1
0
mirror of https://github.com/speed47/spectre-meltdown-checker synced 2024-12-22 20:33:56 +01:00

xen: detect if the host is a Xen Dom0 or PV DomU (fixes #83)

This commit is contained in:
Matthieu Cerda 2018-01-24 17:14:04 +01:00 committed by Stéphane Lesimple
parent d1c1f0f0f0
commit 7f0d80b305

View File

@ -1456,31 +1456,39 @@ check_variant3()
pstatus blue NO 'no security impact but performance will be degraded with PTI' pstatus blue NO 'no security impact but performance will be degraded with PTI'
fi fi
fi fi
if [ "$opt_live" = 1 ]; then
# checking whether we're running under Xen PV 64 bits. If yes, we're not affected by variant3
_info_nol "* Running under Xen PV (64 bits): "
if [ "$(uname -m)" = "x86_64" ]; then
# XXX do we have a better way that relying on dmesg?
dmesg_grep 'Booting paravirtualized kernel on Xen$'; ret=$?
if [ $ret -eq 0 ]; then
pstatus green YES 'Xen PV is not vulnerable'
xen_pv=1
elif [ $ret -eq 2 ]; then
pstatus yellow UNKNOWN "dmesg truncated, please reboot and relaunch this script"
else
pstatus blue NO
fi
else
pstatus blue NO
fi
fi
elif [ "$sys_interface_available" = 0 ]; then elif [ "$sys_interface_available" = 0 ]; then
# we have no sysfs but were asked to use it only! # we have no sysfs but were asked to use it only!
msg="/sys vulnerability interface use forced, but it's not available!" msg="/sys vulnerability interface use forced, but it's not available!"
status=UNK status=UNK
fi fi
# Test if the current host is a Xen PV Dom0 / DomU
if [ -d "/proc/xen" ]; then
# XXX do we have a better way that relying on dmesg?
dmesg_grep 'Booting paravirtualized kernel on Xen$'; ret=$?
if [ $ret -eq 2 ]; then
_warn "dmesg truncated, Xen detection will be unreliable. Please reboot and relaunch this script"
elif [ $ret -eq 0 ]; then
if [ -e /proc/xen/capabilities ] && grep -q "control_d" /proc/xen/capabilities; then
xen_pv_domo=1
else
xen_pv_domu=1
fi
fi
fi
if [ "$opt_live" = 1 ]; then
# checking whether we're running under Xen PV 64 bits. If yes, we are affected by variant3
# (unless we are a Dom0)
_info_nol "* Running as a Xen PV DomU: "
if [ "$xen_pv_domu" = 1 ]; then
pstatus red YES
else
pstatus green NO
fi
fi
cve='CVE-2017-5754' cve='CVE-2017-5754'
if ! is_cpu_vulnerable 3; then if ! is_cpu_vulnerable 3; then
# override status & msg in case CPU is not vulnerable after all # override status & msg in case CPU is not vulnerable after all
@ -1490,8 +1498,10 @@ check_variant3()
if [ "$opt_live" = 1 ]; then if [ "$opt_live" = 1 ]; then
if [ "$kpti_enabled" = 1 ]; then if [ "$kpti_enabled" = 1 ]; then
pvulnstatus $cve OK "PTI mitigates the vulnerability" pvulnstatus $cve OK "PTI mitigates the vulnerability"
elif [ "$xen_pv" = 1 ]; then elif [ "$xen_pv_domo" = 1 ]; then
pvulnstatus $cve OK "Xen PV 64 bits is not vulnerable" pvulnstatus $cve OK "Xen Dom0s are safe and do not require PTI"
elif [ "$xen_pv_domu" = 1 ]; then
pvulnstatus $cve VULN "Xen PV DomUs are vulnerable and need to be run in HVM, PVHVM or PVH mode"
else else
pvulnstatus $cve VULN "PTI is needed to mitigate the vulnerability" pvulnstatus $cve VULN "PTI is needed to mitigate the vulnerability"
fi fi
@ -1505,9 +1515,26 @@ check_variant3()
fi fi
fi fi
else else
[ "$msg" = "Vulnerable" ] && msg="PTI is needed to mitigate the vulnerability" if [ "$xen_pv_domo" = 1 ]; then
msg="Xen Dom0s are safe and do not require PTI"
status="OK"
elif [ "$xen_pv_domu" = 1 ]; then
msg="Xen PV DomUs are vulnerable and need to be run in HVM, PVHVM or PVH mode"
status="VULN"
elif [ "$msg" = "Vulnerable" ]; then
msg="PTI is needed to mitigate the vulnerability"
fi
pvulnstatus $cve "$status" "$msg" pvulnstatus $cve "$status" "$msg"
fi fi
# Warn the user about XSA-254 recommended mitigations
if [ "$xen_pv_domo" = 1 ]; then
_warn
_warn "This host is a Xen Dom0. Please make sure that you are running your DomUs"
_warn "in HVM, PVHVM or PVH mode to prevent any guest-to-host / host-to-guest attacks."
_warn
_warn "See https://blog.xenproject.org/2018/01/22/xen-project-spectre-meltdown-faq-jan-22-update/ and XSA-254 for details."
fi
} }
check_cpu check_cpu