peter/spectre-meltdown-checker
1
0
Fork 0
mirror of https://github.com/speed47/spectre-meltdown-checker.git synced 2025-10-31 20:50:55 +01:00
Code Issues Projects Releases Wiki Activity

enh: rework the vuln logic of MDS with --paranoid (fixes #307)

Browse Source
This commit is contained in:
Stéphane Lesimple
2019-09-22 04:02:22 +02:00
parent cc224c0522
commit f5ec320fe5
1 changed files with 45 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

74
spectre-meltdown-checker.sh
View File

@@ -4535,9 +4535,9 @@ check_mds_linux()
sys_interface_available=0 sys_interface_available=0
msg='' msg=''
if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/mds" '^[^;]+'; then if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/mds" '^[^;]+'; then
# this kernel has the /sys interface, trust it over everything
sys_interface_available=1 sys_interface_available=1
fi fi
if [ "$opt_sysfs_only" != 1 ]; then if [ "$opt_sysfs_only" != 1 ]; then
_info_nol "* Kernel supports using MD_CLEAR mitigation: " _info_nol "* Kernel supports using MD_CLEAR mitigation: "
kernel_md_clear='' kernel_md_clear=''
@@ -4592,44 +4592,60 @@ check_mds_linux()
if ! is_cpu_vulnerable "$cve"; then if ! is_cpu_vulnerable "$cve"; then
# override status & msg in case CPU is not vulnerable after all # override status & msg in case CPU is not vulnerable after all
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not vulnerable" pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not vulnerable"
elif [ -z "$msg" ]; then else
# if msg is empty, sysfs check didn't fill it, rely on our own test if [ "$opt_sysfs_only" != 1 ]; then
if [ "$cpuid_md_clear" = 1 ]; then # compute mystatus and mymsg from our own logic
if [ -n "$kernel_md_clear" ]; then if [ "$cpuid_md_clear" = 1 ]; then
if [ "$opt_live" = 1 ]; then if [ -n "$kernel_md_clear" ]; then
# mitigation must also be enabled if [ "$opt_live" = 1 ]; then
if [ "$mds_mitigated" = 1 ]; then # mitigation must also be enabled
if [ "$opt_paranoid" != 1 ] || [ "$mds_smt_mitigated" = 1 ]; then if [ "$mds_mitigated" = 1 ]; then
pvulnstatus "$cve" OK "Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled" if [ "$opt_paranoid" != 1 ] || [ "$mds_smt_mitigated" = 1 ]; then
mystatus=OK
mymsg="Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled"
else
mystatus=VULN
mymsg="Your microcode and kernel are both up to date for this mitigation, but your must disable SMT (Hyper-Threading) for a complete mitigation"
fi
else else
pvulnstatus "$cve" VULN "Your microcode and kernel are both up to date for this mitigation, but your must disable SMT (Hyper-Threading) for a complete mitigation" mystatus=VULN
mymsg="Your microcode and kernel are both up to date for this mitigation, but the mitigation is not active"
fi fi
else else
pvulnstatus "$cve" VULN "Your microcode and kernel are both up to date for this mitigation, but the mitigation is not active" mystatus=OK
mymsg="Your microcode and kernel are both up to date for this mitigation"
fi fi
else else
pvulnstatus "$cve" OK "Your microcode and kernel are both up to date for this mitigation" mystatus=VULN
mymsg="Your microcode supports mitigation, but your kernel doesn't, upgrade it to mitigate the vulnerability"
fi fi
else else
pvulnstatus "$cve" VULN "Your microcode supports mitigation, but your kernel doesn't, upgrade it to mitigate the vulnerability" if [ -n "$kernel_md_clear" ]; then
fi mystatus=VULN
else mymsg="Your kernel supports mitigation, but your CPU microcode also needs to be updated to mitigate the vulnerability"
if [ -n "$kernel_md_clear" ]; then else
pvulnstatus "$cve" VULN "Your kernel supports mitigation, but your CPU microcode also needs to be updated to mitigate the vulnerability" mystatus=VULN
else mymsg="Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability"
pvulnstatus "$cve" VULN "Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability" fi
fi
fi
else
if [ "$opt_paranoid" = 1 ]; then
# in paranoid mode, we don't only need microcode + kernel update, we also want SMT mitigation
if echo "$fullmsg" | grep -qF -e 'SMT mitigated' -e 'SMT disabled'; then
pvulnstatus "$cve" OK "$fullmsg"
else
pvulnstatus "$cve" VULN "Your kernel and microcode partially mitigate the vulnerability, but you must disable SMT (Hyper-Threading) for a complete mitigation"
fi fi
else else
# sysfs only: return the status/msg we got
pvulnstatus "$cve" "$status" "$fullmsg" pvulnstatus "$cve" "$status" "$fullmsg"
return
fi
# if we didn't get a msg+status from sysfs, use ours
if [ -z "$msg" ]; then
pvulnstatus "$cve" "$mystatus" "$mymsg"
elif [ "$opt_paranoid" = 1 ]; then
# if paranoid mode is enabled, we now that we won't agree on status, so take ours
pvulnstatus "$cve" "$mystatus" "$mymsg"
elif [ "$status" = "$mystatus" ]; then
# if we agree on status, we'll print the common status and our message (more detailed than the sysfs one)
pvulnstatus "$cve" "$status" "$mymsg"
else
# if we don't agree on status, maybe our logic is flawed due to a new kernel/mitigation? use the one from sysfs
pvulnstatus "$cve" "$status" "$msg"
fi fi
fi fi
} }