detect kpti directly in vmlinux if option is not there

update readme
add couple missing elses
2025-07-15 23:31:22 +02:00 · 2018-01-07 22:47:41 +01:00 · 2018-01-07 20:13:10 +01:00 · 2018-01-07 18:49:15 +01:00 · 2018-01-07 18:36:56 +01:00 · 2018-01-07 18:14:08 +01:00
2 changed files with 69 additions and 34 deletions
--- a/README.md
+++ b/README.md
@ -28,24 +28,24 @@ Example of the output of the script:
 ```
 $ sudo ./spectre-meltdown-checker.sh
-Spectre and Meltdown mitigation detection tool v0.02
+Spectre and Meltdown mitigation detection tool v0.07
 CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
-* Kernel compiled with LFENCE opcode inserted at the proper places: NO (only 38 opcodes found, should be >= 60)
+* Kernel compiled with LFENCE opcode inserted at the proper places:  NO  (only 38 opcodes found, should be >= 60)
-> STATUS: VULNERABLE
+> STATUS:  VULNERABLE
 CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
 * Mitigation 1
-*   Hardware (CPU microcode) support for mitigation: NO
+*   Hardware (CPU microcode) support for mitigation:  NO
-*   Kernel support for IBRS: NO
+*   Kernel support for IBRS:  NO
-*   IBRS enabled for Kernel space: NO
+*   IBRS enabled for Kernel space:  NO
-*   IBRS enabled for User space: NO
+*   IBRS enabled for User space:  NO
 * Mitigation 2
-*   Kernel recompiled with retpolines: UNKNOWN (check not yet implemented)
+*   Kernel compiled with retpolines:  NO
-> STATUS: VULNERABLE (IBRS hardware + kernel support OR retpolines-compiled kernel are needed to mitigate the vulnerability)
+> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpolines are needed to mitigate the vulnerability)
 CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
-* Kernel supports Page Table Isolation (PTI): YES
+* Kernel supports Page Table Isolation (PTI):  YES
-* PTI enabled and active: YES
+* PTI enabled and active:  YES
-> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
+> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)
 ```
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
@ -1,7 +1,7 @@
 #! /bin/sh
 # Spectre & Meltdown checker
 # Stephane Lesimple
-VERSION=0.02
+VERSION=0.08
 pstatus()
 {
@ -11,7 +11,7 @@ pstatus()
 		yellow) col="\033[103m\033[30m";;
 		*)      col="";;
 	esac
-	/bin/echo -ne "$col$2\033[0m"
+	/bin/echo -ne "$col $2 \033[0m"
 	[ -n "$3" ] && /bin/echo -n " ($3)"
 	/bin/echo
 }
@ -73,22 +73,29 @@ extract_vmlinux()
 /bin/echo -e "\033[1;34mCVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'\033[0m"
 /bin/echo -n "* Kernel compiled with LFENCE opcode inserted at the proper places: "
 vmlinux=$(extract_vmlinux /boot/vmlinuz-4.4.110)
 status=0
-if [ -z "$vmlinux" -o ! -r "$vmlinux" ]; then
+img=''
-	pstatus yellow UNKNOWN "couldn't extract your kernel"
+[ -e /boot/vmlinuz-$(uname -r) ] && img=/boot/vmlinuz-$(uname -r)
-elif ! which objdump >/dev/null 2>&1; then
+[ -e /boot/vmlinux-$(uname -r) ] && img=/boot/vmlinux-$(uname -r)
-	pstatus yellow UNKNOWN "missing 'objdump' tool, please install it, usually it's in the binutils package"
+[ -e /boot/bzImage-$(uname -r) ] && img=/boot/bzImage-$(uname -r)
 if [ -z "$img" ]; then
 	pstatus yellow UNKNOWN "couldn't find your kernel image in /boot"
 else
-	nb_lfence=$(objdump -D "$vmlinux" | grep -wc lfence)
+	vmlinux=$(extract_vmlinux $img)
-	if [ "$nb_lfence" -lt 60 ]; then
+	if [ -z "$vmlinux" -o ! -r "$vmlinux" ]; then
-		pstatus red NO "only $nb_lfence opcodes found, should be >= 60"
+		pstatus yellow UNKNOWN "couldn't extract your kernel"
-		status=1
+	elif ! which objdump >/dev/null 2>&1; then
 		pstatus yellow UNKNOWN "missing 'objdump' tool, please install it, usually it's in the binutils package"
 	else
-		pstatus green YES "$nb_lfence opcodes found, which is >= 60"
+		nb_lfence=$(objdump -D "$vmlinux" | grep -wc lfence)
-		status=2
+		if [ "$nb_lfence" -lt 60 ]; then
 			pstatus red NO "only $nb_lfence opcodes found, should be >= 60"
 			status=1
 		else
 			pstatus green YES "$nb_lfence opcodes found, which is >= 60"
 			status=2
 		fi
 	fi
 	rm -f $vmlinux
 fi
 /bin/echo -ne "> \033[46m\033[30mSTATUS:\033[0m "
@ -108,14 +115,13 @@ fi
 if [ ! -e /dev/cpu/0/msr ]; then
 	pstatus yellow UNKNOWN "couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?"
 else
-	dd if=/dev/cpu/0/msr of=/dev/null bs=1 count=8 skip=72 2>/dev/null
+	# same that rdmsr 0x48 but without needing the rdmsr tool
 	dd if=/dev/cpu/0/msr of=/dev/null bs=8 count=1 skip=9 2>/dev/null
 	if [ $? -eq 0 ]; then
 		pstatus green YES
 	else
 		pstatus red NO
 	fi
 	#dd if=/dev/cpu/0/msr of=/dev/null bs=1 count=8 skip=73 2>/dev/null
 	#/bin/echo $?
 fi
 if [ "$insmod_msr" = 1 ]; then
@ -155,16 +161,35 @@ if [ "$mounted_debugfs" = 1 ]; then
 fi
 /bin/echo "* Mitigation 2"
-/bin/echo -n "*   Kernel recompiled with retpolines: "
+/bin/echo -n "*   Kernel compiled with retpolines: "
-pstatus yellow UNKNOWN "check not yet implemented"
+# XXX this doesn't mean the kernel has been compiled with a retpoline-aware gcc
 if [ -e /proc/config.gz ]; then
 	if zgrep -q '^CONFIG_RETPOLINE=y' /proc/config.gz; then
 		pstatus green YES
 		retpoline=1
 	else
 		pstatus red NO
 	fi
 elif [ -e /boot/config-$(uname -r) ]; then
 	if grep  -q '^CONFIG_RETPOLINE=y' /boot/config-$(uname -r); then
 		pstatus green YES
 		retpoline=1
 	else
 		pstatus red NO
 	fi
 else
 	pstatus yellow UNKNOWN "couldn't read your kernel configuration"
 fi
 /bin/echo -ne "> \033[46m\033[30mSTATUS:\033[0m "
 if grep -q AMD /proc/cpuinfo; then
 	pstatus green "NOT VULNERABLE" "your CPU is not vulnerable as per the vendor"
 elif [ "$ibrs_enabled" = 1 -o "$ibrs_enabled" = 2 ]; then
 	pstatus green "NOT VULNERABLE" "IBRS mitigates the vulnerability"
 elif [ "$retpoline" = 1 ]; then
 	pstatus green "NOT VULNERABLE" "retpolines mitigate the vulnerability"
 else
-	pstatus red VULNERABLE "IBRS hardware + kernel support OR retpolines-compiled kernel are needed to mitigate the vulnerability"
+	pstatus red VULNERABLE "IBRS hardware + kernel support OR kernel with retpolines are needed to mitigate the vulnerability"
 fi
 # MELTDOWN
@ -192,15 +217,23 @@ elif [ -e /boot/System.map-$(uname -r) ]; then
 	else
 		pstatus red NO
 	fi
 elif [ -n "$vmlinux" ]; then
 	# some backports don't have the option but still have the patch, try to find out
 	if strings "$vmlinux" | grep -qw nopti; then
 		pstatus green YES
 		kpti_support=1
 	else
 		pstatus red NO
 	fi
 else
-	pstatus yellow UNKNOWN
+	pstatus yellow UNKNOWN "couldn't read your kernel configuration"
 fi
 /bin/echo -n "* PTI enabled and active: "
 if grep ^flags /proc/cpuinfo | grep -qw pti; then
 	pstatus green YES
 	kpti_enabled=1
-elif dmesg | grep -q 'Kernel/User page tables isolation: enabled'; then
+elif dmesg | grep -Eq 'Kernel/User page tables isolation: enabled|Kernel page table isolation enabled'; then
 	pstatus green YES
 	kpti_enabled=1
 else
@ -223,3 +256,5 @@ if [ "$USER" != root ]; then
 	/bin/echo "You can try the following command: sudo $0"
 fi
 [ -n "$vmlinux" ] && rm -f "$vmlinux"
Author	SHA1	Message	Date
Stéphane Lesimple	05c79425ab	detect kpti directly in vmlinux if option is not there	2018-01-07 22:47:41 +01:00
Stéphane Lesimple	9def0c949a	update readme	2018-01-07 20:13:10 +01:00
Stéphane Lesimple	64eb1d005c	add couple missing elses	2018-01-07 18:49:15 +01:00
Stéphane Lesimple	bffda8b3e7	remove dependency on rdmsr	2018-01-07 18:36:56 +01:00
Stéphane Lesimple	13f2133a97	cosmetic fix	2018-01-07 18:14:08 +01:00
Stéphane Lesimple	8c2fd0f0bb	fix MSR reading, need rdmsr for now	2018-01-07 18:13:25 +01:00
Stéphane Lesimple	761c2b80e4	cosmetic fix	2018-01-07 17:19:37 +01:00
Stéphane Lesimple	d6977928e5	msg fix	2018-01-07 17:15:08 +01:00
Stéphane Lesimple	bd4c74331e	add retpolines check	2018-01-07 16:57:14 +01:00
Stéphane Lesimple	82972f8790	fix status unknown for variant 1	2018-01-07 16:32:34 +01:00
Stéphane Lesimple	30de4f6336	remove hardcoded kernel image path	2018-01-07 16:25:50 +01:00