Commit Graph

555 Commits

Author SHA1 Message Date
Stéphane Lesimple 0eabd266ad refactor: decrease default verbosity for some tests 2018-04-05 22:20:16 +02:00
Stéphane Lesimple b77fb0f226 fix: don't override ibrs/ibpb results with later tests 2018-04-05 22:04:20 +02:00
Stéphane Lesimple 89c2e0fb21 fix(amd): show cpuinfo and ucode details 2018-04-05 21:39:27 +02:00
Stéphane Lesimple b88f32ed95 feat: print raw cpuid, and fetch ucode version under BSD 2018-04-05 00:07:12 +02:00
Stéphane Lesimple 7a4ebe8009 refactor: rewrite read_cpuid to get more common code parts between BSD and Linux 2018-04-05 00:06:24 +02:00
Stéphane Lesimple 0919f5c236 feat: add explanations of what to do when a vulnerability is not mitigated 2018-04-05 00:03:04 +02:00
Stéphane Lesimple de02dad909 feat: rework Spectre V2 mitigations detection w/ latest vanilla & Red Hat 7 kernels 2018-04-05 00:01:54 +02:00
Stéphane Lesimple 07484d0ea7 add dump of variables at end of script in debug mode 2018-04-04 23:58:15 +02:00
Stéphane Lesimple a8b557b9e2 fix(cpu): skip CPU checks if asked to (--no-hw) or if inspecting a kernel of another architecture 2018-04-03 19:36:28 +02:00
Stéphane Lesimple 619b2749d8 fix(sysfs): only check for sysfs for spectre2 when in live mode 2018-04-03 19:32:36 +02:00
Stéphane Lesimple 94857c983d update readme 2018-04-03 16:00:36 +02:00
Stéphane Lesimple 056ed00baa feat(arm): detect spectre variant 1 mitigation 2018-04-03 15:52:25 +02:00
Stéphane Lesimple aef99d20f3 fix(pti): when PTI activation is unknown, don't say we're vulnerable 2018-04-03 12:45:17 +02:00
Stéphane Lesimple e2d7ed2243 feat(arm): support for variant2 and meltdown mitigation detection 2018-04-01 17:50:18 +02:00
Stéphane Lesimple eeaeff8ec3 set version to v0.36+ for master branch between releases 2018-04-01 17:45:01 +02:00
Stéphane Lesimple f5269a362a feat(bsd): add retpoline detection for BSD 2018-04-01 17:42:29 +02:00
Stéphane Lesimple f3883a37a0 fix(xen): adjust message for DomUs w/ sysfs 2018-03-31 13:44:04 +02:00
Stéphane Lesimple b6fd69a022 release: v0.36 2018-03-27 23:08:38 +02:00
Stéphane Lesimple 7adb7661f3 enh: change colors and use red only to report vulnerability 2018-03-25 18:15:08 +02:00
Stéphane Lesimple c7892e3399 update README.md 2018-03-25 14:18:39 +02:00
Stéphane Lesimple aa74315df4 feat: speed up kernel version detection 2018-03-25 13:42:19 +02:00
Stéphane Lesimple 0b8a09ec70 fix: mis adjustments for BSD compat 2018-03-25 13:26:00 +02:00
Stéphane Lesimple b42d8f2f27 fix(write_msr): use /dev/zero instead of manually echoing zeroes 2018-03-25 12:53:50 +02:00
Stéphane Lesimple f191ec7884 feat: add --hw-only to only show CPU microcode/cpuid/msr details 2018-03-25 12:48:37 +02:00
Stéphane Lesimple 28da7a0103 misc: message clarifications 2018-03-25 12:48:03 +02:00
Stéphane Lesimple ece25b98a1 feat: implement support for NetBSD/FreeBSD/DragonFlyBSD 2018-03-25 12:28:02 +02:00
Stéphane Lesimple 889172dbb1 feat: add special extract_vmlinux mode for old RHEL kernels 2018-03-25 11:55:44 +02:00
Stéphane Lesimple 37ce032888 fix: bypass MSR/CPUID checks for non-x86 CPUs 2018-03-25 11:55:44 +02:00
Stéphane Lesimple 701cf882ad feat: more robust validation of extracted kernel image 2018-03-25 11:55:44 +02:00
Stéphane Lesimple 6a94c3f158 feat(extract_vmlinux): look for ELF magic in decompressed blob and cut at found offset 2018-03-25 11:55:42 +02:00
Stéphane Lesimple 2d993812ab feat: add --prefix-arch for cross-arch kernel inspection 2018-03-25 11:55:10 +02:00
Stéphane Lesimple 4961f8327f fix(ucode): fix blacklist detection for some ucode versions 2018-03-19 12:09:39 +01:00
Alex ecdc448531 Check MSR in each CPU/Thread (#136) 2018-03-17 17:17:15 +01:00
Stéphane Lesimple 12ea49fe0c fix(kvm): properly detect PVHVM mode (fixes #163) 2018-03-16 18:29:58 +01:00
Stéphane Lesimple 053f1613de fix(doc): use https:// URLs in the script comment header 2018-03-16 18:24:59 +01:00
Stéphane Lesimple bda18d04a0 fix: pine64: re-add vmlinuz location and some error checks 2018-03-10 16:02:44 +01:00
Stéphane Lesimple 2551295541 doc: use https URLs 2018-03-10 15:20:07 +01:00
Stéphane Lesimple d5832dc1dc feat: add ELF magic detection on kernel image blob for some arm64 systems 2018-03-10 14:57:25 +01:00
Stéphane Lesimple d2f46740e9 feat: enhance kernel image version detection for some old kernels 2018-03-10 14:57:25 +01:00
Sam Morris 2f6a6554a2 Produce output for consumption by prometheus-node-exporter
A report of all vulnerable machines to be produced with a query such as:

    spexec_vuln_status{status!="OK"}
2018-02-27 11:08:39 +01:00
Stéphane Lesimple 30842dd9c0 release: bump to v0.35 2018-02-16 10:35:49 +01:00
Stéphane Lesimple b4ac5fcbe3 feat(variant2): better explanation when kernel supports IBRS but CPU does not 2018-02-16 10:34:01 +01:00
Stéphane Lesimple fef380d66f feat(readme): add quick run section 2018-02-15 21:19:49 +01:00
Stéphane Lesimple 55a6fd3911 feat(variant1): better detection for Red Hat/Ubuntu patch 2018-02-15 21:19:49 +01:00
Sylvestre Ledru 35c8a63de6 Remove the color in the title 2018-02-15 20:21:00 +01:00
Stéphane Lesimple 5f914e555e fix(xen): declare Xen's PTI patch as a valid mitigation for variant3 2018-02-14 14:24:55 +01:00
Stéphane Lesimple 66dce2c158 fix(ucode): update blacklisted ucodes list from latest Intel info 2018-02-14 14:14:16 +01:00
Calvin Walton 155cac2102 Teach checker how to find kernels installed by systemd kernel-install 2018-02-10 20:51:33 +01:00
Stéphane Lesimple 22cae605e1 fix(retpoline): remove the "retpoline enabled" test
This test worked for some early versions of the retpoline
implementation in vanilla kernels, but the corresponding
flag has been removed from /proc/cpuinfo in latest kernels.
The full information is available in /sys instead, which
was already implemented in the script.
2018-02-09 20:12:33 +01:00
Stéphane Lesimple eb75e51975 fix(ucode): update list of blacklisted ucodes from 2018-02-08 Intel document
Removed 2 ucodes and added 2 other ones
2018-02-09 19:56:27 +01:00