peter/spectre-meltdown-checker
1
0
Fork 0
mirror of https://github.com/speed47/spectre-meltdown-checker.git synced 2026-04-11 11:13:21 +02:00
Code Issues Projects Releases Wiki Activity

enh: guard x86/arm specific checks in kernel/cpu for the proper arch

Browse Source
This commit is contained in:
Stéphane Lesimple
2026-04-10 18:37:32 +02:00
parent e110706df8
commit f7ba617e16
20 changed files with 874 additions and 693 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
DEVELOPMENT.md
View File

@@ -105,7 +105,8 @@ The entire tool is a single bash script with no external script dependencies. Ke
- **Output/logging functions** (~line 253): `pr_warn`, `pr_info`, `pr_verbose`, `pr_debug`, `explain`, `pstatus`, `pvulnstatus` - verbosity-aware output with color support - **Output/logging functions** (~line 253): `pr_warn`, `pr_info`, `pr_verbose`, `pr_debug`, `explain`, `pstatus`, `pvulnstatus` - verbosity-aware output with color support
- **CPU detection** (~line 2171): `parse_cpu_details`, `is_intel`/`is_amd`/`is_hygon`, `read_cpuid`, `read_msr`, `is_cpu_smt_enabled` - hardware identification via CPUID/MSR registers - **CPU detection** (~line 2171): `parse_cpu_details`, `is_intel`/`is_amd`/`is_hygon`, `read_cpuid`, `read_msr`, `is_cpu_smt_enabled` - hardware identification via CPUID/MSR registers
- **Kernel architecture detection** (`src/libs/365_kernel_arch.sh`): `is_arm64_kernel`/`is_x86_kernel` - detects the target kernel's architecture (not the host CPU) using kernel artifacts (System.map symbols, kconfig, kernel image), with `cpu_vendor` as a fast path for live mode. Results are cached in `g_kernel_arch`. Use these helpers to guard arch-specific kernel/kconfig/System.map checks and to select the appropriate verdict messages - **Kernel architecture detection** (`src/libs/365_kernel_arch.sh`): `is_arm_kernel`/`is_x86_kernel` - detects the target kernel's architecture (not the host CPU) using kernel artifacts (System.map symbols, kconfig, kernel image), with `cpu_vendor` as a fast path for live mode. Results are cached in `g_kernel_arch`. Use these helpers to guard arch-specific kernel/kconfig/System.map checks and to select the appropriate verdict messages
- **CPU architecture detection** (`src/libs/360_cpu_smt.sh`): `is_x86_cpu`/`is_arm_cpu` - detects the host CPU's architecture via `cpu_vendor`. Use these to gate hardware operations (CPUID, MSR, microcode). Always use positive logic: `if is_x86_cpu` (not `if ! is_arm_cpu`)
- **Microcode database** (embedded): Intel/AMD microcode version lookup via `read_mcedb`/`read_inteldb`; updated automatically via `.github/workflows/autoupdate.yml` - **Microcode database** (embedded): Intel/AMD microcode version lookup via `read_mcedb`/`read_inteldb`; updated automatically via `.github/workflows/autoupdate.yml`
- **Kernel analysis** (~line 1568): `extract_kernel`, `try_decompress` - extracts and inspects kernel images (handles gzip, bzip2, xz, lz4, zstd compression) - **Kernel analysis** (~line 1568): `extract_kernel`, `try_decompress` - extracts and inspects kernel images (handles gzip, bzip2, xz, lz4, zstd compression)
- **Vulnerability checks**: 19 `check_CVE_<year>_<number>()` functions, each with `_linux()` and `_bsd()` variants. Uses whitelist logic (assumes affected unless proven otherwise) - **Vulnerability checks**: 19 `check_CVE_<year>_<number>()` functions, each with `_linux()` and `_bsd()` variants. Uses whitelist logic (assumes affected unless proven otherwise)
@@ -391,18 +392,30 @@ This is where the real detection lives. Check for mitigations at each layer:
Each source may independently be unavailable (no-runtime mode without the file, or stripped kernel), so check all that are present. A match in any one confirms kernel support. Each source may independently be unavailable (no-runtime mode without the file, or stripped kernel), so check all that are present. A match in any one confirms kernel support.
**Architecture awareness:** Kernel symbols, kconfig options, and kernel-image strings are architecture-specific. An x86 host may be inspecting an ARM64 kernel (or vice versa) in offline mode, so always guard arch-specific checks with `is_arm64_kernel` or `is_x86_kernel` from `src/libs/365_kernel_arch.sh`. This prevents searching for irrelevant strings (e.g. x86 `spec_store_bypass` in an ARM64 kernel image) and ensures verdict messages and `explain` text match the target architecture (e.g. "update CPU microcode" for x86 vs "update firmware for SMCCC ARCH_WORKAROUND_2" for ARM). Example: **Architecture awareness:** Kernel symbols, kconfig options, and kernel-image strings are architecture-specific. An x86 host may be inspecting an ARM kernel (or vice versa) in offline mode, so always use positive-logic arch guards from `src/libs/365_kernel_arch.sh` and `src/libs/360_cpu_smt.sh`. This prevents searching for irrelevant strings (e.g. x86 `spec_store_bypass` in an ARM kernel image) and ensures verdict messages and `explain` text match the target architecture (e.g. "update CPU microcode" for x86 vs "update firmware for SMCCC ARCH_WORKAROUND_2" for ARM).
Use **positive logic** — always `if is_x86_kernel` (not `if ! is_arm_kernel`) and `if is_x86_cpu` (not `if ! is_arm_cpu`). This ensures unknown architectures (MIPS, RISC-V, PowerPC) are handled safely by defaulting to "skip" rather than "execute."
Two sets of helpers serve different purposes:
- **`is_x86_kernel`/`is_arm_kernel`**: Gate kernel artifact checks (kernel image strings, kconfig, System.map).
- **`is_x86_cpu`/`is_arm_cpu`**: Gate hardware operations (CPUID, MSR, `/proc/cpuinfo` flags).
Example:
```sh ```sh
# x86-specific kernel image search: skip on ARM64 kernels # x86-specific kernel image search
if [ -n "$g_kernel" ] && ! is_arm64_kernel; then if [ -n "$g_kernel" ] && is_x86_kernel; then
mitigation=$("${opt_arch_prefix}strings" "$g_kernel" | grep x86_specific_string) mitigation=$("${opt_arch_prefix}strings" "$g_kernel" | grep x86_specific_string)
fi fi
# ARM64-specific System.map search: skip on x86 kernels # ARM-specific System.map search
if [ -n "$opt_map" ] && is_arm64_kernel; then if [ -n "$opt_map" ] && is_arm_kernel; then
mitigation=$(grep -w arm64_mitigation_function "$opt_map") mitigation=$(grep -w arm_mitigation_function "$opt_map")
fi
# x86-specific hardware read
if is_x86_cpu; then
read_cpuid 0x7 0x0 "$EDX" 26 1 1
fi fi
``` ```
The same applies to Phase 4 verdict messages: when the explanation or remediation advice differs between architectures (e.g. "CPU microcode update" vs "firmware/kernel update"), branch on `is_arm64_kernel`/`is_x86_kernel` rather than on `cpu_vendor`, because `cpu_vendor` reflects the host, not the target kernel. The same applies to Phase 4 verdict messages: when the explanation or remediation advice differs between architectures (e.g. "CPU microcode update" vs "firmware/kernel update"), branch on `is_arm_kernel`/`is_x86_kernel` rather than on `cpu_vendor`, because `cpu_vendor` reflects the host, not the target kernel.
- **Runtime state** (live mode only): Read MSRs, check cpuinfo flags, parse dmesg, inspect debugfs. All runtime-only checks — including `/proc/cpuinfo` flags — must be guarded by `if [ "$opt_runtime" = 1 ]`, both when collecting the evidence in Phase 2 and when using it in Phase 4. In Phase 4, use explicit live/no-runtime branches so that live-only variables (e.g. cpuinfo flags, MSR values) are never referenced in the no-runtime path. - **Runtime state** (live mode only): Read MSRs, check cpuinfo flags, parse dmesg, inspect debugfs. All runtime-only checks — including `/proc/cpuinfo` flags — must be guarded by `if [ "$opt_runtime" = 1 ]`, both when collecting the evidence in Phase 2 and when using it in Phase 4. In Phase 4, use explicit live/no-runtime branches so that live-only variables (e.g. cpuinfo flags, MSR values) are never referenced in the no-runtime path.
```sh ```sh
@@ -803,7 +816,7 @@ CVEs that need VMM context should call `check_has_vmm` early in their `_linux()`
- **Handle `--paranoid` and `--vmm`** when the CVE has stricter mitigation tiers or VMM-specific aspects (see "Cross-Cutting Features" above). - **Handle `--paranoid` and `--vmm`** when the CVE has stricter mitigation tiers or VMM-specific aspects (see "Cross-Cutting Features" above).
- **Keep JSON output in sync** - when adding new `cap_*` variables, add them to `_build_json_cpu()` in `src/libs/250_output_emitters.sh` (see Step 2 JSON note above). Per-CVE fields are handled automatically. - **Keep JSON output in sync** - when adding new `cap_*` variables, add them to `_build_json_cpu()` in `src/libs/250_output_emitters.sh` (see Step 2 JSON note above). Per-CVE fields are handled automatically.
- **All indentation must use 4 spaces** (CI enforces this via `fmt-check`; the vim modeline `et` enables expandtab). - **All indentation must use 4 spaces** (CI enforces this via `fmt-check`; the vim modeline `et` enables expandtab).
- **Guard arch-specific checks with `is_arm64_kernel`/`is_x86_kernel`** - kernel image strings, kconfig symbols, and System.map functions are architecture-specific. Use the helpers from `src/libs/365_kernel_arch.sh` to avoid searching for irrelevant symbols and to select correct verdict messages. Never use `cpu_vendor` to branch on architecture in Phase 2/4 — it reflects the host, not the target kernel being inspected. - **Guard arch-specific checks with positive logic** — use `is_x86_kernel`/`is_arm_kernel` for kernel artifact checks, `is_x86_cpu`/`is_arm_cpu` for hardware operations. Always use positive form (`if is_x86_cpu`, not `if ! is_arm_cpu`) so unknown architectures default to "skip." Never use `cpu_vendor` to branch on architecture in Phase 2/4 — it reflects the host, not the target kernel being inspected.
- **Stay POSIX-compatible** - no bashisms, no GNU-only flags in portable code paths. - **Stay POSIX-compatible** - no bashisms, no GNU-only flags in portable code paths.
## Function documentation headers ## Function documentation headers

22
src/libs/360_cpu_smt.sh
View File

@@ -21,6 +21,28 @@ is_intel() {
return 1 return 1
} }
# Check whether the host CPU is x86/x86_64.
# Use this to gate CPUID, MSR, and microcode operations.
# Returns: 0 if x86, 1 otherwise
is_x86_cpu() {
parse_cpu_details
case "$cpu_vendor" in
GenuineIntel | AuthenticAMD | HygonGenuine | CentaurHauls | Shanghai) return 0 ;;
esac
return 1
}
# Check whether the host CPU is ARM/ARM64.
# Use this to gate ARM-specific hardware checks.
# Returns: 0 if ARM, 1 otherwise
is_arm_cpu() {
parse_cpu_details
case "$cpu_vendor" in
ARM | CAVIUM | PHYTIUM) return 0 ;;
esac
return 1
}
# Check whether SMT (HyperThreading) is enabled on the system # Check whether SMT (HyperThreading) is enabled on the system
# Returns: 0 if SMT enabled, 1 otherwise # Returns: 0 if SMT enabled, 1 otherwise
is_cpu_smt_enabled() { is_cpu_smt_enabled() {

120
src/libs/365_kernel_arch.sh Normal file
View File

@@ -0,0 +1,120 @@
# vim: set ts=4 sw=4 sts=4 et:
###############################
# Kernel architecture detection helpers.
# Detects the target kernel's architecture regardless of the host system,
# enabling correct behavior in offline cross-inspection (e.g. x86 host
# analyzing an ARM kernel image or System.map).
# Global cache; populated by _detect_kernel_arch on first call.
# Values: 'arm', 'x86', 'unknown'
g_kernel_arch=''
# Internal: populate g_kernel_arch using all available information sources,
# in order from most to least reliable.
_detect_kernel_arch() {
# Return immediately if already detected
[ -n "$g_kernel_arch" ] && return 0
# arm64_sys_ is the ARM64 syscall table symbol prefix; present in any
# ARM64 System.map (or /proc/kallsyms) and in the kernel image itself.
# sys_call_table + vector_swi is the ARM (32-bit) equivalent.
if [ -n "$opt_map" ]; then
if grep -q 'arm64_sys_' "$opt_map" 2>/dev/null; then
g_kernel_arch='arm'
return 0
fi
if grep -q ' vector_swi$' "$opt_map" 2>/dev/null; then
g_kernel_arch='arm'
return 0
fi
fi
if [ -n "$g_kernel" ]; then
if grep -q 'arm64_sys_' "$g_kernel" 2>/dev/null; then
g_kernel_arch='arm'
return 0
fi
fi
# Kconfig is definitive when available
if [ -n "$opt_config" ]; then
if grep -qE '^CONFIG_(ARM64|ARM)=y' "$opt_config" 2>/dev/null; then
g_kernel_arch='arm'
return 0
fi
if grep -qE '^CONFIG_X86(_64)?=y' "$opt_config" 2>/dev/null; then
g_kernel_arch='x86'
return 0
fi
fi
# Cross-compilation prefix as a last resort (e.g. --arch-prefix aarch64-linux-gnu-)
case "${opt_arch_prefix:-}" in
aarch64-* | arm64-* | arm-* | armv*-)
g_kernel_arch='arm'
return 0
;;
x86_64-* | i686-* | i?86-*)
g_kernel_arch='x86'
return 0
;;
esac
# Last resort: if no artifacts identified the arch, assume the target
# kernel matches the host CPU. This covers live mode when no kernel
# image, config, or System.map is available.
if is_x86_cpu; then
g_kernel_arch='x86'
return 0
fi
if is_arm_cpu; then
g_kernel_arch='arm'
return 0
fi
g_kernel_arch='unknown'
return 0
}
# Return 0 (true) if the target kernel is ARM (32 or 64-bit), 1 otherwise.
is_arm_kernel() {
_detect_kernel_arch
[ "$g_kernel_arch" = 'arm' ]
}
# Return 0 (true) if the target kernel is x86/x86_64, 1 otherwise.
is_x86_kernel() {
_detect_kernel_arch
[ "$g_kernel_arch" = 'x86' ]
}
# Compare the target kernel's architecture against the host CPU.
# If they differ, hardware reads (CPUID, MSR, sysfs) would reflect the host,
# not the target kernel — force no-hw mode to avoid misleading results.
# Sets: g_mode (when mismatch detected)
# Callers: src/main.sh (after check_kernel_info, before check_cpu)
check_kernel_cpu_arch_mismatch() {
local host_arch
_detect_kernel_arch
host_arch='unknown'
if is_x86_cpu; then
host_arch='x86'
elif is_arm_cpu; then
host_arch='arm'
fi
# Unsupported CPU architecture (MIPS, RISC-V, PowerPC, ...): force no-hw
# since we have no hardware-level checks for these platforms
if [ "$host_arch" = 'unknown' ]; then
pr_warn "Unsupported CPU architecture (vendor: $cpu_vendor), forcing no-hw mode"
g_mode='no-hw'
return 0
fi
# If kernel arch is unknown, we can't tell if there's a mismatch
[ "$g_kernel_arch" = 'unknown' ] && return 0
[ "$host_arch" = "$g_kernel_arch" ] && return 0
pr_warn "Target kernel architecture ($g_kernel_arch) differs from host CPU ($host_arch), forcing no-hw mode"
g_mode='no-hw'
}

80
src/vulns-helpers/check_mds.sh
View File

@@ -132,50 +132,54 @@ check_mds_linux() {
fi fi
if [ "$opt_sysfs_only" != 1 ]; then if [ "$opt_sysfs_only" != 1 ]; then
pr_info_nol "* Kernel supports using MD_CLEAR mitigation: " # MDS is Intel-only; skip x86-specific kernel/cpuinfo checks on non-x86 kernels
kernel_md_clear='' kernel_md_clear=''
kernel_md_clear_can_tell=1 kernel_md_clear_can_tell=0
if [ "$opt_runtime" = 1 ] && grep ^flags "$g_procfs/cpuinfo" | grep -qw md_clear; then if is_x86_kernel; then
kernel_md_clear="md_clear found in $g_procfs/cpuinfo" pr_info_nol "* Kernel supports using MD_CLEAR mitigation: "
pstatus green YES "$kernel_md_clear" kernel_md_clear_can_tell=1
fi if [ "$opt_runtime" = 1 ] && grep ^flags "$g_procfs/cpuinfo" | grep -qw md_clear; then
if [ -z "$kernel_md_clear" ]; then kernel_md_clear="md_clear found in $g_procfs/cpuinfo"
if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
kernel_md_clear_can_tell=0
elif [ -n "$g_kernel_err" ]; then
kernel_md_clear_can_tell=0
elif "${opt_arch_prefix}strings" "$g_kernel" | grep -q 'Clear CPU buffers'; then
pr_debug "md_clear: found 'Clear CPU buffers' string in kernel image"
kernel_md_clear='found md_clear implementation evidence in kernel image'
pstatus green YES "$kernel_md_clear" pstatus green YES "$kernel_md_clear"
fi fi
fi if [ -z "$kernel_md_clear" ]; then
if [ -z "$kernel_md_clear" ]; then if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
if [ "$kernel_md_clear_can_tell" = 1 ]; then kernel_md_clear_can_tell=0
pstatus yellow NO elif [ -n "$g_kernel_err" ]; then
else kernel_md_clear_can_tell=0
pstatus yellow UNKNOWN elif "${opt_arch_prefix}strings" "$g_kernel" | grep -q 'Clear CPU buffers'; then
pr_debug "md_clear: found 'Clear CPU buffers' string in kernel image"
kernel_md_clear='found md_clear implementation evidence in kernel image'
pstatus green YES "$kernel_md_clear"
fi
fi
if [ -z "$kernel_md_clear" ]; then
if [ "$kernel_md_clear_can_tell" = 1 ]; then
pstatus yellow NO
else
pstatus yellow UNKNOWN
fi
fi fi
fi
if [ "$opt_runtime" = 1 ] && [ "$sys_interface_available" = 1 ]; then if [ "$opt_runtime" = 1 ] && [ "$sys_interface_available" = 1 ]; then
pr_info_nol "* Kernel mitigation is enabled and active: " pr_info_nol "* Kernel mitigation is enabled and active: "
if echo "$ret_sys_interface_check_fullmsg" | grep -qi ^mitigation; then if echo "$ret_sys_interface_check_fullmsg" | grep -qi ^mitigation; then
mds_mitigated=1 mds_mitigated=1
pstatus green YES pstatus green YES
else else
mds_mitigated=0 mds_mitigated=0
pstatus yellow NO pstatus yellow NO
fi
pr_info_nol "* SMT is either mitigated or disabled: "
if echo "$ret_sys_interface_check_fullmsg" | grep -Eq 'SMT (disabled|mitigated)'; then
mds_smt_mitigated=1
pstatus green YES
else
mds_smt_mitigated=0
pstatus yellow NO
fi
fi fi
pr_info_nol "* SMT is either mitigated or disabled: " fi # is_x86_kernel
if echo "$ret_sys_interface_check_fullmsg" | grep -Eq 'SMT (disabled|mitigated)'; then
mds_smt_mitigated=1
pstatus green YES
else
mds_smt_mitigated=0
pstatus yellow NO
fi
fi
elif [ "$sys_interface_available" = 0 ]; then elif [ "$sys_interface_available" = 0 ]; then
# we have no sysfs but were asked to use it only! # we have no sysfs but were asked to use it only!
msg="/sys vulnerability interface use forced, but it's not available!" msg="/sys vulnerability interface use forced, but it's not available!"

96
src/vulns-helpers/check_mmio.sh
View File

@@ -125,61 +125,65 @@ check_mmio_linux() {
fi fi
if [ "$opt_sysfs_only" != 1 ]; then if [ "$opt_sysfs_only" != 1 ]; then
pr_info_nol "* Kernel supports MMIO Stale Data mitigation: " # MMIO Stale Data is Intel-only; skip x86-specific kernel/MSR checks on non-x86 kernels
kernel_mmio='' kernel_mmio=''
kernel_mmio_can_tell=1 kernel_mmio_can_tell=0
if [ -n "$g_kernel_err" ]; then if is_x86_kernel; then
kernel_mmio_can_tell=0 pr_info_nol "* Kernel supports MMIO Stale Data mitigation: "
elif grep -q 'mmio_stale_data' "$g_kernel" 2>/dev/null; then kernel_mmio_can_tell=1
pr_debug "mmio: found 'mmio_stale_data' string in kernel image" if [ -n "$g_kernel_err" ]; then
kernel_mmio='found MMIO Stale Data mitigation evidence in kernel image' kernel_mmio_can_tell=0
pstatus green YES "$kernel_mmio" elif grep -q 'mmio_stale_data' "$g_kernel" 2>/dev/null; then
fi pr_debug "mmio: found 'mmio_stale_data' string in kernel image"
if [ -z "$kernel_mmio" ] && [ -n "$opt_config" ] && grep -q '^CONFIG_MITIGATION_MMIO_STALE_DATA=y' "$opt_config"; then kernel_mmio='found MMIO Stale Data mitigation evidence in kernel image'
kernel_mmio='found MMIO Stale Data mitigation config option enabled'
pstatus green YES "$kernel_mmio"
fi
if [ -z "$kernel_mmio" ] && [ -n "$opt_map" ]; then
if grep -qE 'mmio_select_mitigation|cpu_show_mmio_stale_data' "$opt_map"; then
kernel_mmio='found MMIO Stale Data mitigation function in System.map'
pstatus green YES "$kernel_mmio" pstatus green YES "$kernel_mmio"
fi fi
fi if [ -z "$kernel_mmio" ] && [ -n "$opt_config" ] && grep -q '^CONFIG_MITIGATION_MMIO_STALE_DATA=y' "$opt_config"; then
if [ -z "$kernel_mmio" ]; then kernel_mmio='found MMIO Stale Data mitigation config option enabled'
if [ "$kernel_mmio_can_tell" = 1 ]; then pstatus green YES "$kernel_mmio"
pstatus yellow NO fi
else if [ -z "$kernel_mmio" ] && [ -n "$opt_map" ]; then
if grep -qE 'mmio_select_mitigation|cpu_show_mmio_stale_data' "$opt_map"; then
kernel_mmio='found MMIO Stale Data mitigation function in System.map'
pstatus green YES "$kernel_mmio"
fi
fi
if [ -z "$kernel_mmio" ]; then
if [ "$kernel_mmio_can_tell" = 1 ]; then
pstatus yellow NO
else
pstatus yellow UNKNOWN
fi
fi
pr_info_nol "* CPU microcode supports Fill Buffer clearing: "
if [ "$cap_fb_clear" = -1 ]; then
pstatus yellow UNKNOWN pstatus yellow UNKNOWN
fi elif [ "$cap_fb_clear" = 1 ]; then
fi
pr_info_nol "* CPU microcode supports Fill Buffer clearing: "
if [ "$cap_fb_clear" = -1 ]; then
pstatus yellow UNKNOWN
elif [ "$cap_fb_clear" = 1 ]; then
pstatus green YES
else
pstatus yellow NO
fi
if [ "$opt_runtime" = 1 ] && [ "$sys_interface_available" = 1 ]; then
pr_info_nol "* Kernel mitigation is enabled and active: "
if echo "$ret_sys_interface_check_fullmsg" | grep -qi ^mitigation; then
mmio_mitigated=1
pstatus green YES pstatus green YES
else else
mmio_mitigated=0
pstatus yellow NO pstatus yellow NO
fi fi
pr_info_nol "* SMT is either mitigated or disabled: "
if echo "$ret_sys_interface_check_fullmsg" | grep -Eq 'SMT (disabled|mitigated)'; then if [ "$opt_runtime" = 1 ] && [ "$sys_interface_available" = 1 ]; then
mmio_smt_mitigated=1 pr_info_nol "* Kernel mitigation is enabled and active: "
pstatus green YES if echo "$ret_sys_interface_check_fullmsg" | grep -qi ^mitigation; then
else mmio_mitigated=1
mmio_smt_mitigated=0 pstatus green YES
pstatus yellow NO else
mmio_mitigated=0
pstatus yellow NO
fi
pr_info_nol "* SMT is either mitigated or disabled: "
if echo "$ret_sys_interface_check_fullmsg" | grep -Eq 'SMT (disabled|mitigated)'; then
mmio_smt_mitigated=1
pstatus green YES
else
mmio_smt_mitigated=0
pstatus yellow NO
fi
fi fi
fi fi # is_x86_kernel
elif [ "$sys_interface_available" = 0 ]; then elif [ "$sys_interface_available" = 0 ]; then
# we have no sysfs but were asked to use it only! # we have no sysfs but were asked to use it only!
msg="/sys vulnerability interface use forced, but it's not available!" msg="/sys vulnerability interface use forced, but it's not available!"

13
src/vulns-helpers/check_sls.sh
View File

@@ -173,10 +173,8 @@ check_CVE_0000_0001_linux() {
return return
fi fi
# --- arm64: no kernel mitigation available --- # --- ARM: no kernel mitigation available ---
local _sls_arch if is_arm_kernel; then
_sls_arch=$(uname -m 2>/dev/null || echo unknown)
if echo "$_sls_arch" | grep -qw 'aarch64'; then
pvulnstatus "$cve" VULN "no kernel mitigation available for arm64 SLS (CVE-2020-13844)" pvulnstatus "$cve" VULN "no kernel mitigation available for arm64 SLS (CVE-2020-13844)"
explain "Your ARM processor is affected by Straight-Line Speculation (CVE-2020-13844).\n" \ explain "Your ARM processor is affected by Straight-Line Speculation (CVE-2020-13844).\n" \
"GCC and Clang support -mharden-sls=all for aarch64, which inserts SB (Speculation Barrier)\n" \ "GCC and Clang support -mharden-sls=all for aarch64, which inserts SB (Speculation Barrier)\n" \
@@ -186,7 +184,12 @@ check_CVE_0000_0001_linux() {
return return
fi fi
# --- method 1: kernel config check (x86_64) --- # --- x86: config check and binary heuristic ---
if ! is_x86_kernel; then
pvulnstatus "$cve" UNK "SLS mitigation detection not supported for this kernel architecture"
return
fi
local _sls_config='' local _sls_config=''
if [ -n "$opt_config" ] && [ -r "$opt_config" ]; then if [ -n "$opt_config" ] && [ -r "$opt_config" ]; then
pr_info_nol " * Kernel compiled with SLS mitigation: " pr_info_nol " * Kernel compiled with SLS mitigation: "

1134
src/vulns/CVE-2017-5715.sh
View File

File diff suppressed because it is too large Load Diff

5
src/vulns/CVE-2017-5754.sh
View File

@@ -153,7 +153,10 @@ check_CVE_2017_5754_linux() {
pstatus blue N/A "not testable in no-runtime mode" pstatus blue N/A "not testable in no-runtime mode"
fi fi
pti_performance_check # PCID/INVPCID are x86-only CPU features
if is_x86_cpu; then
pti_performance_check
fi
elif [ "$sys_interface_available" = 0 ]; then elif [ "$sys_interface_available" = 0 ]; then
# we have no sysfs but were asked to use it only! # we have no sysfs but were asked to use it only!

2
src/vulns/CVE-2018-12207.sh
View File

@@ -24,7 +24,7 @@ check_CVE_2018_12207_linux() {
if [ -n "$g_kernel_err" ]; then if [ -n "$g_kernel_err" ]; then
kernel_itlbmh_err="$g_kernel_err" kernel_itlbmh_err="$g_kernel_err"
# commit 5219505fcbb640e273a0d51c19c38de0100ec5a9 # commit 5219505fcbb640e273a0d51c19c38de0100ec5a9
elif grep -q 'itlb_multihit' "$g_kernel"; then elif is_x86_kernel && grep -q 'itlb_multihit' "$g_kernel"; then
kernel_itlbmh="found itlb_multihit in kernel image" kernel_itlbmh="found itlb_multihit in kernel image"
fi fi
if [ -n "$kernel_itlbmh" ]; then if [ -n "$kernel_itlbmh" ]; then

12
src/vulns/CVE-2018-3639.sh
View File

@@ -24,13 +24,13 @@ check_CVE_2018_3639_linux() {
pr_debug "found Speculation.Store.Bypass: in $g_procfs/self/status" pr_debug "found Speculation.Store.Bypass: in $g_procfs/self/status"
fi fi
fi fi
# arm64 kernels can have cpu_show_spec_store_bypass with ARM64_SSBD, so exclude them # spec_store_bypass is x86-specific; ARM kernels use ARM64_SSBD instead
if [ -z "$kernel_ssb" ] && [ -n "$g_kernel" ] && ! is_arm64_kernel; then if [ -z "$kernel_ssb" ] && [ -n "$g_kernel" ] && is_x86_kernel; then
kernel_ssb=$("${opt_arch_prefix}strings" "$g_kernel" | grep spec_store_bypass | head -n1) kernel_ssb=$("${opt_arch_prefix}strings" "$g_kernel" | grep spec_store_bypass | head -n1)
[ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in kernel" [ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in kernel"
fi fi
# arm64 kernels can have cpu_show_spec_store_bypass with ARM64_SSBD, so exclude them # spec_store_bypass is x86-specific; ARM kernels use ARM64_SSBD instead
if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && ! is_arm64_kernel; then if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && is_x86_kernel; then
kernel_ssb=$(grep spec_store_bypass "$opt_map" | awk '{print $3}' | head -n1) kernel_ssb=$(grep spec_store_bypass "$opt_map" | awk '{print $3}' | head -n1)
[ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in System.map" [ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in System.map"
fi fi
@@ -121,7 +121,7 @@ check_CVE_2018_3639_linux() {
fi fi
else else
if [ -n "$kernel_ssb" ]; then if [ -n "$kernel_ssb" ]; then
if is_arm64_kernel; then if is_arm_kernel; then
pvulnstatus "$cve" VULN "no SSB mitigation is active on your system" pvulnstatus "$cve" VULN "no SSB mitigation is active on your system"
explain "ARM CPUs mitigate SSB either through a hardware SSBS bit (ARMv8.5+ CPUs) or through firmware support for SMCCC ARCH_WORKAROUND_2. Your kernel reports SSB status but neither mechanism appears to be active. For CPUs predating ARMv8.5 (such as Cortex-A57 or Cortex-A72), check with your board or SoC vendor for a firmware update that provides SMCCC ARCH_WORKAROUND_2 support." explain "ARM CPUs mitigate SSB either through a hardware SSBS bit (ARMv8.5+ CPUs) or through firmware support for SMCCC ARCH_WORKAROUND_2. Your kernel reports SSB status but neither mechanism appears to be active. For CPUs predating ARMv8.5 (such as Cortex-A57 or Cortex-A72), check with your board or SoC vendor for a firmware update that provides SMCCC ARCH_WORKAROUND_2 support."
else else
@@ -129,7 +129,7 @@ check_CVE_2018_3639_linux() {
explain "Your kernel is recent enough to use the CPU microcode features for mitigation, but your CPU microcode doesn't actually provide the necessary features for the kernel to use. The microcode of your CPU hence needs to be upgraded. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section)." explain "Your kernel is recent enough to use the CPU microcode features for mitigation, but your CPU microcode doesn't actually provide the necessary features for the kernel to use. The microcode of your CPU hence needs to be upgraded. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section)."
fi fi
else else
if is_arm64_kernel; then if is_arm_kernel; then
pvulnstatus "$cve" VULN "your kernel and firmware do not support SSB mitigation" pvulnstatus "$cve" VULN "your kernel and firmware do not support SSB mitigation"
explain "ARM SSB mitigation requires kernel support (CONFIG_ARM64_SSBD) combined with either a hardware SSBS bit (ARMv8.5+ CPUs) or firmware support for SMCCC ARCH_WORKAROUND_2. Ensure you are running a recent kernel compiled with CONFIG_ARM64_SSBD. For CPUs predating ARMv8.5, also check with your board or SoC vendor for a firmware update providing SMCCC ARCH_WORKAROUND_2 support." explain "ARM SSB mitigation requires kernel support (CONFIG_ARM64_SSBD) combined with either a hardware SSBS bit (ARMv8.5+ CPUs) or firmware support for SMCCC ARCH_WORKAROUND_2. Ensure you are running a recent kernel compiled with CONFIG_ARM64_SSBD. For CPUs predating ARMv8.5, also check with your board or SoC vendor for a firmware update providing SMCCC ARCH_WORKAROUND_2 support."
else else

2
src/vulns/CVE-2018-3640.sh
View File

@@ -11,7 +11,7 @@ check_CVE_2018_3640() {
sys_interface_available=0 sys_interface_available=0
msg='' msg=''
if is_arm64_kernel; then if is_arm_kernel; then
# ARM64: mitigation is via an EL2 indirect trampoline (spectre_v3a_enable_mitigation), # ARM64: mitigation is via an EL2 indirect trampoline (spectre_v3a_enable_mitigation),
# applied automatically at boot for affected CPUs (Cortex-A57, Cortex-A72). # applied automatically at boot for affected CPUs (Cortex-A57, Cortex-A72).
# No microcode update is involved. # No microcode update is involved.

2
src/vulns/CVE-2019-11135.sh
View File

@@ -21,7 +21,7 @@ check_CVE_2019_11135_linux() {
kernel_taa='' kernel_taa=''
if [ -n "$g_kernel_err" ]; then if [ -n "$g_kernel_err" ]; then
kernel_taa_err="$g_kernel_err" kernel_taa_err="$g_kernel_err"
elif grep -q 'tsx_async_abort' "$g_kernel"; then elif is_x86_kernel && grep -q 'tsx_async_abort' "$g_kernel"; then
kernel_taa="found tsx_async_abort in kernel image" kernel_taa="found tsx_async_abort in kernel image"
fi fi
if [ -n "$kernel_taa" ]; then if [ -n "$kernel_taa" ]; then

2
src/vulns/CVE-2020-0543.sh
View File

@@ -21,7 +21,7 @@ check_CVE_2020_0543_linux() {
kernel_srbds='' kernel_srbds=''
if [ -n "$g_kernel_err" ]; then if [ -n "$g_kernel_err" ]; then
kernel_srbds_err="$g_kernel_err" kernel_srbds_err="$g_kernel_err"
elif grep -q 'Dependent on hypervisor' "$g_kernel"; then elif is_x86_kernel && grep -q 'Dependent on hypervisor' "$g_kernel"; then
kernel_srbds="found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation" kernel_srbds="found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation"
fi fi
if [ -n "$kernel_srbds" ]; then if [ -n "$kernel_srbds" ]; then

10
src/vulns/CVE-2022-40982.sh
View File

@@ -119,17 +119,17 @@ check_CVE_2022_40982_linux() {
kernel_gds_err='' kernel_gds_err=''
if [ -n "$g_kernel_err" ]; then if [ -n "$g_kernel_err" ]; then
kernel_gds_err="$g_kernel_err" kernel_gds_err="$g_kernel_err"
elif grep -q 'gather_data_sampling' "$g_kernel"; then elif is_x86_kernel && grep -q 'gather_data_sampling' "$g_kernel"; then
kernel_gds="found gather_data_sampling in kernel image" kernel_gds="found gather_data_sampling in kernel image"
fi fi
if [ -z "$kernel_gds" ] && [ -r "$opt_config" ]; then if [ -z "$kernel_gds" ] && is_x86_kernel && [ -r "$opt_config" ]; then
if grep -q '^CONFIG_GDS_FORCE_MITIGATION=y' "$opt_config" || if grep -q '^CONFIG_GDS_FORCE_MITIGATION=y' "$opt_config" ||
grep -q '^CONFIG_MITIGATION_GDS_FORCE=y' "$opt_config" || grep -q '^CONFIG_MITIGATION_GDS_FORCE=y' "$opt_config" ||
grep -q '^CONFIG_MITIGATION_GDS=y' "$opt_config"; then grep -q '^CONFIG_MITIGATION_GDS=y' "$opt_config"; then
kernel_gds="GDS mitigation config option found enabled in kernel config" kernel_gds="GDS mitigation config option found enabled in kernel config"
fi fi
fi fi
if [ -z "$kernel_gds" ] && [ -n "$opt_map" ]; then if [ -z "$kernel_gds" ] && is_x86_kernel && [ -n "$opt_map" ]; then
if grep -q 'gds_select_mitigation' "$opt_map"; then if grep -q 'gds_select_mitigation' "$opt_map"; then
kernel_gds="found gds_select_mitigation in System.map" kernel_gds="found gds_select_mitigation in System.map"
fi fi
@@ -152,10 +152,10 @@ check_CVE_2022_40982_linux() {
if [ "$dmesgret" -eq 0 ]; then if [ "$dmesgret" -eq 0 ]; then
kernel_avx_disabled="AVX disabled by the kernel (dmesg)" kernel_avx_disabled="AVX disabled by the kernel (dmesg)"
pstatus green YES "$kernel_avx_disabled" pstatus green YES "$kernel_avx_disabled"
elif [ "$cap_avx2" = 0 ]; then elif [ "$cap_avx2" = 0 ] && is_x86_cpu; then
# Find out by ourselves # Find out by ourselves
# cpuinfo says we don't have AVX2, query # cpuinfo says we don't have AVX2, query
# the CPU directly about AVX2 support # the CPU directly about AVX2 support (x86-only)
read_cpuid 0x7 0x0 "$EBX" 5 1 1 read_cpuid 0x7 0x0 "$EBX" 5 1 1
ret=$? ret=$?
if [ "$ret" -eq "$READ_CPUID_RET_OK" ]; then if [ "$ret" -eq "$READ_CPUID_RET_OK" ]; then

4
src/vulns/CVE-2023-20588.sh
View File

@@ -88,10 +88,10 @@ check_CVE_2023_20588_linux() {
kernel_mitigated='' kernel_mitigated=''
if [ -n "$g_kernel_err" ]; then if [ -n "$g_kernel_err" ]; then
pstatus yellow UNKNOWN "$g_kernel_err" pstatus yellow UNKNOWN "$g_kernel_err"
elif grep -q 'amd_clear_divider' "$g_kernel"; then elif is_x86_kernel && grep -q 'amd_clear_divider' "$g_kernel"; then
kernel_mitigated="found amd_clear_divider in kernel image" kernel_mitigated="found amd_clear_divider in kernel image"
pstatus green YES "$kernel_mitigated" pstatus green YES "$kernel_mitigated"
elif [ -n "$opt_map" ] && grep -q 'amd_clear_divider' "$opt_map"; then elif is_x86_kernel && [ -n "$opt_map" ] && grep -q 'amd_clear_divider' "$opt_map"; then
kernel_mitigated="found amd_clear_divider in System.map" kernel_mitigated="found amd_clear_divider in System.map"
pstatus green YES "$kernel_mitigated" pstatus green YES "$kernel_mitigated"
else else

8
src/vulns/CVE-2023-28746.sh
View File

@@ -83,17 +83,17 @@ check_CVE_2023_28746_linux() {
kernel_rfds_err='' kernel_rfds_err=''
if [ -n "$g_kernel_err" ]; then if [ -n "$g_kernel_err" ]; then
kernel_rfds_err="$g_kernel_err" kernel_rfds_err="$g_kernel_err"
elif grep -q 'Clear Register File' "$g_kernel"; then elif is_x86_kernel && grep -q 'Clear Register File' "$g_kernel"; then
kernel_rfds="found 'Clear Register File' string in kernel image" kernel_rfds="found 'Clear Register File' string in kernel image"
elif grep -q 'reg_file_data_sampling' "$g_kernel"; then elif is_x86_kernel && grep -q 'reg_file_data_sampling' "$g_kernel"; then
kernel_rfds="found reg_file_data_sampling in kernel image" kernel_rfds="found reg_file_data_sampling in kernel image"
fi fi
if [ -z "$kernel_rfds" ] && [ -r "$opt_config" ]; then if [ -z "$kernel_rfds" ] && is_x86_kernel && [ -r "$opt_config" ]; then
if grep -q '^CONFIG_MITIGATION_RFDS=y' "$opt_config"; then if grep -q '^CONFIG_MITIGATION_RFDS=y' "$opt_config"; then
kernel_rfds="RFDS mitigation config option found enabled in kernel config" kernel_rfds="RFDS mitigation config option found enabled in kernel config"
fi fi
fi fi
if [ -z "$kernel_rfds" ] && [ -n "$opt_map" ]; then if [ -z "$kernel_rfds" ] && is_x86_kernel && [ -n "$opt_map" ]; then
if grep -q 'rfds_select_mitigation' "$opt_map"; then if grep -q 'rfds_select_mitigation' "$opt_map"; then
kernel_rfds="found rfds_select_mitigation in System.map" kernel_rfds="found rfds_select_mitigation in System.map"
fi fi

6
src/vulns/CVE-2024-28956.sh
View File

@@ -92,15 +92,15 @@ check_CVE_2024_28956_linux() {
kernel_its_err='' kernel_its_err=''
if [ -n "$g_kernel_err" ]; then if [ -n "$g_kernel_err" ]; then
kernel_its_err="$g_kernel_err" kernel_its_err="$g_kernel_err"
elif grep -q 'indirect_target_selection' "$g_kernel"; then elif is_x86_kernel && grep -q 'indirect_target_selection' "$g_kernel"; then
kernel_its="found indirect_target_selection in kernel image" kernel_its="found indirect_target_selection in kernel image"
fi fi
if [ -z "$kernel_its" ] && [ -r "$opt_config" ]; then if [ -z "$kernel_its" ] && is_x86_kernel && [ -r "$opt_config" ]; then
if grep -q '^CONFIG_MITIGATION_ITS=y' "$opt_config"; then if grep -q '^CONFIG_MITIGATION_ITS=y' "$opt_config"; then
kernel_its="ITS mitigation config option found enabled in kernel config" kernel_its="ITS mitigation config option found enabled in kernel config"
fi fi
fi fi
if [ -z "$kernel_its" ] && [ -n "$opt_map" ]; then if [ -z "$kernel_its" ] && is_x86_kernel && [ -n "$opt_map" ]; then
if grep -q 'its_select_mitigation' "$opt_map"; then if grep -q 'its_select_mitigation' "$opt_map"; then
kernel_its="found its_select_mitigation in System.map" kernel_its="found its_select_mitigation in System.map"
fi fi

6
src/vulns/CVE-2024-36350.sh
View File

@@ -72,15 +72,15 @@ check_CVE_2024_36350_linux() {
if [ -n "$g_kernel_err" ]; then if [ -n "$g_kernel_err" ]; then
kernel_tsa_err="$g_kernel_err" kernel_tsa_err="$g_kernel_err"
# commit d8010d4ba43e: "Transient Scheduler Attacks:" is printed by tsa_select_mitigation() # commit d8010d4ba43e: "Transient Scheduler Attacks:" is printed by tsa_select_mitigation()
elif grep -q 'Transient Scheduler Attacks' "$g_kernel"; then elif is_x86_kernel && grep -q 'Transient Scheduler Attacks' "$g_kernel"; then
kernel_tsa="found TSA mitigation message in kernel image" kernel_tsa="found TSA mitigation message in kernel image"
fi fi
if [ -z "$kernel_tsa" ] && [ -r "$opt_config" ]; then if [ -z "$kernel_tsa" ] && is_x86_kernel && [ -r "$opt_config" ]; then
if grep -q '^CONFIG_MITIGATION_TSA=y' "$opt_config"; then if grep -q '^CONFIG_MITIGATION_TSA=y' "$opt_config"; then
kernel_tsa="CONFIG_MITIGATION_TSA=y found in kernel config" kernel_tsa="CONFIG_MITIGATION_TSA=y found in kernel config"
fi fi
fi fi
if [ -z "$kernel_tsa" ] && [ -n "$opt_map" ]; then if [ -z "$kernel_tsa" ] && is_x86_kernel && [ -n "$opt_map" ]; then
if grep -q 'tsa_select_mitigation' "$opt_map"; then if grep -q 'tsa_select_mitigation' "$opt_map"; then
kernel_tsa="found tsa_select_mitigation in System.map" kernel_tsa="found tsa_select_mitigation in System.map"
fi fi

6
src/vulns/CVE-2024-36357.sh
View File

@@ -72,15 +72,15 @@ check_CVE_2024_36357_linux() {
if [ -n "$g_kernel_err" ]; then if [ -n "$g_kernel_err" ]; then
kernel_tsa_err="$g_kernel_err" kernel_tsa_err="$g_kernel_err"
# commit d8010d4ba43e: "Transient Scheduler Attacks:" is printed by tsa_select_mitigation() # commit d8010d4ba43e: "Transient Scheduler Attacks:" is printed by tsa_select_mitigation()
elif grep -q 'Transient Scheduler Attacks' "$g_kernel"; then elif is_x86_kernel && grep -q 'Transient Scheduler Attacks' "$g_kernel"; then
kernel_tsa="found TSA mitigation message in kernel image" kernel_tsa="found TSA mitigation message in kernel image"
fi fi
if [ -z "$kernel_tsa" ] && [ -r "$opt_config" ]; then if [ -z "$kernel_tsa" ] && is_x86_kernel && [ -r "$opt_config" ]; then
if grep -q '^CONFIG_MITIGATION_TSA=y' "$opt_config"; then if grep -q '^CONFIG_MITIGATION_TSA=y' "$opt_config"; then
kernel_tsa="CONFIG_MITIGATION_TSA=y found in kernel config" kernel_tsa="CONFIG_MITIGATION_TSA=y found in kernel config"
fi fi
fi fi
if [ -z "$kernel_tsa" ] && [ -n "$opt_map" ]; then if [ -z "$kernel_tsa" ] && is_x86_kernel && [ -n "$opt_map" ]; then
if grep -q 'tsa_select_mitigation' "$opt_map"; then if grep -q 'tsa_select_mitigation' "$opt_map"; then
kernel_tsa="found tsa_select_mitigation in System.map" kernel_tsa="found tsa_select_mitigation in System.map"
fi fi

6
src/vulns/CVE-2025-40300.sh
View File

@@ -85,15 +85,15 @@ check_CVE_2025_40300_linux() {
kernel_vmscape_err='' kernel_vmscape_err=''
if [ -n "$g_kernel_err" ]; then if [ -n "$g_kernel_err" ]; then
kernel_vmscape_err="$g_kernel_err" kernel_vmscape_err="$g_kernel_err"
elif grep -q 'vmscape' "$g_kernel"; then elif is_x86_kernel && grep -q 'vmscape' "$g_kernel"; then
kernel_vmscape="found vmscape in kernel image" kernel_vmscape="found vmscape in kernel image"
fi fi
if [ -z "$kernel_vmscape" ] && [ -r "$opt_config" ]; then if [ -z "$kernel_vmscape" ] && is_x86_kernel && [ -r "$opt_config" ]; then
if grep -q '^CONFIG_MITIGATION_VMSCAPE=y' "$opt_config"; then if grep -q '^CONFIG_MITIGATION_VMSCAPE=y' "$opt_config"; then
kernel_vmscape="VMScape mitigation config option found enabled in kernel config" kernel_vmscape="VMScape mitigation config option found enabled in kernel config"
fi fi
fi fi
if [ -z "$kernel_vmscape" ] && [ -n "$opt_map" ]; then if [ -z "$kernel_vmscape" ] && is_x86_kernel && [ -n "$opt_map" ]; then
if grep -q 'vmscape_select_mitigation' "$opt_map"; then if grep -q 'vmscape_select_mitigation' "$opt_map"; then
kernel_vmscape="found vmscape_select_mitigation in System.map" kernel_vmscape="found vmscape_select_mitigation in System.map"
fi fi