bump to v0.40

Correct aarch64 KPTI dmesg message
As it's seen in unmap_kernel_at_el0 (both the function definition and its usage in arm64_features[]) from arch/arm64/kernel/cpufeature.c the kernel reports this string: CPU features: detected: Kernel page table isolation (KPTI) or (before commit e0f6429dc1c0 ("arm64: cpufeature: Remove redundant "feature" in reports")): CPU features: detected feature: Kernel page table isolation (KPTI) if KPTI is enabled on the system. So on let's adjust check_variant3_linux() to make it grep these strings if executed on an aarch64 platform. Tested on a Cavium ThunderX2 machine. Signed-off-by: Stanislav Kholmanskikh <stanislav.kholmanskikh@oracle.com>
2025-07-15 07:11:22 +02:00 · 2018-10-03 20:56:46 +02:00 · 2018-10-03 20:49:55 +02:00 · 2018-10-03 20:49:55 +02:00 · 2018-09-30 16:57:35 +02:00 · 2018-09-30 16:56:58 +02:00
4 changed files with 1735 additions and 192 deletions
--- a/11
+++ b/11
@ -0,0 +1,11 @@
+FROM alpine:3.7
+
+RUN apk --update --no-cache add kmod binutils grep perl
+
+COPY . /check
+
+ENTRYPOINT ["/check/spectre-meltdown-checker.sh"]
+
+VOLUME /boot
+VOLUME /dev/cpu
+VOLUME /lib/modules
--- a/README.md
+++ b/README.md
@ -1,7 +1,15 @@
 Spectre & Meltdown Checker
 ==========================

-A shell script to tell if your system is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.
+A shell script to tell if your system is vulnerable against the several "speculative execution" CVEs that were made public in 2018.
+- CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
+- CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
+- CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
+- CVE-2018-3640 [rogue system register read] aka 'Variant 3a'
+- CVE-2018-3639 [speculative store bypass] aka 'Variant 4'
+- CVE-2018-3615 [L1 terminal fault] aka 'Foreshadow (SGX)'
+- CVE-2018-3620 [L1 terminal fault] aka 'Foreshadow-NG (OS)'
+- CVE-2018-3646 [L1 terminal fault] aka 'Foreshadow-NG (VMM)'

 Supported operating systems:
 - Linux (all versions, flavors and distros)
@ -39,6 +47,22 @@ chmod +x spectre-meltdown-checker.sh
 sudo ./spectre-meltdown-checker.sh
 ```

+### Run the script in a docker container
+
+#### With docker-compose
+
+```shell
+docker-compose build
+docker-compose run --rm spectre-meltdown-checker
+```
+
+#### Without docker-compose
+
+```shell
+docker build -t spectre-meltdown-checker .
+docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker
+```
+
 ## Example of script output

 - Intel Haswell CPU running under Ubuntu 16.04 LTS
@ -74,7 +98,31 @@ sudo ./spectre-meltdown-checker.sh
   - Mitigation: updated kernel (with PTI/KPTI patches), updating the kernel is enough
   - Performance impact of the mitigation: low to medium

-## Disclaimer
+**CVE-2018-3640** rogue system register read (Variant 3a)
+
+   - Impact: TBC
+   - Mitigation: microcode update only
+   - Performance impact of the mitigation: negligible
+
+**CVE-2018-3639** speculative store bypass (Variant 4)
+
+   - Impact: software using JIT (no known exploitation against kernel)
+   - Mitigation: microcode update + kernel update making possible for affected software to protect itself
+   - Performance impact of the mitigation: low to medium
+
+**CVE-2018-3615** l1 terminal fault (Foreshadow)
+
+   - TBC
+
+**CVE-2018-3620** l1 terminal fault (Foreshadow-NG)
+
+   - TBC
+
+**CVE-2018-3646** l1 terminal fault (Foreshadow-NG)
+
+   - TBC
+
+## Understanding what this script does and doesn't

 This tool does its best to determine whether your system is immune (or has proper mitigations in place) for the collectively named "speculative execution" vulnerabilities. It doesn't attempt to run any kind of exploit, and can't guarantee that your system is secure, but rather helps you verifying whether your system has the known correct mitigations in place.
 However, some mitigations could also exist in your kernel that this script doesn't know (yet) how to detect, or it might falsely detect mitigations that in the end don't work as expected (for example, on backported or modified kernels).
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -0,0 +1,15 @@
+version: '2'
+
+services:
+  spectre-meltdown-checker:
+    build:
+      context: ./
+      dockerfile: ./Dockerfile
+    image: spectre-meltdown-checker:latest
+    container_name: spectre-meltdown-checker
+    privileged: true
+    network_mode: none
+    volumes:
+      - /boot:/boot:ro
+      - /dev/cpu:/dev/cpu:ro
+      - /lib/modules:/lib/modules:ro
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
Author	SHA1	Message	Date
Stéphane Lesimple	c705afe764	bump to v0.40	2018-10-03 20:56:46 +02:00
Stanislav Kholmanskikh	401ccd4b14	Correct aarch64 KPTI dmesg message As it's seen in unmap_kernel_at_el0 (both the function definition and its usage in arm64_features[]) from arch/arm64/kernel/cpufeature.c the kernel reports this string: CPU features: detected: Kernel page table isolation (KPTI) or (before commit e0f6429dc1c0 ("arm64: cpufeature: Remove redundant "feature" in reports")): CPU features: detected feature: Kernel page table isolation (KPTI) if KPTI is enabled on the system. So on let's adjust check_variant3_linux() to make it grep these strings if executed on an aarch64 platform. Tested on a Cavium ThunderX2 machine. Signed-off-by: Stanislav Kholmanskikh <stanislav.kholmanskikh@oracle.com>	2018-10-03 20:49:55 +02:00
Stanislav Kholmanskikh	55120839dd	Fix a typo in check_variant3_linux() Signed-off-by: Stanislav Kholmanskikh <stanislav.kholmanskikh@oracle.com>	2018-10-03 20:49:55 +02:00
Stéphane Lesimple	f5106b3c02	update MCEDB from v83 to v84 (no actual change)	2018-09-30 16:57:35 +02:00
Stéphane Lesimple	68289dae1e	feat: add --update-builtin-mcedb to update the DB inside the script	2018-09-30 16:56:58 +02:00
Stéphane Lesimple	3b2d529654	feat(l1tf): read & report ARCH_CAPABILITIES bit 3 (SKIP_VMENTRY_L1DFLUSH)	2018-09-29 13:16:07 +02:00
Stéphane Lesimple	cbb18cb6b6	fix(l1tf): properly detect status under Red Hat/CentOS kernels	2018-09-29 13:01:13 +02:00
Stéphane Lesimple	299103a3ae	some fixes when script is not started as root	2018-09-29 13:01:13 +02:00
Stéphane Lesimple	dc5402b349	chore: speed optimization of hw check and indentation fixes	2018-09-29 13:01:13 +02:00
Stéphane Lesimple	90c2ae5de2	feat: use the MCExtractor DB as the reference for the microcode versions Use platomav's MCExtractor DB as the reference to decide whether our CPU microcode is the latest or not. We have a builtin version of the DB in the script, but an updated version can be fetched and stored locally with --update-mcedb	2018-09-29 13:01:13 +02:00
Michael Lass	53d6a44754	Fix detection of CVE-2018-3615 (L1TF_SGX) (#253 ) * Add another location of Arch Linux ARM kernel * Fix detection of CVE-2018-3615 We change the value of variantl1tf in the line directly before so its value will never be "immune". Instead we can directly use the value of variantl1tf to initialize variantl1tf_sgx.	2018-09-29 11:35:10 +02:00
Stéphane Lesimple	297d890ce9	fix ucode version check regression introduced by `fbbb19f` under BSD	2018-09-23 15:00:39 +02:00
Stéphane Lesimple	0252e74f94	feat(bsd): implement CVE-2018-3620 and CVE-2018-3646 mitigation detection	2018-09-22 12:26:56 +02:00
Nicolas Sauzede	fbbb19f244	Fix cases where a CPU ucode version is not found in $procfs/cpuinfo. (#246 ) * Fix cases where a CPU ucode version is not found in $procfs/cpuinfo. When running whithin a virtual machine, it seems like $procfs/cpuinfo doesn't contain a 'microcode' line, which triggers a script runtime error. Fall back to '0x0' in this case, as other part of the script seems to already this as a default value anyway. * Double quote to prevent globbing and word splitting.	2018-09-19 22:00:59 +02:00
Stéphane Lesimple	1571a56ce2	feat: add L1D flush cpuid feature bit detection	2018-09-19 09:05:23 +02:00
Stéphane Lesimple	3cf9141601	fix: don't display summary if no CVE was tested (e.g. --hw-only)	2018-09-19 09:04:52 +02:00
Stéphane Lesimple	bff38f1b26	BSD: add not-implemented-yet notice for Foreshadow-NG	2018-09-18 22:06:01 +02:00
Stéphane Lesimple	b419fe7c63	feat(variant4): properly detect SSBD under BSD	2018-09-18 22:00:32 +02:00
alexvong1995	f193484a4a	chore: fix deprecated SPDX license identifier (#249 ) (#251 ) The SPDX license identifier 'GPL-3.0' has been deprecated according to <https://spdx.org/licenses/GPL-3.0.html>.	2018-09-18 20:00:53 +02:00
Laszlo Toth	349d77b3b6	Fix kernel detection when /lib/kernel exists on a distro (#252 ) Commit `b48b2177b7` ("feat: Add Clear Linux Distro (#244)") broke kernel detection for distros using that directory for other purposes than storing the kernel image. Example: # pacman -Qo /lib/kernel /usr/lib/kernel/ is owned by mkinitcpio 24-2 /usr/lib/kernel/ is owned by systemd 239.2-1 Signed-off-by: Laszlo Toth <laszlth@gmail.com>	2018-09-18 20:00:20 +02:00
Stéphane Lesimple	e589ed7f02	fix: don't test SGX again in check_CVE_2018_3615, already done by is_cpu_vulnerable	2018-09-17 22:28:04 +02:00
Stéphane Lesimple	ae1206288f	fix: remove some harcoded /proc paths, use $procfs instead	2018-09-17 22:26:20 +02:00
Stéphane Lesimple	b44d2b5470	chore: remove 'experimental' notice of Foreshadow from README	2018-09-17 21:48:20 +02:00
Stéphane Lesimple	7b72c20f89	feat(l1tf): explode L1TF in its 3 distinct CVEs	2018-09-17 21:44:48 +02:00
Luis Ponce	b48b2177b7	feat: Add Clear Linux Distro (#244 ) Add path of Clear Linux kernel binary and kernel config file.	2018-09-15 15:51:49 +02:00
Pierre Gaxatte	8f31634df6	feat(batch): Add a batch short option for one line result (#243 ) When using this script on a large amount a machine (via clustershell or instance) it can be easier to have a very short result on one line showing only the vulnerabilities	2018-09-15 15:45:10 +02:00
Luis Ponce	96798b1932	chore: add SPDX GPL-3.0 license identifier (#245 ) The spectre-meltdown-checker.sh file is missing licensing information. The SPDX identifier is a legally binding shorthand, which can be used instead of the full boiler plate text.	2018-09-15 15:33:41 +02:00
Stéphane Lesimple	687ce1a7fa	fix: load cpuid module if absent even when /dev/cpu/0/cpuid is there	2018-09-08 23:15:50 +02:00
Stéphane Lesimple	80e0db7cc4	fix: don't show erroneous ucode version when latest version is unknown (fixes #238 )	2018-08-28 20:51:46 +02:00
David Guglielmi	e8890ffac6	feat(config): support for genkernel kernel config file (#239 ) Add support for distributions using genkernel.	2018-08-28 20:24:37 +02:00
Stéphane Lesimple	b2f64e1132	fix README after merge	2018-08-18 12:09:34 +02:00
unrealization	42a3a61f1d	Slightly improved Docker configuration (#230 ) * Listed the required volumes in the Dockerfile. * Added docker-compose.yml for convenience as users won't need to manually specify volumes and stuff when running through docker-compose. Adjusted README.md to reflect this change.	2018-08-18 12:06:16 +02:00
Karsten Weiss	afb36c519d	Fix typo: 'RBS filling' => 'RSB filling' (#237 )	2018-08-18 12:05:17 +02:00
Stéphane Lesimple	0009c0d473	fix: --batch now implies --no-color to avoid colored warnings	2018-08-18 12:04:18 +02:00
Stéphane Lesimple	dd67fd94d7	feat: add FLUSH_CMD MSR availability detection (part of L1TF mitigation)	2018-08-16 19:05:09 +02:00
Stéphane Lesimple	339ad31757	fix: add missing l1tf CPU vulnerability display in hw section	2018-08-16 15:19:29 +02:00
Stéphane Lesimple	794c5be1d2	feat: add optional git describe support to display inter-release version numbers	2018-08-16 15:18:47 +02:00
Stéphane Lesimple	a7afc585a9	fix several incorrect ucode version numbers	2018-08-16 10:51:55 +02:00
Stéphane Lesimple	fc1dffd09a	feat: implement detection of latest known versions of intel microcodes	2018-08-15 12:53:49 +02:00
Stéphane Lesimple	e942616189	feat: initial support for L1TF	2018-08-15 12:05:08 +02:00
Stéphane Lesimple	360be7b35f	fix: hide arch_capabilities_msr_not_read warning under !intel	2018-08-13 15:42:56 +02:00
Stéphane Lesimple	5f59257826	bump to v0.39	2018-08-13 15:33:03 +02:00
Stéphane Lesimple	92d59cbdc1	chore: adjust some comments, add 2 missing inits	2018-08-11 10:31:10 +02:00
Stéphane Lesimple	4747b932e7	feat: add detection of RSBA feature bit and adjust logic accordingly	2018-08-10 10:26:23 +02:00
Stéphane Lesimple	860023a806	fix: ARCH MSR was not read correctly, preventing proper SSB_NO and RDCL_NO detection	2018-08-10 10:26:23 +02:00
Stéphane Lesimple	ab67a9221d	feat: read/write msr now supports msr-tools or perl as dd fallback	2018-08-10 10:26:23 +02:00
0x9fff00	f4592bf3a8	Add Arch armv5/armv7 kernel image location (#227 )	2018-08-09 22:13:30 +02:00
Stéphane Lesimple	be15e47671	chore: setting master to v0.38+	2018-08-09 14:25:22 +02:00
Nathan Parsons	d3481d9524	Add support for the kernel being within a btrfs subvolume (#226 ) - /boot may be within a named root subvolume (eg. "/@/boot") - /boot may be in its own subvolume (eg. "/@boot")	2018-08-09 14:00:35 +02:00
Stéphane Lesimple	21af561148	bump to v0.38	2018-08-07 10:55:50 +02:00
Stéphane Lesimple	cb740397f3	feat(arm32): add spectrev1 mitigation detection	2018-08-07 10:42:03 +02:00
Stéphane Lesimple	84195689af	change: default to --no-explain, use --explain to get detailed mitigation help	2018-08-04 16:31:41 +02:00
Stéphane Lesimple	b637681fa8	fix: debug output: msg inaccuracy for ARM checks	2018-08-04 16:19:54 +02:00
Stéphane Lesimple	9316c30577	fix: armv8: models < 0xd07 are not vulnerable	2018-08-04 16:19:54 +02:00
Lily Wilson	f9dd9d8cb9	add guess for archlinuxarm aarch64 kernel image on raspberry pi 3 (#222 )	2018-08-01 00:15:52 +02:00
Stéphane Lesimple	0f0d103a89	fix: correctly init capabilities_ssb_no var in all cases	2018-07-26 10:18:14 +02:00
Stéphane Lesimple	b262c40541	fix: remove spurious character after an else statement	2018-07-25 21:55:50 +02:00
Stéphane Lesimple	cc2910fbbc	fix: read_cpuid: don't use iflag=skip_bytes for compat with old dd versions This closes #215 #199 #193	2018-07-23 09:12:30 +02:00
manish jaggi	30c4a1f6d2	arm64: cavium: Add CPU Implementer Cavium (#216 ) This patch adds 0x43 check for cavium implementor id in function parse_cpu_details. Also adds that Cavium Soc is not vulnerable to variant 3/3a Signed-off-by: Manish Jaggi <manish.jagg@cavium.com>	2018-07-22 19:06:19 +02:00
Stéphane Lesimple	cf06636a3f	fix: prometheus output: use printf for proper \n interpretation (#204 )	2018-06-21 23:35:51 +02:00
Stéphane Lesimple	60077c8d12	fix(arm): rewrite vuln logic from latest arm statement for Cortex A8 to A76	2018-06-21 23:24:18 +02:00
Rob Gill	c181978d7c	fix(arm): Updated arm cortex status (#209 ) * Cortex A8 Vulnerable Arm Cortex A8 is vulnerable to variants 1 & 2 (https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability) Part number is 0xc08 (https://developer.arm.com/docs/ddi0344/b/system-control-coprocessor/system-control-coprocessorregisters/c0-main-id-register) False negative reported by @V10lator in #206 * ARM Cortex A12 Vulnerable to 1&2 https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability * A76 vulnerable to variant 4 All arch 8 cortex A57-A76 are vulnerable to variant 4. https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability * Whitelist variant4 nonvuln Arms * ARM Cortex Whitelist & Cumulative Blacklist Applies all information about vulnerabilities of ARM Cortex processors (from https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability). Whitelist & blacklist approach, using both vulnerable and non vulnerable status for each identified CPU, with vulnerabilities tracked cumulatively for multi CPU systems.	2018-06-16 12:14:39 +02:00
Jan	9a6406a9a2	chore: add docker support (#203 )	2018-06-14 20:25:35 +02:00
Rob Gill	5962d20ba7	fix(variant4): whitelist from common.c::cpu_no_spec_store_bypass (#202 ) * variant4 from common.c::cpu_no_spec_store_bypass Variant 4 - Add function to 'whitelist' the hand-full of CPUs unaffected by speculative store bypass. This would allow improved determination of variant 4 status ( #189 ) of immune CPUs while waiting for the 4.17/stable patches to be backported to distro kernels. Source of cpu list : https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/kernel/cpu/common.c#n945) Modeled after is_cpu_specex_free() * amd families fix amd families are reported by parse_cpu_details() in decimal * remove duplicates Only list processors which speculate and are immune to variant 4. Avoids duplication with non-speculating CPUs listed in is_cpu_specex_free()	2018-05-27 15:14:29 +02:00
Rob Gill	17a3488505	fix(help): add missing references to variants 3a & 4 (#201 )	2018-05-24 16:35:57 +02:00
Stéphane Lesimple	e54e8b3e84	chore: remove warning in README, fix display indentation	2018-05-24 16:32:53 +02:00
Stéphane Lesimple	39c778e3ac	fix(amd): AMD families 0x15-0x17 non-arch MSRs are a valid way to control SSB	2018-05-23 23:08:07 +02:00
Stéphane Lesimple	2cde6e4649	feat(ssbd): add detection of proper CPUID bits on AMD	2018-05-23 22:50:52 +02:00
Stéphane Lesimple	f4d51e7e53	fix(variant4): add another detection way for Red Hat kernel	2018-05-23 22:47:54 +02:00
Stéphane Lesimple	85d46b2799	feat(variant4): add more detailed explanations	2018-05-23 21:08:58 +02:00
Stéphane Lesimple	61e02abd0c	feat(variant3a): detect up to date microcode	2018-05-23 21:08:08 +02:00
Stéphane Lesimple	114756fab7	fix(amd): not vulnerable to variant3a	2018-05-23 20:38:43 +02:00
Rob Gill	ea75969eb7	fix(help): Update variant options in usage message (#200 )	2018-05-22 15:54:25 +02:00
Stéphane Lesimple	ca391cbfc9	fix(variant2): correctly detect IBRS/IBPB in SLES kernels	2018-05-22 12:06:46 +02:00
Stéphane Lesimple	68af5c5f92	feat(variant4): detect SSBD-aware kernel	2018-05-22 12:05:46 +02:00
Stéphane Lesimple	19be8f79eb	doc: update README with some info about variant3 and variant4	2018-05-22 09:43:29 +02:00
Stéphane Lesimple	f75cc0bb6f	feat(variant4): add sysfs mitigation hint and some explanation about the vuln	2018-05-22 09:39:11 +02:00
Stéphane Lesimple	f33d65ff71	feat(variant3a): add information about microcode-sufficient mitigation	2018-05-22 09:38:29 +02:00
Stéphane Lesimple	725eaa8bf5	feat(arm): adjust vulnerable ARM CPUs for variant3a and variant4	2018-05-22 09:19:29 +02:00
Stéphane Lesimple	c6ee0358d1	feat(variant4): report SSB_NO CPUs as not vulnerable	2018-05-22 09:18:30 +02:00
Stéphane Lesimple	22d0b203da	fix(ssb_no): rename ssbd_no to ssb_no and fix shift	2018-05-22 00:38:31 +02:00
Stéphane Lesimple	3062a8416a	fix(msg): add missing words	2018-05-22 00:10:08 +02:00
Stéphane Lesimple	6a4318addf	feat(variant3a/4): initial support for 2 new CVEs	2018-05-22 00:06:56 +02:00
Stéphane Lesimple	c19986188f	fix(variant2): adjust detection for SLES kernels	2018-05-19 09:53:12 +02:00
Rob Gill	7e4899bcb8	ibrs can't be enabled on no ibrs cpu (#195 ) * ibrs can't be enabled on no ibrs cpu If the cpu is identified, and does not support SPEC_CTRL or IBRS, then ibrs can't be enabled, even if supported by the kernel. Instead of reporting IBRS enabled and active UNKNOWN, report IBRS enabled and active NO.	2018-05-17 15:39:48 +02:00
rrobgill	5cc77741af	Update spectre-meltdown-checker.sh	2018-05-05 13:00:44 +02:00
rrobgill	1c0f6d9580	cpuid and msr module check This adds a check before loading the cpuid and msr modules under linux, ensuring they are not unloaded in exit_cleanup() if they were initially present.	2018-05-05 13:00:44 +02:00
Onno Zweers	4acd0f647a	Suggestion to change VM to a CPU with IBRS capability	2018-04-20 20:35:12 +02:00
Stéphane Lesimple	fb52dbe7bf	set master branch to v0.37+	2018-04-20 20:34:42 +02:00