1
0
mirror of https://github.com/speed47/spectre-meltdown-checker synced 2025-01-03 01:55:51 +01:00

feat: add TSX_CTRL MSR detection in hardware info

This commit is contained in:
Stéphane Lesimple 2019-11-25 20:58:49 +01:00
parent bd47275501
commit 4fc2afe1bc

View File

@ -2319,15 +2319,15 @@ read_msr()
return 200 # permission error return 200 # permission error
# if rdmsr is available, use it # if rdmsr is available, use it
elif command -v rdmsr >/dev/null 2>&1 && [ "$SMC_NO_RDMSR" != 1 ]; then elif command -v rdmsr >/dev/null 2>&1 && [ "$SMC_NO_RDMSR" != 1 ]; then
_debug "read_msr: using rdmsr" _debug "read_msr: using rdmsr on $_msr"
read_msr_value=$(rdmsr -r $_msr_dec 2>/dev/null | od -t u8 -A n) read_msr_value=$(rdmsr -r $_msr_dec 2>/dev/null | od -t u8 -A n)
# or if we have perl, use it, any 5.x version will work # or if we have perl, use it, any 5.x version will work
elif command -v perl >/dev/null 2>&1 && [ "$SMC_NO_PERL" != 1 ]; then elif command -v perl >/dev/null 2>&1 && [ "$SMC_NO_PERL" != 1 ]; then
_debug "read_msr: using perl" _debug "read_msr: using perl on $_msr"
read_msr_value=$(perl -e "open(M,'<','/dev/cpu/$_cpu/msr') and seek(M,$_msr_dec,0) and read(M,\$_,8) and print" | od -t u8 -A n) read_msr_value=$(perl -e "open(M,'<','/dev/cpu/$_cpu/msr') and seek(M,$_msr_dec,0) and read(M,\$_,8) and print" | od -t u8 -A n)
# fallback to dd if it supports skip_bytes # fallback to dd if it supports skip_bytes
elif dd if=/dev/null of=/dev/null bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then elif dd if=/dev/null of=/dev/null bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then
_debug "read_msr: using dd" _debug "read_msr: using dd on $_msr"
read_msr_value=$(dd if=/dev/cpu/"$_cpu"/msr bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null | od -t u8 -A n) read_msr_value=$(dd if=/dev/cpu/"$_cpu"/msr bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null | od -t u8 -A n)
else else
_debug "read_msr: got no rdmsr, perl or recent enough dd!" _debug "read_msr: got no rdmsr, perl or recent enough dd!"
@ -2709,22 +2709,6 @@ check_cpu()
fi fi
fi fi
if is_intel; then
_info " * TSX Asynchronous Abort"
_info_nol " * TSX support is available: "
read_cpuid 0x7 $EDX 11 1 1; ret=$?
if [ $ret -eq 0 ]; then
cpuid_rtm=1
pstatus green YES "TSX RTM feature bit"
elif [ $ret -eq 2 ]; then
cpuid_rtm=-1
pstatus yellow UNKNOWN "is cpuid kernel module available?"
else
cpuid_rtm=0
pstatus yellow NO
fi
fi
if is_intel; then if is_intel; then
_info " * Enhanced IBRS (IBRS_ALL)" _info " * Enhanced IBRS (IBRS_ALL)"
_info_nol " * CPU indicates ARCH_CAPABILITIES MSR availability: " _info_nol " * CPU indicates ARCH_CAPABILITIES MSR availability: "
@ -2750,6 +2734,7 @@ check_cpu()
capabilities_l1dflush_no=-1 capabilities_l1dflush_no=-1
capabilities_ssb_no=-1 capabilities_ssb_no=-1
capabilities_pschange_msc_no=-1 capabilities_pschange_msc_no=-1
capabilities_tsx_ctrl_msr=-1
if [ "$cpuid_arch_capabilities" = -1 ]; then if [ "$cpuid_arch_capabilities" = -1 ]; then
pstatus yellow UNKNOWN pstatus yellow UNKNOWN
elif [ "$cpuid_arch_capabilities" != 1 ]; then elif [ "$cpuid_arch_capabilities" != 1 ]; then
@ -2761,6 +2746,7 @@ check_cpu()
capabilities_l1dflush_no=0 capabilities_l1dflush_no=0
capabilities_ssb_no=0 capabilities_ssb_no=0
capabilities_pschange_msc_no=0 capabilities_pschange_msc_no=0
capabilities_tsx_ctrl_msr=0
pstatus yellow NO pstatus yellow NO
elif [ ! -e /dev/cpu/0/msr ] && [ ! -e /dev/cpuctl0 ]; then elif [ ! -e /dev/cpu/0/msr ] && [ ! -e /dev/cpuctl0 ]; then
spec_ctrl_msr=-1 spec_ctrl_msr=-1
@ -2795,7 +2781,9 @@ check_cpu()
capabilities_l1dflush_no=0 capabilities_l1dflush_no=0
capabilities_ssb_no=0 capabilities_ssb_no=0
capabilities_pschange_msc_no=0 capabilities_pschange_msc_no=0
capabilities_tsx_ctrl_msr=0
if [ $val -eq 0 ]; then if [ $val -eq 0 ]; then
# https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/arch/x86/include/asm/msr-index.h#n82
_debug "capabilities MSR is $capabilities (decimal)" _debug "capabilities MSR is $capabilities (decimal)"
[ $(( capabilities >> 0 & 1 )) -eq 1 ] && capabilities_rdcl_no=1 [ $(( capabilities >> 0 & 1 )) -eq 1 ] && capabilities_rdcl_no=1
[ $(( capabilities >> 1 & 1 )) -eq 1 ] && capabilities_ibrs_all=1 [ $(( capabilities >> 1 & 1 )) -eq 1 ] && capabilities_ibrs_all=1
@ -2804,6 +2792,7 @@ check_cpu()
[ $(( capabilities >> 4 & 1 )) -eq 1 ] && capabilities_ssb_no=1 [ $(( capabilities >> 4 & 1 )) -eq 1 ] && capabilities_ssb_no=1
[ $(( capabilities >> 5 & 1 )) -eq 1 ] && capabilities_mds_no=1 [ $(( capabilities >> 5 & 1 )) -eq 1 ] && capabilities_mds_no=1
[ $(( capabilities >> 6 & 1 )) -eq 1 ] && capabilities_pschange_msc_no=1 [ $(( capabilities >> 6 & 1 )) -eq 1 ] && capabilities_pschange_msc_no=1
[ $(( capabilities >> 7 & 1 )) -eq 1 ] && capabilities_tsx_ctrl_msr=1
[ $(( capabilities >> 8 & 1 )) -eq 1 ] && capabilities_taa_no=1 [ $(( capabilities >> 8 & 1 )) -eq 1 ] && capabilities_taa_no=1
_debug "capabilities says rdcl_no=$capabilities_rdcl_no ibrs_all=$capabilities_ibrs_all rsba=$capabilities_rsba l1dflush_no=$capabilities_l1dflush_no ssb_no=$capabilities_ssb_no mds_no=$capabilities_mds_no taa_no=$capabilities_taa_no pschange_msc_no=$capabilities_pschange_msc_no" _debug "capabilities says rdcl_no=$capabilities_rdcl_no ibrs_all=$capabilities_ibrs_all rsba=$capabilities_rsba l1dflush_no=$capabilities_l1dflush_no ssb_no=$capabilities_ssb_no mds_no=$capabilities_mds_no taa_no=$capabilities_taa_no pschange_msc_no=$capabilities_pschange_msc_no"
if [ "$capabilities_ibrs_all" = 1 ]; then if [ "$capabilities_ibrs_all" = 1 ]; then
@ -2888,6 +2877,58 @@ check_cpu()
else else
pstatus yellow NO pstatus yellow NO
fi fi
_info_nol " * CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR): "
if [ "$capabilities_tsx_ctrl_msr" = -1 ]; then
pstatus yellow UNKNOWN
elif [ "$capabilities_tsx_ctrl_msr" = 1 ]; then
pstatus green YES
else
pstatus yellow NO
fi
if [ "$capabilities_tsx_ctrl_msr" = 1 ]; then
read_msr 0x122 0; ret=$?
if [ "$ret" = 0 ]; then
tsx_ctrl_msr=$read_msr_value
tsx_ctrl_msr_rtm_disable=$(( tsx_ctrl_msr >> 0 & 1 ))
tsx_ctrl_msr_cpuid_clear=$(( tsx_ctrl_msr >> 1 & 1 ))
fi
_info_nol " * TSX_CTRL MSR indicates TSX RTM is disabled: "
if [ "$tsx_ctrl_msr_rtm_disable" = 1 ]; then
pstatus blue YES
elif [ "$tsx_ctrl_msr_rtm_disable" = 0 ]; then
pstatus blue NO
else
pstatus yellow UNKNOWN "couldn't read MSR"
fi
_info_nol " * TSX_CTRL MSR indicates TSX CPUID bit is cleared: "
if [ "$tsx_ctrl_msr_cpuid_clear" = 1 ]; then
pstatus blue YES
elif [ "$tsx_ctrl_msr_cpuid_clear" = 0 ]; then
pstatus blue NO
else
pstatus yellow UNKNOWN "couldn't read MSR"
fi
fi
fi
_info_nol " * CPU supports Transactional Synchronization Extensions (TSX): "
ret=1
cpuid_rtm=0
if is_intel; then
read_cpuid 0x7 $EDX 11 1 1; ret=$?
fi
if [ $ret -eq 0 ]; then
cpuid_rtm=1
pstatus green YES
elif [ $ret -eq 2 ]; then
cpuid_rtm=-1
pstatus yellow UNKNOWN "is cpuid kernel module available?"
else
pstatus yellow NO
fi fi
_info_nol " * CPU supports Software Guard Extensions (SGX): " _info_nol " * CPU supports Software Guard Extensions (SGX): "
@ -4285,7 +4326,8 @@ check_CVE_2018_3639_bsd()
pvulnstatus $cve OK "SSBD mitigates the vulnerability" pvulnstatus $cve OK "SSBD mitigates the vulnerability"
elif [ -n "$cpuid_ssbd" ]; then elif [ -n "$cpuid_ssbd" ]; then
if [ "$kernel_ssb" = 1 ]; then if [ "$kernel_ssb" = 1 ]; then
pvulnstatus $cve VULN "you need to enable ssbd through sysctl to mitigate the vulnerability" pvulnstatus $cve VULN "you need to enable SSBD through sysctl to mitigate the vulnerability"
explain "To enable SSBD right now, you can run \`sysctl hw.spec_store_bypass_disable=2'. To make this change persistent across reboots, you can add 'sysctl hw.spec_store_bypass_disable=2' to /etc/sysctl.conf."
else else
pvulnstatus $cve VULN "your kernel needs to be updated" pvulnstatus $cve VULN "your kernel needs to be updated"
fi fi
@ -4804,6 +4846,7 @@ check_mds_bsd()
fi fi
else else
pvulnstatus "$cve" VULN "Your microcode and kernel are both up to date for this mitigation, but the mitigation is not active" pvulnstatus "$cve" VULN "Your microcode and kernel are both up to date for this mitigation, but the mitigation is not active"
explain "To enable mitigation, run \`sysctl hw.mds_disable=1'. To make this change persistent across reboots, you can add 'hw.mds_disable=1' to /etc/sysctl.conf."
fi fi
else else
pvulnstatus "$cve" OK "Your microcode and kernel are both up to date for this mitigation" pvulnstatus "$cve" OK "Your microcode and kernel are both up to date for this mitigation"