1
0
mirror of https://github.com/speed47/spectre-meltdown-checker synced 2024-12-23 04:43:37 +01:00

feat(cpu) add STIBP, RDCL_NO, IBRS_ALL checks

Move all the CPU checks to their own section,
for clarity. We now check for IBRS, IBPB, STIBP,
RDCL_NO and IBRS_ALL. We also show whether the
system CPU is vulnerable to the three variants,
regardless of the fact that mitigations are in
place or not, which is determined in each vuln-
specific section.
This commit is contained in:
Stéphane Lesimple 2018-01-24 14:44:16 +01:00
parent b45e40bec8
commit acf12a6d2d

View File

@ -199,6 +199,8 @@ is_cpu_vulnerable()
variant3='' variant3=''
# we also set a friendly name for the CPU to be used in the script if needed # we also set a friendly name for the CPU to be used in the script if needed
cpu_friendly_name=$(grep '^model name' /proc/cpuinfo | cut -d: -f2- | head -1 | sed -e 's/^ *//') cpu_friendly_name=$(grep '^model name' /proc/cpuinfo | cut -d: -f2- | head -1 | sed -e 's/^ *//')
# variant 0 is just for us to fill the cpu_friendly_name var
[ "$1" = 0 ] && return 0
if grep -q GenuineIntel /proc/cpuinfo; then if grep -q GenuineIntel /proc/cpuinfo; then
# Intel # Intel
@ -217,6 +219,13 @@ is_cpu_vulnerable()
[ -z "$variant2" ] && variant2=immune [ -z "$variant2" ] && variant2=immune
[ -z "$variant3" ] && variant3=immune [ -z "$variant3" ] && variant3=immune
fi fi
if [ "$capabilities_rdcl_no" = 1 ]; then
# capability bit for future Intel processor that will explicitly state
# that they're not vulnerable to Meltdown
# this var is set in check_cpu()
[ -z "$variant3" ] && variant3=immune
_debug "is_cpu_vulnerable: RDCL_NO is set so not vuln to meltdown"
fi
elif grep -q AuthenticAMD /proc/cpuinfo; then elif grep -q AuthenticAMD /proc/cpuinfo; then
# AMD revised their statement about variant2 => vulnerable # AMD revised their statement about variant2 => vulnerable
# https://www.amd.com/en/corporate/speculative-execution # https://www.amd.com/en/corporate/speculative-execution
@ -664,7 +673,7 @@ if [ "$opt_live" = 1 ]; then
_info "Checking for vulnerabilities on current system" _info "Checking for vulnerabilities on current system"
_info "Kernel is \033[35m"$(uname -s) $(uname -r) $(uname -v) $(uname -m)"\033[0m" _info "Kernel is \033[35m"$(uname -s) $(uname -r) $(uname -v) $(uname -m)"\033[0m"
# call is_cpu_vulnerable to fill the cpu_friendly_name var # call is_cpu_vulnerable to fill the cpu_friendly_name var
is_cpu_vulnerable 1 is_cpu_vulnerable 0
_info "CPU is \033[35m$cpu_friendly_name\033[0m" _info "CPU is \033[35m$cpu_friendly_name\033[0m"
# try to find the image of the current running kernel # try to find the image of the current running kernel
@ -804,80 +813,11 @@ sys_interface_check()
return 0 return 0
} }
################### check_cpu()
# SPECTRE VARIANT 1
check_variant1()
{ {
_info "\033[1;34mCVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'\033[0m" _info "\033[1;34mHardware check\033[0m"
status=UNK _info "* Hardware support (CPU microcode) for mitigation techniques"
sys_interface_available=0
msg=''
if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/spectre_v1"; then
# this kernel has the /sys interface, trust it over everything
sys_interface_available=1
elif [ "$opt_sysfs_only" != 1 ]; then
# no /sys interface (or offline mode), fallback to our own ways
_info_nol "* Checking count of LFENCE opcodes in kernel: "
if [ -n "$vmlinux_err" ]; then
msg="couldn't check ($vmlinux_err)"
status=UNK
pstatus yellow UNKNOWN
else
if ! which objdump >/dev/null 2>&1; then
msg="missing 'objdump' tool, please install it, usually it's in the binutils package"
status=UNK
pstatus yellow UNKNOWN
else
# here we disassemble the kernel and count the number of occurrences of the LFENCE opcode
# in non-patched kernels, this has been empirically determined as being around 40-50
# in patched kernels, this is more around 70-80, sometimes way higher (100+)
# v0.13: 68 found in a 3.10.23-xxxx-std-ipv6-64 (with lots of modules compiled-in directly), which doesn't have the LFENCE patches,
# so let's push the threshold to 70.
nb_lfence=$(objdump -d "$vmlinux" | grep -wc lfence)
if [ "$nb_lfence" -lt 70 ]; then
msg="only $nb_lfence opcodes found, should be >= 70, heuristic to be improved when official patches become available"
status=VULN
pstatus red NO
else
msg="$nb_lfence opcodes found, which is >= 70, heuristic to be improved when official patches become available"
status=OK
pstatus green YES
fi
fi
fi
else
# we have no sysfs but were asked to use it only!
msg="/sys vulnerability interface use forced, but it's not available!"
status=UNK
fi
if ! is_cpu_vulnerable 1; then
# override status & msg in case CPU is not vulnerable after all
msg="your CPU vendor reported your CPU model as not vulnerable"
status=OK
fi
# report status
pvulnstatus CVE-2017-5753 "$status" "$msg"
}
###################
# SPECTRE VARIANT 2
check_variant2()
{
_info "\033[1;34mCVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'\033[0m"
status=UNK
sys_interface_available=0
msg=''
if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/spectre_v2"; then
# this kernel has the /sys interface, trust it over everything
sys_interface_available=1
fi
if [ "$opt_sysfs_only" != 1 ]; then
_info "* Mitigation 1"
_info " * Hardware support (CPU microcode)"
_info " * Indirect Branch Restricted Speculation (IBRS)" _info " * Indirect Branch Restricted Speculation (IBRS)"
_info_nol " * SPEC_CTRL MSR is available: " _info_nol " * SPEC_CTRL MSR is available: "
if [ ! -e /dev/cpu/0/msr ]; then if [ ! -e /dev/cpu/0/msr ]; then
@ -966,7 +906,7 @@ check_variant2()
_info_nol " * CPU indicates IBPB capability: " _info_nol " * CPU indicates IBPB capability: "
if [ ! -e /dev/cpu/0/cpuid ]; then if [ ! -e /dev/cpu/0/cpuid ]; then
pstatus yellow UNKNOWN "couldn't read /dev/cpu/0/cpuidr, is cpuid support enabled in your kernel?" pstatus yellow UNKNOWN "couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?"
else else
# CPUID EAX=0x80000008, ECX=0x00 return EBX[12] indicates support for just IBPB. # CPUID EAX=0x80000008, ECX=0x00 return EBX[12] indicates support for just IBPB.
if [ "$opt_verbose" -ge 3 ]; then if [ "$opt_verbose" -ge 3 ]; then
@ -1003,7 +943,7 @@ check_variant2()
_info_nol " * CPU indicates STIBP capability: " _info_nol " * CPU indicates STIBP capability: "
if [ ! -e /dev/cpu/0/cpuid ]; then if [ ! -e /dev/cpu/0/cpuid ]; then
pstatus yellow UNKNOWN "couldn't read /dev/cpu/0/cpuidr, is cpuid support enabled in your kernel?" pstatus yellow UNKNOWN "couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?"
else else
# A processor supports STIBP if it enumerates CPUID (EAX=7H,ECX=0):EDX[27] as 1 # A processor supports STIBP if it enumerates CPUID (EAX=7H,ECX=0):EDX[27] as 1
if [ "$opt_verbose" -ge 3 ]; then if [ "$opt_verbose" -ge 3 ]; then
@ -1018,13 +958,158 @@ check_variant2()
edx_bit27=$(( edx_hb & 8 )) edx_bit27=$(( edx_hb & 8 ))
_debug "cpuid: edx_bit27=$edx_bit27" _debug "cpuid: edx_bit27=$edx_bit27"
if [ "$edx_bit27" -eq 8 ]; then if [ "$edx_bit27" -eq 8 ]; then
pstatus green YES "STIBP feature bit" pstatus green YES
cpuid_stibp=1 cpuid_stibp=1
else else
pstatus red NO pstatus red NO
fi fi
fi fi
_info " * Enhanced IBRS (IBRS_ALL)"
_info_nol " * CPU indicates ARCH_CAPABILITIES MSR availability: "
if [ ! -e /dev/cpu/0/cpuid ]; then
pstatus yellow UNKNOWN "couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?"
else
# A processor supports STIBP if it enumerates CPUID (EAX=7H,ECX=0):EDX[27] as 1
if [ "$opt_verbose" -ge 3 ]; then
dd if=/dev/cpu/0/cpuid bs=16 skip=7 iflag=skip_bytes count=1 >/dev/null 2>/dev/null
_debug "cpuid: reading leaf7 of cpuid on cpu0, ret=$?"
_debug "cpuid: leaf7 eax-ebx-ecx-edx: "$(dd if=/dev/cpu/0/cpuid bs=16 skip=7 iflag=skip_bytes count=1 2>/dev/null | od -x -A n)
_debug "cpuid: leaf7 edx higher byte is: "$(dd if=/dev/cpu/0/cpuid bs=16 skip=7 iflag=skip_bytes count=1 2>/dev/null | dd bs=1 skip=15 count=1 2>/dev/null | od -x -A n)
fi
# getting high byte of edx on leaf7 of cpuinfo in decimal
edx_hb=$(dd if=/dev/cpu/0/cpuid bs=16 skip=7 iflag=skip_bytes count=1 2>/dev/null | dd bs=1 skip=15 count=1 2>/dev/null | od -t u -A n | awk '{print $1}')
_debug "cpuid: leaf7 edx higher byte: $edx_hb (decimal)"
edx_bit29=$(( edx_hb & 32 ))
_debug "cpuid: edx_bit29=$edx_bit29"
if [ "$edx_bit27" -eq 32 ]; then
pstatus green YES
cpuid_arch_capabilities=1
else
pstatus red NO
fi
fi
_info_nol " * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: "
if [ "$cpuid_arch_capabilities" != 1 ]; then
pstatus red NO
elif [ ! -e /dev/cpu/0/msr ]; then
spec_ctrl_msr=-1
pstatus yellow UNKNOWN "couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?"
else
# the new MSR 'ARCH_CAPABILITIES' is at offset 0x10a
# here we use dd, it's the same as using 'rdmsr 0x10a' but without needing the rdmsr tool
# if we get a read error, the MSR is not there. bs has to be 8 for msr
capabilities=$(dd if=/dev/cpu/0/msr bs=8 count=1 skip=266 iflag=skip_bytes 2>/dev/null | od -t u1 -A n | awk '{print $8}')
if [ $? -eq 0 ]; then
_debug "capabilities MSR lower byte is $capabilities (decimal)"
capabilities_rdcl_no=0
[ $(( capabilities & 1 )) -eq 1 ] && capabilities_rdcl_no=1
[ $(( capabilities & 2 )) -eq 2 ] && capabilities_ibrs_all=1
_debug "capabilities says rdcl_no=$capabilities_rdcl_no ibrs_all=$capabilities_ibrs_all"
if [ "$capabilities_ibrs_all" = 1 ]; then
pstatus green YES
else
pstatus red NO
fi
else
pstatus yellow UNKNOWN
fi
fi
_info_nol " * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): "
if [ "$capabilities_rdcl_no" = 1 ]; then
pstatus green YES
else
pstatus blue NO
fi
_info "* CPU vulnerability to the three speculative execution attacks variants"
for v in 1 2 3; do
_info_nol " * Vulnerable to Variant $v: "
if is_cpu_vulnerable $v; then
pstatus red YES
else
pstatus green NO
fi
done
_info
}
###################
# SPECTRE VARIANT 1
check_variant1()
{
_info "\033[1;34mCVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'\033[0m"
status=UNK
sys_interface_available=0
msg=''
if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/spectre_v1"; then
# this kernel has the /sys interface, trust it over everything
sys_interface_available=1
elif [ "$opt_sysfs_only" != 1 ]; then
# no /sys interface (or offline mode), fallback to our own ways
_info_nol "* Checking count of LFENCE opcodes in kernel: "
if [ -n "$vmlinux_err" ]; then
msg="couldn't check ($vmlinux_err)"
status=UNK
pstatus yellow UNKNOWN
else
if ! which objdump >/dev/null 2>&1; then
msg="missing 'objdump' tool, please install it, usually it's in the binutils package"
status=UNK
pstatus yellow UNKNOWN
else
# here we disassemble the kernel and count the number of occurrences of the LFENCE opcode
# in non-patched kernels, this has been empirically determined as being around 40-50
# in patched kernels, this is more around 70-80, sometimes way higher (100+)
# v0.13: 68 found in a 3.10.23-xxxx-std-ipv6-64 (with lots of modules compiled-in directly), which doesn't have the LFENCE patches,
# so let's push the threshold to 70.
nb_lfence=$(objdump -d "$vmlinux" | grep -wc lfence)
if [ "$nb_lfence" -lt 70 ]; then
msg="only $nb_lfence opcodes found, should be >= 70, heuristic to be improved when official patches become available"
status=VULN
pstatus red NO
else
msg="$nb_lfence opcodes found, which is >= 70, heuristic to be improved when official patches become available"
status=OK
pstatus green YES
fi
fi
fi
else
# we have no sysfs but were asked to use it only!
msg="/sys vulnerability interface use forced, but it's not available!"
status=UNK
fi
if ! is_cpu_vulnerable 1; then
# override status & msg in case CPU is not vulnerable after all
msg="your CPU vendor reported your CPU model as not vulnerable"
status=OK
fi
# report status
pvulnstatus CVE-2017-5753 "$status" "$msg"
}
###################
# SPECTRE VARIANT 2
check_variant2()
{
_info "\033[1;34mCVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'\033[0m"
status=UNK
sys_interface_available=0
msg=''
if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/spectre_v2"; then
# this kernel has the /sys interface, trust it over everything
sys_interface_available=1
fi
if [ "$opt_sysfs_only" != 1 ]; then
_info "* Mitigation 1"
_info_nol " * Kernel is compiled with IBRS/IBPB support: " _info_nol " * Kernel is compiled with IBRS/IBPB support: "
ibrs_can_tell=0 ibrs_can_tell=0
@ -1429,6 +1514,7 @@ check_variant3()
fi fi
} }
check_cpu
# now run the checks the user asked for # now run the checks the user asked for
if [ "$opt_variant1" = 1 -o "$opt_allvariants" = 1 ]; then if [ "$opt_variant1" = 1 -o "$opt_allvariants" = 1 ]; then
check_variant1 check_variant1