bump to v0.32

On Fedora machines /lib/modules/$(uname -r) has all the files.

spectre-meltdown-checker.sh

@@ -8,7 +8,7 @@
 #
 # Stephane Lesimple
 #
-VERSION=0.31
+VERSION=0.32
 
 show_usage()
 {
@@ -24,7 +24,7 @@ show_usage()
 		To run under this mode, just start the script without any option (you can also use --live explicitly)
 
 		Second mode is the "offline" mode, where you can inspect a non-running kernel.
-		You'll need to specify the location of the vmlinux file, and if possible, the corresponding config and System.map files:
+		You'll need to specify the location of the vmlinux file, config and System.map files:
 
 		--kernel vmlinux_file		Specify a (possibly compressed) vmlinux file
 		--config kernel_config		Specify a kernel config file
@@ -34,12 +34,15 @@ show_usage()
 		--no-color			Don't use color codes
 		--verbose, -v			Increase verbosity level
 		--no-sysfs			Don't use the /sys interface even if present
+		--coreos			Special mode for CoreOS (use an ephemeral toolbox to inspect kernel)
 		--batch text			Produce machine readable output, this is the default if --batch is specified alone
 		--batch json			Produce JSON output formatted for Puppet, Ansible, Chef...
 		--batch nrpe			Produce machine readable output formatted for NRPE
 		--variant [1,2,3]		Specify which variant you'd like to check, by default all variants are checked
 						Can be specified multiple times (e.g. --variant 2 --variant 3)
 
+	Return codes:
+		0 (not vulnerable), 2 (vulnerable), 3 (unknown), 255 (error)
 
 	IMPORTANT:
 	A false sense of security is worse than no security at all.
@@ -88,22 +91,37 @@ opt_variant2=0
 opt_variant3=0
 opt_allvariants=1
 opt_no_sysfs=0
+opt_coreos=0
 
 global_critical=0
 global_unknown=0
 nrpe_vuln=""
 
+echo_cmd=''
 __echo()
 {
 	opt="$1"
 	shift
 	_msg="$@"
+
+	if [ -z "$echo_cmd" ]; then
+		# find a sane `echo` command
+		# we'll try to avoid using shell builtins that might not take options
+		if which echo >/dev/null 2>&1; then
+			echo_cmd=`which echo`
+		else
+			[ -x /bin/echo        ] && echo_cmd=/bin/echo
+			[ -x /system/bin/echo ] && echo_cmd=/system/bin/echo
+		fi
+		# still empty ? fallback to builtin
+		[ -z "$echo_cmd" ] && echo_cmd=echo
+	fi
+
 	if [ "$opt_no_color" = 1 ] ; then
 		# strip ANSI color codes
-		_msg=$(/bin/echo -e  "$_msg" | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g")
+		_msg=$($echo_cmd -e  "$_msg" | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g")
 	fi
-	# explicitly call /bin/echo to avoid shell builtins that might not take options
-	/bin/echo $opt -e "$_msg"
+	$echo_cmd $opt -e "$_msg"
 }
 
 _echo()
@@ -152,6 +170,16 @@ _debug()
 	_echo 3 "\033[34m(debug) $@\033[0m"
 }
 
+is_cpu_vulnerable_cached=0
+_is_cpu_vulnerable_cached()
+{
+	[ "$1" = 1 ] && return $variant1
+	[ "$1" = 2 ] && return $variant2
+	[ "$1" = 3 ] && return $variant3
+	echo "$0: error: invalid variant '$1' passed to is_cpu_vulnerable()" >&2
+	exit 255
+}
+
 is_cpu_vulnerable()
 {
 	# param: 1, 2 or 3 (variant)
@@ -159,56 +187,97 @@ is_cpu_vulnerable()
 	# (note that in shell, a return of 0 is success)
 	# by default, everything is vulnerable, we work in a "whitelist" logic here.
 	# usage: is_cpu_vulnerable 2 && do something if vulnerable
-	variant1=0
-	variant2=0
-	variant3=0
+	if [ "$is_cpu_vulnerable_cached" = 1 ]; then
+		_is_cpu_vulnerable_cached "$1"
+		return $?
+	fi
+
+	variant1=''
+	variant2=''
+	variant3=''
+	# we also set a friendly name for the CPU to be used in the script if needed
+	cpu_friendly_name=$(grep '^model name' /proc/cpuinfo | cut -d: -f2- | head -1)
 
 	if grep -q GenuineIntel /proc/cpuinfo; then
 		# Intel
 		# Old Atoms are not vulnerable to spectre 2 nor meltdown
 		# https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
-		if grep -qE '^model name.+ Atom\(TM\) CPU +(S|D|N|230|330)' /proc/cpuinfo; then
-			variant2=1
-			variant3=1
+		# model name : Genuine Intel(R) CPU N270 @ 1.60GHz
+		# model name : Intel(R) Atom(TM) CPU N270 @ 1.60GHz
+		# model name : Intel(R) Atom(TM) CPU 330 @ 1.60GHz
+		if grep -qE '^model name.+ Intel\(R\) (Atom\(TM\) CPU +(S|D|N|230|330)|CPU N[0-9]{3} )' /proc/cpuinfo; then
+			variant1=vuln
+			[ -z "$variant2" ] && variant2=immune
+			[ -z "$variant3" ] && variant3=immune
 		fi
 	elif grep -q AuthenticAMD /proc/cpuinfo; then
 		# AMD revised their statement about variant2 => vulnerable
 		# https://www.amd.com/en/corporate/speculative-execution
-		variant3=1
-	elif grep -qi 'CPU implementer\s*:\s*0x41' /proc/cpuinfo; then
+		variant1=vuln
+		variant2=vuln
+		[ -z "$variant3" ] && variant3=immune
+	elif grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x41' /proc/cpuinfo; then
 		# ARM
 		# reference: https://developer.arm.com/support/security-update
-		cpupart=$(awk '/CPU part/         {print $4;exit}' /proc/cpuinfo)
-		cpuarch=$(awk '/CPU architecture/ {print $3;exit}' /proc/cpuinfo)
-		if [ -n "$cpupart" -a -n "$cpuarch" ]; then
-			# Cortex-R7 and Cortex-R8 are real-time and only used in medical devices or such
-			# I can't find their CPU part number, but it's probably not that useful anyway
-			# model R7 R8 A9    A15   A17   A57   A72    A73    A75
-			# part   ?  ? 0xc09 0xc0f 0xc0e 0xd07 0xd08  0xd09  0xd0a
-			# arch  7? 7? 7     7     7     8     8      8      8
-			if [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -Eq '^0x(c09|c0f|c0e)$'; then
-				# armv7 vulnerable chips
-				:
-			elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -Eq '^0x(d07|d08|d09|d0a)$'; then
-				# armv8 vulnerable chips
-				:
-			else
-				# others are not vulnerable
-				variant1=1
-				variant2=1
-			fi
-			# for variant3, only A75 is vulnerable
-			if ! [ "$cpuarch" = 8 -a "$cpupart" = 0xd0a ]; then
-				variant3=1
-			fi
-		fi
-	fi
+		# some devices (phones or other) have several ARMs and as such different part numbers,
+		# an example is "bigLITTLE". we shouldn't rely on the first CPU only, so we check the whole list
+		cpupart_list=$(awk '/CPU part/         {print $4}' /proc/cpuinfo)
+		cpuarch_list=$(awk '/CPU architecture/ {print $3}' /proc/cpuinfo)
+		i=0
+		for cpupart in $cpupart_list
+		do
+			i=$(( i + 1 ))
+			cpuarch=$(echo $cpuarch_list | awk '{ print $'$i' }')
+			_debug "checking cpu$i: <$cpupart> <$cpuarch>"
+			# some kernels report AArch64 instead of 8
+			[ "$cpuarch" = "AArch64" ] && cpuarch=8
+			if [ -n "$cpupart" -a -n "$cpuarch" ]; then
+				cpu_friendly_name="ARM v$cpuarch model $cpupart"
+				# Cortex-R7 and Cortex-R8 are real-time and only used in medical devices or such
+				# I can't find their CPU part number, but it's probably not that useful anyway
+				# model R7 R8 A9    A15   A17   A57   A72    A73    A75
+				# part   ?  ? 0xc09 0xc0f 0xc0e 0xd07 0xd08  0xd09  0xd0a
+				# arch  7? 7? 7     7     7     8     8      8      8
+				#
+				# variant 1 & variant 2
+				if [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -Eq '^0x(c09|c0f|c0e)$'; then
+					# armv7 vulnerable chips
+					_debug "checking cpu$i: this armv7 vulnerable to spectre 1 & 2"
+					variant1=vuln
+					variant2=vuln
+				elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -Eq '^0x(d07|d08|d09|d0a)$'; then
+					# armv8 vulnerable chips
+					_debug "checking cpu$i: this armv8 vulnerable to spectre 1 & 2"
+					variant1=vuln
+					variant2=vuln
+				else
+					_debug "checking cpu$i: this arm non vulnerable to 1 & 2"
+					# others are not vulnerable
+					[ -z "$variant1" ] && variant1=immune
+					[ -z "$variant2" ] && variant2=immune
+				fi
 
-	[ "$1" = 1 ] && return $variant1
-	[ "$1" = 2 ] && return $variant2
-	[ "$1" = 3 ] && return $variant3
-	echo "$0: error: invalid variant '$1' passed to is_cpu_vulnerable()" >&2
-	exit 255
+				# for variant3, only A75 is vulnerable
+				if [ "$cpuarch" = 8 -a "$cpupart" = 0xd0a ]; then
+					_debug "checking cpu$i: arm A75 vulnerable to meltdown"
+					variant3=vuln
+				else
+					_debug "checking cpu$i: this arm non vulnerable to meltdown"
+					[ -z "$variant3" ] && variant3=immune
+				fi
+			fi
+			_debug "is_cpu_vulnerable: for cpu$i and so far, we have <$variant1> <$variant2> <$variant3>"
+		done
+	fi
+	_debug "is_cpu_vulnerable: temp results are <$variant1> <$variant2> <$variant3>"
+	# if at least one of the cpu is vulnerable, then the system is vulnerable
+	[ "$variant1" = "immune" ] && variant1=1 || variant1=0
+	[ "$variant2" = "immune" ] && variant2=1 || variant2=0
+	[ "$variant3" = "immune" ] && variant3=1 || variant3=0
+	_debug "is_cpu_vulnerable: final results are <$variant1> <$variant2> <$variant3>"
+	is_cpu_vulnerable_cached=1
+	_is_cpu_vulnerable_cached "$1"
+	return $?
 }
 
 show_header()
@@ -269,6 +338,13 @@ while [ -n "$1" ]; do
 	elif [ "$1" = "--no-sysfs" ]; then
 		opt_no_sysfs=1
 		shift
+	elif [ "$1" = "--coreos" ]; then
+		opt_coreos=1
+		shift
+	elif [ "$1" = "--coreos-within-toolbox" ]; then
+		# don't use directly: used internally by --coreos
+		opt_coreos=0
+		shift
 	elif [ "$1" = "--batch" ]; then
 		opt_batch=1
 		opt_verbose=0
@@ -405,8 +481,8 @@ vmlinux=''
 vmlinux_err=''
 check_vmlinux()
 {
-	readelf -h "$1" > /dev/null 2>&1 || return 1
-	return 0
+	readelf -h "$1" >/dev/null 2>&1 && return 0
+	return 1
 }
 
 try_decompress()
@@ -461,6 +537,58 @@ extract_vmlinux()
 
 # end of extract-vmlinux functions
 
+mount_debugfs()
+{
+	if [ ! -e /sys/kernel/debug/sched_features ]; then
+		# try to mount the debugfs hierarchy ourselves and remember it to umount afterwards
+		mount -t debugfs debugfs /sys/kernel/debug 2>/dev/null && mounted_debugfs=1
+	fi
+}
+
+umount_debugfs()
+{
+	if [ "$mounted_debugfs" = 1 ]; then
+		# umount debugfs if we did mount it ourselves
+		umount /sys/kernel/debug
+	fi
+}
+
+load_msr()
+{
+	modprobe msr 2>/dev/null && insmod_msr=1
+	_debug "attempted to load module msr, insmod_msr=$insmod_msr"
+}
+
+unload_msr()
+{
+	if [ "$insmod_msr" = 1 ]; then
+		# if we used modprobe ourselves, rmmod the module
+		rmmod msr 2>/dev/null
+		_debug "attempted to unload module msr, ret=$?"
+	fi
+}
+
+load_cpuid()
+{
+	modprobe cpuid 2>/dev/null && insmod_cpuid=1
+	_debug "attempted to load module cpuid, insmod_cpuid=$insmod_cpuid"
+}
+
+unload_cpuid()
+{
+	if [ "$insmod_cpuid" = 1 ]; then
+		# if we used modprobe ourselves, rmmod the module
+		rmmod cpuid 2>/dev/null
+		_debug "attempted to unload module cpuid, ret=$?"
+	fi
+}
+
+is_coreos()
+{
+	which coreos-install >/dev/null 2>&1 && which toolbox >/dev/null 2>&1 && return 0
+	return 1
+}
+
 # check for mode selection inconsistency
 if [ "$opt_live_explicit" = 1 ]; then
 	if [ -n "$opt_kernel" -o -n "$opt_config" -o -n "$opt_map" ]; then
@@ -470,6 +598,29 @@ if [ "$opt_live_explicit" = 1 ]; then
 	fi
 fi
 
+# coreos mode
+if [ "$opt_coreos" = 1 ]; then
+	if ! is_coreos; then
+		_warn "CoreOS mode asked, but we're not under CoreOS!"
+		exit 255
+	fi
+	_warn "CoreOS mode, starting an ephemeral toolbox to launch the script"
+	load_msr
+	load_cpuid
+	mount_debugfs
+	toolbox --ephemeral --bind-ro /dev/cpu:/dev/cpu -- sh -c "dnf install -y binutils which && /media/root$PWD/$0 $@ --coreos-within-toolbox"
+	exitcode=$?
+	mount_debugfs
+	unload_cpuid
+	unload_msr
+	exit $exitcode
+else
+	if is_coreos; then
+		_warn "You seem to be running CoreOS, you might want to use the --coreos option for better results"
+		_warn
+	fi
+fi
+
 # root check (only for live mode, for offline mode, we already checked if we could read the files)
 
 if [ "$opt_live" = 1 ]; then
@@ -480,7 +631,9 @@ if [ "$opt_live" = 1 ]; then
 		_warn
 	fi
 	_info "Checking for vulnerabilities against running kernel \033[35m"$(uname -s) $(uname -r) $(uname -v) $(uname -m)"\033[0m"
-	_info "CPU is\033[35m"$(grep '^model name' /proc/cpuinfo | cut -d: -f2 | head -1)"\033[0m"
+	# call is_cpu_vulnerable to fill the cpu_friendly_name var
+	is_cpu_vulnerable 1
+	_info "CPU is \033[35m$cpu_friendly_name\033[0m"
 
 	# try to find the image of the current running kernel
 	# first, look for the BOOT_IMAGE hint in the kernel cmdline
@@ -490,23 +643,36 @@ if [ "$opt_live" = 1 ]; then
 		# if we have a dedicated /boot partition, our bootloader might have just called it /
 		# so try to prepend /boot and see if we find anything
 		[ -e "/boot/$opt_kernel" ] && opt_kernel="/boot/$opt_kernel"
+		# special case for CoreOS if we're inside the toolbox
+		[ -e "/media/root/boot/$opt_kernel" ] && opt_kernel="/media/root/boot/$opt_kernel"
 		_debug "opt_kernel is now $opt_kernel"
 		# else, the full path is already there (most probably /boot/something)
 	fi
 	# if we didn't find a kernel, default to guessing
 	if [ ! -e "$opt_kernel" ]; then
+		# Fedora:
+		[ -e /lib/modules/$(uname -r)/vmlinuz ] && opt_kernel=/lib/modules/$(uname -r)/vmlinuz
+		# Slackare:
+		[ -e /boot/vmlinuz             ] && opt_kernel=/boot/vmlinuz
+		# Arch:
 		[ -e /boot/vmlinuz-linux       ] && opt_kernel=/boot/vmlinuz-linux
+		# Linux-Libre:
 		[ -e /boot/vmlinuz-linux-libre ] && opt_kernel=/boot/vmlinuz-linux-libre
+		# generic:
 		[ -e /boot/vmlinuz-$(uname -r) ] && opt_kernel=/boot/vmlinuz-$(uname -r)
 		[ -e /boot/kernel-$( uname -r) ] && opt_kernel=/boot/kernel-$( uname -r)
 		[ -e /boot/bzImage-$(uname -r) ] && opt_kernel=/boot/bzImage-$(uname -r)
+		# Gentoo:
 		[ -e /boot/kernel-genkernel-$(uname -m)-$(uname -r) ] && opt_kernel=/boot/kernel-genkernel-$(uname -m)-$(uname -r)
+		# NixOS:
 		[ -e /run/booted-system/kernel ] && opt_kernel=/run/booted-system/kernel
 	fi
 
 	# system.map
 	if [ -e /proc/kallsyms ] ; then
 		opt_map="/proc/kallsyms"
+	elif [ -e /lib/modules/$(uname -r)/System.map ] ; then
+		opt_map=/lib/modules/$(uname -r)/System.map
 	elif [ -e /boot/System.map-$(uname -r) ] ; then
 		opt_map=/boot/System.map-$(uname -r)
 	fi
@@ -517,6 +683,8 @@ if [ "$opt_live" = 1 ]; then
 		gunzip -c /proc/config.gz > $dumped_config
 		# dumped_config will be deleted at the end of the script
 		opt_config=$dumped_config
+	elif [ -e /lib/modules/$(uname -r)/config ]; then
+		opt_config=/lib/modules/$(uname -r)/config
 	elif [ -e /boot/config-$(uname -r) ]; then
 		opt_config=/boot/config-$(uname -r)
 	fi
@@ -551,11 +719,13 @@ fi
 
 if [ -e "$opt_kernel" ]; then
 	if ! which readelf >/dev/null 2>&1; then
+		_debug "readelf not found"
 		vmlinux_err="missing 'readelf' tool, please install it, usually it's in the 'binutils' package"
 	else
 		extract_vmlinux "$opt_kernel"
 	fi
 else
+	_debug "no opt_kernel defined"
 	vmlinux_err="couldn't find your kernel image in /boot, if you used netboot, this is normal"
 fi
 if [ -z "$vmlinux" -o ! -r "$vmlinux" ]; then
@@ -569,22 +739,6 @@ _info
 # now we define some util functions and the check_*() funcs, as
 # the user can choose to execute only some of those
 
-mount_debugfs()
-{
-	if [ ! -e /sys/kernel/debug/sched_features ]; then
-		# try to mount the debugfs hierarchy ourselves and remember it to umount afterwards
-		mount -t debugfs debugfs /sys/kernel/debug 2>/dev/null && mounted_debugfs=1
-	fi
-}
-
-umount_debugfs()
-{
-	if [ "$mounted_debugfs" = 1 ]; then
-		# umount debugfs if we did mount it ourselves
-		umount /sys/kernel/debug
-	fi
-}
-
 sys_interface_check()
 {
 	[ "$opt_live" = 1 -a "$opt_no_sysfs" = 0 -a -r "$1" ] || return 1
@@ -683,8 +837,7 @@ check_variant2()
 		_info_nol "*     The SPEC_CTRL MSR is available: "
 		if [ ! -e /dev/cpu/0/msr ]; then
 			# try to load the module ourselves (and remember it so we can rmmod it afterwards)
-			modprobe msr 2>/dev/null && insmod_msr=1
-			_debug "attempted to load module msr, insmod_msr=$insmod_msr"
+			load_msr
 		fi
 		if [ ! -e /dev/cpu/0/msr ]; then
 			pstatus yellow UNKNOWN "couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?"
@@ -700,18 +853,13 @@ check_variant2()
 			fi
 		fi
 
-		if [ "$insmod_msr" = 1 ]; then
-			# if we used modprobe ourselves, rmmod the module
-			rmmod msr 2>/dev/null
-			_debug "attempted to unload module msr, ret=$?"
-		fi
+		unload_msr
 
 		# CPUID test
 		_info_nol "*     The SPEC_CTRL CPUID feature bit is set: "
 		if [ ! -e /dev/cpu/0/cpuid ]; then
 			# try to load the module ourselves (and remember it so we can rmmod it afterwards)
-			modprobe cpuid 2>/dev/null && insmod_cpuid=1
-			_debug "attempted to load module cpuid, insmod_cpuid=$insmod_cpuid"
+			load_cpuid
 		fi
 		if [ ! -e /dev/cpu/0/cpuid ]; then
 			pstatus yellow UNKNOWN "couldn't read /dev/cpu/0/cpuidr, is cpuid support enabled in your kernel?"
@@ -734,6 +882,7 @@ check_variant2()
 				pstatus red NO
 			fi
 		fi
+		unload_cpuid
 
 		# hardware support according to kernel
 		if [ "$opt_verbose" -ge 2 ]; then
@@ -979,6 +1128,10 @@ check_variant3()
 				# if we can't find the flag in dmesg output, grep in /var/log/dmesg when readable
 				_debug "kpti_enabled: found hint in /var/log/dmesg: "$(grep -E "$dmesg_grep" /var/log/dmesg)
 				kpti_enabled=1
+			elif [ -r /var/log/kern.log ] && grep -Eq "$dmesg_grep" /var/log/kern.log; then
+				# if we can't find the flag in dmesg output, grep in /var/log/kern.log when readable
+				_debug "kpti_enabled: found hint in /var/log/kern.log: "$(grep -E "$dmesg_grep" /var/log/kern.log)
+				kpti_enabled=1
 			else
 				_debug "kpti_enabled: couldn't find any hint that PTI is enabled"
 				kpti_enabled=0
@@ -1025,6 +1178,9 @@ check_variant3()
 				elif [ -r /var/log/dmesg ] && grep -q 'Booting paravirtualized kernel on Xen$' /var/log/dmesg; then
 					pstatus green YES 'Xen PV is not vulnerable'
 					xen_pv=1
+				elif [ -r /var/log/kern.log ] && grep -q 'Booting paravirtualized kernel on Xen$' /var/log/kern.log; then
+					pstatus green YES 'Xen PV is not vulnerable'
+					xen_pv=1
 				else
 					pstatus blue NO
 				fi