peter/spectre-meltdown-checker
1
0
Fork 0
mirror of https://github.com/speed47/spectre-meltdown-checker.git synced 2025-07-15 23:31:22 +02:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: peter:c1c1ac4dbb4270781a04384e3c4126581d9fd637
Branches Tags
peter:master
peter:v0.46 peter:v0.45 peter:v0.44 peter:v0.43 peter:v0.42 peter:v0.41 peter:v0.40 peter:v0.39 peter:v0.38 peter:v0.37 peter:v0.36 peter:v0.35 peter:v0.34 peter:v0.33 peter:v0.32 peter:v0.31 peter:v0.30 peter:v0.29 peter:v0.28 peter:v0.27 peter:v0.26 peter:v0.25 peter:v0.24 peter:v0.23 peter:v0.22 peter:v0.21 peter:v0.20 peter:v0.19 peter:v0.18 peter:v0.17 peter:v0.16 peter:v0.15 peter:v0.14 peter:v0.13 peter:v0.12 peter:v0.11 peter:v0.10 peter:v0.09 peter:v0.08 peter:v0.07 peter:v0.06 peter:v0.05 peter:v0.04 peter:v0.03 peter:v0.02 peter:v0.01
...
compare: peter:master
Branches Tags
peter:master
peter:v0.46 peter:v0.45 peter:v0.44 peter:v0.43 peter:v0.42 peter:v0.41 peter:v0.40 peter:v0.39 peter:v0.38 peter:v0.37 peter:v0.36 peter:v0.35 peter:v0.34 peter:v0.33 peter:v0.32 peter:v0.31 peter:v0.30 peter:v0.29 peter:v0.28 peter:v0.27 peter:v0.26 peter:v0.25 peter:v0.24 peter:v0.23 peter:v0.22 peter:v0.21 peter:v0.20 peter:v0.19 peter:v0.18 peter:v0.17 peter:v0.16 peter:v0.15 peter:v0.14 peter:v0.13 peter:v0.12 peter:v0.11 peter:v0.10 peter:v0.09 peter:v0.08 peter:v0.07 peter:v0.06 peter:v0.05 peter:v0.04 peter:v0.03 peter:v0.02 peter:v0.01

19 Commits
c1c1ac4dbb ... master

Author SHA1 Message Date
Stéphane Lesimple
34c6095912 fix: Linux 6.9+ changed some config options names (#490) 
Issue #490 is about retpoline but other options have also changed,
as reported by a comment on the issue, this commit fixes these
other options:

Breno Leitao (10):
      x86/bugs: Rename CONFIG_GDS_FORCE_MITIGATION => CONFIG_MITIGATION_GDS_FORCE
      x86/bugs: Rename CONFIG_CPU_IBPB_ENTRY       => CONFIG_MITIGATION_IBPB_ENTRY
      x86/bugs: Rename CONFIG_CALL_DEPTH_TRACKING  => CONFIG_MITIGATION_CALL_DEPTH_TRACKING
      x86/bugs: Rename CONFIG_PAGE_TABLE_ISOLATION => CONFIG_MITIGATION_PAGE_TABLE_ISOLATION
      x86/bugs: Rename CONFIG_RETPOLINE            => CONFIG_MITIGATION_RETPOLINE
      x86/bugs: Rename CONFIG_SLS                  => CONFIG_MITIGATION_SLS
      x86/bugs: Rename CONFIG_CPU_UNRET_ENTRY      => CONFIG_MITIGATION_UNRET_ENTRY
      x86/bugs: Rename CONFIG_CPU_IBRS_ENTRY       => CONFIG_MITIGATION_IBRS_ENTRY
      x86/bugs: Rename CONFIG_CPU_SRSO             => CONFIG_MITIGATION_SRSO
      x86/bugs: Rename CONFIG_RETHUNK              => CONFIG_MITIGATION_RETHUNK
 2024-08-04 15:15:45 +02:00
Stéphane Lesimple
e806e4bc41 chore: docker compose v2 
The `docker-compose` command has been replaced by `docker compose`.
The "version" tag has also been deprecated in docker-compose.yml.
 2024-08-04 13:53:36 +02:00
Ivan Zahariev
388d44edbd Fix Retpoline detection for Linux 6.9+ (issue #490) 2024-08-04 13:41:01 +02:00
Stéphane Lesimple
bd0c7c94b5 fix: typo introduced by #483, fixes #486 2024-05-18 13:01:48 +02:00
Stéphane Lesimple
d70e4c2974 fwdb: update to v296+i20240514+988c 2024-05-18 13:01:48 +02:00
Stéphane Lesimple
4e29fb5a21 fix: ucode_platformid_mask is hexa (fixes #485) 2024-02-15 17:27:12 +01:00
Stephane Lesimple
0f2edb1a71 feat: blacklist some more microcodes (fixes #475) 2024-01-09 18:54:39 +01:00
Stephane Lesimple
8ac2539a2a fix: microcode check now supports pf_mask (fixes #482) 2024-01-09 17:05:18 +01:00
Stéphane Lesimple
97f4d5f2bc feat(reptar): add detection and mitigation of Reptar 2024-01-09 15:38:16 +01:00
Stéphane Lesimple
9b7b09ada3 fix(inception): continued mitigation detection 2023-08-25 18:50:53 +02:00
Sébastien Mériot
c94811e63d fix(inception): Zen1/2 results based on kernel mitigations 2023-08-25 18:50:53 +02:00
Sébastien Mériot
3e67047c73 feat(inception): README 2023-08-25 18:50:53 +02:00
Sébastien Mériot
ecee75716e feat(inception): kernel checks + sbpb support detection 2023-08-25 18:50:53 +02:00
Sébastien Mériot
fb6933dc64 feat(inception): Zen1/2 IBPB and SMT checks 2023-08-25 18:50:53 +02:00
Stéphane Lesimple
dc6921a1ac feat(inception): handle sysfs interface 2023-08-25 18:50:53 +02:00
Sébastien Mériot
3167762cfd feat(inception): start supporting AMD inception 2023-08-25 18:50:53 +02:00
Stéphane Lesimple
44223c5308 fix: bsd: kernel version detection 2023-08-11 18:41:35 +02:00
Stéphane Lesimple
dbe208fc48 enh: downfall: detect kernel mitigation without sysfs 2023-08-11 18:10:27 +02:00
Stéphane Lesimple
aca4e2a9b1 enh: move root warning to the bottom 2023-08-11 18:10:27 +02:00
4 changed files with 1289 additions and 788 deletions
Expand all files Collapse all files

12
.github/workflows/check.yml vendored
View File

@ -24,7 +24,7 @@ jobs:
fi fi
- name: check direct execution - name: check direct execution
run: | run: |
expected=17 expected=19
nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l) nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l)
if [ "$nb" -ne "$expected" ]; then if [ "$nb" -ne "$expected" ]; then
echo "Invalid number of CVEs reported: $nb instead of $expected" echo "Invalid number of CVEs reported: $nb instead of $expected"
@ -32,11 +32,11 @@ jobs:
else else
echo "OK $nb CVEs reported" echo "OK $nb CVEs reported"
fi fi
- name: check docker-compose run execution - name: check docker compose run execution
run: | run: |
expected=17 expected=19
docker-compose build docker compose build
nb=$(docker-compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l) nb=$(docker compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
if [ "$nb" -ne "$expected" ]; then if [ "$nb" -ne "$expected" ]; then
echo "Invalid number of CVEs reported: $nb instead of $expected" echo "Invalid number of CVEs reported: $nb instead of $expected"
exit 1 exit 1
@ -45,7 +45,7 @@ jobs:
fi fi
- name: check docker run execution - name: check docker run execution
run: | run: |
expected=17 expected=19
docker build -t spectre-meltdown-checker . docker build -t spectre-meltdown-checker .
nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l) nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
if [ "$nb" -ne "$expected" ]; then if [ "$nb" -ne "$expected" ]; then

21
README.md
View File

@ -21,7 +21,9 @@ CVE
[CVE-2018-12207](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207) | Machine Check Exception on Page Size Changes | MCEPSC, No eXcuses, iTLB Multihit [CVE-2018-12207](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207) | Machine Check Exception on Page Size Changes | MCEPSC, No eXcuses, iTLB Multihit
[CVE-2020-0543](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0543) | Special Register Buffer Data Sampling | SRBDS [CVE-2020-0543](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0543) | Special Register Buffer Data Sampling | SRBDS
[CVE-2022-40982](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40982) | Gather Data Sampling | GDS, Downfall [CVE-2022-40982](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40982) | Gather Data Sampling | GDS, Downfall
[CVE-2023-20569](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20569) | Return Address Security | Inception, RAS, SRSO
[CVE-2023-20593](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20593) | Cross-Process Information Leak | Zenbleed [CVE-2023-20593](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20593) | Cross-Process Information Leak | Zenbleed
[CVE-2023-23583](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23583) | Redundant Prefix issue | Reptar
Supported operating systems: Supported operating systems:
- Linux (all versions, flavors and distros) - Linux (all versions, flavors and distros)
@ -74,10 +76,13 @@ sudo ./spectre-meltdown-checker.sh
#### With docker-compose #### With docker-compose
```shell ```shell
docker-compose build docker compose build
docker-compose run --rm spectre-meltdown-checker docker compose run --rm spectre-meltdown-checker
``` ```
Note that on older versions of docker, `docker-compose` is a separate command, so you might
need to replace the two `docker compose` occurences above by `docker-compose`.
#### Without docker-compose #### Without docker-compose
```shell ```shell
@ -187,8 +192,20 @@ docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/m
- Mitigation: either microcode update or disabling AVX feature - Mitigation: either microcode update or disabling AVX feature
- Performance impact of the mitigation: TBD - Performance impact of the mitigation: TBD
**CVE-2023-20569** Return Address Security (Inception)
- Impact: Kernel & all software
- Mitigation: updated kernel & microcode
- Performance impact of the mitigation: low to significant depending on the mitigation
**CVE-2023-20593** Cross-Process Information Leak (Zenbleed) **CVE-2023-20593** Cross-Process Information Leak (Zenbleed)
- Impact: Kernel & all software - Impact: Kernel & all software
- Mitigation: either kernel mitigation by disabling a CPU optimization through an MSR bit, or CPU microcode mitigation - Mitigation: either kernel mitigation by disabling a CPU optimization through an MSR bit, or CPU microcode mitigation
- Performance impact of the mitigation: TBD - Performance impact of the mitigation: TBD
**CVE-2023-23583** Redundant Prefix issue (Reptar)
- Impact: All software
- Mitigation: microcode update for the affected CPU
- Performance impact of the mitigation: low

2
docker-compose.yml
View File

@ -1,5 +1,3 @@
version: '2'
services: services:
spectre-meltdown-checker: spectre-meltdown-checker:
build: build:

2042
spectre-meltdown-checker.sh
View File

File diff suppressed because it is too large Load Diff