feat(inception): README

feat(inception): kernel checks + sbpb support detection
feat(inception): Zen1/2 IBPB and SMT checks
2025-12-15 07:13:53 +01:00 · 2023-08-14 16:43:10 +00:00 · 2023-08-14 16:37:51 +00:00 · 2023-08-14 09:34:48 +00:00 · 2023-08-12 12:19:05 +02:00 · 2023-08-11 17:21:01 +00:00
3 changed files with 195 additions and 28 deletions
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -24,7 +24,7 @@ jobs:
        fi
    - name: check direct execution
      run: |
-        expected=17
+        expected=18
        nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l)
        if [ "$nb" -ne "$expected" ]; then
          echo "Invalid number of CVEs reported: $nb instead of $expected"
@@ -34,7 +34,7 @@ jobs:
        fi
    - name: check docker-compose run execution
      run: |
-        expected=17
+        expected=18
        docker-compose build
        nb=$(docker-compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
        if [ "$nb" -ne "$expected" ]; then
@@ -45,7 +45,7 @@ jobs:
        fi
    - name: check docker run execution
      run: |
-        expected=17
+        expected=18
        docker build -t spectre-meltdown-checker .
        nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
        if [ "$nb" -ne "$expected" ]; then
--- a/README.md
+++ b/README.md
@@ -21,6 +21,7 @@ CVE
 [CVE-2018-12207](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207) | Machine Check Exception on Page Size Changes        | MCEPSC, No eXcuses, iTLB Multihit
 [CVE-2020-0543](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0543)   | Special Register Buffer Data Sampling               | SRBDS
 [CVE-2022-40982](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40982) | Gather Data Sampling                                | GDS, Downfall
+[CVE-2023-20569](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20569) | Return Address Security                             | Inception, RAS, SRSO
 [CVE-2023-20593](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20593) | Cross-Process Information Leak                      | Zenbleed

 Supported operating systems:
@@ -187,6 +188,12 @@ docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/m
   - Mitigation: either microcode update or disabling AVX feature
   - Performance impact of the mitigation: TBD

+**CVE-2023-20569** Return Address Security (Inception)
+
+   - Impact: Kernel & all software
+   - Mitigation: updated kernel & microcode
+   - Performance impact of the mitigation: low to significant depending on the mitigation
+
 **CVE-2023-20593** Cross-Process Information Leak (Zenbleed)

   - Impact: Kernel & all software
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
@@ -177,7 +177,7 @@ global_critical=0
 global_unknown=0
 nrpe_vuln=''

-supported_cve_list='CVE-2017-5753 CVE-2017-5715 CVE-2017-5754 CVE-2018-3640 CVE-2018-3639 CVE-2018-3615 CVE-2018-3620 CVE-2018-3646 CVE-2018-12126 CVE-2018-12130 CVE-2018-12127 CVE-2019-11091 CVE-2019-11135 CVE-2018-12207 CVE-2020-0543 CVE-2023-20593 CVE-2022-40982'
+supported_cve_list='CVE-2017-5753 CVE-2017-5715 CVE-2017-5754 CVE-2018-3640 CVE-2018-3639 CVE-2018-3615 CVE-2018-3620 CVE-2018-3646 CVE-2018-12126 CVE-2018-12130 CVE-2018-12127 CVE-2019-11091 CVE-2019-11135 CVE-2018-12207 CVE-2020-0543 CVE-2023-20593 CVE-2022-40982 CVE-2023-20569'

 # find a sane command to print colored messages, we prefer `printf` over `echo`
 # because `printf` behavior is more standard across Linux/BSD
@@ -304,6 +304,7 @@ cve2name()
 		CVE-2020-0543) echo "Special Register Buffer Data Sampling (SRBDS)";;
 		CVE-2023-20593) echo "Zenbleed, cross-process information leak";;
 		CVE-2022-40982) echo "Downfall, gather data sampling (GDS)";;
+		CVE-2023-20569) echo "Inception, return address security (RAS)";;
 		*) echo "$0: error: invalid CVE '$1' passed to cve2name()" >&2; exit 255;;
 	esac
 }
@@ -330,6 +331,7 @@ _is_cpu_affected_cached()
 		CVE-2020-0543) return $variant_srbds;;
 		CVE-2023-20593) return $variant_zenbleed;;
 		CVE-2022-40982) return $variant_downfall;;
+		CVE-2023-20569) return $variant_inception;;
 		*) echo "$0: error: invalid variant '$1' passed to is_cpu_affected()" >&2; exit 255;;
 	esac
 }
@@ -397,8 +399,9 @@ is_cpu_affected()
 	variant_taa=''
 	variant_itlbmh=''
 	variant_srbds=''
-	# Zenbleed is AMD specific, look for "is_amd" below:
+	# Zenbleed and Inception are both AMD specific, look for "is_amd" below:
 	variant_zenbleed=immune
+	variant_inception=immune
 	# Downfall is Intel specific, look for "is_intel" below:
 	variant_downfall=immune

@@ -560,6 +563,12 @@ is_cpu_affected()
 		amd_legacy_erratum "$(amd_model_range 0x17 0x30 0x0 0x4f 0xf)" && variant_zenbleed=vuln
 		amd_legacy_erratum "$(amd_model_range 0x17 0x60 0x0 0x7f 0xf)" && variant_zenbleed=vuln
 		amd_legacy_erratum "$(amd_model_range 0x17 0xa0 0x0 0xaf 0xf)" && variant_zenbleed=vuln
+
+		# Inception (according to kernel, zen 1 to 4)
+		if [ "$cpu_family" = $(( 0x17 )) ] || [ "$cpu_family" = $(( 0x19 )) ]; then
+			variant_inception=vuln
+		fi
+
 	elif [ "$cpu_vendor" = CAVIUM ]; then
 		variant3=immune
 		variant3a=immune
@@ -702,21 +711,22 @@ is_cpu_affected()
 	fi

 	_debug "is_cpu_affected: temp results are <$variant1> <$variant2> <$variant3> <$variant3a> <$variant4> <$variantl1tf>"
-	[ "$variant1"         = "immune" ] && variant1=1       || variant1=0
-	[ "$variant2"         = "immune" ] && variant2=1       || variant2=0
-	[ "$variant3"         = "immune" ] && variant3=1       || variant3=0
-	[ "$variant3a"        = "immune" ] && variant3a=1      || variant3a=0
-	[ "$variant4"         = "immune" ] && variant4=1       || variant4=0
-	[ "$variantl1tf"      = "immune" ] && variantl1tf=1    || variantl1tf=0
-	[ "$variant_msbds"    = "immune" ] && variant_msbds=1  || variant_msbds=0
-	[ "$variant_mfbds"    = "immune" ] && variant_mfbds=1  || variant_mfbds=0
-	[ "$variant_mlpds"    = "immune" ] && variant_mlpds=1  || variant_mlpds=0
-	[ "$variant_mdsum"    = "immune" ] && variant_mdsum=1  || variant_mdsum=0
-	[ "$variant_taa"      = "immune" ] && variant_taa=1    || variant_taa=0
-	[ "$variant_itlbmh"   = "immune" ] && variant_itlbmh=1 || variant_itlbmh=0
-	[ "$variant_srbds"    = "immune" ] && variant_srbds=1 || variant_srbds=0
-	[ "$variant_zenbleed" = "immune" ] && variant_zenbleed=1 || variant_zenbleed=0
-	[ "$variant_downfall" = "immune" ] && variant_downfall=1 || variant_downfall=0
+	[ "$variant1"          = "immune" ] && variant1=1       || variant1=0
+	[ "$variant2"          = "immune" ] && variant2=1       || variant2=0
+	[ "$variant3"          = "immune" ] && variant3=1       || variant3=0
+	[ "$variant3a"         = "immune" ] && variant3a=1      || variant3a=0
+	[ "$variant4"          = "immune" ] && variant4=1       || variant4=0
+	[ "$variantl1tf"       = "immune" ] && variantl1tf=1    || variantl1tf=0
+	[ "$variant_msbds"     = "immune" ] && variant_msbds=1  || variant_msbds=0
+	[ "$variant_mfbds"     = "immune" ] && variant_mfbds=1  || variant_mfbds=0
+	[ "$variant_mlpds"     = "immune" ] && variant_mlpds=1  || variant_mlpds=0
+	[ "$variant_mdsum"     = "immune" ] && variant_mdsum=1  || variant_mdsum=0
+	[ "$variant_taa"       = "immune" ] && variant_taa=1    || variant_taa=0
+	[ "$variant_itlbmh"    = "immune" ] && variant_itlbmh=1 || variant_itlbmh=0
+	[ "$variant_srbds"     = "immune" ] && variant_srbds=1  || variant_srbds=0
+	[ "$variant_zenbleed"  = "immune" ] && variant_zenbleed=1  || variant_zenbleed=0
+	[ "$variant_downfall"  = "immune" ] && variant_downfall=1  || variant_downfall=0
+	[ "$variant_inception" = "immune" ] && variant_inception=1 || variant_inception=0
 	variantl1tf_sgx="$variantl1tf"
 	# even if we are affected to L1TF, if there's no SGX, we're not affected to the original foreshadow
 	[ "$cpuid_sgx" = 0 ] && variantl1tf_sgx=1
@@ -1291,7 +1301,7 @@ while [ -n "${1:-}" ]; do
 		fi
 		case "$2" in
 			help)	echo "The following parameters are supported for --variant (can be used multiple times):";
-					echo "1, 2, 3, 3a, 4, msbds, mfbds, mlpds, mdsum, l1tf, taa, mcepsc, srbds, zenbleed, downfall";
+					echo "1, 2, 3, 3a, 4, msbds, mfbds, mlpds, mdsum, l1tf, taa, mcepsc, srbds, zenbleed, downfall, inception";
 					exit 0;;
 			1)			opt_cve_list="$opt_cve_list CVE-2017-5753"; opt_cve_all=0;;
 			2)			opt_cve_list="$opt_cve_list CVE-2017-5715"; opt_cve_all=0;;
@@ -1308,6 +1318,7 @@ while [ -n "${1:-}" ]; do
 			srbds)		opt_cve_list="$opt_cve_list CVE-2020-0543"; opt_cve_all=0;;
 			zenbleed)	opt_cve_list="$opt_cve_list CVE-2023-20593"; opt_cve_all=0;;
 			downfall)   opt_cve_list="$opt_cve_list CVE-2022-40982"; opt_cve_all=0;;
+			inception)  opt_cve_list="$opt_cve_list CVE-2023-20569"; opt_cve_all=0;;
 			*)
 				echo "$0: error: invalid parameter '$2' for --variant, see --variant help for a list" >&2;
 				exit 255
@@ -1402,6 +1413,7 @@ pvulnstatus()
 			CVE-2020-0543) aka="SRBDS";;
 			CVE-2023-20593) aka="ZENBLEED";;
 			CVE-2022-40982) aka="DOWNFALL";;
+			CVE-2023-20569) aka="INCEPTION";;
 			*) echo "$0: error: invalid CVE '$1' passed to pvulnstatus()" >&2; exit 255;;
 		esac

@@ -2692,7 +2704,8 @@ sys_interface_check()

 # write_msr
 # param1 (mandatory): MSR, can be in hex or decimal.
-# param2 (optional): CPU index, starting from 0. Default 0.
+# param2 (optional): value to write, can be in hex or decimal.
+# param3 (optional): CPU index, starting from 0. Default 0.
 WRITE_MSR_RET_OK=0
 WRITE_MSR_RET_KO=1
 WRITE_MSR_RET_ERR=2
@@ -2728,6 +2741,8 @@ write_msr_one_core()
 	_core="$1"
 	_msr_dec=$(( $2 ))
 	_msr=$(printf "0x%x" "$_msr_dec")
+	_value_dec=$(( $3 ))
+	_value=$(printf "0x%x" "$_value_dec")

 	write_msr_msg='unknown error'
 	: "${msr_locked_down:=0}"
@@ -2752,7 +2767,7 @@ write_msr_one_core()

 	_write_denied=0
 	if [ "$os" != Linux ]; then
-		cpucontrol -m "$_msr=0" "/dev/cpuctl$_core" >/dev/null 2>&1; ret=$?
+		cpucontrol -m "$_msr=$_value" "/dev/cpuctl$_core" >/dev/null 2>&1; ret=$?
 	else
 		# for Linux
 		# convert to decimal
@@ -2762,16 +2777,16 @@ write_msr_one_core()
 		# if wrmsr is available, use it
 		elif command -v wrmsr >/dev/null 2>&1 && [ "${SMC_NO_WRMSR:-}" != 1 ]; then
 			_debug "write_msr: using wrmsr"
-			wrmsr $_msr_dec 0 2>/dev/null; ret=$?
+			wrmsr $_msr_dec $_value_dec 2>/dev/null; ret=$?
 			# ret=4: msr doesn't exist, ret=127: msr.allow_writes=off
 			[ "$ret" = 127 ] && _write_denied=1
 		# or fallback to dd if it supports seek_bytes, we prefer it over perl because we can tell the difference between EPERM and EIO
 		elif dd if=/dev/null of=/dev/null bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}" != 1 ]; then
 			_debug "write_msr: using dd"
-			dd if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$?
+			awk "BEGIN{printf \"\%c\", $_value_dec}" | dd of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$?
 			# if it failed, inspect stderrto look for EPERM
 			if [ "$ret" != 0 ]; then
-				if dd if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>&1 | grep -qF 'Operation not permitted'; then
+				if aws "BEGIN{printf \"%c\", $_value_dec}" | dd of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>&1 | grep -qF 'Operation not permitted'; then
 					_write_denied=1
 				fi
 			fi
@@ -2779,7 +2794,7 @@ write_msr_one_core()
 		elif command -v perl >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then
 			_debug "write_msr: using perl"
 			ret=1
-			perl -e "open(M,'>','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and exit(syswrite(M,pack('H16',0)))"; [ $? -eq 8 ] && ret=0
+			perl -e "open(M,'>','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and exit(syswrite(M,pack(v4,$_value_dec)))"; [ $? -eq 8 ] && ret=0
 		else
 			_debug "write_msr: got no wrmsr, perl or recent enough dd!"
 			mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_ERR")
@@ -2824,7 +2839,7 @@ write_msr_one_core()
 	else
 		ret=$WRITE_MSR_RET_KO
 	fi
-	_debug "write_msr: for cpu $_core on msr $_msr, ret=$ret"
+	_debug "write_msr: for cpu $_core on msr $_msr, value=$_value, ret=$ret"
 	mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$ret")
 	return $ret
 }
@@ -3518,6 +3533,28 @@ check_cpu()

 	fi

+	if is_amd || is_hygon; then
+		_info "  * Selective Branch Predictor Barrier (SBPB)"
+		_info_nol "    * PRED_CMD MSR is available: "
+
+		if [ "$opt_allow_msr_write" = 1 ]; then
+			# the MSR PRED_SBPB is at offset 0x49, BIT(7), write-only
+			write_msr 0x49 128; ret=$?
+			if [ $ret = $WRITE_MSR_RET_OK ]; then
+				pstatus green YES
+				cpuid_sbpb=1
+			elif [ $ret = $WRITE_MSR_RET_KO ]; then
+				pstatus yellow NO
+			else
+				pstatus yellow UNKNOWN "$write_msr_msg"
+				cpuid_sbpb=3
+			fi
+		else
+			pstatus yellow UNKNOWN "not allowed to write msr"
+			cpuid_sbpb=3
+		fi
+	fi
+
 	_info_nol "  * CPU supports Transactional Synchronization Extensions (TSX): "
 	ret=$READ_CPUID_RET_KO
 	cpuid_rtm=0
@@ -6283,6 +6320,129 @@ check_CVE_2022_40982_linux() {
 	fi
 }

+#######################
+# Inception section
+
+check_CVE_2023_20569() {
+	cve='CVE-2023-20569'
+	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+	if [ "$os" = Linux ]
+	then
+		check_CVE_2023_20569_linux
+	else
+		_warn "Unsupported OS ($os)."
+	fi
+}
+
+check_CVE_2023_20569_linux() {
+	status=UNK
+	sys_interface_available=0
+	msg=''
+
+	if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow"; then
+		# this kernel has the /sys interface, trust it over everything
+		sys_interface_available=1
+	fi
+
+	if [ "$opt_sysfs_only" != 1 ]; then
+		_info_nol "* Kernel supports mitigation: "
+		if [ -n "$kernel_err" ]; then
+			kernel_sro_err="$kernel_err"
+		elif grep -q 'spec_rstack_overflow' "$kernel"; then
+			kernel_sro="found spec_rstack_overflow in kernel image"
+		fi
+		if [ -n "$kernel_sro" ]; then
+			pstatus green YES "$kernel_sro"
+		elif [ -n "$kernel_sro_err" ]; then
+			pstatus yellow UNKNOWN "$kernel_sro_err"
+		else
+			pstatus yellow NO
+		fi
+
+		_info_nol "* Kernel compiled with SRSO support "
+		if [ -r "$opt_config" ]; then
+			if grep -q '^CONFIG_CPU_SRSO=y' "$opt_config"; then
+				pstatus green YES
+			else
+				pstatus yellow NO "required for safe RET and ibpb_on_vmexit mitigations"
+			fi
+		else
+			pstatus yellow UNKNOWN "couldn't read your kernel configuration"
+		fi
+
+		_info_nol "* Kernel compiled with IBPB support "
+		if [ -r "$opt_config" ]; then
+			if grep -q '^CONFIG_CPU_IBPB_ENTRY=y' "$opt_config"; then
+				pstatus green YES
+			else
+				pstatus yellow NO "required for ibpb mitigation"
+			fi
+		else
+			pstatus yellow UNKNOWN "couldn't read your kernel configuration"
+		fi
+
+		if [ -n "$kernel_sro" ]; then	
+
+			# TODO check mitigation
+			:
+		fi
+
+		# Zen & Zen2 : if the right IBPB microcode applied + SMT off --> not vuln
+		if [ "$cpu_family" = $(( 0x17 )) ]; then
+			_info_nol "  * IBPB support: "
+			if [ -n "$cpuid_ibpb" ]; then
+				pstatus green YES "$cpuid_ibpb"
+			else
+				pstatus red NO
+			fi
+
+			_info_nol "  * SMT is enabled: "
+			is_cpu_smt_enabled; smt_enabled=$?
+			if [ "$smt_enabled" = 0 ]; then
+				pstatus red YES
+			else
+				pstatus green NO
+			fi
+		# Zen 3/4 microcode brings SBPB mitigation
+		elif [ "$cpu_family" = $(( 0x19 )) ]; then
+			_info_nol "* CPU supports SBPB: "
+			if [ "$cpuid_sbpb" = 1 ]; then
+				pstatus green YES
+			elif [ "$cpuid_sbpb" = 3 ]; then
+				pstatus yellow UNKNOWN "cannot write MSR"
+			else
+				pstatus yellow NO
+			fi
+		fi
+
+	elif [ "$sys_interface_available" = 0 ]; then
+		# we have no sysfs but were asked to use it only!
+		msg="/sys vulnerability interface use forced, but it's not available!"
+		status=UNK
+	fi
+
+	if ! is_cpu_affected "$cve" ; then
+		# override status & msg in case CPU is not vulnerable after all
+		pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+	elif [ "$cpu_family" = $(( 0x17 )) ]; then
+		if [ "$smt_enabled" = 1 ] && [ -n "$cpuid_ibpb" ]; then
+			pvulnstatus "$cve" OK "IBPB supported and SMT is off"
+		elif [ "$smt_enabled" != 1 ] && [ -n "$cpuid_ibpb" ]; then
+			pvulnstatus "$cve" VULN "SMT is enabled"
+		elif [ "$smt_enabled" = 1 ]; then
+			pvulnstatus "$cve" VULN "IBPB is not supported by your current microcode"
+		else
+			pvulnstatus "$cve" VULN "SMT is enabled and IBPB is not support by your current microcode"
+		fi
+		explain "Zen1/2 with SMT off aren't vulnerable after the right IBPB microcode has been applied. (https://github.com/torvalds/linux/commit/138bcddb86d8a4f842e4ed6f0585abc9b1a764ff#diff-17bd24a7a7850613cced545790ac30646097e8d6207348c2bd1845f397acb390R2272)"
+	elif [ -z "$msg" ]; then
+		# if msg is empty, sysfs check didn't fill it. If the kernel does not bring the mitigation, system vuln.
+		pvulnstatus $cve VULN "upgrade your kernel"
+	else
+		pvulnstatus $cve "$status" "$msg"
+	fi
+}
+
 #######################
 # END OF VULNS SECTIONS
Author	SHA1	Message	Date
Sébastien Mériot	a55378d439	feat(inception): README	2023-08-14 16:43:10 +00:00
Sébastien Mériot	637de90bd9	feat(inception): kernel checks + sbpb support detection	2023-08-14 16:37:51 +00:00
Sébastien Mériot	0b70d8da79	feat(inception): Zen1/2 IBPB and SMT checks	2023-08-14 09:34:48 +00:00
Stéphane Lesimple	23f720cc82	feat(inception): handle sysfs interface	2023-08-12 12:19:05 +02:00
Sébastien Mériot	444876f8ec	feat(inception): start supporting AMD inception	2023-08-11 17:21:01 +00:00