Compare commits
26 Commits
Author | SHA1 | Date |
---|---|---|
Stéphane Lesimple | bd0c7c94b5 | |
Stéphane Lesimple | d70e4c2974 | |
Stéphane Lesimple | 4e29fb5a21 | |
Stephane Lesimple | 0f2edb1a71 | |
Stephane Lesimple | 8ac2539a2a | |
Stéphane Lesimple | 97f4d5f2bc | |
Stéphane Lesimple | 9b7b09ada3 | |
Sébastien Mériot | c94811e63d | |
Sébastien Mériot | 3e67047c73 | |
Sébastien Mériot | ecee75716e | |
Sébastien Mériot | fb6933dc64 | |
Stéphane Lesimple | dc6921a1ac | |
Sébastien Mériot | 3167762cfd | |
Stéphane Lesimple | 44223c5308 | |
Stéphane Lesimple | dbe208fc48 | |
Stéphane Lesimple | aca4e2a9b1 | |
Sébastien Mériot | c1c1ac4dbb | |
Stéphane Lesimple | ba0daa6769 | |
Sébastien Mériot | 227c0aab1e | |
Stéphane Lesimple | 8ba3751cf7 | |
Stéphane Lesimple | d013c0a7d2 | |
Stéphane Lesimple | cbe8ba10ce | |
Stéphane Lesimple | 9c2587bca5 | |
Stéphane Lesimple | 2a5ddc87bf | |
Stéphane Lesimple | 2ef6c1c80e | |
Stéphane Lesimple | 3c224018f4 |
|
@ -24,7 +24,7 @@ jobs:
|
|||
fi
|
||||
- name: check direct execution
|
||||
run: |
|
||||
expected=16
|
||||
expected=19
|
||||
nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l)
|
||||
if [ "$nb" -ne "$expected" ]; then
|
||||
echo "Invalid number of CVEs reported: $nb instead of $expected"
|
||||
|
@ -34,7 +34,7 @@ jobs:
|
|||
fi
|
||||
- name: check docker-compose run execution
|
||||
run: |
|
||||
expected=16
|
||||
expected=19
|
||||
docker-compose build
|
||||
nb=$(docker-compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
|
||||
if [ "$nb" -ne "$expected" ]; then
|
||||
|
@ -45,7 +45,7 @@ jobs:
|
|||
fi
|
||||
- name: check docker run execution
|
||||
run: |
|
||||
expected=16
|
||||
expected=19
|
||||
docker build -t spectre-meltdown-checker .
|
||||
nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
|
||||
if [ "$nb" -ne "$expected" ]; then
|
||||
|
|
12
FAQ.md
12
FAQ.md
|
@ -45,9 +45,9 @@ Software vulnerability:
|
|||
|
||||
Hardware vulnerability:
|
||||
- Can be fixed? No, only mitigated (or buy new hardware!)
|
||||
- How to ~~fix~~ mitigate? In the worst case scenario, 5 "layers" need to be updated: the microcode/firmware, the host OS kernel, the hypervisor, the VM OS kernel, and possibly all the software running on the VM.
|
||||
- How to ~~fix~~ mitigate? In the worst case scenario, 5 "layers" need to be updated: the microcode/firmware, the host OS kernel, the hypervisor, the VM OS kernel, and possibly all the software running on the machine. Sometimes only a subset of those layers need to be updated. In yet other cases, there can be several possible mitigations for the same vulnerability, implying different layers. Yes, it can get horribly complicated.
|
||||
|
||||
A more detailed video explanation is available here: https://youtu.be/2gB9U1EcCss?t=85
|
||||
A more detailed video explanation is available here: https://youtu.be/2gB9U1EcCss?t=425
|
||||
|
||||
## What do "affected", "vulnerable" and "mitigated" mean exactly?
|
||||
|
||||
|
@ -75,7 +75,7 @@ There are a few rules that govern how this tool is written.
|
|||
|
||||
A lot as changed since 2018. Nowadays, the industry adapted and this range of vulnerabilities is almost "business as usual", as software vulnerabilities are. However, due to their complexity, it's still not as easy as just checking a version number to ensure a vulnerability is closed.
|
||||
|
||||
Granted, we now have a standard way under Linux to check whether our system is affected, vulnerable, mitigated against most of these vulnerabilities. By having a look at the `sysfs` hierarchy, and more precisely the `/sys/devices/system/cpu/vulnerabilities/` folder, one can have a pretty good insight about its system state for each of the listed vulnerabilities. Note that the output can be a little different with some vendors (e.g. Red Hat has some slightly different output than the vanilla kernel for some vulnerabilities), but it's still a gigantic leap forward, given where we were in 2018 when this script was started, and it's very good news. The kernel is the proper place to have this because the kernel knows everything about itself (the mitigations it might have), and the CPU (its model, and microcode features that are exposed).
|
||||
Granted, we now have a standard way under Linux to check whether our system is affected, vulnerable, mitigated against most of these vulnerabilities. By having a look at the `sysfs` hierarchy, and more precisely the `/sys/devices/system/cpu/vulnerabilities/` folder, one can have a pretty good insight about its system state for each of the listed vulnerabilities. Note that the output can be a little different with some vendors (e.g. Red Hat has some slightly different output than the vanilla kernel for some vulnerabilities), but it's still a gigantic leap forward, given where we were in 2018 when this script was started, and it's very good news. The kernel is the proper place to have this because the kernel knows everything about itself (the mitigations it might have), and the CPU (its model, and microcode features that are exposed). Note however that some vulnerabilities are not reported through this file hierarchy at all, such as Zenbleed.
|
||||
|
||||
However I see a few reasons why this script might still be useful to you, and that's why its development has not halted when the `sysfs` hierarchy came out:
|
||||
|
||||
|
@ -109,12 +109,14 @@ This tool only supports Linux, and [some flavors of BSD](#which-bsd-oses-are-sup
|
|||
|
||||
## The tool says there is an updated microcode for my CPU, but I don't have it!
|
||||
|
||||
Even if your operating system is fully up to date, the tool might still tell you that there is a more recent microcode version for your CPU. Currently, it uses (and merges) information from two sources:
|
||||
Even if your operating system is fully up to date, the tool might still tell you that there is a more recent microcode version for your CPU. Currently, it uses (and merges) information from 4 sources:
|
||||
|
||||
- The official [Intel microcode repository](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files)
|
||||
- The awesome platomav's [MCExtractor database](https://github.com/platomav/MCExtractor) for non-Intel CPUs
|
||||
- The official [linux-firmware](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git) repository for AMD
|
||||
- Specific Linux kernel commits that sometimes hardcode microcode versions, such as for [Zenbleed](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=522b1d69219d8f083173819fde04f994aa051a98) or for the bad [Spectre](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/kernel/cpu/intel.c#n141) microcodes
|
||||
|
||||
Generally, for Intel CPUs it means that Intel does have a more recent version for your CPU, and for other CPUs it means that a more recent version has already been seen in the wild. However, your OS vendor might have chosen not to ship this new version (yet), maybe because it's currently being tested, or for other reasons. This tool can't tell you when or if this will be the case. You should ask your vendor about it. Technically, you can still go and upgrade your microcode yourself, and use this tool to confirm whether you did it successfully. Updating the microcode for you is out of the scope of this tool, as this would violate [rule 1b](#what-are-the-main-design-decisions-regarding-this-script).
|
||||
Generally, it means a more recent version of the microcode has been seen in the wild. However, fully public availability of this microcode might be limited yet, or your OS vendor might have chosen not to ship this new version (yet), maybe because it's currently being tested, or for other reasons. This tool can't tell you when or if this will be the case. You should ask your vendor about it. Technically, you can still go and upgrade your microcode yourself, and use this tool to confirm whether you did it successfully. Updating the microcode for you is out of the scope of this tool, as this would violate [rule 1b](#what-are-the-main-design-decisions-regarding-this-script).
|
||||
|
||||
## The tool says that I need a more up-to-date microcode, but I have the more recent version!
|
||||
|
||||
|
|
21
README.md
21
README.md
|
@ -20,7 +20,10 @@ CVE
|
|||
[CVE-2019-11135](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135) | TSX asynchronous abort | TAA, ZombieLoad V2
|
||||
[CVE-2018-12207](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207) | Machine Check Exception on Page Size Changes | MCEPSC, No eXcuses, iTLB Multihit
|
||||
[CVE-2020-0543](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0543) | Special Register Buffer Data Sampling | SRBDS
|
||||
[CVE-2022-40982](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40982) | Gather Data Sampling | GDS, Downfall
|
||||
[CVE-2023-20569](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20569) | Return Address Security | Inception, RAS, SRSO
|
||||
[CVE-2023-20593](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20593) | Cross-Process Information Leak | Zenbleed
|
||||
[CVE-2023-23583](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23583) | Redundant Prefix issue | Reptar
|
||||
|
||||
Supported operating systems:
|
||||
- Linux (all versions, flavors and distros)
|
||||
|
@ -180,8 +183,26 @@ docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/m
|
|||
- Mitigation: microcode update + kernel update helping to protect various CPU internal buffers from unprivileged speculative access to data
|
||||
- Performance impact of the mitigation: low
|
||||
|
||||
**CVE-2022-40982** Gather Data Sampling (GDS, Downfall)
|
||||
|
||||
- Impact: Kernel & all software
|
||||
- Mitigation: either microcode update or disabling AVX feature
|
||||
- Performance impact of the mitigation: TBD
|
||||
|
||||
**CVE-2023-20569** Return Address Security (Inception)
|
||||
|
||||
- Impact: Kernel & all software
|
||||
- Mitigation: updated kernel & microcode
|
||||
- Performance impact of the mitigation: low to significant depending on the mitigation
|
||||
|
||||
**CVE-2023-20593** Cross-Process Information Leak (Zenbleed)
|
||||
|
||||
- Impact: Kernel & all software
|
||||
- Mitigation: either kernel mitigation by disabling a CPU optimization through an MSR bit, or CPU microcode mitigation
|
||||
- Performance impact of the mitigation: TBD
|
||||
|
||||
**CVE-2023-23583** Redundant Prefix issue (Reptar)
|
||||
|
||||
- Impact: All software
|
||||
- Mitigation: microcode update for the affected CPU
|
||||
- Performance impact of the mitigation: low
|
||||
|
|
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue