feat(ibpb=2): add detection of SMT before concluding the system is not vulnerable

This commit is contained in:
Stéphane Lesimple 2018-04-08 16:24:43 +02:00
parent 29c294edff
commit e16ad802da

View File

@ -974,6 +974,24 @@ is_intel()
return 1 return 1
} }
is_cpu_smt_enabled()
{
# SMT / HyperThreading is enabled if siblings != cpucores
if [ -e "$procfs/cpuinfo" ]; then
_siblings=$(awk '/^siblings/ {print $3;exit}' "$procfs/cpuinfo")
_cpucores=$(awk '/^cpu cores/ {print $4;exit}' "$procfs/cpuinfo")
if [ -n "$_siblings" ] && [ -n "$_cpucores" ]; then
if [ "$_siblings" = "$_cpucores" ]; then
return 1
else
return 0
fi
fi
fi
# we can't tell
return 2
}
is_ucode_blacklisted() is_ucode_blacklisted()
{ {
parse_cpu_details parse_cpu_details
@ -2294,6 +2312,8 @@ check_variant2_linux()
pvulnstatus $cve OK "Full retpoline + IBPB are mitigating the vulnerability" pvulnstatus $cve OK "Full retpoline + IBPB are mitigating the vulnerability"
elif [ "$ibrs_enabled" -ge 1 ] && [ "$ibpb_enabled" -ge 1 ]; then elif [ "$ibrs_enabled" -ge 1 ] && [ "$ibpb_enabled" -ge 1 ]; then
pvulnstatus $cve OK "IBRS + IBPB are mitigating the vulnerability" pvulnstatus $cve OK "IBRS + IBPB are mitigating the vulnerability"
elif [ "$ibpb_enabled" = 2 ] && ! is_cpu_smt_enabled; then
pvulnstatus $cve OK "Full IBPB is mitigating the vulnerability"
elif [ -n "$bp_harden" ]; then elif [ -n "$bp_harden" ]; then
pvulnstatus $cve OK "Branch predictor hardening mitigates the vulnerability" pvulnstatus $cve OK "Branch predictor hardening mitigates the vulnerability"
elif [ -z "$bp_harden" ] && [ "$cpu_vendor" = ARM ]; then elif [ -z "$bp_harden" ] && [ "$cpu_vendor" = ARM ]; then
@ -2353,6 +2373,8 @@ check_variant2_linux()
explain "Both your CPU and your kernel have IBPB support, but it is currently disabled. You may enable it. Check in your distro's documentation on how to do this." explain "Both your CPU and your kernel have IBPB support, but it is currently disabled. You may enable it. Check in your distro's documentation on how to do this."
fi fi
fi fi
elif [ "$ibpb_enabled" = 2 ] && is_cpu_smt_enabled; then
explain "You have ibpb_enabled set to 2, but it only offers sufficient protection when simultaneous multi-threading (aka SMT or HyperThreading) is disabled. You should reboot your system with the kernel parameter \`nosmt\`."
fi fi
# /IBPB # /IBPB