Commit Graph

427 Commits

Author SHA1 Message Date
Agata Gruza 482d6c200a Enhanced IBRS capabilities
There are two flavors of IBRS: plain and enhanced. This patch tells which flavor of IBRS is in use.
2019-08-16 12:53:39 +02:00
David Guglielmi 91d0699029 update MCEdb from v111 to v112 2019-06-03 22:49:03 +02:00
Stéphane Lesimple fcc4ff4de2 update MCEdb from v110 to v111, bump to v0.42 2019-05-24 22:49:45 +02:00
Stéphane Lesimple 0bd38ddda0 enh: -v -v now implies --dump-mock-data 2019-05-24 11:36:39 +02:00
Stéphane Lesimple e83dc818cd feat(mds): implement FreeBSD mitigation detection 2019-05-24 11:17:04 +02:00
Stéphane Lesimple d69ea67101 feat(mock): add --dump-mock-data 2019-05-24 10:49:40 +02:00
Stéphane Lesimple dfe0d10f2a fix(mds): remove useless display of MD_CLEAR info in non-hw section 2019-05-24 10:20:48 +02:00
Stéphane Lesimple 58a5acfdbb fix(bsd): read_msr returned data in an incorrect format 2019-05-24 09:33:56 +02:00
Stéphane Lesimple ccb4dbef7c enh(mock): avoid reading the sysfs interface outside sys_interface_check() for higher mocking coverage 2019-05-24 09:28:18 +02:00
Stéphane Lesimple afbb26277f feat(mock): add mocking functionality to help reproducing issues under specific CPUs 2019-05-24 09:28:18 +02:00
Stéphane Lesimple 77b34d48c6 fix(mds): check MDS_NO bit in is_cpu_mds_free() 2019-05-24 09:28:18 +02:00
Stéphane Lesimple 497efe6a82 fix(l1tf): RDCL_NO bit didn't take precedence for vulnerability check on some Intel CPUs 2019-05-24 09:28:18 +02:00
Stéphane Lesimple 62b46df4e7 fix(l1tf): remove libvirtd from hypervisor detection (#278) 2019-05-18 14:22:42 +02:00
Stéphane Lesimple 7d1f269bed fix(mds): AMD confirms they're not vulnerable 2019-05-16 11:31:28 +02:00
Erich Ritz 4f9ca803c8 Fix help text (#285)
* fix --help message

Commit 7b72c20f89 added help text for the
--cve switch, and the "can be specified multiple times" note got
associated with the --cve switch instead of staying with the --variant
switch.  Restore the line to belong to the --variant switch help
message.

* Add new variants to error message

Commit 8e870db4f5 added new variants but
did not add them to the error message that listed the allowable
variants.  Add them now.
2019-05-15 19:34:51 +02:00
Stéphane Lesimple 5788cec18b fix(mds): ARM and CAVIUM are not thought to be vulnerable 2019-05-15 10:56:49 +02:00
Stéphane Lesimple ae56ec0bc5 bump to v0.41 2019-05-15 09:57:28 +02:00
Stéphane Lesimple 8fd4e3ab01 fix(xen): remove xenbus and xenwatch as they also exist in domU 2019-05-15 00:23:05 +02:00
Stéphane Lesimple de793a7204 feat(mds): more verbose info about kernel support and microcode support for mitigation 2019-05-15 00:21:08 +02:00
Stéphane Lesimple 5939c38c5c update mcedb from v109 to v110 to better detect MDS microcodes 2019-05-14 20:31:27 +02:00
Stéphane Lesimple db7d3206fd feat(mds): add detection of availability of MD_CLEAR instruction 2019-05-14 20:30:47 +02:00
Stéphane Lesimple 1d13a423b8 adjust README 2019-05-14 20:16:01 +02:00
Agata Gruza 8e870db4f5 Added support for MDS related vulnerabilities (#282) 2019-05-14 19:21:20 +02:00
Stéphane Lesimple d547ce4ab4 fix(ssb): fix error when no process uses prctl to set ssb mitigation
fixes #281
2019-05-13 15:35:58 +02:00
Stéphane Lesimple d187827841 enh(vmm): add Xen daemons detection 2019-05-08 20:44:54 +02:00
Hans-Joachim Kliemeck 2e304ec617 enh(xen): improvements for xen systems (#270)
* add mitigation detection for l1tf for xen based systems
* add information for hardware mitigation
* add xen support for meltdown
2019-05-07 20:35:52 +02:00
Stéphane Lesimple fcc04437e8 update builtin MCEdb from v96 to v109 2019-05-07 20:29:59 +02:00
Stéphane Lesimple d31a9810e6 enhance previous commit logic 2019-05-05 20:09:53 +02:00
Stéphane Lesimple 4edb867def fix(vmm): revert to checking the running processes to detect a hypervisor
More information available on #278
2019-05-05 20:04:25 +02:00
Stéphane Lesimple 1264b1c7a3 chore: more shellcheck 0.6 fixes 2019-05-05 18:34:09 +02:00
Stéphane Lesimple 7beca1ac50 fix: invalid names in json batch mode (fixes #279) 2019-05-05 18:15:41 +02:00
David 8ad10e15d3 chore: Comply with Shellcheck SC2209 (#280) 2019-05-05 17:31:18 +02:00
Stéphane Lesimple bfa4de96e6 enh(l1tf): in paranoid mode, assume we're running a hypervisor unless stated otherwise
This change ensures we check for SMT and advise the user to disable it for maximum security.
Doing this, we'll help users mitigate a whole range of vulnerabilities taking advantage of SMT to attack purely from userland other userland processes, as seen in CVE-2018-5407 (also see #261)
2019-04-21 14:05:43 +02:00
Stéphane Lesimple b022b27a51 feat(ssbd): in live mode, report whether the mitigation is active (fix #210) 2019-04-20 20:27:45 +02:00
Dario Faggioli c4bae6ee6a IBRS kernel reported active even if sysfs has "IBRS_FW" only (#275) (#276)
On a (pre-SkyLake) system, where /sys/.../vulnerabilities/spectre_v2 is
"Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, RSB filling"

the tool, incorrectly, reports, a couple of lines above:
* IBRS enabled and active:  YES  (for kernel and firmware code)

Use '\<IBRS\>', as suggested by @jirislaby, in upstream issue #275
(https://github.com/speed47/spectre-meltdown-checker/issues/275) when
checking whether IBRS is enabled/active for the kernel.

With that, the output becomes:
* IBRS enabled and active:  YES  (for firmware code only)

which is actually the case.

I double checked that, if the same kernel is used on a post-SkyLake
hardware, which on openSUSE uses IBRS as, even with this change, the
tool (this time correctly) reports:
* IBRS enabled and active:  YES  (for kernel and firmware code)
2019-04-20 14:04:29 +02:00
Stéphane Lesimple 23e7db044e fix(bsd): load vmm if not already loaded, fixes #274
As we read sysctl values under the vmm hierarchy, the modules needs to be loaded,
so if not already done, we load it before testing for CVE-2018-3620 and CVE-2018-3646
2019-04-19 19:47:04 +02:00
Stéphane Lesimple fc4981bb94 update MCEDB from v84 to v96 2019-01-20 19:52:46 +01:00
Dajiang Zhong 419508758e add spectre and meltdown mitigation technologies checking for Hygon CPU (#271)
* add spectre and meltdown mitigation technologies checking for Hygon CPU

* update microarhitecture name for Hygon CPU family 24 with moksha
2019-01-20 19:32:36 +01:00
Stéphane Lesimple d7d2e6934b fix: typo in bare metal detection (fixes #269) 2018-12-12 00:24:17 +01:00
Lily Wilson 904a83c675 Fix Arch kernel image detection (#268)
currently, the script tries to use the wrong kernel image on Arch if an
alternative kernel (hardened, zen, or lts) is in use. Fortunately, all
the Arch kernel packages place a symlink to the kernel image as /usr/lib/modules/$(uname -r)/vmlinuz, so simply removing the guess for Arch fixes the issue.
2018-12-10 19:36:58 +01:00
Rob Gill 906f54cf9d Improved hypervisor detection (#259)
* Code consistency

``` opt_batch_format="text" ``` replaced by ``` opt_batch_format='text' ```
```nrpe_vuln='"" ``` replaced by ``` nrpe_vuln='' ``` , as used by other parse options

Redundant ``` ! -z ``` replaced by ``` -n ```, as used elsewhere

Signed-off-by: Rob Gill <rrobgill@protonmail.com>

* Improved hypervisor detection

Tests for presence of hypervisor flag in /proc/cpuino
Tests for evidence of hypervisor in dmesg

Signed-off-by: Rob Gill <rrobgill@protonmail.com>

* formatting fix

Signed-off-by: Rob Gill <rrobgill@protonmail.com>

* Set $l1d_mode to -1 in cases where cpu/vulnerabilities/l1tf is not available

(prevents invalid number error when evaluating [ "$l1d_mode" -ge 1 ])

Signed-off-by: Rob Gill <rrobgill@protonmail.com>

* Update Intel Atom 6 cpu names to align with kernel

Update processor names of atom 6 family processors to align with those from kernel as of October 2018.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/arch/x86/include/asm/intel-family.h?id=f2c4db1bd80720cd8cb2a5aa220d9bc9f374f04e
Update list of known immune processors from
https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/arch/x86/kernel/cpu/common.c?id=f2c4db1bd80720cd8cb2a5aa220d9bc9f374f04e

* Fix unset $l1d_mode

Another instance of unset l1d_mode causing error "./spectre-meltdown-checker.sh: 3867: [: Illegal number:"

* chore: update readme with brief summary of L1tfs

L1tf mitigation and impact details from

https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html and https://blogs.oracle.com/oraclesecurity/intel-l1tf

* typo
2018-12-10 19:33:07 +01:00
Brett T. Warden c45a06f414 Warn on missing kernel info (#265)
Missing kernel information can cause all sorts of false positives or
negatives. This is worth at least a warning, and repeating immediately
following the status.
2018-11-25 18:37:03 +01:00
Brett T. Warden 4a6fa070a4 Fix misdetection of files under Clear Linux (#264) 2018-11-25 18:14:04 +01:00
Stéphane Lesimple c705afe764 bump to v0.40 2018-10-03 20:56:46 +02:00
Stanislav Kholmanskikh 401ccd4b14 Correct aarch64 KPTI dmesg message
As it's seen in unmap_kernel_at_el0 (both the function definition
and its usage in arm64_features[]) from arch/arm64/kernel/cpufeature.c
the kernel reports this string:

CPU features: detected: Kernel page table isolation (KPTI)

or (before commit e0f6429dc1c0 ("arm64: cpufeature: Remove redundant "feature"
in reports")):

CPU features: detected feature: Kernel page table isolation (KPTI)

if KPTI is enabled on the system.

So on let's adjust check_variant3_linux() to make it grep these
strings if executed on an aarch64 platform.

Tested on a Cavium ThunderX2 machine.

Signed-off-by: Stanislav Kholmanskikh <stanislav.kholmanskikh@oracle.com>
2018-10-03 20:49:55 +02:00
Stanislav Kholmanskikh 55120839dd Fix a typo in check_variant3_linux()
Signed-off-by: Stanislav Kholmanskikh <stanislav.kholmanskikh@oracle.com>
2018-10-03 20:49:55 +02:00
Stéphane Lesimple f5106b3c02 update MCEDB from v83 to v84 (no actual change) 2018-09-30 16:57:35 +02:00
Stéphane Lesimple 68289dae1e feat: add --update-builtin-mcedb to update the DB inside the script 2018-09-30 16:56:58 +02:00
Stéphane Lesimple 3b2d529654 feat(l1tf): read & report ARCH_CAPABILITIES bit 3 (SKIP_VMENTRY_L1DFLUSH) 2018-09-29 13:16:07 +02:00
Stéphane Lesimple cbb18cb6b6 fix(l1tf): properly detect status under Red Hat/CentOS kernels 2018-09-29 13:01:13 +02:00
Stéphane Lesimple 299103a3ae some fixes when script is not started as root 2018-09-29 13:01:13 +02:00
Stéphane Lesimple dc5402b349 chore: speed optimization of hw check and indentation fixes 2018-09-29 13:01:13 +02:00
Stéphane Lesimple 90c2ae5de2 feat: use the MCExtractor DB as the reference for the microcode versions
Use platomav's MCExtractor DB as the reference to decide whether our CPU microcode is the latest or not.
We have a builtin version of the DB in the script, but an updated version can be fetched and stored locally with --update-mcedb
2018-09-29 13:01:13 +02:00
Michael Lass 53d6a44754 Fix detection of CVE-2018-3615 (L1TF_SGX) (#253)
* Add another location of Arch Linux ARM kernel

* Fix detection of CVE-2018-3615

We change the value of variantl1tf in the line directly before so its
value will never be "immune". Instead we can directly use the value of
variantl1tf to initialize variantl1tf_sgx.
2018-09-29 11:35:10 +02:00
Stéphane Lesimple 297d890ce9 fix ucode version check regression introduced by fbbb19f under BSD 2018-09-23 15:00:39 +02:00
Stéphane Lesimple 0252e74f94 feat(bsd): implement CVE-2018-3620 and CVE-2018-3646 mitigation detection 2018-09-22 12:26:56 +02:00
Nicolas Sauzede fbbb19f244 Fix cases where a CPU ucode version is not found in $procfs/cpuinfo. (#246)
* Fix cases where a CPU ucode version is not found in $procfs/cpuinfo.

When running whithin a virtual machine, it seems like $procfs/cpuinfo doesn't contain
a 'microcode' line, which triggers a script runtime error.
Fall back to '0x0' in this case, as other part of the script seems to already this
as a default value anyway.

* Double quote to prevent globbing and word splitting.
2018-09-19 22:00:59 +02:00
Stéphane Lesimple 1571a56ce2 feat: add L1D flush cpuid feature bit detection 2018-09-19 09:05:23 +02:00
Stéphane Lesimple 3cf9141601 fix: don't display summary if no CVE was tested (e.g. --hw-only) 2018-09-19 09:04:52 +02:00
Stéphane Lesimple bff38f1b26 BSD: add not-implemented-yet notice for Foreshadow-NG 2018-09-18 22:06:01 +02:00
Stéphane Lesimple b419fe7c63 feat(variant4): properly detect SSBD under BSD 2018-09-18 22:00:32 +02:00
alexvong1995 f193484a4a chore: fix deprecated SPDX license identifier (#249) (#251)
The SPDX license identifier 'GPL-3.0' has been deprecated according to
<https://spdx.org/licenses/GPL-3.0.html>.
2018-09-18 20:00:53 +02:00
Laszlo Toth 349d77b3b6 Fix kernel detection when /lib/kernel exists on a distro (#252)
Commit b48b2177b7 ("feat: Add Clear Linux Distro (#244)") broke kernel
detection for distros using that directory for other purposes than
storing the kernel image.

Example:
 # pacman -Qo /lib/kernel
/usr/lib/kernel/ is owned by mkinitcpio 24-2
/usr/lib/kernel/ is owned by systemd 239.2-1

Signed-off-by: Laszlo Toth <laszlth@gmail.com>
2018-09-18 20:00:20 +02:00
Stéphane Lesimple e589ed7f02 fix: don't test SGX again in check_CVE_2018_3615, already done by is_cpu_vulnerable 2018-09-17 22:28:04 +02:00
Stéphane Lesimple ae1206288f fix: remove some harcoded /proc paths, use $procfs instead 2018-09-17 22:26:20 +02:00
Stéphane Lesimple 7b72c20f89 feat(l1tf): explode L1TF in its 3 distinct CVEs 2018-09-17 21:44:48 +02:00
Luis Ponce b48b2177b7 feat: Add Clear Linux Distro (#244)
Add path of Clear Linux kernel binary and kernel config file.
2018-09-15 15:51:49 +02:00
Pierre Gaxatte 8f31634df6 feat(batch): Add a batch short option for one line result (#243)
When using this script on a large amount a machine (via clustershell or
instance) it can be easier to have a very short result on one line
showing only the vulnerabilities
2018-09-15 15:45:10 +02:00
Luis Ponce 96798b1932 chore: add SPDX GPL-3.0 license identifier (#245)
The spectre-meltdown-checker.sh file is missing licensing information.
The SPDX identifier is a legally binding shorthand, which can be
used instead of the full boiler plate text.
2018-09-15 15:33:41 +02:00
Stéphane Lesimple 687ce1a7fa fix: load cpuid module if absent even when /dev/cpu/0/cpuid is there 2018-09-08 23:15:50 +02:00
Stéphane Lesimple 80e0db7cc4 fix: don't show erroneous ucode version when latest version is unknown (fixes #238) 2018-08-28 20:51:46 +02:00
David Guglielmi e8890ffac6 feat(config): support for genkernel kernel config file (#239)
Add support for distributions using genkernel.
2018-08-28 20:24:37 +02:00
Karsten Weiss afb36c519d Fix typo: 'RBS filling' => 'RSB filling' (#237) 2018-08-18 12:05:17 +02:00
Stéphane Lesimple 0009c0d473 fix: --batch now implies --no-color to avoid colored warnings 2018-08-18 12:04:18 +02:00
Stéphane Lesimple dd67fd94d7 feat: add FLUSH_CMD MSR availability detection (part of L1TF mitigation) 2018-08-16 19:05:09 +02:00
Stéphane Lesimple 339ad31757 fix: add missing l1tf CPU vulnerability display in hw section 2018-08-16 15:19:29 +02:00
Stéphane Lesimple 794c5be1d2 feat: add optional git describe support to display inter-release version numbers 2018-08-16 15:18:47 +02:00
Stéphane Lesimple a7afc585a9 fix several incorrect ucode version numbers 2018-08-16 10:51:55 +02:00
Stéphane Lesimple fc1dffd09a feat: implement detection of latest known versions of intel microcodes 2018-08-15 12:53:49 +02:00
Stéphane Lesimple e942616189 feat: initial support for L1TF 2018-08-15 12:05:08 +02:00
Stéphane Lesimple 360be7b35f fix: hide arch_capabilities_msr_not_read warning under !intel 2018-08-13 15:42:56 +02:00
Stéphane Lesimple 5f59257826 bump to v0.39 2018-08-13 15:33:03 +02:00
Stéphane Lesimple 92d59cbdc1 chore: adjust some comments, add 2 missing inits 2018-08-11 10:31:10 +02:00
Stéphane Lesimple 4747b932e7 feat: add detection of RSBA feature bit and adjust logic accordingly 2018-08-10 10:26:23 +02:00
Stéphane Lesimple 860023a806 fix: ARCH MSR was not read correctly, preventing proper SSB_NO and RDCL_NO detection 2018-08-10 10:26:23 +02:00
Stéphane Lesimple ab67a9221d feat: read/write msr now supports msr-tools or perl as dd fallback 2018-08-10 10:26:23 +02:00
0x9fff00 f4592bf3a8 Add Arch armv5/armv7 kernel image location (#227) 2018-08-09 22:13:30 +02:00
Stéphane Lesimple be15e47671 chore: setting master to v0.38+ 2018-08-09 14:25:22 +02:00
Nathan Parsons d3481d9524 Add support for the kernel being within a btrfs subvolume (#226)
- /boot may be within a named root subvolume (eg. "/@/boot")
- /boot may be in its own subvolume (eg. "/@boot")
2018-08-09 14:00:35 +02:00
Stéphane Lesimple 21af561148 bump to v0.38 2018-08-07 10:55:50 +02:00
Stéphane Lesimple cb740397f3 feat(arm32): add spectrev1 mitigation detection 2018-08-07 10:42:03 +02:00
Stéphane Lesimple 84195689af change: default to --no-explain, use --explain to get detailed mitigation help 2018-08-04 16:31:41 +02:00
Stéphane Lesimple b637681fa8 fix: debug output: msg inaccuracy for ARM checks 2018-08-04 16:19:54 +02:00
Stéphane Lesimple 9316c30577 fix: armv8: models < 0xd07 are not vulnerable 2018-08-04 16:19:54 +02:00
Lily Wilson f9dd9d8cb9 add guess for archlinuxarm aarch64 kernel image on raspberry pi 3 (#222) 2018-08-01 00:15:52 +02:00
Stéphane Lesimple 0f0d103a89 fix: correctly init capabilities_ssb_no var in all cases 2018-07-26 10:18:14 +02:00
Stéphane Lesimple b262c40541 fix: remove spurious character after an else statement 2018-07-25 21:55:50 +02:00
Stéphane Lesimple cc2910fbbc fix: read_cpuid: don't use iflag=skip_bytes for compat with old dd versions
This closes #215 #199 #193
2018-07-23 09:12:30 +02:00
manish jaggi 30c4a1f6d2 arm64: cavium: Add CPU Implementer Cavium (#216)
This patch adds 0x43 check for cavium implementor id in function
parse_cpu_details. Also adds that Cavium Soc is not vulnerable to variant 3/3a

Signed-off-by: Manish Jaggi <manish.jagg@cavium.com>
2018-07-22 19:06:19 +02:00
Stéphane Lesimple cf06636a3f fix: prometheus output: use printf for proper \n interpretation (#204) 2018-06-21 23:35:51 +02:00