mirror of
https://github.com/speed47/spectre-meltdown-checker
synced 2024-12-22 12:23:36 +01:00
feat(variant4): detect SSBD-aware kernel
This commit is contained in:
parent
19be8f79eb
commit
68af5c5f92
@ -1673,7 +1673,7 @@ check_cpu()
|
||||
_info_nol " * CPU indicates SSBD capability: "
|
||||
read_cpuid 0x7 $EDX 31 1 1; ret=$?
|
||||
if [ $ret -eq 0 ]; then
|
||||
#cpuid_ng1=1
|
||||
cpuid_ssbd=1
|
||||
pstatus green YES "SSBD feature bit"
|
||||
elif [ $ret -eq 1 ]; then
|
||||
pstatus yellow NO
|
||||
@ -2890,7 +2890,7 @@ check_variant3a()
|
||||
sys_interface_available=0
|
||||
msg=''
|
||||
|
||||
_info_nol " * CPU microcode mitigates the vulnerability:"
|
||||
_info_nol " * CPU microcode mitigates the vulnerability: "
|
||||
pstatus yellow UNKNOWN "an up to date microcode is sufficient to mitigate this vulnerability, detection will be implemented soon"
|
||||
|
||||
cve='CVE-2018-3640'
|
||||
@ -2914,7 +2914,28 @@ check_variant4()
|
||||
sys_interface_available=1
|
||||
fi
|
||||
if [ "$opt_sysfs_only" != 1 ]; then
|
||||
:
|
||||
_info_nol " * Kernel supports speculation store bypass: "
|
||||
if [ "$opt_live" = 1 ]; then
|
||||
if grep -q 'Speculation.Store.Bypass:' /proc/self/status 2>/dev/null; then
|
||||
kernel_ssb='found in /proc/self/status'
|
||||
_debug "found Speculation.Store.Bypass: in /proc/self/status"
|
||||
fi
|
||||
fi
|
||||
if [ -z "$kernel_ssb" ] && [ -n "$kernel" ]; then
|
||||
kernel_ssb=$("${opt_arch_prefix}strings" "$kernel" | grep spec_store_bypass | head -n1);
|
||||
[ -n "$kernel_ssb" ] && _debug "found $kernel_ssb in kernel"
|
||||
fi
|
||||
if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ]; then
|
||||
kernel_ssb=$(grep spec_store_bypass "$opt_map" | head -n1)
|
||||
[ -n "$kernel_ssb" ] && _debug "found $kernel_ssb in System.map"
|
||||
fi
|
||||
|
||||
if [ -n "$kernel_ssb" ]; then
|
||||
pstatus green YES "$kernel_ssb"
|
||||
else
|
||||
pstatus yellow NO
|
||||
fi
|
||||
|
||||
elif [ "$sys_interface_available" = 0 ]; then
|
||||
# we have no sysfs but were asked to use it only!
|
||||
msg="/sys vulnerability interface use forced, but it's not available!"
|
||||
@ -2925,13 +2946,26 @@ check_variant4()
|
||||
if ! is_cpu_vulnerable 4; then
|
||||
# override status & msg in case CPU is not vulnerable after all
|
||||
pvulnstatus $cve OK "your CPU vendor reported your CPU model as not vulnerable"
|
||||
elif [ -z "$msg" ]; then
|
||||
elif [ -z "$msg" ] || [ "$msg" = "Vulnerable" ]; then
|
||||
# if msg is empty, sysfs check didn't fill it, rely on our own test
|
||||
pvulnstatus $cve VULN "your CPU microcode needs to be updated"
|
||||
explain "A new microcode is needed for your CPU to provide mitigation tools that software running on your machine can use to protect itself against the vulnerability."
|
||||
if [ "$cpuid_ssbd" = 1 ]; then
|
||||
if [ -n "$kernel_ssb" ]; then
|
||||
pvulnstatus $cve OK "your system provides the necessary tools for software mitigation"
|
||||
else
|
||||
pvulnstatus $cve VULN "your kernel needs to be updated"
|
||||
explain "You have a recent-enough microcode but your kernel is too old to use the new features exported by your CPU's microcode"
|
||||
fi
|
||||
else
|
||||
if [ -n "$kernel_ssb" ]; then
|
||||
pvulnstatus $cve VULN "Your CPU doesn't support SSBD"
|
||||
explain "Your kernel is recent enough to be able to export features for mitigation, but your CPU microcode doesn't provide the necessary tools"
|
||||
else
|
||||
pvulnstatus $cve VULN "Neither your CPU nor your kernel support SSBD"
|
||||
explain "You need to update your CPU microcode and use a more recent kernel to provide the necessary mitigation tools to the software running on your machine"
|
||||
fi
|
||||
fi
|
||||
else
|
||||
pvulnstatus $cve "$status" "$msg"
|
||||
[ "$msg" = "Vulnerable" ] && explain "A new microcode is needed for your CPU to provide mitigation tools that software running on your machine can use to protect itself against the vulnerability."
|
||||
fi
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user