From 34ef5ef21b35342801a45f8f00ca43059846bad4 Mon Sep 17 00:00:00 2001
From: Vincent Brillault
Date: Mon, 8 Jan 2018 12:41:02 +0100
Subject: [PATCH 1/3] Delay umount (for RedHat access to pti_enable)
---
 spectre-meltdown-checker.sh | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
index 9b78da3..367b3e0 100755
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
@@ -199,11 +199,6 @@ case "$ibrs_enabled" in
 *) pstatus yellow unknown;;
 esac
-if [ "$mounted_debugfs" = 1 ]; then
- # umount debugfs if we did mount it ourselves
- umount /sys/kernel/debug
-fi
-
 /bin/echo "* Mitigation 2"
 /bin/echo -n "* Kernel compiled with retpolines: "
 # We check the RETPOLINE kernel options
@@ -301,6 +296,11 @@ else
 pstatus red NO
 fi
+if [ "$mounted_debugfs" = 1 ]; then
+ # umount debugfs if we did mount it ourselves
+ umount /sys/kernel/debug
+fi
+
 /bin/echo -ne "> \033[46m\033[30mSTATUS:\033[0m "
 if grep -q AMD /proc/cpuinfo; then
 pstatus green "NOT VULNERABLE" "your CPU is not vulnerable as per the vendor"
From 66f77080950dceffef6023054629a208a15220cd Mon Sep 17 00:00:00 2001
From: Vincent Brillault
Date: Mon, 8 Jan 2018 12:39:03 +0100
Subject: [PATCH 2/3] Refactor RedHat support:
- Isolate file check to different elif (allowing to add more)
- Do the PTI debugfs check first (faster and supposed to be dynamic)
- If pti_enable is 0, don't trust dmesg (supposed to be dynamic)
---
 spectre-meltdown-checker.sh | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
index 367b3e0..f809e0d 100755
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
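Review bot: The re-added umount block at the end of the second hunk only runs when the script reaches it on the straight-line path; an earlier `exit`, an interrupt, or a failing command if the script's header (outside this hunk) enables `set -e`, leaves a debugfs that the script mounted itself still mounted, and with it the kernel debug interfaces it exposes. Moving the block later, as this commit does, widens exactly that window, so a cleanup trap registered at the mount site is the more robust form: `trap '[ "$mounted_debugfs" = 1 ] && umount /sys/kernel/debug' EXIT` right after the `mount -t debugfs debugfs /sys/kernel/debug ... && mounted_debugfs=1` line (that line is context in the first hunk of the second patch, not here), which would let this block go away entirely. The `umount` result is also unchecked, so a failed unmount is reported only by umount's own stderr and the script's exit status says nothing about it.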
@@ -171,15 +171,20 @@ if [ ! -e /sys/kernel/debug/sched_features ]; then
 # try to mount the debugfs hierarchy ourselves and remember it to umount afterwards
 mount -t debugfs debugfs /sys/kernel/debug 2>/dev/null && mounted_debugfs=1
 fi
-if [ -e /sys/kernel/debug/ibrs_enabled -o -e /sys/kernel/debug/x86/ibrs_enabled ]; then
+if [ -e /sys/kernel/debug/ibrs_enabled ]; then
 # if the file is there, we have IBRS compiled-in
 pstatus green YES
 ibrs_supported=1
+ ibrs_enabled=$(cat /sys/kernel/debug/ibrs_enabled 2>/dev/null)
+elif [ -e /sys/kernel/debug/x86/ibrs_enabled ]; then
+ # RedHat uses a different path (see https://access.redhat.com/articles/3311301)
+ pstatus green YES
+ ibrs_supported=1
+ ibrs_enabled=$(cat /sys/kernel/debug/x86/ibrs_enabled 2>/dev/null)
 else
 pstatus red NO
 fi
-[ -f /sys/kernel/debug/ibrs_enabled ] && ibrs_enabled=$(cat /sys/kernel/debug/ibrs_enabled 2>/dev/null) || ibrs_enabled=$(cat /sys/kernel/debug/x86/ibrs_enabled 2>/dev/null)
 /bin/echo -n "* IBRS enabled for Kernel space: "
 # 0 means disabled
 # 1 is enabled only for kernel space
@@ -285,13 +290,17 @@ if grep ^flags /proc/cpuinfo | grep -qw pti; then
 # vanilla PTI patch sets the 'pti' flag in cpuinfo
 pstatus green YES
 kpti_enabled=1
+elif [ -e /sys/kernel/debug/x86/pti_enabled ]; then
+ # RedHat Backport creates a dedicated file, see https://access.redhat.com/articles/3311301
+ kpti_enabled=$(cat /sys/kernel/debug/x86/pti_enabled 2>/dev/null)
 elif dmesg | grep -Eq 'Kernel/User page tables isolation: enabled|Kernel page table isolation enabled'; then
 # if we can't find the flag, grep in dmesg
- pstatus green YES
 kpti_enabled=1
-elif [ -e /sys/kernel/debug/x86/pti_enabled -a "$(cat /sys/kernel/debug/x86/pti_enabled 2>/dev/null)" = 1 ]; then
+else
+ kpti_enabled=0
+fi
+if [ "$kpti_enabled" = 1 ]; then
 pstatus green YES
- kpti_enabled=1
 else
 pstatus red NO
 fi
From a7923489287a2626590f7cecab7f59ea524641c5 Mon Sep 17 00:00:00 2001
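Review bot: The new `if`/`elif` pair in the first hunk repeats `pstatus green YES` and `ibrs_supported=1` in both branches and differs only in the path that is read, so the third location the commit message anticipates would mean copying the same three lines again. Resolving the file path first and keeping a single reporting block, the way the second hunk of this patch already does for `kpti_enabled`, leaves each location as a one-line branch and reads the chosen file once; the sketch below keeps the existing comments and output byte-for-byte.

```shell
ibrs_file=
if [ -e /sys/kernel/debug/ibrs_enabled ]; then
	ibrs_file=/sys/kernel/debug/ibrs_enabled
elif [ -e /sys/kernel/debug/x86/ibrs_enabled ]; then
	# RedHat uses a different path (see https://access.redhat.com/articles/3311301)
	ibrs_file=/sys/kernel/debug/x86/ibrs_enabled
fi
if [ -n "$ibrs_file" ]; then
	# if the file is there, we have IBRS compiled-in
	pstatus green YES
	ibrs_supported=1
	ibrs_enabled=$(cat "$ibrs_file" 2>/dev/null)
else
	pstatus red NO
fi
# … unchanged: "* IBRS enabled for Kernel space" reporting …
```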
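Review bot: In the second hunk's new `pti_enabled` branch, `kpti_enabled` receives the raw file content, so a failed or empty read (cat's errors are discarded) leaves it as an empty string while every other branch leaves it as 0 or 1; the `[ "$kpti_enabled" = 1 ]` check right below still prints NO, but any later use of `$kpti_enabled` outside this hunk (the final verdict code is not visible here) would see "" where it expects 0. Normalising immediately after the read keeps the variable's contract: `kpti_enabled=$(cat /sys/kernel/debug/x86/pti_enabled 2>/dev/null)` followed by `[ "$kpti_enabled" = 1 ] || kpti_enabled=0`. The reason this branch now takes precedence over the dmesg check lives only in the commit message; a comment on the new `elif` such as `# the debugfs value reflects the live state, so it overrides dmesg, which may be stale or already rotated out` would keep that reasoning next to the code.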
From: Vincent Brillault
Date: Mon, 8 Jan 2018 12:54:16 +0100
Subject: [PATCH 3/3] RedHat uses a different configuration name
---
 spectre-meltdown-checker.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
index f809e0d..3be2418 100755
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
@@ -250,13 +250,13 @@ kpti_can_tell=0
 if [ -e /proc/config.gz ]; then
 # either the running kernel exports his own config
 kpti_can_tell=1
- if zgrep -q '^CONFIG_PAGE_TABLE_ISOLATION=y' /proc/config.gz; then
+ if zgrep -q '^\(CONFIG_PAGE_TABLE_ISOLATION=y\|CONFIG_KAISER=y\)' /proc/config.gz; then
 kpti_support=1
 fi
 elif [ -e /boot/config-$(uname -r) ]; then
 # or we can find a config file in /root with the kernel release name
 kpti_can_tell=1
- if grep -q '^CONFIG_PAGE_TABLE_ISOLATION=y' /boot/config-$(uname -r); then
+ if grep -q '^\(CONFIG_PAGE_TABLE_ISOLATION=y\|CONFIG_KAISER=y\)' /boot/config-$(uname -r); then
 kpti_support=1
 fi
 fi
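Review bot: The `\|` alternation used on both changed lines is a GNU extension to basic regular expressions, so on a system whose `grep`/`zgrep` is not GNU (busybox- or BSD-based) the pattern may match nothing at all, and the script would then report the kernel as lacking PTI support even where `CONFIG_PAGE_TABLE_ISOLATION=y` is present, which the previous pattern did detect. Passing two `-e` patterns is POSIX and avoids the escaping: `if zgrep -q -e '^CONFIG_PAGE_TABLE_ISOLATION=y' -e '^CONFIG_KAISER=y' /proc/config.gz; then` and `if grep -q -e '^CONFIG_PAGE_TABLE_ISOLATION=y' -e '^CONFIG_KAISER=y' /boot/config-$(uname -r); then`. A one-line comment above the first check saying that `CONFIG_KAISER` is the option name used by the RedHat backport (as the commit title states) would keep that knowledge with the code rather than only in history.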