Stéphane Lesimple
a343bccb49
bump to v0.43
3 years ago
Stéphane Lesimple
1f604c119b
fix var typo
3 years ago
Stéphane Lesimple
bfed3187a6
fix: variant3a: Silvermont CPUs are not vulnerable to variant 3a
3 years ago
Stéphane Lesimple
0cd7e1164f
feat: detect vanilla 5.4+ locked down mode
3 years ago
Stéphane Lesimple
71129d6b48
fix: tsx: rtm feature bit is in EBX(11)
3 years ago
Stéphane Lesimple
6e799e8b01
fix: mcepsc: fix logic error on non-speculative CPUs that prevented detection of MCEPSC immunity
3 years ago
Stéphane Lesimple
4993b04922
fix: taa: CPUs having TAA_NO bit set are not vulnerable
3 years ago
Stéphane Lesimple
4fc2afe1bc
feat: add TSX_CTRL MSR detection in hardware info
3 years ago
Stéphane Lesimple
bd47275501
feat: add detection of iTLB Multihit vuln/mitigation (CVE-2018-12207)
3 years ago
Stéphane Lesimple
8ddf6b2d6d
enh: replace shell wildcard by a find to avoid potiental error (list of args too long)
3 years ago
Stéphane Lesimple
16b6490ffc
chore: avoid ${var:-]} syntax, badly confusing vim's syntax highlighter
3 years ago
Stéphane Lesimple
18df38fae6
fix: sgx: on locked down kernels, fallback to CPUID bit for detection
...
on locked down kernels (Fedora / Red Hat feature that prevents writing
to MSRs from userspace, even if root), we can't write to FLUSH_CMD MSR
to verify that it's present. So fallback to checking the existence of
the L1D flush CPUID feature bit to infer that the microcode has been
updated in a recent enough version that also mitigates SGX (fixes for
both issues have been included in the same microcode updates for all
Intel CPUs)
3 years ago
Stéphane Lesimple
a306757c22
fix: detect Red Hat locked down kernels (impacts MSR writes)
3 years ago
Stéphane Lesimple
e01f97ee75
fix: fwdb: don't use local db if it's older than our builtin version
3 years ago
Stéphane Lesimple
fa7f814f4f
chore: rename mcedb cmdline parameters to fwdb
3 years ago
Stéphane Lesimple
bb32a16a86
update fwdb to v130.20191104+i20191027
3 years ago
Stéphane Lesimple
8c84c0ba17
enh: fwdb: use both Intel GitHub repo and MCEdb to build our database
3 years ago
Stéphane Lesimple
6abe1bc62b
enh: kernel decompression: better tolerance over missing tools
...
fixes #297
3 years ago
Stéphane Lesimple
5ca7fe91ff
fix: pteinv: don't check kernel image if not available
3 years ago
Stéphane Lesimple
4ba68fba74
fix: silence useless error from grep ( fixes #322 )
3 years ago
Stéphane Lesimple
59ad312773
fix: msr: fix msr module detection under Ubuntu 19.10 ( fixes #316 )
3 years ago
Stéphane Lesimple
418533c47e
chore: remove LICENSE file, SPDX id is enough
3 years ago
Stéphane Lesimple
3e757b6177
chore: add github check workflow
3 years ago
Stéphane Lesimple
f724f94085
enh: kernel: autodetect customized arch kernels from cmdline
3 years ago
Stéphane Lesimple
dcf540888d
enh: mock: implement reading from /proc/cmdline
3 years ago
Stéphane Lesimple
9911c243b2
feat: use --live with --kernel/--config/--map to override file detection in live mode
3 years ago
Stéphane Lesimple
cb279a49ec
enh(taa): more complete version
3 years ago
Stéphane Lesimple
c100ce4c0d
mcedb: update from v112 to v130
3 years ago
Stéphane Lesimple
4741b06160
fix: batch mode for TAA
3 years ago
Stéphane Lesimple
e0a1c2ec77
fix shellcheck warnings
3 years ago
Agata Gruza
c18b88d745
Fixing typo
3 years ago
Agata Gruza
d623524342
Added support for TAA related vulnerabilities
3 years ago
Stéphane Lesimple
f5ec320fe5
enh: rework the vuln logic of MDS with --paranoid ( fixes #307 )
3 years ago
Stéphane Lesimple
cc224c0522
fix: mocking value for read_msr
...
we were returning the mocking value before actually setting it.
also remove spaces around the returned value (no behavior change)
3 years ago
Corey Wright
0518604fe6
Use kernel_err to avoid misreporting missing Linux kernel image
...
When checking for CVE-2017-5715 (i.e. `check_CVE_2017_5715_linux()`),
if we can't inspect (with `readelf`) or decompress the Linux kernel
image, then we report there is no kernel image (i.e. `we need the
kernel image` or `kernel image missing`, respectively), which confuses
users when the associated file exists.
Instead use `kernel_err` to provide a correct and detailed description
of the problem (e.g. `missing '...' tool, please install it, usually
it's in the '...' package`), so the user can take the prescribed
action.
3 years ago
Erik Zettel
d57fecec91
spectre-meltdown-checker.sh: fix typos
3 years ago
Stéphane Lesimple
f835f4d07d
Explain that Enhanced IBRS is better for performance than classic IBRS
3 years ago
Agata Gruza
482d6c200a
Enhanced IBRS capabilities
...
There are two flavors of IBRS: plain and enhanced. This patch tells which flavor of IBRS is in use.
3 years ago
David Guglielmi
91d0699029
update MCEdb from v111 to v112
3 years ago
Stéphane Lesimple
fcc4ff4de2
update MCEdb from v110 to v111, bump to v0.42
3 years ago
Stéphane Lesimple
0bd38ddda0
enh: -v -v now implies --dump-mock-data
3 years ago
Stéphane Lesimple
e83dc818cd
feat(mds): implement FreeBSD mitigation detection
3 years ago
Stéphane Lesimple
d69ea67101
feat(mock): add --dump-mock-data
3 years ago
Stéphane Lesimple
dfe0d10f2a
fix(mds): remove useless display of MD_CLEAR info in non-hw section
3 years ago
Stéphane Lesimple
58a5acfdbb
fix(bsd): read_msr returned data in an incorrect format
3 years ago
Stéphane Lesimple
ccb4dbef7c
enh(mock): avoid reading the sysfs interface outside sys_interface_check() for higher mocking coverage
3 years ago
Stéphane Lesimple
afbb26277f
feat(mock): add mocking functionality to help reproducing issues under specific CPUs
3 years ago
Stéphane Lesimple
77b34d48c6
fix(mds): check MDS_NO bit in is_cpu_mds_free()
3 years ago
Stéphane Lesimple
497efe6a82
fix(l1tf): RDCL_NO bit didn't take precedence for vulnerability check on some Intel CPUs
3 years ago
Stéphane Lesimple
62b46df4e7
fix(l1tf): remove libvirtd from hypervisor detection ( #278 )
3 years ago