mirror of
https://github.com/speed47/spectre-meltdown-checker
synced 2024-12-23 04:43:37 +01:00
adjust README
parent
8e870db4f5
commit
1d13a423b8
24
README.md
24
README.md
@ -10,10 +10,10 @@ A shell script to tell if your system is vulnerable against the several "specula
|
|||||||
- CVE-2018-3615 [L1 terminal fault] aka 'Foreshadow (SGX)'
|
- CVE-2018-3615 [L1 terminal fault] aka 'Foreshadow (SGX)'
|
||||||
- CVE-2018-3620 [L1 terminal fault] aka 'Foreshadow-NG (OS)'
|
- CVE-2018-3620 [L1 terminal fault] aka 'Foreshadow-NG (OS)'
|
||||||
- CVE-2018-3646 [L1 terminal fault] aka 'Foreshadow-NG (VMM)'
|
- CVE-2018-3646 [L1 terminal fault] aka 'Foreshadow-NG (VMM)'
|
||||||
- CVE-2018-12126 [MSBDS] Microarchitectural Store Buffer Data Sampling
|
- CVE-2018-12126 [microarchitectural store buffer data sampling (MSBDS)] aka 'Fallout'
|
||||||
- CVE-2018-12130 [MFBDS] Microarchitectural Fill Buffer Data Sampling
|
- CVE-2018-12130 [microarchitectural fill buffer data sampling (MFBDS)] aka 'RIDL'
|
||||||
- CVE-2018-12127 [MLPDS] Microarchitectural Load Port Data Sampling
|
- CVE-2018-12127 [microarchitectural load port data sampling (MLPDS)] aka 'RIDL'
|
||||||
- CVE-2019-11091 [MDSUM] Microarchitectural Data Sampling Uncacheable Memory
|
- CVE-2019-11091 [microarchitectural data sampling uncacheable memory (MDSUM)] aka 'RIDL'
|
||||||
|
|
||||||
Supported operating systems:
|
Supported operating systems:
|
||||||
- Linux (all versions, flavors and distros)
|
- Linux (all versions, flavors and distros)
|
||||||
@ -129,17 +129,21 @@ docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/m
|
|||||||
**CVE-2018-3646** l1 terminal fault (Foreshadow-NG VMM)
|
**CVE-2018-3646** l1 terminal fault (Foreshadow-NG VMM)
|
||||||
|
|
||||||
- Impact: Virtualization software and Virtual Machine Monitors
|
- Impact: Virtualization software and Virtual Machine Monitors
|
||||||
- Mitigation: disable ept (extended page tables), disable hyper-threading (SMT), or
|
- Mitigation: disable ept (extended page tables), disable hyper-threading (SMT), or updated kernel (with L1d flush)
|
||||||
updated kernel (with L1d flush)
|
|
||||||
- Performance impact of the mitigation: low to significant
|
- Performance impact of the mitigation: low to significant
|
||||||
|
|
||||||
**CVE-2018-12126** [MSBDS] Microarchitectural Store Buffer Data Sampling
|
**CVE-2018-12126** [MSBDS] Microarchitectural Store Buffer Data Sampling (Fallout)
|
||||||
**CVE-2018-12130** [MFBDS] Microarchitectural Fill Buffer Data Sampling
|
|
||||||
**CVE-2018-12127** [MLPDS] Microarchitectural Load Port Data Sampling
|
**CVE-2018-12130** [MFBDS] Microarchitectural Fill Buffer Data Sampling (RIDL)
|
||||||
**CVE-2019-11091** [MDSUM] Microarchitectural Data Sampling Uncacheable Memory
|
|
||||||
|
**CVE-2018-12127** [MLPDS] Microarchitectural Load Port Data Sampling (RIDL)
|
||||||
|
|
||||||
|
**CVE-2019-11091** [MDSUM] Microarchitectural Data Sampling Uncacheable Memory (RIDL)
|
||||||
|
|
||||||
- Impact: Kernel
|
- Impact: Kernel
|
||||||
- Mitigation: microcode update + kernel update making possible to protect various CPU internal buffers from unprivilaged speculative access to data
|
- Mitigation: microcode update + kernel update making possible to protect various CPU internal buffers from unprivilaged speculative access to data
|
||||||
|
- Performance impact of the mitigation: TBC
|
||||||
|
- Note: These 4 CVEs are similar and collectively named "MDS" vulnerabilities, the mitigation is identical same for all
|
||||||
|
|
||||||
## Understanding what this script does and doesn't
|
## Understanding what this script does and doesn't
|
||||||
|
|
||||||
|
@ -2354,7 +2354,6 @@ check_cpu()
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
_info_nol " * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: "
|
_info_nol " * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: "
|
||||||
mds_no=-1
|
|
||||||
capabilities_mds_no=-1
|
capabilities_mds_no=-1
|
||||||
capabilities_rdcl_no=-1
|
capabilities_rdcl_no=-1
|
||||||
capabilities_ibrs_all=-1
|
capabilities_ibrs_all=-1
|
||||||
@ -4269,13 +4268,13 @@ check_mds()
|
|||||||
|
|
||||||
if [ "$opt_live" != 1 ]; then
|
if [ "$opt_live" != 1 ]; then
|
||||||
pstatus blue N/A "not testable in offline mode"
|
pstatus blue N/A "not testable in offline mode"
|
||||||
pvulnstatus $cve UNK
|
pvulnstatus "$cve" UNK
|
||||||
return
|
return
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if ! is_cpu_vulnerable "$cve" ; then
|
if ! is_cpu_vulnerable "$cve" ; then
|
||||||
# override status & msg in case CPU is not vulnerable after all
|
# override status & msg in case CPU is not vulnerable after all
|
||||||
pvulnstatus $cve OK "your CPU vendor reported your CPU model as not vulnerable"
|
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not vulnerable"
|
||||||
return
|
return
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -4312,11 +4311,11 @@ check_mds()
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
if [ $mds_mitigated = 0 ];then
|
if [ $mds_mitigated = 0 ];then
|
||||||
pvulnstatus $cve VULN
|
pvulnstatus "$cve" VULN
|
||||||
elif [ $mds_mitigated = 1 ]; then
|
elif [ $mds_mitigated = 1 ]; then
|
||||||
pvulnstatus $cve OK
|
pvulnstatus "$cve" OK
|
||||||
else
|
else
|
||||||
pvulnstatus $cve UNK "further action may be needed to mitigate this vulnerability. For more info check Linux kernel Documentation/admin-guide/hw-vuln/mds.rst"
|
pvulnstatus "$cve" UNK "further action may be needed to mitigate this vulnerability. For more info check Linux kernel Documentation/admin-guide/hw-vuln/mds.rst"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
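Review bot: The two tests on `mds_mitigated` at the end of check_mds are still unquoted, although this commit quotes `$cve` on the lines right next to them. If the variable were ever empty, `[ $mds_mitigated = 0 ]` would make `[` fail with an error on stderr and the chain would fall through to the UNK branch; that errs toward "unknown" rather than "OK", but quoting makes the behaviour explicit: `if [ "$mds_mitigated" = 0 ]; then` and `elif [ "$mds_mitigated" = 1 ]; then`. The assignment of mds_mitigated lies outside the hunk, so whether it can be empty is not visible here. Separately, the check_cpu hunk drops `mds_no=-1` in a commit titled "adjust README"; it is worth confirming that nothing else in the script still reads `mds_no`.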