Sylvestre Ledru
35c8a63de6
Remove the color in the title
2018-02-15 20:21:00 +01:00
Stéphane Lesimple
5f914e555e
fix(xen): declare Xen's PTI patch as a valid mitigation for variant3
2018-02-14 14:24:55 +01:00
Stéphane Lesimple
66dce2c158
fix(ucode): update blacklisted ucodes list from latest Intel info
2018-02-14 14:14:16 +01:00
Calvin Walton
155cac2102
Teach checker how to find kernels installed by systemd kernel-install
2018-02-10 20:51:33 +01:00
Stéphane Lesimple
22cae605e1
fix(retpoline): remove the "retpoline enabled" test
...
This test worked for some early versions of the retpoline
implementation in vanilla kernels, but the corresponding
flag has been removed from /proc/cpuinfo in latest kernels.
The full information is available in /sys instead, which
was already implemented in the script.
2018-02-09 20:12:33 +01:00
Stéphane Lesimple
eb75e51975
fix(ucode): update list of blacklisted ucodes from 2018-02-08 Intel document
...
Removed 2 ucodes and added 2 other ones
2018-02-09 19:56:27 +01:00
積丹尼 Dan Jacobson
253e180807
Update spectre-meltdown-checker.sh
...
Dots better than colon for indicating waiting.
2018-02-06 19:02:56 +01:00
Stéphane Lesimple
5d6102a00e
enh: show kernel version in offline mode
2018-02-02 11:27:04 +01:00
Stéphane Lesimple
a2dfca671e
feat: detect disrepancy between found kernel image and running kernel
2018-02-02 11:13:54 +01:00
Stéphane Lesimple
36bd80d75f
enh: speedup by not decompressing kernel on --sysfs-only
2018-02-02 11:13:31 +01:00
Stéphane Lesimple
1834dd6201
feat: add skylake era cpu detection routine
2018-02-02 11:12:10 +01:00
Stéphane Lesimple
3d765bc703
enh: lazy loading of cpu informations
2018-02-02 11:11:51 +01:00
Stéphane Lesimple
07afd95b63
feat: better cleanup routine on exit & interrupt
2018-02-02 11:09:36 +01:00
Stéphane Lesimple
b7a10126d1
fix: ARM CPU display name & detection
...
Fix ARM CPU display name, and properly
detect known vulnerable ARM CPUs when
multiple different model cores are
present (mostly Android phones)
2018-02-02 11:00:23 +01:00
Stéphane Lesimple
6346a0deaa
fix: --no-color workaround for android's sed
2018-02-02 10:59:49 +01:00
Stéphane Lesimple
8106f91981
release: bump to v0.34
2018-01-31 16:28:54 +01:00
Stéphane Lesimple
b1fdf88f28
enh: display ucode info even when not blacklisted
2018-01-31 16:21:32 +01:00
Stéphane Lesimple
4d29607630
cleanup: shellcheck pass
2018-01-31 16:15:20 +01:00
Stéphane Lesimple
0267659adc
cleanup: remove superseded atom detection code
...
This is now handled properly by checking the CPU
vendor, family, model instead of looking for the
commercial name of the CPU in /proc/cpuinfo
2018-01-31 16:15:20 +01:00
Stéphane Lesimple
247b176882
feat: detect known speculative-execution free CPUs
...
Based on a kernel patch that has been merged to Linus' tree.
Some of the detections we did by grepping the model name
will probably no longer be needed.
2018-01-31 16:15:20 +01:00
Stéphane Lesimple
bcae8824ec
refacto: create a dedicated func to read cpuid bits
2018-01-31 16:15:20 +01:00
Stéphane Lesimple
71e7109c22
refacto: move cpu discovery bits to a dedicated function
2018-01-31 16:15:20 +01:00
Stéphane Lesimple
aa18b51e1c
fix(variant1): smarter lfence check
...
Instead of just counting the number of LFENCE
instructions, now we're only counting the those
that directly follow a jump instruction.
2018-01-31 14:34:54 +01:00
Stéphane Lesimple
b738ac4bd7
fix: regression introduced by previous commit
...
449: ./spectre-meltdown-checker.sh: 3: parameter not set
This happened only on blacklisted microcodes, fixed by
adding set +u before the return
2018-01-31 12:13:50 +01:00
Stéphane Lesimple
799ce3eb30
update blacklisted ucode list from kernel source
2018-01-31 11:26:23 +01:00
Stéphane Lesimple
f1e18c136f
doc(disclaimer): Spectre affects all software
...
Add a paragraph in the disclaimer stating that this tool focuses
on the kernel side of things, and that for Spectre, any software
might be vulnerable.
2018-01-30 14:37:52 +01:00
Stéphane Lesimple
e05ec5c85f
feat(variant1): detect vanilla mitigation
...
Implement detection of mitigation for Variant 1 that is
being pushed on vanilla kernel.
Current name of the patch:
"spectre variant1 mitigations for tip/x86/pti" (v6)
Also detect some distros that already backported this
patch without modifying the vulnerabilities sysfs hierarchy.
This detection is more reliable than the LFENCE one, trust
it and skip the LFENCE heuristic if a match is found.
2018-01-30 12:55:34 +01:00
Stéphane Lesimple
6e544d6055
fix(cpu): Pentium Exxxx are vulnerable to Meltdown
2018-01-29 11:18:15 +01:00
Stéphane Lesimple
90a65965ff
adjust: show how to enable IBRS/IBPB in -v only
2018-01-29 11:06:15 +01:00
Stéphane Lesimple
9b53635eda
refacto: fix shellcheck warnings for better compat
...
Now `shellcheck -s sh` no longer shows any warnings.
This should improve compatibility with exotic shells
as long as they're POSIX compliant.
2018-01-29 10:34:08 +01:00
Joseph Mulloy
7404929661
Fix printing of microcode to use cpuinfo values
...
The values used should be the ones that come from cpuinfo instead of
the test values. The following line will print the last tuple tested
instead of the actual values of the CPU.
Line 689: _debug "is_ucode_blacklisted: no ($model/$stepping/$ucode)"
2018-01-26 18:23:18 +01:00
Stéphane Lesimple
0798bd4c5b
fix: report arch_capabilities as NO when no MSR
...
When the arch_capabilities MSR is not there, it means
that all the features it might advertise can be considered
as NO instead of UNKNOWN
2018-01-26 14:55:01 +01:00
Stéphane Lesimple
42094c4f8b
release: v0.33
2018-01-26 14:20:29 +01:00
Stéphane Lesimple
03d2dfe008
feat: add blacklisted Intel ucode detection
...
Some Intel microcodes are known to cause instabilities
such as random reboots. Intel advises to revert to a
previous version if a newer one that fixes those issues
is not available. Detect such known bad microcodes.
2018-01-26 14:19:54 +01:00
Stéphane Lesimple
9f00ffa5af
fix: fallback to UNKNOWN when we get -EACCES
...
For detection of IBRS_ALL and RDCL_NO, fallback to
UNKNOWN when we were unable to read the CPUID or MSR.
2018-01-26 14:16:34 +01:00
Matthieu Cerda
7f0d80b305
xen: detect if the host is a Xen Dom0 or PV DomU ( fixes #83 )
2018-01-25 11:04:30 +01:00
Stéphane Lesimple
d1c1f0f0f0
fix(batch): fix regression introduced by acf12a6
...
In batch mode, $echo_cmd was not initialized early
enough, and caused this error:
./spectre-meltdown-checker.sh: 899: ./spectre-meltdown-checker.sh: -ne: not found
Fix it by initing echo_cmd unconditionally at the start
2018-01-24 17:57:19 +01:00
Stéphane Lesimple
acf12a6d2d
feat(cpu) add STIBP, RDCL_NO, IBRS_ALL checks
...
Move all the CPU checks to their own section,
for clarity. We now check for IBRS, IBPB, STIBP,
RDCL_NO and IBRS_ALL. We also show whether the
system CPU is vulnerable to the three variants,
regardless of the fact that mitigations are in
place or not, which is determined in each vuln-
specific section.
2018-01-24 14:44:16 +01:00
Stéphane Lesimple
b45e40bec8
feat(stibp): add STIBP cpuid feature check
2018-01-24 12:19:02 +01:00
Stéphane Lesimple
3c1d452c99
fix(cpuid): fix off-by-one SPEC_CTRL bit check
2018-01-24 12:18:56 +01:00
Stéphane Lesimple
53b9eda040
fix: don't make IBPB mandatory when it's not there
...
On some kernels there could be IBRS support but not
IBPB support, in that case, don't report VULN just
because IBPB is not enabled when IBRS is
2018-01-24 09:04:25 +01:00
Stéphane Lesimple
3b0ec998b1
fix(cosmetic): tiny msg fixes
2018-01-24 09:04:25 +01:00
Stéphane Lesimple
d55bafde19
fix(cpu): trust is_cpu_vulnerable even w/ debugfs
...
For variant3 under AMD, the debugfs vulnerabilities hierarchy
flags the system as Vulnerable, which is wrong. Trust our own
is_cpu_vulnerable() func in that case
2018-01-24 09:04:25 +01:00
Stéphane Lesimple
147462c0ab
fix(variant3): do our checks even if sysfs is here
2018-01-24 09:04:25 +01:00
Stéphane Lesimple
ddc7197b86
fix(retpoline): retpoline-compiler detection
...
When kernel is not compiled with retpoline option, doesn't
have the sysfs vulnerability hierarchy and our heuristic to
detect a retpoline-aware compiler didn't match, change result
for retpoline-aware compiler detection from UNKNOWN to NO.
When CONFIG_RETPOLINE is not set, a retpoline-aware compiler
won't produce different asm than a standard one anyway.
2018-01-24 09:04:25 +01:00
Stéphane Lesimple
e7aa3b9d16
feat(retpoline): check if retpoline is enabled
...
Before we would just check if retpoline was compiled
in, now we also check that it's enabled at runtime
(only in live mode)
2018-01-24 09:04:25 +01:00
Stéphane Lesimple
ff5c92fa6f
feat(sysfs): print details even with sysfs
...
Before, when the /sys kernel vulnerability interface
was available, we would bypass all our tests and just
print the output of the vulnerability interface. Now,
we still rely on it when available, but we run our
checks anyway, except for variant 1 where the current
method of mitigation detection doesn't add much value
to the bare /sys check
2018-01-24 09:04:25 +01:00
Stéphane Lesimple
443d9a2ae9
feat(ibpb): now also check for IBPB on variant 2
...
In addition to IBRS (and microcode support), IBPB
must be used to mitigate variant 2, if retpoline
support is not available. The vulnerability status
of a system will be defined as "non vulnerable"
if IBRS and IBPB are both enabled, or if IBPB
is enabled with a value of 2 for RedHat kernels,
see https://access.redhat.com/articles/3311301
2018-01-24 09:04:25 +01:00
Stéphane Lesimple
3e454f1817
fix(offline): report unknown when too few info
...
In offline mode, in the worst case where an invalid
config file is given, and we have no vmlinux image
nor System.map, the script was reporting Variant 2
and Variant 3 as vulnerable in the global status.
Replace this by a proper pair of UNKNOWNs
2018-01-23 22:20:34 +01:00
Stéphane Lesimple
c8a25c5d97
feat: detect invalid kconfig files
2018-01-23 21:48:19 +01:00
Stéphane Lesimple
40381349ab
fix(dmesg): detect when dmesg is truncated
...
To avoid false negatives when looking for a message
in dmesg, we were previously also grepping in known
on-disk archives of dmesg (dmesg.log, kern.log).
This in turn caused false positives because we have no
guarantee that we're grepping the dmesg of the current
running kernel. Hence we now only look in the live
`dmesg`, detect if it has been truncated, and report
it to the user.
2018-01-21 16:26:08 +01:00
Stéphane Lesimple
0aa5857a76
fix(cpu): Pentium Exxxx series are not vulnerable
...
Pentium E series are not in the vulnerable list from
Intel, and Spectre2 PoC reportedly doesn't work on
an E5200
2018-01-21 16:13:17 +01:00
Stéphane Lesimple
b3b7f634e6
fix(display): use text-mode compatible colors
...
in text-mode 80-cols TERM=linux terminals, colors
were not displaying properly, one had to use
--no-color to be able to read some parts of the
text.
2018-01-21 12:32:22 +01:00
Stéphane Lesimple
263ef65fec
bump to v0.32
2018-01-20 12:49:12 +01:00
Stéphane Lesimple
a1bd233c49
revert to a simpler check_vmlinux()
2018-01-20 12:26:26 +01:00
Stéphane Lesimple
de6590cd09
cache is_cpu_vulnerable result for performance
2018-01-20 12:24:23 +01:00
Stéphane Lesimple
56d4f82484
is_cpu_vulnerable: implement check for multi-arm systems
2018-01-20 12:24:23 +01:00
Stéphane Lesimple
7fa2d6347b
check_vmlinux: when readelf doesn't work, try harder with another way
2018-01-20 12:23:55 +01:00
Stéphane Lesimple
3be5e90481
be smarter to find a usable echo command
2018-01-20 12:23:55 +01:00
Stéphane Lesimple
995620a682
add pine64 vmlinuz location
2018-01-20 12:23:19 +01:00
Stéphane Lesimple
193e0d8d08
arm: cosmetic fix for name and handle aarch64
2018-01-20 12:22:48 +01:00
Stéphane Lesimple
72ef94ab3d
ARM: display a friendly name instead of empty string
2018-01-20 12:22:48 +01:00
Harald Hoyer
ccc0453df7
search in /lib/modules/$(uname -r) for vmlinuz, config, System.map
...
On Fedora machines /lib/modules/$(uname -r) has all the files.
2018-01-20 11:19:34 +01:00
Stéphane Lesimple
14ca49a042
Atom N270: implement another variation
2018-01-19 18:47:38 +01:00
Stéphane Lesimple
db357b8e25
CoreOS: remove ephemeral install of a non-used package
2018-01-18 10:17:25 +01:00
Stéphane Lesimple
42a57dd980
add kern.log as another backend of dmesg output
2018-01-17 17:17:39 +01:00
Stéphane Lesimple
5ab95f3656
fix(atom): don't use a pcre regex, only an extended one
2018-01-17 12:01:13 +01:00
Stéphane Lesimple
5b6e39916d
fix(atom): properly detect Nxxx Atom series
2018-01-17 11:07:47 +01:00
Willy Sudiarto Raharjo
556951d5f0
Add Support for Slackware.
...
Signed-off-by: Willy Sudiarto Raharjo <willysr@gmail.com>
2018-01-16 11:55:03 +01:00
Stéphane Lesimple
7a88aec95f
Implement CoreOS compatibility mode ( #84 )
...
* Add special CoreOS compatibility mode
* CoreOS: refuse --coreos if we're not under CoreOS
* CoreOS: warn if launched without --coreos option
* is_coreos: make stderr silent
* CoreOS: tiny adjustments
2018-01-16 10:33:01 +01:00
Stéphane Lesimple
bd18323d79
bump to v0.31 to reflect changes
2018-01-14 22:34:09 +01:00
Stéphane Lesimple
b89d67dd15
meltdown: detecting Xen PV, reporting as not vulnerable
2018-01-14 22:31:21 +01:00
Stéphane Lesimple
704e54019a
is_cpu_vulnerable: add check for old Atoms
2018-01-14 21:32:56 +01:00
Stéphane Lesimple
d96093171a
verbose: add PCID check for performance impact of PTI
2018-01-14 17:18:34 +01:00
Stéphane Lesimple
dcc4488340
Merge pull request #80 from speed47/cpuid_spec_ctrl
...
v0.30, cpuid spec ctrl and other enhancements
2018-01-14 16:48:02 +01:00
Stéphane Lesimple
32e3fe6c07
bump to v0.30 to reflect changes
2018-01-14 16:45:59 +01:00
Stéphane Lesimple
71213c11b3
ibrs: check for spec_ctrl_ibrs in cpuinfo
2018-01-14 16:36:51 +01:00
Andreas Rammhold
2964c4ab44
add support for NixOS kernel
...
this removes the need to specify the kernel version manually on NixOS
2018-01-14 16:18:29 +01:00
Stéphane Lesimple
749f432d32
also check for spec_ctrl flag in cpuinfo
2018-01-14 15:47:51 +01:00
Stéphane Lesimple
a422b53d7c
also check for cpuinfo flag
2018-01-14 15:47:51 +01:00
Stéphane Lesimple
c483a2cf60
check spec_ctrl support using cpuid
2018-01-14 15:47:51 +01:00
Stéphane Lesimple
dead0054a4
fix: proper detail msg in vuln status
2018-01-14 15:47:22 +01:00
Stéphane Lesimple
e5e4851d72
proper return codes regardless of the batch mode
2018-01-14 14:24:31 +01:00
Stéphane Lesimple
7f92717a2c
add info about accuracy when missing kernel files
2018-01-13 13:59:17 +01:00
Stéphane Lesimple
b47d505689
AMD now vuln to variant2 (as per their stmt)
2018-01-13 13:35:31 +01:00
Corey Hickey
4a2d051285
minor is_cpu_vulnerable() changes ( #71 )
...
* correct is_cpu_vulnerable() comment
As far as I can tell, the function and usage are correct for the comment
to be inverted.
Add a clarifying note as to why the value choice makes sense.
* exit on invalid varient
If this happens, it's a bug in the script. None of the calling code
checks for status 255, so don't let a scripting bug cause a false
negative.
* no need to set vulnerable CPUs
According to comment above this code:
'by default, everything is vulnerable, we work in a "whitelist" logic here.'
2018-01-13 13:16:37 +01:00
Sylvestre Ledru
f3551b9734
Only show the name of the script, not the full path ( #72 )
2018-01-13 13:14:19 +01:00
Sylvestre Ledru
45b98e125f
fix some typos ( #73 )
2018-01-13 13:13:40 +01:00
Stéphane Lesimple
dce917bfbb
add --version, bump to v0.28
2018-01-12 19:10:44 +01:00
Stéphane Lesimple
8f18f53aba
add cpu model in output
2018-01-12 19:08:12 +01:00
M. Willis Monroe
8bd093173d
Fixed a few spelling errors ( #60 )
2018-01-12 11:46:36 +01:00
Stéphane Lesimple
bfe5a3b840
add some debug
2018-01-12 10:53:19 +01:00
Stéphane Lesimple
6a0242eea3
bump to v0.27
2018-01-11 15:36:41 +01:00
Stéphane Lesimple
bc4e39038a
fix(opcodes): fix regression introduced in previous commit
...
We were saying unknown instead of vulnerable when the count of lfence opcodes was low
This was not impacting batch mode or the final decision, just the human-readable output of the script.
2018-01-11 15:35:57 +01:00
Stéphane Lesimple
62f8ed6f61
adding support for new /sys interface ( #55 )
...
* adding support for new /sys interface
* fix(objdump): prefer -d instead of -D, some kernels crash objdump otherwise
2018-01-11 12:23:16 +01:00
Tobias Rüetschi
52a8f78885
send warning to stderr. ( #53 )
...
With --batch json there must not be any other output on stdout, so redirect warnings to stderr will show the warning on the console and only the json output is on stdout.
2018-01-11 09:55:43 +01:00
Stéphane Lesimple
a09a5ba38f
bump to v0.25 to reflect changes
2018-01-11 09:08:29 +01:00
Abdoul Bah
5a7d8d7edf
Produce JSON output formatted for Puppet, Ansible, Chef... ( #50 )
...
Produce JSON output formatted for Puppet, Ansible, Chef...
2018-01-11 09:04:13 +01:00
Stéphane Lesimple
49fdc6c449
Merge pull request #51 from cowanml/file_read_check_fixup
...
fixed file read test
2018-01-10 21:39:09 +01:00
Matt Cowan
af3de2a862
fixed file read test
2018-01-10 15:17:14 -05:00
Stéphane Lesimple
c6e1b0ac8a
feat(kernel): add support for LZ4 decompression
2018-01-10 20:10:57 +01:00
Stéphane Lesimple
eb0ebef5a8
fix(opensuse): add specific location for ibrs_enabled file
2018-01-10 17:40:33 +01:00
Stéphane Lesimple
a658de2f01
fix(kernel): fix detection for separate /boot partitions
2018-01-10 16:27:16 +01:00
Stéphane Lesimple
8ed1f5e3af
feat(kernel): check the BOOT_IMAGE info from cmdline before trying the default names
2018-01-10 15:46:29 +01:00
Stéphane Lesimple
ffc542eb82
bump to v0.23 to reflect changes
2018-01-10 15:25:55 +01:00
Stéphane Lesimple
74bc7ba637
add --variant to specify what check we want to run
2018-01-10 15:22:30 +01:00
Marcus Downing
59fe8c2ad8
Error on unknown batch format
2018-01-10 13:57:10 +00:00
Marcus Downing
7c11d07865
Stray tab
2018-01-10 11:59:33 +00:00
Marcus Downing
7c5cfbb8c3
batch nrpe
2018-01-10 11:57:45 +00:00
Marcus Downing
381038eceb
NRPE mode
2018-01-10 11:18:45 +00:00
Stéphane Lesimple
d6e4aa43f0
Merge pull request #37 from deufrai/better-dmesg-support
...
Improve PTI detection
2018-01-09 19:52:45 +01:00
Stéphane Lesimple
e5e09384f0
typofix
2018-01-09 18:54:35 +01:00
Stéphane Lesimple
7222367f04
add disclaimer and bump to 0.21
2018-01-09 18:52:21 +01:00
Stéphane Lesimple
ab512687cf
Merge pull request #38 from Alkorin/fixARM
...
Fix ARM checks
2018-01-09 18:47:25 +01:00
Alkorin
335439dee0
Fix small typo in error message
2018-01-09 18:44:15 +01:00
Alkorin
45297b6f7d
Fix ARM checks
2018-01-09 18:41:48 +01:00
Frederic CORNU
a7b14306d5
Improve PTI detection even more
...
when PTI detection relies on dmesg, dmesg output is checked first
then /var/log/dmesg if dmesg output lacks boot time messages
2018-01-09 18:26:32 +01:00
Frederic CORNU
608952ff71
Improve PTI detection
...
In case of a busy or misconfigured server, kernel message buffer loop
can be filled with messages broadcasted later than boot time. So dmesg
command wont return boot time messages.
Grepping /var/log/dmesg fixes it and this log file location semms pretty
standard across many common distros
2018-01-09 18:17:39 +01:00
Stéphane Lesimple
1c3d349667
Merge pull request #31 from Feandil/batch
...
Add a "batch" and "verbose" mode
2018-01-09 18:12:39 +01:00
Stéphane Lesimple
b93b13263d
fix(pti): remove escapes since we use grep -E now
2018-01-09 16:01:44 +01:00
Vincent Brillault
ad342cab06
Introduce "verbose" and "batch" modes
...
Rewrite the way the output is processed:
- Define verbosity level (currently warn, info (default) & verbose)
- Add a batch mode, for simple machine parsing
2018-01-09 15:58:13 +01:00
Vincent Brillault
5fd85e288b
No-color: interpret string (-e) to be able to mach \x1B
2018-01-09 15:57:10 +01:00
Stéphane Lesimple
322f4efc8f
fix broken logic of 68961f9
, increment version to 0.20
2018-01-09 14:55:12 +01:00
Vincent Brillault
b6bfcdbd45
Move configuration at the beginning of the script
2018-01-09 14:18:02 +01:00
Stéphane Lesimple
68961f98c2
adding known non-vulnerable ARM chips
2018-01-09 13:11:48 +01:00
Stéphane Lesimple
f0f2ea9b11
v0.19: introduce --no-color
2018-01-09 10:32:51 +01:00
Stéphane Lesimple
6f1bdba1d9
bump to v0.18 to reflect changes
2018-01-09 09:21:42 +01:00
Stéphane Lesimple
7b05105a54
Merge pull request #25 from Feandil/proc_config
...
When using /proc/config.gz, indicate it more clearly
2018-01-09 09:19:36 +01:00
Stéphane Lesimple
8aed2d4086
Merge pull request #26 from Feandil/proc_kallsym
...
Use /proc/kallsyms to get symbols, if available
2018-01-09 09:17:18 +01:00
Vincent Brillault
f4140a992a
Use /proc/kallsyms to get symbols, if available
2018-01-09 08:58:09 +01:00
Vincent Brillault
2c51b00a90
When using /proc/config.gz, indicate it more clearly
2018-01-09 08:54:07 +01:00
Stéphane Lesimple
2d94514c07
adding mention of heuristic for variant 1 check
2018-01-09 08:43:52 +01:00
Stéphane Lesimple
0e8f97afbc
Merge pull request #24 from angus-p/Remove-extra-space
...
remove superfluous space from test line 315
2018-01-09 08:34:10 +01:00
angus-p
cc0b325383
remove superfluous space from test line 315
...
Extra space was causing non-existent variable to be tested resulting in 'YES' if running in live mode and IBRS compiled in
2018-01-09 03:47:25 +00:00
Matthew Radcliffe
4454f03136
Increases tmp directory uniqueness to 6 characters to support Slackware
2018-01-08 22:28:55 -05:00
Stéphane Lesimple
949f316f89
missed version bump + README typofix
2018-01-08 23:15:42 +01:00
Stéphane Lesimple
d73a24cb5b
implement offline mode and help
2018-01-08 23:09:17 +01:00
Grim Kriegor
2d33a4369e
Linux-libre support
2018-01-08 21:56:11 +00:00
Stéphane Lesimple
8d4d295309
bump to v0.16 to reflect changes
2018-01-08 17:48:20 +01:00
Stéphane Lesimple
1ff437edbb
Merge pull request #16 from Alkorin/fixes
...
Fixes
2018-01-08 17:45:59 +01:00
Stéphane Lesimple
34656827f5
detect retpoline-compliant compiler from latest LKML patches
2018-01-08 17:32:19 +01:00
Alkorin
8c8a8d35fd
Detect if 'readelf' is present
2018-01-08 16:52:09 +01:00
Alkorin
debd10b517
Detect if 'strings' is present
2018-01-08 16:51:20 +01:00
Alkorin
21f81ff5c9
Detect if uncompress binaries are present
2018-01-08 16:51:14 +01:00
Stéphane Lesimple
206e4b7fbc
add detection of retpoline-aware compiler
2018-01-08 16:28:00 +01:00
Alkorin
1a14483c98
Use 'readelf' instead of 'file' to detect kernel
2018-01-08 15:56:19 +01:00
Alkorin
26564206db
Do not execute checks if we already found that PTI is enabled
2018-01-08 15:56:19 +01:00
Stéphane Lesimple
207168e097
detect if the used compiler supports retpoline (WIP)
2018-01-08 15:45:09 +01:00
Sebastian Wiesinger
c88acdd31d
Remove superfluous 'YES' output when checking cpuinfo
2018-01-08 14:50:59 +01:00
Sebastian Wiesinger
124ce8e27a
Recognize 'kaiser' flag in /proc/cpuinfo
2018-01-08 14:38:43 +01:00
Vincent Brillault
a792348928
RedHat uses a different configuration name
2018-01-08 12:59:12 +01:00
Vincent Brillault
66f7708095
Refactor RedHat support:
...
- Isolate file check to different elif (allowing to add more)
- Do the PTI debugfs check first (faster and supposed to be dynamic)
- If pti_enable is 0, don't trust dmesg (supposed to be dynamic)
2018-01-08 12:59:03 +01:00
Vincent Brillault
34ef5ef21b
Delay umount (for RedHat access to pti_enable)
2018-01-08 12:58:22 +01:00
Stéphane Lesimple
edbdf0da1f
push the lfence opcodes threshold to 70
2018-01-08 12:49:23 +01:00
Alkorin
47c30babf1
Avoid 'cat: /sys/kernel/debug/x86/pti_enabled: Permission denied'
2018-01-08 12:41:28 +01:00
Stéphane Lesimple
ef7a5c4cf6
adding uname -v to get potential additional vendor information
2018-01-08 12:22:56 +01:00
Vincent Brillault
b7197d6f54
Fix debugfs mount check
2018-01-08 12:15:51 +01:00
Stéphane Lesimple
c792fa35bf
add kernel version information to the output
2018-01-08 12:14:12 +01:00
Stéphane Lesimple
d1498fe03f
Merge pull request #5 from fccagou/centos
...
fix(centos): check according to redhat patch.
2018-01-08 12:10:07 +01:00
Stéphane Lesimple
12bdd0e412
root check is now more visible
2018-01-08 11:31:19 +01:00
fccagou
0f50e04dab
fix(centos): check according to redhat patch. https://access.redhat.com/articles/3311301
2018-01-08 11:14:22 +01:00
David Guglielmi
bf056ae73d
Add support for Gentoo genkernel image path
2018-01-08 11:08:53 +01:00
Frederik Schreiber
40a9d43c44
add arch linux bootimage path
2018-01-08 10:36:29 +01:00
Stéphane Lesimple
c1004d5171
fix extract-vmlinux for non-gzip
2018-01-08 09:56:29 +01:00
Stéphane Lesimple
fa0850466e
add some comments, enhance pti detection
2018-01-08 09:37:54 +01:00
Thibault Nélis
1aaca63dcf
Improve "running as root" check
...
Small issue with the USER environment variable:
$ echo $USER
thib
$ sudo sh -c 'echo $USER'
thib
$ sudo -i sh -c 'echo $USER'
root
Rather than recommending users to use sudo --login / -i, use the (very
widespread/portable) id program to retrieve the effective user ID
instead and don't change the recommendation.
$ id -u
1000
$ sudo id -u
0
$ sudo -i id -u
0
2018-01-08 01:22:14 +01:00
Stéphane Lesimple
96dfa03c00
fix for uncompressed vmlinux case
2018-01-08 00:45:12 +01:00
Stéphane Lesimple
05c79425ab
detect kpti directly in vmlinux if option is not there
2018-01-07 22:47:41 +01:00
Stéphane Lesimple
64eb1d005c
add couple missing elses
2018-01-07 18:49:15 +01:00
Stéphane Lesimple
bffda8b3e7
remove dependency on rdmsr
2018-01-07 18:36:56 +01:00
Stéphane Lesimple
13f2133a97
cosmetic fix
2018-01-07 18:14:08 +01:00
Stéphane Lesimple
8c2fd0f0bb
fix MSR reading, need rdmsr for now
2018-01-07 18:13:25 +01:00
Stéphane Lesimple
761c2b80e4
cosmetic fix
2018-01-07 17:19:37 +01:00
Stéphane Lesimple
d6977928e5
msg fix
2018-01-07 17:15:08 +01:00
Stéphane Lesimple
bd4c74331e
add retpolines check
2018-01-07 16:57:14 +01:00
Stéphane Lesimple
82972f8790
fix status unknown for variant 1
2018-01-07 16:32:34 +01:00
Stéphane Lesimple
30de4f6336
remove hardcoded kernel image path
2018-01-07 16:25:50 +01:00
Stéphane Lesimple
9ed1fcd98a
cosmetic + v0.02
2018-01-07 16:22:30 +01:00
Stéphane Lesimple
ef7c0d7ec5
add variant 1 check
2018-01-07 16:16:11 +01:00
Stéphane Lesimple
3b760822ff
fix echo under some shells
2018-01-07 16:00:01 +01:00
Stéphane Lesimple
0201b02313
typofix
2018-01-07 15:37:50 +01:00
Stéphane Lesimple
c937e6603b
add System.map way of detecting kpti build
2018-01-07 15:36:05 +01:00
Stéphane Lesimple
4211178b3a
v0.01
2018-01-07 15:00:59 +01:00