mirror of
https://github.com/speed47/spectre-meltdown-checker.git
synced 2025-07-15 15:21:23 +02:00
Compare commits
14 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| edbdf0da1f | |||
| 68adbfdf14 | |||
| 47c30babf1 | |||
| ef7a5c4cf6 | |||
| 4406910bea | |||
| b7197d6f54 | |||
| c792fa35bf | |||
| d1498fe03f | |||
| 12bdd0e412 | |||
| 89f9bef577 | |||
| 0f50e04dab | |||
| bf056ae73d | |||
| 623e180ae1 | |||
| 40a9d43c44 |
@ -1,7 +1,7 @@
|
|||||||
#! /bin/sh
|
#! /bin/sh
|
||||||
# Spectre & Meltdown checker
|
# Spectre & Meltdown checker
|
||||||
# Stephane Lesimple
|
# Stephane Lesimple
|
||||||
VERSION=0.10
|
VERSION=0.13
|
||||||
|
|
||||||
# print status function
|
# print status function
|
||||||
pstatus()
|
pstatus()
|
||||||
@ -78,7 +78,19 @@ extract_vmlinux()
|
|||||||
|
|
||||||
# end of extract-vmlinux functions
|
# end of extract-vmlinux functions
|
||||||
|
|
||||||
/bin/echo "Spectre and Meltdown mitigation detection tool v$VERSION"
|
/bin/echo -e "\033[1;34mSpectre and Meltdown mitigation detection tool v$VERSION\033[0m"
|
||||||
|
/bin/echo
|
||||||
|
|
||||||
|
# root check
|
||||||
|
|
||||||
|
if [ "$(id -u)" -ne 0 ]; then
|
||||||
|
/bin/echo -e "\033[31mNote that you should launch this script with root privileges to get accurate information.\033[0m"
|
||||||
|
/bin/echo -e "\033[31mWe'll proceed but you might see permission denied errors.\033[0m"
|
||||||
|
/bin/echo -e "\033[31mTo run it as root, you can try the following command: sudo $0\033[0m"
|
||||||
|
/bin/echo
|
||||||
|
fi
|
||||||
|
|
||||||
|
/bin/echo -e "Checking vulnerabilities against \033[35m"$(uname -s) $(uname -r) $(uname -v) $(uname -m)"\033[0m"
|
||||||
/bin/echo
|
/bin/echo
|
||||||
|
|
||||||
###########
|
###########
|
||||||
@ -89,10 +101,11 @@ extract_vmlinux()
|
|||||||
status=0
|
status=0
|
||||||
img=''
|
img=''
|
||||||
# try to find the image of the current running kernel
|
# try to find the image of the current running kernel
|
||||||
|
[ -e /boot/vmlinuz-linux ] && img=/boot/vmlinuz-linux
|
||||||
[ -e /boot/vmlinuz-$(uname -r) ] && img=/boot/vmlinuz-$(uname -r)
|
[ -e /boot/vmlinuz-$(uname -r) ] && img=/boot/vmlinuz-$(uname -r)
|
||||||
[ -e /boot/vmlinux-$(uname -r) ] && img=/boot/vmlinux-$(uname -r)
|
|
||||||
[ -e /boot/kernel-$( uname -r) ] && img=/boot/kernel-$( uname -r)
|
[ -e /boot/kernel-$( uname -r) ] && img=/boot/kernel-$( uname -r)
|
||||||
[ -e /boot/bzImage-$(uname -r) ] && img=/boot/bzImage-$(uname -r)
|
[ -e /boot/bzImage-$(uname -r) ] && img=/boot/bzImage-$(uname -r)
|
||||||
|
[ -e /boot/kernel-genkernel-$(uname -m)-$(uname -r) ] && img=/boot/kernel-genkernel-$(uname -m)-$(uname -r)
|
||||||
if [ -z "$img" ]; then
|
if [ -z "$img" ]; then
|
||||||
pstatus yellow UNKNOWN "couldn't find your kernel image in /boot, if you used netboot, this is normal"
|
pstatus yellow UNKNOWN "couldn't find your kernel image in /boot, if you used netboot, this is normal"
|
||||||
else
|
else
|
||||||
@ -104,13 +117,16 @@ else
|
|||||||
else
|
else
|
||||||
# here we disassemble the kernel and count the number of occurences of the LFENCE opcode
|
# here we disassemble the kernel and count the number of occurences of the LFENCE opcode
|
||||||
# in non-patched kernels, this has been empirically determined as being around 40-50
|
# in non-patched kernels, this has been empirically determined as being around 40-50
|
||||||
# in patched kernels, this is more around 70-80
|
# in patched kernels, this is more around 70-80, sometimes way higher (100+)
|
||||||
|
# v0.13: 68 found in a 3.10.23-xxxx-std-ipv6-64 (with lots of modules compiled-in directly), which doesn't have the LFENCE patches,
|
||||||
|
# so let's push the threshold to 70.
|
||||||
|
# TODO LKML patch is starting to dump LFENCE in favor of the PAUSE opcode, we might need to check that (patch not stabilized yet)
|
||||||
nb_lfence=$(objdump -D "$vmlinux" | grep -wc lfence)
|
nb_lfence=$(objdump -D "$vmlinux" | grep -wc lfence)
|
||||||
if [ "$nb_lfence" -lt 60 ]; then
|
if [ "$nb_lfence" -lt 70 ]; then
|
||||||
pstatus red NO "only $nb_lfence opcodes found, should be >= 60"
|
pstatus red NO "only $nb_lfence opcodes found, should be >= 70"
|
||||||
status=1
|
status=1
|
||||||
else
|
else
|
||||||
pstatus green YES "$nb_lfence opcodes found, which is >= 60"
|
pstatus green YES "$nb_lfence opcodes found, which is >= 70"
|
||||||
status=2
|
status=2
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
@ -151,11 +167,11 @@ if [ "$insmod_msr" = 1 ]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
/bin/echo -n "* Kernel support for IBRS: "
|
/bin/echo -n "* Kernel support for IBRS: "
|
||||||
if [ -e /sys/kernel/debug/sched_features ]; then
|
if [ ! -e /sys/kernel/debug/sched_features ]; then
|
||||||
# try to mount the debugfs hierarchy ourselves and remember it to umount afterwards
|
# try to mount the debugfs hierarchy ourselves and remember it to umount afterwards
|
||||||
mount -t debugfs debugfs /sys/kernel/debug 2>/dev/null && mounted_debugfs=1
|
mount -t debugfs debugfs /sys/kernel/debug 2>/dev/null && mounted_debugfs=1
|
||||||
fi
|
fi
|
||||||
if [ -e /sys/kernel/debug/ibrs_enabled ]; then
|
if [ -e /sys/kernel/debug/ibrs_enabled -o -e /sys/kernel/debug/x86/ibrs_enabled ]; then
|
||||||
# if the file is there, we have IBRS compiled-in
|
# if the file is there, we have IBRS compiled-in
|
||||||
pstatus green YES
|
pstatus green YES
|
||||||
ibrs_supported=1
|
ibrs_supported=1
|
||||||
@ -163,7 +179,7 @@ else
|
|||||||
pstatus red NO
|
pstatus red NO
|
||||||
fi
|
fi
|
||||||
|
|
||||||
ibrs_enabled=$(cat /sys/kernel/debug/ibrs_enabled 2>/dev/null)
|
[ -f /sys/kernel/debug/ibrs_enabled ] && ibrs_enabled=$(cat /sys/kernel/debug/ibrs_enabled 2>/dev/null) || ibrs_enabled=$(cat /sys/kernel/debug/x86/ibrs_enabled 2>/dev/null)
|
||||||
/bin/echo -n "* IBRS enabled for Kernel space: "
|
/bin/echo -n "* IBRS enabled for Kernel space: "
|
||||||
# 0 means disabled
|
# 0 means disabled
|
||||||
# 1 is enabled only for kernel space
|
# 1 is enabled only for kernel space
|
||||||
@ -278,6 +294,9 @@ elif dmesg | grep -Eq 'Kernel/User page tables isolation: enabled|Kernel page ta
|
|||||||
# if we can't find the flag, grep in dmesg
|
# if we can't find the flag, grep in dmesg
|
||||||
pstatus green YES
|
pstatus green YES
|
||||||
kpti_enabled=1
|
kpti_enabled=1
|
||||||
|
elif [ -e /sys/kernel/debug/x86/pti_enabled -a "$(cat /sys/kernel/debug/x86/pti_enabled 2>/dev/null)" = 1 ]; then
|
||||||
|
pstatus green YES
|
||||||
|
kpti_enabled=1
|
||||||
else
|
else
|
||||||
pstatus red NO
|
pstatus red NO
|
||||||
fi
|
fi
|
||||||
@ -292,9 +311,5 @@ else
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
/bin/echo
|
/bin/echo
|
||||||
if [ "$(id -u)" -ne 0 ]; then
|
|
||||||
/bin/echo "Note that you should launch this script with root privileges to get accurate information"
|
|
||||||
/bin/echo "You can try the following command: sudo $0"
|
|
||||||
fi
|
|
||||||
|
|
||||||
[ -n "$vmlinux" -a -f "$vmlinux" ] && rm -f "$vmlinux"
|
[ -n "$vmlinux" -a -f "$vmlinux" ] && rm -f "$vmlinux"
|
||||||
|
|||||||
Reference in New Issue
Block a user