bda18d04a0
fix: pine64: re-add vmlinuz location and some error checks
2018-03-10 16:02:44 +01:00
d5832dc1dc
feat: add ELF magic detection on kernel image blob for some arm64 systems
2018-03-10 14:57:25 +01:00
d2f46740e9
feat: enhance kernel image version detection for some old kernels
2018-03-10 14:57:25 +01:00
2f6a6554a2
Produce output for consumption by prometheus-node-exporter
...
A report of all vulnerable machines to be produced with a query such as:
spexec_vuln_status{status!="OK"}
2018-02-27 11:08:39 +01:00
30842dd9c0
release: bump to v0.35
2018-02-16 10:35:49 +01:00
b4ac5fcbe3
feat(variant2): better explanation when kernel supports IBRS but CPU does not
2018-02-16 10:34:01 +01:00
55a6fd3911
feat(variant1): better detection for Red Hat/Ubuntu patch
2018-02-15 21:19:49 +01:00
35c8a63de6
Remove the color in the title
2018-02-15 20:21:00 +01:00
5f914e555e
fix(xen): declare Xen's PTI patch as a valid mitigation for variant3
2018-02-14 14:24:55 +01:00
66dce2c158
fix(ucode): update blacklisted ucodes list from latest Intel info
2018-02-14 14:14:16 +01:00
155cac2102
Teach checker how to find kernels installed by systemd kernel-install
2018-02-10 20:51:33 +01:00
22cae605e1
fix(retpoline): remove the "retpoline enabled" test
...
This test worked for some early versions of the retpoline
implementation in vanilla kernels, but the corresponding
flag has been removed from /proc/cpuinfo in latest kernels.
The full information is available in /sys instead, which
was already implemented in the script.
2018-02-09 20:12:33 +01:00
eb75e51975
fix(ucode): update list of blacklisted ucodes from 2018-02-08 Intel document
...
Removed 2 ucodes and added 2 other ones
2018-02-09 19:56:27 +01:00
253e180807
Update spectre-meltdown-checker.sh
...
Dots better than colon for indicating waiting.
2018-02-06 19:02:56 +01:00
5d6102a00e
enh: show kernel version in offline mode
2018-02-02 11:27:04 +01:00
a2dfca671e
feat: detect disrepancy between found kernel image and running kernel
2018-02-02 11:13:54 +01:00
36bd80d75f
enh: speedup by not decompressing kernel on --sysfs-only
2018-02-02 11:13:31 +01:00
1834dd6201
feat: add skylake era cpu detection routine
2018-02-02 11:12:10 +01:00
3d765bc703
enh: lazy loading of cpu informations
2018-02-02 11:11:51 +01:00
07afd95b63
feat: better cleanup routine on exit & interrupt
2018-02-02 11:09:36 +01:00
b7a10126d1
fix: ARM CPU display name & detection
...
Fix ARM CPU display name, and properly
detect known vulnerable ARM CPUs when
multiple different model cores are
present (mostly Android phones)
2018-02-02 11:00:23 +01:00
6346a0deaa
fix: --no-color workaround for android's sed
2018-02-02 10:59:49 +01:00
8106f91981
release: bump to v0.34
2018-01-31 16:28:54 +01:00
b1fdf88f28
enh: display ucode info even when not blacklisted
2018-01-31 16:21:32 +01:00
4d29607630
cleanup: shellcheck pass
2018-01-31 16:15:20 +01:00
0267659adc
cleanup: remove superseded atom detection code
...
This is now handled properly by checking the CPU
vendor, family, model instead of looking for the
commercial name of the CPU in /proc/cpuinfo
2018-01-31 16:15:20 +01:00
247b176882
feat: detect known speculative-execution free CPUs
...
Based on a kernel patch that has been merged to Linus' tree.
Some of the detections we did by grepping the model name
will probably no longer be needed.
2018-01-31 16:15:20 +01:00
bcae8824ec
refacto: create a dedicated func to read cpuid bits
2018-01-31 16:15:20 +01:00
71e7109c22
refacto: move cpu discovery bits to a dedicated function
2018-01-31 16:15:20 +01:00
aa18b51e1c
fix(variant1): smarter lfence check
...
Instead of just counting the number of LFENCE
instructions, now we're only counting the those
that directly follow a jump instruction.
2018-01-31 14:34:54 +01:00
b738ac4bd7
fix: regression introduced by previous commit
...
449: ./spectre-meltdown-checker.sh: 3: parameter not set
This happened only on blacklisted microcodes, fixed by
adding set +u before the return
2018-01-31 12:13:50 +01:00
799ce3eb30
update blacklisted ucode list from kernel source
2018-01-31 11:26:23 +01:00
f1e18c136f
doc(disclaimer): Spectre affects all software
...
Add a paragraph in the disclaimer stating that this tool focuses
on the kernel side of things, and that for Spectre, any software
might be vulnerable.
2018-01-30 14:37:52 +01:00
e05ec5c85f
feat(variant1): detect vanilla mitigation
...
Implement detection of mitigation for Variant 1 that is
being pushed on vanilla kernel.
Current name of the patch:
"spectre variant1 mitigations for tip/x86/pti" (v6)
Also detect some distros that already backported this
patch without modifying the vulnerabilities sysfs hierarchy.
This detection is more reliable than the LFENCE one, trust
it and skip the LFENCE heuristic if a match is found.
2018-01-30 12:55:34 +01:00
6e544d6055
fix(cpu): Pentium Exxxx are vulnerable to Meltdown
2018-01-29 11:18:15 +01:00
90a65965ff
adjust: show how to enable IBRS/IBPB in -v only
2018-01-29 11:06:15 +01:00
9b53635eda
refacto: fix shellcheck warnings for better compat
...
Now `shellcheck -s sh` no longer shows any warnings.
This should improve compatibility with exotic shells
as long as they're POSIX compliant.
2018-01-29 10:34:08 +01:00
7404929661
Fix printing of microcode to use cpuinfo values
...
The values used should be the ones that come from cpuinfo instead of
the test values. The following line will print the last tuple tested
instead of the actual values of the CPU.
Line 689: _debug "is_ucode_blacklisted: no ($model/$stepping/$ucode)"
2018-01-26 18:23:18 +01:00
0798bd4c5b
fix: report arch_capabilities as NO when no MSR
...
When the arch_capabilities MSR is not there, it means
that all the features it might advertise can be considered
as NO instead of UNKNOWN
2018-01-26 14:55:01 +01:00
42094c4f8b
release: v0.33
2018-01-26 14:20:29 +01:00
03d2dfe008
feat: add blacklisted Intel ucode detection
...
Some Intel microcodes are known to cause instabilities
such as random reboots. Intel advises to revert to a
previous version if a newer one that fixes those issues
is not available. Detect such known bad microcodes.
2018-01-26 14:19:54 +01:00
9f00ffa5af
fix: fallback to UNKNOWN when we get -EACCES
...
For detection of IBRS_ALL and RDCL_NO, fallback to
UNKNOWN when we were unable to read the CPUID or MSR.
2018-01-26 14:16:34 +01:00
7f0d80b305
xen: detect if the host is a Xen Dom0 or PV DomU ( fixes #83 )
2018-01-25 11:04:30 +01:00
d1c1f0f0f0
fix(batch): fix regression introduced by acf12a6
...
In batch mode, $echo_cmd was not initialized early
enough, and caused this error:
./spectre-meltdown-checker.sh: 899: ./spectre-meltdown-checker.sh: -ne: not found
Fix it by initing echo_cmd unconditionally at the start
2018-01-24 17:57:19 +01:00
acf12a6d2d
feat(cpu) add STIBP, RDCL_NO, IBRS_ALL checks
...
Move all the CPU checks to their own section,
for clarity. We now check for IBRS, IBPB, STIBP,
RDCL_NO and IBRS_ALL. We also show whether the
system CPU is vulnerable to the three variants,
regardless of the fact that mitigations are in
place or not, which is determined in each vuln-
specific section.
2018-01-24 14:44:16 +01:00
b45e40bec8
feat(stibp): add STIBP cpuid feature check
2018-01-24 12:19:02 +01:00
3c1d452c99
fix(cpuid): fix off-by-one SPEC_CTRL bit check
2018-01-24 12:18:56 +01:00
53b9eda040
fix: don't make IBPB mandatory when it's not there
...
On some kernels there could be IBRS support but not
IBPB support, in that case, don't report VULN just
because IBPB is not enabled when IBRS is
2018-01-24 09:04:25 +01:00
3b0ec998b1
fix(cosmetic): tiny msg fixes
2018-01-24 09:04:25 +01:00
d55bafde19
fix(cpu): trust is_cpu_vulnerable even w/ debugfs
...
For variant3 under AMD, the debugfs vulnerabilities hierarchy
flags the system as Vulnerable, which is wrong. Trust our own
is_cpu_vulnerable() func in that case
2018-01-24 09:04:25 +01:00
Stéphane Lesimple
Sam Morris
Sylvestre Ledru
Calvin Walton
積丹尼 Dan Jacobson
Joseph Mulloy
Matthieu Cerda