mirror of
https://github.com/speed47/spectre-meltdown-checker.git
synced 2026-06-06 22:53:03 +02:00
enh: use g_mode to explicitly save/load the current running mode
This commit is contained in:
Stéphane Lesimple
+12
-12
@@ -269,7 +269,7 @@ check_CVE_2017_5715_linux() {
|
||||
g_ibpb_supported=''
|
||||
g_ibpb_enabled=''
|
||||
|
||||
if [ "$opt_runtime" = 1 ]; then
|
||||
if [ "$g_mode" = live ]; then
|
||||
# in live mode, we can check for the ibrs_enabled file in debugfs
|
||||
# all versions of the patches have it (NOT the case of IBPB or KPTI)
|
||||
g_ibrs_can_tell=1
|
||||
@@ -420,7 +420,7 @@ check_CVE_2017_5715_linux() {
|
||||
fi
|
||||
|
||||
pr_info_nol " * IBRS enabled and active: "
|
||||
if [ "$opt_runtime" = 1 ]; then
|
||||
if [ "$g_mode" = live ]; then
|
||||
if [ "$g_ibpb_enabled" = 2 ]; then
|
||||
# if ibpb=2, ibrs is forcefully=0
|
||||
pstatus blue NO "IBPB used instead of IBRS in all kernel entrypoints"
|
||||
@@ -471,7 +471,7 @@ check_CVE_2017_5715_linux() {
|
||||
fi
|
||||
|
||||
pr_info_nol " * IBPB enabled and active: "
|
||||
if [ "$opt_runtime" = 1 ]; then
|
||||
if [ "$g_mode" = live ]; then
|
||||
case "$g_ibpb_enabled" in
|
||||
"")
|
||||
if [ "$g_ibrs_supported" = 1 ]; then
|
||||
@@ -554,7 +554,7 @@ check_CVE_2017_5715_linux() {
|
||||
#
|
||||
# since 5.15.28, this is now "Retpolines" as the implementation was switched to a generic one,
|
||||
# so we look for both "retpoline" and "retpolines"
|
||||
if [ "$opt_runtime" = 1 ] && [ -n "$ret_sys_interface_check_fullmsg" ]; then
|
||||
if [ "$g_mode" = live ] && [ -n "$ret_sys_interface_check_fullmsg" ]; then
|
||||
if echo "$ret_sys_interface_check_fullmsg" | grep -qwi -e retpoline -e retpolines; then
|
||||
if echo "$ret_sys_interface_check_fullmsg" | grep -qwi minimal; then
|
||||
retpoline_compiler=0
|
||||
@@ -605,7 +605,7 @@ check_CVE_2017_5715_linux() {
|
||||
|
||||
# only Red Hat has a tunable to disable it on runtime
|
||||
retp_enabled=-1
|
||||
if [ "$opt_runtime" = 1 ]; then
|
||||
if [ "$g_mode" = live ]; then
|
||||
if [ -e "$g_specex_knob_dir/retp_enabled" ]; then
|
||||
retp_enabled=$(cat "$g_specex_knob_dir/retp_enabled" 2>/dev/null)
|
||||
pr_debug "retpoline: found $g_specex_knob_dir/retp_enabled=$retp_enabled"
|
||||
@@ -635,7 +635,7 @@ check_CVE_2017_5715_linux() {
|
||||
if is_vulnerable_to_empty_rsb || [ "$opt_verbose" -ge 2 ]; then
|
||||
pr_info_nol " * Kernel supports RSB filling: "
|
||||
rsb_filling=0
|
||||
if [ "$opt_runtime" = 1 ] && [ "$opt_no_sysfs" != 1 ]; then
|
||||
if [ "$g_mode" = live ] && [ "$opt_no_sysfs" != 1 ]; then
|
||||
# if we're live and we aren't denied looking into /sys, let's do it
|
||||
if echo "$ret_sys_interface_check_fullmsg" | grep -qw RSB; then
|
||||
rsb_filling=1
|
||||
@@ -728,7 +728,7 @@ check_CVE_2017_5715_linux() {
|
||||
*", IBPB"* | *"; IBPB"*) v2_ibpb_mode=conditional ;;
|
||||
*) v2_ibpb_mode=disabled ;;
|
||||
esac
|
||||
elif [ "$opt_runtime" = 1 ]; then
|
||||
elif [ "$g_mode" = live ]; then
|
||||
case "$g_ibpb_enabled" in
|
||||
2) v2_ibpb_mode=always-on ;;
|
||||
1) v2_ibpb_mode=conditional ;;
|
||||
@@ -826,7 +826,7 @@ check_CVE_2017_5715_linux() {
|
||||
*"PBRSB-eIBRS: Vulnerable"*) v2_pbrsb_status=vulnerable ;;
|
||||
*) v2_pbrsb_status=unknown ;;
|
||||
esac
|
||||
elif [ "$opt_runtime" != 1 ] && [ -n "$g_kernel" ]; then
|
||||
elif [ "$g_mode" != live ] && [ -n "$g_kernel" ]; then
|
||||
if grep -q 'PBRSB-eIBRS' "$g_kernel" 2>/dev/null; then
|
||||
v2_pbrsb_status=sw-sequence
|
||||
else
|
||||
@@ -857,7 +857,7 @@ check_CVE_2017_5715_linux() {
|
||||
*"BHI: Vulnerable"*) v2_bhi_status=vulnerable ;;
|
||||
*) v2_bhi_status=unknown ;;
|
||||
esac
|
||||
elif [ "$opt_runtime" != 1 ] && [ -n "$opt_config" ] && [ -r "$opt_config" ]; then
|
||||
elif [ "$g_mode" != live ] && [ -n "$opt_config" ] && [ -r "$opt_config" ]; then
|
||||
if grep -q '^CONFIG_\(MITIGATION_\)\?SPECTRE_BHI' "$opt_config"; then
|
||||
if [ "$cap_bhi" = 1 ]; then
|
||||
v2_bhi_status=bhi_dis_s
|
||||
@@ -881,7 +881,7 @@ check_CVE_2017_5715_linux() {
|
||||
esac
|
||||
|
||||
# --- v2_vuln_module ---
|
||||
if [ "$opt_runtime" = 1 ] && [ -n "$ret_sys_interface_check_fullmsg" ]; then
|
||||
if [ "$g_mode" = live ] && [ -n "$ret_sys_interface_check_fullmsg" ]; then
|
||||
pr_info_nol " * Non-retpoline module loaded: "
|
||||
if echo "$ret_sys_interface_check_fullmsg" | grep -q 'vulnerable module loaded'; then
|
||||
v2_vuln_module=1
|
||||
@@ -982,7 +982,7 @@ check_CVE_2017_5715_linux() {
|
||||
if [ -n "${SMC_MOCK_UNPRIVILEGED_BPF_DISABLED:-}" ]; then
|
||||
_ebpf_disabled="$SMC_MOCK_UNPRIVILEGED_BPF_DISABLED"
|
||||
g_mocked=1
|
||||
elif [ "$opt_runtime" = 1 ] && [ -r "$g_procfs/sys/kernel/unprivileged_bpf_disabled" ]; then
|
||||
elif [ "$g_mode" = live ] && [ -r "$g_procfs/sys/kernel/unprivileged_bpf_disabled" ]; then
|
||||
_ebpf_disabled=$(cat "$g_procfs/sys/kernel/unprivileged_bpf_disabled" 2>/dev/null)
|
||||
g_mockme=$(printf "%b\n%b" "$g_mockme" "SMC_MOCK_UNPRIVILEGED_BPF_DISABLED='$_ebpf_disabled'")
|
||||
fi
|
||||
@@ -1170,7 +1170,7 @@ check_CVE_2017_5715_linux() {
|
||||
pvulnstatus "$cve" OK "Full IBPB is mitigating the vulnerability"
|
||||
|
||||
# No-runtime mode fallback
|
||||
elif [ "$opt_runtime" != 1 ]; then
|
||||
elif [ "$g_mode" != live ]; then
|
||||
if [ "$retpoline" = 1 ] && [ -n "$g_ibpb_supported" ]; then
|
||||
pvulnstatus "$cve" OK "no-runtime mode: kernel supports retpoline + IBPB to mitigate the vulnerability"
|
||||
elif [ -n "$g_ibrs_supported" ] && [ -n "$g_ibpb_supported" ]; then
|
||||
|
||||
Reference in New Issue
Block a user