peter/spectre-meltdown-checker
1
0
Fork 0
mirror of https://github.com/speed47/spectre-meltdown-checker.git synced 2025-11-09 10:10:53 +01:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: peter:c1c1ac4dbb4270781a04384e3c4126581d9fd637
Branches Tags
peter:master peter:autoupdate-fwdb
peter:v0.46 peter:v0.45 peter:v0.44 peter:v0.43 peter:v0.42 peter:v0.41 peter:v0.40 peter:v0.39 peter:v0.38 peter:v0.37 peter:v0.36 peter:v0.35 peter:v0.34 peter:v0.33 peter:v0.32 peter:v0.31 peter:v0.30 peter:v0.29 peter:v0.28 peter:v0.27 peter:v0.26 peter:v0.25 peter:v0.24 peter:v0.23 peter:v0.22 peter:v0.21 peter:v0.20 peter:v0.19 peter:v0.18 peter:v0.17 peter:v0.16 peter:v0.15 peter:v0.14 peter:v0.13 peter:v0.12 peter:v0.11 peter:v0.10 peter:v0.09 peter:v0.08 peter:v0.07 peter:v0.06 peter:v0.05 peter:v0.04 peter:v0.03 peter:v0.02 peter:v0.01
..
compare: peter:autoupdate-fwdb
Branches Tags
peter:master peter:autoupdate-fwdb
peter:v0.46 peter:v0.45 peter:v0.44 peter:v0.43 peter:v0.42 peter:v0.41 peter:v0.40 peter:v0.39 peter:v0.38 peter:v0.37 peter:v0.36 peter:v0.35 peter:v0.34 peter:v0.33 peter:v0.32 peter:v0.31 peter:v0.30 peter:v0.29 peter:v0.28 peter:v0.27 peter:v0.26 peter:v0.25 peter:v0.24 peter:v0.23 peter:v0.22 peter:v0.21 peter:v0.20 peter:v0.19 peter:v0.18 peter:v0.17 peter:v0.16 peter:v0.15 peter:v0.14 peter:v0.13 peter:v0.12 peter:v0.11 peter:v0.10 peter:v0.09 peter:v0.08 peter:v0.07 peter:v0.06 peter:v0.05 peter:v0.04 peter:v0.03 peter:v0.02 peter:v0.01

26 Commits
c1c1ac4dbb ... autoupdate

Author SHA1 Message Date
speed47
f5d12b0f4a update: fwdb from v344+i20250811+1523 to v344+i20250811+7486, 1 microcode changes 2025-10-31 09:47:19 +00:00
Stéphane Lesimple
5f18e67f6f chore: fix autoupdate workflow 2025-10-30 23:57:05 +01:00
Gabriel Francisco
a8466b74fe fix CVE-2017-5715 reporting when IBRS_FW is enabled 2025-10-27 08:42:51 +01:00
speed47
b99be2363c update: fwdb from v296+i20240514+988c to v344+i20250811+1523, 128 microcode changes 2025-10-26 22:08:07 +01:00
Stéphane Lesimple
ee4cfd00b8 chore: add autoupdate workflow for fwdb 2025-10-25 20:48:38 +02:00
Stéphane Lesimple
c2c60e0161 chore: fix recent shellcheck warnings 2025-10-25 20:48:38 +02:00
Jörg Sommer
bae43d8370 Replace head -1 by head -n1 
The info page of GNU head says:

> For compatibility 'head' also supports an obsolete option syntax
> '-[NUM][bkm][cqv]', [...] Scripts intended for standard hosts should use
> '-c NUM' or '-n NUM' instead.

At least busybox's head does not support the `-NUM` syntax.
 2025-10-25 20:45:24 +02:00
Stéphane Lesimple
34c6095912 fix: Linux 6.9+ changed some config options names (#490) 
Issue #490 is about retpoline but other options have also changed,
as reported by a comment on the issue, this commit fixes these
other options:

Breno Leitao (10):
      x86/bugs: Rename CONFIG_GDS_FORCE_MITIGATION => CONFIG_MITIGATION_GDS_FORCE
      x86/bugs: Rename CONFIG_CPU_IBPB_ENTRY       => CONFIG_MITIGATION_IBPB_ENTRY
      x86/bugs: Rename CONFIG_CALL_DEPTH_TRACKING  => CONFIG_MITIGATION_CALL_DEPTH_TRACKING
      x86/bugs: Rename CONFIG_PAGE_TABLE_ISOLATION => CONFIG_MITIGATION_PAGE_TABLE_ISOLATION
      x86/bugs: Rename CONFIG_RETPOLINE            => CONFIG_MITIGATION_RETPOLINE
      x86/bugs: Rename CONFIG_SLS                  => CONFIG_MITIGATION_SLS
      x86/bugs: Rename CONFIG_CPU_UNRET_ENTRY      => CONFIG_MITIGATION_UNRET_ENTRY
      x86/bugs: Rename CONFIG_CPU_IBRS_ENTRY       => CONFIG_MITIGATION_IBRS_ENTRY
      x86/bugs: Rename CONFIG_CPU_SRSO             => CONFIG_MITIGATION_SRSO
      x86/bugs: Rename CONFIG_RETHUNK              => CONFIG_MITIGATION_RETHUNK
 2024-08-04 15:15:45 +02:00
Stéphane Lesimple
e806e4bc41 chore: docker compose v2 
The `docker-compose` command has been replaced by `docker compose`.
The "version" tag has also been deprecated in docker-compose.yml.
 2024-08-04 13:53:36 +02:00
Ivan Zahariev
388d44edbd Fix Retpoline detection for Linux 6.9+ (issue #490) 2024-08-04 13:41:01 +02:00
Stéphane Lesimple
bd0c7c94b5 fix: typo introduced by #483, fixes #486 2024-05-18 13:01:48 +02:00
Stéphane Lesimple
d70e4c2974 fwdb: update to v296+i20240514+988c 2024-05-18 13:01:48 +02:00
Stéphane Lesimple
4e29fb5a21 fix: ucode_platformid_mask is hexa (fixes #485) 2024-02-15 17:27:12 +01:00
Stephane Lesimple
0f2edb1a71 feat: blacklist some more microcodes (fixes #475) 2024-01-09 18:54:39 +01:00
Stephane Lesimple
8ac2539a2a fix: microcode check now supports pf_mask (fixes #482) 2024-01-09 17:05:18 +01:00
Stéphane Lesimple
97f4d5f2bc feat(reptar): add detection and mitigation of Reptar 2024-01-09 15:38:16 +01:00
Stéphane Lesimple
9b7b09ada3 fix(inception): continued mitigation detection 2023-08-25 18:50:53 +02:00
Sébastien Mériot
c94811e63d fix(inception): Zen1/2 results based on kernel mitigations 2023-08-25 18:50:53 +02:00
Sébastien Mériot
3e67047c73 feat(inception): README 2023-08-25 18:50:53 +02:00
Sébastien Mériot
ecee75716e feat(inception): kernel checks + sbpb support detection 2023-08-25 18:50:53 +02:00
Sébastien Mériot
fb6933dc64 feat(inception): Zen1/2 IBPB and SMT checks 2023-08-25 18:50:53 +02:00
Stéphane Lesimple
dc6921a1ac feat(inception): handle sysfs interface 2023-08-25 18:50:53 +02:00
Sébastien Mériot
3167762cfd feat(inception): start supporting AMD inception 2023-08-25 18:50:53 +02:00
Stéphane Lesimple
44223c5308 fix: bsd: kernel version detection 2023-08-11 18:41:35 +02:00
Stéphane Lesimple
dbe208fc48 enh: downfall: detect kernel mitigation without sysfs 2023-08-11 18:10:27 +02:00
Stéphane Lesimple
aca4e2a9b1 enh: move root warning to the bottom 2023-08-11 18:10:27 +02:00
5 changed files with 1531 additions and 956 deletions
Expand all files Collapse all files

34
.github/workflows/autoupdate.yml vendored Normal file
View File

@@ -0,0 +1,34 @@
name: autoupdate
on:
workflow_dispatch:
schedule:
- cron: '42 9 * * *'
jobs:
autoupdate:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install prerequisites
run: sudo apt-get update && sudo apt-get install -y --no-install-recommends iucode-tool sqlite3 unzip
- name: Update microcode versions
run: ./spectre-meltdown-checker.sh --update-builtin-fwdb
- name: Check git diff
id: diff
run: |
echo change="$(git diff spectre-meltdown-checker.sh | awk '/MCEDB/ { if(V) { print V" to "$4; exit } else { V=$4 } }')" >> "$GITHUB_OUTPUT"
echo nbdiff="$(git diff --numstat spectre-meltdown-checker.sh | awk '{print $1}')" >> "$GITHUB_OUTPUT"
git diff
cat "$GITHUB_OUTPUT"
- name: Create Pull Request if needed
if: steps.diff.outputs.nbdiff != '0'
uses: peter-evans/create-pull-request@v7
with:
token: ${{ secrets.SMC_PR_PAT }}
branch: autoupdate-fwdb
commit-message: "update: fwdb from ${{ steps.diff.outputs.change }}, ${{ steps.diff.outputs.nbdiff }} microcode changes"
title: "[Auto] Update fwdb from ${{ steps.diff.outputs.change }}"
body: |
Automated PR to update fwdb from ${{ steps.diff.outputs.change }}
Detected ${{ steps.diff.outputs.nbdiff }} microcode changes

12
.github/workflows/check.yml vendored
View File

@@ -24,7 +24,7 @@ jobs:
fi fi
- name: check direct execution - name: check direct execution
run: | run: |
expected=17 expected=19
nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l) nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l)
if [ "$nb" -ne "$expected" ]; then if [ "$nb" -ne "$expected" ]; then
echo "Invalid number of CVEs reported: $nb instead of $expected" echo "Invalid number of CVEs reported: $nb instead of $expected"
@@ -32,11 +32,11 @@ jobs:
else else
echo "OK $nb CVEs reported" echo "OK $nb CVEs reported"
fi fi
- name: check docker-compose run execution - name: check docker compose run execution
run: | run: |
expected=17 expected=19
docker-compose build docker compose build
nb=$(docker-compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l) nb=$(docker compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
if [ "$nb" -ne "$expected" ]; then if [ "$nb" -ne "$expected" ]; then
echo "Invalid number of CVEs reported: $nb instead of $expected" echo "Invalid number of CVEs reported: $nb instead of $expected"
exit 1 exit 1
@@ -45,7 +45,7 @@ jobs:
fi fi
- name: check docker run execution - name: check docker run execution
run: | run: |
expected=17 expected=19
docker build -t spectre-meltdown-checker . docker build -t spectre-meltdown-checker .
nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l) nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
if [ "$nb" -ne "$expected" ]; then if [ "$nb" -ne "$expected" ]; then

21
README.md
View File

@@ -21,7 +21,9 @@ CVE
[CVE-2018-12207](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207) | Machine Check Exception on Page Size Changes | MCEPSC, No eXcuses, iTLB Multihit [CVE-2018-12207](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207) | Machine Check Exception on Page Size Changes | MCEPSC, No eXcuses, iTLB Multihit
[CVE-2020-0543](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0543) | Special Register Buffer Data Sampling | SRBDS [CVE-2020-0543](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0543) | Special Register Buffer Data Sampling | SRBDS
[CVE-2022-40982](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40982) | Gather Data Sampling | GDS, Downfall [CVE-2022-40982](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40982) | Gather Data Sampling | GDS, Downfall
[CVE-2023-20569](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20569) | Return Address Security | Inception, RAS, SRSO
[CVE-2023-20593](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20593) | Cross-Process Information Leak | Zenbleed [CVE-2023-20593](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20593) | Cross-Process Information Leak | Zenbleed
[CVE-2023-23583](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23583) | Redundant Prefix issue | Reptar
Supported operating systems: Supported operating systems:
- Linux (all versions, flavors and distros) - Linux (all versions, flavors and distros)
@@ -74,10 +76,13 @@ sudo ./spectre-meltdown-checker.sh
#### With docker-compose #### With docker-compose
```shell ```shell
docker-compose build docker compose build
docker-compose run --rm spectre-meltdown-checker docker compose run --rm spectre-meltdown-checker
``` ```
Note that on older versions of docker, `docker-compose` is a separate command, so you might
need to replace the two `docker compose` occurences above by `docker-compose`.
#### Without docker-compose #### Without docker-compose
```shell ```shell
@@ -187,8 +192,20 @@ docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/m
- Mitigation: either microcode update or disabling AVX feature - Mitigation: either microcode update or disabling AVX feature
- Performance impact of the mitigation: TBD - Performance impact of the mitigation: TBD
**CVE-2023-20569** Return Address Security (Inception)
- Impact: Kernel & all software
- Mitigation: updated kernel & microcode
- Performance impact of the mitigation: low to significant depending on the mitigation
**CVE-2023-20593** Cross-Process Information Leak (Zenbleed) **CVE-2023-20593** Cross-Process Information Leak (Zenbleed)
- Impact: Kernel & all software - Impact: Kernel & all software
- Mitigation: either kernel mitigation by disabling a CPU optimization through an MSR bit, or CPU microcode mitigation - Mitigation: either kernel mitigation by disabling a CPU optimization through an MSR bit, or CPU microcode mitigation
- Performance impact of the mitigation: TBD - Performance impact of the mitigation: TBD
**CVE-2023-23583** Redundant Prefix issue (Reptar)
- Impact: All software
- Mitigation: microcode update for the affected CPU
- Performance impact of the mitigation: low

2
docker-compose.yml
View File

@@ -1,5 +1,3 @@
version: '2'
services: services:
spectre-meltdown-checker: spectre-meltdown-checker:
build: build:

2388
spectre-meltdown-checker.sh
View File

File diff suppressed because it is too large Load Diff