peter/spectre-meltdown-checker
1
0
Fork 0
mirror of https://github.com/speed47/spectre-meltdown-checker.git synced 2026-06-04 13:43:05 +02:00
Code Issues Projects Releases Wiki Activity

enh: guard x86/arm specific checks in kernel/cpu for the proper arch

Browse Source 
built from commit c64d4bb4810c26fa2798cb9ebcd94d3da1465ec3
 dated 2026-04-10 18:37:32 +0200
 by Stéphane Lesimple (speed47_github@speed47.net)
This commit is contained in:
github-actions[bot]
2026-04-10 16:40:49 +00:00
parent 83be8fd544
commit f587d9355e
1 changed files with 739 additions and 700 deletions
Download Patch File Download Diff File Expand all files Collapse all files
spectre-meltdown-checker.sh
+99 -60
View File
@@ -13,7 +13,7 @@
#
# Stephane Lesimple
#
VERSION='26.32.0408875'
VERSION='26.32.0410694'
# --- Common paths and basedirs ---
readonly VULN_SYSFS_BASE="/sys/devices/system/cpu/vulnerabilities"
@@ -3892,6 +3892,28 @@ is_intel() {
return 1
}
# Check whether the host CPU is x86/x86_64.
# Use this to gate CPUID, MSR, and microcode operations.
# Returns: 0 if x86, 1 otherwise
is_x86_cpu() {
parse_cpu_details
case "$cpu_vendor" in
GenuineIntel | AuthenticAMD | HygonGenuine | CentaurHauls | Shanghai) return 0 ;;
esac
return 1
}
# Check whether the host CPU is ARM/ARM64.
# Use this to gate ARM-specific hardware checks.
# Returns: 0 if ARM, 1 otherwise
is_arm_cpu() {
parse_cpu_details
case "$cpu_vendor" in
ARM | CAVIUM | PHYTIUM) return 0 ;;
esac
return 1
}
# Check whether SMT (HyperThreading) is enabled on the system
# Returns: 0 if SMT enabled, 1 otherwise
is_cpu_smt_enabled() {
@@ -5921,8 +5943,11 @@ check_mds_linux() {
fi
if [ "$opt_sysfs_only" != 1 ]; then
pr_info_nol "* Kernel supports using MD_CLEAR mitigation: "
# MDS is Intel-only; skip x86-specific kernel/cpuinfo checks on non-x86 kernels
kernel_md_clear=''
kernel_md_clear_can_tell=0
if is_x86_kernel; then
pr_info_nol "* Kernel supports using MD_CLEAR mitigation: "
kernel_md_clear_can_tell=1
if [ "$opt_runtime" = 1 ] && grep ^flags "$g_procfs/cpuinfo" | grep -qw md_clear; then
kernel_md_clear="md_clear found in $g_procfs/cpuinfo"
@@ -5965,6 +5990,7 @@ check_mds_linux() {
pstatus yellow NO
fi
fi
fi # is_x86_kernel
elif [ "$sys_interface_available" = 0 ]; then
# we have no sysfs but were asked to use it only!
msg="/sys vulnerability interface use forced, but it's not available!"
@@ -6161,8 +6187,11 @@ check_mmio_linux() {
fi
if [ "$opt_sysfs_only" != 1 ]; then
pr_info_nol "* Kernel supports MMIO Stale Data mitigation: "
# MMIO Stale Data is Intel-only; skip x86-specific kernel/MSR checks on non-x86 kernels
kernel_mmio=''
kernel_mmio_can_tell=0
if is_x86_kernel; then
pr_info_nol "* Kernel supports MMIO Stale Data mitigation: "
kernel_mmio_can_tell=1
if [ -n "$g_kernel_err" ]; then
kernel_mmio_can_tell=0
@@ -6216,6 +6245,7 @@ check_mmio_linux() {
pstatus yellow NO
fi
fi
fi # is_x86_kernel
elif [ "$sys_interface_available" = 0 ]; then
# we have no sysfs but were asked to use it only!
msg="/sys vulnerability interface use forced, but it's not available!"
@@ -6464,10 +6494,8 @@ check_CVE_0000_0001_linux() {
return
fi
# --- arm64: no kernel mitigation available ---
local _sls_arch
_sls_arch=$(uname -m 2>/dev/null || echo unknown)
if echo "$_sls_arch" | grep -qw 'aarch64'; then
# --- ARM: no kernel mitigation available ---
if is_arm_kernel; then
pvulnstatus "$cve" VULN "no kernel mitigation available for arm64 SLS (CVE-2020-13844)"
explain "Your ARM processor is affected by Straight-Line Speculation (CVE-2020-13844).\n" \
"GCC and Clang support -mharden-sls=all for aarch64, which inserts SB (Speculation Barrier)\n" \
@@ -6477,7 +6505,12 @@ check_CVE_0000_0001_linux() {
return
fi
# --- method 1: kernel config check (x86_64) ---
# --- x86: config check and binary heuristic ---
if ! is_x86_kernel; then
pvulnstatus "$cve" UNK "SLS mitigation detection not supported for this kernel architecture"
return
fi
local _sls_config=''
if [ -n "$opt_config" ] && [ -r "$opt_config" ]; then
pr_info_nol " * Kernel compiled with SLS mitigation: "
@@ -6851,6 +6884,10 @@ check_CVE_2017_5715_linux() {
v2_vuln_module=''
v2_is_autoibrs=0
# Mitigation 1 (IBRS/IBPB) and Mitigation 3 (sub-mitigations) are x86-only.
# On ARM64, only Mitigation 2 (branch predictor hardening) is relevant.
if is_x86_kernel; then
pr_info "* Mitigation 1"
g_ibrs_can_tell=0
@@ -7082,10 +7119,13 @@ check_CVE_2017_5715_linux() {
pstatus blue N/A "not testable in no-runtime mode"
fi
pr_info "* Mitigation 2"
pr_info_nol " * Kernel has branch predictor hardening (arm): "
fi # is_x86_kernel (Mitigation 1)
bp_harden_can_tell=0
bp_harden=''
if is_arm_kernel; then
pr_info "* Mitigation 2"
pr_info_nol " * Kernel has branch predictor hardening (arm): "
if [ -r "$opt_config" ]; then
bp_harden_can_tell=1
bp_harden=$(grep -w 'CONFIG_HARDEN_BRANCH_PREDICTOR=y' "$opt_config")
@@ -7109,6 +7149,9 @@ check_CVE_2017_5715_linux() {
pstatus yellow UNKNOWN
fi
fi
fi
if is_x86_kernel; then
pr_info_nol " * Kernel compiled with retpoline option: "
# We check the RETPOLINE kernel options
@@ -7477,6 +7520,8 @@ check_CVE_2017_5715_linux() {
fi
fi
fi # is_x86_kernel (retpoline + Mitigation 3)
elif [ "$sys_interface_available" = 0 ]; then
# we have no sysfs but were asked to use it only!
msg="/sys vulnerability interface use forced, but it's not available!"
@@ -7498,9 +7543,9 @@ check_CVE_2017_5715_linux() {
# ARM branch predictor hardening (unchanged)
if [ -n "$bp_harden" ]; then
pvulnstatus "$cve" OK "Branch predictor hardening mitigates the vulnerability"
elif [ -z "$bp_harden" ] && [ "$cpu_vendor" = ARM ]; then
elif [ -z "$bp_harden" ] && is_arm_kernel; then
pvulnstatus "$cve" VULN "Branch predictor hardening is needed to mitigate the vulnerability"
explain "Your kernel has not been compiled with the CONFIG_UNMAP_KERNEL_AT_EL0 option, recompile it with this option enabled."
explain "Your kernel does not have branch predictor hardening. On kernels v5.10+, this code is compiled unconditionally so you may need a newer kernel. On older kernels (v4.16 to v5.9), recompile with the CONFIG_HARDEN_BRANCH_PREDICTOR option enabled."
# LFENCE-only is always VULN (reclassified in v5.17)
elif [ "$v2_base_mode" = "lfence" ]; then
@@ -8297,7 +8342,10 @@ check_CVE_2017_5754_linux() {
pstatus blue N/A "not testable in no-runtime mode"
fi
# PCID/INVPCID are x86-only CPU features
if is_x86_cpu; then
pti_performance_check
fi
elif [ "$sys_interface_available" = 0 ]; then
# we have no sysfs but were asked to use it only!
@@ -8479,7 +8527,7 @@ check_CVE_2018_12207_linux() {
if [ -n "$g_kernel_err" ]; then
kernel_itlbmh_err="$g_kernel_err"
# commit 5219505fcbb640e273a0d51c19c38de0100ec5a9
elif grep -q 'itlb_multihit' "$g_kernel"; then
elif is_x86_kernel && grep -q 'itlb_multihit' "$g_kernel"; then
kernel_itlbmh="found itlb_multihit in kernel image"
fi
if [ -n "$kernel_itlbmh" ]; then
@@ -8749,13 +8797,13 @@ check_CVE_2018_3639_linux() {
pr_debug "found Speculation.Store.Bypass: in $g_procfs/self/status"
fi
fi
# arm64 kernels can have cpu_show_spec_store_bypass with ARM64_SSBD, so exclude them
if [ -z "$kernel_ssb" ] && [ -n "$g_kernel" ] && ! grep -q 'arm64_sys_' "$g_kernel"; then
# spec_store_bypass is x86-specific; ARM kernels use ARM64_SSBD instead
if [ -z "$kernel_ssb" ] && [ -n "$g_kernel" ] && is_x86_kernel; then
kernel_ssb=$("${opt_arch_prefix}strings" "$g_kernel" | grep spec_store_bypass | head -n1)
[ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in kernel"
fi
# arm64 kernels can have cpu_show_spec_store_bypass with ARM64_SSBD, so exclude them
if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && ! grep -q 'arm64_sys_' "$opt_map"; then
# spec_store_bypass is x86-specific; ARM kernels use ARM64_SSBD instead
if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && is_x86_kernel; then
kernel_ssb=$(grep spec_store_bypass "$opt_map" | awk '{print $3}' | head -n1)
[ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in System.map"
fi
@@ -8846,7 +8894,7 @@ check_CVE_2018_3639_linux() {
fi
else
if [ -n "$kernel_ssb" ]; then
if [ "$cpu_vendor" = ARM ] || [ "$cpu_vendor" = CAVIUM ] || [ "$cpu_vendor" = PHYTIUM ]; then
if is_arm_kernel; then
pvulnstatus "$cve" VULN "no SSB mitigation is active on your system"
explain "ARM CPUs mitigate SSB either through a hardware SSBS bit (ARMv8.5+ CPUs) or through firmware support for SMCCC ARCH_WORKAROUND_2. Your kernel reports SSB status but neither mechanism appears to be active. For CPUs predating ARMv8.5 (such as Cortex-A57 or Cortex-A72), check with your board or SoC vendor for a firmware update that provides SMCCC ARCH_WORKAROUND_2 support."
else
@@ -8854,7 +8902,7 @@ check_CVE_2018_3639_linux() {
explain "Your kernel is recent enough to use the CPU microcode features for mitigation, but your CPU microcode doesn't actually provide the necessary features for the kernel to use. The microcode of your CPU hence needs to be upgraded. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section)."
fi
else
if [ "$cpu_vendor" = ARM ] || [ "$cpu_vendor" = CAVIUM ] || [ "$cpu_vendor" = PHYTIUM ]; then
if is_arm_kernel; then
pvulnstatus "$cve" VULN "your kernel and firmware do not support SSB mitigation"
explain "ARM SSB mitigation requires kernel support (CONFIG_ARM64_SSBD) combined with either a hardware SSBS bit (ARMv8.5+ CPUs) or firmware support for SMCCC ARCH_WORKAROUND_2. Ensure you are running a recent kernel compiled with CONFIG_ARM64_SSBD. For CPUs predating ARMv8.5, also check with your board or SoC vendor for a firmware update providing SMCCC ARCH_WORKAROUND_2 support."
else
@@ -8926,7 +8974,7 @@ check_CVE_2018_3639_bsd() {
# CVE-2018-3640, Variant 3a, Rogue System Register Read
check_CVE_2018_3640() {
local status sys_interface_available msg cve is_arm64_kernel arm_v3a_mitigation
local status sys_interface_available msg cve arm_v3a_mitigation
cve='CVE-2018-3640'
pr_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
@@ -8934,21 +8982,7 @@ check_CVE_2018_3640() {
sys_interface_available=0
msg=''
# Detect whether the target kernel is ARM64, for both live and no-runtime modes.
# In no-runtime cross-inspection (x86 host, ARM kernel), cpu_vendor reflects the host,
# so also check for arm64_sys_ symbols (same pattern used in CVE-2018-3639).
is_arm64_kernel=0
if [ "$cpu_vendor" = ARM ] || [ "$cpu_vendor" = CAVIUM ] || [ "$cpu_vendor" = PHYTIUM ]; then
is_arm64_kernel=1
elif [ -n "$opt_map" ] && grep -q 'arm64_sys_' "$opt_map" 2>/dev/null; then
is_arm64_kernel=1
elif [ -n "$g_kernel" ] && grep -q 'arm64_sys_' "$g_kernel" 2>/dev/null; then
is_arm64_kernel=1
elif [ -n "$opt_config" ] && grep -qw 'CONFIG_ARM64=y' "$opt_config" 2>/dev/null; then
is_arm64_kernel=1
fi
if [ "$is_arm64_kernel" = 1 ]; then
if is_arm_kernel; then
# ARM64: mitigation is via an EL2 indirect trampoline (spectre_v3a_enable_mitigation),
# applied automatically at boot for affected CPUs (Cortex-A57, Cortex-A72).
# No microcode update is involved.
@@ -9305,7 +9339,7 @@ check_CVE_2019_11135_linux() {
kernel_taa=''
if [ -n "$g_kernel_err" ]; then
kernel_taa_err="$g_kernel_err"
elif grep -q 'tsx_async_abort' "$g_kernel"; then
elif is_x86_kernel && grep -q 'tsx_async_abort' "$g_kernel"; then
kernel_taa="found tsx_async_abort in kernel image"
fi
if [ -n "$kernel_taa" ]; then
@@ -9460,7 +9494,7 @@ check_CVE_2020_0543_linux() {
kernel_srbds=''
if [ -n "$g_kernel_err" ]; then
kernel_srbds_err="$g_kernel_err"
elif grep -q 'Dependent on hypervisor' "$g_kernel"; then
elif is_x86_kernel && grep -q 'Dependent on hypervisor' "$g_kernel"; then
kernel_srbds="found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation"
fi
if [ -n "$kernel_srbds" ]; then
@@ -10153,17 +10187,17 @@ check_CVE_2022_40982_linux() {
kernel_gds_err=''
if [ -n "$g_kernel_err" ]; then
kernel_gds_err="$g_kernel_err"
elif grep -q 'gather_data_sampling' "$g_kernel"; then
elif is_x86_kernel && grep -q 'gather_data_sampling' "$g_kernel"; then
kernel_gds="found gather_data_sampling in kernel image"
fi
if [ -z "$kernel_gds" ] && [ -r "$opt_config" ]; then
if [ -z "$kernel_gds" ] && is_x86_kernel && [ -r "$opt_config" ]; then
if grep -q '^CONFIG_GDS_FORCE_MITIGATION=y' "$opt_config" ||
grep -q '^CONFIG_MITIGATION_GDS_FORCE=y' "$opt_config" ||
grep -q '^CONFIG_MITIGATION_GDS=y' "$opt_config"; then
kernel_gds="GDS mitigation config option found enabled in kernel config"
fi
fi
if [ -z "$kernel_gds" ] && [ -n "$opt_map" ]; then
if [ -z "$kernel_gds" ] && is_x86_kernel && [ -n "$opt_map" ]; then
if grep -q 'gds_select_mitigation' "$opt_map"; then
kernel_gds="found gds_select_mitigation in System.map"
fi
@@ -10186,10 +10220,10 @@ check_CVE_2022_40982_linux() {
if [ "$dmesgret" -eq 0 ]; then
kernel_avx_disabled="AVX disabled by the kernel (dmesg)"
pstatus green YES "$kernel_avx_disabled"
elif [ "$cap_avx2" = 0 ]; then
elif [ "$cap_avx2" = 0 ] && is_x86_cpu; then
# Find out by ourselves
# cpuinfo says we don't have AVX2, query
# the CPU directly about AVX2 support
# the CPU directly about AVX2 support (x86-only)
read_cpuid 0x7 0x0 "$EBX" 5 1 1
ret=$?
if [ "$ret" -eq "$READ_CPUID_RET_OK" ]; then
@@ -10600,10 +10634,10 @@ check_CVE_2023_20588_linux() {
kernel_mitigated=''
if [ -n "$g_kernel_err" ]; then
pstatus yellow UNKNOWN "$g_kernel_err"
elif grep -q 'amd_clear_divider' "$g_kernel"; then
elif is_x86_kernel && grep -q 'amd_clear_divider' "$g_kernel"; then
kernel_mitigated="found amd_clear_divider in kernel image"
pstatus green YES "$kernel_mitigated"
elif [ -n "$opt_map" ] && grep -q 'amd_clear_divider' "$opt_map"; then
elif is_x86_kernel && [ -n "$opt_map" ] && grep -q 'amd_clear_divider' "$opt_map"; then
kernel_mitigated="found amd_clear_divider in System.map"
pstatus green YES "$kernel_mitigated"
else
@@ -10998,17 +11032,17 @@ check_CVE_2023_28746_linux() {
kernel_rfds_err=''
if [ -n "$g_kernel_err" ]; then
kernel_rfds_err="$g_kernel_err"
elif grep -q 'Clear Register File' "$g_kernel"; then
elif is_x86_kernel && grep -q 'Clear Register File' "$g_kernel"; then
kernel_rfds="found 'Clear Register File' string in kernel image"
elif grep -q 'reg_file_data_sampling' "$g_kernel"; then
elif is_x86_kernel && grep -q 'reg_file_data_sampling' "$g_kernel"; then
kernel_rfds="found reg_file_data_sampling in kernel image"
fi
if [ -z "$kernel_rfds" ] && [ -r "$opt_config" ]; then
if [ -z "$kernel_rfds" ] && is_x86_kernel && [ -r "$opt_config" ]; then
if grep -q '^CONFIG_MITIGATION_RFDS=y' "$opt_config"; then
kernel_rfds="RFDS mitigation config option found enabled in kernel config"
fi
fi
if [ -z "$kernel_rfds" ] && [ -n "$opt_map" ]; then
if [ -z "$kernel_rfds" ] && is_x86_kernel && [ -n "$opt_map" ]; then
if grep -q 'rfds_select_mitigation' "$opt_map"; then
kernel_rfds="found rfds_select_mitigation in System.map"
fi
@@ -11183,15 +11217,15 @@ check_CVE_2024_28956_linux() {
kernel_its_err=''
if [ -n "$g_kernel_err" ]; then
kernel_its_err="$g_kernel_err"
elif grep -q 'indirect_target_selection' "$g_kernel"; then
elif is_x86_kernel && grep -q 'indirect_target_selection' "$g_kernel"; then
kernel_its="found indirect_target_selection in kernel image"
fi
if [ -z "$kernel_its" ] && [ -r "$opt_config" ]; then
if [ -z "$kernel_its" ] && is_x86_kernel && [ -r "$opt_config" ]; then
if grep -q '^CONFIG_MITIGATION_ITS=y' "$opt_config"; then
kernel_its="ITS mitigation config option found enabled in kernel config"
fi
fi
if [ -z "$kernel_its" ] && [ -n "$opt_map" ]; then
if [ -z "$kernel_its" ] && is_x86_kernel && [ -n "$opt_map" ]; then
if grep -q 'its_select_mitigation' "$opt_map"; then
kernel_its="found its_select_mitigation in System.map"
fi
@@ -11329,15 +11363,15 @@ check_CVE_2024_36350_linux() {
if [ -n "$g_kernel_err" ]; then
kernel_tsa_err="$g_kernel_err"
# commit d8010d4ba43e: "Transient Scheduler Attacks:" is printed by tsa_select_mitigation()
elif grep -q 'Transient Scheduler Attacks' "$g_kernel"; then
elif is_x86_kernel && grep -q 'Transient Scheduler Attacks' "$g_kernel"; then
kernel_tsa="found TSA mitigation message in kernel image"
fi
if [ -z "$kernel_tsa" ] && [ -r "$opt_config" ]; then
if [ -z "$kernel_tsa" ] && is_x86_kernel && [ -r "$opt_config" ]; then
if grep -q '^CONFIG_MITIGATION_TSA=y' "$opt_config"; then
kernel_tsa="CONFIG_MITIGATION_TSA=y found in kernel config"
fi
fi
if [ -z "$kernel_tsa" ] && [ -n "$opt_map" ]; then
if [ -z "$kernel_tsa" ] && is_x86_kernel && [ -n "$opt_map" ]; then
if grep -q 'tsa_select_mitigation' "$opt_map"; then
kernel_tsa="found tsa_select_mitigation in System.map"
fi
@@ -11508,15 +11542,15 @@ check_CVE_2024_36357_linux() {
if [ -n "$g_kernel_err" ]; then
kernel_tsa_err="$g_kernel_err"
# commit d8010d4ba43e: "Transient Scheduler Attacks:" is printed by tsa_select_mitigation()
elif grep -q 'Transient Scheduler Attacks' "$g_kernel"; then
elif is_x86_kernel && grep -q 'Transient Scheduler Attacks' "$g_kernel"; then
kernel_tsa="found TSA mitigation message in kernel image"
fi
if [ -z "$kernel_tsa" ] && [ -r "$opt_config" ]; then
if [ -z "$kernel_tsa" ] && is_x86_kernel && [ -r "$opt_config" ]; then
if grep -q '^CONFIG_MITIGATION_TSA=y' "$opt_config"; then
kernel_tsa="CONFIG_MITIGATION_TSA=y found in kernel config"
fi
fi
if [ -z "$kernel_tsa" ] && [ -n "$opt_map" ]; then
if [ -z "$kernel_tsa" ] && is_x86_kernel && [ -n "$opt_map" ]; then
if grep -q 'tsa_select_mitigation' "$opt_map"; then
kernel_tsa="found tsa_select_mitigation in System.map"
fi
@@ -11752,15 +11786,15 @@ check_CVE_2025_40300_linux() {
kernel_vmscape_err=''
if [ -n "$g_kernel_err" ]; then
kernel_vmscape_err="$g_kernel_err"
elif grep -q 'vmscape' "$g_kernel"; then
elif is_x86_kernel && grep -q 'vmscape' "$g_kernel"; then
kernel_vmscape="found vmscape in kernel image"
fi
if [ -z "$kernel_vmscape" ] && [ -r "$opt_config" ]; then
if [ -z "$kernel_vmscape" ] && is_x86_kernel && [ -r "$opt_config" ]; then
if grep -q '^CONFIG_MITIGATION_VMSCAPE=y' "$opt_config"; then
kernel_vmscape="VMScape mitigation config option found enabled in kernel config"
fi
fi
if [ -z "$kernel_vmscape" ] && [ -n "$opt_map" ]; then
if [ -z "$kernel_vmscape" ] && is_x86_kernel && [ -n "$opt_map" ]; then
if grep -q 'vmscape_select_mitigation' "$opt_map"; then
kernel_vmscape="found vmscape_select_mitigation in System.map"
fi
@@ -11819,6 +11853,11 @@ check_CVE_2025_40300_bsd() {
check_kernel_info
# Detect arch mismatch between host CPU and target kernel (e.g. x86 host
# inspecting an ARM kernel): force no-hw mode so CPUID/MSR/sysfs reads
# from the host don't pollute the results.
check_kernel_cpu_arch_mismatch
# Build JSON meta and system sections early (after kernel info is resolved)
if [ "$opt_batch" = 1 ] && [ "$opt_batch_format" = "json" ]; then
_build_json_meta