Commit Graph

421 Commits

Author SHA1 Message Date
Stéphane Lesimple 89c2e0fb21 fix(amd): show cpuinfo and ucode details 2018-04-05 21:39:27 +02:00
Stéphane Lesimple b88f32ed95 feat: print raw cpuid, and fetch ucode version under BSD 2018-04-05 00:07:12 +02:00
Stéphane Lesimple 7a4ebe8009 refactor: rewrite read_cpuid to get more common code parts between BSD and Linux 2018-04-05 00:06:24 +02:00
Stéphane Lesimple 0919f5c236 feat: add explanations of what to do when a vulnerability is not mitigated 2018-04-05 00:03:04 +02:00
Stéphane Lesimple de02dad909 feat: rework Spectre V2 mitigations detection w/ latest vanilla & Red Hat 7 kernels 2018-04-05 00:01:54 +02:00
Stéphane Lesimple 07484d0ea7 add dump of variables at end of script in debug mode 2018-04-04 23:58:15 +02:00
Stéphane Lesimple a8b557b9e2 fix(cpu): skip CPU checks if asked to (--no-hw) or if inspecting a kernel of another architecture 2018-04-03 19:36:28 +02:00
Stéphane Lesimple 619b2749d8 fix(sysfs): only check for sysfs for spectre2 when in live mode 2018-04-03 19:32:36 +02:00
Stéphane Lesimple 056ed00baa feat(arm): detect spectre variant 1 mitigation 2018-04-03 15:52:25 +02:00
Stéphane Lesimple aef99d20f3 fix(pti): when PTI activation is unknown, don't say we're vulnerable 2018-04-03 12:45:17 +02:00
Stéphane Lesimple e2d7ed2243 feat(arm): support for variant2 and meltdown mitigation detection 2018-04-01 17:50:18 +02:00
Stéphane Lesimple eeaeff8ec3 set version to v0.36+ for master branch between releases 2018-04-01 17:45:01 +02:00
Stéphane Lesimple f5269a362a feat(bsd): add retpoline detection for BSD 2018-04-01 17:42:29 +02:00
Stéphane Lesimple f3883a37a0 fix(xen): adjust message for DomUs w/ sysfs 2018-03-31 13:44:04 +02:00
Stéphane Lesimple b6fd69a022 release: v0.36 2018-03-27 23:08:38 +02:00
Stéphane Lesimple 7adb7661f3 enh: change colors and use red only to report vulnerability 2018-03-25 18:15:08 +02:00
Stéphane Lesimple aa74315df4 feat: speed up kernel version detection 2018-03-25 13:42:19 +02:00
Stéphane Lesimple 0b8a09ec70 fix: mis adjustments for BSD compat 2018-03-25 13:26:00 +02:00
Stéphane Lesimple b42d8f2f27 fix(write_msr): use /dev/zero instead of manually echoing zeroes 2018-03-25 12:53:50 +02:00
Stéphane Lesimple f191ec7884 feat: add --hw-only to only show CPU microcode/cpuid/msr details 2018-03-25 12:48:37 +02:00
Stéphane Lesimple 28da7a0103 misc: message clarifications 2018-03-25 12:48:03 +02:00
Stéphane Lesimple ece25b98a1 feat: implement support for NetBSD/FreeBSD/DragonFlyBSD 2018-03-25 12:28:02 +02:00
Stéphane Lesimple 889172dbb1 feat: add special extract_vmlinux mode for old RHEL kernels 2018-03-25 11:55:44 +02:00
Stéphane Lesimple 37ce032888 fix: bypass MSR/CPUID checks for non-x86 CPUs 2018-03-25 11:55:44 +02:00
Stéphane Lesimple 701cf882ad feat: more robust validation of extracted kernel image 2018-03-25 11:55:44 +02:00
Stéphane Lesimple 6a94c3f158 feat(extract_vmlinux): look for ELF magic in decompressed blob and cut at found offset 2018-03-25 11:55:42 +02:00
Stéphane Lesimple 2d993812ab feat: add --prefix-arch for cross-arch kernel inspection 2018-03-25 11:55:10 +02:00
Stéphane Lesimple 4961f8327f fix(ucode): fix blacklist detection for some ucode versions 2018-03-19 12:09:39 +01:00
Alex ecdc448531 Check MSR in each CPU/Thread (#136) 2018-03-17 17:17:15 +01:00
Stéphane Lesimple 12ea49fe0c fix(kvm): properly detect PVHVM mode (fixes #163) 2018-03-16 18:29:58 +01:00
Stéphane Lesimple 053f1613de fix(doc): use https:// URLs in the script comment header 2018-03-16 18:24:59 +01:00
Stéphane Lesimple bda18d04a0 fix: pine64: re-add vmlinuz location and some error checks 2018-03-10 16:02:44 +01:00
Stéphane Lesimple d5832dc1dc feat: add ELF magic detection on kernel image blob for some arm64 systems 2018-03-10 14:57:25 +01:00
Stéphane Lesimple d2f46740e9 feat: enhance kernel image version detection for some old kernels 2018-03-10 14:57:25 +01:00
Sam Morris 2f6a6554a2 Produce output for consumption by prometheus-node-exporter
A report of all vulnerable machines to be produced with a query such as:

    spexec_vuln_status{status!="OK"}
2018-02-27 11:08:39 +01:00
Stéphane Lesimple 30842dd9c0 release: bump to v0.35 2018-02-16 10:35:49 +01:00
Stéphane Lesimple b4ac5fcbe3 feat(variant2): better explanation when kernel supports IBRS but CPU does not 2018-02-16 10:34:01 +01:00
Stéphane Lesimple 55a6fd3911 feat(variant1): better detection for Red Hat/Ubuntu patch 2018-02-15 21:19:49 +01:00
Sylvestre Ledru 35c8a63de6 Remove the color in the title 2018-02-15 20:21:00 +01:00
Stéphane Lesimple 5f914e555e fix(xen): declare Xen's PTI patch as a valid mitigation for variant3 2018-02-14 14:24:55 +01:00
Stéphane Lesimple 66dce2c158 fix(ucode): update blacklisted ucodes list from latest Intel info 2018-02-14 14:14:16 +01:00
Calvin Walton 155cac2102 Teach checker how to find kernels installed by systemd kernel-install 2018-02-10 20:51:33 +01:00
Stéphane Lesimple 22cae605e1 fix(retpoline): remove the "retpoline enabled" test
This test worked for some early versions of the retpoline
implementation in vanilla kernels, but the corresponding
flag has been removed from /proc/cpuinfo in latest kernels.
The full information is available in /sys instead, which
was already implemented in the script.
2018-02-09 20:12:33 +01:00
Stéphane Lesimple eb75e51975 fix(ucode): update list of blacklisted ucodes from 2018-02-08 Intel document
Removed 2 ucodes and added 2 other ones
2018-02-09 19:56:27 +01:00
積丹尼 Dan Jacobson 253e180807 Update spectre-meltdown-checker.sh
Dots better than colon for indicating waiting.
2018-02-06 19:02:56 +01:00
Stéphane Lesimple 5d6102a00e enh: show kernel version in offline mode 2018-02-02 11:27:04 +01:00
Stéphane Lesimple a2dfca671e feat: detect discrepancy between found kernel image and running kernel 2018-02-02 11:13:54 +01:00
Stéphane Lesimple 36bd80d75f enh: speedup by not decompressing kernel on --sysfs-only 2018-02-02 11:13:31 +01:00
Stéphane Lesimple 1834dd6201 feat: add skylake era cpu detection routine 2018-02-02 11:12:10 +01:00
Stéphane Lesimple 3d765bc703 enh: lazy loading of cpu information 2018-02-02 11:11:51 +01:00
Stéphane Lesimple 07afd95b63 feat: better cleanup routine on exit & interrupt 2018-02-02 11:09:36 +01:00
Stéphane Lesimple b7a10126d1 fix: ARM CPU display name & detection
Fix ARM CPU display name, and properly
detect known vulnerable ARM CPUs when
multiple different model cores are
present (mostly Android phones)
2018-02-02 11:00:23 +01:00
Stéphane Lesimple 6346a0deaa fix: --no-color workaround for android's sed 2018-02-02 10:59:49 +01:00
Stéphane Lesimple 8106f91981 release: bump to v0.34 2018-01-31 16:28:54 +01:00
Stéphane Lesimple b1fdf88f28 enh: display ucode info even when not blacklisted 2018-01-31 16:21:32 +01:00
Stéphane Lesimple 4d29607630 cleanup: shellcheck pass 2018-01-31 16:15:20 +01:00
Stéphane Lesimple 0267659adc cleanup: remove superseded atom detection code
This is now handled properly by checking the CPU
vendor, family, model instead of looking for the
commercial name of the CPU in /proc/cpuinfo
2018-01-31 16:15:20 +01:00
Stéphane Lesimple 247b176882 feat: detect known speculative-execution free CPUs
Based on a kernel patch that has been merged to Linus' tree.
Some of the detections we did by grepping the model name
will probably no longer be needed.
2018-01-31 16:15:20 +01:00
Stéphane Lesimple bcae8824ec refacto: create a dedicated func to read cpuid bits 2018-01-31 16:15:20 +01:00
Stéphane Lesimple 71e7109c22 refacto: move cpu discovery bits to a dedicated function 2018-01-31 16:15:20 +01:00
Stéphane Lesimple aa18b51e1c fix(variant1): smarter lfence check
Instead of just counting the number of LFENCE
instructions, now we're only counting those
that directly follow a jump instruction.
2018-01-31 14:34:54 +01:00
Stéphane Lesimple b738ac4bd7 fix: regression introduced by previous commit
449: ./spectre-meltdown-checker.sh: 3: parameter not set
This happened only on blacklisted microcodes, fixed by
adding set +u before the return
2018-01-31 12:13:50 +01:00
Stéphane Lesimple 799ce3eb30 update blacklisted ucode list from kernel source 2018-01-31 11:26:23 +01:00
Stéphane Lesimple f1e18c136f doc(disclaimer): Spectre affects all software
Add a paragraph in the disclaimer stating that this tool focuses
on the kernel side of things, and that for Spectre, any software
might be vulnerable.
2018-01-30 14:37:52 +01:00
Stéphane Lesimple e05ec5c85f feat(variant1): detect vanilla mitigation
Implement detection of mitigation for Variant 1 that is
being pushed on vanilla kernel.
Current name of the patch:
"spectre variant1 mitigations for tip/x86/pti" (v6)
Also detect some distros that already backported this
patch without modifying the vulnerabilities sysfs hierarchy.
This detection is more reliable than the LFENCE one, trust
it and skip the LFENCE heuristic if a match is found.
2018-01-30 12:55:34 +01:00
Stéphane Lesimple 6e544d6055 fix(cpu): Pentium Exxxx are vulnerable to Meltdown 2018-01-29 11:18:15 +01:00
Stéphane Lesimple 90a65965ff adjust: show how to enable IBRS/IBPB in -v only 2018-01-29 11:06:15 +01:00
Stéphane Lesimple 9b53635eda refacto: fix shellcheck warnings for better compat
Now `shellcheck -s sh` no longer shows any warnings.
This should improve compatibility with exotic shells
as long as they're POSIX compliant.
2018-01-29 10:34:08 +01:00
Joseph Mulloy 7404929661 Fix printing of microcode to use cpuinfo values
The values used should be the ones that come from cpuinfo instead of
the test values. The following line will print the last tuple tested
instead of the actual values of the CPU.

Line 689: _debug "is_ucode_blacklisted: no ($model/$stepping/$ucode)"
2018-01-26 18:23:18 +01:00
Stéphane Lesimple 0798bd4c5b fix: report arch_capabilities as NO when no MSR
When the arch_capabilities MSR is not there, it means
that all the features it might advertise can be considered
as NO instead of UNKNOWN
2018-01-26 14:55:01 +01:00
Stéphane Lesimple 42094c4f8b release: v0.33 2018-01-26 14:20:29 +01:00
Stéphane Lesimple 03d2dfe008 feat: add blacklisted Intel ucode detection
Some Intel microcodes are known to cause instabilities
such as random reboots. Intel advises to revert to a
previous version if a newer one that fixes those issues
is not available. Detect such known bad microcodes.
2018-01-26 14:19:54 +01:00
Stéphane Lesimple 9f00ffa5af fix: fallback to UNKNOWN when we get -EACCES
For detection of IBRS_ALL and RDCL_NO, fallback to
UNKNOWN when we were unable to read the CPUID or MSR.
2018-01-26 14:16:34 +01:00
Matthieu Cerda 7f0d80b305 xen: detect if the host is a Xen Dom0 or PV DomU (fixes #83) 2018-01-25 11:04:30 +01:00
Stéphane Lesimple d1c1f0f0f0 fix(batch): fix regression introduced by acf12a6
In batch mode, $echo_cmd was not initialized early
enough, and caused this error:
./spectre-meltdown-checker.sh: 899: ./spectre-meltdown-checker.sh: -ne: not found
Fix it by initing echo_cmd unconditionally at the start
2018-01-24 17:57:19 +01:00
Stéphane Lesimple acf12a6d2d feat(cpu) add STIBP, RDCL_NO, IBRS_ALL checks
Move all the CPU checks to their own section,
for clarity. We now check for IBRS, IBPB, STIBP,
RDCL_NO and IBRS_ALL. We also show whether the
system CPU is vulnerable to the three variants,
regardless of the fact that mitigations are in
place or not, which is determined in each vuln-
specific section.
2018-01-24 14:44:16 +01:00
Stéphane Lesimple b45e40bec8 feat(stibp): add STIBP cpuid feature check 2018-01-24 12:19:02 +01:00
Stéphane Lesimple 3c1d452c99 fix(cpuid): fix off-by-one SPEC_CTRL bit check 2018-01-24 12:18:56 +01:00
Stéphane Lesimple 53b9eda040 fix: don't make IBPB mandatory when it's not there
On some kernels there could be IBRS support but not
IBPB support, in that case, don't report VULN just
because IBPB is not enabled when IBRS is
2018-01-24 09:04:25 +01:00
Stéphane Lesimple 3b0ec998b1 fix(cosmetic): tiny msg fixes 2018-01-24 09:04:25 +01:00
Stéphane Lesimple d55bafde19 fix(cpu): trust is_cpu_vulnerable even w/ debugfs
For variant3 under AMD, the debugfs vulnerabilities hierarchy
flags the system as Vulnerable, which is wrong. Trust our own
is_cpu_vulnerable() func in that case
2018-01-24 09:04:25 +01:00
Stéphane Lesimple 147462c0ab fix(variant3): do our checks even if sysfs is here 2018-01-24 09:04:25 +01:00
Stéphane Lesimple ddc7197b86 fix(retpoline): retpoline-compiler detection
When kernel is not compiled with retpoline option, doesn't
have the sysfs vulnerability hierarchy and our heuristic to
detect a retpoline-aware compiler didn't match, change result
for retpoline-aware compiler detection from UNKNOWN to NO.
When CONFIG_RETPOLINE is not set, a retpoline-aware compiler
won't produce different asm than a standard one anyway.
2018-01-24 09:04:25 +01:00
Stéphane Lesimple e7aa3b9d16 feat(retpoline): check if retpoline is enabled
Before we would just check if retpoline was compiled
in, now we also check that it's enabled at runtime
(only in live mode)
2018-01-24 09:04:25 +01:00
Stéphane Lesimple ff5c92fa6f feat(sysfs): print details even with sysfs
Before, when the /sys kernel vulnerability interface
was available, we would bypass all our tests and just
print the output of the vulnerability interface. Now,
we still rely on it when available, but we run our
checks anyway, except for variant 1 where the current
method of mitigation detection doesn't add much value
to the bare /sys check
2018-01-24 09:04:25 +01:00
Stéphane Lesimple 443d9a2ae9 feat(ibpb): now also check for IBPB on variant 2
In addition to IBRS (and microcode support), IBPB
must be used to mitigate variant 2, if retpoline
support is not available. The vulnerability status
of a system will be defined as "non vulnerable"
if IBRS and IBPB are both enabled, or if IBPB
is enabled with a value of 2 for RedHat kernels,
see https://access.redhat.com/articles/3311301
2018-01-24 09:04:25 +01:00
Stéphane Lesimple 3e454f1817 fix(offline): report unknown when too few info
In offline mode, in the worst case where an invalid
config file is given, and we have no vmlinux image
nor System.map, the script was reporting Variant 2
and Variant 3 as vulnerable in the global status.
Replace this by a proper pair of UNKNOWNs
2018-01-23 22:20:34 +01:00
Stéphane Lesimple c8a25c5d97 feat: detect invalid kconfig files 2018-01-23 21:48:19 +01:00
Stéphane Lesimple 40381349ab fix(dmesg): detect when dmesg is truncated
To avoid false negatives when looking for a message
in dmesg, we were previously also grepping in known
on-disk archives of dmesg (dmesg.log, kern.log).
This in turn caused false positives because we have no
guarantee that we're grepping the dmesg of the current
running kernel. Hence we now only look in the live
`dmesg`, detect if it has been truncated, and report
it to the user.
2018-01-21 16:26:08 +01:00
Stéphane Lesimple 0aa5857a76 fix(cpu): Pentium Exxxx series are not vulnerable
Pentium E series are not in the vulnerable list from
Intel, and Spectre2 PoC reportedly doesn't work on
an E5200
2018-01-21 16:13:17 +01:00
Stéphane Lesimple b3b7f634e6 fix(display): use text-mode compatible colors
in text-mode 80-cols TERM=linux terminals, colors
were not displaying properly, one had to use
--no-color to be able to read some parts of the
text.
2018-01-21 12:32:22 +01:00
Stéphane Lesimple 263ef65fec bump to v0.32 2018-01-20 12:49:12 +01:00
Stéphane Lesimple a1bd233c49 revert to a simpler check_vmlinux() 2018-01-20 12:26:26 +01:00
Stéphane Lesimple de6590cd09 cache is_cpu_vulnerable result for performance 2018-01-20 12:24:23 +01:00
Stéphane Lesimple 56d4f82484 is_cpu_vulnerable: implement check for multi-arm systems 2018-01-20 12:24:23 +01:00
Stéphane Lesimple 7fa2d6347b check_vmlinux: when readelf doesn't work, try harder with another way 2018-01-20 12:23:55 +01:00
Stéphane Lesimple 3be5e90481 be smarter to find a usable echo command 2018-01-20 12:23:55 +01:00
Stéphane Lesimple 995620a682 add pine64 vmlinuz location 2018-01-20 12:23:19 +01:00
Stéphane Lesimple 193e0d8d08 arm: cosmetic fix for name and handle aarch64 2018-01-20 12:22:48 +01:00
Stéphane Lesimple 72ef94ab3d ARM: display a friendly name instead of empty string 2018-01-20 12:22:48 +01:00
Harald Hoyer ccc0453df7 search in /lib/modules/$(uname -r) for vmlinuz, config, System.map
On Fedora machines /lib/modules/$(uname -r) has all the files.
2018-01-20 11:19:34 +01:00
Stéphane Lesimple 14ca49a042 Atom N270: implement another variation 2018-01-19 18:47:38 +01:00
Stéphane Lesimple db357b8e25 CoreOS: remove ephemeral install of a non-used package 2018-01-18 10:17:25 +01:00
Stéphane Lesimple 42a57dd980 add kern.log as another backend of dmesg output 2018-01-17 17:17:39 +01:00
Stéphane Lesimple 5ab95f3656 fix(atom): don't use a pcre regex, only an extended one 2018-01-17 12:01:13 +01:00
Stéphane Lesimple 5b6e39916d fix(atom): properly detect Nxxx Atom series 2018-01-17 11:07:47 +01:00
Willy Sudiarto Raharjo 556951d5f0 Add Support for Slackware.
Signed-off-by: Willy Sudiarto Raharjo <willysr@gmail.com>
2018-01-16 11:55:03 +01:00
Stéphane Lesimple 7a88aec95f Implement CoreOS compatibility mode (#84)
* Add special CoreOS compatibility mode
* CoreOS: refuse --coreos if we're not under CoreOS
* CoreOS: warn if launched without --coreos option
* is_coreos: make stderr silent
* CoreOS: tiny adjustments
2018-01-16 10:33:01 +01:00
Stéphane Lesimple bd18323d79 bump to v0.31 to reflect changes 2018-01-14 22:34:09 +01:00
Stéphane Lesimple b89d67dd15 meltdown: detecting Xen PV, reporting as not vulnerable 2018-01-14 22:31:21 +01:00
Stéphane Lesimple 704e54019a is_cpu_vulnerable: add check for old Atoms 2018-01-14 21:32:56 +01:00
Stéphane Lesimple d96093171a verbose: add PCID check for performance impact of PTI 2018-01-14 17:18:34 +01:00
Stéphane Lesimple dcc4488340 Merge pull request #80 from speed47/cpuid_spec_ctrl
v0.30, cpuid spec ctrl and other enhancements
2018-01-14 16:48:02 +01:00
Stéphane Lesimple 32e3fe6c07 bump to v0.30 to reflect changes 2018-01-14 16:45:59 +01:00
Stéphane Lesimple 71213c11b3 ibrs: check for spec_ctrl_ibrs in cpuinfo 2018-01-14 16:36:51 +01:00
Andreas Rammhold 2964c4ab44 add support for NixOS kernel
this removes the need to specify the kernel version manually on NixOS
2018-01-14 16:18:29 +01:00
Stéphane Lesimple 749f432d32 also check for spec_ctrl flag in cpuinfo 2018-01-14 15:47:51 +01:00
Stéphane Lesimple a422b53d7c also check for cpuinfo flag 2018-01-14 15:47:51 +01:00
Stéphane Lesimple c483a2cf60 check spec_ctrl support using cpuid 2018-01-14 15:47:51 +01:00
Stéphane Lesimple dead0054a4 fix: proper detail msg in vuln status 2018-01-14 15:47:22 +01:00
Stéphane Lesimple e5e4851d72 proper return codes regardless of the batch mode 2018-01-14 14:24:31 +01:00
Stéphane Lesimple 7f92717a2c add info about accuracy when missing kernel files 2018-01-13 13:59:17 +01:00
Stéphane Lesimple b47d505689 AMD now vuln to variant2 (as per their stmt) 2018-01-13 13:35:31 +01:00
Corey Hickey 4a2d051285 minor is_cpu_vulnerable() changes (#71)
* correct is_cpu_vulnerable() comment

As far as I can tell, the function and usage are correct for the comment
to be inverted.

Add a clarifying note as to why the value choice makes sense.

* exit on invalid variant

If this happens, it's a bug in the script. None of the calling code
checks for status 255, so don't let a scripting bug cause a false
negative.

* no need to set vulnerable CPUs

According to comment above this code:
'by default, everything is vulnerable, we work in a "whitelist" logic here.'
2018-01-13 13:16:37 +01:00
Sylvestre Ledru f3551b9734 Only show the name of the script, not the full path (#72) 2018-01-13 13:14:19 +01:00
Sylvestre Ledru 45b98e125f fix some typos (#73) 2018-01-13 13:13:40 +01:00
Stéphane Lesimple dce917bfbb add --version, bump to v0.28 2018-01-12 19:10:44 +01:00
Stéphane Lesimple 8f18f53aba add cpu model in output 2018-01-12 19:08:12 +01:00
M. Willis Monroe 8bd093173d Fixed a few spelling errors (#60) 2018-01-12 11:46:36 +01:00
Stéphane Lesimple bfe5a3b840 add some debug 2018-01-12 10:53:19 +01:00
Stéphane Lesimple 6a0242eea3 bump to v0.27 2018-01-11 15:36:41 +01:00
Stéphane Lesimple bc4e39038a fix(opcodes): fix regression introduced in previous commit
We were saying unknown instead of vulnerable when the count of lfence opcodes was low
This was not impacting batch mode or the final decision, just the human-readable output of the script.
2018-01-11 15:35:57 +01:00
Stéphane Lesimple 62f8ed6f61 adding support for new /sys interface (#55)
* adding support for new /sys interface
* fix(objdump): prefer -d instead of -D, some kernels crash objdump otherwise
2018-01-11 12:23:16 +01:00
Tobias Rüetschi 52a8f78885 send warning to stderr. (#53)
With --batch json there must not be any other output on stdout, so redirecting warnings to stderr will show the warning on the console while only the json output is on stdout.
2018-01-11 09:55:43 +01:00
Stéphane Lesimple a09a5ba38f bump to v0.25 to reflect changes 2018-01-11 09:08:29 +01:00
Abdoul Bah 5a7d8d7edf Produce JSON output formatted for Puppet, Ansible, Chef... (#50)
Produce JSON output formatted for Puppet, Ansible, Chef...
2018-01-11 09:04:13 +01:00
Stéphane Lesimple 49fdc6c449 Merge pull request #51 from cowanml/file_read_check_fixup
fixed file read test
2018-01-10 21:39:09 +01:00
Matt Cowan af3de2a862 fixed file read test 2018-01-10 15:17:14 -05:00
Stéphane Lesimple c6e1b0ac8a feat(kernel): add support for LZ4 decompression 2018-01-10 20:10:57 +01:00
Stéphane Lesimple eb0ebef5a8 fix(opensuse): add specific location for ibrs_enabled file 2018-01-10 17:40:33 +01:00
Stéphane Lesimple a658de2f01 fix(kernel): fix detection for separate /boot partitions 2018-01-10 16:27:16 +01:00
Stéphane Lesimple 8ed1f5e3af feat(kernel): check the BOOT_IMAGE info from cmdline before trying the default names 2018-01-10 15:46:29 +01:00
Stéphane Lesimple ffc542eb82 bump to v0.23 to reflect changes 2018-01-10 15:25:55 +01:00
Stéphane Lesimple 74bc7ba637 add --variant to specify what check we want to run 2018-01-10 15:22:30 +01:00
Marcus Downing 59fe8c2ad8 Error on unknown batch format 2018-01-10 13:57:10 +00:00
Marcus Downing 7c11d07865 Stray tab 2018-01-10 11:59:33 +00:00
Marcus Downing 7c5cfbb8c3 batch nrpe 2018-01-10 11:57:45 +00:00
Marcus Downing 381038eceb NRPE mode 2018-01-10 11:18:45 +00:00
Stéphane Lesimple d6e4aa43f0 Merge pull request #37 from deufrai/better-dmesg-support
Improve PTI detection
2018-01-09 19:52:45 +01:00
Stéphane Lesimple e5e09384f0 typofix 2018-01-09 18:54:35 +01:00
Stéphane Lesimple 7222367f04 add disclaimer and bump to 0.21 2018-01-09 18:52:21 +01:00
Stéphane Lesimple ab512687cf Merge pull request #38 from Alkorin/fixARM
Fix ARM checks
2018-01-09 18:47:25 +01:00
Alkorin 335439dee0 Fix small typo in error message 2018-01-09 18:44:15 +01:00
Alkorin 45297b6f7d Fix ARM checks 2018-01-09 18:41:48 +01:00
Frederic CORNU a7b14306d5 Improve PTI detection even more
when PTI detection relies on dmesg, dmesg output is checked first
then /var/log/dmesg if dmesg output lacks boot time messages
2018-01-09 18:26:32 +01:00
Frederic CORNU 608952ff71 Improve PTI detection
In case of a busy or misconfigured server, the kernel message buffer loop
can be filled with messages broadcast later than boot time. So the dmesg
command won't return boot time messages.

Grepping /var/log/dmesg fixes it and this log file location seems pretty
standard across many common distros
2018-01-09 18:17:39 +01:00
Stéphane Lesimple 1c3d349667 Merge pull request #31 from Feandil/batch
Add a "batch" and "verbose" mode
2018-01-09 18:12:39 +01:00
Stéphane Lesimple b93b13263d fix(pti): remove escapes since we use grep -E now 2018-01-09 16:01:44 +01:00
Vincent Brillault ad342cab06 Introduce "verbose" and "batch" modes
Rewrite the way the output is processed:
- Define verbosity level (currently warn, info (default) & verbose)
- Add a batch mode, for simple machine parsing
2018-01-09 15:58:13 +01:00
Vincent Brillault 5fd85e288b No-color: interpret string (-e) to be able to match \x1B 2018-01-09 15:57:10 +01:00
Stéphane Lesimple 322f4efc8f fix broken logic of 68961f9, increment version to 0.20 2018-01-09 14:55:12 +01:00
Vincent Brillault b6bfcdbd45 Move configuration at the beginning of the script 2018-01-09 14:18:02 +01:00
Stéphane Lesimple 68961f98c2 adding known non-vulnerable ARM chips 2018-01-09 13:11:48 +01:00
Stéphane Lesimple f0f2ea9b11 v0.19: introduce --no-color 2018-01-09 10:32:51 +01:00
Stéphane Lesimple 6f1bdba1d9 bump to v0.18 to reflect changes 2018-01-09 09:21:42 +01:00
Stéphane Lesimple 7b05105a54 Merge pull request #25 from Feandil/proc_config
When using /proc/config.gz, indicate it more clearly
2018-01-09 09:19:36 +01:00
Stéphane Lesimple 8aed2d4086 Merge pull request #26 from Feandil/proc_kallsym
Use /proc/kallsyms to get symbols, if available
2018-01-09 09:17:18 +01:00
Vincent Brillault f4140a992a Use /proc/kallsyms to get symbols, if available 2018-01-09 08:58:09 +01:00
Vincent Brillault 2c51b00a90 When using /proc/config.gz, indicate it more clearly 2018-01-09 08:54:07 +01:00
Stéphane Lesimple 2d94514c07 adding mention of heuristic for variant 1 check 2018-01-09 08:43:52 +01:00
Stéphane Lesimple 0e8f97afbc Merge pull request #24 from angus-p/Remove-extra-space
remove superfluous space from test line 315
2018-01-09 08:34:10 +01:00
angus-p cc0b325383 remove superfluous space from test line 315
Extra space was causing a non-existent variable to be tested, resulting in 'YES' if running in live mode and IBRS compiled in
2018-01-09 03:47:25 +00:00
Matthew Radcliffe 4454f03136 Increases tmp directory uniqueness to 6 characters to support Slackware 2018-01-08 22:28:55 -05:00
Stéphane Lesimple 949f316f89 missed version bump + README typofix 2018-01-08 23:15:42 +01:00
Stéphane Lesimple d73a24cb5b implement offline mode and help 2018-01-08 23:09:17 +01:00
Grim Kriegor 2d33a4369e Linux-libre support 2018-01-08 21:56:11 +00:00
Stéphane Lesimple 8d4d295309 bump to v0.16 to reflect changes 2018-01-08 17:48:20 +01:00
Stéphane Lesimple 1ff437edbb Merge pull request #16 from Alkorin/fixes
Fixes
2018-01-08 17:45:59 +01:00
Stéphane Lesimple 34656827f5 detect retpoline-compliant compiler from latest LKML patches 2018-01-08 17:32:19 +01:00
Alkorin 8c8a8d35fd Detect if 'readelf' is present 2018-01-08 16:52:09 +01:00
Alkorin debd10b517 Detect if 'strings' is present 2018-01-08 16:51:20 +01:00
Alkorin 21f81ff5c9 Detect if uncompress binaries are present 2018-01-08 16:51:14 +01:00
Stéphane Lesimple 206e4b7fbc add detection of retpoline-aware compiler 2018-01-08 16:28:00 +01:00
Alkorin 1a14483c98 Use 'readelf' instead of 'file' to detect kernel 2018-01-08 15:56:19 +01:00
Alkorin 26564206db Do not execute checks if we already found that PTI is enabled 2018-01-08 15:56:19 +01:00
Stéphane Lesimple 207168e097 detect if the used compiler supports retpoline (WIP) 2018-01-08 15:45:09 +01:00
Sebastian Wiesinger c88acdd31d Remove superfluous 'YES' output when checking cpuinfo 2018-01-08 14:50:59 +01:00
Sebastian Wiesinger 124ce8e27a Recognize 'kaiser' flag in /proc/cpuinfo 2018-01-08 14:38:43 +01:00
Vincent Brillault a792348928 RedHat uses a different configuration name 2018-01-08 12:59:12 +01:00
Vincent Brillault 66f7708095 Refactor RedHat support:
- Isolate file check to different elif (allowing to add more)
- Do the PTI debugfs check first (faster and supposed to be dynamic)
- If pti_enable is 0, don't trust dmesg (supposed to be dynamic)
2018-01-08 12:59:03 +01:00
Vincent Brillault 34ef5ef21b Delay umount (for RedHat access to pti_enable) 2018-01-08 12:58:22 +01:00
Stéphane Lesimple edbdf0da1f push the lfence opcodes threshold to 70 2018-01-08 12:49:23 +01:00
Alkorin 47c30babf1 Avoid 'cat: /sys/kernel/debug/x86/pti_enabled: Permission denied' 2018-01-08 12:41:28 +01:00
Stéphane Lesimple ef7a5c4cf6 adding uname -v to get potential additional vendor information 2018-01-08 12:22:56 +01:00
Vincent Brillault b7197d6f54 Fix debugfs mount check 2018-01-08 12:15:51 +01:00
Stéphane Lesimple c792fa35bf add kernel version information to the output 2018-01-08 12:14:12 +01:00
Stéphane Lesimple d1498fe03f Merge pull request #5 from fccagou/centos
fix(centos): check according to redhat patch.
2018-01-08 12:10:07 +01:00
Stéphane Lesimple 12bdd0e412 root check is now more visible 2018-01-08 11:31:19 +01:00
fccagou 0f50e04dab fix(centos): check according to redhat patch. https://access.redhat.com/articles/3311301 2018-01-08 11:14:22 +01:00
David Guglielmi bf056ae73d Add support for Gentoo genkernel image path 2018-01-08 11:08:53 +01:00
Frederik Schreiber 40a9d43c44 add arch linux bootimage path 2018-01-08 10:36:29 +01:00
Stéphane Lesimple c1004d5171 fix extract-vmlinux for non-gzip 2018-01-08 09:56:29 +01:00
Stéphane Lesimple fa0850466e add some comments, enhance pti detection 2018-01-08 09:37:54 +01:00
Thibault Nélis 1aaca63dcf Improve "running as root" check
Small issue with the USER environment variable:

  $ echo $USER
  thib
  $ sudo sh -c 'echo $USER'
  thib
  $ sudo -i sh -c 'echo $USER'
  root

Rather than recommending users to use sudo --login / -i, use the (very
widespread/portable) id program to retrieve the effective user ID
instead and don't change the recommendation.

  $ id -u
  1000
  $ sudo id -u
  0
  $ sudo -i id -u
  0
2018-01-08 01:22:14 +01:00
Stéphane Lesimple 96dfa03c00 fix for uncompressed vmlinux case 2018-01-08 00:45:12 +01:00
Stéphane Lesimple 05c79425ab detect kpti directly in vmlinux if option is not there 2018-01-07 22:47:41 +01:00
Stéphane Lesimple 64eb1d005c add couple missing elses 2018-01-07 18:49:15 +01:00
Stéphane Lesimple bffda8b3e7 remove dependency on rdmsr 2018-01-07 18:36:56 +01:00
Stéphane Lesimple 13f2133a97 cosmetic fix 2018-01-07 18:14:08 +01:00
Stéphane Lesimple 8c2fd0f0bb fix MSR reading, need rdmsr for now 2018-01-07 18:13:25 +01:00
Stéphane Lesimple 761c2b80e4 cosmetic fix 2018-01-07 17:19:37 +01:00
Stéphane Lesimple d6977928e5 msg fix 2018-01-07 17:15:08 +01:00
Stéphane Lesimple bd4c74331e add retpolines check 2018-01-07 16:57:14 +01:00
Stéphane Lesimple 82972f8790 fix status unknown for variant 1 2018-01-07 16:32:34 +01:00
Stéphane Lesimple 30de4f6336 remove hardcoded kernel image path 2018-01-07 16:25:50 +01:00
Stéphane Lesimple 9ed1fcd98a cosmetic + v0.02 2018-01-07 16:22:30 +01:00
Stéphane Lesimple ef7c0d7ec5 add variant 1 check 2018-01-07 16:16:11 +01:00
Stéphane Lesimple 3b760822ff fix echo under some shells 2018-01-07 16:00:01 +01:00
Stéphane Lesimple 0201b02313 typofix 2018-01-07 15:37:50 +01:00
Stéphane Lesimple c937e6603b add System.map way of detecting kpti build 2018-01-07 15:36:05 +01:00
Stéphane Lesimple 4211178b3a v0.01 2018-01-07 15:00:59 +01:00