From c1c1ac4dbb4270781a04384e3c4126581d9fd637 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20M=C3=A9riot?=
Date: Thu, 10 Aug 2023 09:05:44 +0000
Subject: [PATCH] feat(downfall): detection of the kernel mitigation relying on dmesg

---
 spectre-meltdown-checker.sh | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
index 09e15b6..66afb8d 100755
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
@@ -6222,7 +6222,7 @@ check_CVE_2022_40982_linux() {
 pstatus yellow NO
 fi
 _info_nol "* Kernel supports software mitigation by disabling AVX: "
- if [ -n "$kernel_err" ]; then
+ if [ -n "$kernel_err" ]; then
 kernel_gds_err="$kernel_err"
 elif grep -q 'gather_data_sampling' "$kernel"; then
 kernel_gds="found gather_data_sampling in kernel image"
@@ -6234,6 +6234,22 @@ check_CVE_2022_40982_linux() {
 else
 pstatus yellow NO
 fi
+
+ if [ -n "$kernel_gds" ]; then
+ _info_nol "* Is the kernel mitigation active: "
+
+ # Check dmesg message to see whether AVX has been disabled
+ dmesg_grep 'Microcode update needed! Disabling AVX as mitigation'; ret=$?
+ if [ $ret -eq 2 ]; then
+ pstatus yellow UNKNOWN "dmesg truncated, AVX mitigation detection will be unreliable. Please reboot and relaunch this script"
+ elif [ $ret -eq 0 ]; then
+ kernel_avx_disabled="AVX disabled by the kernel"
+ pstatus green YES "$kernel_avx_disabled"
+ else
+ pstatus red NO "No trace of AVX mitigation in dmesg"
+ fi
+ fi
+
 elif [ "$sys_interface_available" = 0 ]; then
 # we have no sysfs but were asked to use it only!
 msg="/sys vulnerability interface use forced, but it's not available!"
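Review bot: The `ret -eq 2` branch prints UNKNOWN to the user but leaves `kernel_avx_disabled` empty, so downstream code that only inspects that variable cannot tell a truncated ring buffer apart from "AVX was never disabled" and will treat the two the same way. Record the indeterminate state explicitly next to the `pstatus yellow UNKNOWN`, e.g. `kernel_avx_err="dmesg truncated, AVX mitigation state unknown"`, so the final verdict can be UNK instead of a confident VULN. Matching a single boot-time log line is also brittle in the other direction: the message is emitted once at boot, so anything that empties the ring buffer afterwards (`dmesg -C`, heavy logging without the truncation being noticed) yields a false `NO`; if `dmesg_grep` does not catch that case (its implementation is outside this hunk), the comment on the `dmesg_grep` call should state that this probe is best-effort and that sysfs, when available, is the authoritative source. The enclosing `check_CVE_2022_40982_linux` starts and ends outside this hunk.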
@@ -6251,8 +6267,10 @@ check_CVE_2022_40982_linux() {
 pvulnstatus $cve VULN "Your microcode is up to date but mitigation is disabled"
 elif [ -z "$kernel_gds" ]; then
 pvulnstatus $cve VULN "Your microcode doesn't mitigate the vulnerability, and your kernel doesn't support mitigation"
+ elif [ -z "$kernel_avx_disabled" ]; then
+ pvulnstatus $cve VULN "Your microcode doesn't mitigate the vulnerability, your kernel support the mitigation but the script did not detect AVX as disabled by the kernel"
 else
- pvulnstatus $cve UNK "Your microcode doesn't mitigate the vulnerability, your kernel supports mitigation, but mitigation detection is not implemented yet so we don't know whether it's active"
+ pvulnstatus $cve OK "Your microcode doesn't mitigate the vulnerability, but your kernel has disabled AVX support"
 fi
 else
 pvulnstatus $cve "$status" "$msg"
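Review bot: The new `elif [ -z "$kernel_avx_disabled" ]` branch reports VULN for every case in which the dmesg probe did not return 0, including the truncated-dmesg case that the probe itself labels UNKNOWN, so a user whose ring buffer merely rolled over gets a definite "vulnerable" verdict with a message claiming the script "did not detect" the mitigation. Check the indeterminate state before the VULN branch, e.g. `elif [ -n "$kernel_avx_err" ]; then pvulnstatus $cve UNK "Your microcode doesn't mitigate the vulnerability and dmesg is truncated, so we can't tell whether the kernel disabled AVX; reboot and relaunch this script"` (this assumes the dmesg branch sets such a variable), and keep VULN for a genuine miss. The VULN string also has a grammar slip: `your kernel support the mitigation` should read `your kernel supports the mitigation`. The enclosing function starts before this hunk.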