verbose: add PCID check for performance impact of PTI

Stéphane Lesimple 2018-01-14 17:18:34 +01:00
parent dcc4488340
commit d96093171a


@ -730,7 +730,7 @@ check_variant2()
if [ "$opt_verbose" -ge 2 ]; then if [ "$opt_verbose" -ge 2 ]; then
_verbose_nol "* The kernel has set the spec_ctrl flag in cpuinfo: " _verbose_nol "* The kernel has set the spec_ctrl flag in cpuinfo: "
if [ "$opt_live" = 1 ]; then if [ "$opt_live" = 1 ]; then
if grep -qw spec_ctrl /proc/cpuinfo; then if grep ^flags /proc/cpuinfo | grep -qw spec_ctrl; then
pstatus green YES pstatus green YES
else else
pstatus red NO pstatus red NO
@ -766,7 +766,7 @@ check_variant2()
# which in that case means ibrs is supported *and* enabled for kernel & user # which in that case means ibrs is supported *and* enabled for kernel & user
# as per the ibrs patch series v3 # as per the ibrs patch series v3
if [ "$ibrs_supported" = 0 ]; then if [ "$ibrs_supported" = 0 ]; then
if grep -qw spec_ctrl_ibrs /proc/cpuinfo; then if grep ^flags /proc/cpuinfo | grep -qw spec_ctrl_ibrs; then
_debug "ibrs: found spec_ctrl_ibrs flag in /proc/cpuinfo" _debug "ibrs: found spec_ctrl_ibrs flag in /proc/cpuinfo"
ibrs_supported=1 ibrs_supported=1
# enabled=2 -> kernel & user # enabled=2 -> kernel & user
@ -982,6 +982,28 @@ check_variant3()
else else
pstatus blue N/A "can't verify if PTI is enabled in offline mode" pstatus blue N/A "can't verify if PTI is enabled in offline mode"
fi fi
# no security impact but give a hint to the user in verbose mode
# about PCID/INVPCID cpuid features that must be present to avoid
# too big a performance impact with PTI
# refs:
# https://marc.info/?t=151532047900001&r=1&w=2
# https://groups.google.com/forum/m/#!topic/mechanical-sympathy/L9mHTbeQLNU
if [ "$opt_verbose" -ge 2 ]; then
_info "* Performance impact if PTI is enabled"
_info_nol "* CPU supports PCID: "
if grep ^flags /proc/cpuinfo | grep -qw pcid; then
pstatus green YES 'performance degradation with PTI will be limited'
else
pstatus blue NO 'no security impact but performance will be degraded with PTI'
fi
_info_nol "* CPU supports INVPCID: "
if grep ^flags /proc/cpuinfo | grep -qw invpcid; then
pstatus green YES 'performance degradation with PTI will be limited'
else
pstatus blue NO 'no security impact but performance will be degraded with PTI'
fi
fi
fi fi
# if we have the /sys interface, don't even check is_cpu_vulnerable ourselves, the kernel already does it # if we have the /sys interface, don't even check is_cpu_vulnerable ourselves, the kernel already does it
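Review bot: The PCID/INVPCID block added to check_variant3() reads `/proc/cpuinfo` without testing `$opt_live`, although it appears to sit after the `fi` that closes the live/offline branch just above it. In offline mode it would therefore report the flags of the machine running the script rather than those of the system whose kernel is being inspected, and the YES/NO hint could mislead. The spec_ctrl check in the first hunk is already gated on `[ "$opt_live" = 1 ]`; the same guard fits here, for example `if [ "$opt_verbose" -ge 2 ] && [ "$opt_live" = 1 ]; then`, or print an N/A status in offline mode as the PTI check does. check_variant3() starts and ends outside the visible hunk, so the exact nesting should be confirmed against the full file.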