add some debug
This commit is contained in:
Stéphane Lesimple
parent
6a0242eea3
commit
bfe5a3b840
|
|
@ -144,7 +144,7 @@ _verbose()
|
||||||
|
|
||||||
_debug()
|
_debug()
|
||||||
{
|
{
|
||||||
_echo 3 "(debug) $@"
|
_echo 3 "\033[34m(debug) $@\033[0m"
|
||||||
}
|
}
|
||||||
|
|
||||||
is_cpu_vulnerable()
|
is_cpu_vulnerable()
|
||||||
|
|
@ -574,6 +574,7 @@ sys_interface_check()
|
||||||
pstatus yellow UNKNOWN "unknown value reported by kernel"
|
pstatus yellow UNKNOWN "unknown value reported by kernel"
|
||||||
fi
|
fi
|
||||||
msg=$(cat "$1")
|
msg=$(cat "$1")
|
||||||
|
_debug "sys_interface_check: $1=$msg"
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -650,6 +651,7 @@ check_variant2()
|
||||||
if [ ! -e /dev/cpu/0/msr ]; then
|
if [ ! -e /dev/cpu/0/msr ]; then
|
||||||
# try to load the module ourselves (and remember it so we can rmmod it afterwards)
|
# try to load the module ourselves (and remember it so we can rmmod it afterwards)
|
||||||
modprobe msr 2>/dev/null && insmod_msr=1
|
modprobe msr 2>/dev/null && insmod_msr=1
|
||||||
|
_debug "attempted to load module msr, ret=$insmod_msr"
|
||||||
fi
|
fi
|
||||||
if [ ! -e /dev/cpu/0/msr ]; then
|
if [ ! -e /dev/cpu/0/msr ]; then
|
||||||
pstatus yellow UNKNOWN "couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?"
|
pstatus yellow UNKNOWN "couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?"
|
||||||
|
|
@ -668,6 +670,7 @@ check_variant2()
|
||||||
if [ "$insmod_msr" = 1 ]; then
|
if [ "$insmod_msr" = 1 ]; then
|
||||||
# if we used modprobe ourselves, rmmod the module
|
# if we used modprobe ourselves, rmmod the module
|
||||||
rmmod msr 2>/dev/null
|
rmmod msr 2>/dev/null
|
||||||
|
_debug "attempted to unload module msr, ret=$?"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
_info_nol "* Kernel support for IBRS: "
|
_info_nol "* Kernel support for IBRS: "
|
||||||
|
|
@ -685,7 +688,10 @@ check_variant2()
|
||||||
pstatus green YES
|
pstatus green YES
|
||||||
ibrs_supported=1
|
ibrs_supported=1
|
||||||
ibrs_enabled=$(cat "$ibrs_file" 2>/dev/null)
|
ibrs_enabled=$(cat "$ibrs_file" 2>/dev/null)
|
||||||
|
_debug "ibrs: found $ibrs_file=$ibrs_enabled"
|
||||||
break
|
break
|
||||||
|
else
|
||||||
|
_debug "ibrs: file $ibrs_file doesn't exist"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
|
@ -693,6 +699,7 @@ check_variant2()
|
||||||
if grep -q spec_ctrl "$opt_map"; then
|
if grep -q spec_ctrl "$opt_map"; then
|
||||||
pstatus green YES
|
pstatus green YES
|
||||||
ibrs_supported=1
|
ibrs_supported=1
|
||||||
|
_debug "ibrs: found '*spec_ctrl*' symbol in $opt_map"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
if [ "$ibrs_supported" != 1 ]; then
|
if [ "$ibrs_supported" != 1 ]; then
|
||||||
|
|
@ -733,6 +740,7 @@ check_variant2()
|
||||||
if grep -q '^CONFIG_RETPOLINE=y' "$opt_config"; then
|
if grep -q '^CONFIG_RETPOLINE=y' "$opt_config"; then
|
||||||
pstatus green YES
|
pstatus green YES
|
||||||
retpoline=1
|
retpoline=1
|
||||||
|
_debug "retpoline: found "$(grep '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config"
|
||||||
else
|
else
|
||||||
pstatus red NO
|
pstatus red NO
|
||||||
fi
|
fi
|
||||||
|
|
@ -822,6 +830,7 @@ check_variant3()
|
||||||
if [ -n "$opt_config" ]; then
|
if [ -n "$opt_config" ]; then
|
||||||
kpti_can_tell=1
|
kpti_can_tell=1
|
||||||
if grep -Eq '^(CONFIG_PAGE_TABLE_ISOLATION|CONFIG_KAISER)=y' "$opt_config"; then
|
if grep -Eq '^(CONFIG_PAGE_TABLE_ISOLATION|CONFIG_KAISER)=y' "$opt_config"; then
|
||||||
|
_debug "kpti_support: found option "$(grep -E '^(CONFIG_PAGE_TABLE_ISOLATION|CONFIG_KAISER)=y' "$opt_config")" in $opt_config"
|
||||||
kpti_support=1
|
kpti_support=1
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
@ -830,6 +839,7 @@ check_variant3()
|
||||||
# so we try to find an exported symbol that is part of the PTI patch in System.map
|
# so we try to find an exported symbol that is part of the PTI patch in System.map
|
||||||
kpti_can_tell=1
|
kpti_can_tell=1
|
||||||
if grep -qw kpti_force_enabled "$opt_map"; then
|
if grep -qw kpti_force_enabled "$opt_map"; then
|
||||||
|
_debug "kpti_support: found kpti_force_enabled in $opt_map"
|
||||||
kpti_support=1
|
kpti_support=1
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
@ -841,6 +851,7 @@ check_variant3()
|
||||||
pstatus yellow UNKNOWN "missing 'strings' tool, please install it, usually it's in the binutils package"
|
pstatus yellow UNKNOWN "missing 'strings' tool, please install it, usually it's in the binutils package"
|
||||||
else
|
else
|
||||||
if strings "$vmlinux" | grep -qw nopti; then
|
if strings "$vmlinux" | grep -qw nopti; then
|
||||||
|
_debug "kpti_support: found nopti string in $vmlinux"
|
||||||
kpti_support=1
|
kpti_support=1
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
@ -862,20 +873,26 @@ check_variant3()
|
||||||
dmesg_grep="$dmesg_grep|x86/pti: Unmapping kernel while in userspace"
|
dmesg_grep="$dmesg_grep|x86/pti: Unmapping kernel while in userspace"
|
||||||
if grep ^flags /proc/cpuinfo | grep -qw pti; then
|
if grep ^flags /proc/cpuinfo | grep -qw pti; then
|
||||||
# vanilla PTI patch sets the 'pti' flag in cpuinfo
|
# vanilla PTI patch sets the 'pti' flag in cpuinfo
|
||||||
|
_debug "kpti_enabled: found 'pti' flag in /proc/cpuinfo"
|
||||||
kpti_enabled=1
|
kpti_enabled=1
|
||||||
elif grep ^flags /proc/cpuinfo | grep -qw kaiser; then
|
elif grep ^flags /proc/cpuinfo | grep -qw kaiser; then
|
||||||
# kernel line 4.9 sets the 'kaiser' flag in cpuinfo
|
# kernel line 4.9 sets the 'kaiser' flag in cpuinfo
|
||||||
|
_debug "kpti_enabled: found 'kaiser' flag in /proc/cpuinfo"
|
||||||
kpti_enabled=1
|
kpti_enabled=1
|
||||||
elif [ -e /sys/kernel/debug/x86/pti_enabled ]; then
|
elif [ -e /sys/kernel/debug/x86/pti_enabled ]; then
|
||||||
# RedHat Backport creates a dedicated file, see https://access.redhat.com/articles/3311301
|
# RedHat Backport creates a dedicated file, see https://access.redhat.com/articles/3311301
|
||||||
kpti_enabled=$(cat /sys/kernel/debug/x86/pti_enabled 2>/dev/null)
|
kpti_enabled=$(cat /sys/kernel/debug/x86/pti_enabled 2>/dev/null)
|
||||||
|
_debug "kpti_enabled: file /sys/kernel/debug/x86/pti_enabled exists and says: $kpti_enabled"
|
||||||
elif dmesg | grep -Eq "$dmesg_grep"; then
|
elif dmesg | grep -Eq "$dmesg_grep"; then
|
||||||
# if we can't find the flag, grep dmesg output
|
# if we can't find the flag, grep dmesg output
|
||||||
|
_debug "kpti_enabled: found hint in dmesg: "$(dmesg | grep -E "$dmesg_grep")
|
||||||
kpti_enabled=1
|
kpti_enabled=1
|
||||||
elif [ -r /var/log/dmesg ] && grep -Eq "$dmesg_grep" /var/log/dmesg; then
|
elif [ -r /var/log/dmesg ] && grep -Eq "$dmesg_grep" /var/log/dmesg; then
|
||||||
# if we can't find the flag in dmesg output, grep in /var/log/dmesg when readable
|
# if we can't find the flag in dmesg output, grep in /var/log/dmesg when readable
|
||||||
|
_debug "kpti_enabled: found hint in /var/log/dmesg: "$(grep -E "$dmesg_grep" /var/log/dmesg)
|
||||||
kpti_enabled=1
|
kpti_enabled=1
|
||||||
else
|
else
|
||||||
|
_debug "kpti_enabled: couldn't find any hint that PTI is enabled"
|
||||||
kpti_enabled=0
|
kpti_enabled=0
|
||||||
fi
|
fi
|
||||||
if [ "$kpti_enabled" = 1 ]; then
|
if [ "$kpti_enabled" = 1 ]; then
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue