bump to v0.40

Correct aarch64 KPTI dmesg message
As it's seen in unmap_kernel_at_el0 (both the function definition and its usage in arm64_features[]) from arch/arm64/kernel/cpufeature.c the kernel reports this string: CPU features: detected: Kernel page table isolation (KPTI) or (before commit e0f6429dc1c0 ("arm64: cpufeature: Remove redundant "feature" in reports")): CPU features: detected feature: Kernel page table isolation (KPTI) if KPTI is enabled on the system. So on let's adjust check_variant3_linux() to make it grep these strings if executed on an aarch64 platform. Tested on a Cavium ThunderX2 machine. Signed-off-by: Stanislav Kholmanskikh <stanislav.kholmanskikh@oracle.com>
2025-07-15 15:21:23 +02:00 · 2018-10-03 20:56:46 +02:00 · 2018-10-03 20:49:55 +02:00 · 2018-10-03 20:49:55 +02:00 · 2018-09-30 16:57:35 +02:00 · 2018-09-30 16:56:58 +02:00
4 changed files with 1379 additions and 189 deletions
--- a/4
+++ b/4
@ -5,3 +5,7 @@ RUN apk --update --no-cache add kmod binutils grep perl
 COPY . /check

 ENTRYPOINT ["/check/spectre-meltdown-checker.sh"]
+
+VOLUME /boot
+VOLUME /dev/cpu
+VOLUME /lib/modules
--- a/README.md
+++ b/README.md
@ -2,11 +2,14 @@ Spectre & Meltdown Checker
 ==========================

 A shell script to tell if your system is vulnerable against the several "speculative execution" CVEs that were made public in 2018.
- CVE-2017-5753 aka Spectre Variant 1
- CVE-2017-5715 aka Spectre Variant 2
- CVE-2017-5754 aka Meltdown or Variant 3
- CVE-2018-3640 aka Variant 3a
- CVE-2018-3639 aka Variant 4
+- CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
+- CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
+- CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
+- CVE-2018-3640 [rogue system register read] aka 'Variant 3a'
+- CVE-2018-3639 [speculative store bypass] aka 'Variant 4'
+- CVE-2018-3615 [L1 terminal fault] aka 'Foreshadow (SGX)'
+- CVE-2018-3620 [L1 terminal fault] aka 'Foreshadow-NG (OS)'
+- CVE-2018-3646 [L1 terminal fault] aka 'Foreshadow-NG (VMM)'

 Supported operating systems:
 - Linux (all versions, flavors and distros)
@ -46,9 +49,18 @@ sudo ./spectre-meltdown-checker.sh

 ### Run the script in a docker container

+#### With docker-compose
+
+```shell
+docker-compose build
+docker-compose run --rm spectre-meltdown-checker
+```
+
+#### Without docker-compose
+
 ```shell
 docker build -t spectre-meltdown-checker .
-docker run --rm --privileged -v /boot:/boot:ro -v /lib/modules:/lib/modules:ro -v /dev/cpu:/dev/cpu:ro spectre-meltdown-checker
+docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker
 ```

 ## Example of script output
@ -98,6 +110,18 @@ docker run --rm --privileged -v /boot:/boot:ro -v /lib/modules:/lib/modules:ro -
   - Mitigation: microcode update + kernel update making possible for affected software to protect itself
   - Performance impact of the mitigation: low to medium

+**CVE-2018-3615** l1 terminal fault (Foreshadow)
+
+   - TBC
+
+**CVE-2018-3620** l1 terminal fault (Foreshadow-NG)
+
+   - TBC
+
+**CVE-2018-3646** l1 terminal fault (Foreshadow-NG)
+
+   - TBC
+
 ## Understanding what this script does and doesn't

 This tool does its best to determine whether your system is immune (or has proper mitigations in place) for the collectively named "speculative execution" vulnerabilities. It doesn't attempt to run any kind of exploit, and can't guarantee that your system is secure, but rather helps you verifying whether your system has the known correct mitigations in place.
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -0,0 +1,15 @@
+version: '2'
+
+services:
+  spectre-meltdown-checker:
+    build:
+      context: ./
+      dockerfile: ./Dockerfile
+    image: spectre-meltdown-checker:latest
+    container_name: spectre-meltdown-checker
+    privileged: true
+    network_mode: none
+    volumes:
+      - /boot:/boot:ro
+      - /dev/cpu:/dev/cpu:ro
+      - /lib/modules:/lib/modules:ro
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
Author	SHA1	Message	Date
Stéphane Lesimple	c705afe764	bump to v0.40	2018-10-03 20:56:46 +02:00
Stanislav Kholmanskikh	401ccd4b14	Correct aarch64 KPTI dmesg message As it's seen in unmap_kernel_at_el0 (both the function definition and its usage in arm64_features[]) from arch/arm64/kernel/cpufeature.c the kernel reports this string: CPU features: detected: Kernel page table isolation (KPTI) or (before commit e0f6429dc1c0 ("arm64: cpufeature: Remove redundant "feature" in reports")): CPU features: detected feature: Kernel page table isolation (KPTI) if KPTI is enabled on the system. So on let's adjust check_variant3_linux() to make it grep these strings if executed on an aarch64 platform. Tested on a Cavium ThunderX2 machine. Signed-off-by: Stanislav Kholmanskikh <stanislav.kholmanskikh@oracle.com>	2018-10-03 20:49:55 +02:00
Stanislav Kholmanskikh	55120839dd	Fix a typo in check_variant3_linux() Signed-off-by: Stanislav Kholmanskikh <stanislav.kholmanskikh@oracle.com>	2018-10-03 20:49:55 +02:00
Stéphane Lesimple	f5106b3c02	update MCEDB from v83 to v84 (no actual change)	2018-09-30 16:57:35 +02:00
Stéphane Lesimple	68289dae1e	feat: add --update-builtin-mcedb to update the DB inside the script	2018-09-30 16:56:58 +02:00
Stéphane Lesimple	3b2d529654	feat(l1tf): read & report ARCH_CAPABILITIES bit 3 (SKIP_VMENTRY_L1DFLUSH)	2018-09-29 13:16:07 +02:00
Stéphane Lesimple	cbb18cb6b6	fix(l1tf): properly detect status under Red Hat/CentOS kernels	2018-09-29 13:01:13 +02:00
Stéphane Lesimple	299103a3ae	some fixes when script is not started as root	2018-09-29 13:01:13 +02:00
Stéphane Lesimple	dc5402b349	chore: speed optimization of hw check and indentation fixes	2018-09-29 13:01:13 +02:00
Stéphane Lesimple	90c2ae5de2	feat: use the MCExtractor DB as the reference for the microcode versions Use platomav's MCExtractor DB as the reference to decide whether our CPU microcode is the latest or not. We have a builtin version of the DB in the script, but an updated version can be fetched and stored locally with --update-mcedb	2018-09-29 13:01:13 +02:00
Michael Lass	53d6a44754	Fix detection of CVE-2018-3615 (L1TF_SGX) (#253 ) * Add another location of Arch Linux ARM kernel * Fix detection of CVE-2018-3615 We change the value of variantl1tf in the line directly before so its value will never be "immune". Instead we can directly use the value of variantl1tf to initialize variantl1tf_sgx.	2018-09-29 11:35:10 +02:00
Stéphane Lesimple	297d890ce9	fix ucode version check regression introduced by `fbbb19f` under BSD	2018-09-23 15:00:39 +02:00
Stéphane Lesimple	0252e74f94	feat(bsd): implement CVE-2018-3620 and CVE-2018-3646 mitigation detection	2018-09-22 12:26:56 +02:00
Nicolas Sauzede	fbbb19f244	Fix cases where a CPU ucode version is not found in $procfs/cpuinfo. (#246 ) * Fix cases where a CPU ucode version is not found in $procfs/cpuinfo. When running whithin a virtual machine, it seems like $procfs/cpuinfo doesn't contain a 'microcode' line, which triggers a script runtime error. Fall back to '0x0' in this case, as other part of the script seems to already this as a default value anyway. * Double quote to prevent globbing and word splitting.	2018-09-19 22:00:59 +02:00
Stéphane Lesimple	1571a56ce2	feat: add L1D flush cpuid feature bit detection	2018-09-19 09:05:23 +02:00
Stéphane Lesimple	3cf9141601	fix: don't display summary if no CVE was tested (e.g. --hw-only)	2018-09-19 09:04:52 +02:00
Stéphane Lesimple	bff38f1b26	BSD: add not-implemented-yet notice for Foreshadow-NG	2018-09-18 22:06:01 +02:00
Stéphane Lesimple	b419fe7c63	feat(variant4): properly detect SSBD under BSD	2018-09-18 22:00:32 +02:00
alexvong1995	f193484a4a	chore: fix deprecated SPDX license identifier (#249 ) (#251 ) The SPDX license identifier 'GPL-3.0' has been deprecated according to <https://spdx.org/licenses/GPL-3.0.html>.	2018-09-18 20:00:53 +02:00
Laszlo Toth	349d77b3b6	Fix kernel detection when /lib/kernel exists on a distro (#252 ) Commit `b48b2177b7` ("feat: Add Clear Linux Distro (#244)") broke kernel detection for distros using that directory for other purposes than storing the kernel image. Example: # pacman -Qo /lib/kernel /usr/lib/kernel/ is owned by mkinitcpio 24-2 /usr/lib/kernel/ is owned by systemd 239.2-1 Signed-off-by: Laszlo Toth <laszlth@gmail.com>	2018-09-18 20:00:20 +02:00
Stéphane Lesimple	e589ed7f02	fix: don't test SGX again in check_CVE_2018_3615, already done by is_cpu_vulnerable	2018-09-17 22:28:04 +02:00
Stéphane Lesimple	ae1206288f	fix: remove some harcoded /proc paths, use $procfs instead	2018-09-17 22:26:20 +02:00
Stéphane Lesimple	b44d2b5470	chore: remove 'experimental' notice of Foreshadow from README	2018-09-17 21:48:20 +02:00
Stéphane Lesimple	7b72c20f89	feat(l1tf): explode L1TF in its 3 distinct CVEs	2018-09-17 21:44:48 +02:00
Luis Ponce	b48b2177b7	feat: Add Clear Linux Distro (#244 ) Add path of Clear Linux kernel binary and kernel config file.	2018-09-15 15:51:49 +02:00
Pierre Gaxatte	8f31634df6	feat(batch): Add a batch short option for one line result (#243 ) When using this script on a large amount a machine (via clustershell or instance) it can be easier to have a very short result on one line showing only the vulnerabilities	2018-09-15 15:45:10 +02:00
Luis Ponce	96798b1932	chore: add SPDX GPL-3.0 license identifier (#245 ) The spectre-meltdown-checker.sh file is missing licensing information. The SPDX identifier is a legally binding shorthand, which can be used instead of the full boiler plate text.	2018-09-15 15:33:41 +02:00
Stéphane Lesimple	687ce1a7fa	fix: load cpuid module if absent even when /dev/cpu/0/cpuid is there	2018-09-08 23:15:50 +02:00
Stéphane Lesimple	80e0db7cc4	fix: don't show erroneous ucode version when latest version is unknown (fixes #238 )	2018-08-28 20:51:46 +02:00
David Guglielmi	e8890ffac6	feat(config): support for genkernel kernel config file (#239 ) Add support for distributions using genkernel.	2018-08-28 20:24:37 +02:00
Stéphane Lesimple	b2f64e1132	fix README after merge	2018-08-18 12:09:34 +02:00
unrealization	42a3a61f1d	Slightly improved Docker configuration (#230 ) * Listed the required volumes in the Dockerfile. * Added docker-compose.yml for convenience as users won't need to manually specify volumes and stuff when running through docker-compose. Adjusted README.md to reflect this change.	2018-08-18 12:06:16 +02:00
Karsten Weiss	afb36c519d	Fix typo: 'RBS filling' => 'RSB filling' (#237 )	2018-08-18 12:05:17 +02:00
Stéphane Lesimple	0009c0d473	fix: --batch now implies --no-color to avoid colored warnings	2018-08-18 12:04:18 +02:00
Stéphane Lesimple	dd67fd94d7	feat: add FLUSH_CMD MSR availability detection (part of L1TF mitigation)	2018-08-16 19:05:09 +02:00
Stéphane Lesimple	339ad31757	fix: add missing l1tf CPU vulnerability display in hw section	2018-08-16 15:19:29 +02:00
Stéphane Lesimple	794c5be1d2	feat: add optional git describe support to display inter-release version numbers	2018-08-16 15:18:47 +02:00
Stéphane Lesimple	a7afc585a9	fix several incorrect ucode version numbers	2018-08-16 10:51:55 +02:00
Stéphane Lesimple	fc1dffd09a	feat: implement detection of latest known versions of intel microcodes	2018-08-15 12:53:49 +02:00
Stéphane Lesimple	e942616189	feat: initial support for L1TF	2018-08-15 12:05:08 +02:00
Stéphane Lesimple	360be7b35f	fix: hide arch_capabilities_msr_not_read warning under !intel	2018-08-13 15:42:56 +02:00
Stéphane Lesimple	5f59257826	bump to v0.39	2018-08-13 15:33:03 +02:00
Stéphane Lesimple	92d59cbdc1	chore: adjust some comments, add 2 missing inits	2018-08-11 10:31:10 +02:00
Stéphane Lesimple	4747b932e7	feat: add detection of RSBA feature bit and adjust logic accordingly	2018-08-10 10:26:23 +02:00
Stéphane Lesimple	860023a806	fix: ARCH MSR was not read correctly, preventing proper SSB_NO and RDCL_NO detection	2018-08-10 10:26:23 +02:00
Stéphane Lesimple	ab67a9221d	feat: read/write msr now supports msr-tools or perl as dd fallback	2018-08-10 10:26:23 +02:00
0x9fff00	f4592bf3a8	Add Arch armv5/armv7 kernel image location (#227 )	2018-08-09 22:13:30 +02:00
Stéphane Lesimple	be15e47671	chore: setting master to v0.38+	2018-08-09 14:25:22 +02:00
Nathan Parsons	d3481d9524	Add support for the kernel being within a btrfs subvolume (#226 ) - /boot may be within a named root subvolume (eg. "/@/boot") - /boot may be in its own subvolume (eg. "/@boot")	2018-08-09 14:00:35 +02:00