bump to v0.32

On Fedora machines /lib/modules/$(uname -r) has all the files.

spectre-meltdown-checker.sh

@@ -8,15 +8,14 @@
 #
 # Stephane Lesimple
 #
-VERSION=0.28
+VERSION=0.32
 
-# Script configuration
 show_usage()
 {
 	cat <<EOF
 	Usage:
-		Live mode:    $0 [options] [--live]
-		Offline mode: $0 [options] [--kernel <vmlinux_file>] [--config <kernel_config>] [--map <kernel_map_file>]
+		Live mode:    `basename $0` [options] [--live]
+		Offline mode: `basename $0` [options] [--kernel <vmlinux_file>] [--config <kernel_config>] [--map <kernel_map_file>]
 
 	Modes:
 		Two modes are available.
@@ -25,7 +24,7 @@ show_usage()
 		To run under this mode, just start the script without any option (you can also use --live explicitly)
 
 		Second mode is the "offline" mode, where you can inspect a non-running kernel.
-		You'll need to specify the location of the vmlinux file, and if possible, the corresponding config and System.map files:
+		You'll need to specify the location of the vmlinux file, config and System.map files:
 
 		--kernel vmlinux_file		Specify a (possibly compressed) vmlinux file
 		--config kernel_config		Specify a kernel config file
@@ -35,12 +34,15 @@ show_usage()
 		--no-color			Don't use color codes
 		--verbose, -v			Increase verbosity level
 		--no-sysfs			Don't use the /sys interface even if present
+		--coreos			Special mode for CoreOS (use an ephemeral toolbox to inspect kernel)
 		--batch text			Produce machine readable output, this is the default if --batch is specified alone
 		--batch json			Produce JSON output formatted for Puppet, Ansible, Chef...
 		--batch nrpe			Produce machine readable output formatted for NRPE
 		--variant [1,2,3]		Specify which variant you'd like to check, by default all variants are checked
 						Can be specified multiple times (e.g. --variant 2 --variant 3)
 
+	Return codes:
+		0 (not vulnerable), 2 (vulnerable), 3 (unknown), 255 (error)
 
 	IMPORTANT:
 	A false sense of security is worse than no security at all.
@@ -89,22 +91,37 @@ opt_variant2=0
 opt_variant3=0
 opt_allvariants=1
 opt_no_sysfs=0
+opt_coreos=0
 
-nrpe_critical=0
-nrpe_unknown=0
+global_critical=0
+global_unknown=0
 nrpe_vuln=""
 
+echo_cmd=''
 __echo()
 {
 	opt="$1"
 	shift
 	_msg="$@"
+
+	if [ -z "$echo_cmd" ]; then
+		# find a sane `echo` command
+		# we'll try to avoid using shell builtins that might not take options
+		if which echo >/dev/null 2>&1; then
+			echo_cmd=`which echo`
+		else
+			[ -x /bin/echo        ] && echo_cmd=/bin/echo
+			[ -x /system/bin/echo ] && echo_cmd=/system/bin/echo
+		fi
+		# still empty ? fallback to builtin
+		[ -z "$echo_cmd" ] && echo_cmd=echo
+	fi
+
 	if [ "$opt_no_color" = 1 ] ; then
 		# strip ANSI color codes
-		_msg=$(/bin/echo -e  "$_msg" | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g")
+		_msg=$($echo_cmd -e  "$_msg" | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g")
 	fi
-	# explicitely call /bin/echo to avoid shell builtins that might not take options
-	/bin/echo $opt -e "$_msg"
+	$echo_cmd $opt -e "$_msg"
 }
 
 _echo()
@@ -143,59 +160,124 @@ _verbose()
 	_echo 2 "$@"
 }
 
+_verbose_nol()
+{
+	_echo_nol 2 "$@"
+}
+
 _debug()
 {
 	_echo 3 "\033[34m(debug) $@\033[0m"
 }
 
-is_cpu_vulnerable()
+is_cpu_vulnerable_cached=0
+_is_cpu_vulnerable_cached()
 {
-	# param: 1, 2 or 3 (variant)
-	# returns 1 if vulnerable, 0 if not vulnerable, 255 on error
-	# by default, everything is vulnerable, we work in a "whitelist" logic here.
-	# usage: is_cpu_vulnerable 2 && do something if vulnerable
-	variant1=0
-	variant2=0
-	variant3=0
-	if grep -q AMD /proc/cpuinfo; then
-		variant1=0
-		variant2=1
-		variant3=1
-	elif grep -qi 'CPU implementer\s*:\s*0x41' /proc/cpuinfo; then
-		# ARM
-		# reference: https://developer.arm.com/support/security-update
-		cpupart=$(awk '/CPU part/         {print $4;exit}' /proc/cpuinfo)
-		cpuarch=$(awk '/CPU architecture/ {print $3;exit}' /proc/cpuinfo)
-		if [ -n "$cpupart" -a -n "$cpuarch" ]; then
-			# Cortex-R7 and Cortex-R8 are real-time and only used in medical devices or such
-			# I can't find their CPU part number, but it's probably not that useful anyway
-			# model R7 R8 A9    A15   A17   A57   A72    A73    A75
-			# part   ?  ? 0xc09 0xc0f 0xc0e 0xd07 0xd08  0xd09  0xd0a
-			# arch  7? 7? 7     7     7     8     8      8      8
-			if [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -Eq '^0x(c09|c0f|c0e)$'; then
-				# armv7 vulnerable chips
-				variant1=0
-				variant2=0
-			elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -Eq '^0x(d07|d08|d09|d0a)$'; then
-				# armv8 vulnerable chips
-				variant1=0
-				variant2=0
-			else
-				variant1=1
-				variant2=1
-			fi
-			# for variant3, only A75 is vulnerable
-			if [ "$cpuarch" = 8 -a "$cpupart" = 0xd0a ]; then
-				variant3=0
-			else
-				variant3=1
-			fi
-		fi
-	fi
 	[ "$1" = 1 ] && return $variant1
 	[ "$1" = 2 ] && return $variant2
 	[ "$1" = 3 ] && return $variant3
-	return 255
+	echo "$0: error: invalid variant '$1' passed to is_cpu_vulnerable()" >&2
+	exit 255
+}
+
+is_cpu_vulnerable()
+{
+	# param: 1, 2 or 3 (variant)
+	# returns 0 if vulnerable, 1 if not vulnerable
+	# (note that in shell, a return of 0 is success)
+	# by default, everything is vulnerable, we work in a "whitelist" logic here.
+	# usage: is_cpu_vulnerable 2 && do something if vulnerable
+	if [ "$is_cpu_vulnerable_cached" = 1 ]; then
+		_is_cpu_vulnerable_cached "$1"
+		return $?
+	fi
+
+	variant1=''
+	variant2=''
+	variant3=''
+	# we also set a friendly name for the CPU to be used in the script if needed
+	cpu_friendly_name=$(grep '^model name' /proc/cpuinfo | cut -d: -f2- | head -1)
+
+	if grep -q GenuineIntel /proc/cpuinfo; then
+		# Intel
+		# Old Atoms are not vulnerable to spectre 2 nor meltdown
+		# https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
+		# model name : Genuine Intel(R) CPU N270 @ 1.60GHz
+		# model name : Intel(R) Atom(TM) CPU N270 @ 1.60GHz
+		# model name : Intel(R) Atom(TM) CPU 330 @ 1.60GHz
+		if grep -qE '^model name.+ Intel\(R\) (Atom\(TM\) CPU +(S|D|N|230|330)|CPU N[0-9]{3} )' /proc/cpuinfo; then
+			variant1=vuln
+			[ -z "$variant2" ] && variant2=immune
+			[ -z "$variant3" ] && variant3=immune
+		fi
+	elif grep -q AuthenticAMD /proc/cpuinfo; then
+		# AMD revised their statement about variant2 => vulnerable
+		# https://www.amd.com/en/corporate/speculative-execution
+		variant1=vuln
+		variant2=vuln
+		[ -z "$variant3" ] && variant3=immune
+	elif grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x41' /proc/cpuinfo; then
+		# ARM
+		# reference: https://developer.arm.com/support/security-update
+		# some devices (phones or other) have several ARMs and as such different part numbers,
+		# an example is "bigLITTLE". we shouldn't rely on the first CPU only, so we check the whole list
+		cpupart_list=$(awk '/CPU part/         {print $4}' /proc/cpuinfo)
+		cpuarch_list=$(awk '/CPU architecture/ {print $3}' /proc/cpuinfo)
+		i=0
+		for cpupart in $cpupart_list
+		do
+			i=$(( i + 1 ))
+			cpuarch=$(echo $cpuarch_list | awk '{ print $'$i' }')
+			_debug "checking cpu$i: <$cpupart> <$cpuarch>"
+			# some kernels report AArch64 instead of 8
+			[ "$cpuarch" = "AArch64" ] && cpuarch=8
+			if [ -n "$cpupart" -a -n "$cpuarch" ]; then
+				cpu_friendly_name="ARM v$cpuarch model $cpupart"
+				# Cortex-R7 and Cortex-R8 are real-time and only used in medical devices or such
+				# I can't find their CPU part number, but it's probably not that useful anyway
+				# model R7 R8 A9    A15   A17   A57   A72    A73    A75
+				# part   ?  ? 0xc09 0xc0f 0xc0e 0xd07 0xd08  0xd09  0xd0a
+				# arch  7? 7? 7     7     7     8     8      8      8
+				#
+				# variant 1 & variant 2
+				if [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -Eq '^0x(c09|c0f|c0e)$'; then
+					# armv7 vulnerable chips
+					_debug "checking cpu$i: this armv7 vulnerable to spectre 1 & 2"
+					variant1=vuln
+					variant2=vuln
+				elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -Eq '^0x(d07|d08|d09|d0a)$'; then
+					# armv8 vulnerable chips
+					_debug "checking cpu$i: this armv8 vulnerable to spectre 1 & 2"
+					variant1=vuln
+					variant2=vuln
+				else
+					_debug "checking cpu$i: this arm non vulnerable to 1 & 2"
+					# others are not vulnerable
+					[ -z "$variant1" ] && variant1=immune
+					[ -z "$variant2" ] && variant2=immune
+				fi
+
+				# for variant3, only A75 is vulnerable
+				if [ "$cpuarch" = 8 -a "$cpupart" = 0xd0a ]; then
+					_debug "checking cpu$i: arm A75 vulnerable to meltdown"
+					variant3=vuln
+				else
+					_debug "checking cpu$i: this arm non vulnerable to meltdown"
+					[ -z "$variant3" ] && variant3=immune
+				fi
+			fi
+			_debug "is_cpu_vulnerable: for cpu$i and so far, we have <$variant1> <$variant2> <$variant3>"
+		done
+	fi
+	_debug "is_cpu_vulnerable: temp results are <$variant1> <$variant2> <$variant3>"
+	# if at least one of the cpu is vulnerable, then the system is vulnerable
+	[ "$variant1" = "immune" ] && variant1=1 || variant1=0
+	[ "$variant2" = "immune" ] && variant2=1 || variant2=0
+	[ "$variant3" = "immune" ] && variant3=1 || variant3=0
+	_debug "is_cpu_vulnerable: final results are <$variant1> <$variant2> <$variant3>"
+	is_cpu_vulnerable_cached=1
+	_is_cpu_vulnerable_cached "$1"
+	return $?
 }
 
 show_header()
@@ -234,17 +316,17 @@ parse_opt_file()
 while [ -n "$1" ]; do
 	if [ "$1" = "--kernel" ]; then
 		opt_kernel=$(parse_opt_file kernel "$2")
-		[ $? -ne 0 ] && exit $?
+		[ $? -ne 0 ] && exit 255
 		shift 2
 		opt_live=0
 	elif [ "$1" = "--config" ]; then
 		opt_config=$(parse_opt_file config "$2")
-		[ $? -ne 0 ] && exit $?
+		[ $? -ne 0 ] && exit 255
 		shift 2
 		opt_live=0
 	elif [ "$1" = "--map" ]; then
 		opt_map=$(parse_opt_file map "$2")
-		[ $? -ne 0 ] && exit $?
+		[ $? -ne 0 ] && exit 255
 		shift 2
 		opt_live=0
 	elif [ "$1" = "--live" ]; then
@@ -256,6 +338,13 @@ while [ -n "$1" ]; do
 	elif [ "$1" = "--no-sysfs" ]; then
 		opt_no_sysfs=1
 		shift
+	elif [ "$1" = "--coreos" ]; then
+		opt_coreos=1
+		shift
+	elif [ "$1" = "--coreos-within-toolbox" ]; then
+		# don't use directly: used internally by --coreos
+		opt_coreos=0
+		shift
 	elif [ "$1" = "--batch" ]; then
 		opt_batch=1
 		opt_verbose=0
@@ -265,9 +354,9 @@ while [ -n "$1" ]; do
 			--*) ;;    # allow subsequent flags
 			'') ;;     # allow nothing at all
 			*)
-				echo "$0: error: unknown batch format '$1'"
-				echo "$0: error: --batch expects a format from: text, nrpe, json"
-				exit 1 >&2
+				echo "$0: error: unknown batch format '$1'" >&2
+				echo "$0: error: --batch expects a format from: text, nrpe, json" >&2
+				exit 255
 				;;
 		esac
 	elif [ "$1" = "-v" -o "$1" = "--verbose" ]; then
@@ -276,7 +365,7 @@ while [ -n "$1" ]; do
 	elif [ "$1" = "--variant" ]; then
 		if [ -z "$2" ]; then
 			echo "$0: error: option --variant expects a parameter (1, 2 or 3)" >&2
-			exit 1
+			exit 255
 		fi
 		case "$2" in
 			1) opt_variant1=1; opt_allvariants=0;;
@@ -284,7 +373,8 @@ while [ -n "$1" ]; do
 			3) opt_variant3=1; opt_allvariants=0;;
 			*)
 				echo "$0: error: invalid parameter '$2' for --variant, expected either 1, 2 or 3" >&2;
-				exit 1;;
+				exit 255
+				;;
 		esac
 		shift 2
 	elif [ "$1" = "-h" -o "$1" = "--help" ]; then
@@ -294,7 +384,7 @@ while [ -n "$1" ]; do
 	elif [ "$1" = "--version" ]; then
 		opt_no_color=1
 		show_header
-		exit 1
+		exit 0
 	elif [ "$1" = "--disclaimer" ]; then
 		show_header
 		show_disclaimer
@@ -303,7 +393,7 @@ while [ -n "$1" ]; do
 		show_header
 		show_usage
 		echo "$0: error: unknown option '$1'"
-		exit 1
+		exit 255
 	fi
 done
 
@@ -333,37 +423,40 @@ pstatus()
 pvulnstatus()
 {
 	if [ "$opt_batch" = 1 ]; then
-                case "$opt_batch_format" in
-                        text) _echo 0 "$1: $2 ($3)";;
-                        nrpe)
-                              case "$2" in
-                                       UKN) nrpe_unknown="1";;
-                                       VULN) nrpe_critical="1"; nrpe_vuln="$nrpe_vuln $1";;
-                              esac
-                              ;;
-                        json)
-                              case "$1" in
-                                       CVE-2017-5753) aka="SPECTRE VARIANT 1";;
-                                       CVE-2017-5715) aka="SPECTRE VARIANT 2";;
-                                       CVE-2017-5754) aka="MELTDOWN";;
-                              esac
-                              case "$2" in
-                                       UKN)  is_vuln="unknown";;
-                                       VULN) is_vuln="true";;
-                                       OK)   is_vuln="false";;
-                              esac
-                              json_output="${json_output:-[}{\"NAME\":\""$aka"\",\"CVE\":\""$1"\",\"VULNERABLE\":$is_vuln,\"INFOS\":\""$3"\"},"
-                              ;;
+		case "$opt_batch_format" in
+			text) _echo 0 "$1: $2 ($3)";;
+			json)
+				case "$1" in
+					CVE-2017-5753) aka="SPECTRE VARIANT 1";;
+					CVE-2017-5715) aka="SPECTRE VARIANT 2";;
+					CVE-2017-5754) aka="MELTDOWN";;
+				esac
+				case "$2" in
+					UNK)  is_vuln="null";;
+					VULN) is_vuln="true";;
+					OK)   is_vuln="false";;
+				esac
+				json_output="${json_output:-[}{\"NAME\":\""$aka"\",\"CVE\":\""$1"\",\"VULNERABLE\":$is_vuln,\"INFOS\":\""$3"\"},"
+				;;
+
+			nrpe)	[ "$2" = VULN ] && nrpe_vuln="$nrpe_vuln $1";;
 		esac
 	fi
 
-	_info_nol "> \033[46m\033[30mSTATUS:\033[0m "
+	# always fill global_* vars because we use that do decide the program exit code
+	case "$2" in
+		UNK)  global_unknown="1";;
+		VULN) global_critical="1";;
+	esac
+
+	# display info if we're not in quiet/batch mode
 	vulnstatus="$2"
 	shift 2
+	_info_nol "> \033[46m\033[30mSTATUS:\033[0m "
 	case "$vulnstatus" in
-		UNK) pstatus yellow UNKNOWN "$@";;
-		VULN) pstatus red 'VULNERABLE' "$@";;
-		OK) pstatus green 'NOT VULNERABLE' "$@";;
+		UNK)  pstatus yellow 'UNKNOWN'        "$@";;
+		VULN) pstatus red    'VULNERABLE'     "$@";;
+		OK)   pstatus green  'NOT VULNERABLE' "$@";;
 	esac
 }
 
@@ -388,8 +481,8 @@ vmlinux=''
 vmlinux_err=''
 check_vmlinux()
 {
-	readelf -h "$1" > /dev/null 2>&1 || return 1
-	return 0
+	readelf -h "$1" >/dev/null 2>&1 && return 0
+	return 1
 }
 
 try_decompress()
@@ -444,105 +537,6 @@ extract_vmlinux()
 
 # end of extract-vmlinux functions
 
-# check for mode selection inconsistency
-if [ "$opt_live_explicit" = 1 ]; then
-	if [ -n "$opt_kernel" -o -n "$opt_config" -o -n "$opt_map" ]; then
-		show_usage
-		echo "$0: error: incompatible modes specified, use either --live or --kernel/--config/--map"
-		exit 1
-	fi
-fi
-
-# root check (only for live mode, for offline mode, we already checked if we could read the files)
-
-if [ "$opt_live" = 1 ]; then
-	if [ "$(id -u)" -ne 0 ]; then
-		_warn "Note that you should launch this script with root privileges to get accurate information."
-		_warn "We'll proceed but you might see permission denied errors."
-		_warn "To run it as root, you can try the following command: sudo $0"
-		_warn
-	fi
-	_info "Checking for vulnerabilities against running kernel \033[35m"$(uname -s) $(uname -r) $(uname -v) $(uname -m)"\033[0m"
-	_info "CPU is\033[35m"$(grep '^model name' /proc/cpuinfo | cut -d: -f2 | head -1)"\033[0m"
-
-	# try to find the image of the current running kernel
-	# first, look for the BOOT_IMAGE hint in the kernel cmdline
-	if [ -r /proc/cmdline ] && grep -q 'BOOT_IMAGE=' /proc/cmdline; then
-		opt_kernel=$(grep -Eo 'BOOT_IMAGE=[^ ]+' /proc/cmdline | cut -d= -f2)
-		_debug "found opt_kernel=$opt_kernel in /proc/cmdline"
-		# if we have a dedicated /boot partition, our bootloader might have just called it /
-		# so try to prepend /boot and see if we find anything
-		[ -e "/boot/$opt_kernel" ] && opt_kernel="/boot/$opt_kernel"
-		_debug "opt_kernel is now $opt_kernel"
-		# else, the full path is already there (most probably /boot/something)
-	fi
-	# if we didn't find a kernel, default to guessing
-	if [ ! -e "$opt_kernel" ]; then
-		[ -e /boot/vmlinuz-linux       ] && opt_kernel=/boot/vmlinuz-linux
-		[ -e /boot/vmlinuz-linux-libre ] && opt_kernel=/boot/vmlinuz-linux-libre
-		[ -e /boot/vmlinuz-$(uname -r) ] && opt_kernel=/boot/vmlinuz-$(uname -r)
-		[ -e /boot/kernel-$( uname -r) ] && opt_kernel=/boot/kernel-$( uname -r)
-		[ -e /boot/bzImage-$(uname -r) ] && opt_kernel=/boot/bzImage-$(uname -r)
-		[ -e /boot/kernel-genkernel-$(uname -m)-$(uname -r) ] && opt_kernel=/boot/kernel-genkernel-$(uname -m)-$(uname -r)
-	fi
-
-	# system.map
-	if [ -e /proc/kallsyms ] ; then
-		opt_map="/proc/kallsyms"
-	elif [ -e /boot/System.map-$(uname -r) ] ; then
-		opt_map=/boot/System.map-$(uname -r)
-	fi
-
-	# config
-	if [ -e /proc/config.gz ] ; then
-		dumped_config="$(mktemp /tmp/config-XXXXXX)"
-		gunzip -c /proc/config.gz > $dumped_config
-		# dumped_config will be deleted at the end of the script
-		opt_config=$dumped_config
-	elif [ -e /boot/config-$(uname -r) ]; then
-		opt_config=/boot/config-$(uname -r)
-	fi
-else
-	_info "Checking for vulnerabilities against specified kernel"
-fi
-if [ -n "$opt_kernel" ]; then
-	_verbose "Will use vmlinux image \033[35m$opt_kernel\033[0m"
-else
-	_verbose "Will use no vmlinux image (accuracy might be reduced)"
-fi
-if [ -n "$dumped_config" ]; then
-	_verbose "Will use kconfig \033[35m/proc/config.gz\033[0m"
-elif [ -n "$opt_config" ]; then
-	_verbose "Will use kconfig \033[35m$opt_config\033[0m"
-else
-	_verbose "Will use no kconfig (accuracy might be reduced)"
-fi
-if [ -n "$opt_map" ]; then
-	_verbose "Will use System.map file \033[35m$opt_map\033[0m"
-else
-	_verbose "Will use no System.map file (accuracy might be reduced)"
-fi
-
-if [ -e "$opt_kernel" ]; then
-	if ! which readelf >/dev/null 2>&1; then
-		vmlinux_err="missing 'readelf' tool, please install it, usually it's in the 'binutils' package"
-	else
-		extract_vmlinux "$opt_kernel"
-	fi
-else
-	vmlinux_err="couldn't find your kernel image in /boot, if you used netboot, this is normal"
-fi
-if [ -z "$vmlinux" -o ! -r "$vmlinux" ]; then
-	[ -z "$vmlinux_err" ] && vmlinux_err="couldn't extract your kernel from $opt_kernel"
-fi
-
-_info
-
-# end of header stuff
-
-# now we define some util functions and the check_*() funcs, as
-# the user can choose to execute only some of those
-
 mount_debugfs()
 {
 	if [ ! -e /sys/kernel/debug/sched_features ]; then
@@ -559,6 +553,192 @@ umount_debugfs()
 	fi
 }
 
+load_msr()
+{
+	modprobe msr 2>/dev/null && insmod_msr=1
+	_debug "attempted to load module msr, insmod_msr=$insmod_msr"
+}
+
+unload_msr()
+{
+	if [ "$insmod_msr" = 1 ]; then
+		# if we used modprobe ourselves, rmmod the module
+		rmmod msr 2>/dev/null
+		_debug "attempted to unload module msr, ret=$?"
+	fi
+}
+
+load_cpuid()
+{
+	modprobe cpuid 2>/dev/null && insmod_cpuid=1
+	_debug "attempted to load module cpuid, insmod_cpuid=$insmod_cpuid"
+}
+
+unload_cpuid()
+{
+	if [ "$insmod_cpuid" = 1 ]; then
+		# if we used modprobe ourselves, rmmod the module
+		rmmod cpuid 2>/dev/null
+		_debug "attempted to unload module cpuid, ret=$?"
+	fi
+}
+
+is_coreos()
+{
+	which coreos-install >/dev/null 2>&1 && which toolbox >/dev/null 2>&1 && return 0
+	return 1
+}
+
+# check for mode selection inconsistency
+if [ "$opt_live_explicit" = 1 ]; then
+	if [ -n "$opt_kernel" -o -n "$opt_config" -o -n "$opt_map" ]; then
+		show_usage
+		echo "$0: error: incompatible modes specified, use either --live or --kernel/--config/--map" >&2
+		exit 255
+	fi
+fi
+
+# coreos mode
+if [ "$opt_coreos" = 1 ]; then
+	if ! is_coreos; then
+		_warn "CoreOS mode asked, but we're not under CoreOS!"
+		exit 255
+	fi
+	_warn "CoreOS mode, starting an ephemeral toolbox to launch the script"
+	load_msr
+	load_cpuid
+	mount_debugfs
+	toolbox --ephemeral --bind-ro /dev/cpu:/dev/cpu -- sh -c "dnf install -y binutils which && /media/root$PWD/$0 $@ --coreos-within-toolbox"
+	exitcode=$?
+	mount_debugfs
+	unload_cpuid
+	unload_msr
+	exit $exitcode
+else
+	if is_coreos; then
+		_warn "You seem to be running CoreOS, you might want to use the --coreos option for better results"
+		_warn
+	fi
+fi
+
+# root check (only for live mode, for offline mode, we already checked if we could read the files)
+
+if [ "$opt_live" = 1 ]; then
+	if [ "$(id -u)" -ne 0 ]; then
+		_warn "Note that you should launch this script with root privileges to get accurate information."
+		_warn "We'll proceed but you might see permission denied errors."
+		_warn "To run it as root, you can try the following command: sudo $0"
+		_warn
+	fi
+	_info "Checking for vulnerabilities against running kernel \033[35m"$(uname -s) $(uname -r) $(uname -v) $(uname -m)"\033[0m"
+	# call is_cpu_vulnerable to fill the cpu_friendly_name var
+	is_cpu_vulnerable 1
+	_info "CPU is \033[35m$cpu_friendly_name\033[0m"
+
+	# try to find the image of the current running kernel
+	# first, look for the BOOT_IMAGE hint in the kernel cmdline
+	if [ -r /proc/cmdline ] && grep -q 'BOOT_IMAGE=' /proc/cmdline; then
+		opt_kernel=$(grep -Eo 'BOOT_IMAGE=[^ ]+' /proc/cmdline | cut -d= -f2)
+		_debug "found opt_kernel=$opt_kernel in /proc/cmdline"
+		# if we have a dedicated /boot partition, our bootloader might have just called it /
+		# so try to prepend /boot and see if we find anything
+		[ -e "/boot/$opt_kernel" ] && opt_kernel="/boot/$opt_kernel"
+		# special case for CoreOS if we're inside the toolbox
+		[ -e "/media/root/boot/$opt_kernel" ] && opt_kernel="/media/root/boot/$opt_kernel"
+		_debug "opt_kernel is now $opt_kernel"
+		# else, the full path is already there (most probably /boot/something)
+	fi
+	# if we didn't find a kernel, default to guessing
+	if [ ! -e "$opt_kernel" ]; then
+		# Fedora:
+		[ -e /lib/modules/$(uname -r)/vmlinuz ] && opt_kernel=/lib/modules/$(uname -r)/vmlinuz
+		# Slackare:
+		[ -e /boot/vmlinuz             ] && opt_kernel=/boot/vmlinuz
+		# Arch:
+		[ -e /boot/vmlinuz-linux       ] && opt_kernel=/boot/vmlinuz-linux
+		# Linux-Libre:
+		[ -e /boot/vmlinuz-linux-libre ] && opt_kernel=/boot/vmlinuz-linux-libre
+		# generic:
+		[ -e /boot/vmlinuz-$(uname -r) ] && opt_kernel=/boot/vmlinuz-$(uname -r)
+		[ -e /boot/kernel-$( uname -r) ] && opt_kernel=/boot/kernel-$( uname -r)
+		[ -e /boot/bzImage-$(uname -r) ] && opt_kernel=/boot/bzImage-$(uname -r)
+		# Gentoo:
+		[ -e /boot/kernel-genkernel-$(uname -m)-$(uname -r) ] && opt_kernel=/boot/kernel-genkernel-$(uname -m)-$(uname -r)
+		# NixOS:
+		[ -e /run/booted-system/kernel ] && opt_kernel=/run/booted-system/kernel
+	fi
+
+	# system.map
+	if [ -e /proc/kallsyms ] ; then
+		opt_map="/proc/kallsyms"
+	elif [ -e /lib/modules/$(uname -r)/System.map ] ; then
+		opt_map=/lib/modules/$(uname -r)/System.map
+	elif [ -e /boot/System.map-$(uname -r) ] ; then
+		opt_map=/boot/System.map-$(uname -r)
+	fi
+
+	# config
+	if [ -e /proc/config.gz ] ; then
+		dumped_config="$(mktemp /tmp/config-XXXXXX)"
+		gunzip -c /proc/config.gz > $dumped_config
+		# dumped_config will be deleted at the end of the script
+		opt_config=$dumped_config
+	elif [ -e /lib/modules/$(uname -r)/config ]; then
+		opt_config=/lib/modules/$(uname -r)/config
+	elif [ -e /boot/config-$(uname -r) ]; then
+		opt_config=/boot/config-$(uname -r)
+	fi
+else
+	_info "Checking for vulnerabilities against specified kernel"
+fi
+
+if [ -n "$opt_kernel" ]; then
+	_verbose "Will use vmlinux image \033[35m$opt_kernel\033[0m"
+else
+	_verbose "Will use no vmlinux image (accuracy might be reduced)"
+	bad_accuracy=1
+fi
+if [ -n "$dumped_config" ]; then
+	_verbose "Will use kconfig \033[35m/proc/config.gz\033[0m"
+elif [ -n "$opt_config" ]; then
+	_verbose "Will use kconfig \033[35m$opt_config\033[0m"
+else
+	_verbose "Will use no kconfig (accuracy might be reduced)"
+	bad_accuracy=1
+fi
+if [ -n "$opt_map" ]; then
+	_verbose "Will use System.map file \033[35m$opt_map\033[0m"
+else
+	_verbose "Will use no System.map file (accuracy might be reduced)"
+	bad_accuracy=1
+fi
+
+if [ "$bad_accuracy" = 1 ]; then
+	_info "We're missing some kernel info (see -v), accuracy might be reduced"
+fi
+
+if [ -e "$opt_kernel" ]; then
+	if ! which readelf >/dev/null 2>&1; then
+		_debug "readelf not found"
+		vmlinux_err="missing 'readelf' tool, please install it, usually it's in the 'binutils' package"
+	else
+		extract_vmlinux "$opt_kernel"
+	fi
+else
+	_debug "no opt_kernel defined"
+	vmlinux_err="couldn't find your kernel image in /boot, if you used netboot, this is normal"
+fi
+if [ -z "$vmlinux" -o ! -r "$vmlinux" ]; then
+	[ -z "$vmlinux_err" ] && vmlinux_err="couldn't extract your kernel from $opt_kernel"
+fi
+
+_info
+
+# end of header stuff
+
+# now we define some util functions and the check_*() funcs, as
+# the user can choose to execute only some of those
+
 sys_interface_check()
 {
 	[ "$opt_live" = 1 -a "$opt_no_sysfs" = 0 -a -r "$1" ] || return 1
@@ -609,7 +789,7 @@ check_variant1()
 				status=UNK
 				pstatus yellow UNKNOWN
 			else
-				# here we disassemble the kernel and count the number of occurences of the LFENCE opcode
+				# here we disassemble the kernel and count the number of occurrences of the LFENCE opcode
 				# in non-patched kernels, this has been empirically determined as being around 40-50
 				# in patched kernels, this is more around 70-80, sometimes way higher (100+)
 				# v0.13: 68 found in a 3.10.23-xxxx-std-ipv6-64 (with lots of modules compiled-in directly), which doesn't have the LFENCE patches,
@@ -653,11 +833,11 @@ check_variant2()
 		sys_interface_available=1
 	else
 		_info "* Mitigation 1"
-		_info_nol "*   Hardware (CPU microcode) support for mitigation: "
+		_info "*   Hardware (CPU microcode) support for mitigation"
+		_info_nol "*     The SPEC_CTRL MSR is available: "
 		if [ ! -e /dev/cpu/0/msr ]; then
 			# try to load the module ourselves (and remember it so we can rmmod it afterwards)
-			modprobe msr 2>/dev/null && insmod_msr=1
-			_debug "attempted to load module msr, ret=$insmod_msr"
+			load_msr
 		fi
 		if [ ! -e /dev/cpu/0/msr ]; then
 			pstatus yellow UNKNOWN "couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?"
@@ -673,10 +853,49 @@ check_variant2()
 			fi
 		fi
 
-		if [ "$insmod_msr" = 1 ]; then
-			# if we used modprobe ourselves, rmmod the module
-			rmmod msr 2>/dev/null
-			_debug "attempted to unload module msr, ret=$?"
+		unload_msr
+
+		# CPUID test
+		_info_nol "*     The SPEC_CTRL CPUID feature bit is set: "
+		if [ ! -e /dev/cpu/0/cpuid ]; then
+			# try to load the module ourselves (and remember it so we can rmmod it afterwards)
+			load_cpuid
+		fi
+		if [ ! -e /dev/cpu/0/cpuid ]; then
+			pstatus yellow UNKNOWN "couldn't read /dev/cpu/0/cpuidr, is cpuid support enabled in your kernel?"
+		else
+			# from kernel src: { X86_FEATURE_SPEC_CTRL,        CPUID_EDX,26, 0x00000007, 0 },
+			if [ "$opt_verbose" -ge 3 ]; then
+				dd if=/dev/cpu/0/cpuid bs=16 skip=7 iflag=skip_bytes count=1 >/dev/null 2>/dev/null
+				_debug "cpuid: reading leaf7 of cpuid on cpu0, ret=$?"
+				_debug "cpuid: leaf7 eax-ebx-ecd-edx: "$(dd if=/dev/cpu/0/cpuid bs=16 skip=7 iflag=skip_bytes count=1 2>/dev/null | od -x -A n)
+				_debug "cpuid: leaf7 edx higher-half is: "$(dd if=/dev/cpu/0/cpuid bs=16 skip=7 iflag=skip_bytes count=1 2>/dev/null | dd bs=1 skip=15 count=1 2>/dev/null | od -x -A n)
+			fi
+			# getting high byte of edx on leaf7 of cpuinfo in decimal
+			edx_hb=$(dd if=/dev/cpu/0/cpuid bs=16 skip=7 iflag=skip_bytes count=1 2>/dev/null | dd bs=1 skip=15 count=1 2>/dev/null | od -t u -A n | awk '{print $1}')
+			_debug "cpuid: leaf7 edx higher byte: $edx_hb (decimal)"
+			edx_bit26=$(( edx_hb & 8 ))
+			_debug "cpuid: edx_bit26=$edx_bit26"
+			if [ "$edx_bit26" -eq 8 ]; then
+				pstatus green YES
+			else
+				pstatus red NO
+			fi
+		fi
+		unload_cpuid
+
+		# hardware support according to kernel
+		if [ "$opt_verbose" -ge 2 ]; then
+			_verbose_nol "*     The kernel has set the spec_ctrl flag in cpuinfo: "
+			if [ "$opt_live" = 1 ]; then
+				if grep ^flags /proc/cpuinfo | grep -qw spec_ctrl; then
+					pstatus green YES
+				else
+					pstatus red NO
+				fi
+			else
+				pstatus blue N/A "not testable in offline mode"
+			fi
 		fi
 
 		_info_nol "*   Kernel support for IBRS: "
@@ -700,6 +919,18 @@ check_variant2()
 					_debug "ibrs: file $ibrs_file doesn't exist"
 				fi
 			done
+			# on some newer kernels, the spec_ctrl_ibrs flag in /proc/cpuinfo
+			# is set when ibrs has been administratively enabled (usually from cmdline)
+			# which in that case means ibrs is supported *and* enabled for kernel & user
+			# as per the ibrs patch series v3
+			if [ "$ibrs_supported" = 0 ]; then
+				if grep ^flags /proc/cpuinfo | grep -qw spec_ctrl_ibrs; then
+					_debug "ibrs: found spec_ctrl_ibrs flag in /proc/cpuinfo"
+					ibrs_supported=1
+					# enabled=2 -> kernel & user
+					ibrs_enabled=2
+				fi
+			fi
 		fi
 		if [ "$ibrs_supported" != 1 -a -n "$opt_map" ]; then
 			if grep -q spec_ctrl "$opt_map"; then
@@ -897,6 +1128,10 @@ check_variant3()
 				# if we can't find the flag in dmesg output, grep in /var/log/dmesg when readable
 				_debug "kpti_enabled: found hint in /var/log/dmesg: "$(grep -E "$dmesg_grep" /var/log/dmesg)
 				kpti_enabled=1
+			elif [ -r /var/log/kern.log ] && grep -Eq "$dmesg_grep" /var/log/kern.log; then
+				# if we can't find the flag in dmesg output, grep in /var/log/kern.log when readable
+				_debug "kpti_enabled: found hint in /var/log/kern.log: "$(grep -E "$dmesg_grep" /var/log/kern.log)
+				kpti_enabled=1
 			else
 				_debug "kpti_enabled: couldn't find any hint that PTI is enabled"
 				kpti_enabled=0
@@ -909,6 +1144,50 @@ check_variant3()
 		else
 			pstatus blue N/A "can't verify if PTI is enabled in offline mode"
 		fi
+
+		# no security impact but give a hint to the user in verbose mode
+		# about PCID/INVPCID cpuid features that must be present to avoid
+		# too big a performance impact with PTI
+		# refs:
+		# https://marc.info/?t=151532047900001&r=1&w=2
+		# https://groups.google.com/forum/m/#!topic/mechanical-sympathy/L9mHTbeQLNU
+		if [ "$opt_verbose" -ge 2 ]; then
+			_info "* Performance impact if PTI is enabled"
+			_info_nol "*   CPU supports PCID: "
+			if grep ^flags /proc/cpuinfo | grep -qw pcid; then
+				pstatus green YES 'performance degradation with PTI will be limited'
+			else
+				pstatus blue NO 'no security impact but performance will be degraded with PTI'
+			fi
+			_info_nol "*   CPU supports INVPCID: "
+			if grep ^flags /proc/cpuinfo | grep -qw invpcid; then
+				pstatus green YES 'performance degradation with PTI will be limited'
+			else
+				pstatus blue NO 'no security impact but performance will be degraded with PTI'
+			fi
+		fi
+
+		if [ "$opt_live" = 1 ]; then
+			# checking whether we're running under Xen PV 64 bits. If yes, we're not affected by variant3
+			_info_nol "* Checking if we're running under Xen PV (64 bits): "
+			if [ "$(uname -m)" = "x86_64" ]; then
+				# XXX do we have a better way that relying on dmesg?
+				if dmesg | grep -q 'Booting paravirtualized kernel on Xen$' ; then
+					pstatus green YES 'Xen PV is not vulnerable'
+					xen_pv=1
+				elif [ -r /var/log/dmesg ] && grep -q 'Booting paravirtualized kernel on Xen$' /var/log/dmesg; then
+					pstatus green YES 'Xen PV is not vulnerable'
+					xen_pv=1
+				elif [ -r /var/log/kern.log ] && grep -q 'Booting paravirtualized kernel on Xen$' /var/log/kern.log; then
+					pstatus green YES 'Xen PV is not vulnerable'
+					xen_pv=1
+				else
+					pstatus blue NO
+				fi
+			else
+				pstatus blue NO
+			fi
+		fi
 	fi
 
 	# if we have the /sys interface, don't even check is_cpu_vulnerable ourselves, the kernel already does it
@@ -921,6 +1200,8 @@ check_variant3()
 		if [ "$opt_live" = 1 ]; then
 			if [ "$kpti_enabled" = 1 ]; then
 				pvulnstatus $cve OK "PTI mitigates the vulnerability"
+			elif [ "$xen_pv" = 1 ]; then
+				pvulnstatus $cve OK "Xen PV 64 bits is not vulnerable"
 			else
 				pvulnstatus $cve VULN "PTI is needed to mitigate the vulnerability"
 			fi
@@ -964,11 +1245,13 @@ if [ "$opt_batch" = 1 -a "$opt_batch_format" = "nrpe" ]; then
 	else
 		echo "OK"
 	fi
-	[ "$nrpe_critical" = 1 ] && exit 2  # critical
-	[ "$nrpe_unknown" = 1 ] && exit 3  # unknown
-	exit 0  # ok
 fi
 
 if [ "$opt_batch" = 1 -a "$opt_batch_format" = "json" ]; then
-	_echo 0 ${json_output%?}]
+	_echo 0 ${json_output%?}']'
 fi
+
+# exit with the proper exit code
+[ "$global_critical" = 1 ] && exit 2  # critical
+[ "$global_unknown"  = 1 ] && exit 3  # unknown
+exit 0  # ok