Stéphane Lesimple
de793a7204
feat(mds): more verbose info about kernel support and microcode support for mitigation
2019-05-15 00:21:08 +02:00
Stéphane Lesimple
5939c38c5c
update mcedb from v109 to v110 to better detect MDS microcodes
2019-05-14 20:31:27 +02:00
Stéphane Lesimple
db7d3206fd
feat(mds): add detection of availability of MD_CLEAR instruction
2019-05-14 20:30:47 +02:00
Stéphane Lesimple
1d13a423b8
adjust README
2019-05-14 20:16:01 +02:00
Agata Gruza
8e870db4f5
Added support for MDS related vulnerabilities ( #282 )
2019-05-14 19:21:20 +02:00
Stéphane Lesimple
d547ce4ab4
fix(ssb): fix error when no process uses prctl to set ssb mitigation
...
fixes #281
2019-05-13 15:35:58 +02:00
Stéphane Lesimple
d187827841
enh(vmm): add Xen daemons detection
2019-05-08 20:44:54 +02:00
Hans-Joachim Kliemeck
2e304ec617
enh(xen): improvements for xen systems ( #270 )
...
* add mitigation detection for l1tf for xen based systems
* add information for hardware mitigation
* add xen support for meltdown
2019-05-07 20:35:52 +02:00
Stéphane Lesimple
fcc04437e8
update builtin MCEdb from v96 to v109
2019-05-07 20:29:59 +02:00
Stéphane Lesimple
d31a9810e6
enhance previous commit logic
2019-05-05 20:09:53 +02:00
Stéphane Lesimple
4edb867def
fix(vmm): revert to checking the running processes to detect a hypervisor
...
More information available on #278
2019-05-05 20:04:25 +02:00
Stéphane Lesimple
1264b1c7a3
chore: more shellcheck 0.6 fixes
2019-05-05 18:34:09 +02:00
Stéphane Lesimple
7beca1ac50
fix: invalid names in json batch mode ( fixes #279 )
2019-05-05 18:15:41 +02:00
David
8ad10e15d3
chore: Comply with Shellcheck SC2209 ( #280 )
2019-05-05 17:31:18 +02:00
Stéphane Lesimple
bfa4de96e6
enh(l1tf): in paranoid mode, assume we're running a hypervisor unless stated otherwise
...
This change ensures we check for SMT and advise the user to disable it for maximum security.
Doing this, we'll help users mitigate a whole range of vulnerabilities taking advantage of SMT to attack purely from userland other userland processes, as seen in CVE-2018-5407 (also see #261 )
2019-04-21 14:05:43 +02:00
Stéphane Lesimple
b022b27a51
feat(ssbd): in live mode, report whether the mitigation is active ( fix #210 )
2019-04-20 20:27:45 +02:00
Dario Faggioli
c4bae6ee6a
IBRS kernel reported active even if sysfs has "IBRS_FW" only ( #275 ) ( #276 )
...
On a (pre-SkyLake) system, where /sys/.../vulnerabilities/spectre_v2 is
"Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, RSB filling"
the tool, incorrectly, reports, a couple of lines above:
* IBRS enabled and active: YES (for kernel and firmware code)
Use '\<IBRS\>', as suggested by @jirislaby, in upstream issue #275
(https://github.com/speed47/spectre-meltdown-checker/issues/275 ) when
checking whether IBRS is enabled/active for the kernel.
With that, the output becomes:
* IBRS enabled and active: YES (for firmware code only)
which is actually the case.
I double checked that, if the same kernel is used on a post-SkyLake
hardware, which on openSUSE uses IBRS as, even with this change, the
tool (this time correctly) reports:
* IBRS enabled and active: YES (for kernel and firmware code)
2019-04-20 14:04:29 +02:00
Stéphane Lesimple
23e7db044e
fix(bsd): load vmm if not already loaded, fixes #274
...
As we read sysctl values under the vmm hierarchy, the modules needs to be loaded,
so if not already done, we load it before testing for CVE-2018-3620 and CVE-2018-3646
2019-04-19 19:47:04 +02:00
Stéphane Lesimple
fc4981bb94
update MCEDB from v84 to v96
2019-01-20 19:52:46 +01:00
Dajiang Zhong
419508758e
add spectre and meltdown mitigation technologies checking for Hygon CPU ( #271 )
...
* add spectre and meltdown mitigation technologies checking for Hygon CPU
* update microarhitecture name for Hygon CPU family 24 with moksha
2019-01-20 19:32:36 +01:00
Stéphane Lesimple
d7d2e6934b
fix: typo in bare metal detection ( fixes #269 )
2018-12-12 00:24:17 +01:00
Lily Wilson
904a83c675
Fix Arch kernel image detection ( #268 )
...
currently, the script tries to use the wrong kernel image on Arch if an
alternative kernel (hardened, zen, or lts) is in use. Fortunately, all
the Arch kernel packages place a symlink to the kernel image as /usr/lib/modules/$(uname -r)/vmlinuz, so simply removing the guess for Arch fixes the issue.
2018-12-10 19:36:58 +01:00
Rob Gill
906f54cf9d
Improved hypervisor detection ( #259 )
...
* Code consistency
``` opt_batch_format="text" ``` replaced by ``` opt_batch_format='text' ```
```nrpe_vuln='"" ``` replaced by ``` nrpe_vuln='' ``` , as used by other parse options
Redundant ``` ! -z ``` replaced by ``` -n ```, as used elsewhere
Signed-off-by: Rob Gill <rrobgill@protonmail.com>
* Improved hypervisor detection
Tests for presence of hypervisor flag in /proc/cpuino
Tests for evidence of hypervisor in dmesg
Signed-off-by: Rob Gill <rrobgill@protonmail.com>
* formatting fix
Signed-off-by: Rob Gill <rrobgill@protonmail.com>
* Set $l1d_mode to -1 in cases where cpu/vulnerabilities/l1tf is not available
(prevents invalid number error when evaluating [ "$l1d_mode" -ge 1 ])
Signed-off-by: Rob Gill <rrobgill@protonmail.com>
* Update Intel Atom 6 cpu names to align with kernel
Update processor names of atom 6 family processors to align with those from kernel as of October 2018.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/arch/x86/include/asm/intel-family.h?id=f2c4db1bd80720cd8cb2a5aa220d9bc9f374f04e
Update list of known immune processors from
https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/arch/x86/kernel/cpu/common.c?id=f2c4db1bd80720cd8cb2a5aa220d9bc9f374f04e
* Fix unset $l1d_mode
Another instance of unset l1d_mode causing error "./spectre-meltdown-checker.sh: 3867: [: Illegal number:"
* chore: update readme with brief summary of L1tfs
L1tf mitigation and impact details from
https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html and https://blogs.oracle.com/oraclesecurity/intel-l1tf
* typo
2018-12-10 19:33:07 +01:00
Brett T. Warden
c45a06f414
Warn on missing kernel info ( #265 )
...
Missing kernel information can cause all sorts of false positives or
negatives. This is worth at least a warning, and repeating immediately
following the status.
2018-11-25 18:37:03 +01:00
Brett T. Warden
4a6fa070a4
Fix misdetection of files under Clear Linux ( #264 )
2018-11-25 18:14:04 +01:00
Stéphane Lesimple
c705afe764
bump to v0.40
2018-10-03 20:56:46 +02:00
Stanislav Kholmanskikh
401ccd4b14
Correct aarch64 KPTI dmesg message
...
As it's seen in unmap_kernel_at_el0 (both the function definition
and its usage in arm64_features[]) from arch/arm64/kernel/cpufeature.c
the kernel reports this string:
CPU features: detected: Kernel page table isolation (KPTI)
or (before commit e0f6429dc1c0 ("arm64: cpufeature: Remove redundant "feature"
in reports")):
CPU features: detected feature: Kernel page table isolation (KPTI)
if KPTI is enabled on the system.
So on let's adjust check_variant3_linux() to make it grep these
strings if executed on an aarch64 platform.
Tested on a Cavium ThunderX2 machine.
Signed-off-by: Stanislav Kholmanskikh <stanislav.kholmanskikh@oracle.com>
2018-10-03 20:49:55 +02:00
Stanislav Kholmanskikh
55120839dd
Fix a typo in check_variant3_linux()
...
Signed-off-by: Stanislav Kholmanskikh <stanislav.kholmanskikh@oracle.com>
2018-10-03 20:49:55 +02:00
Stéphane Lesimple
f5106b3c02
update MCEDB from v83 to v84 (no actual change)
2018-09-30 16:57:35 +02:00
Stéphane Lesimple
68289dae1e
feat: add --update-builtin-mcedb to update the DB inside the script
2018-09-30 16:56:58 +02:00
Stéphane Lesimple
3b2d529654
feat(l1tf): read & report ARCH_CAPABILITIES bit 3 (SKIP_VMENTRY_L1DFLUSH)
2018-09-29 13:16:07 +02:00
Stéphane Lesimple
cbb18cb6b6
fix(l1tf): properly detect status under Red Hat/CentOS kernels
2018-09-29 13:01:13 +02:00
Stéphane Lesimple
299103a3ae
some fixes when script is not started as root
2018-09-29 13:01:13 +02:00
Stéphane Lesimple
dc5402b349
chore: speed optimization of hw check and indentation fixes
2018-09-29 13:01:13 +02:00
Stéphane Lesimple
90c2ae5de2
feat: use the MCExtractor DB as the reference for the microcode versions
...
Use platomav's MCExtractor DB as the reference to decide whether our CPU microcode is the latest or not.
We have a builtin version of the DB in the script, but an updated version can be fetched and stored locally with --update-mcedb
2018-09-29 13:01:13 +02:00
Michael Lass
53d6a44754
Fix detection of CVE-2018-3615 (L1TF_SGX) ( #253 )
...
* Add another location of Arch Linux ARM kernel
* Fix detection of CVE-2018-3615
We change the value of variantl1tf in the line directly before so its
value will never be "immune". Instead we can directly use the value of
variantl1tf to initialize variantl1tf_sgx.
2018-09-29 11:35:10 +02:00
Stéphane Lesimple
297d890ce9
fix ucode version check regression introduced by fbbb19f
under BSD
2018-09-23 15:00:39 +02:00
Stéphane Lesimple
0252e74f94
feat(bsd): implement CVE-2018-3620 and CVE-2018-3646 mitigation detection
2018-09-22 12:26:56 +02:00
Nicolas Sauzede
fbbb19f244
Fix cases where a CPU ucode version is not found in $procfs/cpuinfo. ( #246 )
...
* Fix cases where a CPU ucode version is not found in $procfs/cpuinfo.
When running whithin a virtual machine, it seems like $procfs/cpuinfo doesn't contain
a 'microcode' line, which triggers a script runtime error.
Fall back to '0x0' in this case, as other part of the script seems to already this
as a default value anyway.
* Double quote to prevent globbing and word splitting.
2018-09-19 22:00:59 +02:00
Stéphane Lesimple
1571a56ce2
feat: add L1D flush cpuid feature bit detection
2018-09-19 09:05:23 +02:00
Stéphane Lesimple
3cf9141601
fix: don't display summary if no CVE was tested (e.g. --hw-only)
2018-09-19 09:04:52 +02:00
Stéphane Lesimple
bff38f1b26
BSD: add not-implemented-yet notice for Foreshadow-NG
2018-09-18 22:06:01 +02:00
Stéphane Lesimple
b419fe7c63
feat(variant4): properly detect SSBD under BSD
2018-09-18 22:00:32 +02:00
alexvong1995
f193484a4a
chore: fix deprecated SPDX license identifier ( #249 ) ( #251 )
...
The SPDX license identifier 'GPL-3.0' has been deprecated according to
<https://spdx.org/licenses/GPL-3.0.html >.
2018-09-18 20:00:53 +02:00
Laszlo Toth
349d77b3b6
Fix kernel detection when /lib/kernel exists on a distro ( #252 )
...
Commit b48b2177b7
("feat: Add Clear Linux Distro (#244 )") broke kernel
detection for distros using that directory for other purposes than
storing the kernel image.
Example:
# pacman -Qo /lib/kernel
/usr/lib/kernel/ is owned by mkinitcpio 24-2
/usr/lib/kernel/ is owned by systemd 239.2-1
Signed-off-by: Laszlo Toth <laszlth@gmail.com>
2018-09-18 20:00:20 +02:00
Stéphane Lesimple
e589ed7f02
fix: don't test SGX again in check_CVE_2018_3615, already done by is_cpu_vulnerable
2018-09-17 22:28:04 +02:00
Stéphane Lesimple
ae1206288f
fix: remove some harcoded /proc paths, use $procfs instead
2018-09-17 22:26:20 +02:00
Stéphane Lesimple
7b72c20f89
feat(l1tf): explode L1TF in its 3 distinct CVEs
2018-09-17 21:44:48 +02:00
Luis Ponce
b48b2177b7
feat: Add Clear Linux Distro ( #244 )
...
Add path of Clear Linux kernel binary and kernel config file.
2018-09-15 15:51:49 +02:00
Pierre Gaxatte
8f31634df6
feat(batch): Add a batch short option for one line result ( #243 )
...
When using this script on a large amount a machine (via clustershell or
instance) it can be easier to have a very short result on one line
showing only the vulnerabilities
2018-09-15 15:45:10 +02:00
Luis Ponce
96798b1932
chore: add SPDX GPL-3.0 license identifier ( #245 )
...
The spectre-meltdown-checker.sh file is missing licensing information.
The SPDX identifier is a legally binding shorthand, which can be
used instead of the full boiler plate text.
2018-09-15 15:33:41 +02:00
Stéphane Lesimple
687ce1a7fa
fix: load cpuid module if absent even when /dev/cpu/0/cpuid is there
2018-09-08 23:15:50 +02:00
Stéphane Lesimple
80e0db7cc4
fix: don't show erroneous ucode version when latest version is unknown ( fixes #238 )
2018-08-28 20:51:46 +02:00
David Guglielmi
e8890ffac6
feat(config): support for genkernel kernel config file ( #239 )
...
Add support for distributions using genkernel.
2018-08-28 20:24:37 +02:00
Karsten Weiss
afb36c519d
Fix typo: 'RBS filling' => 'RSB filling' ( #237 )
2018-08-18 12:05:17 +02:00
Stéphane Lesimple
0009c0d473
fix: --batch now implies --no-color to avoid colored warnings
2018-08-18 12:04:18 +02:00
Stéphane Lesimple
dd67fd94d7
feat: add FLUSH_CMD MSR availability detection (part of L1TF mitigation)
2018-08-16 19:05:09 +02:00
Stéphane Lesimple
339ad31757
fix: add missing l1tf CPU vulnerability display in hw section
2018-08-16 15:19:29 +02:00
Stéphane Lesimple
794c5be1d2
feat: add optional git describe support to display inter-release version numbers
2018-08-16 15:18:47 +02:00
Stéphane Lesimple
a7afc585a9
fix several incorrect ucode version numbers
2018-08-16 10:51:55 +02:00
Stéphane Lesimple
fc1dffd09a
feat: implement detection of latest known versions of intel microcodes
2018-08-15 12:53:49 +02:00
Stéphane Lesimple
e942616189
feat: initial support for L1TF
2018-08-15 12:05:08 +02:00
Stéphane Lesimple
360be7b35f
fix: hide arch_capabilities_msr_not_read warning under !intel
2018-08-13 15:42:56 +02:00
Stéphane Lesimple
5f59257826
bump to v0.39
2018-08-13 15:33:03 +02:00
Stéphane Lesimple
92d59cbdc1
chore: adjust some comments, add 2 missing inits
2018-08-11 10:31:10 +02:00
Stéphane Lesimple
4747b932e7
feat: add detection of RSBA feature bit and adjust logic accordingly
2018-08-10 10:26:23 +02:00
Stéphane Lesimple
860023a806
fix: ARCH MSR was not read correctly, preventing proper SSB_NO and RDCL_NO detection
2018-08-10 10:26:23 +02:00
Stéphane Lesimple
ab67a9221d
feat: read/write msr now supports msr-tools or perl as dd fallback
2018-08-10 10:26:23 +02:00
0x9fff00
f4592bf3a8
Add Arch armv5/armv7 kernel image location ( #227 )
2018-08-09 22:13:30 +02:00
Stéphane Lesimple
be15e47671
chore: setting master to v0.38+
2018-08-09 14:25:22 +02:00
Nathan Parsons
d3481d9524
Add support for the kernel being within a btrfs subvolume ( #226 )
...
- /boot may be within a named root subvolume (eg. "/@/boot")
- /boot may be in its own subvolume (eg. "/@boot")
2018-08-09 14:00:35 +02:00
Stéphane Lesimple
21af561148
bump to v0.38
2018-08-07 10:55:50 +02:00
Stéphane Lesimple
cb740397f3
feat(arm32): add spectrev1 mitigation detection
2018-08-07 10:42:03 +02:00
Stéphane Lesimple
84195689af
change: default to --no-explain, use --explain to get detailed mitigation help
2018-08-04 16:31:41 +02:00
Stéphane Lesimple
b637681fa8
fix: debug output: msg inaccuracy for ARM checks
2018-08-04 16:19:54 +02:00
Stéphane Lesimple
9316c30577
fix: armv8: models < 0xd07 are not vulnerable
2018-08-04 16:19:54 +02:00
Lily Wilson
f9dd9d8cb9
add guess for archlinuxarm aarch64 kernel image on raspberry pi 3 ( #222 )
2018-08-01 00:15:52 +02:00
Stéphane Lesimple
0f0d103a89
fix: correctly init capabilities_ssb_no var in all cases
2018-07-26 10:18:14 +02:00
Stéphane Lesimple
b262c40541
fix: remove spurious character after an else statement
2018-07-25 21:55:50 +02:00
Stéphane Lesimple
cc2910fbbc
fix: read_cpuid: don't use iflag=skip_bytes for compat with old dd versions
...
This closes #215 #199 #193
2018-07-23 09:12:30 +02:00
manish jaggi
30c4a1f6d2
arm64: cavium: Add CPU Implementer Cavium ( #216 )
...
This patch adds 0x43 check for cavium implementor id in function
parse_cpu_details. Also adds that Cavium Soc is not vulnerable to variant 3/3a
Signed-off-by: Manish Jaggi <manish.jagg@cavium.com>
2018-07-22 19:06:19 +02:00
Stéphane Lesimple
cf06636a3f
fix: prometheus output: use printf for proper \n interpretation ( #204 )
2018-06-21 23:35:51 +02:00
Stéphane Lesimple
60077c8d12
fix(arm): rewrite vuln logic from latest arm statement for Cortex A8 to A76
2018-06-21 23:24:18 +02:00
Rob Gill
c181978d7c
fix(arm): Updated arm cortex status ( #209 )
...
* Cortex A8 Vulnerable
Arm Cortex A8 is vulnerable to variants 1 & 2 (https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability )
Part number is 0xc08 (https://developer.arm.com/docs/ddi0344/b/system-control-coprocessor/system-control-coprocessorregisters/c0-main-id-register )
False negative reported by @V10lator in #206
* ARM Cortex A12 Vulnerable to 1&2
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
* A76 vulnerable to variant 4
All arch 8 cortex A57-A76 are vulnerable to variant 4.
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
* Whitelist variant4 nonvuln Arms
* ARM Cortex Whitelist & Cumulative Blacklist
Applies all information about vulnerabilities of ARM Cortex processors (from https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability ).
Whitelist & blacklist approach, using both vulnerable and non vulnerable status for each identified CPU, with vulnerabilities tracked cumulatively for multi CPU systems.
2018-06-16 12:14:39 +02:00
Rob Gill
5962d20ba7
fix(variant4): whitelist from common.c::cpu_no_spec_store_bypass ( #202 )
...
* variant4 from common.c::cpu_no_spec_store_bypass
Variant 4 - Add function to 'whitelist' the hand-full of CPUs unaffected by speculative store bypass.
This would allow improved determination of variant 4 status ( #189 ) of immune CPUs while waiting for the 4.17/stable patches to be backported to distro kernels.
Source of cpu list : https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/kernel/cpu/common.c#n945 )
Modeled after is_cpu_specex_free()
* amd families fix
amd families are reported by parse_cpu_details() in decimal
* remove duplicates
Only list processors which speculate and are immune to variant 4.
Avoids duplication with non-speculating CPUs listed in is_cpu_specex_free()
2018-05-27 15:14:29 +02:00
Rob Gill
17a3488505
fix(help): add missing references to variants 3a & 4 ( #201 )
2018-05-24 16:35:57 +02:00
Stéphane Lesimple
e54e8b3e84
chore: remove warning in README, fix display indentation
2018-05-24 16:32:53 +02:00
Stéphane Lesimple
39c778e3ac
fix(amd): AMD families 0x15-0x17 non-arch MSRs are a valid way to control SSB
2018-05-23 23:08:07 +02:00
Stéphane Lesimple
2cde6e4649
feat(ssbd): add detection of proper CPUID bits on AMD
2018-05-23 22:50:52 +02:00
Stéphane Lesimple
f4d51e7e53
fix(variant4): add another detection way for Red Hat kernel
2018-05-23 22:47:54 +02:00
Stéphane Lesimple
85d46b2799
feat(variant4): add more detailed explanations
2018-05-23 21:08:58 +02:00
Stéphane Lesimple
61e02abd0c
feat(variant3a): detect up to date microcode
2018-05-23 21:08:08 +02:00
Stéphane Lesimple
114756fab7
fix(amd): not vulnerable to variant3a
2018-05-23 20:38:43 +02:00
Rob Gill
ea75969eb7
fix(help): Update variant options in usage message ( #200 )
2018-05-22 15:54:25 +02:00
Stéphane Lesimple
ca391cbfc9
fix(variant2): correctly detect IBRS/IBPB in SLES kernels
2018-05-22 12:06:46 +02:00
Stéphane Lesimple
68af5c5f92
feat(variant4): detect SSBD-aware kernel
2018-05-22 12:05:46 +02:00
Stéphane Lesimple
f75cc0bb6f
feat(variant4): add sysfs mitigation hint and some explanation about the vuln
2018-05-22 09:39:11 +02:00
Stéphane Lesimple
f33d65ff71
feat(variant3a): add information about microcode-sufficient mitigation
2018-05-22 09:38:29 +02:00
Stéphane Lesimple
725eaa8bf5
feat(arm): adjust vulnerable ARM CPUs for variant3a and variant4
2018-05-22 09:19:29 +02:00
Stéphane Lesimple
c6ee0358d1
feat(variant4): report SSB_NO CPUs as not vulnerable
2018-05-22 09:18:30 +02:00
Stéphane Lesimple
22d0b203da
fix(ssb_no): rename ssbd_no to ssb_no and fix shift
2018-05-22 00:38:31 +02:00
Stéphane Lesimple
3062a8416a
fix(msg): add missing words
2018-05-22 00:10:08 +02:00
Stéphane Lesimple
6a4318addf
feat(variant3a/4): initial support for 2 new CVEs
2018-05-22 00:06:56 +02:00
Stéphane Lesimple
c19986188f
fix(variant2): adjust detection for SLES kernels
2018-05-19 09:53:12 +02:00
Rob Gill
7e4899bcb8
ibrs can't be enabled on no ibrs cpu ( #195 )
...
* ibrs can't be enabled on no ibrs cpu
If the cpu is identified, and does not support SPEC_CTRL or IBRS, then ibrs can't be enabled, even if supported by the kernel.
Instead of reporting IBRS enabled and active UNKNOWN, report IBRS enabled and active NO.
2018-05-17 15:39:48 +02:00
rrobgill
5cc77741af
Update spectre-meltdown-checker.sh
2018-05-05 13:00:44 +02:00
rrobgill
1c0f6d9580
cpuid and msr module check
...
This adds a check before loading the cpuid and msr modules under linux, ensuring they are not unloaded in exit_cleanup() if they were initially present.
2018-05-05 13:00:44 +02:00
Onno Zweers
4acd0f647a
Suggestion to change VM to a CPU with IBRS capability
2018-04-20 20:35:12 +02:00
Stéphane Lesimple
fb52dbe7bf
set master branch to v0.37+
2018-04-20 20:34:42 +02:00
Stéphane Lesimple
edebe4dcd4
bump to v0.37
2018-04-18 23:51:45 +02:00
Stéphane Lesimple
83ea78f523
fix: arm: also detect variant 1 mitigation when using native objdump
2018-04-17 18:50:32 +02:00
Stéphane Lesimple
602b68d493
fix(spectrev2): explain that retpoline is possible for Skylake+ if there is RSB filling, even if IBRS is still better
2018-04-16 09:27:28 +02:00
Stéphane Lesimple
97bccaa0d7
feat: rephrase IBPB warning when only retpoline is enabled in non-paranoid mode
2018-04-16 09:13:25 +02:00
Stéphane Lesimple
68e619b0d3
feat: show RSB filling capability for non-Skylake in verbose mode
2018-04-16 09:08:25 +02:00
Stéphane Lesimple
a6f4475cee
feat: make IBRS_FW blue instead of green
2018-04-16 09:07:54 +02:00
Stéphane Lesimple
223f5028df
feat: add --paranoid to choose whether we require IBPB
2018-04-15 23:05:30 +02:00
Stéphane Lesimple
c0108b9690
fix(spectre2): don't explain how to fix when NOT VULNERABLE
2018-04-15 20:55:55 +02:00
Stéphane Lesimple
a3016134bd
feat: make RSB filling support mandatory for Skylake+ CPUs
2018-04-15 20:55:31 +02:00
Stéphane Lesimple
59d85b39c9
feat: detect RSB filling capability in the kernel
2018-04-15 20:55:01 +02:00
Stéphane Lesimple
baaefb0c31
fix: remove shellcheck warnings
2018-04-11 22:24:03 +02:00
Igor Lubashev
d452aca03a
fix: invalid bash syntax when ibpb_enabled or ibrs_enabled are empty
2018-04-11 10:29:42 +02:00
Stéphane Lesimple
10b8d94724
feat: detect latest Red Hat kernels' RO ibpb_enabled knob
2018-04-10 22:51:45 +02:00
Stéphane Lesimple
8606e60ef7
refactor: no longer display the retoline-aware compiler test when we can't tell for sure
2018-04-10 22:51:45 +02:00
Stéphane Lesimple
6a48251647
fix: regression in 51aeae25, when retpoline & ibpb are enabled
2018-04-10 22:51:45 +02:00
Stéphane Lesimple
f4bf5e95ec
fix: typos
2018-04-10 22:51:45 +02:00
Stéphane Lesimple
60eac1ad43
feat: also do PTI performance check with (inv)pcid for BSD
2018-04-10 22:51:45 +02:00
Stéphane Lesimple
b3cc06a6ad
fix regression introduced by 82c25dc
2018-04-10 22:51:45 +02:00
Stéphane Lesimple
5553576e31
feat(amd/zen): re-introduce IBRS for AMD except ZEN family
2018-04-10 22:51:45 +02:00
Stéphane Lesimple
e16ad802da
feat(ibpb=2): add detection of SMT before concluding the system is not vulnerable
2018-04-10 22:51:45 +02:00
Stéphane Lesimple
29c294edff
feat(bsd): explain how to mitigate variant2
2018-04-10 22:51:45 +02:00
Stéphane Lesimple
59714011db
refactor: IBRS_ALL & RDCL_NO are Intel-only
2018-04-10 22:51:45 +02:00
Stéphane Lesimple
51e8261a32
refactor: separate hw checks for Intel & AMD
2018-04-10 22:49:28 +02:00
Stéphane Lesimple
2a4bfad835
refactor: add is_amd and is_intel funcs
2018-04-10 22:49:28 +02:00
Stéphane Lesimple
7e52cea66e
feat(spectre2): refined how status of this vuln is decided and more precise explanations on how to fix
2018-04-10 22:49:28 +02:00
Benjamin Bouvier
417d7aab91
Fix trailing whitespace and mixed indent styles;
2018-04-10 22:42:47 +02:00
Sylvestre Ledru
67bf761029
Fix some user facing typos with codespell -w -q3 .
2018-04-08 18:44:13 +02:00
Stéphane Lesimple
0eabd266ad
refactor: decrease default verbosity for some tests
2018-04-05 22:20:16 +02:00
Stéphane Lesimple
b77fb0f226
fix: don't override ibrs/ibpb results with later tests
2018-04-05 22:04:20 +02:00
Stéphane Lesimple
89c2e0fb21
fix(amd): show cpuinfo and ucode details
2018-04-05 21:39:27 +02:00
Stéphane Lesimple
b88f32ed95
feat: print raw cpuid, and fetch ucode version under BSD
2018-04-05 00:07:12 +02:00
Stéphane Lesimple
7a4ebe8009
refactor: rewrite read_cpuid to get more common code parts between BSD and Linux
2018-04-05 00:06:24 +02:00
Stéphane Lesimple
0919f5c236
feat: add explanations of what to do when a vulnerability is not mitigated
2018-04-05 00:03:04 +02:00
Stéphane Lesimple
de02dad909
feat: rework Spectre V2 mitigations detection w/ latest vanilla & Red Hat 7 kernels
2018-04-05 00:01:54 +02:00
Stéphane Lesimple
07484d0ea7
add dump of variables at end of script in debug mode
2018-04-04 23:58:15 +02:00
Stéphane Lesimple
a8b557b9e2
fix(cpu): skip CPU checks if asked to (--no-hw) or if inspecting a kernel of another architecture
2018-04-03 19:36:28 +02:00
Stéphane Lesimple
619b2749d8
fix(sysfs): only check for sysfs for spectre2 when in live mode
2018-04-03 19:32:36 +02:00
Stéphane Lesimple
056ed00baa
feat(arm): detect spectre variant 1 mitigation
2018-04-03 15:52:25 +02:00
Stéphane Lesimple
aef99d20f3
fix(pti): when PTI activation is unknown, don't say we're vulnerable
2018-04-03 12:45:17 +02:00
Stéphane Lesimple
e2d7ed2243
feat(arm): support for variant2 and meltdown mitigation detection
2018-04-01 17:50:18 +02:00
Stéphane Lesimple
eeaeff8ec3
set version to v0.36+ for master branch between releases
2018-04-01 17:45:01 +02:00