peter/spectre-meltdown-checker
peter
/
spectre-meltdown-checker
mirror of https://github.com/speed47/spectre-meltdown-checker.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Meltdown: check kernel args 

If pti=off or nopti is passed as a kernel argument, kpti is disabled, so even if
the kernel supports it, the system is vulnerable to variant 3
The cmdline check has the highest priority, but is disabled if
/sys/kernel/debug/x86/pti_enabled is found, as this is the only method to enable
kpti at runtime (as far as I know)

Signed-off-by: Alexandre Bruyelles <abruyelles@odiso.com>
This commit is contained in:
Alexandre Bruyelles 2018-01-19 22:45:23 +01:00
parent 14ca49a042
commit ef37fd6322
No known key found for this signature in database
GPG Key ID: D304106391A41F03
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
spectre-meltdown-checker.sh
View File

@ -1032,7 +1032,10 @@ check_variant3()
dmesg_grep="Kernel/User page tables isolation: enabled"
dmesg_grep="$dmesg_grep|Kernel page table isolation enabled"
dmesg_grep="$dmesg_grep|x86/pti: Unmapping kernel while in userspace"
if grep ^flags /proc/cpuinfo | grep -qw pti; then
if grep -q -e pti=off -e nopti /proc/cmdline && ! [ -e /sys/kernel/debug/x86/pti_enabled ]; then
_debug "kpti disabled on command line : pti=off or nopti in /proc/cmdlin"
kpti_enabled=0
elif grep ^flags /proc/cpuinfo | grep -qw pti; then
# vanilla PTI patch sets the 'pti' flag in cpuinfo
_debug "kpti_enabled: found 'pti' flag in /proc/cpuinfo"
kpti_enabled=1