mirror of
https://github.com/speed47/spectre-meltdown-checker.git
synced 2025-07-15 15:21:23 +02:00
Compare commits
11 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 96dfa03c00 | |||
| 05c79425ab | |||
| 9def0c949a | |||
| 64eb1d005c | |||
| bffda8b3e7 | |||
| 13f2133a97 | |||
| 8c2fd0f0bb | |||
| 761c2b80e4 | |||
| d6977928e5 | |||
| bd4c74331e | |||
| 82972f8790 |
24
README.md
24
README.md
@ -28,24 +28,24 @@ Example of the output of the script:
|
||||
|
||||
```
|
||||
$ sudo ./spectre-meltdown-checker.sh
|
||||
Spectre and Meltdown mitigation detection tool v0.02
|
||||
Spectre and Meltdown mitigation detection tool v0.07
|
||||
|
||||
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
|
||||
* Kernel compiled with LFENCE opcode inserted at the proper places: NO (only 38 opcodes found, should be >= 60)
|
||||
> STATUS: VULNERABLE
|
||||
* Kernel compiled with LFENCE opcode inserted at the proper places: NO (only 38 opcodes found, should be >= 60)
|
||||
> STATUS: VULNERABLE
|
||||
|
||||
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
|
||||
* Mitigation 1
|
||||
* Hardware (CPU microcode) support for mitigation: NO
|
||||
* Kernel support for IBRS: NO
|
||||
* IBRS enabled for Kernel space: NO
|
||||
* IBRS enabled for User space: NO
|
||||
* Hardware (CPU microcode) support for mitigation: NO
|
||||
* Kernel support for IBRS: NO
|
||||
* IBRS enabled for Kernel space: NO
|
||||
* IBRS enabled for User space: NO
|
||||
* Mitigation 2
|
||||
* Kernel recompiled with retpolines: UNKNOWN (check not yet implemented)
|
||||
> STATUS: VULNERABLE (IBRS hardware + kernel support OR retpolines-compiled kernel are needed to mitigate the vulnerability)
|
||||
* Kernel compiled with retpolines: NO
|
||||
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpolines are needed to mitigate the vulnerability)
|
||||
|
||||
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
|
||||
* Kernel supports Page Table Isolation (PTI): YES
|
||||
* PTI enabled and active: YES
|
||||
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
|
||||
* Kernel supports Page Table Isolation (PTI): YES
|
||||
* PTI enabled and active: YES
|
||||
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
|
||||
```
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
#! /bin/sh
|
||||
# Spectre & Meltdown checker
|
||||
# Stephane Lesimple
|
||||
VERSION=0.03
|
||||
VERSION=0.09
|
||||
|
||||
pstatus()
|
||||
{
|
||||
@ -11,7 +11,7 @@ pstatus()
|
||||
yellow) col="\033[103m\033[30m";;
|
||||
*) col="";;
|
||||
esac
|
||||
/bin/echo -ne "$col$2\033[0m"
|
||||
/bin/echo -ne "$col $2 \033[0m"
|
||||
[ -n "$3" ] && /bin/echo -n " ($3)"
|
||||
/bin/echo
|
||||
}
|
||||
@ -43,7 +43,7 @@ try_decompress()
|
||||
do
|
||||
pos=${pos%%:*}
|
||||
tail -c+$pos "$img" | $3 > $vmlinuxtmp 2> /dev/null
|
||||
check_vmlinux $vmlinuxtmp && echo $vmlinuxtmp || rm -f $vmlinuxtmp
|
||||
check_vmlinux $vmlinuxtmp && echo $vmlinuxtmp && return 0
|
||||
done
|
||||
}
|
||||
|
||||
@ -55,7 +55,11 @@ extract_vmlinux()
|
||||
vmlinuxtmp=$(mktemp /tmp/vmlinux-XXX)
|
||||
|
||||
# Initial attempt for uncompressed images or objects:
|
||||
check_vmlinux $img
|
||||
if check_vmlinux $img; then
|
||||
cat $img > $vmlinuxtmp
|
||||
echo $vmlinuxtmp
|
||||
return 0
|
||||
fi
|
||||
|
||||
# That didn't work, so retry after decompression.
|
||||
try_decompress '\037\213\010' xy gunzip || \
|
||||
@ -73,9 +77,11 @@ extract_vmlinux()
|
||||
/bin/echo -e "\033[1;34mCVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'\033[0m"
|
||||
/bin/echo -n "* Kernel compiled with LFENCE opcode inserted at the proper places: "
|
||||
|
||||
status=0
|
||||
img=''
|
||||
[ -e /boot/vmlinuz-$(uname -r) ] && img=/boot/vmlinuz-$(uname -r)
|
||||
[ -e /boot/vmlinux-$(uname -r) ] && img=/boot/vmlinux-$(uname -r)
|
||||
[ -e /boot/kernel-$( uname -r) ] && img=/boot/kernel-$( uname -r)
|
||||
[ -e /boot/bzImage-$(uname -r) ] && img=/boot/bzImage-$(uname -r)
|
||||
if [ -z "$img" ]; then
|
||||
pstatus yellow UNKNOWN "couldn't find your kernel image in /boot"
|
||||
@ -94,7 +100,6 @@ else
|
||||
pstatus green YES "$nb_lfence opcodes found, which is >= 60"
|
||||
status=2
|
||||
fi
|
||||
rm -f $vmlinux
|
||||
fi
|
||||
fi
|
||||
|
||||
@ -115,14 +120,13 @@ fi
|
||||
if [ ! -e /dev/cpu/0/msr ]; then
|
||||
pstatus yellow UNKNOWN "couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?"
|
||||
else
|
||||
dd if=/dev/cpu/0/msr of=/dev/null bs=1 count=8 skip=72 2>/dev/null
|
||||
# same that rdmsr 0x48 but without needing the rdmsr tool
|
||||
dd if=/dev/cpu/0/msr of=/dev/null bs=8 count=1 skip=9 2>/dev/null
|
||||
if [ $? -eq 0 ]; then
|
||||
pstatus green YES
|
||||
else
|
||||
pstatus red NO
|
||||
fi
|
||||
#dd if=/dev/cpu/0/msr of=/dev/null bs=1 count=8 skip=73 2>/dev/null
|
||||
#/bin/echo $?
|
||||
fi
|
||||
|
||||
if [ "$insmod_msr" = 1 ]; then
|
||||
@ -162,16 +166,35 @@ if [ "$mounted_debugfs" = 1 ]; then
|
||||
fi
|
||||
|
||||
/bin/echo "* Mitigation 2"
|
||||
/bin/echo -n "* Kernel recompiled with retpolines: "
|
||||
pstatus yellow UNKNOWN "check not yet implemented"
|
||||
/bin/echo -n "* Kernel compiled with retpolines: "
|
||||
# XXX this doesn't mean the kernel has been compiled with a retpoline-aware gcc
|
||||
if [ -e /proc/config.gz ]; then
|
||||
if zgrep -q '^CONFIG_RETPOLINE=y' /proc/config.gz; then
|
||||
pstatus green YES
|
||||
retpoline=1
|
||||
else
|
||||
pstatus red NO
|
||||
fi
|
||||
elif [ -e /boot/config-$(uname -r) ]; then
|
||||
if grep -q '^CONFIG_RETPOLINE=y' /boot/config-$(uname -r); then
|
||||
pstatus green YES
|
||||
retpoline=1
|
||||
else
|
||||
pstatus red NO
|
||||
fi
|
||||
else
|
||||
pstatus yellow UNKNOWN "couldn't read your kernel configuration"
|
||||
fi
|
||||
|
||||
/bin/echo -ne "> \033[46m\033[30mSTATUS:\033[0m "
|
||||
if grep -q AMD /proc/cpuinfo; then
|
||||
pstatus green "NOT VULNERABLE" "your CPU is not vulnerable as per the vendor"
|
||||
elif [ "$ibrs_enabled" = 1 -o "$ibrs_enabled" = 2 ]; then
|
||||
pstatus green "NOT VULNERABLE" "IBRS mitigates the vulnerability"
|
||||
elif [ "$retpoline" = 1 ]; then
|
||||
pstatus green "NOT VULNERABLE" "retpolines mitigate the vulnerability"
|
||||
else
|
||||
pstatus red VULNERABLE "IBRS hardware + kernel support OR retpolines-compiled kernel are needed to mitigate the vulnerability"
|
||||
pstatus red VULNERABLE "IBRS hardware + kernel support OR kernel with retpolines are needed to mitigate the vulnerability"
|
||||
fi
|
||||
|
||||
# MELTDOWN
|
||||
@ -199,15 +222,23 @@ elif [ -e /boot/System.map-$(uname -r) ]; then
|
||||
else
|
||||
pstatus red NO
|
||||
fi
|
||||
elif [ -n "$vmlinux" ]; then
|
||||
# some backports don't have the option but still have the patch, try to find out
|
||||
if strings "$vmlinux" | grep -qw nopti; then
|
||||
pstatus green YES
|
||||
kpti_support=1
|
||||
else
|
||||
pstatus red NO
|
||||
fi
|
||||
else
|
||||
pstatus yellow UNKNOWN
|
||||
pstatus yellow UNKNOWN "couldn't read your kernel configuration"
|
||||
fi
|
||||
|
||||
/bin/echo -n "* PTI enabled and active: "
|
||||
if grep ^flags /proc/cpuinfo | grep -qw pti; then
|
||||
pstatus green YES
|
||||
kpti_enabled=1
|
||||
elif dmesg | grep -q 'Kernel/User page tables isolation: enabled'; then
|
||||
elif dmesg | grep -Eq 'Kernel/User page tables isolation: enabled|Kernel page table isolation enabled'; then
|
||||
pstatus green YES
|
||||
kpti_enabled=1
|
||||
else
|
||||
@ -230,3 +261,5 @@ if [ "$USER" != root ]; then
|
||||
/bin/echo "You can try the following command: sudo $0"
|
||||
fi
|
||||
|
||||
[ -n "$vmlinux" -a -f "$vmlinux" ] && rm -f "$vmlinux"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user