peter/spectre-meltdown-checker
1
0
Fork 0
mirror of https://github.com/speed47/spectre-meltdown-checker.git synced 2026-04-22 16:43:20 +02:00
Code Issues Projects Releases Wiki Activity
718 Commits 6 Branches 49 Tags
7329c1fd2f75eac1a9045029484314f5f7eb1131
Commit Graph

718 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Stéphane Lesimple
7329c1fd2f feat: hide CVE checks that arebirrelevant for current arch 
CVE_REGISTRY gains an optional fifth field that tags checks as x86-only or
arm-only, untagged entries apply everywhere. The main CVE dispatcher and the
affectedness summary both skip gated entries in default "all CVEs" runs,
removing the noise of arm64 errata on x86 hosts and of x86 CVEs on ARM hosts
across text, json, nrpe and prometheus outputs. Explicit --cve/--variant/--errata
selection bypasses the gate so manual queries still run anywhere.
The gate honours no-hw mode by ignoring the host CPU and keying off the
inspected kernel's architecture only, which handles cross-arch offline
analysis driven by --kernel/--config/--map.
 2026-04-21 08:53:08 +02:00
Stéphane Lesimple
8a302b56e6 feat: add ARM64 silicon errata checks (issue #357) 
Add detection for three speculation/security-relevant ARM64 errata
families that are tracked by vendor erratum IDs rather than CVEs: Speculative
AT TLB corruption (1165522/1319367/1319537/1530923), speculative unprivileged
load (2966298/3117295), and MSR SSBS not self-synchronizing (3194386 and
siblings). Reserves a new CVE-0001-NNNN placeholder range for vendor errata
and adds a --errata <number> selector alongside --variant/--cve.

CPU affection is determined per-core from (implementer, part, variant,
revision) tuples read from /proc/cpuinfo, matching the kernel's MIDR ranges
(including Kryo4xx Silver for erratum 1530923). Kernel mitigation detection
uses the erratum-specific CONFIG_ARM64_ERRATUM_NNNN symbols, kernel image
descriptor strings, and dmesg output (no sysfs for these)
 2026-04-21 08:33:50 +02:00
Stéphane Lesimple
03b1787d69 fix: mmio stale data: EOL Intel CPUs may be vulnerable (#437) 2026-04-20 22:42:13 +02:00
林博仁 Buo-ren Lin
8a417e5579 doc: readme: correct markdown indentation for unordered list items (#569) 
Signed-off-by: 林博仁(Buo-ren Lin) <buo.ren.lin@gmail.com>
 2026-04-20 18:03:37 +02:00
Stéphane Lesimple
b7a6182a65 doc: add Jump Conditional Code (JCC) Erratum to the unsupported list 2026-04-20 17:47:50 +02:00
Stéphane Lesimple
e2d110a3b5 doc: update output formats doc + normalize json to bool 2026-04-20 12:55:34 +02:00
Stéphane Lesimple
1bb33d5cf2 chore: remove from test branch workflows that must live on master 2026-04-20 12:53:36 +02:00
Stéphane Lesimple
6732eb141b doc: CVE-2018-3665 (Lazy FP State Restore (LazyFP)), unsupported 2026-04-19 12:49:17 +02:00
Stéphane Lesimple
048ce5b6a2 enh: add FPDSS check for AMD Zen1/Zen+ (CVE-2025-54505) 2026-04-18 17:18:42 +02:00
Stéphane Lesimple
48454a5344 fix: remove useless checks under ARM for CVE-2023-28746 2026-04-10 19:50:15 +02:00
Stéphane Lesimple
e67c9e4265 enh: use g_mode to explicitly save/load the current running mode 2026-04-10 19:28:10 +02:00
Stéphane Lesimple
f7ba617e16 enh: guard x86/arm specific checks in kernel/cpu for the proper arch 2026-04-10 19:28:10 +02:00
Stéphane Lesimple
e110706df8 enh: factorize is_arch_kernel 2026-04-10 18:37:14 +02:00
Stéphane Lesimple
de853fc801 chore: fix build workflow 2026-04-08 23:00:40 +02:00
Stéphane Lesimple
98ec067aef enh: rework json/prom output to better split x86/arm 2026-04-08 22:58:36 +02:00
Stéphane Lesimple
ff42393fa6 new batch mode docs, add doc/ to -build branch 2026-04-08 22:58:36 +02:00
Stéphane Lesimple
f0fb59310e fix: add a missing pstatus to CVE-2023-20588 check 2026-04-08 22:35:53 +02:00
Stéphane Lesimple
be0f2d20d2 fix: remove misleading explain on correctly mitigated SLS 2026-04-08 22:35:53 +02:00
Stéphane Lesimple
3639de9e8a chore: fix github workflow check with new --batch output 2026-04-08 22:35:53 +02:00
Stéphane Lesimple
df3c2aeaa3 add screenshot to README 2026-04-08 22:35:53 +02:00
Stéphane Lesimple
945f70bb63 fix: early abort when using --allow-msr-write 2026-04-08 22:35:53 +02:00
Stéphane Lesimple
db84fc10de chore: make fmt 2026-04-08 22:35:53 +02:00
Stéphane Lesimple
60ea669e41 enh: better explain the 4 run modes 2026-04-08 22:35:53 +02:00
Stéphane Lesimple
f1c0d5548c chg: remove --no-intel-db, it's now always used when available 2026-04-08 22:35:53 +02:00
Stéphane Lesimple
9e617a4363 remove prometheus-legacy format 2026-04-08 22:35:53 +02:00
Stéphane Lesimple
b9c203120b enh: --no-runtime and --no-hw modes replacing --live and implicit 'offline' mode 2026-04-08 22:35:53 +02:00
Stéphane Lesimple
3f7e0a11f7 enh: CVE-2018-3640 (Spectre 3a): enhance ARM mitigation detection 2026-04-08 22:35:53 +02:00
Stéphane Lesimple
5c469787ea enh: rework --batch nrpe entirely 2026-04-08 22:35:53 +02:00
Stéphane Lesimple
a952fe32c4 fix: exit_cleanup: don't lose passed exit code 2026-04-08 22:35:53 +02:00
Stéphane Lesimple
61fa02d577 feat: rework the --batch prometheus output entirely 2026-04-08 22:35:53 +02:00
Stéphane Lesimple
39dea1245e feat: rework the --batch json output entirely 2026-04-08 22:35:53 +02:00
Stéphane Lesimple
3afbda8430 enh: when reading CPUID is unavailable (VM?), fallback to cpuinfo where applicable 
cap_* variable <= cpuinfo flag

cap_ibrs              <= ibrs
cap_ibpb              <= ibpb
cap_stibp             <= stibp
cap_ssbd              <= ssbd / virt_ssbd
cap_l1df              <= flush_l1d
cap_md_clear          <= md_clear
cap_arch_capabilities <= arch_capabilities

Should fix #288
 2026-04-08 22:35:53 +02:00
Stéphane Lesimple
6d69ce9a77 enh: read/write_msr: clearer error messages 2026-04-08 22:35:53 +02:00
Stéphane Lesimple
3ebfba2ac2 fix: CVE-2017-5715 (Spectre V2): Red Hat specific fix for RSB Filling (fixes #235) 2026-04-08 22:35:53 +02:00
Stéphane Lesimple
a3f6553e65 fix: read/write msr and lockdown: fix a variable error, properly report lockdown to users 2026-04-08 22:35:53 +02:00
Stéphane Lesimple
42ed8efa65 fix: better compatibility under busybox, silence buggy unzlma versions (fix #432) 2026-04-08 22:35:53 +02:00
Stéphane Lesimple
2c766b7cc6 fix: wrmsr: specify core number (closes #294) 2026-04-08 22:35:53 +02:00
Stéphane Lesimple
49472f1b64 enh: clearer kernel info section at the top of the script 2026-04-08 22:35:53 +02:00
Stéphane Lesimple
333aa74fea enh: clearer CPU details section 2026-04-08 22:35:53 +02:00
Stéphane Lesimple
8d9504d174 chore: add comment about is_intel/amd/hygon recursion 2026-04-08 22:35:53 +02:00
Stéphane Lesimple
6043f586ef enh: update IntelDB affected CPU list to 2026-04 data, including Hybrid CPU detection 2026-04-08 22:35:53 +02:00
Stéphane Lesimple
e1ace7c281 doc: document Platypus (CVE-2020-8694 CVE-2020-8695) as out of scope (#384) 2026-04-08 22:35:53 +02:00
Stéphane Lesimple
24ab98d757 doc: document CVE-2020-24511 and CVE-2020-24512 as being out of scope along with rationale (#409) 2026-04-08 22:35:53 +02:00
Stéphane Lesimple
155b3808b9 fix: CPUs affected by MSBDS but not MDS (fix #351) 2026-04-08 22:35:53 +02:00
Stéphane Lesimple
b6a41918b0 doc: add CVE-2019-11157 (Plundervolt) to unsupported CVE list 2026-04-08 22:35:53 +02:00
Stéphane Lesimple
3c56ac35dd fix: better detect kernel lockdown & no longer require cap_flush_cmd to deem CVE-2018-3615 as mitigated (fix #296) 2026-04-08 22:35:53 +02:00
Stéphane Lesimple
b0bb1f4676 feat: implement check for MMIO Stale Data (CVE-2022-21123 CVE-2022-21125 CVE-2022-21166) (#437) 2026-04-08 22:35:53 +02:00
Stéphane Lesimple
0fa7e44327 doc: add Blindside to unsupported list (#374) 2026-04-08 22:35:53 +02:00
Stéphane Lesimple
f100b4e1dc doc: add CVE-2020-0549 (L1D Eviction Sampling, CacheOut) as unsupported 2026-04-08 22:35:53 +02:00
Stéphane Lesimple
6332fc3405 fix: CVE-2019-11135 (TAA) detect new 0x10F MSR for TSX-disabled CPUs (#414) 2026-04-08 22:35:53 +02:00