2cde6e4649
feat(ssbd): add detection of proper CPUID bits on AMD
2018-05-23 22:50:52 +02:00
f4d51e7e53
fix(variant4): add another detection way for Red Hat kernel
2018-05-23 22:47:54 +02:00
85d46b2799
feat(variant4): add more detailed explanations
2018-05-23 21:08:58 +02:00
61e02abd0c
feat(variant3a): detect up to date microcode
2018-05-23 21:08:08 +02:00
114756fab7
fix(amd): not vulnerable to variant3a
2018-05-23 20:38:43 +02:00
ea75969eb7
fix(help): Update variant options in usage message ( #200 )
2018-05-22 15:54:25 +02:00
ca391cbfc9
fix(variant2): correctly detect IBRS/IBPB in SLES kernels
2018-05-22 12:06:46 +02:00
68af5c5f92
feat(variant4): detect SSBD-aware kernel
2018-05-22 12:05:46 +02:00
f75cc0bb6f
feat(variant4): add sysfs mitigation hint and some explanation about the vuln
2018-05-22 09:39:11 +02:00
f33d65ff71
feat(variant3a): add information about microcode-sufficient mitigation
2018-05-22 09:38:29 +02:00
725eaa8bf5
feat(arm): adjust vulnerable ARM CPUs for variant3a and variant4
2018-05-22 09:19:29 +02:00
c6ee0358d1
feat(variant4): report SSB_NO CPUs as not vulnerable
2018-05-22 09:18:30 +02:00
22d0b203da
fix(ssb_no): rename ssbd_no to ssb_no and fix shift
2018-05-22 00:38:31 +02:00
3062a8416a
fix(msg): add missing words
2018-05-22 00:10:08 +02:00
6a4318addf
feat(variant3a/4): initial support for 2 new CVEs
2018-05-22 00:06:56 +02:00
c19986188f
fix(variant2): adjust detection for SLES kernels
2018-05-19 09:53:12 +02:00
7e4899bcb8
ibrs can't be enabled on no ibrs cpu ( #195 )
...
* ibrs can't be enabled on no ibrs cpu
If the cpu is identified, and does not support SPEC_CTRL or IBRS, then ibrs can't be enabled, even if supported by the kernel.
Instead of reporting IBRS enabled and active UNKNOWN, report IBRS enabled and active NO.
2018-05-17 15:39:48 +02:00
5cc77741af
Update spectre-meltdown-checker.sh
2018-05-05 13:00:44 +02:00
1c0f6d9580
cpuid and msr module check
...
This adds a check before loading the cpuid and msr modules under linux, ensuring they are not unloaded in exit_cleanup() if they were initially present.
2018-05-05 13:00:44 +02:00
4acd0f647a
Suggestion to change VM to a CPU with IBRS capability
2018-04-20 20:35:12 +02:00
fb52dbe7bf
set master branch to v0.37+
2018-04-20 20:34:42 +02:00
edebe4dcd4
bump to v0.37
2018-04-18 23:51:45 +02:00
83ea78f523
fix: arm: also detect variant 1 mitigation when using native objdump
2018-04-17 18:50:32 +02:00
602b68d493
fix(spectrev2): explain that retpoline is possible for Skylake+ if there is RSB filling, even if IBRS is still better
2018-04-16 09:27:28 +02:00
97bccaa0d7
feat: rephrase IBPB warning when only retpoline is enabled in non-paranoid mode
2018-04-16 09:13:25 +02:00
68e619b0d3
feat: show RSB filling capability for non-Skylake in verbose mode
2018-04-16 09:08:25 +02:00
a6f4475cee
feat: make IBRS_FW blue instead of green
2018-04-16 09:07:54 +02:00
223f5028df
feat: add --paranoid to choose whether we require IBPB
2018-04-15 23:05:30 +02:00
c0108b9690
fix(spectre2): don't explain how to fix when NOT VULNERABLE
2018-04-15 20:55:55 +02:00
a3016134bd
feat: make RSB filling support mandatory for Skylake+ CPUs
2018-04-15 20:55:31 +02:00
59d85b39c9
feat: detect RSB filling capability in the kernel
2018-04-15 20:55:01 +02:00
baaefb0c31
fix: remove shellcheck warnings
2018-04-11 22:24:03 +02:00
d452aca03a
fix: invalid bash syntax when ibpb_enabled or ibrs_enabled are empty
2018-04-11 10:29:42 +02:00
10b8d94724
feat: detect latest Red Hat kernels' RO ibpb_enabled knob
2018-04-10 22:51:45 +02:00
8606e60ef7
refactor: no longer display the retoline-aware compiler test when we can't tell for sure
2018-04-10 22:51:45 +02:00
6a48251647
fix: regression in 51aeae25, when retpoline & ibpb are enabled
2018-04-10 22:51:45 +02:00
f4bf5e95ec
fix: typos
2018-04-10 22:51:45 +02:00
60eac1ad43
feat: also do PTI performance check with (inv)pcid for BSD
2018-04-10 22:51:45 +02:00
b3cc06a6ad
fix regression introduced by 82c25dc
2018-04-10 22:51:45 +02:00
5553576e31
feat(amd/zen): re-introduce IBRS for AMD except ZEN family
2018-04-10 22:51:45 +02:00
e16ad802da
feat(ibpb=2): add detection of SMT before concluding the system is not vulnerable
2018-04-10 22:51:45 +02:00
29c294edff
feat(bsd): explain how to mitigate variant2
2018-04-10 22:51:45 +02:00
59714011db
refactor: IBRS_ALL & RDCL_NO are Intel-only
2018-04-10 22:51:45 +02:00
51e8261a32
refactor: separate hw checks for Intel & AMD
2018-04-10 22:49:28 +02:00
2a4bfad835
refactor: add is_amd and is_intel funcs
2018-04-10 22:49:28 +02:00
7e52cea66e
feat(spectre2): refined how status of this vuln is decided and more precise explanations on how to fix
2018-04-10 22:49:28 +02:00
417d7aab91
Fix trailing whitespace and mixed indent styles;
2018-04-10 22:42:47 +02:00
67bf761029
Fix some user facing typos with codespell -w -q3 .
2018-04-08 18:44:13 +02:00
0eabd266ad
refactor: decrease default verbosity for some tests
2018-04-05 22:20:16 +02:00
b77fb0f226
fix: don't override ibrs/ibpb results with later tests
2018-04-05 22:04:20 +02:00
89c2e0fb21
fix(amd): show cpuinfo and ucode details
2018-04-05 21:39:27 +02:00
b88f32ed95
feat: print raw cpuid, and fetch ucode version under BSD
2018-04-05 00:07:12 +02:00
7a4ebe8009
refactor: rewrite read_cpuid to get more common code parts between BSD and Linux
2018-04-05 00:06:24 +02:00
0919f5c236
feat: add explanations of what to do when a vulnerability is not mitigated
2018-04-05 00:03:04 +02:00
de02dad909
feat: rework Spectre V2 mitigations detection w/ latest vanilla & Red Hat 7 kernels
2018-04-05 00:01:54 +02:00
07484d0ea7
add dump of variables at end of script in debug mode
2018-04-04 23:58:15 +02:00
a8b557b9e2
fix(cpu): skip CPU checks if asked to (--no-hw) or if inspecting a kernel of another architecture
2018-04-03 19:36:28 +02:00
619b2749d8
fix(sysfs): only check for sysfs for spectre2 when in live mode
2018-04-03 19:32:36 +02:00
056ed00baa
feat(arm): detect spectre variant 1 mitigation
2018-04-03 15:52:25 +02:00
aef99d20f3
fix(pti): when PTI activation is unknown, don't say we're vulnerable
2018-04-03 12:45:17 +02:00
e2d7ed2243
feat(arm): support for variant2 and meltdown mitigation detection
2018-04-01 17:50:18 +02:00
eeaeff8ec3
set version to v0.36+ for master branch between releases
2018-04-01 17:45:01 +02:00
f5269a362a
feat(bsd): add retpoline detection for BSD
2018-04-01 17:42:29 +02:00
f3883a37a0
fix(xen): adjust message for DomUs w/ sysfs
2018-03-31 13:44:04 +02:00
b6fd69a022
release: v0.36
2018-03-27 23:08:38 +02:00
7adb7661f3
enh: change colors and use red only to report vulnerability
2018-03-25 18:15:08 +02:00
aa74315df4
feat: speed up kernel version detection
2018-03-25 13:42:19 +02:00
0b8a09ec70
fix: mis adjustments for BSD compat
2018-03-25 13:26:00 +02:00
b42d8f2f27
fix(write_msr): use /dev/zero instead of manually echoing zeroes
2018-03-25 12:53:50 +02:00
f191ec7884
feat: add --hw-only to only show CPU microcode/cpuid/msr details
2018-03-25 12:48:37 +02:00
28da7a0103
misc: message clarifications
2018-03-25 12:48:03 +02:00
ece25b98a1
feat: implement support for NetBSD/FreeBSD/DragonFlyBSD
2018-03-25 12:28:02 +02:00
889172dbb1
feat: add special extract_vmlinux mode for old RHEL kernels
2018-03-25 11:55:44 +02:00
37ce032888
fix: bypass MSR/CPUID checks for non-x86 CPUs
2018-03-25 11:55:44 +02:00
701cf882ad
feat: more robust validation of extracted kernel image
2018-03-25 11:55:44 +02:00
6a94c3f158
feat(extract_vmlinux): look for ELF magic in decompressed blob and cut at found offset
2018-03-25 11:55:42 +02:00
2d993812ab
feat: add --prefix-arch for cross-arch kernel inspection
2018-03-25 11:55:10 +02:00
4961f8327f
fix(ucode): fix blacklist detection for some ucode versions
2018-03-19 12:09:39 +01:00
ecdc448531
Check MSR in each CPU/Thread ( #136 )
2018-03-17 17:17:15 +01:00
12ea49fe0c
fix(kvm): properly detect PVHVM mode ( fixes #163 )
2018-03-16 18:29:58 +01:00
053f1613de
fix(doc): use https:// URLs in the script comment header
2018-03-16 18:24:59 +01:00
bda18d04a0
fix: pine64: re-add vmlinuz location and some error checks
2018-03-10 16:02:44 +01:00
d5832dc1dc
feat: add ELF magic detection on kernel image blob for some arm64 systems
2018-03-10 14:57:25 +01:00
d2f46740e9
feat: enhance kernel image version detection for some old kernels
2018-03-10 14:57:25 +01:00
2f6a6554a2
Produce output for consumption by prometheus-node-exporter
...
A report of all vulnerable machines to be produced with a query such as:
spexec_vuln_status{status!="OK"}
2018-02-27 11:08:39 +01:00
30842dd9c0
release: bump to v0.35
2018-02-16 10:35:49 +01:00
b4ac5fcbe3
feat(variant2): better explanation when kernel supports IBRS but CPU does not
2018-02-16 10:34:01 +01:00
55a6fd3911
feat(variant1): better detection for Red Hat/Ubuntu patch
2018-02-15 21:19:49 +01:00
35c8a63de6
Remove the color in the title
2018-02-15 20:21:00 +01:00
5f914e555e
fix(xen): declare Xen's PTI patch as a valid mitigation for variant3
2018-02-14 14:24:55 +01:00
66dce2c158
fix(ucode): update blacklisted ucodes list from latest Intel info
2018-02-14 14:14:16 +01:00
155cac2102
Teach checker how to find kernels installed by systemd kernel-install
2018-02-10 20:51:33 +01:00
22cae605e1
fix(retpoline): remove the "retpoline enabled" test
...
This test worked for some early versions of the retpoline
implementation in vanilla kernels, but the corresponding
flag has been removed from /proc/cpuinfo in latest kernels.
The full information is available in /sys instead, which
was already implemented in the script.
2018-02-09 20:12:33 +01:00
eb75e51975
fix(ucode): update list of blacklisted ucodes from 2018-02-08 Intel document
...
Removed 2 ucodes and added 2 other ones
2018-02-09 19:56:27 +01:00
253e180807
Update spectre-meltdown-checker.sh
...
Dots better than colon for indicating waiting.
2018-02-06 19:02:56 +01:00
5d6102a00e
enh: show kernel version in offline mode
2018-02-02 11:27:04 +01:00
a2dfca671e
feat: detect disrepancy between found kernel image and running kernel
2018-02-02 11:13:54 +01:00
36bd80d75f
enh: speedup by not decompressing kernel on --sysfs-only
2018-02-02 11:13:31 +01:00
1834dd6201
feat: add skylake era cpu detection routine
2018-02-02 11:12:10 +01:00
3d765bc703
enh: lazy loading of cpu informations
2018-02-02 11:11:51 +01:00
07afd95b63
feat: better cleanup routine on exit & interrupt
2018-02-02 11:09:36 +01:00
b7a10126d1
fix: ARM CPU display name & detection
...
Fix ARM CPU display name, and properly
detect known vulnerable ARM CPUs when
multiple different model cores are
present (mostly Android phones)
2018-02-02 11:00:23 +01:00
6346a0deaa
fix: --no-color workaround for android's sed
2018-02-02 10:59:49 +01:00
8106f91981
release: bump to v0.34
2018-01-31 16:28:54 +01:00
b1fdf88f28
enh: display ucode info even when not blacklisted
2018-01-31 16:21:32 +01:00
4d29607630
cleanup: shellcheck pass
2018-01-31 16:15:20 +01:00
0267659adc
cleanup: remove superseded atom detection code
...
This is now handled properly by checking the CPU
vendor, family, model instead of looking for the
commercial name of the CPU in /proc/cpuinfo
2018-01-31 16:15:20 +01:00
247b176882
feat: detect known speculative-execution free CPUs
...
Based on a kernel patch that has been merged to Linus' tree.
Some of the detections we did by grepping the model name
will probably no longer be needed.
2018-01-31 16:15:20 +01:00
bcae8824ec
refacto: create a dedicated func to read cpuid bits
2018-01-31 16:15:20 +01:00
71e7109c22
refacto: move cpu discovery bits to a dedicated function
2018-01-31 16:15:20 +01:00
aa18b51e1c
fix(variant1): smarter lfence check
...
Instead of just counting the number of LFENCE
instructions, now we're only counting the those
that directly follow a jump instruction.
2018-01-31 14:34:54 +01:00
b738ac4bd7
fix: regression introduced by previous commit
...
449: ./spectre-meltdown-checker.sh: 3: parameter not set
This happened only on blacklisted microcodes, fixed by
adding set +u before the return
2018-01-31 12:13:50 +01:00
799ce3eb30
update blacklisted ucode list from kernel source
2018-01-31 11:26:23 +01:00
f1e18c136f
doc(disclaimer): Spectre affects all software
...
Add a paragraph in the disclaimer stating that this tool focuses
on the kernel side of things, and that for Spectre, any software
might be vulnerable.
2018-01-30 14:37:52 +01:00
e05ec5c85f
feat(variant1): detect vanilla mitigation
...
Implement detection of mitigation for Variant 1 that is
being pushed on vanilla kernel.
Current name of the patch:
"spectre variant1 mitigations for tip/x86/pti" (v6)
Also detect some distros that already backported this
patch without modifying the vulnerabilities sysfs hierarchy.
This detection is more reliable than the LFENCE one, trust
it and skip the LFENCE heuristic if a match is found.
2018-01-30 12:55:34 +01:00
6e544d6055
fix(cpu): Pentium Exxxx are vulnerable to Meltdown
2018-01-29 11:18:15 +01:00
90a65965ff
adjust: show how to enable IBRS/IBPB in -v only
2018-01-29 11:06:15 +01:00
9b53635eda
refacto: fix shellcheck warnings for better compat
...
Now `shellcheck -s sh` no longer shows any warnings.
This should improve compatibility with exotic shells
as long as they're POSIX compliant.
2018-01-29 10:34:08 +01:00
7404929661
Fix printing of microcode to use cpuinfo values
...
The values used should be the ones that come from cpuinfo instead of
the test values. The following line will print the last tuple tested
instead of the actual values of the CPU.
Line 689: _debug "is_ucode_blacklisted: no ($model/$stepping/$ucode)"
2018-01-26 18:23:18 +01:00
0798bd4c5b
fix: report arch_capabilities as NO when no MSR
...
When the arch_capabilities MSR is not there, it means
that all the features it might advertise can be considered
as NO instead of UNKNOWN
2018-01-26 14:55:01 +01:00
42094c4f8b
release: v0.33
2018-01-26 14:20:29 +01:00
03d2dfe008
feat: add blacklisted Intel ucode detection
...
Some Intel microcodes are known to cause instabilities
such as random reboots. Intel advises to revert to a
previous version if a newer one that fixes those issues
is not available. Detect such known bad microcodes.
2018-01-26 14:19:54 +01:00
9f00ffa5af
fix: fallback to UNKNOWN when we get -EACCES
...
For detection of IBRS_ALL and RDCL_NO, fallback to
UNKNOWN when we were unable to read the CPUID or MSR.
2018-01-26 14:16:34 +01:00
7f0d80b305
xen: detect if the host is a Xen Dom0 or PV DomU ( fixes #83 )
2018-01-25 11:04:30 +01:00
d1c1f0f0f0
fix(batch): fix regression introduced by acf12a6
...
In batch mode, $echo_cmd was not initialized early
enough, and caused this error:
./spectre-meltdown-checker.sh: 899: ./spectre-meltdown-checker.sh: -ne: not found
Fix it by initing echo_cmd unconditionally at the start
2018-01-24 17:57:19 +01:00
acf12a6d2d
feat(cpu) add STIBP, RDCL_NO, IBRS_ALL checks
...
Move all the CPU checks to their own section,
for clarity. We now check for IBRS, IBPB, STIBP,
RDCL_NO and IBRS_ALL. We also show whether the
system CPU is vulnerable to the three variants,
regardless of the fact that mitigations are in
place or not, which is determined in each vuln-
specific section.
2018-01-24 14:44:16 +01:00
b45e40bec8
feat(stibp): add STIBP cpuid feature check
2018-01-24 12:19:02 +01:00
3c1d452c99
fix(cpuid): fix off-by-one SPEC_CTRL bit check
2018-01-24 12:18:56 +01:00
53b9eda040
fix: don't make IBPB mandatory when it's not there
...
On some kernels there could be IBRS support but not
IBPB support, in that case, don't report VULN just
because IBPB is not enabled when IBRS is
2018-01-24 09:04:25 +01:00
3b0ec998b1
fix(cosmetic): tiny msg fixes
2018-01-24 09:04:25 +01:00
d55bafde19
fix(cpu): trust is_cpu_vulnerable even w/ debugfs
...
For variant3 under AMD, the debugfs vulnerabilities hierarchy
flags the system as Vulnerable, which is wrong. Trust our own
is_cpu_vulnerable() func in that case
2018-01-24 09:04:25 +01:00
147462c0ab
fix(variant3): do our checks even if sysfs is here
2018-01-24 09:04:25 +01:00
ddc7197b86
fix(retpoline): retpoline-compiler detection
...
When kernel is not compiled with retpoline option, doesn't
have the sysfs vulnerability hierarchy and our heuristic to
detect a retpoline-aware compiler didn't match, change result
for retpoline-aware compiler detection from UNKNOWN to NO.
When CONFIG_RETPOLINE is not set, a retpoline-aware compiler
won't produce different asm than a standard one anyway.
2018-01-24 09:04:25 +01:00
e7aa3b9d16
feat(retpoline): check if retpoline is enabled
...
Before we would just check if retpoline was compiled
in, now we also check that it's enabled at runtime
(only in live mode)
2018-01-24 09:04:25 +01:00
ff5c92fa6f
feat(sysfs): print details even with sysfs
...
Before, when the /sys kernel vulnerability interface
was available, we would bypass all our tests and just
print the output of the vulnerability interface. Now,
we still rely on it when available, but we run our
checks anyway, except for variant 1 where the current
method of mitigation detection doesn't add much value
to the bare /sys check
2018-01-24 09:04:25 +01:00
443d9a2ae9
feat(ibpb): now also check for IBPB on variant 2
...
In addition to IBRS (and microcode support), IBPB
must be used to mitigate variant 2, if retpoline
support is not available. The vulnerability status
of a system will be defined as "non vulnerable"
if IBRS and IBPB are both enabled, or if IBPB
is enabled with a value of 2 for RedHat kernels,
see https://access.redhat.com/articles/3311301
2018-01-24 09:04:25 +01:00
3e454f1817
fix(offline): report unknown when too few info
...
In offline mode, in the worst case where an invalid
config file is given, and we have no vmlinux image
nor System.map, the script was reporting Variant 2
and Variant 3 as vulnerable in the global status.
Replace this by a proper pair of UNKNOWNs
2018-01-23 22:20:34 +01:00
c8a25c5d97
feat: detect invalid kconfig files
2018-01-23 21:48:19 +01:00
40381349ab
fix(dmesg): detect when dmesg is truncated
...
To avoid false negatives when looking for a message
in dmesg, we were previously also grepping in known
on-disk archives of dmesg (dmesg.log, kern.log).
This in turn caused false positives because we have no
guarantee that we're grepping the dmesg of the current
running kernel. Hence we now only look in the live
`dmesg`, detect if it has been truncated, and report
it to the user.
2018-01-21 16:26:08 +01:00
0aa5857a76
fix(cpu): Pentium Exxxx series are not vulnerable
...
Pentium E series are not in the vulnerable list from
Intel, and Spectre2 PoC reportedly doesn't work on
an E5200
2018-01-21 16:13:17 +01:00
b3b7f634e6
fix(display): use text-mode compatible colors
...
in text-mode 80-cols TERM=linux terminals, colors
were not displaying properly, one had to use
--no-color to be able to read some parts of the
text.
2018-01-21 12:32:22 +01:00
263ef65fec
bump to v0.32
2018-01-20 12:49:12 +01:00
a1bd233c49
revert to a simpler check_vmlinux()
2018-01-20 12:26:26 +01:00
de6590cd09
cache is_cpu_vulnerable result for performance
2018-01-20 12:24:23 +01:00
56d4f82484
is_cpu_vulnerable: implement check for multi-arm systems
2018-01-20 12:24:23 +01:00
7fa2d6347b
check_vmlinux: when readelf doesn't work, try harder with another way
2018-01-20 12:23:55 +01:00
3be5e90481
be smarter to find a usable echo command
2018-01-20 12:23:55 +01:00
995620a682
add pine64 vmlinuz location
2018-01-20 12:23:19 +01:00
193e0d8d08
arm: cosmetic fix for name and handle aarch64
2018-01-20 12:22:48 +01:00
72ef94ab3d
ARM: display a friendly name instead of empty string
2018-01-20 12:22:48 +01:00
ccc0453df7
search in /lib/modules/$(uname -r) for vmlinuz, config, System.map
...
On Fedora machines /lib/modules/$(uname -r) has all the files.
2018-01-20 11:19:34 +01:00
14ca49a042
Atom N270: implement another variation
2018-01-19 18:47:38 +01:00
db357b8e25
CoreOS: remove ephemeral install of a non-used package
2018-01-18 10:17:25 +01:00
42a57dd980
add kern.log as another backend of dmesg output
2018-01-17 17:17:39 +01:00
5ab95f3656
fix(atom): don't use a pcre regex, only an extended one
2018-01-17 12:01:13 +01:00
5b6e39916d
fix(atom): properly detect Nxxx Atom series
2018-01-17 11:07:47 +01:00
556951d5f0
Add Support for Slackware.
...
Signed-off-by: Willy Sudiarto Raharjo <willysr@gmail.com>
2018-01-16 11:55:03 +01:00
7a88aec95f
Implement CoreOS compatibility mode ( #84 )
...
* Add special CoreOS compatibility mode
* CoreOS: refuse --coreos if we're not under CoreOS
* CoreOS: warn if launched without --coreos option
* is_coreos: make stderr silent
* CoreOS: tiny adjustments
2018-01-16 10:33:01 +01:00
bd18323d79
bump to v0.31 to reflect changes
2018-01-14 22:34:09 +01:00
b89d67dd15
meltdown: detecting Xen PV, reporting as not vulnerable
2018-01-14 22:31:21 +01:00
704e54019a
is_cpu_vulnerable: add check for old Atoms
2018-01-14 21:32:56 +01:00
d96093171a
verbose: add PCID check for performance impact of PTI
2018-01-14 17:18:34 +01:00
dcc4488340
Merge pull request #80 from speed47/cpuid_spec_ctrl
...
v0.30, cpuid spec ctrl and other enhancements
2018-01-14 16:48:02 +01:00
32e3fe6c07
bump to v0.30 to reflect changes
2018-01-14 16:45:59 +01:00
71213c11b3
ibrs: check for spec_ctrl_ibrs in cpuinfo
2018-01-14 16:36:51 +01:00
2964c4ab44
add support for NixOS kernel
...
this removes the need to specify the kernel version manually on NixOS
2018-01-14 16:18:29 +01:00
749f432d32
also check for spec_ctrl flag in cpuinfo
2018-01-14 15:47:51 +01:00
a422b53d7c
also check for cpuinfo flag
2018-01-14 15:47:51 +01:00
c483a2cf60
check spec_ctrl support using cpuid
2018-01-14 15:47:51 +01:00
dead0054a4
fix: proper detail msg in vuln status
2018-01-14 15:47:22 +01:00
e5e4851d72
proper return codes regardless of the batch mode
2018-01-14 14:24:31 +01:00
7f92717a2c
add info about accuracy when missing kernel files
2018-01-13 13:59:17 +01:00
b47d505689
AMD now vuln to variant2 (as per their stmt)
2018-01-13 13:35:31 +01:00
4a2d051285
minor is_cpu_vulnerable() changes ( #71 )
...
* correct is_cpu_vulnerable() comment
As far as I can tell, the function and usage are correct for the comment
to be inverted.
Add a clarifying note as to why the value choice makes sense.
* exit on invalid varient
If this happens, it's a bug in the script. None of the calling code
checks for status 255, so don't let a scripting bug cause a false
negative.
* no need to set vulnerable CPUs
According to comment above this code:
'by default, everything is vulnerable, we work in a "whitelist" logic here.'
2018-01-13 13:16:37 +01:00
f3551b9734
Only show the name of the script, not the full path ( #72 )
2018-01-13 13:14:19 +01:00
45b98e125f
fix some typos ( #73 )
2018-01-13 13:13:40 +01:00
dce917bfbb
add --version, bump to v0.28
2018-01-12 19:10:44 +01:00
8f18f53aba
add cpu model in output
2018-01-12 19:08:12 +01:00
8bd093173d
Fixed a few spelling errors ( #60 )
2018-01-12 11:46:36 +01:00
bfe5a3b840
add some debug
2018-01-12 10:53:19 +01:00
6a0242eea3
bump to v0.27
2018-01-11 15:36:41 +01:00
bc4e39038a
fix(opcodes): fix regression introduced in previous commit
...
We were saying unknown instead of vulnerable when the count of lfence opcodes was low
This was not impacting batch mode or the final decision, just the human-readable output of the script.
2018-01-11 15:35:57 +01:00
62f8ed6f61
adding support for new /sys interface ( #55 )
...
* adding support for new /sys interface
* fix(objdump): prefer -d instead of -D, some kernels crash objdump otherwise
2018-01-11 12:23:16 +01:00
52a8f78885
send warning to stderr. ( #53 )
...
With --batch json there must not be any other output on stdout, so redirect warnings to stderr will show the warning on the console and only the json output is on stdout.
2018-01-11 09:55:43 +01:00
a09a5ba38f
bump to v0.25 to reflect changes
2018-01-11 09:08:29 +01:00
5a7d8d7edf
Produce JSON output formatted for Puppet, Ansible, Chef... ( #50 )
...
Produce JSON output formatted for Puppet, Ansible, Chef...
2018-01-11 09:04:13 +01:00
49fdc6c449
Merge pull request #51 from cowanml/file_read_check_fixup
...
fixed file read test
2018-01-10 21:39:09 +01:00
af3de2a862
fixed file read test
2018-01-10 15:17:14 -05:00
c6e1b0ac8a
feat(kernel): add support for LZ4 decompression
2018-01-10 20:10:57 +01:00
eb0ebef5a8
fix(opensuse): add specific location for ibrs_enabled file
2018-01-10 17:40:33 +01:00
a658de2f01
fix(kernel): fix detection for separate /boot partitions
2018-01-10 16:27:16 +01:00
8ed1f5e3af
feat(kernel): check the BOOT_IMAGE info from cmdline before trying the default names
2018-01-10 15:46:29 +01:00
ffc542eb82
bump to v0.23 to reflect changes
2018-01-10 15:25:55 +01:00
74bc7ba637
add --variant to specify what check we want to run
2018-01-10 15:22:30 +01:00
59fe8c2ad8
Error on unknown batch format
2018-01-10 13:57:10 +00:00
7c11d07865
Stray tab
2018-01-10 11:59:33 +00:00
7c5cfbb8c3
batch nrpe
2018-01-10 11:57:45 +00:00
381038eceb
NRPE mode
2018-01-10 11:18:45 +00:00
d6e4aa43f0
Merge pull request #37 from deufrai/better-dmesg-support
...
Improve PTI detection
2018-01-09 19:52:45 +01:00
e5e09384f0
typofix
2018-01-09 18:54:35 +01:00
Stéphane Lesimple
Rob Gill
rrobgill
Onno Zweers
Igor Lubashev
Benjamin Bouvier
Sylvestre Ledru
Alex
Sam Morris
Sylvestre Ledru
Calvin Walton
積丹尼 Dan Jacobson
Joseph Mulloy
Matthieu Cerda
Harald Hoyer
Willy Sudiarto Raharjo
Andreas Rammhold
Corey Hickey
Sylvestre Ledru
M. Willis Monroe
Tobias Rüetschi
Abdoul Bah
Matt Cowan
Marcus Downing