detect kpti directly in vmlinux if option is not there

update readme
add couple missing elses
2025-07-15 07:11:22 +02:00 · 2018-01-07 22:47:41 +01:00 · 2018-01-07 20:13:10 +01:00 · 2018-01-07 18:49:15 +01:00
2 changed files with 27 additions and 16 deletions
--- a/README.md
+++ b/README.md
@ -28,24 +28,24 @@ Example of the output of the script:

 ```
 $ sudo ./spectre-meltdown-checker.sh
-Spectre and Meltdown mitigation detection tool v0.02
+Spectre and Meltdown mitigation detection tool v0.07

 CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
-* Kernel compiled with LFENCE opcode inserted at the proper places: NO (only 38 opcodes found, should be >= 60)
-> STATUS: VULNERABLE
+* Kernel compiled with LFENCE opcode inserted at the proper places:  NO  (only 38 opcodes found, should be >= 60)
+> STATUS:  VULNERABLE

 CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
 * Mitigation 1
-*   Hardware (CPU microcode) support for mitigation: NO
-*   Kernel support for IBRS: NO
-*   IBRS enabled for Kernel space: NO
-*   IBRS enabled for User space: NO
+*   Hardware (CPU microcode) support for mitigation:  NO
+*   Kernel support for IBRS:  NO
+*   IBRS enabled for Kernel space:  NO
+*   IBRS enabled for User space:  NO
 * Mitigation 2
-*   Kernel recompiled with retpolines: UNKNOWN (check not yet implemented)
-> STATUS: VULNERABLE (IBRS hardware + kernel support OR retpolines-compiled kernel are needed to mitigate the vulnerability)
+*   Kernel compiled with retpolines:  NO
+> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpolines are needed to mitigate the vulnerability)

 CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
-* Kernel supports Page Table Isolation (PTI): YES
-* PTI enabled and active: YES
-> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
+* Kernel supports Page Table Isolation (PTI):  YES
+* PTI enabled and active:  YES
+> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)
 ```
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
@ -1,7 +1,7 @@
 #! /bin/sh
 # Spectre & Meltdown checker
 # Stephane Lesimple
-VERSION=0.06
+VERSION=0.08

 pstatus()
 {
@ -95,7 +95,6 @@ else
 			pstatus green YES "$nb_lfence opcodes found, which is >= 60"
 			status=2
 		fi
-		rm -f $vmlinux
 	fi
 fi

@ -178,6 +177,8 @@ elif [ -e /boot/config-$(uname -r) ]; then
 	else
 		pstatus red NO
 	fi
+else
+	pstatus yellow UNKNOWN "couldn't read your kernel configuration"
 fi

 /bin/echo -ne "> \033[46m\033[30mSTATUS:\033[0m "
@ -216,15 +217,23 @@ elif [ -e /boot/System.map-$(uname -r) ]; then
 	else
 		pstatus red NO
 	fi
+elif [ -n "$vmlinux" ]; then
+	# some backports don't have the option but still have the patch, try to find out
+	if strings "$vmlinux" | grep -qw nopti; then
+		pstatus green YES
+		kpti_support=1
+	else
+		pstatus red NO
+	fi
 else
-	pstatus yellow UNKNOWN
+	pstatus yellow UNKNOWN "couldn't read your kernel configuration"
 fi

 /bin/echo -n "* PTI enabled and active: "
 if grep ^flags /proc/cpuinfo | grep -qw pti; then
 	pstatus green YES
 	kpti_enabled=1
-elif dmesg | grep -q 'Kernel/User page tables isolation: enabled'; then
+elif dmesg | grep -Eq 'Kernel/User page tables isolation: enabled|Kernel page table isolation enabled'; then
 	pstatus green YES
 	kpti_enabled=1
 else
@ -247,3 +256,5 @@ if [ "$USER" != root ]; then
 	/bin/echo "You can try the following command: sudo $0"
 fi

+[ -n "$vmlinux" ] && rm -f "$vmlinux"
+
Author	SHA1	Message	Date
Stéphane Lesimple	05c79425ab	detect kpti directly in vmlinux if option is not there	2018-01-07 22:47:41 +01:00
Stéphane Lesimple	9def0c949a	update readme	2018-01-07 20:13:10 +01:00
Stéphane Lesimple	64eb1d005c	add couple missing elses	2018-01-07 18:49:15 +01:00