Commit Graph

718 Commits

Author SHA1 Message Date
Stéphane Lesimple 7329c1fd2f feat: hide CVE checks that are irrelevant for current arch
CVE_REGISTRY gains an optional fifth field that tags checks as x86-only or
arm-only, untagged entries apply everywhere. The main CVE dispatcher and the
affectedness summary both skip gated entries in default "all CVEs" runs,
removing the noise of arm64 errata on x86 hosts and of x86 CVEs on ARM hosts
across text, json, nrpe and prometheus outputs. Explicit --cve/--variant/--errata
selection bypasses the gate so manual queries still run anywhere.
The gate honours no-hw mode by ignoring the host CPU and keying off the
inspected kernel's architecture only, which handles cross-arch offline
analysis driven by --kernel/--config/--map.
2026-04-21 08:53:08 +02:00
Stéphane Lesimple 8a302b56e6 feat: add ARM64 silicon errata checks (issue #357)
Add detection for three speculation/security-relevant ARM64 errata
families that are tracked by vendor erratum IDs rather than CVEs: Speculative
AT TLB corruption (1165522/1319367/1319537/1530923), speculative unprivileged
load (2966298/3117295), and MSR SSBS not self-synchronizing (3194386 and
siblings). Reserves a new CVE-0001-NNNN placeholder range for vendor errata
and adds a --errata <number> selector alongside --variant/--cve.

CPU affection is determined per-core from (implementer, part, variant,
revision) tuples read from /proc/cpuinfo, matching the kernel's MIDR ranges
(including Kryo4xx Silver for erratum 1530923). Kernel mitigation detection
uses the erratum-specific CONFIG_ARM64_ERRATUM_NNNN symbols, kernel image
descriptor strings, and dmesg output (no sysfs for these).
2026-04-21 08:33:50 +02:00
Stéphane Lesimple 03b1787d69 fix: mmio stale data: EOL Intel CPUs may be vulnerable (#437) 2026-04-20 22:42:13 +02:00
林博仁 Buo-ren Lin 8a417e5579 doc: readme: correct markdown indentation for unordered list items (#569)
Signed-off-by: 林博仁(Buo-ren Lin) <buo.ren.lin@gmail.com>
2026-04-20 18:03:37 +02:00
Stéphane Lesimple b7a6182a65 doc: add Jump Conditional Code (JCC) Erratum to the unsupported list 2026-04-20 17:47:50 +02:00
Stéphane Lesimple e2d110a3b5 doc: update output formats doc + normalize json to bool 2026-04-20 12:55:34 +02:00
Stéphane Lesimple 1bb33d5cf2 chore: remove from test branch workflows that must live on master 2026-04-20 12:53:36 +02:00
Stéphane Lesimple 6732eb141b doc: CVE-2018-3665 (Lazy FP State Restore (LazyFP)), unsupported 2026-04-19 12:49:17 +02:00
Stéphane Lesimple 048ce5b6a2 enh: add FPDSS check for AMD Zen1/Zen+ (CVE-2025-54505) 2026-04-18 17:18:42 +02:00
Stéphane Lesimple 48454a5344 fix: remove useless checks under ARM for CVE-2023-28746 2026-04-10 19:50:15 +02:00
Stéphane Lesimple e67c9e4265 enh: use g_mode to explicitly save/load the current running mode 2026-04-10 19:28:10 +02:00
Stéphane Lesimple f7ba617e16 enh: guard x86/arm specific checks in kernel/cpu for the proper arch 2026-04-10 19:28:10 +02:00
Stéphane Lesimple e110706df8 enh: factorize is_arch_kernel 2026-04-10 18:37:14 +02:00
Stéphane Lesimple de853fc801 chore: fix build workflow 2026-04-08 23:00:40 +02:00
Stéphane Lesimple 98ec067aef enh: rework json/prom output to better split x86/arm 2026-04-08 22:58:36 +02:00
Stéphane Lesimple ff42393fa6 new batch mode docs, add doc/ to -build branch 2026-04-08 22:58:36 +02:00
Stéphane Lesimple f0fb59310e fix: add a missing pstatus to CVE-2023-20588 check 2026-04-08 22:35:53 +02:00
Stéphane Lesimple be0f2d20d2 fix: remove misleading explain on correctly mitigated SLS 2026-04-08 22:35:53 +02:00
Stéphane Lesimple 3639de9e8a chore: fix github workflow check with new --batch output 2026-04-08 22:35:53 +02:00
Stéphane Lesimple df3c2aeaa3 add screenshot to README 2026-04-08 22:35:53 +02:00
Stéphane Lesimple 945f70bb63 fix: early abort when using --allow-msr-write 2026-04-08 22:35:53 +02:00
Stéphane Lesimple db84fc10de chore: make fmt 2026-04-08 22:35:53 +02:00
Stéphane Lesimple 60ea669e41 enh: better explain the 4 run modes 2026-04-08 22:35:53 +02:00
Stéphane Lesimple f1c0d5548c chg: remove --no-intel-db, it's now always used when available 2026-04-08 22:35:53 +02:00
Stéphane Lesimple 9e617a4363 remove prometheus-legacy format 2026-04-08 22:35:53 +02:00
Stéphane Lesimple b9c203120b enh: --no-runtime and --no-hw modes replacing --live and implicit 'offline' mode 2026-04-08 22:35:53 +02:00
Stéphane Lesimple 3f7e0a11f7 enh: CVE-2018-3640 (Spectre 3a): enhance ARM mitigation detection 2026-04-08 22:35:53 +02:00
Stéphane Lesimple 5c469787ea enh: rework --batch nrpe entirely 2026-04-08 22:35:53 +02:00
Stéphane Lesimple a952fe32c4 fix: exit_cleanup: don't lose passed exit code 2026-04-08 22:35:53 +02:00
Stéphane Lesimple 61fa02d577 feat: rework the --batch prometheus output entirely 2026-04-08 22:35:53 +02:00
Stéphane Lesimple 39dea1245e feat: rework the --batch json output entirely 2026-04-08 22:35:53 +02:00
Stéphane Lesimple 3afbda8430 enh: when reading CPUID is unavailable (VM?), fallback to cpuinfo where applicable
cap_* variable <= cpuinfo flag

cap_ibrs              <= ibrs
cap_ibpb              <= ibpb
cap_stibp             <= stibp
cap_ssbd              <= ssbd / virt_ssbd
cap_l1df              <= flush_l1d
cap_md_clear          <= md_clear
cap_arch_capabilities <= arch_capabilities

Should fix #288
2026-04-08 22:35:53 +02:00
Stéphane Lesimple 6d69ce9a77 enh: read/write_msr: clearer error messages 2026-04-08 22:35:53 +02:00
Stéphane Lesimple 3ebfba2ac2 fix: CVE-2017-5715 (Spectre V2): Red Hat specific fix for RSB Filling (fixes #235) 2026-04-08 22:35:53 +02:00
Stéphane Lesimple a3f6553e65 fix: read/write msr and lockdown: fix a variable error, properly report lockdown to users 2026-04-08 22:35:53 +02:00
Stéphane Lesimple 42ed8efa65 fix: better compatibility under busybox, silence buggy unzlma versions (fix #432) 2026-04-08 22:35:53 +02:00
Stéphane Lesimple 2c766b7cc6 fix: wrmsr: specify core number (closes #294) 2026-04-08 22:35:53 +02:00
Stéphane Lesimple 49472f1b64 enh: clearer kernel info section at the top of the script 2026-04-08 22:35:53 +02:00
Stéphane Lesimple 333aa74fea enh: clearer CPU details section 2026-04-08 22:35:53 +02:00
Stéphane Lesimple 8d9504d174 chore: add comment about is_intel/amd/hygon recursion 2026-04-08 22:35:53 +02:00
Stéphane Lesimple 6043f586ef enh: update IntelDB affected CPU list to 2026-04 data, including Hybrid CPU detection 2026-04-08 22:35:53 +02:00
Stéphane Lesimple e1ace7c281 doc: document Platypus (CVE-2020-8694 CVE-2020-8695) as out of scope (#384) 2026-04-08 22:35:53 +02:00
Stéphane Lesimple 24ab98d757 doc: document CVE-2020-24511 and CVE-2020-24512 as being out of scope along with rationale (#409) 2026-04-08 22:35:53 +02:00
Stéphane Lesimple 155b3808b9 fix: CPUs affected by MSBDS but not MDS (fix #351) 2026-04-08 22:35:53 +02:00
Stéphane Lesimple b6a41918b0 doc: add CVE-2019-11157 (Plundervolt) to unsupported CVE list 2026-04-08 22:35:53 +02:00
Stéphane Lesimple 3c56ac35dd fix: better detect kernel lockdown & no longer require cap_flush_cmd to deem CVE-2018-3615 as mitigated (fix #296) 2026-04-08 22:35:53 +02:00
Stéphane Lesimple b0bb1f4676 feat: implement check for MMIO Stale Data (CVE-2022-21123 CVE-2022-21125 CVE-2022-21166) (#437) 2026-04-08 22:35:53 +02:00
Stéphane Lesimple 0fa7e44327 doc: add Blindside to unsupported list (#374) 2026-04-08 22:35:53 +02:00
Stéphane Lesimple f100b4e1dc doc: add CVE-2020-0549 (L1D Eviction Sampling, CacheOut) as unsupported 2026-04-08 22:35:53 +02:00
Stéphane Lesimple 6332fc3405 fix: CVE-2019-11135 (TAA) detect new 0x10F MSR for TSX-disabled CPUs (#414) 2026-04-08 22:35:53 +02:00