Commit Graph

385 Commits

Author SHA1 Message Date
Stéphane Lesimple
aa74315df4 feat: speed up kernel version detection 2018-03-25 13:42:19 +02:00
Stéphane Lesimple
0b8a09ec70 fix: mis adjustments for BSD compat 2018-03-25 13:26:00 +02:00
Stéphane Lesimple
b42d8f2f27 fix(write_msr): use /dev/zero instead of manually echoing zeroes 2018-03-25 12:53:50 +02:00
Stéphane Lesimple
f191ec7884 feat: add --hw-only to only show CPU microcode/cpuid/msr details 2018-03-25 12:48:37 +02:00
Stéphane Lesimple
28da7a0103 misc: message clarifications 2018-03-25 12:48:03 +02:00
Stéphane Lesimple
ece25b98a1 feat: implement support for NetBSD/FreeBSD/DragonFlyBSD 2018-03-25 12:28:02 +02:00
Stéphane Lesimple
889172dbb1 feat: add special extract_vmlinux mode for old RHEL kernels 2018-03-25 11:55:44 +02:00
Stéphane Lesimple
37ce032888 fix: bypass MSR/CPUID checks for non-x86 CPUs 2018-03-25 11:55:44 +02:00
Stéphane Lesimple
701cf882ad feat: more robust validation of extracted kernel image 2018-03-25 11:55:44 +02:00
Stéphane Lesimple
6a94c3f158 feat(extract_vmlinux): look for ELF magic in decompressed blob and cut at found offset 2018-03-25 11:55:42 +02:00
Stéphane Lesimple
2d993812ab feat: add --prefix-arch for cross-arch kernel inspection 2018-03-25 11:55:10 +02:00
Stéphane Lesimple
4961f8327f fix(ucode): fix blacklist detection for some ucode versions 2018-03-19 12:09:39 +01:00
Alex
ecdc448531 Check MSR in each CPU/Thread (#136) 2018-03-17 17:17:15 +01:00
Stéphane Lesimple
12ea49fe0c fix(kvm): properly detect PVHVM mode (fixes #163) 2018-03-16 18:29:58 +01:00
Stéphane Lesimple
053f1613de fix(doc): use https:// URLs in the script comment header 2018-03-16 18:24:59 +01:00
Stéphane Lesimple
bda18d04a0 fix: pine64: re-add vmlinuz location and some error checks 2018-03-10 16:02:44 +01:00
Stéphane Lesimple
2551295541 doc: use https URLs 2018-03-10 15:20:07 +01:00
Stéphane Lesimple
d5832dc1dc feat: add ELF magic detection on kernel image blob for some arm64 systems 2018-03-10 14:57:25 +01:00
Stéphane Lesimple
d2f46740e9 feat: enhance kernel image version detection for some old kernels 2018-03-10 14:57:25 +01:00
Sam Morris
2f6a6554a2 Produce output for consumption by prometheus-node-exporter
A report of all vulnerable machines to be produced with a query such as:

    spexec_vuln_status{status!="OK"}
2018-02-27 11:08:39 +01:00
Stéphane Lesimple
30842dd9c0 release: bump to v0.35 2018-02-16 10:35:49 +01:00
Stéphane Lesimple
b4ac5fcbe3 feat(variant2): better explanation when kernel supports IBRS but CPU does not 2018-02-16 10:34:01 +01:00
Stéphane Lesimple
fef380d66f feat(readme): add quick run section 2018-02-15 21:19:49 +01:00
Stéphane Lesimple
55a6fd3911 feat(variant1): better detection for Red Hat/Ubuntu patch 2018-02-15 21:19:49 +01:00
Sylvestre Ledru
35c8a63de6 Remove the color in the title 2018-02-15 20:21:00 +01:00
Stéphane Lesimple
5f914e555e fix(xen): declare Xen's PTI patch as a valid mitigation for variant3 2018-02-14 14:24:55 +01:00
Stéphane Lesimple
66dce2c158 fix(ucode): update blacklisted ucodes list from latest Intel info 2018-02-14 14:14:16 +01:00
Calvin Walton
155cac2102 Teach checker how to find kernels installed by systemd kernel-install 2018-02-10 20:51:33 +01:00
Stéphane Lesimple
22cae605e1 fix(retpoline): remove the "retpoline enabled" test
This test worked for some early versions of the retpoline
implementation in vanilla kernels, but the corresponding
flag has been removed from /proc/cpuinfo in latest kernels.
The full information is available in /sys instead, which
was already implemented in the script.
2018-02-09 20:12:33 +01:00
Stéphane Lesimple
eb75e51975 fix(ucode): update list of blacklisted ucodes from 2018-02-08 Intel document
Removed 2 ucodes and added 2 other ones
2018-02-09 19:56:27 +01:00
積丹尼 Dan Jacobson
253e180807 Update spectre-meltdown-checker.sh
Dots better than colon for indicating waiting.
2018-02-06 19:02:56 +01:00
Stéphane Lesimple
5d6102a00e enh: show kernel version in offline mode 2018-02-02 11:27:04 +01:00
Stéphane Lesimple
a2dfca671e feat: detect disrepancy between found kernel image and running kernel 2018-02-02 11:13:54 +01:00
Stéphane Lesimple
36bd80d75f enh: speedup by not decompressing kernel on --sysfs-only 2018-02-02 11:13:31 +01:00
Stéphane Lesimple
1834dd6201 feat: add skylake era cpu detection routine 2018-02-02 11:12:10 +01:00
Stéphane Lesimple
3d765bc703 enh: lazy loading of cpu informations 2018-02-02 11:11:51 +01:00
Stéphane Lesimple
07afd95b63 feat: better cleanup routine on exit & interrupt 2018-02-02 11:09:36 +01:00
Stéphane Lesimple
b7a10126d1 fix: ARM CPU display name & detection
Fix ARM CPU display name, and properly
detect known vulnerable ARM CPUs when
multiple different model cores are
present (mostly Android phones)
2018-02-02 11:00:23 +01:00
Stéphane Lesimple
6346a0deaa fix: --no-color workaround for android's sed 2018-02-02 10:59:49 +01:00
Stéphane Lesimple
8106f91981 release: bump to v0.34 2018-01-31 16:28:54 +01:00
Stéphane Lesimple
b1fdf88f28 enh: display ucode info even when not blacklisted 2018-01-31 16:21:32 +01:00
Stéphane Lesimple
4d29607630 cleanup: shellcheck pass 2018-01-31 16:15:20 +01:00
Stéphane Lesimple
0267659adc cleanup: remove superseded atom detection code
This is now handled properly by checking the CPU
vendor, family, model instead of looking for the
commercial name of the CPU in /proc/cpuinfo
2018-01-31 16:15:20 +01:00
Stéphane Lesimple
247b176882 feat: detect known speculative-execution free CPUs
Based on a kernel patch that has been merged to Linus' tree.
Some of the detections we did by grepping the model name
will probably no longer be needed.
2018-01-31 16:15:20 +01:00
Stéphane Lesimple
bcae8824ec refacto: create a dedicated func to read cpuid bits 2018-01-31 16:15:20 +01:00
Stéphane Lesimple
71e7109c22 refacto: move cpu discovery bits to a dedicated function 2018-01-31 16:15:20 +01:00
Stéphane Lesimple
aa18b51e1c fix(variant1): smarter lfence check
Instead of just counting the number of LFENCE
instructions, now we're only counting the those
that directly follow a jump instruction.
2018-01-31 14:34:54 +01:00
Stéphane Lesimple
b738ac4bd7 fix: regression introduced by previous commit
449: ./spectre-meltdown-checker.sh: 3: parameter not set
This happened only on blacklisted microcodes, fixed by
adding set +u before the return
2018-01-31 12:13:50 +01:00
Stéphane Lesimple
799ce3eb30 update blacklisted ucode list from kernel source 2018-01-31 11:26:23 +01:00
Stéphane Lesimple
f1e18c136f doc(disclaimer): Spectre affects all software
Add a paragraph in the disclaimer stating that this tool focuses
on the kernel side of things, and that for Spectre, any software
might be vulnerable.
2018-01-30 14:37:52 +01:00