From c483a2cf608980c4517c08cec86bb75f6807a2d3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Lesimple?= Date: Sat, 13 Jan 2018 16:24:09 +0100 Subject: [PATCH 1/5] check spec_ctrl support using cpuid --- spectre-meltdown-checker.sh | 43 ++++++++++++++++++++++++++++++++++--- 1 file changed, 40 insertions(+), 3 deletions(-) diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh index 75f186c..d32ca62 100755 --- a/spectre-meltdown-checker.sh +++ b/spectre-meltdown-checker.sh @@ -8,7 +8,7 @@ # # Stephane Lesimple # -VERSION=0.29 +VERSION='0.29+cpuid_spec_ctrl-test1' show_usage() { @@ -664,11 +664,11 @@ check_variant2() sys_interface_available=1 else _info "* Mitigation 1" - _info_nol "* Hardware (CPU microcode) support for mitigation: " + _info_nol "* Hardware / CPU microcode support for mitigation (SPEC_CTRL MSR): " if [ ! -e /dev/cpu/0/msr ]; then # try to load the module ourselves (and remember it so we can rmmod it afterwards) modprobe msr 2>/dev/null && insmod_msr=1 - _debug "attempted to load module msr, ret=$insmod_msr" + _debug "attempted to load module msr, insmod_msr=$insmod_msr" fi if [ ! -e /dev/cpu/0/msr ]; then pstatus yellow UNKNOWN "couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?" @@ -690,6 +690,43 @@ check_variant2() _debug "attempted to unload module msr, ret=$?" fi + # CPUID test + _info_nol "* Hardware / CPU microcode support for mitigation (CPUID bit): " + # $(dd if=/dev/cpu/0/cpuid bs=16 skip=7 iflag=skip_bytes count=1 2>/dev/null | dd bs=1 skip=15 count=1 2>/dev/null | od -t u -A n | awk '{print $1}'); echo $z; echo $(($z & 32)) + if [ ! -e /dev/cpu/0/cpuid ]; then + # try to load the module ourselves (and remember it so we can rmmod it afterwards) + modprobe cpuid 2>/dev/null && insmod_cpuid=1 + _debug "attempted to load module cpuid, insmod_cpuid=$insmod_cpuid" + fi + if [ ! -e /dev/cpu/0/cpuid ]; then + pstatus yellow UNKNOWN "couldn't read /dev/cpu/0/cpuidr, is cpuid support enabled in your kernel?" + else + # from kernel src: { X86_FEATURE_SPEC_CTRL, CPUID_EDX,26, 0x00000007, 0 }, + if [ "$opt_verbose" -ge 3 ]; then + dd if=/dev/cpu/0/cpuid bs=16 skip=7 iflag=skip_bytes count=1 >/dev/null 2>/dev/null + _debug "cpuid: reading leaf7 of cpuid on cpu0, ret=$?" + _debug "cpuid: leaf7 eax-ebx-ecd-edx: "$(dd if=/dev/cpu/0/cpuid bs=16 skip=7 iflag=skip_bytes count=1 2>/dev/null | od -x -A n) + _debug "cpuid: leaf7 edx higher-half is: "$(dd if=/dev/cpu/0/cpuid bs=16 skip=7 iflag=skip_bytes count=1 2>/dev/null | dd bs=1 skip=15 count=1 2>/dev/null | od -x -A n) + fi + # getting high byte of edx on leaf7 of cpuinfo in decimal + edx_hb=$(dd if=/dev/cpu/0/cpuid bs=16 skip=7 iflag=skip_bytes count=1 2>/dev/null | dd bs=1 skip=15 count=1 2>/dev/null | od -t u -A n | awk '{print $1}') + _debug "cpuid: leaf7 edx higher byte: $edx_hb (decimal)" + edx_bit26=$(( edx_hb & 8 )) + _debug "cpuid: edx_bit26=$edx_bit26" + if [ "$edx_bit26" -eq 8 ]; then + pstatus green YES + else + pstatus red NO + fi + fi + + if [ "$insmod_cpuid" = 1 ]; then + # if we used modprobe ourselves, rmmod the module + rmmod cpuid 2>/dev/null + _debug "attempted to unload module cpuid, ret=$?" + fi + # /CPUID test + _info_nol "* Kernel support for IBRS: " if [ "$opt_live" = 1 ]; then mount_debugfs From a422b53d7c6d2cedb382e946427d4020d6b0c107 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Lesimple?= Date: Sun, 14 Jan 2018 15:28:53 +0100 Subject: [PATCH 2/5] also check for cpuinfo flag --- spectre-meltdown-checker.sh | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh index d32ca62..b017e4c 100755 --- a/spectre-meltdown-checker.sh +++ b/spectre-meltdown-checker.sh @@ -664,7 +664,7 @@ check_variant2() sys_interface_available=1 else _info "* Mitigation 1" - _info_nol "* Hardware / CPU microcode support for mitigation (SPEC_CTRL MSR): " + _info_nol "* Hardware (CPU microcode) support for mitigation [SPEC_CTRL MSR]: " if [ ! -e /dev/cpu/0/msr ]; then # try to load the module ourselves (and remember it so we can rmmod it afterwards) modprobe msr 2>/dev/null && insmod_msr=1 @@ -691,8 +691,7 @@ check_variant2() fi # CPUID test - _info_nol "* Hardware / CPU microcode support for mitigation (CPUID bit): " - # $(dd if=/dev/cpu/0/cpuid bs=16 skip=7 iflag=skip_bytes count=1 2>/dev/null | dd bs=1 skip=15 count=1 2>/dev/null | od -t u -A n | awk '{print $1}'); echo $z; echo $(($z & 32)) + _info_nol "* Hardware (CPU microcode) support for mitigation [CPUID bit]: " if [ ! -e /dev/cpu/0/cpuid ]; then # try to load the module ourselves (and remember it so we can rmmod it afterwards) modprobe cpuid 2>/dev/null && insmod_cpuid=1 @@ -720,12 +719,13 @@ check_variant2() fi fi - if [ "$insmod_cpuid" = 1 ]; then - # if we used modprobe ourselves, rmmod the module - rmmod cpuid 2>/dev/null - _debug "attempted to unload module cpuid, ret=$?" + # hardware support according to kernel + _info_nol "* Hardware (CPU microcode) support for mitigation [cpuinfo flag]: " + if grep -qw spec_ctrl /proc/cpuinfo; then + pstatus green YES + else + pstatus red NO fi - # /CPUID test _info_nol "* Kernel support for IBRS: " if [ "$opt_live" = 1 ]; then From 749f432d32c8a31fa7c0456ff4b26f06f5db2185 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Lesimple?= Date: Sun, 14 Jan 2018 15:44:11 +0100 Subject: [PATCH 3/5] also check for spec_ctrl flag in cpuinfo --- spectre-meltdown-checker.sh | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh index b017e4c..e852fa0 100755 --- a/spectre-meltdown-checker.sh +++ b/spectre-meltdown-checker.sh @@ -142,6 +142,11 @@ _verbose() _echo 2 "$@" } +_verbose_nol() +{ + _echo_nol 2 "$@" +} + _debug() { _echo 3 "\033[34m(debug) $@\033[0m" @@ -664,7 +669,8 @@ check_variant2() sys_interface_available=1 else _info "* Mitigation 1" - _info_nol "* Hardware (CPU microcode) support for mitigation [SPEC_CTRL MSR]: " + _info "* Hardware (CPU microcode) support for mitigation" + _info_nol "* The SPEC_CTRL MSR is available: " if [ ! -e /dev/cpu/0/msr ]; then # try to load the module ourselves (and remember it so we can rmmod it afterwards) modprobe msr 2>/dev/null && insmod_msr=1 @@ -691,7 +697,7 @@ check_variant2() fi # CPUID test - _info_nol "* Hardware (CPU microcode) support for mitigation [CPUID bit]: " + _info_nol "* The SPEC_CTRL CPUID feature bit is set: " if [ ! -e /dev/cpu/0/cpuid ]; then # try to load the module ourselves (and remember it so we can rmmod it afterwards) modprobe cpuid 2>/dev/null && insmod_cpuid=1 @@ -720,11 +726,13 @@ check_variant2() fi # hardware support according to kernel - _info_nol "* Hardware (CPU microcode) support for mitigation [cpuinfo flag]: " - if grep -qw spec_ctrl /proc/cpuinfo; then - pstatus green YES - else - pstatus red NO + if [ "$opt_verbose" -ge 2 ]; then + _verbose_nol "* The kernel has set the spec_ctrl flag in cpuinfo: " + if grep -qw spec_ctrl /proc/cpuinfo; then + pstatus green YES + else + pstatus red NO + fi fi _info_nol "* Kernel support for IBRS: " From 71213c11b3d396c6dc43f43b133ea2f56a46bf39 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Lesimple?= Date: Sun, 14 Jan 2018 16:36:51 +0100 Subject: [PATCH 4/5] ibrs: check for spec_ctrl_ibrs in cpuinfo --- spectre-meltdown-checker.sh | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh index e852fa0..5468915 100755 --- a/spectre-meltdown-checker.sh +++ b/spectre-meltdown-checker.sh @@ -728,10 +728,14 @@ check_variant2() # hardware support according to kernel if [ "$opt_verbose" -ge 2 ]; then _verbose_nol "* The kernel has set the spec_ctrl flag in cpuinfo: " - if grep -qw spec_ctrl /proc/cpuinfo; then - pstatus green YES + if [ "$opt_live" = 1 ]; then + if grep -qw spec_ctrl /proc/cpuinfo; then + pstatus green YES + else + pstatus red NO + fi else - pstatus red NO + pstatus blue N/A "not testable in offline mode" fi fi @@ -756,6 +760,18 @@ check_variant2() _debug "ibrs: file $ibrs_file doesn't exist" fi done + # on some newer kernels, the spec_ctrl_ibrs flag in /proc/cpuinfo + # is set when ibrs has been administratively enabled (usually from cmdline) + # which in that case means ibrs is supported *and* enabled for kernel & user + # as per the ibrs patch series v3 + if [ "$ibrs_supported" = 0 ]; then + if grep -qw spec_ctrl_ibrs /proc/cpuinfo; then + _debug "ibrs: found spec_ctrl_ibrs flag in /proc/cpuinfo" + ibrs_supported=1 + # enabled=2 -> kernel & user + ibrs_enabled=2 + fi + fi fi if [ "$ibrs_supported" != 1 -a -n "$opt_map" ]; then if grep -q spec_ctrl "$opt_map"; then From 32e3fe6c07be30fdda0d34930716c3397e8d8a00 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Lesimple?= Date: Sun, 14 Jan 2018 16:45:59 +0100 Subject: [PATCH 5/5] bump to v0.30 to reflect changes --- spectre-meltdown-checker.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh index 5468915..f7d7c4d 100755 --- a/spectre-meltdown-checker.sh +++ b/spectre-meltdown-checker.sh @@ -8,7 +8,7 @@ # # Stephane Lesimple # -VERSION='0.29+cpuid_spec_ctrl-test1' +VERSION=0.30 show_usage() {