Commit Graph

308 Commits

Author SHA1 Message Date
Calvin Walton
155cac2102 Teach checker how to find kernels installed by systemd kernel-install 2018-02-10 20:51:33 +01:00
Stéphane Lesimple
22cae605e1 fix(retpoline): remove the "retpoline enabled" test
This test worked for some early versions of the retpoline
implementation in vanilla kernels, but the corresponding
flag has been removed from /proc/cpuinfo in latest kernels.
The full information is available in /sys instead, which
was already implemented in the script.
2018-02-09 20:12:33 +01:00
Stéphane Lesimple
eb75e51975 fix(ucode): update list of blacklisted ucodes from 2018-02-08 Intel document
Removed 2 ucodes and added 2 other ones
2018-02-09 19:56:27 +01:00
積丹尼 Dan Jacobson
253e180807 Update spectre-meltdown-checker.sh
Dots better than colon for indicating waiting.
2018-02-06 19:02:56 +01:00
Stéphane Lesimple
5d6102a00e enh: show kernel version in offline mode 2018-02-02 11:27:04 +01:00
Stéphane Lesimple
a2dfca671e feat: detect disrepancy between found kernel image and running kernel 2018-02-02 11:13:54 +01:00
Stéphane Lesimple
36bd80d75f enh: speedup by not decompressing kernel on --sysfs-only 2018-02-02 11:13:31 +01:00
Stéphane Lesimple
1834dd6201 feat: add skylake era cpu detection routine 2018-02-02 11:12:10 +01:00
Stéphane Lesimple
3d765bc703 enh: lazy loading of cpu informations 2018-02-02 11:11:51 +01:00
Stéphane Lesimple
07afd95b63 feat: better cleanup routine on exit & interrupt 2018-02-02 11:09:36 +01:00
Stéphane Lesimple
b7a10126d1 fix: ARM CPU display name & detection
Fix ARM CPU display name, and properly
detect known vulnerable ARM CPUs when
multiple different model cores are
present (mostly Android phones)
2018-02-02 11:00:23 +01:00
Stéphane Lesimple
6346a0deaa fix: --no-color workaround for android's sed 2018-02-02 10:59:49 +01:00
Stéphane Lesimple
8106f91981 release: bump to v0.34 2018-01-31 16:28:54 +01:00
Stéphane Lesimple
b1fdf88f28 enh: display ucode info even when not blacklisted 2018-01-31 16:21:32 +01:00
Stéphane Lesimple
4d29607630 cleanup: shellcheck pass 2018-01-31 16:15:20 +01:00
Stéphane Lesimple
0267659adc cleanup: remove superseded atom detection code
This is now handled properly by checking the CPU
vendor, family, model instead of looking for the
commercial name of the CPU in /proc/cpuinfo
2018-01-31 16:15:20 +01:00
Stéphane Lesimple
247b176882 feat: detect known speculative-execution free CPUs
Based on a kernel patch that has been merged to Linus' tree.
Some of the detections we did by grepping the model name
will probably no longer be needed.
2018-01-31 16:15:20 +01:00
Stéphane Lesimple
bcae8824ec refacto: create a dedicated func to read cpuid bits 2018-01-31 16:15:20 +01:00
Stéphane Lesimple
71e7109c22 refacto: move cpu discovery bits to a dedicated function 2018-01-31 16:15:20 +01:00
Stéphane Lesimple
aa18b51e1c fix(variant1): smarter lfence check
Instead of just counting the number of LFENCE
instructions, now we're only counting the those
that directly follow a jump instruction.
2018-01-31 14:34:54 +01:00
Stéphane Lesimple
b738ac4bd7 fix: regression introduced by previous commit
449: ./spectre-meltdown-checker.sh: 3: parameter not set
This happened only on blacklisted microcodes, fixed by
adding set +u before the return
2018-01-31 12:13:50 +01:00
Stéphane Lesimple
799ce3eb30 update blacklisted ucode list from kernel source 2018-01-31 11:26:23 +01:00
Stéphane Lesimple
f1e18c136f doc(disclaimer): Spectre affects all software
Add a paragraph in the disclaimer stating that this tool focuses
on the kernel side of things, and that for Spectre, any software
might be vulnerable.
2018-01-30 14:37:52 +01:00
Stéphane Lesimple
e05ec5c85f feat(variant1): detect vanilla mitigation
Implement detection of mitigation for Variant 1 that is
being pushed on vanilla kernel.
Current name of the patch:
"spectre variant1 mitigations for tip/x86/pti" (v6)
Also detect some distros that already backported this
patch without modifying the vulnerabilities sysfs hierarchy.
This detection is more reliable than the LFENCE one, trust
it and skip the LFENCE heuristic if a match is found.
2018-01-30 12:55:34 +01:00
Stéphane Lesimple
6e544d6055 fix(cpu): Pentium Exxxx are vulnerable to Meltdown 2018-01-29 11:18:15 +01:00
Stéphane Lesimple
90a65965ff adjust: show how to enable IBRS/IBPB in -v only 2018-01-29 11:06:15 +01:00
Stéphane Lesimple
9b53635eda refacto: fix shellcheck warnings for better compat
Now `shellcheck -s sh` no longer shows any warnings.
This should improve compatibility with exotic shells
as long as they're POSIX compliant.
2018-01-29 10:34:08 +01:00
Joseph Mulloy
7404929661 Fix printing of microcode to use cpuinfo values
The values used should be the ones that come from cpuinfo instead of
the test values. The following line will print the last tuple tested
instead of the actual values of the CPU.

Line 689: _debug "is_ucode_blacklisted: no ($model/$stepping/$ucode)"
2018-01-26 18:23:18 +01:00
Stéphane Lesimple
bf46fd5d9b update: new screenshots for README.md 2018-01-26 15:15:24 +01:00
Stéphane Lesimple
0798bd4c5b fix: report arch_capabilities as NO when no MSR
When the arch_capabilities MSR is not there, it means
that all the features it might advertise can be considered
as NO instead of UNKNOWN
2018-01-26 14:55:01 +01:00
Stéphane Lesimple
42094c4f8b release: v0.33 2018-01-26 14:20:29 +01:00
Stéphane Lesimple
03d2dfe008 feat: add blacklisted Intel ucode detection
Some Intel microcodes are known to cause instabilities
such as random reboots. Intel advises to revert to a
previous version if a newer one that fixes those issues
is not available. Detect such known bad microcodes.
2018-01-26 14:19:54 +01:00
Stéphane Lesimple
9f00ffa5af fix: fallback to UNKNOWN when we get -EACCES
For detection of IBRS_ALL and RDCL_NO, fallback to
UNKNOWN when we were unable to read the CPUID or MSR.
2018-01-26 14:16:34 +01:00
Matthieu Cerda
7f0d80b305 xen: detect if the host is a Xen Dom0 or PV DomU (fixes #83) 2018-01-25 11:04:30 +01:00
Stéphane Lesimple
d1c1f0f0f0 fix(batch): fix regression introduced by acf12a6
In batch mode, $echo_cmd was not initialized early
enough, and caused this error:
./spectre-meltdown-checker.sh: 899: ./spectre-meltdown-checker.sh: -ne: not found
Fix it by initing echo_cmd unconditionally at the start
2018-01-24 17:57:19 +01:00
Stéphane Lesimple
acf12a6d2d feat(cpu) add STIBP, RDCL_NO, IBRS_ALL checks
Move all the CPU checks to their own section,
for clarity. We now check for IBRS, IBPB, STIBP,
RDCL_NO and IBRS_ALL. We also show whether the
system CPU is vulnerable to the three variants,
regardless of the fact that mitigations are in
place or not, which is determined in each vuln-
specific section.
2018-01-24 14:44:16 +01:00
Stéphane Lesimple
b45e40bec8 feat(stibp): add STIBP cpuid feature check 2018-01-24 12:19:02 +01:00
Stéphane Lesimple
3c1d452c99 fix(cpuid): fix off-by-one SPEC_CTRL bit check 2018-01-24 12:18:56 +01:00
Stéphane Lesimple
53b9eda040 fix: don't make IBPB mandatory when it's not there
On some kernels there could be IBRS support but not
IBPB support, in that case, don't report VULN just
because IBPB is not enabled when IBRS is
2018-01-24 09:04:25 +01:00
Stéphane Lesimple
3b0ec998b1 fix(cosmetic): tiny msg fixes 2018-01-24 09:04:25 +01:00
Stéphane Lesimple
d55bafde19 fix(cpu): trust is_cpu_vulnerable even w/ debugfs
For variant3 under AMD, the debugfs vulnerabilities hierarchy
flags the system as Vulnerable, which is wrong. Trust our own
is_cpu_vulnerable() func in that case
2018-01-24 09:04:25 +01:00
Stéphane Lesimple
147462c0ab fix(variant3): do our checks even if sysfs is here 2018-01-24 09:04:25 +01:00
Stéphane Lesimple
ddc7197b86 fix(retpoline): retpoline-compiler detection
When kernel is not compiled with retpoline option, doesn't
have the sysfs vulnerability hierarchy and our heuristic to
detect a retpoline-aware compiler didn't match, change result
for retpoline-aware compiler detection from UNKNOWN to NO.
When CONFIG_RETPOLINE is not set, a retpoline-aware compiler
won't produce different asm than a standard one anyway.
2018-01-24 09:04:25 +01:00
Stéphane Lesimple
e7aa3b9d16 feat(retpoline): check if retpoline is enabled
Before we would just check if retpoline was compiled
in, now we also check that it's enabled at runtime
(only in live mode)
2018-01-24 09:04:25 +01:00
Stéphane Lesimple
ff5c92fa6f feat(sysfs): print details even with sysfs
Before, when the /sys kernel vulnerability interface
was available, we would bypass all our tests and just
print the output of the vulnerability interface. Now,
we still rely on it when available, but we run our
checks anyway, except for variant 1 where the current
method of mitigation detection doesn't add much value
to the bare /sys check
2018-01-24 09:04:25 +01:00
Stéphane Lesimple
443d9a2ae9 feat(ibpb): now also check for IBPB on variant 2
In addition to IBRS (and microcode support), IBPB
must be used to mitigate variant 2, if retpoline
support is not available. The vulnerability status
of a system will be defined as "non vulnerable"
if IBRS and IBPB are both enabled, or if IBPB
is enabled with a value of 2 for RedHat kernels,
see https://access.redhat.com/articles/3311301
2018-01-24 09:04:25 +01:00
Stéphane Lesimple
3e454f1817 fix(offline): report unknown when too few info
In offline mode, in the worst case where an invalid
config file is given, and we have no vmlinux image
nor System.map, the script was reporting Variant 2
and Variant 3 as vulnerable in the global status.
Replace this by a proper pair of UNKNOWNs
2018-01-23 22:20:34 +01:00
Stéphane Lesimple
c8a25c5d97 feat: detect invalid kconfig files 2018-01-23 21:48:19 +01:00
Stéphane Lesimple
40381349ab fix(dmesg): detect when dmesg is truncated
To avoid false negatives when looking for a message
in dmesg, we were previously also grepping in known
on-disk archives of dmesg (dmesg.log, kern.log).
This in turn caused false positives because we have no
guarantee that we're grepping the dmesg of the current
running kernel. Hence we now only look in the live
`dmesg`, detect if it has been truncated, and report
it to the user.
2018-01-21 16:26:08 +01:00
Stéphane Lesimple
0aa5857a76 fix(cpu): Pentium Exxxx series are not vulnerable
Pentium E series are not in the vulnerable list from
Intel, and Spectre2 PoC reportedly doesn't work on
an E5200
2018-01-21 16:13:17 +01:00