linux() {
pvulnstatus "$cve" OK "Full IBPB is mitigating the vulnerability" pvulnstatus "$cve" OK "Full IBPB is mitigating the vulnerability"
# Offline mode fallback # Offline mode fallback
elif [ "$opt_live" != 1 ]; then elif [ "$opt_runtime" != 1 ]; then
if [ "$retpoline" = 1 ] && [ -n "$g_ibpb_supported" ]; then if [ "$retpoline" = 1 ] && [ -n "$g_ibpb_supported" ]; then
pvulnstatus "$cve" OK "offline mode: kernel supports retpoline + IBPB to mitigate the vulnerability" pvulnstatus "$cve" OK "no-runtime mode: kernel supports retpoline + IBPB to mitigate the vulnerability"
elif [ -n "$g_ibrs_supported" ] && [ -n "$g_ibpb_supported" ]; then elif [ -n "$g_ibrs_supported" ] && [ -n "$g_ibpb_supported" ]; then
pvulnstatus "$cve" OK "offline mode: kernel supports IBRS + IBPB to mitigate the vulnerability" pvulnstatus "$cve" OK "no-runtime mode: kernel supports IBRS + IBPB to mitigate the vulnerability"
elif [ "$cap_ibrs_all" = 1 ] || [ "$cap_autoibrs" = 1 ]; then elif [ "$cap_ibrs_all" = 1 ] || [ "$cap_autoibrs" = 1 ]; then
pvulnstatus "$cve" OK "offline mode: CPU supports Enhanced / Automatic IBRS" pvulnstatus "$cve" OK "no-runtime mode: CPU supports Enhanced / Automatic IBRS"
# CONFIG_MITIGATION_SPECTRE_V2 (v6.12+): top-level on/off for all Spectre V2 mitigations # CONFIG_MITIGATION_SPECTRE_V2 (v6.12+): top-level on/off for all Spectre V2 mitigations
elif [ -n "$opt_config" ] && [ -r "$opt_config" ] && grep -q '^CONFIG_MITIGATION_SPECTRE_V2=y' "$opt_config"; then elif [ -n "$opt_config" ] && [ -r "$opt_config" ] && grep -q '^CONFIG_MITIGATION_SPECTRE_V2=y' "$opt_config"; then
pvulnstatus "$cve" OK "offline mode: kernel has Spectre V2 mitigation framework enabled (CONFIG_MITIGATION_SPECTRE_V2)" pvulnstatus "$cve" OK "no-runtime mode: kernel has Spectre V2 mitigation framework enabled (CONFIG_MITIGATION_SPECTRE_V2)"
elif [ "$g_ibrs_can_tell" != 1 ]; then elif [ "$g_ibrs_can_tell" != 1 ]; then
pvulnstatus "$cve" UNK "offline mode: not enough information" pvulnstatus "$cve" UNK "no-runtime mode: not enough information"
explain "Re-run this script with root privileges, and give it the kernel image (--kernel), the kernel configuration (--config) and the System.map file (--map) corresponding to the kernel you would like to inspect." explain "Re-run this script with root privileges, and give it the kernel image (--kernel), the kernel configuration (--config) and the System.map file (--map) corresponding to the kernel you would like to inspect."
fi fi
fi fi

2
src/vulns/CVE-2017-5753.sh
View File

@@ -57,7 +57,7 @@ check_CVE_2017_5753_linux() {
status=$ret_sys_interface_check_status status=$ret_sys_interface_check_status
fi fi
if [ "$opt_sysfs_only" != 1 ]; then if [ "$opt_sysfs_only" != 1 ]; then
# no /sys interface (or offline mode), fallback to our own ways # no /sys interface (or no-runtime mode), fallback to our own ways
# Primary detection: grep for sysfs mitigation strings in the kernel binary. # Primary detection: grep for sysfs mitigation strings in the kernel binary.
# The string "__user pointer sanitization" is present in all kernel versions # The string "__user pointer sanitization" is present in all kernel versions

12
src/vulns/CVE-2017-5754.sh
View File

@@ -104,7 +104,7 @@ check_CVE_2017_5754_linux() {
mount_debugfs mount_debugfs
pr_info_nol " * PTI enabled and active: " pr_info_nol " * PTI enabled and active: "
if [ "$opt_live" = 1 ]; then if [ "$opt_runtime" = 1 ]; then
dmesg_grep="Kernel/User page tables isolation: enabled" dmesg_grep="Kernel/User page tables isolation: enabled"
dmesg_grep="$dmesg_grep|Kernel page table isolation enabled" dmesg_grep="$dmesg_grep|Kernel page table isolation enabled"
dmesg_grep="$dmesg_grep|x86/pti: Unmapping kernel while in userspace" dmesg_grep="$dmesg_grep|x86/pti: Unmapping kernel while in userspace"
@@ -150,7 +150,7 @@ check_CVE_2017_5754_linux() {
pstatus yellow NO pstatus yellow NO
fi fi
else else
pstatus blue N/A "not testable in offline mode" pstatus blue N/A "not testable in no-runtime mode"
fi fi
pti_performance_check pti_performance_check
@@ -167,7 +167,7 @@ check_CVE_2017_5754_linux() {
is_xen_dom0 && xen_pv_domo=1 is_xen_dom0 && xen_pv_domo=1
is_xen_domU && xen_pv_domu=1 is_xen_domU && xen_pv_domu=1
if [ "$opt_live" = 1 ]; then if [ "$opt_runtime" = 1 ]; then
# checking whether we're running under Xen PV 64 bits. If yes, we are affected by affected_variant3 # checking whether we're running under Xen PV 64 bits. If yes, we are affected by affected_variant3
# (unless we are a Dom0) # (unless we are a Dom0)
pr_info_nol "* Running as a Xen PV DomU: " pr_info_nol "* Running as a Xen PV DomU: "
@@ -183,7 +183,7 @@ check_CVE_2017_5754_linux() {
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected" pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
elif [ -z "$msg" ]; then elif [ -z "$msg" ]; then
# if msg is empty, sysfs check didn't fill it, rely on our own test # if msg is empty, sysfs check didn't fill it, rely on our own test
if [ "$opt_live" = 1 ]; then if [ "$opt_runtime" = 1 ]; then
if [ "$kpti_enabled" = 1 ]; then if [ "$kpti_enabled" = 1 ]; then
pvulnstatus "$cve" OK "PTI mitigates the vulnerability" pvulnstatus "$cve" OK "PTI mitigates the vulnerability"
elif [ "$xen_pv_domo" = 1 ]; then elif [ "$xen_pv_domo" = 1 ]; then
@@ -209,12 +209,12 @@ check_CVE_2017_5754_linux() {
fi fi
else else
if [ -n "$kpti_support" ]; then if [ -n "$kpti_support" ]; then
pvulnstatus "$cve" OK "offline mode: PTI will mitigate the vulnerability if enabled at runtime" pvulnstatus "$cve" OK "no-runtime mode: PTI will mitigate the vulnerability if enabled at runtime"
elif [ "$kpti_can_tell" = 1 ]; then elif [ "$kpti_can_tell" = 1 ]; then
pvulnstatus "$cve" VULN "PTI is needed to mitigate the vulnerability" pvulnstatus "$cve" VULN "PTI is needed to mitigate the vulnerability"
explain "If you're using a distro kernel, upgrade your distro to get the latest kernel available. Otherwise, recompile the kernel with the CONFIG_(MITIGATION_)PAGE_TABLE_ISOLATION option (named CONFIG_KAISER for some kernels), or the CONFIG_UNMAP_KERNEL_AT_EL0 option (for ARM64)" explain "If you're using a distro kernel, upgrade your distro to get the latest kernel available. Otherwise, recompile the kernel with the CONFIG_(MITIGATION_)PAGE_TABLE_ISOLATION option (named CONFIG_KAISER for some kernels), or the CONFIG_UNMAP_KERNEL_AT_EL0 option (for ARM64)"
else else
pvulnstatus "$cve" UNK "offline mode: not enough information" pvulnstatus "$cve" UNK "no-runtime mode: not enough information"
explain "Re-run this script with root privileges, and give it the kernel image (--kernel), the kernel configuration (--config) and the System.map file (--map) corresponding to the kernel you would like to inspect." explain "Re-run this script with root privileges, and give it the kernel image (--kernel), the kernel configuration (--config) and the System.map file (--map) corresponding to the kernel you would like to inspect."
fi fi
fi fi

6
src/vulns/CVE-2018-12207.sh
View File

@@ -36,7 +36,7 @@ check_CVE_2018_12207_linux() {
fi fi
pr_info_nol "* iTLB Multihit mitigation enabled and active: " pr_info_nol "* iTLB Multihit mitigation enabled and active: "
if [ "$opt_live" = 1 ]; then if [ "$opt_runtime" = 1 ]; then
if [ -n "$ret_sys_interface_check_fullmsg" ]; then if [ -n "$ret_sys_interface_check_fullmsg" ]; then
if echo "$ret_sys_interface_check_fullmsg" | grep -qF 'Mitigation'; then if echo "$ret_sys_interface_check_fullmsg" | grep -qF 'Mitigation'; then
pstatus green YES "$ret_sys_interface_check_fullmsg" pstatus green YES "$ret_sys_interface_check_fullmsg"
@@ -47,7 +47,7 @@ check_CVE_2018_12207_linux() {
pstatus yellow NO "itlb_multihit not found in sysfs hierarchy" pstatus yellow NO "itlb_multihit not found in sysfs hierarchy"
fi fi
else else
pstatus blue N/A "not testable in offline mode" pstatus blue N/A "not testable in no-runtime mode"
fi fi
elif [ "$sys_interface_available" = 0 ]; then elif [ "$sys_interface_available" = 0 ]; then
# we have no sysfs but were asked to use it only! # we have no sysfs but were asked to use it only!
@@ -63,7 +63,7 @@ check_CVE_2018_12207_linux() {
elif [ -z "$msg" ]; then elif [ -z "$msg" ]; then
# if msg is empty, sysfs check didn't fill it, rely on our own test # if msg is empty, sysfs check didn't fill it, rely on our own test
if [ "$opt_sysfs_only" != 1 ]; then if [ "$opt_sysfs_only" != 1 ]; then
if [ "$opt_live" = 1 ]; then if [ "$opt_runtime" = 1 ]; then
# if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old # if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old
pvulnstatus "$cve" VULN "Your kernel doesn't support iTLB Multihit mitigation, update it" pvulnstatus "$cve" VULN "Your kernel doesn't support iTLB Multihit mitigation, update it"
else else

6
src/vulns/CVE-2018-3620.sh
View File

@@ -37,7 +37,7 @@ check_CVE_2018_3620_linux() {
fi fi
pr_info_nol "* PTE inversion enabled and active: " pr_info_nol "* PTE inversion enabled and active: "
if [ "$opt_live" = 1 ]; then if [ "$opt_runtime" = 1 ]; then
if [ -n "$ret_sys_interface_check_fullmsg" ]; then if [ -n "$ret_sys_interface_check_fullmsg" ]; then
if echo "$ret_sys_interface_check_fullmsg" | grep -q 'Mitigation: PTE Inversion'; then if echo "$ret_sys_interface_check_fullmsg" | grep -q 'Mitigation: PTE Inversion'; then
pstatus green YES pstatus green YES
@@ -51,7 +51,7 @@ check_CVE_2018_3620_linux() {
pteinv_active=-1 pteinv_active=-1
fi fi
else else
pstatus blue N/A "not testable in offline mode" pstatus blue N/A "not testable in no-runtime mode"
fi fi
elif [ "$sys_interface_available" = 0 ]; then elif [ "$sys_interface_available" = 0 ]; then
# we have no sysfs but were asked to use it only! # we have no sysfs but were asked to use it only!
@@ -66,7 +66,7 @@ check_CVE_2018_3620_linux() {
# if msg is empty, sysfs check didn't fill it, rely on our own test # if msg is empty, sysfs check didn't fill it, rely on our own test
if [ "$opt_sysfs_only" != 1 ]; then if [ "$opt_sysfs_only" != 1 ]; then
if [ "$pteinv_supported" = 1 ]; then if [ "$pteinv_supported" = 1 ]; then
if [ "$pteinv_active" = 1 ] || [ "$opt_live" != 1 ]; then if [ "$pteinv_active" = 1 ] || [ "$opt_runtime" != 1 ]; then
pvulnstatus "$cve" OK "PTE inversion mitigates the vulnerability" pvulnstatus "$cve" OK "PTE inversion mitigates the vulnerability"
else else
pvulnstatus "$cve" VULN "Your kernel supports PTE inversion but it doesn't seem to be enabled" pvulnstatus "$cve" VULN "Your kernel supports PTE inversion but it doesn't seem to be enabled"

6
src/vulns/CVE-2018-3639.sh
View File

@@ -18,7 +18,7 @@ check_CVE_2018_3639_linux() {
fi fi
if [ "$opt_sysfs_only" != 1 ]; then if [ "$opt_sysfs_only" != 1 ]; then
pr_info_nol "* Kernel supports disabling speculative store bypass (SSB): " pr_info_nol "* Kernel supports disabling speculative store bypass (SSB): "
if [ "$opt_live" = 1 ]; then if [ "$opt_runtime" = 1 ]; then
if grep -Eq 'Speculation.?Store.?Bypass:' "$g_procfs/self/status" 2>/dev/null; then if grep -Eq 'Speculation.?Store.?Bypass:' "$g_procfs/self/status" 2>/dev/null; then
kernel_ssb="found in $g_procfs/self/status" kernel_ssb="found in $g_procfs/self/status"
pr_debug "found Speculation.Store.Bypass: in $g_procfs/self/status" pr_debug "found Speculation.Store.Bypass: in $g_procfs/self/status"
@@ -57,7 +57,7 @@ check_CVE_2018_3639_linux() {
fi fi
kernel_ssbd_enabled=-1 kernel_ssbd_enabled=-1
if [ "$opt_live" = 1 ]; then if [ "$opt_runtime" = 1 ]; then
# https://elixir.bootlin.com/linux/v5.0/source/fs/proc/array.c#L340 # https://elixir.bootlin.com/linux/v5.0/source/fs/proc/array.c#L340
pr_info_nol "* SSB mitigation is enabled and active: " pr_info_nol "* SSB mitigation is enabled and active: "
if grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$g_procfs/self/status" 2>/dev/null; then if grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$g_procfs/self/status" 2>/dev/null; then
@@ -106,7 +106,7 @@ check_CVE_2018_3639_linux() {
# if msg is empty, sysfs check didn't fill it, rely on our own test # if msg is empty, sysfs check didn't fill it, rely on our own test
if [ -n "$cap_ssbd" ]; then if [ -n "$cap_ssbd" ]; then
if [ -n "$kernel_ssb" ]; then if [ -n "$kernel_ssb" ]; then
if [ "$opt_live" = 1 ]; then if [ "$opt_runtime" = 1 ]; then
if [ "$kernel_ssbd_enabled" -gt 0 ]; then if [ "$kernel_ssbd_enabled" -gt 0 ]; then
pvulnstatus "$cve" OK "your CPU and kernel both support SSBD and mitigation is enabled" pvulnstatus "$cve" OK "your CPU and kernel both support SSBD and mitigation is enabled"
else else

2
src/vulns/CVE-2018-3640.sh
View File

@@ -11,7 +11,7 @@ check_CVE_2018_3640() {
sys_interface_available=0 sys_interface_available=0
msg='' msg=''
# Detect whether the target kernel is ARM64, for both live and offline modes. # Detect whether the target kernel is ARM64, for both live and no-runtime modes.
# In offline cross-inspection (x86 host, ARM kernel), cpu_vendor reflects the host, # In offline cross-inspection (x86 host, ARM kernel), cpu_vendor reflects the host,
# so also check for arm64_sys_ symbols (same pattern used in CVE-2018-3639). # so also check for arm64_sys_ symbols (same pattern used in CVE-2018-3639).
is_arm64_kernel=0 is_arm64_kernel=0

14
src/vulns/CVE-2018-3646.sh
View File

@@ -69,7 +69,7 @@ check_CVE_2018_3646_linux() {
pr_info "* Mitigation 1 (KVM)" pr_info "* Mitigation 1 (KVM)"
pr_info_nol " * EPT is disabled: " pr_info_nol " * EPT is disabled: "
ept_disabled=-1 ept_disabled=-1
if [ "$opt_live" = 1 ]; then if [ "$opt_runtime" = 1 ]; then
if ! [ -r "$SYS_MODULE_BASE/kvm_intel/parameters/ept" ]; then if ! [ -r "$SYS_MODULE_BASE/kvm_intel/parameters/ept" ]; then
pstatus blue N/A "the kvm_intel module is not loaded" pstatus blue N/A "the kvm_intel module is not loaded"
elif [ "$(cat "$SYS_MODULE_BASE/kvm_intel/parameters/ept")" = N ]; then elif [ "$(cat "$SYS_MODULE_BASE/kvm_intel/parameters/ept")" = N ]; then
@@ -79,12 +79,12 @@ check_CVE_2018_3646_linux() {
pstatus yellow NO pstatus yellow NO
fi fi
else else
pstatus blue N/A "not testable in offline mode" pstatus blue N/A "not testable in no-runtime mode"
fi fi
pr_info "* Mitigation 2" pr_info "* Mitigation 2"
pr_info_nol " * L1D flush is supported by kernel: " pr_info_nol " * L1D flush is supported by kernel: "
if [ "$opt_live" = 1 ] && grep -qw flush_l1d "$g_procfs/cpuinfo"; then if [ "$opt_runtime" = 1 ] && grep -qw flush_l1d "$g_procfs/cpuinfo"; then
l1d_kernel="found flush_l1d in $g_procfs/cpuinfo" l1d_kernel="found flush_l1d in $g_procfs/cpuinfo"
fi fi
if [ -z "$l1d_kernel" ]; then if [ -z "$l1d_kernel" ]; then
@@ -106,7 +106,7 @@ check_CVE_2018_3646_linux() {
fi fi
pr_info_nol " * L1D flush enabled: " pr_info_nol " * L1D flush enabled: "
if [ "$opt_live" = 1 ]; then if [ "$opt_runtime" = 1 ]; then
if [ -n "$ret_sys_interface_check_fullmsg" ]; then if [ -n "$ret_sys_interface_check_fullmsg" ]; then
# vanilla: VMX: $l1dstatus, SMT $smtstatus # vanilla: VMX: $l1dstatus, SMT $smtstatus
# Red Hat: VMX: SMT $smtstatus, L1D $l1dstatus # Red Hat: VMX: SMT $smtstatus, L1D $l1dstatus
@@ -152,18 +152,18 @@ check_CVE_2018_3646_linux() {
fi fi
else else
l1d_mode=-1 l1d_mode=-1
pstatus blue N/A "not testable in offline mode" pstatus blue N/A "not testable in no-runtime mode"
fi fi
pr_info_nol " * Hardware-backed L1D flush supported: " pr_info_nol " * Hardware-backed L1D flush supported: "
if [ "$opt_live" = 1 ]; then if [ "$opt_runtime" = 1 ]; then
if grep -qw flush_l1d "$g_procfs/cpuinfo" || [ -n "$l1d_xen_hardware" ]; then if grep -qw flush_l1d "$g_procfs/cpuinfo" || [ -n "$l1d_xen_hardware" ]; then
pstatus green YES "performance impact of the mitigation will be greatly reduced" pstatus green YES "performance impact of the mitigation will be greatly reduced"
else else
pstatus blue NO "flush will be done in software, this is slower" pstatus blue NO "flush will be done in software, this is slower"
fi fi
else else
pstatus blue N/A "not testable in offline mode" pstatus blue N/A "not testable in no-runtime mode"
fi fi
pr_info_nol " * Hyper-Threading (SMT) is enabled: " pr_info_nol " * Hyper-Threading (SMT) is enabled: "

6
src/vulns/CVE-2019-11135.sh
View File

@@ -33,7 +33,7 @@ check_CVE_2019_11135_linux() {
fi fi
pr_info_nol "* TAA mitigation enabled and active: " pr_info_nol "* TAA mitigation enabled and active: "
if [ "$opt_live" = 1 ]; then if [ "$opt_runtime" = 1 ]; then
if [ -n "$ret_sys_interface_check_fullmsg" ]; then if [ -n "$ret_sys_interface_check_fullmsg" ]; then
if echo "$ret_sys_interface_check_fullmsg" | grep -qE '^Mitigation'; then if echo "$ret_sys_interface_check_fullmsg" | grep -qE '^Mitigation'; then
pstatus green YES "$ret_sys_interface_check_fullmsg" pstatus green YES "$ret_sys_interface_check_fullmsg"
@@ -44,7 +44,7 @@ check_CVE_2019_11135_linux() {
pstatus yellow NO "tsx_async_abort not found in sysfs hierarchy" pstatus yellow NO "tsx_async_abort not found in sysfs hierarchy"
fi fi
else else
pstatus blue N/A "not testable in offline mode" pstatus blue N/A "not testable in no-runtime mode"
fi fi
elif [ "$sys_interface_available" = 0 ]; then elif [ "$sys_interface_available" = 0 ]; then
# we have no sysfs but were asked to use it only! # we have no sysfs but were asked to use it only!
@@ -57,7 +57,7 @@ check_CVE_2019_11135_linux() {
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected" pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
elif [ -z "$msg" ]; then elif [ -z "$msg" ]; then
# if msg is empty, sysfs check didn't fill it, rely on our own test # if msg is empty, sysfs check didn't fill it, rely on our own test
if [ "$opt_live" = 1 ]; then if [ "$opt_runtime" = 1 ]; then
# if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old # if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old
pvulnstatus "$cve" VULN "Your kernel doesn't support TAA mitigation, update it" pvulnstatus "$cve" VULN "Your kernel doesn't support TAA mitigation, update it"
else else

8
src/vulns/CVE-2020-0543.sh
View File

@@ -32,7 +32,7 @@ check_CVE_2020_0543_linux() {
pstatus yellow NO pstatus yellow NO
fi fi
pr_info_nol "* SRBDS mitigation control is enabled and active: " pr_info_nol "* SRBDS mitigation control is enabled and active: "
if [ "$opt_live" = 1 ]; then if [ "$opt_runtime" = 1 ]; then
if [ -n "$ret_sys_interface_check_fullmsg" ]; then if [ -n "$ret_sys_interface_check_fullmsg" ]; then
if echo "$ret_sys_interface_check_fullmsg" | grep -qE '^Mitigation'; then if echo "$ret_sys_interface_check_fullmsg" | grep -qE '^Mitigation'; then
pstatus green YES "$ret_sys_interface_check_fullmsg" pstatus green YES "$ret_sys_interface_check_fullmsg"
@@ -43,7 +43,7 @@ check_CVE_2020_0543_linux() {
pstatus yellow NO "SRBDS not found in sysfs hierarchy" pstatus yellow NO "SRBDS not found in sysfs hierarchy"
fi fi
else else
pstatus blue N/A "not testable in offline mode" pstatus blue N/A "not testable in no-runtime mode"
fi fi
elif [ "$sys_interface_available" = 0 ]; then elif [ "$sys_interface_available" = 0 ]; then
# we have no sysfs but were asked to use it only! # we have no sysfs but were asked to use it only!
@@ -61,7 +61,7 @@ check_CVE_2020_0543_linux() {
# SRBDS mitigation control is enabled # SRBDS mitigation control is enabled
if [ -z "$msg" ]; then if [ -z "$msg" ]; then
# if msg is empty, sysfs check didn't fill it, rely on our own test # if msg is empty, sysfs check didn't fill it, rely on our own test
if [ "$opt_live" = 1 ]; then if [ "$opt_runtime" = 1 ]; then
# if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old # if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old
pvulnstatus "$cve" OK "Your microcode is up to date for SRBDS mitigation control. The kernel needs to be updated" pvulnstatus "$cve" OK "Your microcode is up to date for SRBDS mitigation control. The kernel needs to be updated"
fi fi
@@ -75,7 +75,7 @@ check_CVE_2020_0543_linux() {
elif [ "$cap_srbds_on" = 0 ]; then elif [ "$cap_srbds_on" = 0 ]; then
# SRBDS mitigation control is disabled # SRBDS mitigation control is disabled
if [ -z "$msg" ]; then if [ -z "$msg" ]; then
if [ "$opt_live" = 1 ]; then if [ "$opt_runtime" = 1 ]; then
# if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old # if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old
pvulnstatus "$cve" VULN "Your microcode is up to date for SRBDS mitigation control. The kernel needs to be updated. Mitigation is disabled" pvulnstatus "$cve" VULN "Your microcode is up to date for SRBDS mitigation control. The kernel needs to be updated. Mitigation is disabled"
fi fi

6
src/vulns/CVE-2022-29900.sh
View File

@@ -174,14 +174,14 @@ check_CVE_2022_29900_linux() {
# Zen/Zen+/Zen2: check IBPB microcode support and SMT # Zen/Zen+/Zen2: check IBPB microcode support and SMT
if [ "$cpu_family" = $((0x17)) ]; then if [ "$cpu_family" = $((0x17)) ]; then
pr_info_nol "* CPU supports IBPB: " pr_info_nol "* CPU supports IBPB: "
if [ "$opt_live" = 1 ]; then if [ "$opt_runtime" = 1 ]; then
if [ -n "$cap_ibpb" ]; then if [ -n "$cap_ibpb" ]; then
pstatus green YES "$cap_ibpb" pstatus green YES "$cap_ibpb"
else else
pstatus yellow NO pstatus yellow NO
fi fi
else else
pstatus blue N/A "not testable in offline mode" pstatus blue N/A "not testable in no-runtime mode"
fi fi
pr_info_nol "* Hyper-Threading (SMT) is enabled: " pr_info_nol "* Hyper-Threading (SMT) is enabled: "
@@ -217,7 +217,7 @@ check_CVE_2022_29900_linux() {
"doesn't fully protect cross-thread speculation." "doesn't fully protect cross-thread speculation."
elif [ -z "$kernel_unret" ] && [ -z "$kernel_ibpb_entry" ]; then elif [ -z "$kernel_unret" ] && [ -z "$kernel_ibpb_entry" ]; then
pvulnstatus "$cve" VULN "Your kernel doesn't have either UNRET_ENTRY or IBPB_ENTRY compiled-in" pvulnstatus "$cve" VULN "Your kernel doesn't have either UNRET_ENTRY or IBPB_ENTRY compiled-in"
elif [ "$smt_enabled" = 0 ] && [ -z "$cap_ibpb" ] && [ "$opt_live" = 1 ]; then elif [ "$smt_enabled" = 0 ] && [ -z "$cap_ibpb" ] && [ "$opt_runtime" = 1 ]; then
pvulnstatus "$cve" VULN "SMT is enabled and your microcode doesn't support IBPB" pvulnstatus "$cve" VULN "SMT is enabled and your microcode doesn't support IBPB"
explain "Update your CPU microcode to get IBPB support, or disable SMT by adding\n" \ explain "Update your CPU microcode to get IBPB support, or disable SMT by adding\n" \
"\`nosmt\` to your kernel command line." "\`nosmt\` to your kernel command line."

8
src/vulns/CVE-2022-29901.sh
View File

@@ -84,7 +84,7 @@ check_CVE_2022_29901_linux() {
fi fi
pr_info_nol "* CPU supports Enhanced IBRS (IBRS_ALL): " pr_info_nol "* CPU supports Enhanced IBRS (IBRS_ALL): "
if [ "$opt_live" = 1 ] || [ "$cap_ibrs_all" != -1 ]; then if [ "$opt_runtime" = 1 ] || [ "$cap_ibrs_all" != -1 ]; then
if [ "$cap_ibrs_all" = 1 ]; then if [ "$cap_ibrs_all" = 1 ]; then
pstatus green YES pstatus green YES
elif [ "$cap_ibrs_all" = 0 ]; then elif [ "$cap_ibrs_all" = 0 ]; then
@@ -93,11 +93,11 @@ check_CVE_2022_29901_linux() {
pstatus yellow UNKNOWN pstatus yellow UNKNOWN
fi fi
else else
pstatus blue N/A "not testable in offline mode" pstatus blue N/A "not testable in no-runtime mode"
fi fi
pr_info_nol "* CPU has RSB Alternate Behavior (RSBA): " pr_info_nol "* CPU has RSB Alternate Behavior (RSBA): "
if [ "$opt_live" = 1 ] || [ "$cap_rsba" != -1 ]; then if [ "$opt_runtime" = 1 ] || [ "$cap_rsba" != -1 ]; then
if [ "$cap_rsba" = 1 ]; then if [ "$cap_rsba" = 1 ]; then
pstatus yellow YES "this CPU is affected by RSB underflow" pstatus yellow YES "this CPU is affected by RSB underflow"
elif [ "$cap_rsba" = 0 ]; then elif [ "$cap_rsba" = 0 ]; then
@@ -106,7 +106,7 @@ check_CVE_2022_29901_linux() {
pstatus yellow UNKNOWN pstatus yellow UNKNOWN
fi fi
else else
pstatus blue N/A "not testable in offline mode" pstatus blue N/A "not testable in no-runtime mode"
fi fi
elif [ "$sys_interface_available" = 0 ]; then elif [ "$sys_interface_available" = 0 ]; then

4
src/vulns/CVE-2022-40982.sh
View File

@@ -145,7 +145,7 @@ check_CVE_2022_40982_linux() {
if [ -n "$kernel_gds" ]; then if [ -n "$kernel_gds" ]; then
pr_info_nol "* Kernel has disabled AVX as a mitigation: " pr_info_nol "* Kernel has disabled AVX as a mitigation: "
if [ "$opt_live" = 1 ]; then if [ "$opt_runtime" = 1 ]; then
# Check dmesg message to see whether AVX has been disabled # Check dmesg message to see whether AVX has been disabled
dmesg_grep 'Microcode update needed! Disabling AVX as mitigation' dmesg_grep 'Microcode update needed! Disabling AVX as mitigation'
dmesgret=$? dmesgret=$?
@@ -172,7 +172,7 @@ check_CVE_2022_40982_linux() {
pstatus yellow NO "AVX support is enabled" pstatus yellow NO "AVX support is enabled"
fi fi
else else
pstatus blue N/A "not testable in offline mode" pstatus blue N/A "not testable in no-runtime mode"
fi fi
fi fi

8
src/vulns/CVE-2023-20588.sh
View File

@@ -101,7 +101,7 @@ check_CVE_2023_20588_linux() {
pr_info_nol "* DIV0 mitigation enabled and active: " pr_info_nol "* DIV0 mitigation enabled and active: "
cpuinfo_div0='' cpuinfo_div0=''
dmesg_div0='' dmesg_div0=''
if [ "$opt_live" = 1 ]; then if [ "$opt_runtime" = 1 ]; then
if [ -e "$g_procfs/cpuinfo" ] && grep -qw 'div0' "$g_procfs/cpuinfo" 2>/dev/null; then if [ -e "$g_procfs/cpuinfo" ] && grep -qw 'div0' "$g_procfs/cpuinfo" 2>/dev/null; then
cpuinfo_div0=1 cpuinfo_div0=1
pstatus green YES "div0 found in $g_procfs/cpuinfo bug flags" pstatus green YES "div0 found in $g_procfs/cpuinfo bug flags"
@@ -119,7 +119,7 @@ check_CVE_2023_20588_linux() {
fi fi
fi fi
else else
pstatus blue N/A "not testable in offline mode" pstatus blue N/A "not testable in no-runtime mode"
fi fi
pr_info_nol "* SMT (Simultaneous Multi-Threading) status: " pr_info_nol "* SMT (Simultaneous Multi-Threading) status: "
@@ -133,7 +133,7 @@ check_CVE_2023_20588_linux() {
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected" pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
elif [ -z "$msg" ]; then elif [ -z "$msg" ]; then
if [ "$opt_sysfs_only" != 1 ]; then if [ "$opt_sysfs_only" != 1 ]; then
if [ "$opt_live" = 1 ]; then if [ "$opt_runtime" = 1 ]; then
# live mode: cpuinfo div0 flag is the strongest proof the mitigation is active # live mode: cpuinfo div0 flag is the strongest proof the mitigation is active
if [ "$cpuinfo_div0" = 1 ] || [ "$dmesg_div0" = 1 ]; then if [ "$cpuinfo_div0" = 1 ] || [ "$dmesg_div0" = 1 ]; then
_cve_2023_20588_pvulnstatus_smt _cve_2023_20588_pvulnstatus_smt
@@ -145,7 +145,7 @@ check_CVE_2023_20588_linux() {
_cve_2023_20588_pvulnstatus_no_kernel _cve_2023_20588_pvulnstatus_no_kernel
fi fi
else else
# offline mode: only kernel image / System.map evidence is available # no-runtime mode: only kernel image / System.map evidence is available
if [ -n "$kernel_mitigated" ]; then if [ -n "$kernel_mitigated" ]; then
pvulnstatus "$cve" OK "Mitigation: amd_clear_divider found in kernel image" pvulnstatus "$cve" OK "Mitigation: amd_clear_divider found in kernel image"
else else

6
src/vulns/CVE-2023-20593.sh
View File

@@ -28,7 +28,7 @@ check_CVE_2023_20593_linux() {
pstatus yellow NO pstatus yellow NO
fi fi
pr_info_nol "* Zenbleed kernel mitigation enabled and active: " pr_info_nol "* Zenbleed kernel mitigation enabled and active: "
if [ "$opt_live" = 1 ]; then if [ "$opt_runtime" = 1 ]; then
# read the DE_CFG MSR, we want to check the 9th bit # read the DE_CFG MSR, we want to check the 9th bit
# don't do it on non-Zen2 AMD CPUs or later, aka Family 17h, # don't do it on non-Zen2 AMD CPUs or later, aka Family 17h,
# as the behavior could be unknown on others # as the behavior could be unknown on others
@@ -53,7 +53,7 @@ check_CVE_2023_20593_linux() {
pstatus blue N/A "CPU is incompatible" pstatus blue N/A "CPU is incompatible"
fi fi
else else
pstatus blue N/A "not testable in offline mode" pstatus blue N/A "not testable in no-runtime mode"
fi fi
pr_info_nol "* Zenbleed mitigation is supported by CPU microcode: " pr_info_nol "* Zenbleed mitigation is supported by CPU microcode: "
@@ -82,7 +82,7 @@ check_CVE_2023_20593_linux() {
elif [ -z "$msg" ]; then elif [ -z "$msg" ]; then
# if msg is empty, sysfs check didn't fill it, rely on our own test # if msg is empty, sysfs check didn't fill it, rely on our own test
zenbleed_print_vuln=0 zenbleed_print_vuln=0
if [ "$opt_live" = 1 ]; then if [ "$opt_runtime" = 1 ]; then
if [ "$fp_backup_fix" = 1 ] && [ "$ucode_zenbleed" = 1 ]; then if [ "$fp_backup_fix" = 1 ] && [ "$ucode_zenbleed" = 1 ]; then
# this should never happen, but if it does, it's interesting to know # this should never happen, but if it does, it's interesting to know
pvulnstatus "$cve" OK "Both your CPU microcode and kernel are mitigating Zenbleed" pvulnstatus "$cve" OK "Both your CPU microcode and kernel are mitigating Zenbleed"

4
src/vulns/CVE-2023-28746.sh
View File

@@ -106,7 +106,7 @@ check_CVE_2023_28746_linux() {
pstatus yellow NO pstatus yellow NO
fi fi
if [ "$opt_live" = 1 ] && [ "$sys_interface_available" = 1 ]; then if [ "$opt_runtime" = 1 ] && [ "$sys_interface_available" = 1 ]; then
pr_info_nol "* RFDS mitigation is enabled and active: " pr_info_nol "* RFDS mitigation is enabled and active: "
if echo "$ret_sys_interface_check_fullmsg" | grep -qi '^Mitigation'; then if echo "$ret_sys_interface_check_fullmsg" | grep -qi '^Mitigation'; then
rfds_mitigated=1 rfds_mitigated=1
@@ -129,7 +129,7 @@ check_CVE_2023_28746_linux() {
if [ "$opt_sysfs_only" != 1 ]; then if [ "$opt_sysfs_only" != 1 ]; then
if [ "$cap_rfds_clear" = 1 ]; then if [ "$cap_rfds_clear" = 1 ]; then
if [ -n "$kernel_rfds" ]; then if [ -n "$kernel_rfds" ]; then
if [ "$opt_live" = 1 ]; then if [ "$opt_runtime" = 1 ]; then
if [ "$rfds_mitigated" = 1 ]; then if [ "$rfds_mitigated" = 1 ]; then
pvulnstatus "$cve" OK "Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled" pvulnstatus "$cve" OK "Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled"
else else