We can figure out whether SMT is enabled or not, by checking the
topology of the CPUs, as it is exposed in /sys.
This means the information is available also when we are running
in `--sysfs-only` mode.
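Added example, not the checker's own code: one way to derive the SMT state purely from the sysfs topology files, so that it keeps working in `--sysfs-only` mode. The sysfs root is a parameter so the function can be exercised against a constructed tree (built below in a temporary directory) as well as the real `/sys`.

```shell
#!/bin/sh
# Added example (not spectre-meltdown-checker's own code): decide whether SMT
# is on by reading the per-CPU topology from a sysfs root.  The root is a
# parameter so a constructed tree can stand in for the real /sys.

# Prints "yes" if any CPU lists more than one sibling thread, "no" if every
# core exposes a single thread, and "unknown" if no topology file is readable.
smt_state_from_sysfs() {
    root="$1"
    found=0
    for f in "$root"/devices/system/cpu/cpu[0-9]*/topology/thread_siblings_list; do
        [ -r "$f" ] || continue
        found=1
        siblings=$(cat "$f")
        # "0,2" or "0-1" means the core has a sibling thread; "3" means it does not
        case "$siblings" in
            *,*|*-*) echo yes; return 0 ;;
        esac
    done
    if [ "$found" -eq 1 ]; then echo no; else echo unknown; fi
    return 0
}

# Build a constructed sysfs tree: one cpuN/topology/thread_siblings_list per
# argument, in CPU order.
make_fake_sysfs() {
    root="$1"; shift
    i=0
    for list in "$@"; do
        d="$root/devices/system/cpu/cpu$i/topology"
        mkdir -p "$d"
        printf '%s\n' "$list" > "$d/thread_siblings_list"
        i=$((i + 1))
    done
}

# Constructed layouts: a 2-core/4-thread box with SMT on, the same box with
# SMT off, and a tree with no topology at all.
TMP=$(mktemp -d)
FAKE_SMT="$TMP/smt"
FAKE_NOSMT="$TMP/nosmt"
make_fake_sysfs "$FAKE_SMT" "0,2" "1,3" "0,2" "1,3"
make_fake_sysfs "$FAKE_NOSMT" "0" "1" "2" "3"

echo "constructed tree with siblings: $(smt_state_from_sysfs "$FAKE_SMT")"
echo "constructed tree without:       $(smt_state_from_sysfs "$FAKE_NOSMT")"
echo "empty tree:                     $(smt_state_from_sysfs "$TMP/none")"
```

Pointing the function at the real tree is `smt_state_from_sysfs /sys`; the "unknown" result is what a `--sysfs-only` caller should treat as "cannot tell" rather than as SMT disabled.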
Info about the 2nd mitigation to L1TF is gathered in various ways.
Some are available under /sys, and hence should be checked when
we're invoked without parameters, and with `--sysfs-only`, while
they should be ignored when we are invoked with `--no-sysfs`.
Some others use other sources, and hence should be ignored if
we are invoked with `--sysfs-only`.
Checking whether or not EPT is enabled happens via /sys.
We should therefore also make sure that we do that when being
invoked with no options, and with `--sysfs-only`, and that we
don't when invoked with `--no-sysfs`.
We are now able to figure out whether or not we are running a hypervisor
(at least potentially) via /sys, so let's actually use that information.
This commit makes sure that, both when running with no options and with
`--sysfs-only`, finding 'VMX' inside the L1TF sysfs vulnerability file
is enough for calling the system a virtualization host.
If we can look in `/sys/devices/system/cpu/vulnerabilities/l1tf`, and
we find 'VMX' in it, it means we can run KVM guests, and hence we are
running as a hypervisor.
Right now, on a system with VMX enabled, with KVM guests running, and
booted with "l1tf=off", I see this:
```text
CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
* Information from the /sys interface: VMX: vulnerable
* This system is a host running a hypervisor: NO
... ... ...
* L1D flush enabled: NO
> STATUS: NOT VULNERABLE (this system is not running a hypervisor)
```
Which is wrong.
In fact, as said, guests are running, so we are a hypervisor,
and with "l1tf=off" (and hence L1D flush disabled) we are vulnerable.
We don't use $msg and $status.
Also, by always initializing l1d_mode, we fix the following "crash",
when running with `--sysfs-only`:
```text
CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
* Information from the /sys interface: VMX: vulnerable
./spectre-meltdown-checker.sh: line 3945: [: : integer expression expected
```
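Added example covering the two preceding commit messages (the VMX-based hypervisor-host detection and the `l1d_mode` initialisation); it is not the checker's own code. It reads the `l1tf` sysfs file from a given root, treats a mention of `VMX` as "this is a virtualization host", maps the VMX part of the line onto an `l1d_mode` number that always starts at 0 (so the `[ ... -ge ... ]` test never sees an empty string), and combines both into the CVE-2018-3646 verdict. The `VMX:` strings are the ones the kernel prints for the `l1tf=` modes; the sysfs trees are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not spectre-meltdown-checker's own code.  Reads an l1tf
# sysfs file, decides whether the box is a hypervisor host (the file mentions
# VMX) and always initialises l1d_mode before the integer comparison that the
# commit message above shows crashing.

# Prints "yes" if the l1tf file is readable and mentions VMX, "no" otherwise.
l1tf_host_from_sysfs() {
    f="$1/devices/system/cpu/vulnerabilities/l1tf"
    if [ -r "$f" ] && grep -q 'VMX' "$f"; then echo yes; else echo no; fi
    return 0
}

# Map the VMX part of the l1tf line onto a number:
#   0 = L1D flush disabled (l1tf=off, "VMX: vulnerable")
#   1 = conditional flushes ("VMX: conditional cache flushes")
#   2 = always flush ("VMX: cache flushes") or flush not needed on this CPU
# l1d_mode starts at 0, so a missing file or an unexpected line never leaves
# it empty (the cause of "[: : integer expression expected").
l1d_mode_from_sysfs() {
    f="$1/devices/system/cpu/vulnerabilities/l1tf"
    l1d_mode=0
    if [ -r "$f" ]; then
        case "$(cat "$f")" in
            *"VMX: conditional cache flushes"*) l1d_mode=1 ;;
            *"VMX: cache flushes"*)             l1d_mode=2 ;;
            *"VMX: flush not necessary"*)       l1d_mode=2 ;;
        esac
    fi
    echo "$l1d_mode"
    return 0
}

# Final verdict for CVE-2018-3646, combining the two pieces above.
l1tf_vmm_status() {
    root="$1"
    host=$(l1tf_host_from_sysfs "$root")
    mode=$(l1d_mode_from_sysfs "$root")
    if [ "$host" != "yes" ]; then
        echo "NOT VULNERABLE (this system is not running a hypervisor)"
    elif [ "$mode" -ge 1 ]; then
        echo "OK (L1D flush enabled)"
    else
        echo "VULNERABLE (hypervisor host and L1D flush disabled)"
    fi
    return 0
}

# Constructed sysfs trees: a KVM host booted with l1tf=off, one with the
# default conditional flushes, one without VMX, and one without the file.
write_l1tf() {
    mkdir -p "$1/devices/system/cpu/vulnerabilities"
    printf '%s\n' "$2" > "$1/devices/system/cpu/vulnerabilities/l1tf"
}
TMP=$(mktemp -d)
write_l1tf "$TMP/off"   "Mitigation: PTE Inversion; VMX: vulnerable"
write_l1tf "$TMP/cond"  "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable"
write_l1tf "$TMP/novmx" "Mitigation: PTE Inversion"

for t in off cond novmx none; do
    echo "$t: $(l1tf_vmm_status "$TMP/$t")"
done
```

With the constructed `off` tree this yields the verdict the commit message argues for (hypervisor host, L1D flush disabled, therefore vulnerable) instead of the "not running a hypervisor" line quoted above, and the `none` tree exercises the path that used to crash.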
Currently, the script tries to use the wrong kernel image on Arch if an
alternative kernel (hardened, zen, or lts) is in use. Fortunately, all
the Arch kernel packages place a symlink to the kernel image as /usr/lib/modules/$(uname -r)/vmlinuz, so simply removing the guess for Arch fixes the issue.
Missing kernel information can cause all sorts of false positives or
negatives. This is worth at least a warning, and repeating immediately
following the status.
As it's seen in unmap_kernel_at_el0 (both the function definition
and its usage in arm64_features[]) from arch/arm64/kernel/cpufeature.c
the kernel reports this string:
CPU features: detected: Kernel page table isolation (KPTI)
or (before commit e0f6429dc1c0 ("arm64: cpufeature: Remove redundant "feature"
in reports")):
CPU features: detected feature: Kernel page table isolation (KPTI)
if KPTI is enabled on the system.
So let's adjust check_variant3_linux() to make it grep these
strings if executed on an aarch64 platform.
Tested on a Cavium ThunderX2 machine.
Signed-off-by: Stanislav Kholmanskikh <stanislav.kholmanskikh@oracle.com>
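Added example, not the checker's `check_variant3_linux()`: a grep that accepts both wordings of the arm64 KPTI line quoted in the commit message, gated on the architecture so that other platforms keep their existing checks. The kernel log is read from stdin so that the constructed samples below can stand in for `dmesg`.

```shell
#!/bin/sh
# Added example (not spectre-meltdown-checker's code): detect KPTI on arm64
# from the "CPU features" line, accepting both the current wording and the
# pre-e0f6429dc1c0 "detected feature:" one.  Log text comes from stdin.

# Prints "yes" if a KPTI line is present on stdin, "no" otherwise.
kpti_from_cpufeatures() {
    if grep -Eq 'CPU features: detected( feature)?: Kernel page table isolation \(KPTI\)'; then
        echo yes
    else
        echo no
    fi
    return 0
}

# Only consult the arm64 log message on aarch64; elsewhere print "n/a" so a
# caller keeps using its other (x86) checks.
kpti_status_for_arch() {
    arch="$1"
    if [ "$arch" = "aarch64" ]; then
        kpti_from_cpufeatures
    else
        echo "n/a"
    fi
    return 0
}

# Constructed kernel log samples (timestamps and CPU id are placeholders).
NEW_LOG='[    0.000000] Booting Linux on physical CPU 0x0
[    0.012345] CPU features: detected: Kernel page table isolation (KPTI)
[    0.023456] CPU features: detected: Privileged Access Never'
OLD_LOG='[    0.012345] CPU features: detected feature: Kernel page table isolation (KPTI)'
NO_LOG='[    0.012345] CPU features: detected: Privileged Access Never'

echo "new wording, aarch64: $(printf '%s\n' "$NEW_LOG" | kpti_status_for_arch aarch64)"
echo "old wording, aarch64: $(printf '%s\n' "$OLD_LOG" | kpti_status_for_arch aarch64)"
echo "no KPTI line, aarch64: $(printf '%s\n' "$NO_LOG" | kpti_status_for_arch aarch64)"
echo "new wording, x86_64:  $(printf '%s\n' "$NEW_LOG" | kpti_status_for_arch x86_64)"
```

On a live system the call would be `dmesg | kpti_status_for_arch "$(uname -m)"`; an absent line only means the boot log did not contain it (for instance because the ring buffer has wrapped), so "no" should be reported as "not detected" rather than as proof that KPTI is off.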
Use platomav's MCExtractor DB as the reference to decide whether our CPU microcode is the latest or not.
We have a builtin version of the DB in the script, but an updated version can be fetched and stored locally with --update-mcedb
* Add another location of Arch Linux ARM kernel
* Fix detection of CVE-2018-3615
We change the value of variantl1tf in the line directly before so its
value will never be "immune". Instead we can directly use the value of
variantl1tf to initialize variantl1tf_sgx.
* Fix cases where a CPU ucode version is not found in $procfs/cpuinfo.
When running within a virtual machine, it seems like $procfs/cpuinfo doesn't contain
a 'microcode' line, which triggers a script runtime error.
Fall back to '0x0' in this case, as other parts of the script seem to already use this
as a default value anyway.
* Double quote to prevent globbing and word splitting.
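Added example, not the checker's code or its MCExtractor-derived DB, covering the microcode handling in the last two messages: read the `microcode` value from a cpuinfo file, fall back to `0x0` when the line is absent (as in many VMs), and compare the revision against a reference table keyed by CPU signature. Every expansion is double-quoted, as the last bullet asks. The reference table is a constructed placeholder with made-up "latest" values, and the cpuinfo files are built in a temporary directory.

```shell
#!/bin/sh
# Added example, not spectre-meltdown-checker's own code.  Reads the microcode
# revision from a cpuinfo file, falls back to 0x0 when the line is absent, and
# compares the value against a constructed reference table (NOT the real
# MCExtractor DB) keyed by CPU signature.

# Print the first 'microcode' value from the given cpuinfo file, or 0x0.
ucode_from_cpuinfo() {
    v=$(awk -F': *' '/^microcode/ { print $2; exit }' "$1")
    [ -n "$v" ] || v=0x0
    echo "$v"
    return 0
}

# Constructed reference table: "<signature> <latest revision>".  The latest
# revisions are made-up placeholders, not real microcode versions.
REF_DB='0x000406e3 0x00c2
0x000306c3 0x0025'

# Print "latest", "outdated", or "unknown" for a signature/revision pair.
# Hex strings are compared numerically via arithmetic expansion.
ucode_status() {
    sig="$1"; have="$2"
    latest=$(printf '%s\n' "$REF_DB" | awk -v s="$sig" '$1 == s { print $2; exit }')
    if [ -z "$latest" ]; then
        echo unknown
    elif [ $((have)) -ge $((latest)) ]; then
        echo latest
    else
        echo outdated
    fi
    return 0
}

# Constructed cpuinfo excerpts: a bare-metal host and a VM without the line.
TMP=$(mktemp -d)
cat > "$TMP/cpuinfo_host" <<'EOF'
processor   : 0
vendor_id   : GenuineIntel
cpu family  : 6
model       : 78
microcode   : 0x00c2
EOF
cat > "$TMP/cpuinfo_vm" <<'EOF'
processor   : 0
vendor_id   : GenuineIntel
cpu family  : 6
model       : 78
EOF

HOST_UCODE=$(ucode_from_cpuinfo "$TMP/cpuinfo_host")
VM_UCODE=$(ucode_from_cpuinfo "$TMP/cpuinfo_vm")
echo "host: ucode=$HOST_UCODE -> $(ucode_status 0x000406e3 "$HOST_UCODE")"
echo "vm:   ucode=$VM_UCODE -> $(ucode_status 0x000406e3 "$VM_UCODE")"
```

The VM case comes out as "outdated" (0x0 is below any published revision), which is the honest answer: inside a guest the script cannot see the host's microcode, so the result should be read as "unknown from here" rather than as a confirmed stale revision.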
Commit b48b2177b7 ("feat: Add Clear Linux Distro (#244)") broke kernel
detection for distros using that directory for other purposes than
storing the kernel image.
Example:
```text
# pacman -Qo /lib/kernel
/usr/lib/kernel/ is owned by mkinitcpio 24-2
/usr/lib/kernel/ is owned by systemd 239.2-1
```
Signed-off-by: Laszlo Toth <laszlth@gmail.com>
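Added example, not the checker's own lookup, covering both kernel-image messages above (the Arch `/usr/lib/modules/$(uname -r)/vmlinuz` symlink and the `/lib/kernel` directory that other packages own). It walks a short candidate list under a root directory and accepts only a regular file with symlinks resolved, so a bare directory is never mistaken for the image. The layouts are constructed in a temporary directory and the release string is a placeholder.

```shell
#!/bin/sh
# Added example, not spectre-meltdown-checker's own code.  Finds the running
# kernel's image under a root directory, accepting only a regular file (the
# -f test follows symlinks and rejects directories).

# Print the first candidate that is a regular file; print nothing and return
# 1 if none is.  The candidate list is this example's own, not the checker's.
find_kernel_image() {
    root="$1"; rel="$2"
    for cand in \
        "$root/usr/lib/modules/$rel/vmlinuz" \
        "$root/boot/vmlinuz-$rel" \
        "$root/boot/vmlinuz"
    do
        if [ -f "$cand" ]; then
            echo "$cand"
            return 0
        fi
    done
    return 1
}

REL="5.0.0-example"   # placeholder for $(uname -r)
TMP=$(mktemp -d)

# Arch-style layout: the image is /boot/vmlinuz-linux-zen (no release in the
# name), /usr/lib/modules/<rel>/vmlinuz links to it, and /lib/kernel exists
# because mkinitcpio/systemd own it, not because an image lives there.
ARCH="$TMP/arch"
mkdir -p "$ARCH/boot" "$ARCH/usr/lib/modules/$REL" "$ARCH/lib/kernel"
printf 'constructed-kernel-image\n' > "$ARCH/boot/vmlinuz-linux-zen"
ln -s "$ARCH/boot/vmlinuz-linux-zen" "$ARCH/usr/lib/modules/$REL/vmlinuz"

# Layout with /lib/kernel present but no image anywhere.
BARE="$TMP/bare"
mkdir -p "$BARE/lib/kernel"

ARCH_IMG=$(find_kernel_image "$ARCH" "$REL")
echo "arch layout: ${ARCH_IMG:-no kernel image found}"
BARE_IMG=$(find_kernel_image "$BARE" "$REL") || true
echo "bare layout: ${BARE_IMG:-no kernel image found}"
echo "/lib/kernel is a regular file: $([ -f "$ARCH/lib/kernel" ] && echo yes || echo no)"
```

On Arch with the zen kernel the `/boot/vmlinuz-<release>` guess fails and the modules symlink wins, which is the behaviour the first message describes; on the bare layout the presence of `/lib/kernel` alone is not enough to report anything, which is the regression the second message fixes.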
When using this script on a large number of machines (via clustershell, for
instance) it can be easier to have a very short result on one line
showing only the vulnerabilities.
The spectre-meltdown-checker.sh file is missing licensing information.
The SPDX identifier is a legally binding shorthand, which can be
used instead of the full boilerplate text.
* Listed the required volumes in the Dockerfile.
* Added docker-compose.yml for convenience as users won't need to manually
specify volumes and stuff when running through docker-compose.
Adjusted README.md to reflect this change.