peter/spectre-meltdown-checker
1
0
Fork 0
mirror of https://github.com/speed47/spectre-meltdown-checker.git synced 2025-11-04 07:40:56 +01:00
Code Issues Projects Releases Wiki Activity

Meltdown: check kernel args

Browse Source 
If pti=off or nopti is passed as a kernel argument, kpti is disabled, so even if
the kernel supports it, the system is vulnerable to variant 3
The cmdline check has the highest priority, but is disabled if
/sys/kernel/debug/x86/pti_enabled is found, as this is the only method to enable
kpti at runtime (as far as I know)

Signed-off-by: Alexandre Bruyelles <abruyelles@odiso.com>
This commit is contained in:
Alexandre Bruyelles
2018-01-19 22:45:23 +01:00
parent 14ca49a042
commit ef37fd6322
1 changed files with 4 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
spectre-meltdown-checker.sh
View File

@@ -1032,7 +1032,10 @@ check_variant3()
dmesg_grep="Kernel/User page tables isolation: enabled" dmesg_grep="Kernel/User page tables isolation: enabled"
dmesg_grep="$dmesg_grep|Kernel page table isolation enabled" dmesg_grep="$dmesg_grep|Kernel page table isolation enabled"
dmesg_grep="$dmesg_grep|x86/pti: Unmapping kernel while in userspace" dmesg_grep="$dmesg_grep|x86/pti: Unmapping kernel while in userspace"
if grep ^flags /proc/cpuinfo | grep -qw pti; then if grep -q -e pti=off -e nopti /proc/cmdline && ! [ -e /sys/kernel/debug/x86/pti_enabled ]; then
_debug "kpti disabled on command line : pti=off or nopti in /proc/cmdlin"
kpti_enabled=0
elif grep ^flags /proc/cpuinfo | grep -qw pti; then
# vanilla PTI patch sets the 'pti' flag in cpuinfo # vanilla PTI patch sets the 'pti' flag in cpuinfo
_debug "kpti_enabled: found 'pti' flag in /proc/cpuinfo" _debug "kpti_enabled: found 'pti' flag in /proc/cpuinfo"
kpti_enabled=1 kpti_enabled=1