From bfa4de96e6527776436b931d97a935d92411391d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?=
Date: Sun, 21 Apr 2019 14:03:48 +0200
Subject: [PATCH] enh(l1tf): in paranoid mode, assume we're running a hypervisor unless stated otherwise

This change ensures we check for SMT and advise the user to disable it for maximum security. Doing this, we'll help users mitigate a whole range of vulnerabilities taking advantage of SMT to attack purely from userland other userland processes, as seen in CVE-2018-5407 (also see #261)
---
 spectre-meltdown-checker.sh | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
index 6af210d..7c6df13 100755
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
@@ -3835,7 +3835,12 @@ check_CVE_2018_3646_linux()
 if [ "$opt_sysfs_only" != 1 ]; then
 _info_nol "* This system is a host running a hypervisor: "
 has_vmm=$opt_vmm
- if [ "$has_vmm" = -1 ]; then
+ if [ "$has_vmm" = -1 ] && [ "$opt_paranoid" = 1 ]; then
+ # In paranoid mode, if --vmm was not specified on the command-line,
+ # we want to be secure before everything else, so assume we're running
+ # a hypervisor, as this requires more mitigations
+ has_vmm=2
+ elif [ "$has_vmm" = -1 ]; then
 # Assumed to be running on bare metal unless evidence of vm is found.
 has_vmm=0
 # test for presence of hypervisor flag - definitive if set
@@ -3878,6 +3883,8 @@ check_CVE_2018_3646_linux()
 else
 if [ "$opt_vmm" != -1 ]; then
 pstatus blue YES "forced from command line"
+ elif [ "$has_vmm" = 2 ]; then
+ pstatus blue YES "paranoid mode"
 else
 pstatus blue YES
 fi
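Review bot: `has_vmm=2` introduces a third value for a variable that the surrounding code treats as a yes/no (the bare-metal branch sets it to 0 and, as the second hunk's "forced from command line" arm shows, 1 is the "yes" value), and nothing in this hunk documents that the new value means "assumed, not detected". Any consumer later in check_CVE_2018_3646_linux that tests `[ "$has_vmm" = 1 ]` rather than `!= 0` would silently treat the paranoid assumption as "no hypervisor", which is the opposite of what the commit intends; I cannot see those consumers from the hunk, so this is worth grepping for before merge. I would also state the contract next to the assignment: `# has_vmm: 0 = bare metal, 1 = hypervisor detected/forced, 2 = hypervisor assumed (paranoid mode); callers must test for != 0, not = 1`. Note that the paranoid branch also skips the hypervisor-flag detection that the `elif` branch goes on to perform, which is fine for the mitigation advice but means a paranoid run never reports what was actually detected. The enclosing `if [ "$opt_sysfs_only" != 1 ]` block continues past the end of the hunk.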
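Review bot: The new `pstatus blue YES "paranoid mode"` arm prints the same YES verdict as the detected and forced cases, so a user reading the report cannot tell that no hypervisor was actually found and that the SMT advice that follows rests on an assumption. Since the sibling arm already explains its provenance ("forced from command line"), this one should do the same and point at the override: `pstatus blue YES "assumed in paranoid mode, override with --vmm"`. The `if [ "$has_vmm" = 0 ]` half of this if/else, and the surrounding block, lie outside the hunk.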