mirror of
https://github.com/speed47/spectre-meltdown-checker
synced 2025-01-07 03:43:06 +01:00
feat: add --paranoid to choose whether we require IBPB
parent
c0108b9690
commit
223f5028df
@ -51,6 +51,7 @@ show_usage()
|
|||||||
--no-color don't use color codes
|
--no-color don't use color codes
|
||||||
--verbose, -v increase verbosity level, possibly several times
|
--verbose, -v increase verbosity level, possibly several times
|
||||||
--no-explain don't produce a human-readable explanation of actions to take to mitigate a vulnerability
|
--no-explain don't produce a human-readable explanation of actions to take to mitigate a vulnerability
|
||||||
|
--paranoid require IBPB to deem Variant 2 as mitigated
|
||||||
|
|
||||||
--no-sysfs don't use the /sys interface even if present [Linux]
|
--no-sysfs don't use the /sys interface even if present [Linux]
|
||||||
--sysfs-only only use the /sys interface, don't run our own checks [Linux]
|
--sysfs-only only use the /sys interface, don't run our own checks [Linux]
|
||||||
@ -131,6 +132,7 @@ opt_arch_prefix=''
|
|||||||
opt_hw_only=0
|
opt_hw_only=0
|
||||||
opt_no_hw=0
|
opt_no_hw=0
|
||||||
opt_no_explain=0
|
opt_no_explain=0
|
||||||
|
opt_paranoid=0
|
||||||
|
|
||||||
global_critical=0
|
global_critical=0
|
||||||
global_unknown=0
|
global_unknown=0
|
||||||
@ -459,6 +461,9 @@ while [ -n "$1" ]; do
|
|||||||
# don't use directly: used internally by --coreos
|
# don't use directly: used internally by --coreos
|
||||||
opt_coreos=0
|
opt_coreos=0
|
||||||
shift
|
shift
|
||||||
|
elif [ "$1" = "--paranoid" ]; then
|
||||||
|
opt_paranoid=1
|
||||||
|
shift
|
||||||
elif [ "$1" = "--hw-only" ]; then
|
elif [ "$1" = "--hw-only" ]; then
|
||||||
opt_hw_only=1
|
opt_hw_only=1
|
||||||
shift
|
shift
|
||||||
@ -2322,6 +2327,9 @@ check_variant2_linux()
|
|||||||
else
|
else
|
||||||
if [ "$retpoline" = 1 ] && [ "$retpoline_compiler" = 1 ] && [ "$retp_enabled" != 0 ] && [ -n "$ibpb_enabled" ] && [ "$ibpb_enabled" -ge 1 ] && ( ! is_skylake_cpu || [ -n "$rsb_filling" ] ); then
|
if [ "$retpoline" = 1 ] && [ "$retpoline_compiler" = 1 ] && [ "$retp_enabled" != 0 ] && [ -n "$ibpb_enabled" ] && [ "$ibpb_enabled" -ge 1 ] && ( ! is_skylake_cpu || [ -n "$rsb_filling" ] ); then
|
||||||
pvulnstatus $cve OK "Full retpoline + IBPB are mitigating the vulnerability"
|
pvulnstatus $cve OK "Full retpoline + IBPB are mitigating the vulnerability"
|
||||||
|
elif [ "$retpoline" = 1 ] && [ "$retpoline_compiler" = 1 ] && [ "$retp_enabled" != 0 ] && [ "$opt_paranoid" = 0 ] && ( ! is_skylake_cpu || [ -n "$rsb_filling" ] ); then
|
||||||
|
pvulnstatus $cve OK "Full retpoline is mitigating the vulnerability"
|
||||||
|
_warn "You might want to enable IBPB to complete retpoline as a Variant 2 mitigation"
|
||||||
elif [ -n "$ibrs_enabled" ] && [ -n "$ibpb_enabled" ] && [ "$ibrs_enabled" -ge 1 ] && [ "$ibpb_enabled" -ge 1 ]; then
|
elif [ -n "$ibrs_enabled" ] && [ -n "$ibpb_enabled" ] && [ "$ibrs_enabled" -ge 1 ] && [ "$ibpb_enabled" -ge 1 ]; then
|
||||||
pvulnstatus $cve OK "IBRS + IBPB are mitigating the vulnerability"
|
pvulnstatus $cve OK "IBRS + IBPB are mitigating the vulnerability"
|
||||||
elif [ "$ibpb_enabled" = 2 ] && ! is_cpu_smt_enabled; then
|
elif [ "$ibpb_enabled" = 2 ] && ! is_cpu_smt_enabled; then
|
||||||
|
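Review bot: In the check_variant2_linux hunk, the new `elif` guarded by `[ "$opt_paranoid" = 0 ]` never looks at `ibpb_enabled`, so by default a retpoline-only kernel now gets the same OK status as the retpoline + IBPB case, and the IBPB gap appears only in the `_warn` line. Retpoline covers indirect branches in the code built with it, whereas IBPB is the barrier between one process or guest and the next, so this difference matters on multi-tenant and hypervisor hosts. It should therefore be visible in the verdict text itself, which is what batch or monitoring consumers are most likely to read; how `_warn` is routed in batch mode is not visible in this hunk. I would carry the caveat in the status string, e.g. `pvulnstatus $cve OK "Full retpoline is mitigating the vulnerability (IBPB not detected, use --paranoid to require it)"`, using "not detected" because the branch also matches when `ibpb_enabled` is empty. The function body starts and ends outside the hunk, so the message shown with `--paranoid` set and IBPB missing cannot be checked from here.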