Commit Graph

519 Commits

Author SHA1 Message Date
Stéphane Lesimple
3b0ec998b1 fix(cosmetic): tiny msg fixes 2018-01-24 09:04:25 +01:00
Stéphane Lesimple
d55bafde19 fix(cpu): trust is_cpu_vulnerable even w/ debugfs
For variant3 under AMD, the debugfs vulnerabilities hierarchy
flags the system as Vulnerable, which is wrong. Trust our own
is_cpu_vulnerable() func in that case
2018-01-24 09:04:25 +01:00
Stéphane Lesimple
147462c0ab fix(variant3): do our checks even if sysfs is here 2018-01-24 09:04:25 +01:00
Stéphane Lesimple
ddc7197b86 fix(retpoline): retpoline-compiler detection
When kernel is not compiled with retpoline option, doesn't
have the sysfs vulnerability hierarchy and our heuristic to
detect a retpoline-aware compiler didn't match, change result
for retpoline-aware compiler detection from UNKNOWN to NO.
When CONFIG_RETPOLINE is not set, a retpoline-aware compiler
won't produce different asm than a standard one anyway.
2018-01-24 09:04:25 +01:00
Stéphane Lesimple
e7aa3b9d16 feat(retpoline): check if retpoline is enabled
Before we would just check if retpoline was compiled
in, now we also check that it's enabled at runtime
(only in live mode)
2018-01-24 09:04:25 +01:00
Stéphane Lesimple
ff5c92fa6f feat(sysfs): print details even with sysfs
Before, when the /sys kernel vulnerability interface
was available, we would bypass all our tests and just
print the output of the vulnerability interface. Now,
we still rely on it when available, but we run our
checks anyway, except for variant 1 where the current
method of mitigation detection doesn't add much value
to the bare /sys check
2018-01-24 09:04:25 +01:00
Stéphane Lesimple
443d9a2ae9 feat(ibpb): now also check for IBPB on variant 2
In addition to IBRS (and microcode support), IBPB
must be used to mitigate variant 2, if retpoline
support is not available. The vulnerability status
of a system will be defined as "non vulnerable"
if IBRS and IBPB are both enabled, or if IBPB
is enabled with a value of 2 for RedHat kernels,
see https://access.redhat.com/articles/3311301
2018-01-24 09:04:25 +01:00
Stéphane Lesimple
3e454f1817 fix(offline): report unknown when too few info
In offline mode, in the worst case where an invalid
config file is given, and we have no vmlinux image
nor System.map, the script was reporting Variant 2
and Variant 3 as vulnerable in the global status.
Replace this by a proper pair of UNKNOWNs
2018-01-23 22:20:34 +01:00
Stéphane Lesimple
c8a25c5d97 feat: detect invalid kconfig files 2018-01-23 21:48:19 +01:00
Stéphane Lesimple
40381349ab fix(dmesg): detect when dmesg is truncated
To avoid false negatives when looking for a message
in dmesg, we were previously also grepping in known
on-disk archives of dmesg (dmesg.log, kern.log).
This in turn caused false positives because we have no
guarantee that we're grepping the dmesg of the current
running kernel. Hence we now only look in the live
`dmesg`, detect if it has been truncated, and report
it to the user.
2018-01-21 16:26:08 +01:00
Stéphane Lesimple
0aa5857a76 fix(cpu): Pentium Exxxx series are not vulnerable
Pentium E series are not in the vulnerable list from
Intel, and Spectre2 PoC reportedly doesn't work on
an E5200
2018-01-21 16:13:17 +01:00
Stéphane Lesimple
b3b7f634e6 fix(display): use text-mode compatible colors
in text-mode 80-cols TERM=linux terminals, colors
were not displaying properly, one had to use
--no-color to be able to read some parts of the
text.
2018-01-21 12:32:22 +01:00
Stéphane Lesimple
263ef65fec bump to v0.32 2018-01-20 12:49:12 +01:00
Stéphane Lesimple
a1bd233c49 revert to a simpler check_vmlinux() 2018-01-20 12:26:26 +01:00
Stéphane Lesimple
de6590cd09 cache is_cpu_vulnerable result for performance 2018-01-20 12:24:23 +01:00
Stéphane Lesimple
56d4f82484 is_cpu_vulnerable: implement check for multi-arm systems 2018-01-20 12:24:23 +01:00
Stéphane Lesimple
7fa2d6347b check_vmlinux: when readelf doesn't work, try harder with another way 2018-01-20 12:23:55 +01:00
Stéphane Lesimple
3be5e90481 be smarter to find a usable echo command 2018-01-20 12:23:55 +01:00
Stéphane Lesimple
995620a682 add pine64 vmlinuz location 2018-01-20 12:23:19 +01:00
Stéphane Lesimple
193e0d8d08 arm: cosmetic fix for name and handle aarch64 2018-01-20 12:22:48 +01:00
Stéphane Lesimple
72ef94ab3d ARM: display a friendly name instead of empty string 2018-01-20 12:22:48 +01:00
Harald Hoyer
ccc0453df7 search in /lib/modules/$(uname -r) for vmlinuz, config, System.map
On Fedora machines /lib/modules/$(uname -r) has all the files.
2018-01-20 11:19:34 +01:00
Stéphane Lesimple
14ca49a042 Atom N270: implement another variation 2018-01-19 18:47:38 +01:00
Stéphane Lesimple
db357b8e25 CoreOS: remove ephemeral install of a non-used package 2018-01-18 10:17:25 +01:00
Stéphane Lesimple
42a57dd980 add kern.log as another backend of dmesg output 2018-01-17 17:17:39 +01:00
Stéphane Lesimple
5ab95f3656 fix(atom): don't use a pcre regex, only an extended one 2018-01-17 12:01:13 +01:00
Stéphane Lesimple
5b6e39916d fix(atom): properly detect Nxxx Atom series 2018-01-17 11:07:47 +01:00
Willy Sudiarto Raharjo
556951d5f0 Add Support for Slackware.
Signed-off-by: Willy Sudiarto Raharjo <willysr@gmail.com>
2018-01-16 11:55:03 +01:00
Stéphane Lesimple
7a88aec95f
Implement CoreOS compatibility mode (#84)
* Add special CoreOS compatibility mode
* CoreOS: refuse --coreos if we're not under CoreOS
* CoreOS: warn if launched without --coreos option
* is_coreos: make stderr silent
* CoreOS: tiny adjustments
2018-01-16 10:33:01 +01:00
Stéphane Lesimple
bd18323d79 bump to v0.31 to reflect changes 2018-01-14 22:34:09 +01:00
Stéphane Lesimple
b89d67dd15 meltdown: detecting Xen PV, reporting as not vulnerable 2018-01-14 22:31:21 +01:00
Stéphane Lesimple
704e54019a is_cpu_vulnerable: add check for old Atoms 2018-01-14 21:32:56 +01:00
Stéphane Lesimple
d96093171a verbose: add PCID check for performance impact of PTI 2018-01-14 17:18:34 +01:00
Stéphane Lesimple
dcc4488340
Merge pull request #80 from speed47/cpuid_spec_ctrl
v0.30, cpuid spec ctrl and other enhancements
2018-01-14 16:48:02 +01:00
Stéphane Lesimple
32e3fe6c07 bump to v0.30 to reflect changes 2018-01-14 16:45:59 +01:00
Stéphane Lesimple
f488947d43
Merge pull request #79 from andir/add-nixos
add support for NixOS kernel
2018-01-14 16:40:10 +01:00
Stéphane Lesimple
71213c11b3 ibrs: check for spec_ctrl_ibrs in cpuinfo 2018-01-14 16:36:51 +01:00
Andreas Rammhold
2964c4ab44
add support for NixOS kernel
this removes the need to specify the kernel version manually on NixOS
2018-01-14 16:18:29 +01:00
Stéphane Lesimple
749f432d32 also check for spec_ctrl flag in cpuinfo 2018-01-14 15:47:51 +01:00
Stéphane Lesimple
a422b53d7c also check for cpuinfo flag 2018-01-14 15:47:51 +01:00
Stéphane Lesimple
c483a2cf60 check spec_ctrl support using cpuid 2018-01-14 15:47:51 +01:00
Stéphane Lesimple
dead0054a4 fix: proper detail msg in vuln status 2018-01-14 15:47:22 +01:00
Stéphane Lesimple
8ed7d465aa
Merge pull request #77 from speed47/exitcode
proper return codes regardless of the batch mode
2018-01-14 14:25:12 +01:00
Stéphane Lesimple
e5e4851d72 proper return codes regardless of the batch mode 2018-01-14 14:24:31 +01:00
Stéphane Lesimple
7f92717a2c add info about accuracy when missing kernel files 2018-01-13 13:59:17 +01:00
Stéphane Lesimple
b47d505689 AMD now vuln to variant2 (as per their stmt) 2018-01-13 13:35:31 +01:00
Corey Hickey
4a2d051285 minor is_cpu_vulnerable() changes (#71)
* correct is_cpu_vulnerable() comment

As far as I can tell, the function and usage are correct for the comment
to be inverted.

Add a clarifying note as to why the value choice makes sense.

* exit on invalid varient

If this happens, it's a bug in the script. None of the calling code
checks for status 255, so don't let a scripting bug cause a false
negative.

* no need to set vulnerable CPUs

According to comment above this code:
'by default, everything is vulnerable, we work in a "whitelist" logic here.'
2018-01-13 13:16:37 +01:00
Sylvestre Ledru
f3551b9734 Only show the name of the script, not the full path (#72) 2018-01-13 13:14:19 +01:00
Sylvestre Ledru
45b98e125f fix some typos (#73) 2018-01-13 13:13:40 +01:00
Stéphane Lesimple
dce917bfbb add --version, bump to v0.28 2018-01-12 19:10:44 +01:00