bump to v0.31 to reflect changes

spectre-meltdown-checker.sh

@@ -8,7 +8,7 @@
 #
 # Stephane Lesimple
 #
-VERSION=0.30
+VERSION=0.31
 
 show_usage()
 {
@@ -163,7 +163,15 @@ is_cpu_vulnerable()
 	variant2=0
 	variant3=0
 
-	if grep -q AMD /proc/cpuinfo; then
+	if grep -q GenuineIntel /proc/cpuinfo; then
+		# Intel
+		# Old Atoms are not vulnerable to spectre 2 nor meltdown
+		# https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
+		if grep -qE '^model name.+ Atom\(TM\) CPU +(S|D|N|230|330)' /proc/cpuinfo; then
+			variant2=1
+			variant3=1
+		fi
+	elif grep -q AuthenticAMD /proc/cpuinfo; then
 		# AMD revised their statement about variant2 => vulnerable
 		# https://www.amd.com/en/corporate/speculative-execution
 		variant3=1
@@ -185,6 +193,7 @@ is_cpu_vulnerable()
 				# armv8 vulnerable chips
 				:
 			else
+				# others are not vulnerable
 				variant1=1
 				variant2=1
 			fi
@@ -730,7 +739,7 @@ check_variant2()
 		if [ "$opt_verbose" -ge 2 ]; then
 			_verbose_nol "*     The kernel has set the spec_ctrl flag in cpuinfo: "
 			if [ "$opt_live" = 1 ]; then
-				if grep -qw spec_ctrl /proc/cpuinfo; then
+				if grep ^flags /proc/cpuinfo | grep -qw spec_ctrl; then
 					pstatus green YES
 				else
 					pstatus red NO
@@ -766,7 +775,7 @@ check_variant2()
 			# which in that case means ibrs is supported *and* enabled for kernel & user
 			# as per the ibrs patch series v3
 			if [ "$ibrs_supported" = 0 ]; then
-				if grep -qw spec_ctrl_ibrs /proc/cpuinfo; then
+				if grep ^flags /proc/cpuinfo | grep -qw spec_ctrl_ibrs; then
 					_debug "ibrs: found spec_ctrl_ibrs flag in /proc/cpuinfo"
 					ibrs_supported=1
 					# enabled=2 -> kernel & user
@@ -982,6 +991,47 @@ check_variant3()
 		else
 			pstatus blue N/A "can't verify if PTI is enabled in offline mode"
 		fi
+
+		# no security impact but give a hint to the user in verbose mode
+		# about PCID/INVPCID cpuid features that must be present to avoid
+		# too big a performance impact with PTI
+		# refs:
+		# https://marc.info/?t=151532047900001&r=1&w=2
+		# https://groups.google.com/forum/m/#!topic/mechanical-sympathy/L9mHTbeQLNU
+		if [ "$opt_verbose" -ge 2 ]; then
+			_info "* Performance impact if PTI is enabled"
+			_info_nol "*   CPU supports PCID: "
+			if grep ^flags /proc/cpuinfo | grep -qw pcid; then
+				pstatus green YES 'performance degradation with PTI will be limited'
+			else
+				pstatus blue NO 'no security impact but performance will be degraded with PTI'
+			fi
+			_info_nol "*   CPU supports INVPCID: "
+			if grep ^flags /proc/cpuinfo | grep -qw invpcid; then
+				pstatus green YES 'performance degradation with PTI will be limited'
+			else
+				pstatus blue NO 'no security impact but performance will be degraded with PTI'
+			fi
+		fi
+
+		if [ "$opt_live" = 1 ]; then
+			# checking whether we're running under Xen PV 64 bits. If yes, we're not affected by variant3
+			_info_nol "* Checking if we're running under Xen PV (64 bits): "
+			if [ "$(uname -m)" = "x86_64" ]; then
+				# XXX do we have a better way that relying on dmesg?
+				if dmesg | grep -q 'Booting paravirtualized kernel on Xen$' ; then
+					pstatus green YES 'Xen PV is not vulnerable'
+					xen_pv=1
+				elif [ -r /var/log/dmesg ] && grep -q 'Booting paravirtualized kernel on Xen$' /var/log/dmesg; then
+					pstatus green YES 'Xen PV is not vulnerable'
+					xen_pv=1
+				else
+					pstatus blue NO
+				fi
+			else
+				pstatus blue NO
+			fi
+		fi
 	fi
 
 	# if we have the /sys interface, don't even check is_cpu_vulnerable ourselves, the kernel already does it
@@ -994,6 +1044,8 @@ check_variant3()
 		if [ "$opt_live" = 1 ]; then
 			if [ "$kpti_enabled" = 1 ]; then
 				pvulnstatus $cve OK "PTI mitigates the vulnerability"
+			elif [ "$xen_pv" = 1 ]; then
+				pvulnstatus $cve OK "Xen PV 64 bits is not vulnerable"
 			else
 				pvulnstatus $cve VULN "PTI is needed to mitigate the vulnerability"
 			fi