peter/spectre-meltdown-checker
1
0
Fork 0
mirror of https://github.com/speed47/spectre-meltdown-checker.git synced 2026-06-19 04:53:02 +02:00
Code Issues Projects Releases Wiki Activity

enh: guard x86/arm specific checks in kernel/cpu for the proper arch

Browse Source
This commit is contained in:
Stéphane Lesimple
2026-04-10 18:37:32 +02:00
parent e110706df8
commit f7ba617e16
20 changed files with 874 additions and 693 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/vulns/CVE-2018-3639.sh
+6 -6
View File
@@ -24,13 +24,13 @@ check_CVE_2018_3639_linux() {
pr_debug "found Speculation.Store.Bypass: in $g_procfs/self/status"
fi
fi
# arm64 kernels can have cpu_show_spec_store_bypass with ARM64_SSBD, so exclude them
if [ -z "$kernel_ssb" ] && [ -n "$g_kernel" ] && ! is_arm64_kernel; then
# spec_store_bypass is x86-specific; ARM kernels use ARM64_SSBD instead
if [ -z "$kernel_ssb" ] && [ -n "$g_kernel" ] && is_x86_kernel; then
kernel_ssb=$("${opt_arch_prefix}strings" "$g_kernel" | grep spec_store_bypass | head -n1)
[ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in kernel"
fi
# arm64 kernels can have cpu_show_spec_store_bypass with ARM64_SSBD, so exclude them
if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && ! is_arm64_kernel; then
# spec_store_bypass is x86-specific; ARM kernels use ARM64_SSBD instead
if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && is_x86_kernel; then
kernel_ssb=$(grep spec_store_bypass "$opt_map" | awk '{print $3}' | head -n1)
[ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in System.map"
fi
@@ -121,7 +121,7 @@ check_CVE_2018_3639_linux() {
fi
else
if [ -n "$kernel_ssb" ]; then
if is_arm64_kernel; then
if is_arm_kernel; then
pvulnstatus "$cve" VULN "no SSB mitigation is active on your system"
explain "ARM CPUs mitigate SSB either through a hardware SSBS bit (ARMv8.5+ CPUs) or through firmware support for SMCCC ARCH_WORKAROUND_2. Your kernel reports SSB status but neither mechanism appears to be active. For CPUs predating ARMv8.5 (such as Cortex-A57 or Cortex-A72), check with your board or SoC vendor for a firmware update that provides SMCCC ARCH_WORKAROUND_2 support."
else
@@ -129,7 +129,7 @@ check_CVE_2018_3639_linux() {
explain "Your kernel is recent enough to use the CPU microcode features for mitigation, but your CPU microcode doesn't actually provide the necessary features for the kernel to use. The microcode of your CPU hence needs to be upgraded. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section)."
fi
else
if is_arm64_kernel; then
if is_arm_kernel; then
pvulnstatus "$cve" VULN "your kernel and firmware do not support SSB mitigation"
explain "ARM SSB mitigation requires kernel support (CONFIG_ARM64_SSBD) combined with either a hardware SSBS bit (ARMv8.5+ CPUs) or firmware support for SMCCC ARCH_WORKAROUND_2. Ensure you are running a recent kernel compiled with CONFIG_ARM64_SSBD. For CPUs predating ARMv8.5, also check with your board or SoC vendor for a firmware update providing SMCCC ARCH_WORKAROUND_2 support."
else