Stéphane Lesimple
cc2910fbbc
fix: read_cpuid: don't use iflag=skip_bytes for compat with old dd versions
...
This closes #215 #199 #193
2018-07-23 09:12:30 +02:00
manish jaggi
30c4a1f6d2
arm64: cavium: Add CPU Implementer Cavium ( #216 )
...
This patch adds 0x43 check for cavium implementor id in function
parse_cpu_details. Also adds that Cavium Soc is not vulnerable to variant 3/3a
Signed-off-by: Manish Jaggi <manish.jagg@cavium.com>
2018-07-22 19:06:19 +02:00
Stéphane Lesimple
cf06636a3f
fix: prometheus output: use printf for proper \n interpretation ( #204 )
2018-06-21 23:35:51 +02:00
Stéphane Lesimple
60077c8d12
fix(arm): rewrite vuln logic from latest arm statement for Cortex A8 to A76
2018-06-21 23:24:18 +02:00
Rob Gill
c181978d7c
fix(arm): Updated arm cortex status ( #209 )
...
* Cortex A8 Vulnerable
Arm Cortex A8 is vulnerable to variants 1 & 2 (https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability )
Part number is 0xc08 (https://developer.arm.com/docs/ddi0344/b/system-control-coprocessor/system-control-coprocessorregisters/c0-main-id-register )
False negative reported by @V10lator in #206
* ARM Cortex A12 Vulnerable to 1&2
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
* A76 vulnerable to variant 4
All arch 8 cortex A57-A76 are vulnerable to variant 4.
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
* Whitelist variant4 nonvuln Arms
* ARM Cortex Whitelist & Cumulative Blacklist
Applies all information about vulnerabilities of ARM Cortex processors (from https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability ).
Whitelist & blacklist approach, using both vulnerable and non vulnerable status for each identified CPU, with vulnerabilities tracked cumulatively for multi CPU systems.
2018-06-16 12:14:39 +02:00
Rob Gill
5962d20ba7
fix(variant4): whitelist from common.c::cpu_no_spec_store_bypass ( #202 )
...
* variant4 from common.c::cpu_no_spec_store_bypass
Variant 4 - Add function to 'whitelist' the hand-full of CPUs unaffected by speculative store bypass.
This would allow improved determination of variant 4 status ( #189 ) of immune CPUs while waiting for the 4.17/stable patches to be backported to distro kernels.
Source of cpu list : https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/kernel/cpu/common.c#n945 )
Modeled after is_cpu_specex_free()
* amd families fix
amd families are reported by parse_cpu_details() in decimal
* remove duplicates
Only list processors which speculate and are immune to variant 4.
Avoids duplication with non-speculating CPUs listed in is_cpu_specex_free()
2018-05-27 15:14:29 +02:00
Rob Gill
17a3488505
fix(help): add missing references to variants 3a & 4 ( #201 )
2018-05-24 16:35:57 +02:00
Stéphane Lesimple
e54e8b3e84
chore: remove warning in README, fix display indentation
2018-05-24 16:32:53 +02:00
Stéphane Lesimple
39c778e3ac
fix(amd): AMD families 0x15-0x17 non-arch MSRs are a valid way to control SSB
2018-05-23 23:08:07 +02:00
Stéphane Lesimple
2cde6e4649
feat(ssbd): add detection of proper CPUID bits on AMD
2018-05-23 22:50:52 +02:00
Stéphane Lesimple
f4d51e7e53
fix(variant4): add another detection way for Red Hat kernel
2018-05-23 22:47:54 +02:00
Stéphane Lesimple
85d46b2799
feat(variant4): add more detailed explanations
2018-05-23 21:08:58 +02:00
Stéphane Lesimple
61e02abd0c
feat(variant3a): detect up to date microcode
2018-05-23 21:08:08 +02:00
Stéphane Lesimple
114756fab7
fix(amd): not vulnerable to variant3a
2018-05-23 20:38:43 +02:00
Rob Gill
ea75969eb7
fix(help): Update variant options in usage message ( #200 )
2018-05-22 15:54:25 +02:00
Stéphane Lesimple
ca391cbfc9
fix(variant2): correctly detect IBRS/IBPB in SLES kernels
2018-05-22 12:06:46 +02:00
Stéphane Lesimple
68af5c5f92
feat(variant4): detect SSBD-aware kernel
2018-05-22 12:05:46 +02:00
Stéphane Lesimple
f75cc0bb6f
feat(variant4): add sysfs mitigation hint and some explanation about the vuln
2018-05-22 09:39:11 +02:00
Stéphane Lesimple
f33d65ff71
feat(variant3a): add information about microcode-sufficient mitigation
2018-05-22 09:38:29 +02:00
Stéphane Lesimple
725eaa8bf5
feat(arm): adjust vulnerable ARM CPUs for variant3a and variant4
2018-05-22 09:19:29 +02:00
Stéphane Lesimple
c6ee0358d1
feat(variant4): report SSB_NO CPUs as not vulnerable
2018-05-22 09:18:30 +02:00
Stéphane Lesimple
22d0b203da
fix(ssb_no): rename ssbd_no to ssb_no and fix shift
2018-05-22 00:38:31 +02:00
Stéphane Lesimple
3062a8416a
fix(msg): add missing words
2018-05-22 00:10:08 +02:00
Stéphane Lesimple
6a4318addf
feat(variant3a/4): initial support for 2 new CVEs
2018-05-22 00:06:56 +02:00
Stéphane Lesimple
c19986188f
fix(variant2): adjust detection for SLES kernels
2018-05-19 09:53:12 +02:00
Rob Gill
7e4899bcb8
ibrs can't be enabled on no ibrs cpu ( #195 )
...
* ibrs can't be enabled on no ibrs cpu
If the cpu is identified, and does not support SPEC_CTRL or IBRS, then ibrs can't be enabled, even if supported by the kernel.
Instead of reporting IBRS enabled and active UNKNOWN, report IBRS enabled and active NO.
2018-05-17 15:39:48 +02:00
rrobgill
5cc77741af
Update spectre-meltdown-checker.sh
2018-05-05 13:00:44 +02:00
rrobgill
1c0f6d9580
cpuid and msr module check
...
This adds a check before loading the cpuid and msr modules under linux, ensuring they are not unloaded in exit_cleanup() if they were initially present.
2018-05-05 13:00:44 +02:00
Onno Zweers
4acd0f647a
Suggestion to change VM to a CPU with IBRS capability
2018-04-20 20:35:12 +02:00
Stéphane Lesimple
fb52dbe7bf
set master branch to v0.37+
2018-04-20 20:34:42 +02:00
Stéphane Lesimple
edebe4dcd4
bump to v0.37
2018-04-18 23:51:45 +02:00
Stéphane Lesimple
83ea78f523
fix: arm: also detect variant 1 mitigation when using native objdump
2018-04-17 18:50:32 +02:00
Stéphane Lesimple
602b68d493
fix(spectrev2): explain that retpoline is possible for Skylake+ if there is RSB filling, even if IBRS is still better
2018-04-16 09:27:28 +02:00
Stéphane Lesimple
97bccaa0d7
feat: rephrase IBPB warning when only retpoline is enabled in non-paranoid mode
2018-04-16 09:13:25 +02:00
Stéphane Lesimple
68e619b0d3
feat: show RSB filling capability for non-Skylake in verbose mode
2018-04-16 09:08:25 +02:00
Stéphane Lesimple
a6f4475cee
feat: make IBRS_FW blue instead of green
2018-04-16 09:07:54 +02:00
Stéphane Lesimple
223f5028df
feat: add --paranoid to choose whether we require IBPB
2018-04-15 23:05:30 +02:00
Stéphane Lesimple
c0108b9690
fix(spectre2): don't explain how to fix when NOT VULNERABLE
2018-04-15 20:55:55 +02:00
Stéphane Lesimple
a3016134bd
feat: make RSB filling support mandatory for Skylake+ CPUs
2018-04-15 20:55:31 +02:00
Stéphane Lesimple
59d85b39c9
feat: detect RSB filling capability in the kernel
2018-04-15 20:55:01 +02:00
Stéphane Lesimple
baaefb0c31
fix: remove shellcheck warnings
2018-04-11 22:24:03 +02:00
Igor Lubashev
d452aca03a
fix: invalid bash syntax when ibpb_enabled or ibrs_enabled are empty
2018-04-11 10:29:42 +02:00
Stéphane Lesimple
10b8d94724
feat: detect latest Red Hat kernels' RO ibpb_enabled knob
2018-04-10 22:51:45 +02:00
Stéphane Lesimple
8606e60ef7
refactor: no longer display the retoline-aware compiler test when we can't tell for sure
2018-04-10 22:51:45 +02:00
Stéphane Lesimple
6a48251647
fix: regression in 51aeae25, when retpoline & ibpb are enabled
2018-04-10 22:51:45 +02:00
Stéphane Lesimple
f4bf5e95ec
fix: typos
2018-04-10 22:51:45 +02:00
Stéphane Lesimple
60eac1ad43
feat: also do PTI performance check with (inv)pcid for BSD
2018-04-10 22:51:45 +02:00
Stéphane Lesimple
b3cc06a6ad
fix regression introduced by 82c25dc
2018-04-10 22:51:45 +02:00
Stéphane Lesimple
5553576e31
feat(amd/zen): re-introduce IBRS for AMD except ZEN family
2018-04-10 22:51:45 +02:00
Stéphane Lesimple
e16ad802da
feat(ibpb=2): add detection of SMT before concluding the system is not vulnerable
2018-04-10 22:51:45 +02:00
Stéphane Lesimple
29c294edff
feat(bsd): explain how to mitigate variant2
2018-04-10 22:51:45 +02:00
Stéphane Lesimple
59714011db
refactor: IBRS_ALL & RDCL_NO are Intel-only
2018-04-10 22:51:45 +02:00
Stéphane Lesimple
51e8261a32
refactor: separate hw checks for Intel & AMD
2018-04-10 22:49:28 +02:00
Stéphane Lesimple
2a4bfad835
refactor: add is_amd and is_intel funcs
2018-04-10 22:49:28 +02:00
Stéphane Lesimple
7e52cea66e
feat(spectre2): refined how status of this vuln is decided and more precise explanations on how to fix
2018-04-10 22:49:28 +02:00
Benjamin Bouvier
417d7aab91
Fix trailing whitespace and mixed indent styles;
2018-04-10 22:42:47 +02:00
Sylvestre Ledru
67bf761029
Fix some user facing typos with codespell -w -q3 .
2018-04-08 18:44:13 +02:00
Stéphane Lesimple
0eabd266ad
refactor: decrease default verbosity for some tests
2018-04-05 22:20:16 +02:00
Stéphane Lesimple
b77fb0f226
fix: don't override ibrs/ibpb results with later tests
2018-04-05 22:04:20 +02:00
Stéphane Lesimple
89c2e0fb21
fix(amd): show cpuinfo and ucode details
2018-04-05 21:39:27 +02:00
Stéphane Lesimple
b88f32ed95
feat: print raw cpuid, and fetch ucode version under BSD
2018-04-05 00:07:12 +02:00
Stéphane Lesimple
7a4ebe8009
refactor: rewrite read_cpuid to get more common code parts between BSD and Linux
2018-04-05 00:06:24 +02:00
Stéphane Lesimple
0919f5c236
feat: add explanations of what to do when a vulnerability is not mitigated
2018-04-05 00:03:04 +02:00
Stéphane Lesimple
de02dad909
feat: rework Spectre V2 mitigations detection w/ latest vanilla & Red Hat 7 kernels
2018-04-05 00:01:54 +02:00
Stéphane Lesimple
07484d0ea7
add dump of variables at end of script in debug mode
2018-04-04 23:58:15 +02:00
Stéphane Lesimple
a8b557b9e2
fix(cpu): skip CPU checks if asked to (--no-hw) or if inspecting a kernel of another architecture
2018-04-03 19:36:28 +02:00
Stéphane Lesimple
619b2749d8
fix(sysfs): only check for sysfs for spectre2 when in live mode
2018-04-03 19:32:36 +02:00
Stéphane Lesimple
056ed00baa
feat(arm): detect spectre variant 1 mitigation
2018-04-03 15:52:25 +02:00
Stéphane Lesimple
aef99d20f3
fix(pti): when PTI activation is unknown, don't say we're vulnerable
2018-04-03 12:45:17 +02:00
Stéphane Lesimple
e2d7ed2243
feat(arm): support for variant2 and meltdown mitigation detection
2018-04-01 17:50:18 +02:00
Stéphane Lesimple
eeaeff8ec3
set version to v0.36+ for master branch between releases
2018-04-01 17:45:01 +02:00
Stéphane Lesimple
f5269a362a
feat(bsd): add retpoline detection for BSD
2018-04-01 17:42:29 +02:00
Stéphane Lesimple
f3883a37a0
fix(xen): adjust message for DomUs w/ sysfs
2018-03-31 13:44:04 +02:00
Stéphane Lesimple
b6fd69a022
release: v0.36
2018-03-27 23:08:38 +02:00
Stéphane Lesimple
7adb7661f3
enh: change colors and use red only to report vulnerability
2018-03-25 18:15:08 +02:00
Stéphane Lesimple
aa74315df4
feat: speed up kernel version detection
2018-03-25 13:42:19 +02:00
Stéphane Lesimple
0b8a09ec70
fix: mis adjustments for BSD compat
2018-03-25 13:26:00 +02:00
Stéphane Lesimple
b42d8f2f27
fix(write_msr): use /dev/zero instead of manually echoing zeroes
2018-03-25 12:53:50 +02:00
Stéphane Lesimple
f191ec7884
feat: add --hw-only to only show CPU microcode/cpuid/msr details
2018-03-25 12:48:37 +02:00
Stéphane Lesimple
28da7a0103
misc: message clarifications
2018-03-25 12:48:03 +02:00
Stéphane Lesimple
ece25b98a1
feat: implement support for NetBSD/FreeBSD/DragonFlyBSD
2018-03-25 12:28:02 +02:00
Stéphane Lesimple
889172dbb1
feat: add special extract_vmlinux mode for old RHEL kernels
2018-03-25 11:55:44 +02:00
Stéphane Lesimple
37ce032888
fix: bypass MSR/CPUID checks for non-x86 CPUs
2018-03-25 11:55:44 +02:00
Stéphane Lesimple
701cf882ad
feat: more robust validation of extracted kernel image
2018-03-25 11:55:44 +02:00
Stéphane Lesimple
6a94c3f158
feat(extract_vmlinux): look for ELF magic in decompressed blob and cut at found offset
2018-03-25 11:55:42 +02:00
Stéphane Lesimple
2d993812ab
feat: add --prefix-arch for cross-arch kernel inspection
2018-03-25 11:55:10 +02:00
Stéphane Lesimple
4961f8327f
fix(ucode): fix blacklist detection for some ucode versions
2018-03-19 12:09:39 +01:00
Alex
ecdc448531
Check MSR in each CPU/Thread ( #136 )
2018-03-17 17:17:15 +01:00
Stéphane Lesimple
12ea49fe0c
fix(kvm): properly detect PVHVM mode ( fixes #163 )
2018-03-16 18:29:58 +01:00
Stéphane Lesimple
053f1613de
fix(doc): use https:// URLs in the script comment header
2018-03-16 18:24:59 +01:00
Stéphane Lesimple
bda18d04a0
fix: pine64: re-add vmlinuz location and some error checks
2018-03-10 16:02:44 +01:00
Stéphane Lesimple
d5832dc1dc
feat: add ELF magic detection on kernel image blob for some arm64 systems
2018-03-10 14:57:25 +01:00
Stéphane Lesimple
d2f46740e9
feat: enhance kernel image version detection for some old kernels
2018-03-10 14:57:25 +01:00
Sam Morris
2f6a6554a2
Produce output for consumption by prometheus-node-exporter
...
A report of all vulnerable machines to be produced with a query such as:
spexec_vuln_status{status!="OK"}
2018-02-27 11:08:39 +01:00
Stéphane Lesimple
30842dd9c0
release: bump to v0.35
2018-02-16 10:35:49 +01:00
Stéphane Lesimple
b4ac5fcbe3
feat(variant2): better explanation when kernel supports IBRS but CPU does not
2018-02-16 10:34:01 +01:00
Stéphane Lesimple
55a6fd3911
feat(variant1): better detection for Red Hat/Ubuntu patch
2018-02-15 21:19:49 +01:00
Sylvestre Ledru
35c8a63de6
Remove the color in the title
2018-02-15 20:21:00 +01:00
Stéphane Lesimple
5f914e555e
fix(xen): declare Xen's PTI patch as a valid mitigation for variant3
2018-02-14 14:24:55 +01:00
Stéphane Lesimple
66dce2c158
fix(ucode): update blacklisted ucodes list from latest Intel info
2018-02-14 14:14:16 +01:00