fix: Linux 6.9+ changed some config options names (#490 )

Issue #490 is about retpoline but other options have also changed, as reported by a comment on the issue, this commit fixes these other options: Breno Leitao (10): x86/bugs: Rename CONFIG_GDS_FORCE_MITIGATION => CONFIG_MITIGATION_GDS_FORCE x86/bugs: Rename CONFIG_CPU_IBPB_ENTRY => CONFIG_MITIGATION_IBPB_ENTRY x86/bugs: Rename CONFIG_CALL_DEPTH_TRACKING => CONFIG_MITIGATION_CALL_DEPTH_TRACKING x86/bugs: Rename CONFIG_PAGE_TABLE_ISOLATION => CONFIG_MITIGATION_PAGE_TABLE_ISOLATION x86/bugs: Rename CONFIG_RETPOLINE => CONFIG_MITIGATION_RETPOLINE x86/bugs: Rename CONFIG_SLS => CONFIG_MITIGATION_SLS x86/bugs: Rename CONFIG_CPU_UNRET_ENTRY => CONFIG_MITIGATION_UNRET_ENTRY x86/bugs: Rename CONFIG_CPU_IBRS_ENTRY => CONFIG_MITIGATION_IBRS_ENTRY x86/bugs: Rename CONFIG_CPU_SRSO => CONFIG_MITIGATION_SRSO x86/bugs: Rename CONFIG_RETHUNK => CONFIG_MITIGATION_RETHUNK
chore: docker compose v2
2025-07-15 23:31:22 +02:00 · 2024-08-04 15:15:45 +02:00 · 2024-08-04 13:53:36 +02:00 · 2024-08-04 13:41:01 +02:00 · 2024-05-18 13:01:48 +02:00 · 2024-05-18 13:01:48 +02:00
4 changed files with 1289 additions and 788 deletions
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@ -24,7 +24,7 @@ jobs:
        fi
    - name: check direct execution
      run: |
-        expected=17
+        expected=19
        nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l)
        if [ "$nb" -ne "$expected" ]; then
          echo "Invalid number of CVEs reported: $nb instead of $expected"
@ -32,11 +32,11 @@ jobs:
        else
          echo "OK $nb CVEs reported"
        fi
-    - name: check docker-compose run execution
+    - name: check docker compose run execution
      run: |
-        expected=17
-        docker-compose build
-        nb=$(docker-compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
+        expected=19
+        docker compose build
+        nb=$(docker compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
        if [ "$nb" -ne "$expected" ]; then
          echo "Invalid number of CVEs reported: $nb instead of $expected"
          exit 1
@ -45,7 +45,7 @@ jobs:
        fi
    - name: check docker run execution
      run: |
-        expected=17
+        expected=19
        docker build -t spectre-meltdown-checker .
        nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
        if [ "$nb" -ne "$expected" ]; then
--- a/README.md
+++ b/README.md
@ -21,7 +21,9 @@ CVE
 [CVE-2018-12207](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207) | Machine Check Exception on Page Size Changes        | MCEPSC, No eXcuses, iTLB Multihit
 [CVE-2020-0543](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0543)   | Special Register Buffer Data Sampling               | SRBDS
 [CVE-2022-40982](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40982) | Gather Data Sampling                                | GDS, Downfall
+[CVE-2023-20569](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20569) | Return Address Security                             | Inception, RAS, SRSO
 [CVE-2023-20593](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20593) | Cross-Process Information Leak                      | Zenbleed
+[CVE-2023-23583](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23583) | Redundant Prefix issue                              | Reptar

 Supported operating systems:
 - Linux (all versions, flavors and distros)
@ -74,10 +76,13 @@ sudo ./spectre-meltdown-checker.sh
 #### With docker-compose

 ```shell
-docker-compose build
-docker-compose run --rm spectre-meltdown-checker
+docker compose build
+docker compose run --rm spectre-meltdown-checker
 ```

+Note that on older versions of docker, `docker-compose` is a separate command, so you might
+need to replace the two `docker compose` occurences above by `docker-compose`.
+
 #### Without docker-compose

 ```shell
@ -187,8 +192,20 @@ docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/m
   - Mitigation: either microcode update or disabling AVX feature
   - Performance impact of the mitigation: TBD

+**CVE-2023-20569** Return Address Security (Inception)
+
+   - Impact: Kernel & all software
+   - Mitigation: updated kernel & microcode
+   - Performance impact of the mitigation: low to significant depending on the mitigation
+
 **CVE-2023-20593** Cross-Process Information Leak (Zenbleed)

   - Impact: Kernel & all software
   - Mitigation: either kernel mitigation by disabling a CPU optimization through an MSR bit, or CPU microcode mitigation
   - Performance impact of the mitigation: TBD
+
+**CVE-2023-23583** Redundant Prefix issue (Reptar)
+
+   - Impact: All software
+   - Mitigation: microcode update for the affected CPU
+   - Performance impact of the mitigation: low
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -1,5 +1,3 @@
-version: '2'
-
 services:
  spectre-meltdown-checker:
    build:
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
Author	SHA1	Message	Date
Stéphane Lesimple	34c6095912	fix: Linux 6.9+ changed some config options names (#490 ) Issue #490 is about retpoline but other options have also changed, as reported by a comment on the issue, this commit fixes these other options: Breno Leitao (10): x86/bugs: Rename CONFIG_GDS_FORCE_MITIGATION => CONFIG_MITIGATION_GDS_FORCE x86/bugs: Rename CONFIG_CPU_IBPB_ENTRY => CONFIG_MITIGATION_IBPB_ENTRY x86/bugs: Rename CONFIG_CALL_DEPTH_TRACKING => CONFIG_MITIGATION_CALL_DEPTH_TRACKING x86/bugs: Rename CONFIG_PAGE_TABLE_ISOLATION => CONFIG_MITIGATION_PAGE_TABLE_ISOLATION x86/bugs: Rename CONFIG_RETPOLINE => CONFIG_MITIGATION_RETPOLINE x86/bugs: Rename CONFIG_SLS => CONFIG_MITIGATION_SLS x86/bugs: Rename CONFIG_CPU_UNRET_ENTRY => CONFIG_MITIGATION_UNRET_ENTRY x86/bugs: Rename CONFIG_CPU_IBRS_ENTRY => CONFIG_MITIGATION_IBRS_ENTRY x86/bugs: Rename CONFIG_CPU_SRSO => CONFIG_MITIGATION_SRSO x86/bugs: Rename CONFIG_RETHUNK => CONFIG_MITIGATION_RETHUNK	2024-08-04 15:15:45 +02:00
Stéphane Lesimple	e806e4bc41	chore: docker compose v2 The `docker-compose` command has been replaced by `docker compose`. The "version" tag has also been deprecated in docker-compose.yml.	2024-08-04 13:53:36 +02:00
Ivan Zahariev	388d44edbd	Fix Retpoline detection for Linux 6.9+ (issue #490 )	2024-08-04 13:41:01 +02:00
Stéphane Lesimple	bd0c7c94b5	fix: typo introduced by #483 , fixes #486	2024-05-18 13:01:48 +02:00
Stéphane Lesimple	d70e4c2974	fwdb: update to v296+i20240514+988c	2024-05-18 13:01:48 +02:00
Stéphane Lesimple	4e29fb5a21	fix: ucode_platformid_mask is hexa (fixes #485 )	2024-02-15 17:27:12 +01:00
Stephane Lesimple	0f2edb1a71	feat: blacklist some more microcodes (fixes #475 )	2024-01-09 18:54:39 +01:00
Stephane Lesimple	8ac2539a2a	fix: microcode check now supports pf_mask (fixes #482 )	2024-01-09 17:05:18 +01:00
Stéphane Lesimple	97f4d5f2bc	feat(reptar): add detection and mitigation of Reptar	2024-01-09 15:38:16 +01:00
Stéphane Lesimple	9b7b09ada3	fix(inception): continued mitigation detection	2023-08-25 18:50:53 +02:00
Sébastien Mériot	c94811e63d	fix(inception): Zen1/2 results based on kernel mitigations	2023-08-25 18:50:53 +02:00
Sébastien Mériot	3e67047c73	feat(inception): README	2023-08-25 18:50:53 +02:00
Sébastien Mériot	ecee75716e	feat(inception): kernel checks + sbpb support detection	2023-08-25 18:50:53 +02:00
Sébastien Mériot	fb6933dc64	feat(inception): Zen1/2 IBPB and SMT checks	2023-08-25 18:50:53 +02:00
Stéphane Lesimple	dc6921a1ac	feat(inception): handle sysfs interface	2023-08-25 18:50:53 +02:00
Sébastien Mériot	3167762cfd	feat(inception): start supporting AMD inception	2023-08-25 18:50:53 +02:00
Stéphane Lesimple	44223c5308	fix: bsd: kernel version detection	2023-08-11 18:41:35 +02:00
Stéphane Lesimple	dbe208fc48	enh: downfall: detect kernel mitigation without sysfs	2023-08-11 18:10:27 +02:00
Stéphane Lesimple	aca4e2a9b1	enh: move root warning to the bottom	2023-08-11 18:10:27 +02:00