enh(l1tf): in paranoid mode, assume we're running a hypervisor unless stated otherwise

This change ensures we check for SMT and advise the user to disable it for maximum security. Doing this, we'll help users mitigate a whole range of vulnerabilities taking advantage of SMT to attack purely from userland other userland processes, as seen in CVE-2018-5407 (also see #261)
2024-12-05 02:38:04 +01:00 · 2019-04-21 14:03:48 +02:00 · 2019-04-21 14:03:48 +02:00 · bfa4de96e6
commit bfa4de96e6
parent b022b27a51
1 changed files with 8 additions and 1 deletions
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
@ -3835,7 +3835,12 @@ check_CVE_2018_3646_linux()
 	if [ "$opt_sysfs_only" != 1 ]; then
 		_info_nol "* This system is a host running a hypervisor: "
 		has_vmm=$opt_vmm
-		if [ "$has_vmm" = -1 ]; then
+		if [ "$has_vmm" = -1 ] && [ "$opt_paranoid" = 1 ]; then
+			# In paranoid mode, if --vmm was not specified on the command-line,
+			# we want to be secure before everything else, so assume we're running
+			# a hypervisor, as this requires more mitigations
+			has_vmm=2
+		elif [ "$has_vmm" = -1 ]; then
 			# Assumed to be running on bare metal unless evidence of vm is found.
 			has_vmm=0
 			# test for presence of hypervisor flag - definitive if set
@ -3878,6 +3883,8 @@ check_CVE_2018_3646_linux()
 		else
 			if [ "$opt_vmm" != -1 ]; then
 				pstatus blue YES "forced from command line"
+			elif [ "$has_vmm" = 2 ]; then
+				pstatus blue YES "paranoid mode"
 			else
 				pstatus blue YES
 			fi