peter/spectre-meltdown-checker
1
0
Fork 0
mirror of https://github.com/speed47/spectre-meltdown-checker.git synced 2025-07-15 23:31:22 +02:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: peter:v0.27
Branches Tags
peter:master
peter:v0.46 peter:v0.45 peter:v0.44 peter:v0.43 peter:v0.42 peter:v0.41 peter:v0.40 peter:v0.39 peter:v0.38 peter:v0.37 peter:v0.36 peter:v0.35 peter:v0.34 peter:v0.33 peter:v0.32 peter:v0.31 peter:v0.30 peter:v0.29 peter:v0.28 peter:v0.27 peter:v0.26 peter:v0.25 peter:v0.24 peter:v0.23 peter:v0.22 peter:v0.21 peter:v0.20 peter:v0.19 peter:v0.18 peter:v0.17 peter:v0.16 peter:v0.15 peter:v0.14 peter:v0.13 peter:v0.12 peter:v0.11 peter:v0.10 peter:v0.09 peter:v0.08 peter:v0.07 peter:v0.06 peter:v0.05 peter:v0.04 peter:v0.03 peter:v0.02 peter:v0.01
..
compare: peter:v0.28
Branches Tags
peter:master
peter:v0.46 peter:v0.45 peter:v0.44 peter:v0.43 peter:v0.42 peter:v0.41 peter:v0.40 peter:v0.39 peter:v0.38 peter:v0.37 peter:v0.36 peter:v0.35 peter:v0.34 peter:v0.33 peter:v0.32 peter:v0.31 peter:v0.30 peter:v0.29 peter:v0.28 peter:v0.27 peter:v0.26 peter:v0.25 peter:v0.24 peter:v0.23 peter:v0.22 peter:v0.21 peter:v0.20 peter:v0.19 peter:v0.18 peter:v0.17 peter:v0.16 peter:v0.15 peter:v0.14 peter:v0.13 peter:v0.12 peter:v0.11 peter:v0.10 peter:v0.09 peter:v0.08 peter:v0.07 peter:v0.06 peter:v0.05 peter:v0.04 peter:v0.03 peter:v0.02 peter:v0.01

5 Commits
v0.27 ... v0.28

Author SHA1 Message Date
Stéphane Lesimple
dce917bfbb add --version, bump to v0.28 2018-01-12 19:10:44 +01:00
Stéphane Lesimple
8f18f53aba add cpu model in output 2018-01-12 19:08:12 +01:00
M. Willis Monroe
d3f102b3b3 Typofix in readme (#61) 2018-01-12 13:58:04 +01:00
M. Willis Monroe
8bd093173d Fixed a few spelling errors (#60) 2018-01-12 11:46:36 +01:00
Stéphane Lesimple
bfe5a3b840 add some debug 2018-01-12 10:53:19 +01:00
2 changed files with 30 additions and 7 deletions
Expand all files Collapse all files

2
README.md
View File

@ -40,6 +40,6 @@ However, some mitigations could also exist in your kernel that this script doesn
Your system exposure also depends on your CPU. As of now, AMD and ARM processors are marked as immune to some or all of these vulnerabilities (except some specific ARM models). All Intel processors manufactured since circa 1995 are thought to be vulnerable. Whatever processor one uses, one might seek more information from the manufacturer of that processor and/or of the device in which it runs. Your system exposure also depends on your CPU. As of now, AMD and ARM processors are marked as immune to some or all of these vulnerabilities (except some specific ARM models). All Intel processors manufactured since circa 1995 are thought to be vulnerable. Whatever processor one uses, one might seek more information from the manufacturer of that processor and/or of the device in which it runs.
The nature of the discovered vulnerabilities being quite new, the landscape of vulnerable processors can be expected to change over time, which is why this script makes the assumption that all CPUs are vulnerable, except if the manufacturer explicitely stated otherwise in a verifiable public announcement. The nature of the discovered vulnerabilities being quite new, the landscape of vulnerable processors can be expected to change over time, which is why this script makes the assumption that all CPUs are vulnerable, except if the manufacturer explicitly stated otherwise in a verifiable public announcement.
This tool has been released in the hope that it'll be useful, but don't use it to jump to conclusions about your security. This tool has been released in the hope that it'll be useful, but don't use it to jump to conclusions about your security.

35
spectre-meltdown-checker.sh
View File

@ -8,7 +8,7 @@
# #
# Stephane Lesimple # Stephane Lesimple
# #
VERSION=0.27 VERSION=0.28
# Script configuration # Script configuration
show_usage() show_usage()
@ -22,7 +22,7 @@ show_usage()
Two modes are available. Two modes are available.
First mode is the "live" mode (default), it does its best to find information about the currently running kernel. First mode is the "live" mode (default), it does its best to find information about the currently running kernel.
To run under this mode, just start the script without any option (you can also use --live explicitely) To run under this mode, just start the script without any option (you can also use --live explicitly)
Second mode is the "offline" mode, where you can inspect a non-running kernel. Second mode is the "offline" mode, where you can inspect a non-running kernel.
You'll need to specify the location of the vmlinux file, and if possible, the corresponding config and System.map files: You'll need to specify the location of the vmlinux file, and if possible, the corresponding config and System.map files:
@ -41,6 +41,7 @@ show_usage()
--variant [1,2,3] Specify which variant you'd like to check, by default all variants are checked --variant [1,2,3] Specify which variant you'd like to check, by default all variants are checked
Can be specified multiple times (e.g. --variant 2 --variant 3) Can be specified multiple times (e.g. --variant 2 --variant 3)
IMPORTANT: IMPORTANT:
A false sense of security is worse than no security at all. A false sense of security is worse than no security at all.
Please use the --disclaimer option to understand exactly what this script does. Please use the --disclaimer option to understand exactly what this script does.
@ -66,7 +67,7 @@ in which it runs.
The nature of the discovered vulnerabilities being quite new, the landscape of vulnerable processors can be expected The nature of the discovered vulnerabilities being quite new, the landscape of vulnerable processors can be expected
to change over time, which is why this script makes the assumption that all CPUs are vulnerable, except if the manufacturer to change over time, which is why this script makes the assumption that all CPUs are vulnerable, except if the manufacturer
explicitely stated otherwise in a verifiable public announcement. explicitly stated otherwise in a verifiable public announcement.
This tool has been released in the hope that it'll be useful, but don't use it to jump to conclusions about your security. This tool has been released in the hope that it'll be useful, but don't use it to jump to conclusions about your security.
@ -144,7 +145,7 @@ _verbose()
_debug() _debug()
{ {
_echo 3 "(debug) $@" _echo 3 "\033[34m(debug) $@\033[0m"
} }
is_cpu_vulnerable() is_cpu_vulnerable()
@ -290,6 +291,10 @@ while [ -n "$1" ]; do
show_header show_header
show_usage show_usage
exit 0 exit 0
elif [ "$1" = "--version" ]; then
opt_no_color=1
show_header
exit 1
elif [ "$1" = "--disclaimer" ]; then elif [ "$1" = "--disclaimer" ]; then
show_header show_header
show_disclaimer show_disclaimer
@ -457,7 +462,8 @@ if [ "$opt_live" = 1 ]; then
_warn "To run it as root, you can try the following command: sudo $0" _warn "To run it as root, you can try the following command: sudo $0"
_warn _warn
fi fi
_info "Checking for vulnerabilities against live running kernel \033[35m"$(uname -s) $(uname -r) $(uname -v) $(uname -m)"\033[0m" _info "Checking for vulnerabilities against running kernel \033[35m"$(uname -s) $(uname -r) $(uname -v) $(uname -m)"\033[0m"
_info "CPU is\033[35m"$(grep '^model name' /proc/cpuinfo | cut -d: -f2 | head -1)"\033[0m"
# try to find the image of the current running kernel # try to find the image of the current running kernel
# first, look for the BOOT_IMAGE hint in the kernel cmdline # first, look for the BOOT_IMAGE hint in the kernel cmdline
@ -556,7 +562,7 @@ umount_debugfs()
sys_interface_check() sys_interface_check()
{ {
[ "$opt_live" = 1 -a "$opt_no_sysfs" = 0 -a -r "$1" ] || return 1 [ "$opt_live" = 1 -a "$opt_no_sysfs" = 0 -a -r "$1" ] || return 1
_info_nol "* Checking wheter we're safe according to the /sys interface: " _info_nol "* Checking whether we're safe according to the /sys interface: "
if grep -qi '^not affected' "$1"; then if grep -qi '^not affected' "$1"; then
# Not affected # Not affected
status=OK status=OK
@ -574,6 +580,7 @@ sys_interface_check()
pstatus yellow UNKNOWN "unknown value reported by kernel" pstatus yellow UNKNOWN "unknown value reported by kernel"
fi fi
msg=$(cat "$1") msg=$(cat "$1")
_debug "sys_interface_check: $1=$msg"
return 0 return 0
} }
@ -650,6 +657,7 @@ check_variant2()
if [ ! -e /dev/cpu/0/msr ]; then if [ ! -e /dev/cpu/0/msr ]; then
# try to load the module ourselves (and remember it so we can rmmod it afterwards) # try to load the module ourselves (and remember it so we can rmmod it afterwards)
modprobe msr 2>/dev/null && insmod_msr=1 modprobe msr 2>/dev/null && insmod_msr=1
_debug "attempted to load module msr, ret=$insmod_msr"
fi fi
if [ ! -e /dev/cpu/0/msr ]; then if [ ! -e /dev/cpu/0/msr ]; then
pstatus yellow UNKNOWN "couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?" pstatus yellow UNKNOWN "couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?"
@ -668,6 +676,7 @@ check_variant2()
if [ "$insmod_msr" = 1 ]; then if [ "$insmod_msr" = 1 ]; then
# if we used modprobe ourselves, rmmod the module # if we used modprobe ourselves, rmmod the module
rmmod msr 2>/dev/null rmmod msr 2>/dev/null
_debug "attempted to unload module msr, ret=$?"
fi fi
_info_nol "* Kernel support for IBRS: " _info_nol "* Kernel support for IBRS: "
@ -685,7 +694,10 @@ check_variant2()
pstatus green YES pstatus green YES
ibrs_supported=1 ibrs_supported=1
ibrs_enabled=$(cat "$ibrs_file" 2>/dev/null) ibrs_enabled=$(cat "$ibrs_file" 2>/dev/null)
_debug "ibrs: found $ibrs_file=$ibrs_enabled"
break break
else
_debug "ibrs: file $ibrs_file doesn't exist"
fi fi
done done
fi fi
@ -693,6 +705,7 @@ check_variant2()
if grep -q spec_ctrl "$opt_map"; then if grep -q spec_ctrl "$opt_map"; then
pstatus green YES pstatus green YES
ibrs_supported=1 ibrs_supported=1
_debug "ibrs: found '*spec_ctrl*' symbol in $opt_map"
fi fi
fi fi
if [ "$ibrs_supported" != 1 ]; then if [ "$ibrs_supported" != 1 ]; then
@ -733,6 +746,7 @@ check_variant2()
if grep -q '^CONFIG_RETPOLINE=y' "$opt_config"; then if grep -q '^CONFIG_RETPOLINE=y' "$opt_config"; then
pstatus green YES pstatus green YES
retpoline=1 retpoline=1
_debug "retpoline: found "$(grep '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config"
else else
pstatus red NO pstatus red NO
fi fi
@ -822,6 +836,7 @@ check_variant3()
if [ -n "$opt_config" ]; then if [ -n "$opt_config" ]; then
kpti_can_tell=1 kpti_can_tell=1
if grep -Eq '^(CONFIG_PAGE_TABLE_ISOLATION|CONFIG_KAISER)=y' "$opt_config"; then if grep -Eq '^(CONFIG_PAGE_TABLE_ISOLATION|CONFIG_KAISER)=y' "$opt_config"; then
_debug "kpti_support: found option "$(grep -E '^(CONFIG_PAGE_TABLE_ISOLATION|CONFIG_KAISER)=y' "$opt_config")" in $opt_config"
kpti_support=1 kpti_support=1
fi fi
fi fi
@ -830,6 +845,7 @@ check_variant3()
# so we try to find an exported symbol that is part of the PTI patch in System.map # so we try to find an exported symbol that is part of the PTI patch in System.map
kpti_can_tell=1 kpti_can_tell=1
if grep -qw kpti_force_enabled "$opt_map"; then if grep -qw kpti_force_enabled "$opt_map"; then
_debug "kpti_support: found kpti_force_enabled in $opt_map"
kpti_support=1 kpti_support=1
fi fi
fi fi
@ -841,6 +857,7 @@ check_variant3()
pstatus yellow UNKNOWN "missing 'strings' tool, please install it, usually it's in the binutils package" pstatus yellow UNKNOWN "missing 'strings' tool, please install it, usually it's in the binutils package"
else else
if strings "$vmlinux" | grep -qw nopti; then if strings "$vmlinux" | grep -qw nopti; then
_debug "kpti_support: found nopti string in $vmlinux"
kpti_support=1 kpti_support=1
fi fi
fi fi
@ -862,20 +879,26 @@ check_variant3()
dmesg_grep="$dmesg_grep|x86/pti: Unmapping kernel while in userspace" dmesg_grep="$dmesg_grep|x86/pti: Unmapping kernel while in userspace"
if grep ^flags /proc/cpuinfo | grep -qw pti; then if grep ^flags /proc/cpuinfo | grep -qw pti; then
# vanilla PTI patch sets the 'pti' flag in cpuinfo # vanilla PTI patch sets the 'pti' flag in cpuinfo
_debug "kpti_enabled: found 'pti' flag in /proc/cpuinfo"
kpti_enabled=1 kpti_enabled=1
elif grep ^flags /proc/cpuinfo | grep -qw kaiser; then elif grep ^flags /proc/cpuinfo | grep -qw kaiser; then
# kernel line 4.9 sets the 'kaiser' flag in cpuinfo # kernel line 4.9 sets the 'kaiser' flag in cpuinfo
_debug "kpti_enabled: found 'kaiser' flag in /proc/cpuinfo"
kpti_enabled=1 kpti_enabled=1
elif [ -e /sys/kernel/debug/x86/pti_enabled ]; then elif [ -e /sys/kernel/debug/x86/pti_enabled ]; then
# RedHat Backport creates a dedicated file, see https://access.redhat.com/articles/3311301 # RedHat Backport creates a dedicated file, see https://access.redhat.com/articles/3311301
kpti_enabled=$(cat /sys/kernel/debug/x86/pti_enabled 2>/dev/null) kpti_enabled=$(cat /sys/kernel/debug/x86/pti_enabled 2>/dev/null)
_debug "kpti_enabled: file /sys/kernel/debug/x86/pti_enabled exists and says: $kpti_enabled"
elif dmesg | grep -Eq "$dmesg_grep"; then elif dmesg | grep -Eq "$dmesg_grep"; then
# if we can't find the flag, grep dmesg output # if we can't find the flag, grep dmesg output
_debug "kpti_enabled: found hint in dmesg: "$(dmesg | grep -E "$dmesg_grep")
kpti_enabled=1 kpti_enabled=1
elif [ -r /var/log/dmesg ] && grep -Eq "$dmesg_grep" /var/log/dmesg; then elif [ -r /var/log/dmesg ] && grep -Eq "$dmesg_grep" /var/log/dmesg; then
# if we can't find the flag in dmesg output, grep in /var/log/dmesg when readable # if we can't find the flag in dmesg output, grep in /var/log/dmesg when readable
_debug "kpti_enabled: found hint in /var/log/dmesg: "$(grep -E "$dmesg_grep" /var/log/dmesg)
kpti_enabled=1 kpti_enabled=1
else else
_debug "kpti_enabled: couldn't find any hint that PTI is enabled"
kpti_enabled=0 kpti_enabled=0
fi fi
if [ "$kpti_enabled" = 1 ]; then if [ "$kpti_enabled" = 1 ]; then