1
0
mirror of https://github.com/speed47/spectre-meltdown-checker synced 2024-12-22 20:33:56 +01:00

add --variant to specify what check we want to run

This commit is contained in:
Stéphane Lesimple 2018-01-10 12:24:16 +01:00
parent 5389ac6844
commit 74bc7ba637

View File

@ -8,7 +8,7 @@
#
# Stephane Lesimple
#
VERSION=0.21
VERSION=0.22
# Script configuration
show_usage()
@ -34,8 +34,10 @@ show_usage()
Options:
--no-color Don't use color codes
-v, --verbose Increase verbosity level
--batch Produce machine readable output
--batch text Produce machine readable output, this is the default if --batch is specified alone
--batch nrpe Produce machine readable output formatted for NRPE
--variant [1,2,3] Specify which variant you'd like to check, by default all variants are checked
Can be specified multiple times (e.g. --variant 2 --variant 3)
IMPORTANT:
A false sense of security is worse than no security at all.
@ -79,6 +81,10 @@ opt_no_color=0
opt_batch=0
opt_batch_format="text"
opt_verbose=1
opt_variant1=0
opt_variant2=0
opt_variant3=0
opt_allvariants=1
nrpe_critical=0
nrpe_unknown=0
@ -255,6 +261,20 @@ while [ -n "$1" ]; do
elif [ "$1" = "-v" -o "$1" = "--verbose" ]; then
opt_verbose=$(expr $opt_verbose + 1)
shift
elif [ "$1" = "--variant" ]; then
if [ -z "$2" ]; then
echo "$0: error: option --variant expects a parameter (1, 2 or 3)" >&2
exit 1
fi
case "$2" in
1) opt_variant1=1; opt_allvariants=0;;
2) opt_variant2=1; opt_allvariants=0;;
3) opt_variant3=1; opt_allvariants=0;;
*)
echo "$0: error: invalid parameter '$2' for --variant, expected either 1, 2 or 3" >&2;
exit 1;;
esac
shift 2
elif [ "$1" = "-h" -o "$1" = "--help" ]; then
show_header
show_usage
@ -467,8 +487,31 @@ fi
_info
###########
# SPECTRE 1
# end of header stuff
# now we define some util functions and the check_*() funcs, as
# the user can choose to execute only some of those
mount_debugfs()
{
if [ ! -e /sys/kernel/debug/sched_features ]; then
# try to mount the debugfs hierarchy ourselves and remember it to umount afterwards
mount -t debugfs debugfs /sys/kernel/debug 2>/dev/null && mounted_debugfs=1
fi
}
umount_debugfs()
{
if [ "$mounted_debugfs" = 1 ]; then
# umount debugfs if we did mount it ourselves
umount /sys/kernel/debug
fi
}
###################
# SPECTRE VARIANT 1
check_variant1()
{
_info "\033[1;34mCVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'\033[0m"
_info_nol "* Checking count of LFENCE opcodes in kernel: "
@ -505,10 +548,12 @@ else
2) pvulnstatus CVE-2017-5753 OK 'heuristic to be improved when official patches become available';;
esac
fi
}
###########
# VARIANT 2
_info
###################
# SPECTRE VARIANT 2
check_variant2()
{
_info "\033[1;34mCVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'\033[0m"
_info "* Mitigation 1"
_info_nol "* Hardware (CPU microcode) support for mitigation: "
@ -537,10 +582,7 @@ fi
_info_nol "* Kernel support for IBRS: "
if [ "$opt_live" = 1 ]; then
if [ ! -e /sys/kernel/debug/sched_features ]; then
# try to mount the debugfs hierarchy ourselves and remember it to umount afterwards
mount -t debugfs debugfs /sys/kernel/debug 2>/dev/null && mounted_debugfs=1
fi
mount_debugfs
if [ -e /sys/kernel/debug/ibrs_enabled ]; then
# if the file is there, we have IBRS compiled-in
pstatus green YES
@ -657,10 +699,12 @@ else
pvulnstatus CVE-2017-5715 VULN "IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability"
fi
fi
}
##########
# MELTDOWN
_info
########################
# MELTDOWN aka VARIANT 3
check_variant3()
{
_info "\033[1;34mCVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'\033[0m"
_info_nol "* Kernel supports Page Table Isolation (PTI): "
kpti_support=0
@ -700,6 +744,7 @@ else
pstatus yellow UNKNOWN "couldn't read your kernel configuration nor System.map file"
fi
mount_debugfs
_info_nol "* PTI enabled and active: "
if [ "$opt_live" = 1 ]; then
if grep ^flags /proc/cpuinfo | grep -qw pti; then
@ -729,11 +774,6 @@ else
pstatus blue N/A "can't verify if PTI is enabled in offline mode"
fi
if [ "$mounted_debugfs" = 1 ]; then
# umount debugfs if we did mount it ourselves
umount /sys/kernel/debug
fi
if ! is_cpu_vulnerable 3; then
pvulnstatus CVE-2017-5754 OK "your CPU vendor reported your CPU model as not vulnerable"
elif [ "$opt_live" = 1 ]; then
@ -749,11 +789,28 @@ else
pvulnstatus CVE-2017-5754 VULN "PTI is needed to mitigate the vulnerability"
fi
fi
}
# now run the checks the user asked for
if [ "$opt_variant1" = 1 -o "$opt_allvariants" = 1 ]; then
check_variant1
_info
fi
if [ "$opt_variant2" = 1 -o "$opt_allvariants" = 1 ]; then
check_variant2
_info
fi
if [ "$opt_variant3" = 1 -o "$opt_allvariants" = 1 ]; then
check_variant3
_info
fi
_info "A false sense of security is worse than no security at all, see --disclaimer"
# this'll umount only if we mounted debugfs ourselves
umount_debugfs
# cleanup the temp decompressed config
[ -n "$dumped_config" ] && rm -f "$dumped_config"
if [ "$opt_batch" = 1 -a "$opt_batch_format" = "nrpe" ]; then