mirror of
https://github.com/speed47/spectre-meltdown-checker.git
synced 2025-07-15 07:11:22 +02:00
Compare commits
11 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 34656827f5 | |||
| 206e4b7fbc | |||
| 207168e097 | |||
| f8ca11e56a | |||
| c88acdd31d | |||
| 88df48f4a7 | |||
| 124ce8e27a | |||
| 7bbcfe0df7 | |||
| a792348928 | |||
| 66f7708095 | |||
| 34ef5ef21b |
@ -1,7 +1,7 @@
|
||||
#! /bin/sh
|
||||
# Spectre & Meltdown checker
|
||||
# Stephane Lesimple
|
||||
VERSION=0.13
|
||||
VERSION=0.15
|
||||
|
||||
# print status function
|
||||
pstatus()
|
||||
@ -171,15 +171,20 @@ if [ ! -e /sys/kernel/debug/sched_features ]; then
|
||||
# try to mount the debugfs hierarchy ourselves and remember it to umount afterwards
|
||||
mount -t debugfs debugfs /sys/kernel/debug 2>/dev/null && mounted_debugfs=1
|
||||
fi
|
||||
if [ -e /sys/kernel/debug/ibrs_enabled -o -e /sys/kernel/debug/x86/ibrs_enabled ]; then
|
||||
if [ -e /sys/kernel/debug/ibrs_enabled ]; then
|
||||
# if the file is there, we have IBRS compiled-in
|
||||
pstatus green YES
|
||||
ibrs_supported=1
|
||||
ibrs_enabled=$(cat /sys/kernel/debug/ibrs_enabled 2>/dev/null)
|
||||
elif [ -e /sys/kernel/debug/x86/ibrs_enabled ]; then
|
||||
# RedHat uses a different path (see https://access.redhat.com/articles/3311301)
|
||||
pstatus green YES
|
||||
ibrs_supported=1
|
||||
ibrs_enabled=$(cat /sys/kernel/debug/x86/ibrs_enabled 2>/dev/null)
|
||||
else
|
||||
pstatus red NO
|
||||
fi
|
||||
|
||||
[ -f /sys/kernel/debug/ibrs_enabled ] && ibrs_enabled=$(cat /sys/kernel/debug/ibrs_enabled 2>/dev/null) || ibrs_enabled=$(cat /sys/kernel/debug/x86/ibrs_enabled 2>/dev/null)
|
||||
/bin/echo -n "* IBRS enabled for Kernel space: "
|
||||
# 0 means disabled
|
||||
# 1 is enabled only for kernel space
|
||||
@ -196,19 +201,12 @@ case "$ibrs_enabled" in
|
||||
"") [ "$ibrs_supported" = 1 ] && pstatus yellow UNKNOWN || pstatus red NO;;
|
||||
0 | 1) pstatus red NO;;
|
||||
2) pstatus green YES;;
|
||||
*) pstatus yellow unknown;;
|
||||
*) pstatus yellow UNKNOWN;;
|
||||
esac
|
||||
|
||||
if [ "$mounted_debugfs" = 1 ]; then
|
||||
# umount debugfs if we did mount it ourselves
|
||||
umount /sys/kernel/debug
|
||||
fi
|
||||
|
||||
/bin/echo "* Mitigation 2"
|
||||
/bin/echo -n "* Kernel compiled with retpolines: "
|
||||
/bin/echo -n "* Kernel compiled with retpoline option: "
|
||||
# We check the RETPOLINE kernel options
|
||||
# XXX this doesn't mean the kernel has been compiled with a retpoline-aware gcc
|
||||
# still looking for a way do detect that ...
|
||||
if [ -e /proc/config.gz ]; then
|
||||
# either the running kernel exports his own config
|
||||
if zgrep -q '^CONFIG_RETPOLINE=y' /proc/config.gz; then
|
||||
@ -229,15 +227,48 @@ else
|
||||
pstatus yellow UNKNOWN "couldn't read your kernel configuration"
|
||||
fi
|
||||
|
||||
/bin/echo -n "* Kernel compiled with a retpoline-aware compiler: "
|
||||
# Now check if the compiler used to compile the kernel knows how to insert retpolines in generated asm
|
||||
# For gcc, this is -mindirect-branch=thunk-extern (detected by the kernel makefiles)
|
||||
# See gcc commit https://github.com/hjl-tools/gcc/commit/23b517d4a67c02d3ef80b6109218f2aadad7bd79
|
||||
# In latest retpoline LKML patches, the noretpoline_setup symbol exists only if CONFIG_RETPOLINE is set
|
||||
# *AND* if the compiler is retpoline-compliant, so look for that symbol
|
||||
if [ -n "$vmlinux" ]; then
|
||||
# look for the symbol
|
||||
if [ -e /boot/System.map-$(uname -r) ]; then
|
||||
if grep -qw noretpoline_setup /boot/System.map-$(uname -r); then
|
||||
retpoline_compiler=1
|
||||
pstatus green YES "noretpoline_setup symbol found in System.map"
|
||||
fi
|
||||
elif which nm >/dev/null 2>&1; then
|
||||
# the proper way: use nm and look for the symbol
|
||||
if nm "$vmlinux" 2>/dev/null | grep -qw 'noretpoline_setup'; then
|
||||
retpoline_compiler=1
|
||||
pstatus green YES "noretpoline_setup symbol found in vmlinux"
|
||||
fi
|
||||
elif grep -q noretpoline_setup "$vmlinux"; then
|
||||
# if we don't have nm, nevermind, the symbol name is long enough to not have
|
||||
# any false positive using good old grep directly on the binary
|
||||
retpoline_compiler=1
|
||||
pstatus green YES "noretpoline_setup symbol found in vmlinux"
|
||||
fi
|
||||
if [ "$retpoline_compiler" != 1 ]; then
|
||||
pstatus red NO
|
||||
fi
|
||||
else
|
||||
pstatus yellow UNKNOWN "couldn't find your kernel image"
|
||||
fi
|
||||
|
||||
|
||||
/bin/echo -ne "> \033[46m\033[30mSTATUS:\033[0m "
|
||||
if grep -q AMD /proc/cpuinfo; then
|
||||
pstatus green "NOT VULNERABLE" "your CPU is not vulnerable as per the vendor"
|
||||
elif [ "$ibrs_enabled" = 1 -o "$ibrs_enabled" = 2 ]; then
|
||||
pstatus green "NOT VULNERABLE" "IBRS mitigates the vulnerability"
|
||||
elif [ "$retpoline" = 1 ]; then
|
||||
pstatus green "NOT VULNERABLE" "retpolines mitigate the vulnerability"
|
||||
elif [ "$retpoline" = 1 -a "$retpoline_compiler" = 1 ]; then
|
||||
pstatus green "NOT VULNERABLE" "retpoline mitigate the vulnerability"
|
||||
else
|
||||
pstatus red VULNERABLE "IBRS hardware + kernel support OR kernel with retpolines are needed to mitigate the vulnerability"
|
||||
pstatus red VULNERABLE "IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability"
|
||||
fi
|
||||
|
||||
##########
|
||||
@ -250,13 +281,13 @@ kpti_can_tell=0
|
||||
if [ -e /proc/config.gz ]; then
|
||||
# either the running kernel exports his own config
|
||||
kpti_can_tell=1
|
||||
if zgrep -q '^CONFIG_PAGE_TABLE_ISOLATION=y' /proc/config.gz; then
|
||||
if zgrep -q '^\(CONFIG_PAGE_TABLE_ISOLATION=y\|CONFIG_KAISER=y\)' /proc/config.gz; then
|
||||
kpti_support=1
|
||||
fi
|
||||
elif [ -e /boot/config-$(uname -r) ]; then
|
||||
# or we can find a config file in /root with the kernel release name
|
||||
kpti_can_tell=1
|
||||
if grep -q '^CONFIG_PAGE_TABLE_ISOLATION=y' /boot/config-$(uname -r); then
|
||||
if grep -q '^\(CONFIG_PAGE_TABLE_ISOLATION=y\|CONFIG_KAISER=y\)' /boot/config-$(uname -r); then
|
||||
kpti_support=1
|
||||
fi
|
||||
fi
|
||||
@ -288,19 +319,30 @@ fi
|
||||
/bin/echo -n "* PTI enabled and active: "
|
||||
if grep ^flags /proc/cpuinfo | grep -qw pti; then
|
||||
# vanilla PTI patch sets the 'pti' flag in cpuinfo
|
||||
pstatus green YES
|
||||
kpti_enabled=1
|
||||
elif grep ^flags /proc/cpuinfo | grep -qw kaiser; then
|
||||
# kernel line 4.9 sets the 'kaiser' flag in cpuinfo
|
||||
kpti_enabled=1
|
||||
elif [ -e /sys/kernel/debug/x86/pti_enabled ]; then
|
||||
# RedHat Backport creates a dedicated file, see https://access.redhat.com/articles/3311301
|
||||
kpti_enabled=$(cat /sys/kernel/debug/x86/pti_enabled 2>/dev/null)
|
||||
elif dmesg | grep -Eq 'Kernel/User page tables isolation: enabled|Kernel page table isolation enabled'; then
|
||||
# if we can't find the flag, grep in dmesg
|
||||
pstatus green YES
|
||||
kpti_enabled=1
|
||||
elif [ -e /sys/kernel/debug/x86/pti_enabled -a "$(cat /sys/kernel/debug/x86/pti_enabled 2>/dev/null)" = 1 ]; then
|
||||
pstatus green YES
|
||||
kpti_enabled=1
|
||||
else
|
||||
kpti_enabled=0
|
||||
fi
|
||||
if [ "$kpti_enabled" = 1 ]; then
|
||||
pstatus green YES
|
||||
else
|
||||
pstatus red NO
|
||||
fi
|
||||
|
||||
if [ "$mounted_debugfs" = 1 ]; then
|
||||
# umount debugfs if we did mount it ourselves
|
||||
umount /sys/kernel/debug
|
||||
fi
|
||||
|
||||
/bin/echo -ne "> \033[46m\033[30mSTATUS:\033[0m "
|
||||
if grep -q AMD /proc/cpuinfo; then
|
||||
pstatus green "NOT VULNERABLE" "your CPU is not vulnerable as per the vendor"
|
||||
|
||||
Reference in New Issue
Block a user