1
0
mirror of https://github.com/speed47/spectre-meltdown-checker synced 2024-11-06 22:23:41 +01:00

cosmetic + v0.02

This commit is contained in:
Stéphane Lesimple 2018-01-07 16:22:30 +01:00
parent ef7c0d7ec5
commit 9ed1fcd98a
2 changed files with 27 additions and 22 deletions

View File

@ -5,29 +5,34 @@ A simple shell script to tell if your Linux installation is vulnerable
against the 3 "speculative execution" CVEs: against the 3 "speculative execution" CVEs:
CVE-2017-5753 bounds check bypass (Spectre Variant 1) CVE-2017-5753 bounds check bypass (Spectre Variant 1)
Impact: Kernel & all software
Mitigation: recompile software *and* kernel with a modified compiler that introduces the LFENCE opcode at the proper positions in the resulting code - Impact: Kernel & all software
Performance impact of the mitigation: negligible - Mitigation: recompile software *and* kernel with a modified compiler that introduces the LFENCE opcode at the proper positions in the resulting code
- Performance impact of the mitigation: negligible
CVE-2017-5715: branch target injection (Spectre Variant 2) CVE-2017-5715: branch target injection (Spectre Variant 2)
Impact: Kernel
Mitigation 1: new opcode via microcode update that should be used by up to date compilers to protect the BTB (by flushing indirect branch predictors) - Impact: Kernel
Mitigation 2: introducing "retpoline" into compilers, and recompile software/OS with it - Mitigation 1: new opcode via microcode update that should be used by up to date compilers to protect the BTB (by flushing indirect branch predictors)
Performance impact of the mitigation: high for mitigation 1, medium for mitigation 2, depending on your CPU - Mitigation 2: introducing "retpoline" into compilers, and recompile software/OS with it
- Performance impact of the mitigation: high for mitigation 1, medium for mitigation 2, depending on your CPU
CVE-2017-5754: rogue data cache load (Meltdown) CVE-2017-5754: rogue data cache load (Meltdown)
Impact: Kernel
Mitigation: updated kernel (with PTI/KPTI patches), updating the kernel is enough - Impact: Kernel
Performance impact of the mitigation: low to medium - Mitigation: updated kernel (with PTI/KPTI patches), updating the kernel is enough
- Performance impact of the mitigation: low to medium
Example of the output of the script: Example of the output of the script:
Spectre and Meltdown mitigation detection tool v0.01
``` ```
$ sudo ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.02
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1' CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel recompiled with LFENCE opcode insertion: UNKNOWN (check not yet implemented) * Kernel compiled with LFENCE opcode inserted at the proper places: NO (only 38 opcodes found, should be >= 60)
> STATUS: UNKNOWN (not implemented, but real answer is most probably VULNERABLE at this stage) > STATUS: VULNERABLE
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2' CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1 * Mitigation 1
@ -36,8 +41,8 @@ CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* IBRS enabled for Kernel space: NO * IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO * IBRS enabled for User space: NO
* Mitigation 2 * Mitigation 2
* Kernel recompiled with retpoline: UNKNOWN (check not yet implemented) * Kernel recompiled with retpolines: UNKNOWN (check not yet implemented)
> STATUS: VULNERABLE (IBRS hardware + kernel support OR retpoline-compiled kernel are needed to mitigate the vulnerability) > STATUS: VULNERABLE (IBRS hardware + kernel support OR retpolines-compiled kernel are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3' CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES * Kernel supports Page Table Isolation (PTI): YES

View File

@ -1,7 +1,7 @@
#! /bin/sh #! /bin/sh
# Spectre & Meltdown checker # Spectre & Meltdown checker
# Stephane Lesimple, v0.00.01 # Stephane Lesimple
VERSION=0.01 VERSION=0.02
pstatus() pstatus()
{ {
@ -81,11 +81,11 @@ elif ! which objdump >/dev/null 2>&1; then
pstatus yellow UNKNOWN "missing 'objdump' tool, please install it, usually it's in the binutils package" pstatus yellow UNKNOWN "missing 'objdump' tool, please install it, usually it's in the binutils package"
else else
nb_lfence=$(objdump -D "$vmlinux" | grep -wc lfence) nb_lfence=$(objdump -D "$vmlinux" | grep -wc lfence)
if [ "$nb_lfence" -lt 50 ]; then if [ "$nb_lfence" -lt 60 ]; then
pstatus red NO "only $nb_lfence lfence opcodes found, should be >= 50" pstatus red NO "only $nb_lfence opcodes found, should be >= 60"
status=1 status=1
else else
pstatus green YES "$nb_lfence opcodes found, which is >= 50" pstatus green YES "$nb_lfence opcodes found, which is >= 60"
status=2 status=2
fi fi
rm -f $vmlinux rm -f $vmlinux
@ -155,7 +155,7 @@ if [ "$mounted_debugfs" = 1 ]; then
fi fi
/bin/echo "* Mitigation 2" /bin/echo "* Mitigation 2"
/bin/echo -n "* Kernel recompiled with retpoline: " /bin/echo -n "* Kernel recompiled with retpolines: "
pstatus yellow UNKNOWN "check not yet implemented" pstatus yellow UNKNOWN "check not yet implemented"
/bin/echo -ne "> \033[46m\033[30mSTATUS:\033[0m " /bin/echo -ne "> \033[46m\033[30mSTATUS:\033[0m "
@ -164,7 +164,7 @@ if grep -q AMD /proc/cpuinfo; then
elif [ "$ibrs_enabled" = 1 -o "$ibrs_enabled" = 2 ]; then elif [ "$ibrs_enabled" = 1 -o "$ibrs_enabled" = 2 ]; then
pstatus green "NOT VULNERABLE" "IBRS mitigates the vulnerability" pstatus green "NOT VULNERABLE" "IBRS mitigates the vulnerability"
else else
pstatus red VULNERABLE "IBRS hardware + kernel support OR retpoline-compiled kernel are needed to mitigate the vulnerability" pstatus red VULNERABLE "IBRS hardware + kernel support OR retpolines-compiled kernel are needed to mitigate the vulnerability"
fi fi
# MELTDOWN # MELTDOWN