From b8d28e7f61d6c1ae62a86e0f051a57c0c8dbbdf8 Mon Sep 17 00:00:00 2001 From: Simon Vasseur Date: Wed, 10 Jan 2018 14:55:58 +0100 Subject: [PATCH] added some style --- README.md | 70 ++++--------------------------------------------------- 1 file changed, 4 insertions(+), 66 deletions(-) diff --git a/README.md b/README.md index 2089d4f..b77b6f4 100644 --- a/README.md +++ b/README.md @@ -8,6 +8,10 @@ You can also specify a kernel image on the command line, if you'd like to inspec The script will do its best to detect mitigations, including backported non-vanilla patches, regardless of the advertised kernel version number. +## Example of script output + +![checker](https://framapic.org/FjroIZximyoM/EO5msoSMKb6L.png) + ## Quick summary of the CVEs **CVE-2017-5753** bounds check bypass (Spectre Variant 1) 
@@ -28,69 +32,3 @@ The script will do its best to detect mitigations, including backported non-vani - Impact: Kernel - Mitigation: updated kernel (with PTI/KPTI patches), updating the kernel is enough - Performance impact of the mitigation: low to medium - -## Example of script output - -### Ubuntu LTS (before official patches) - -``` -$ sudo ./spectre-and-meltdown.sh -Spectre and Meltdown mitigation detection tool v0.16 - -Checking for vulnerabilities against live running kernel Linux 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64 -Will use vmlinux image /boot/vmlinuz-4.4.0-104-generic -Will use kconfig /boot/config-4.4.0-104-generic -Will use System.map file /boot/System.map-4.4.0-104-generic - -CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1' -* Kernel compiled with LFENCE opcode inserted at the proper places: NO (only 38 opcodes found, should be >= 70) -> STATUS: VULNERABLE - -CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2' -* Mitigation 1 -* Hardware (CPU microcode) support for mitigation: NO -* Kernel support for IBRS: NO -* IBRS enabled for Kernel space: NO -* IBRS enabled for User space: NO -* Mitigation 2 -* Kernel compiled with retpoline option: NO -* Kernel compiled with a retpoline-aware compiler: NO -> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability) - -CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3' -* Kernel supports Page Table Isolation (PTI): NO -* PTI enabled and active: NO -> STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability) -``` - -### First patched kernel of RHEL6 - -``` -$ sudo ./spectre-meltdown-checker.sh --kernel /tmp/vmlinuz-2.6.32-696.18.7.el6.x86_64 --config /tmp/config-2.6.32-696.18.7.el6.x86_64 --map /tmp/System.map-2.6.32-696.18.7.el6.x86_64 -Spectre and Meltdown mitigation detection tool v0.16 - -Checking for vulnerabilities against specified kernel -Will use vmlinux image 
/tmp/vmlinuz-2.6.32-696.18.7.el6.x86_64 -Will use kconfig /tmp/config-2.6.32-696.18.7.el6.x86_64 -Will use System.map file /tmp/System.map-2.6.32-696.18.7.el6.x86_64 - -CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1' -* Kernel compiled with LFENCE opcode inserted at the proper places: YES (84 opcodes found, which is >= 70) -> STATUS: NOT VULNERABLE - -CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2' -* Mitigation 1 -* Hardware (CPU microcode) support for mitigation: NO -* Kernel support for IBRS: YES -* IBRS enabled for Kernel space: N/A (not testable in offline mode) -* IBRS enabled for User space: N/A (not testable in offline mode) -* Mitigation 2 -* Kernel compiled with retpoline option: NO -* Kernel compiled with a retpoline-aware compiler: NO -> STATUS: NOT VULNERABLE (offline mode: IBRS will mitigate the vulnerability if enabled at runtime) - -CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3' -* Kernel supports Page Table Isolation (PTI): YES -* PTI enabled and active: N/A (can't verify if PTI is enabled in offline mode) -> STATUS: NOT VULNERABLE (offline mode: PTI will mitigate the vulnerability if enabled at runtime) -```
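Review bot: in the first hunk (README.md, after the "regardless of the advertised kernel version number" paragraph), the new "Example of script output" section consists only of `![checker](https://framapic.org/FjroIZximyoM/EO5msoSMKb6L.png)`, an image served from a third-party host outside the repository. If that host removes or replaces the file, the README loses its only example of output. An image is also not searchable, not readable in a terminal or by a screen reader, and the alt text "checker" says nothing about what it shows. Suggest committing the screenshot to the repository and referencing it by relative path, giving it descriptive alt text, and stating which script version and which kernel the screenshot was taken on.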
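Review bot: in the second hunk (README.md, after the CVE-2017-5754 summary), the deleted block is the only worked example visible in this diff of the offline invocation with `--kernel`, `--config` and `--map`, and of how results are worded in that mode: `N/A (not testable in offline mode)` and `NOT VULNERABLE (offline mode: PTI will mitigate the vulnerability if enabled at runtime)`. That wording carries the caveat that an offline NOT VULNERABLE is conditional on the mitigation being enabled at runtime, and the patch does not show whether the replacement screenshot covers it. Suggest keeping at least the offline sample as text, or moving both samples to a separate file linked from the README. If the text is kept, the two samples invoke the script under different names (`./spectre-and-meltdown.sh` and `./spectre-meltdown-checker.sh`) and should use one. The subject line "added some style" also does not mention that 66 lines of documentation are removed.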