mirror of
https://github.com/speed47/spectre-meltdown-checker.git
synced 2025-01-09 19:00:29 +01:00
feat: rework Spectre V2 mitigations detection w/ latest vanilla & Red Hat 7 kernels
This commit is contained in:
parent
07484d0ea7
commit
de02dad909
@ -1832,10 +1832,17 @@ check_variant2_linux()
|
|||||||
fi
|
fi
|
||||||
if [ "$opt_sysfs_only" != 1 ]; then
|
if [ "$opt_sysfs_only" != 1 ]; then
|
||||||
_info "* Mitigation 1"
|
_info "* Mitigation 1"
|
||||||
_info_nol " * Kernel is compiled with IBRS/IBPB support: "
|
|
||||||
ibrs_can_tell=0
|
ibrs_can_tell=0
|
||||||
|
ibrs_supported=''
|
||||||
|
ibrs_enabled=''
|
||||||
|
ibpb_can_tell=0
|
||||||
|
ibpb_supported=''
|
||||||
|
ibpb_enabled=''
|
||||||
|
|
||||||
if [ "$opt_live" = 1 ]; then
|
if [ "$opt_live" = 1 ]; then
|
||||||
|
# in live mode, we can check for the ibrs_enabled file in debugfs
|
||||||
|
# all versions of the patches have it (NOT the case of IBPB or KPTI)
|
||||||
ibrs_can_tell=1
|
ibrs_can_tell=1
|
||||||
mount_debugfs
|
mount_debugfs
|
||||||
for dir in \
|
for dir in \
|
||||||
@ -1847,17 +1854,18 @@ check_variant2_linux()
|
|||||||
# /sys/kernel/debug/ibrs_enabled: vanilla
|
# /sys/kernel/debug/ibrs_enabled: vanilla
|
||||||
# /sys/kernel/debug/x86/ibrs_enabled: Red Hat (see https://access.redhat.com/articles/3311301)
|
# /sys/kernel/debug/x86/ibrs_enabled: Red Hat (see https://access.redhat.com/articles/3311301)
|
||||||
# /proc/sys/kernel/ibrs_enabled: OpenSUSE tumbleweed
|
# /proc/sys/kernel/ibrs_enabled: OpenSUSE tumbleweed
|
||||||
pstatus green YES
|
specex_knob_dir=$dir
|
||||||
ibrs_knob_dir=$dir
|
ibrs_supported="$dir/ibrs_enabled exists"
|
||||||
ibrs_supported=1
|
|
||||||
ibrs_enabled=$(cat "$dir/ibrs_enabled" 2>/dev/null)
|
ibrs_enabled=$(cat "$dir/ibrs_enabled" 2>/dev/null)
|
||||||
_debug "ibrs: found $dir/ibrs_enabled=$ibrs_enabled"
|
_debug "ibrs: found $dir/ibrs_enabled=$ibrs_enabled"
|
||||||
|
# if ibrs_enabled is there, ibpb_enabled will be in the same dir
|
||||||
if [ -e "$dir/ibpb_enabled" ]; then
|
if [ -e "$dir/ibpb_enabled" ]; then
|
||||||
|
# if the file is there, we have IBPB compiled-in (see note above for IBRS)
|
||||||
|
ibpb_supported="$dir/ibpb_enabled exists"
|
||||||
ibpb_enabled=$(cat "$dir/ibpb_enabled" 2>/dev/null)
|
ibpb_enabled=$(cat "$dir/ibpb_enabled" 2>/dev/null)
|
||||||
_debug "ibpb: found $dir/ibpb_enabled=$ibpb_enabled"
|
_debug "ibpb: found $dir/ibpb_enabled=$ibpb_enabled"
|
||||||
else
|
else
|
||||||
ibpb_enabled=-1
|
_debug "ibpb: $dir/ibpb_enabled file doesn't exist"
|
||||||
_debug "ibpb: no ibpb_enabled file in $dir"
|
|
||||||
fi
|
fi
|
||||||
break
|
break
|
||||||
else
|
else
|
||||||
@ -1868,42 +1876,93 @@ check_variant2_linux()
|
|||||||
# is set when ibrs has been administratively enabled (usually from cmdline)
|
# is set when ibrs has been administratively enabled (usually from cmdline)
|
||||||
# which in that case means ibrs is supported *and* enabled for kernel & user
|
# which in that case means ibrs is supported *and* enabled for kernel & user
|
||||||
# as per the ibrs patch series v3
|
# as per the ibrs patch series v3
|
||||||
if [ "$ibrs_supported" = 0 ]; then
|
if [ -z "$ibrs_supported" ]; then
|
||||||
if grep ^flags "$procfs/cpuinfo" | grep -qw spec_ctrl_ibrs; then
|
if grep ^flags "$procfs/cpuinfo" | grep -qw spec_ctrl_ibrs; then
|
||||||
_debug "ibrs: found spec_ctrl_ibrs flag in $procfs/cpuinfo"
|
_debug "ibrs: found spec_ctrl_ibrs flag in $procfs/cpuinfo"
|
||||||
ibrs_supported=1
|
ibrs_supported="spec_ctrl_ibrs flag in $procfs/cpuinfo"
|
||||||
# enabled=2 -> kernel & user
|
# enabled=2 -> kernel & user
|
||||||
ibrs_enabled=2
|
ibrs_enabled=2
|
||||||
# XXX and what about ibpb ?
|
# XXX and what about ibpb ?
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
if [ -e "/sys/devices/system/cpu/vulnerabilities/spectre_v2" ]; then
|
||||||
|
# when IBPB is enabled on 4.15+, we can see it in sysfs
|
||||||
|
if grep -q ', IBPB' "/sys/devices/system/cpu/vulnerabilities/spectre_v2"; then
|
||||||
|
_debug "ibpb: found enabled in sysfs"
|
||||||
|
ibpb_supported='IBPB found enabled in sysfs'
|
||||||
|
ibpb_enabled=1
|
||||||
fi
|
fi
|
||||||
if [ "$ibrs_supported" != 1 ] && [ -n "$opt_map" ]; then
|
# when IBRS_FW is enabled on 4.15+, we can see it in sysfs
|
||||||
|
if grep -q ', IBRS_FW' "/sys/devices/system/cpu/vulnerabilities/spectre_v2"; then
|
||||||
|
_debug "ibrs: found IBRS_FW in sysfs"
|
||||||
|
ibrs_supported='found IBRS_FW in sysfs'
|
||||||
|
ibrs_fw_enabled=1
|
||||||
|
fi
|
||||||
|
# when IBRS is enabled on 4.15+, we can see it in sysfs
|
||||||
|
if grep -q 'Indirect Branch Restricted Speculation' "/sys/devices/system/cpu/vulnerabilities/spectre_v2"; then
|
||||||
|
_debug "ibrs: found IBRS in sysfs"
|
||||||
|
ibrs_supported='found IBRS in sysfs'
|
||||||
|
ibrs_enabled=3
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
# in live mode, if ibrs or ibpb is supported and we didn't find these are enabled, then they are not
|
||||||
|
[ -n "$ibrs_supported" ] && [ -z "$ibrs_enabled" ] && ibrs_enabled=0
|
||||||
|
[ -n "$ibpb_supported" ] && [ -z "$ibpb_enabled" ] && ibpb_enabled=0
|
||||||
|
fi
|
||||||
|
if [ -z "$ibrs_supported" ]; then
|
||||||
|
check_redhat_canonical_spectre
|
||||||
|
if [ "$redhat_canonical_spectre" = 1 ]; then
|
||||||
|
ibrs_supported="Red Hat/Ubuntu variant"
|
||||||
|
ibpb_supported="Red Hat/Ubuntu variant"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
if [ -z "$ibrs_supported" ] && [ -n "$kernel" ]; then
|
||||||
|
if ! which "${opt_arch_prefix}strings" >/dev/null 2>&1; then
|
||||||
|
:
|
||||||
|
else
|
||||||
|
ibrs_can_tell=1
|
||||||
|
ibrs_supported=$("${opt_arch_prefix}strings" "$kernel" | grep -Fw -e ', IBRS_FW' | head -1)
|
||||||
|
if [ -n "$ibrs_supported" ]; then
|
||||||
|
_debug "ibrs: found ibrs evidence in kernel image ($ibrs_supported)"
|
||||||
|
ibrs_supported="found '$ibrs_supported' in kernel image"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
if [ -z "$ibrs_supported" ] && [ -n "$opt_map" ]; then
|
||||||
ibrs_can_tell=1
|
ibrs_can_tell=1
|
||||||
if grep -q spec_ctrl "$opt_map"; then
|
if grep -q spec_ctrl "$opt_map"; then
|
||||||
pstatus green YES
|
ibrs_supported="found spec_ctrl in symbols file"
|
||||||
ibrs_supported=1
|
|
||||||
_debug "ibrs: found '*spec_ctrl*' symbol in $opt_map"
|
_debug "ibrs: found '*spec_ctrl*' symbol in $opt_map"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
if [ "$ibrs_supported" != 1 ]; then
|
# recent (4.15) vanilla kernels have IBPB but not IBRS, and without the debugfs tunables of Red Hat
|
||||||
check_redhat_canonical_spectre
|
# we can detect it directly in the image
|
||||||
if [ "$redhat_canonical_spectre" = 1 ]; then
|
if [ -z "$ibpb_supported" ] && [ -n "$kernel" ]; then
|
||||||
pstatus green YES "Red Hat/Ubuntu patch"
|
if ! which "${opt_arch_prefix}strings" >/dev/null 2>&1; then
|
||||||
ibrs_supported=1
|
:
|
||||||
|
else
|
||||||
|
ibpb_can_tell=1
|
||||||
|
ibpb_supported=$("${opt_arch_prefix}strings" "$kernel" | grep -Fw -e 'ibpb' -e ', IBPB' | head -1)
|
||||||
|
if [ -n "$ibpb_supported" ]; then
|
||||||
|
_debug "ibpb: found ibpb evidence in kernel image ($ibpb_supported)"
|
||||||
|
ibpb_supported="found '$ibpb_supported' in kernel image"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
if [ "$ibrs_supported" != 1 ]; then
|
fi
|
||||||
|
|
||||||
|
_info_nol " * Kernel is compiled with IBRS support: "
|
||||||
|
if [ -z "$ibrs_supported" ]; then
|
||||||
if [ "$ibrs_can_tell" = 1 ]; then
|
if [ "$ibrs_can_tell" = 1 ]; then
|
||||||
pstatus yellow NO
|
pstatus yellow NO
|
||||||
else
|
else
|
||||||
# if we're in offline mode without System.map, we can't really know
|
# if we're in offline mode without System.map, we can't really know
|
||||||
pstatus yellow UNKNOWN "in offline mode, we need System.map to be able to tell"
|
pstatus yellow UNKNOWN "in offline mode, we need the kernel image and System.map to be able to tell"
|
||||||
fi
|
fi
|
||||||
|
else
|
||||||
|
pstatus green YES "$ibrs_supported"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
_info " * Currently enabled features"
|
_info_nol " * IBRS enabled and active: "
|
||||||
_info_nol " * IBRS enabled for Kernel space: "
|
|
||||||
if [ "$opt_live" = 1 ]; then
|
if [ "$opt_live" = 1 ]; then
|
||||||
if [ "$ibpb_enabled" = 2 ]; then
|
if [ "$ibpb_enabled" = 2 ]; then
|
||||||
# if ibpb=2, ibrs is forcefully=0
|
# if ibpb=2, ibrs is forcefully=0
|
||||||
@ -1912,19 +1971,21 @@ check_variant2_linux()
|
|||||||
# 0 means disabled
|
# 0 means disabled
|
||||||
# 1 is enabled only for kernel space
|
# 1 is enabled only for kernel space
|
||||||
# 2 is enabled for kernel and user space
|
# 2 is enabled for kernel and user space
|
||||||
|
# 3 is enabled
|
||||||
case "$ibrs_enabled" in
|
case "$ibrs_enabled" in
|
||||||
"")
|
|
||||||
if [ "$ibrs_supported" = 1 ]; then
|
|
||||||
pstatus yellow UNKNOWN
|
|
||||||
else
|
|
||||||
pstatus yellow NO
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
0)
|
0)
|
||||||
|
if [ "$ibrs_fw_enabled" = 1 ]; then
|
||||||
|
pstatus green YES "for firmware code"
|
||||||
|
else
|
||||||
pstatus yellow NO
|
pstatus yellow NO
|
||||||
_verbose " - To enable, \`echo 1 > $ibrs_knob_dir/ibrs_enabled' as root. If you don't have hardware support, you'll get an error."
|
if [ -e "$specex_knob_dir/ibrs_enabled" ]; then
|
||||||
|
_verbose " - To enable, \`echo 1 > $specex_knob_dir/ibrs_enabled' as root. If you don't have hardware support, you'll get an error."
|
||||||
|
fi
|
||||||
|
fi
|
||||||
;;
|
;;
|
||||||
1 | 2) pstatus green YES;;
|
1) pstatus green YES "for kernel space";;
|
||||||
|
2) pstatus green YES "for both kernel and user space";;
|
||||||
|
3) if [ "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel and firmware code"; else pstatus green YES; fi;;
|
||||||
*) pstatus yellow UNKNOWN;;
|
*) pstatus yellow UNKNOWN;;
|
||||||
esac
|
esac
|
||||||
fi
|
fi
|
||||||
@ -1932,33 +1993,19 @@ check_variant2_linux()
|
|||||||
pstatus blue N/A "not testable in offline mode"
|
pstatus blue N/A "not testable in offline mode"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
_info_nol " * IBRS enabled for User space: "
|
_info_nol " * Kernel is compiled with IBPB support: "
|
||||||
if [ "$opt_live" = 1 ]; then
|
if [ -z "$ibpb_supported" ]; then
|
||||||
if [ "$ibpb_enabled" = 2 ]; then
|
if [ "$ibpb_can_tell" = 1 ]; then
|
||||||
# if ibpb=2, ibrs is forcefully=0
|
|
||||||
pstatus blue NO "IBPB used instead of IBRS in all kernel entrypoints"
|
|
||||||
else
|
|
||||||
case "$ibrs_enabled" in
|
|
||||||
"")
|
|
||||||
if [ "$ibrs_supported" = 1 ]; then
|
|
||||||
pstatus yellow UNKNOWN
|
|
||||||
else
|
|
||||||
pstatus yellow NO
|
pstatus yellow NO
|
||||||
fi
|
else
|
||||||
;;
|
# if we're in offline mode without System.map, we can't really know
|
||||||
0 | 1)
|
pstatus yellow UNKNOWN "in offline mode, we need the kernel image to be able to tell"
|
||||||
pstatus yellow NO
|
|
||||||
_verbose " - To enable, \`echo 2 > $ibrs_knob_dir/ibrs_enabled' as root. If you don't have hardware support, you'll get an error."
|
|
||||||
;;
|
|
||||||
2) pstatus green YES;;
|
|
||||||
*) pstatus yellow UNKNOWN;;
|
|
||||||
esac
|
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
pstatus blue N/A "not testable in offline mode"
|
pstatus green YES "$ibpb_supported"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
_info_nol " * IBPB enabled: "
|
_info_nol " * IBPB enabled and active: "
|
||||||
if [ "$opt_live" = 1 ]; then
|
if [ "$opt_live" = 1 ]; then
|
||||||
case "$ibpb_enabled" in
|
case "$ibpb_enabled" in
|
||||||
"")
|
"")
|
||||||
@ -1970,7 +2017,7 @@ check_variant2_linux()
|
|||||||
;;
|
;;
|
||||||
0)
|
0)
|
||||||
pstatus yellow NO
|
pstatus yellow NO
|
||||||
_verbose " - To enable, \`echo 1 > $ibrs_knob_dir/ibpb_enabled' as root. If you don't have hardware support, you'll get an error."
|
_verbose " - To enable, \`echo 1 > $specex_knob_dir/ibpb_enabled' as root. If you don't have hardware support, you'll get an error."
|
||||||
;;
|
;;
|
||||||
1) pstatus green YES;;
|
1) pstatus green YES;;
|
||||||
2) pstatus green YES "IBPB used instead of IBRS in all kernel entrypoints";;
|
2) pstatus green YES "IBPB used instead of IBRS in all kernel entrypoints";;
|
||||||
@ -2027,12 +2074,17 @@ check_variant2_linux()
|
|||||||
# See gcc commit https://github.com/hjl-tools/gcc/commit/23b517d4a67c02d3ef80b6109218f2aadad7bd79
|
# See gcc commit https://github.com/hjl-tools/gcc/commit/23b517d4a67c02d3ef80b6109218f2aadad7bd79
|
||||||
# In latest retpoline LKML patches, the noretpoline_setup symbol exists only if CONFIG_RETPOLINE is set
|
# In latest retpoline LKML patches, the noretpoline_setup symbol exists only if CONFIG_RETPOLINE is set
|
||||||
# *AND* if the compiler is retpoline-compliant, so look for that symbol
|
# *AND* if the compiler is retpoline-compliant, so look for that symbol
|
||||||
|
#
|
||||||
|
# if there is "retpoline" in the file and NOT "minimal", then it's full retpoline
|
||||||
|
# (works for vanilla and Red Hat variants)
|
||||||
if [ "$opt_live" = 1 ] && [ -e "/sys/devices/system/cpu/vulnerabilities/spectre_v2" ]; then
|
if [ "$opt_live" = 1 ] && [ -e "/sys/devices/system/cpu/vulnerabilities/spectre_v2" ]; then
|
||||||
if grep -qw Minimal /sys/devices/system/cpu/vulnerabilities/spectre_v2; then
|
if grep -qwi retpoline /sys/devices/system/cpu/vulnerabilities/spectre_v2; then
|
||||||
|
if grep -qwi minimal /sys/devices/system/cpu/vulnerabilities/spectre_v2; then
|
||||||
pstatus yellow NO "kernel reports minimal retpoline compilation"
|
pstatus yellow NO "kernel reports minimal retpoline compilation"
|
||||||
elif grep -qw Full /sys/devices/system/cpu/vulnerabilities/spectre_v2; then
|
else
|
||||||
retpoline_compiler=1
|
retpoline_compiler=1
|
||||||
pstatus green YES "kernel reports full retpoline compilation"
|
pstatus green YES "kernel reports full retpoline compilation"
|
||||||
|
fi
|
||||||
else
|
else
|
||||||
if [ "$retpoline" = 1 ]; then
|
if [ "$retpoline" = 1 ]; then
|
||||||
pstatus yellow UNKNOWN
|
pstatus yellow UNKNOWN
|
||||||
@ -2085,6 +2137,22 @@ check_variant2_linux()
|
|||||||
pstatus yellow NO
|
pstatus yellow NO
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# only Red Hat has a tunable to disable it on runtime
|
||||||
|
if [ "$opt_live" = 1 ]; then
|
||||||
|
if [ -e "$specex_knob_dir/retp_enabled" ]; then
|
||||||
|
retp_enabled=$(cat "$specex_knob_dir/retp_enabled" 2>/dev/null)
|
||||||
|
_debug "retpoline: found $specex_knob_dir/retp_enabled=$retp_enabled"
|
||||||
|
_info_nol " * Retpoline is enabled: "
|
||||||
|
if [ "$retp_enabled" = 1 ]; then
|
||||||
|
pstatus green YES
|
||||||
|
else
|
||||||
|
pstatus yellow NO
|
||||||
|
_verbose " - To enable, \`echo 1 > $specex_knob_dir/retp_enabled' as root."
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
elif [ "$sys_interface_available" = 0 ]; then
|
elif [ "$sys_interface_available" = 0 ]; then
|
||||||
# we have no sysfs but were asked to use it only!
|
# we have no sysfs but were asked to use it only!
|
||||||
msg="/sys vulnerability interface use forced, but it's not available!"
|
msg="/sys vulnerability interface use forced, but it's not available!"
|
||||||
@ -2097,7 +2165,7 @@ check_variant2_linux()
|
|||||||
pvulnstatus $cve OK "your CPU vendor reported your CPU model as not vulnerable"
|
pvulnstatus $cve OK "your CPU vendor reported your CPU model as not vulnerable"
|
||||||
elif [ -z "$msg" ]; then
|
elif [ -z "$msg" ]; then
|
||||||
# if msg is empty, sysfs check didn't fill it, rely on our own test
|
# if msg is empty, sysfs check didn't fill it, rely on our own test
|
||||||
if [ "$retpoline" = 1 ] && [ "$retpoline_compiler" = 1 ]; then
|
if [ "$retpoline" = 1 ] && [ "$retpoline_compiler" = 1 ] && [ "$retp_enabled" != 0 ]; then
|
||||||
pvulnstatus $cve OK "retpoline mitigates the vulnerability"
|
pvulnstatus $cve OK "retpoline mitigates the vulnerability"
|
||||||
elif [ -n "$bp_harden" ]; then
|
elif [ -n "$bp_harden" ]; then
|
||||||
pvulnstatus $cve OK 'branch predictor hardening mitigates the vulnerability for ARM'
|
pvulnstatus $cve OK 'branch predictor hardening mitigates the vulnerability for ARM'
|
||||||
@ -2115,8 +2183,10 @@ check_variant2_linux()
|
|||||||
pvulnstatus $cve VULN "IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability"
|
pvulnstatus $cve VULN "IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability"
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
if [ "$ibrs_supported" = 1 ]; then
|
if [ -n "$ibrs_supported" ]; then
|
||||||
pvulnstatus $cve OK "offline mode: IBRS/IBPB will mitigate the vulnerability if enabled at runtime"
|
pvulnstatus $cve OK "offline mode: IBRS/IBPB will mitigate the vulnerability if enabled at runtime"
|
||||||
|
elif [ "$retpoline" = 1 ]; then
|
||||||
|
pvulnstatus $cve OK "retpoline mitigates the vulnerability"
|
||||||
elif [ "$ibrs_can_tell" = 1 ]; then
|
elif [ "$ibrs_can_tell" = 1 ]; then
|
||||||
pvulnstatus $cve VULN "IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability"
|
pvulnstatus $cve VULN "IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability"
|
||||||
else
|
else
|
||||||
@ -2291,7 +2361,7 @@ check_variant3_linux()
|
|||||||
pstatus yellow NO
|
pstatus yellow NO
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
pstatus blue N/A "can't verify if PTI is enabled in offline mode"
|
pstatus blue N/A "not testable in offline mode"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# no security impact but give a hint to the user in verbose mode
|
# no security impact but give a hint to the user in verbose mode
|
||||||
|
Loading…
Reference in New Issue
Block a user