peter/spectre-meltdown-checker
1
0
Fork 0
mirror of https://github.com/speed47/spectre-meltdown-checker.git synced 2025-10-31 20:50:55 +01:00
Code Issues Projects Releases Wiki Activity

feat(mds): implement FreeBSD mitigation detection

Browse Source
This commit is contained in:
Stéphane Lesimple
2019-05-15 20:45:28 +02:00
parent d69ea67101
commit e83dc818cd
1 changed files with 114 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

121
spectre-meltdown-checker.sh
View File

@@ -589,14 +589,14 @@ is_cpu_mds_free()
#VULNWL_AMD(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS), #VULNWL_AMD(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS),
#VULNWL_HYGON(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS), #VULNWL_HYGON(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS),
parse_cpu_details parse_cpu_details
if is_intel; then if is_intel; then
if [ "$cpu_family" = 6 ]; then if [ "$cpu_family" = 6 ]; then
if [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT" ] || \ if [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT" ] || \
[ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_X" ] || \ [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_X" ] || \
[ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_PLUS" ]; then [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_PLUS" ]; then
return 0 return 0
fi fi
fi fi
[ "$capabilities_mds_no" = 1 ] && return 0 [ "$capabilities_mds_no" = 1 ] && return 0
fi fi
@@ -613,7 +613,7 @@ is_cpu_mds_free()
return 0 return 0
fi fi
return 1 return 1
} }
is_cpu_ssb_free() is_cpu_ssb_free()
@@ -2609,7 +2609,7 @@ check_cpu()
pstatus green YES pstatus green YES
else else
pstatus yellow NO pstatus yellow NO
fi fi
fi fi
_info_nol " * CPU supports Software Guard Extensions (SGX): " _info_nol " * CPU supports Software Guard Extensions (SGX): "
@@ -4404,7 +4404,114 @@ check_mds()
{ {
cve=$1 cve=$1
_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
if [ "$os" = Linux ]; then
check_mds_linux "$cve"
elif echo "$os" | grep -q BSD; then
check_mds_bsd "$cve"
else
_warn "Unsupported OS ($os)"
fi
}
check_mds_bsd()
{
_info_nol "* Kernel supports using MD_CLEAR mitigation: "
if [ "$opt_live" = 1 ]; then
if sysctl hw.mds_disable >/dev/null 2>&1; then
pstatus green YES
kernel_md_clear=1
else
pstatus yellow NO
kernel_md_clear=0
fi
else
if command -v "strings" >/dev/null 2>&1; then
if strings /boot/kernel/kernel | grep -Fq hw.mds_disable; then
pstatus green YES
kernel_md_clear=1
else
kernel_md_clear=0
pstatus yellow NO
fi
else
pstatus yellow UNKNOWN
fi
fi
_info_nol "* CPU Hyper-Threading (SMT) is disabled: "
if sysctl machdep.hyperthreading_allowed >/dev/null 2>&1; then
kernel_smt_allowed=$(sysctl -n machdep.hyperthreading_allowed 2>/dev/null)
if [ "$kernel_smt_allowed" = 1 ]; then
pstatus yellow NO
else
pstatus green YES
fi
else
pstatus yellow UNKNOWN "sysctl machdep.hyperthreading_allowed doesn't exist"
fi
_info_nol "* Kernel mitigation is enabled: "
if [ "$kernel_md_clear" = 1 ]; then
kernel_mds_enabled=$(sysctl -n hw.mds_disable 2>/dev/null)
else
kernel_mds_enabled=0
fi
case "$kernel_mds_enabled" in
0) pstatus yellow NO;;
1) pstatus green YES "with microcode support";;
2) pstatus green YES "software-only support (SLOW)";;
3) pstatus green YES;;
*) pstatus yellow UNKNOWN "unknown value $kernel_mds_enabled"
esac
_info_nol "* Kernel mitigation is active: "
if [ "$kernel_md_clear" = 1 ]; then
kernel_mds_state=$(sysctl -n hw.mds_disable_state 2>/dev/null)
else
kernel_mds_state=inactive
fi
# https://github.com/freebsd/freebsd/blob/master/sys/x86/x86/cpu_machdep.c#L953
case "$kernel_mds_state" in
inactive) pstatus yellow NO;;
VERW) pstatus green YES "with microcode support";;
software*) pstatus green YES "software-only support (SLOW)";;
*) pstatus yellow UNKNOWN
esac
if ! is_cpu_vulnerable "$cve"; then
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not vulnerable"
else
if [ "$cpuid_md_clear" = 1 ]; then
if [ "$kernel_md_clear" = 1 ]; then
if [ "$opt_live" = 1 ]; then
# mitigation must also be enabled
if [ "$kernel_mds_enabled" -ge 1 ]; then
if [ "$opt_paranoid" != 1 ] || [ "$kernel_smt_allowed" = 0 ]; then
pvulnstatus "$cve" OK "Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled"
else
pvulnstatus "$cve" VULN "Your microcode and kernel are both up to date for this mitigation, but your must disable SMT (Hyper-Threading) for a complete mitigation"
fi
else
pvulnstatus "$cve" VULN "Your microcode and kernel are both up to date for this mitigation, but the mitigation is not active"
fi
else
pvulnstatus "$cve" OK "Your microcode and kernel are both up to date for this mitigation"
fi
else
pvulnstatus "$cve" VULN "Your microcode supports mitigation, but your kernel doesn't, upgrade it to mitigate the vulnerability"
fi
else
if [ "$kernel_md_clear" = 1 ]; then
pvulnstatus "$cve" VULN "Your kernel supports mitigation, but your CPU microcode also needs to be updated to mitigate the vulnerability"
else
pvulnstatus "$cve" VULN "Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability"
fi
fi
fi
}
check_mds_linux()
{
status=UNK status=UNK
sys_interface_available=0 sys_interface_available=0
msg='' msg=''