bump to v0.31 to reflect changes

v0.30, cpuid spec ctrl and other enhancements

spectre-meltdown-checker.sh

@@ -8,15 +8,14 @@
 #
 # Stephane Lesimple
 #
-VERSION=0.28
+VERSION=0.31
 
-# Script configuration
 show_usage()
 {
 	cat <<EOF
 	Usage:
-		Live mode:    $0 [options] [--live]
+		Live mode:    `basename $0` [options] [--live]
-		Offline mode: $0 [options] [--kernel <vmlinux_file>] [--config <kernel_config>] [--map <kernel_map_file>]
+		Offline mode: `basename $0` [options] [--kernel <vmlinux_file>] [--config <kernel_config>] [--map <kernel_map_file>]
 
 	Modes:
 		Two modes are available.
@@ -90,8 +89,8 @@ opt_variant3=0
 opt_allvariants=1
 opt_no_sysfs=0
 
-nrpe_critical=0
+global_critical=0
-nrpe_unknown=0
+global_unknown=0
 nrpe_vuln=""
 
 __echo()
@@ -103,7 +102,7 @@ __echo()
 		# strip ANSI color codes
 		_msg=$(/bin/echo -e  "$_msg" | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g")
 	fi
-	# explicitely call /bin/echo to avoid shell builtins that might not take options
+	# explicitly call /bin/echo to avoid shell builtins that might not take options
 	/bin/echo $opt -e "$_msg"
 }
 
@@ -143,6 +142,11 @@ _verbose()
 	_echo 2 "$@"
 }
 
+_verbose_nol()
+{
+	_echo_nol 2 "$@"
+}
+
 _debug()
 {
 	_echo 3 "\033[34m(debug) $@\033[0m"
@@ -151,16 +155,26 @@ _debug()
 is_cpu_vulnerable()
 {
 	# param: 1, 2 or 3 (variant)
-	# returns 1 if vulnerable, 0 if not vulnerable, 255 on error
+	# returns 0 if vulnerable, 1 if not vulnerable
+	# (note that in shell, a return of 0 is success)
 	# by default, everything is vulnerable, we work in a "whitelist" logic here.
 	# usage: is_cpu_vulnerable 2 && do something if vulnerable
 	variant1=0
 	variant2=0
 	variant3=0
-	if grep -q AMD /proc/cpuinfo; then
+
-		variant1=0
+	if grep -q GenuineIntel /proc/cpuinfo; then
+		# Intel
+		# Old Atoms are not vulnerable to spectre 2 nor meltdown
+		# https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
+		if grep -qE '^model name.+ Atom\(TM\) CPU +(S|D|N|230|330)' /proc/cpuinfo; then
 			variant2=1
 			variant3=1
+		fi
+	elif grep -q AuthenticAMD /proc/cpuinfo; then
+		# AMD revised their statement about variant2 => vulnerable
+		# https://www.amd.com/en/corporate/speculative-execution
+		variant3=1
 	elif grep -qi 'CPU implementer\s*:\s*0x41' /proc/cpuinfo; then
 		# ARM
 		# reference: https://developer.arm.com/support/security-update
@@ -174,28 +188,27 @@ is_cpu_vulnerable()
 			# arch  7? 7? 7     7     7     8     8      8      8
 			if [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -Eq '^0x(c09|c0f|c0e)$'; then
 				# armv7 vulnerable chips
-				variant1=0
+				:
-				variant2=0
 			elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -Eq '^0x(d07|d08|d09|d0a)$'; then
 				# armv8 vulnerable chips
-				variant1=0
+				:
-				variant2=0
 			else
+				# others are not vulnerable
 				variant1=1
 				variant2=1
 			fi
 			# for variant3, only A75 is vulnerable
-			if [ "$cpuarch" = 8 -a "$cpupart" = 0xd0a ]; then
+			if ! [ "$cpuarch" = 8 -a "$cpupart" = 0xd0a ]; then
-				variant3=0
-			else
 				variant3=1
 			fi
 		fi
 	fi
+
 	[ "$1" = 1 ] && return $variant1
 	[ "$1" = 2 ] && return $variant2
 	[ "$1" = 3 ] && return $variant3
-	return 255
+	echo "$0: error: invalid variant '$1' passed to is_cpu_vulnerable()" >&2
+	exit 255
 }
 
 show_header()
@@ -234,17 +247,17 @@ parse_opt_file()
 while [ -n "$1" ]; do
 	if [ "$1" = "--kernel" ]; then
 		opt_kernel=$(parse_opt_file kernel "$2")
-		[ $? -ne 0 ] && exit $?
+		[ $? -ne 0 ] && exit 255
 		shift 2
 		opt_live=0
 	elif [ "$1" = "--config" ]; then
 		opt_config=$(parse_opt_file config "$2")
-		[ $? -ne 0 ] && exit $?
+		[ $? -ne 0 ] && exit 255
 		shift 2
 		opt_live=0
 	elif [ "$1" = "--map" ]; then
 		opt_map=$(parse_opt_file map "$2")
-		[ $? -ne 0 ] && exit $?
+		[ $? -ne 0 ] && exit 255
 		shift 2
 		opt_live=0
 	elif [ "$1" = "--live" ]; then
@@ -265,9 +278,9 @@ while [ -n "$1" ]; do
 			--*) ;;    # allow subsequent flags
 			'') ;;     # allow nothing at all
 			*)
-				echo "$0: error: unknown batch format '$1'"
+				echo "$0: error: unknown batch format '$1'" >&2
-				echo "$0: error: --batch expects a format from: text, nrpe, json"
+				echo "$0: error: --batch expects a format from: text, nrpe, json" >&2
-				exit 1 >&2
+				exit 255
 				;;
 		esac
 	elif [ "$1" = "-v" -o "$1" = "--verbose" ]; then
@@ -276,7 +289,7 @@ while [ -n "$1" ]; do
 	elif [ "$1" = "--variant" ]; then
 		if [ -z "$2" ]; then
 			echo "$0: error: option --variant expects a parameter (1, 2 or 3)" >&2
-			exit 1
+			exit 255
 		fi
 		case "$2" in
 			1) opt_variant1=1; opt_allvariants=0;;
@@ -284,7 +297,8 @@ while [ -n "$1" ]; do
 			3) opt_variant3=1; opt_allvariants=0;;
 			*)
 				echo "$0: error: invalid parameter '$2' for --variant, expected either 1, 2 or 3" >&2;
-				exit 1;;
+				exit 255
+				;;
 		esac
 		shift 2
 	elif [ "$1" = "-h" -o "$1" = "--help" ]; then
@@ -294,7 +308,7 @@ while [ -n "$1" ]; do
 	elif [ "$1" = "--version" ]; then
 		opt_no_color=1
 		show_header
-		exit 1
+		exit 0
 	elif [ "$1" = "--disclaimer" ]; then
 		show_header
 		show_disclaimer
@@ -303,7 +317,7 @@ while [ -n "$1" ]; do
 		show_header
 		show_usage
 		echo "$0: error: unknown option '$1'"
-		exit 1
+		exit 255
 	fi
 done
 
@@ -335,12 +349,6 @@ pvulnstatus()
 	if [ "$opt_batch" = 1 ]; then
 		case "$opt_batch_format" in
 			text) _echo 0 "$1: $2 ($3)";;
-                        nrpe)
-                              case "$2" in
-                                       UKN) nrpe_unknown="1";;
-                                       VULN) nrpe_critical="1"; nrpe_vuln="$nrpe_vuln $1";;
-                              esac
-                              ;;
 			json)
 				case "$1" in
 					CVE-2017-5753) aka="SPECTRE VARIANT 1";;
@@ -348,20 +356,29 @@ pvulnstatus()
 					CVE-2017-5754) aka="MELTDOWN";;
 				esac
 				case "$2" in
-                                       UKN)  is_vuln="unknown";;
+					UNK)  is_vuln="null";;
 					VULN) is_vuln="true";;
 					OK)   is_vuln="false";;
 				esac
 				json_output="${json_output:-[}{\"NAME\":\""$aka"\",\"CVE\":\""$1"\",\"VULNERABLE\":$is_vuln,\"INFOS\":\""$3"\"},"
 				;;
+
+			nrpe)	[ "$2" = VULN ] && nrpe_vuln="$nrpe_vuln $1";;
 		esac
 	fi
 
-	_info_nol "> \033[46m\033[30mSTATUS:\033[0m "
+	# always fill global_* vars because we use that do decide the program exit code
+	case "$2" in
+		UNK)  global_unknown="1";;
+		VULN) global_critical="1";;
+	esac
+
+	# display info if we're not in quiet/batch mode
 	vulnstatus="$2"
 	shift 2
+	_info_nol "> \033[46m\033[30mSTATUS:\033[0m "
 	case "$vulnstatus" in
-		UNK) pstatus yellow UNKNOWN "$@";;
+		UNK)  pstatus yellow 'UNKNOWN'        "$@";;
 		VULN) pstatus red    'VULNERABLE'     "$@";;
 		OK)   pstatus green  'NOT VULNERABLE' "$@";;
 	esac
@@ -448,8 +465,8 @@ extract_vmlinux()
 if [ "$opt_live_explicit" = 1 ]; then
 	if [ -n "$opt_kernel" -o -n "$opt_config" -o -n "$opt_map" ]; then
 		show_usage
-		echo "$0: error: incompatible modes specified, use either --live or --kernel/--config/--map"
+		echo "$0: error: incompatible modes specified, use either --live or --kernel/--config/--map" >&2
-		exit 1
+		exit 255
 	fi
 fi
 
@@ -484,6 +501,7 @@ if [ "$opt_live" = 1 ]; then
 		[ -e /boot/kernel-$( uname -r) ] && opt_kernel=/boot/kernel-$( uname -r)
 		[ -e /boot/bzImage-$(uname -r) ] && opt_kernel=/boot/bzImage-$(uname -r)
 		[ -e /boot/kernel-genkernel-$(uname -m)-$(uname -r) ] && opt_kernel=/boot/kernel-genkernel-$(uname -m)-$(uname -r)
+		[ -e /run/booted-system/kernel ] && opt_kernel=/run/booted-system/kernel
 	fi
 
 	# system.map
@@ -505,10 +523,12 @@ if [ "$opt_live" = 1 ]; then
 else
 	_info "Checking for vulnerabilities against specified kernel"
 fi
+
 if [ -n "$opt_kernel" ]; then
 	_verbose "Will use vmlinux image \033[35m$opt_kernel\033[0m"
 else
 	_verbose "Will use no vmlinux image (accuracy might be reduced)"
+	bad_accuracy=1
 fi
 if [ -n "$dumped_config" ]; then
 	_verbose "Will use kconfig \033[35m/proc/config.gz\033[0m"
@@ -516,11 +536,17 @@ elif [ -n "$opt_config" ]; then
 	_verbose "Will use kconfig \033[35m$opt_config\033[0m"
 else
 	_verbose "Will use no kconfig (accuracy might be reduced)"
+	bad_accuracy=1
 fi
 if [ -n "$opt_map" ]; then
 	_verbose "Will use System.map file \033[35m$opt_map\033[0m"
 else
 	_verbose "Will use no System.map file (accuracy might be reduced)"
+	bad_accuracy=1
+fi
+
+if [ "$bad_accuracy" = 1 ]; then
+	_info "We're missing some kernel info (see -v), accuracy might be reduced"
 fi
 
 if [ -e "$opt_kernel" ]; then
@@ -609,7 +635,7 @@ check_variant1()
 				status=UNK
 				pstatus yellow UNKNOWN
 			else
-				# here we disassemble the kernel and count the number of occurences of the LFENCE opcode
+				# here we disassemble the kernel and count the number of occurrences of the LFENCE opcode
 				# in non-patched kernels, this has been empirically determined as being around 40-50
 				# in patched kernels, this is more around 70-80, sometimes way higher (100+)
 				# v0.13: 68 found in a 3.10.23-xxxx-std-ipv6-64 (with lots of modules compiled-in directly), which doesn't have the LFENCE patches,
@@ -653,11 +679,12 @@ check_variant2()
 		sys_interface_available=1
 	else
 		_info "* Mitigation 1"
-		_info_nol "*   Hardware (CPU microcode) support for mitigation: "
+		_info "*   Hardware (CPU microcode) support for mitigation"
+		_info_nol "*     The SPEC_CTRL MSR is available: "
 		if [ ! -e /dev/cpu/0/msr ]; then
 			# try to load the module ourselves (and remember it so we can rmmod it afterwards)
 			modprobe msr 2>/dev/null && insmod_msr=1
-			_debug "attempted to load module msr, ret=$insmod_msr"
+			_debug "attempted to load module msr, insmod_msr=$insmod_msr"
 		fi
 		if [ ! -e /dev/cpu/0/msr ]; then
 			pstatus yellow UNKNOWN "couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?"
@@ -679,6 +706,49 @@ check_variant2()
 			_debug "attempted to unload module msr, ret=$?"
 		fi
 
+		# CPUID test
+		_info_nol "*     The SPEC_CTRL CPUID feature bit is set: "
+		if [ ! -e /dev/cpu/0/cpuid ]; then
+			# try to load the module ourselves (and remember it so we can rmmod it afterwards)
+			modprobe cpuid 2>/dev/null && insmod_cpuid=1
+			_debug "attempted to load module cpuid, insmod_cpuid=$insmod_cpuid"
+		fi
+		if [ ! -e /dev/cpu/0/cpuid ]; then
+			pstatus yellow UNKNOWN "couldn't read /dev/cpu/0/cpuidr, is cpuid support enabled in your kernel?"
+		else
+			# from kernel src: { X86_FEATURE_SPEC_CTRL,        CPUID_EDX,26, 0x00000007, 0 },
+			if [ "$opt_verbose" -ge 3 ]; then
+				dd if=/dev/cpu/0/cpuid bs=16 skip=7 iflag=skip_bytes count=1 >/dev/null 2>/dev/null
+				_debug "cpuid: reading leaf7 of cpuid on cpu0, ret=$?"
+				_debug "cpuid: leaf7 eax-ebx-ecd-edx: "$(dd if=/dev/cpu/0/cpuid bs=16 skip=7 iflag=skip_bytes count=1 2>/dev/null | od -x -A n)
+				_debug "cpuid: leaf7 edx higher-half is: "$(dd if=/dev/cpu/0/cpuid bs=16 skip=7 iflag=skip_bytes count=1 2>/dev/null | dd bs=1 skip=15 count=1 2>/dev/null | od -x -A n)
+			fi
+			# getting high byte of edx on leaf7 of cpuinfo in decimal
+			edx_hb=$(dd if=/dev/cpu/0/cpuid bs=16 skip=7 iflag=skip_bytes count=1 2>/dev/null | dd bs=1 skip=15 count=1 2>/dev/null | od -t u -A n | awk '{print $1}')
+			_debug "cpuid: leaf7 edx higher byte: $edx_hb (decimal)"
+			edx_bit26=$(( edx_hb & 8 ))
+			_debug "cpuid: edx_bit26=$edx_bit26"
+			if [ "$edx_bit26" -eq 8 ]; then
+				pstatus green YES
+			else
+				pstatus red NO
+			fi
+		fi
+
+		# hardware support according to kernel
+		if [ "$opt_verbose" -ge 2 ]; then
+			_verbose_nol "*     The kernel has set the spec_ctrl flag in cpuinfo: "
+			if [ "$opt_live" = 1 ]; then
+				if grep ^flags /proc/cpuinfo | grep -qw spec_ctrl; then
+					pstatus green YES
+				else
+					pstatus red NO
+				fi
+			else
+				pstatus blue N/A "not testable in offline mode"
+			fi
+		fi
+
 		_info_nol "*   Kernel support for IBRS: "
 		if [ "$opt_live" = 1 ]; then
 			mount_debugfs
@@ -700,6 +770,18 @@ check_variant2()
 					_debug "ibrs: file $ibrs_file doesn't exist"
 				fi
 			done
+			# on some newer kernels, the spec_ctrl_ibrs flag in /proc/cpuinfo
+			# is set when ibrs has been administratively enabled (usually from cmdline)
+			# which in that case means ibrs is supported *and* enabled for kernel & user
+			# as per the ibrs patch series v3
+			if [ "$ibrs_supported" = 0 ]; then
+				if grep ^flags /proc/cpuinfo | grep -qw spec_ctrl_ibrs; then
+					_debug "ibrs: found spec_ctrl_ibrs flag in /proc/cpuinfo"
+					ibrs_supported=1
+					# enabled=2 -> kernel & user
+					ibrs_enabled=2
+				fi
+			fi
 		fi
 		if [ "$ibrs_supported" != 1 -a -n "$opt_map" ]; then
 			if grep -q spec_ctrl "$opt_map"; then
@@ -909,6 +991,47 @@ check_variant3()
 		else
 			pstatus blue N/A "can't verify if PTI is enabled in offline mode"
 		fi
+
+		# no security impact but give a hint to the user in verbose mode
+		# about PCID/INVPCID cpuid features that must be present to avoid
+		# too big a performance impact with PTI
+		# refs:
+		# https://marc.info/?t=151532047900001&r=1&w=2
+		# https://groups.google.com/forum/m/#!topic/mechanical-sympathy/L9mHTbeQLNU
+		if [ "$opt_verbose" -ge 2 ]; then
+			_info "* Performance impact if PTI is enabled"
+			_info_nol "*   CPU supports PCID: "
+			if grep ^flags /proc/cpuinfo | grep -qw pcid; then
+				pstatus green YES 'performance degradation with PTI will be limited'
+			else
+				pstatus blue NO 'no security impact but performance will be degraded with PTI'
+			fi
+			_info_nol "*   CPU supports INVPCID: "
+			if grep ^flags /proc/cpuinfo | grep -qw invpcid; then
+				pstatus green YES 'performance degradation with PTI will be limited'
+			else
+				pstatus blue NO 'no security impact but performance will be degraded with PTI'
+			fi
+		fi
+
+		if [ "$opt_live" = 1 ]; then
+			# checking whether we're running under Xen PV 64 bits. If yes, we're not affected by variant3
+			_info_nol "* Checking if we're running under Xen PV (64 bits): "
+			if [ "$(uname -m)" = "x86_64" ]; then
+				# XXX do we have a better way that relying on dmesg?
+				if dmesg | grep -q 'Booting paravirtualized kernel on Xen$' ; then
+					pstatus green YES 'Xen PV is not vulnerable'
+					xen_pv=1
+				elif [ -r /var/log/dmesg ] && grep -q 'Booting paravirtualized kernel on Xen$' /var/log/dmesg; then
+					pstatus green YES 'Xen PV is not vulnerable'
+					xen_pv=1
+				else
+					pstatus blue NO
+				fi
+			else
+				pstatus blue NO
+			fi
+		fi
 	fi
 
 	# if we have the /sys interface, don't even check is_cpu_vulnerable ourselves, the kernel already does it
@@ -921,6 +1044,8 @@ check_variant3()
 		if [ "$opt_live" = 1 ]; then
 			if [ "$kpti_enabled" = 1 ]; then
 				pvulnstatus $cve OK "PTI mitigates the vulnerability"
+			elif [ "$xen_pv" = 1 ]; then
+				pvulnstatus $cve OK "Xen PV 64 bits is not vulnerable"
 			else
 				pvulnstatus $cve VULN "PTI is needed to mitigate the vulnerability"
 			fi
@@ -964,11 +1089,13 @@ if [ "$opt_batch" = 1 -a "$opt_batch_format" = "nrpe" ]; then
 	else
 		echo "OK"
 	fi
-	[ "$nrpe_critical" = 1 ] && exit 2  # critical
-	[ "$nrpe_unknown" = 1 ] && exit 3  # unknown
-	exit 0  # ok
 fi
 
 if [ "$opt_batch" = 1 -a "$opt_batch_format" = "json" ]; then
-	_echo 0 ${json_output%?}]
+	_echo 0 ${json_output%?}']'
 fi
+
+# exit with the proper exit code
+[ "$global_critical" = 1 ] && exit 2  # critical
+[ "$global_unknown"  = 1 ] && exit 3  # unknown
+exit 0  # ok