dsanchez/spectre-meltdown-checker
1
0
Fork 0
mirror of https://github.com/speed47/spectre-meltdown-checker synced 2024-11-19 04:22:22 +01:00
Code Issues Releases Wiki Activity

refacto: create a dedicated func to read cpuid bits

Browse Source
This commit is contained in:
Stéphane Lesimple 2018-01-31 13:54:59 +01:00
parent 71e7109c22
commit bcae8824ec
1 changed files with 63 additions and 84 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

123
spectre-meltdown-checker.sh
View File

@ -610,6 +610,36 @@ unload_cpuid()
fi fi
} }
read_cpuid()
{
_leaf="$1"
_bytenum="$2"
_and_operand="$3"
if [ ! -e /dev/cpu/0/cpuid ]; then
# try to load the module ourselves (and remember it so we can rmmod it afterwards)
load_cpuid
fi
if [ ! -e /dev/cpu/0/cpuid ]; then
return 2
fi
if [ "$opt_verbose" -ge 3 ]; then
dd if=/dev/cpu/0/cpuid bs=16 skip="$_leaf" iflag=skip_bytes count=1 >/dev/null 2>/dev/null
_debug "cpuid: reading leaf$_leaf of cpuid on cpu0, ret=$?"
_debug "cpuid: leaf$_leaf eax-ebx-ecx-edx: $( dd if=/dev/cpu/0/cpuid bs=16 skip="$_leaf" iflag=skip_bytes count=1 2>/dev/null | od -x -A n)"
_debug "cpuid: leaf$_leaf edx higher byte is: $(dd if=/dev/cpu/0/cpuid bs=16 skip="$_leaf" iflag=skip_bytes count=1 2>/dev/null | dd bs=1 skip=$_bytenum count=1 2>/dev/null | od -x -A n)"
fi
# getting proper byte of edx on leaf$_leaf of cpuinfo in decimal
_reg_byte=$(dd if=/dev/cpu/0/cpuid bs=16 skip="$_leaf" iflag=skip_bytes count=1 2>/dev/null | dd bs=1 skip="$_bytenum" count=1 2>/dev/null | od -t u1 -A n | awk '{print $1}')
_debug "cpuid: leaf$_leaf byte $_bytenum: $_reg_byte (decimal)"
_reg_bit=$(( _reg_byte & _and_operand ))
_debug "cpuid: leaf$_leaf byte $_bytenum & $_and_operand = $_reg_bit"
[ "$_reg_bit" -eq 0 ] && return 1
# $_reg_bit is > 0, so the bit was found: return true (aka 0)
return 0
}
dmesg_grep() dmesg_grep()
{ {
# grep for something in dmesg, ensuring that the dmesg buffer # grep for something in dmesg, ensuring that the dmesg buffer
@ -982,32 +1012,16 @@ check_cpu()
fi fi
_info_nol " * CPU indicates IBRS capability: " _info_nol " * CPU indicates IBRS capability: "
if [ ! -e /dev/cpu/0/cpuid ]; then
# try to load the module ourselves (and remember it so we can rmmod it afterwards)
load_cpuid
fi
if [ ! -e /dev/cpu/0/cpuid ]; then
pstatus yellow UNKNOWN "couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?"
else
# from kernel src: { X86_FEATURE_SPEC_CTRL, CPUID_EDX,26, 0x00000007, 0 }, # from kernel src: { X86_FEATURE_SPEC_CTRL, CPUID_EDX,26, 0x00000007, 0 },
if [ "$opt_verbose" -ge 3 ]; then read_cpuid 7 15 4; ret=$?
dd if=/dev/cpu/0/cpuid bs=16 skip=7 iflag=skip_bytes count=1 >/dev/null 2>/dev/null if [ $ret -eq 0 ]; then
_debug "cpuid: reading leaf7 of cpuid on cpu0, ret=$?"
_debug "cpuid: leaf7 eax-ebx-ecx-edx: $(dd if=/dev/cpu/0/cpuid bs=16 skip=7 iflag=skip_bytes count=1 2>/dev/null | od -x -A n)"
_debug "cpuid: leaf7 edx higher byte is: $(dd if=/dev/cpu/0/cpuid bs=16 skip=7 iflag=skip_bytes count=1 2>/dev/null | dd bs=1 skip=15 count=1 2>/dev/null | od -x -A n)"
fi
# getting high byte of edx on leaf7 of cpuinfo in decimal
edx_hb=$(dd if=/dev/cpu/0/cpuid bs=16 skip=7 iflag=skip_bytes count=1 2>/dev/null | dd bs=1 skip=15 count=1 2>/dev/null | od -t u -A n | awk '{print $1}')
_debug "cpuid: leaf7 edx higher byte: $edx_hb (decimal)"
edx_bit26=$(( edx_hb & 4 ))
_debug "cpuid: edx_bit26=$edx_bit26"
if [ "$edx_bit26" -eq 4 ]; then
pstatus green YES "SPEC_CTRL feature bit" pstatus green YES "SPEC_CTRL feature bit"
cpuid_spec_ctrl=1 cpuid_spec_ctrl=1
elif [ $ret -eq 2 ]; then
pstatus yellow UNKNOWN "couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?"
else else
pstatus red NO pstatus red NO
fi fi
fi
# hardware support according to kernel # hardware support according to kernel
if [ "$opt_verbose" -ge 2 ]; then if [ "$opt_verbose" -ge 2 ]; then
@ -1043,30 +1057,19 @@ check_cpu()
fi fi
fi fi
_info_nol " * CPU indicates IBPB capability: " _info_nol " * CPU indicates IBPB capability: "
if [ ! -e /dev/cpu/0/cpuid ]; then
pstatus yellow UNKNOWN "couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?"
else
# CPUID EAX=0x80000008, ECX=0x00 return EBX[12] indicates support for just IBPB. # CPUID EAX=0x80000008, ECX=0x00 return EBX[12] indicates support for just IBPB.
if [ "$opt_verbose" -ge 3 ]; then read_cpuid 2147483656 5 16; ret=$?
dd if=/dev/cpu/0/cpuid bs=16 skip=2147483656 iflag=skip_bytes count=1 >/dev/null 2>/dev/null if [ $ret -eq 0 ]; then
_debug "cpuid: reading leaf80000008 of cpuid on cpu0, ret=$?"
_debug "cpuid: leaf80000008 eax-ebx-ecx-edx: $(dd if=/dev/cpu/0/cpuid bs=16 skip=2147483656 iflag=skip_bytes count=1 2>/dev/null | od -x -A n)"
_debug "cpuid: leaf80000008 ebx 3rd byte is: $(dd if=/dev/cpu/0/cpuid bs=16 skip=2147483656 iflag=skip_bytes count=1 2>/dev/null | dd bs=1 skip=5 count=1 2>/dev/null | od -x -A n)"
fi
# getting high byte of edx on leaf7 of cpuinfo in decimal
ebx_b3=$(dd if=/dev/cpu/0/cpuid bs=16 skip=2147483656 iflag=skip_bytes count=1 2>/dev/null | dd bs=1 skip=5 count=1 2>/dev/null | od -t u -A n | awk '{print $1}')
_debug "cpuid: leaf80000008 ebx 3rd byte: $ebx_b3 (decimal)"
ebx_bit12=$(( ebx_b3 & 16 ))
_debug "cpuid: ebx_bit12=$ebx_bit12"
if [ "$ebx_bit12" -eq 16 ]; then
pstatus green YES "IBPB_SUPPORT feature bit" pstatus green YES "IBPB_SUPPORT feature bit"
elif [ "$cpuid_spec_ctrl" = 1 ]; then elif [ "$cpuid_spec_ctrl" = 1 ]; then
pstatus green YES "SPEC_CTRL feature bit" pstatus green YES "SPEC_CTRL feature bit"
elif [ $ret -eq 2 ]; then
pstatus yellow UNKNOWN "couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?"
else else
pstatus red NO pstatus red NO
fi fi
fi
# STIBP # STIBP
_info " * Single Thread Indirect Branch Predictors (STIBP)" _info " * Single Thread Indirect Branch Predictors (STIBP)"
@ -1080,54 +1083,30 @@ check_cpu()
fi fi
_info_nol " * CPU indicates STIBP capability: " _info_nol " * CPU indicates STIBP capability: "
if [ ! -e /dev/cpu/0/cpuid ]; then # A processor supports STIBP if it enumerates CPUID (EAX=7H,ECX=0):EDX[27] as 1
read_cpuid 7 15 8; ret=$?
if [ $ret -eq 0 ]; then
pstatus green YES
elif [ $ret -eq 2 ]; then
pstatus yellow UNKNOWN "couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?" pstatus yellow UNKNOWN "couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?"
else
# A processor supports STIBP if it enumerates CPUID (EAX=7H,ECX=0):EDX[27] as 1
if [ "$opt_verbose" -ge 3 ]; then
dd if=/dev/cpu/0/cpuid bs=16 skip=7 iflag=skip_bytes count=1 >/dev/null 2>/dev/null
_debug "cpuid: reading leaf7 of cpuid on cpu0, ret=$?"
_debug "cpuid: leaf7 eax-ebx-ecx-edx: $(dd if=/dev/cpu/0/cpuid bs=16 skip=7 iflag=skip_bytes count=1 2>/dev/null | od -x -A n)"
_debug "cpuid: leaf7 edx higher byte is: $(dd if=/dev/cpu/0/cpuid bs=16 skip=7 iflag=skip_bytes count=1 2>/dev/null | dd bs=1 skip=15 count=1 2>/dev/null | od -x -A n)"
fi
# getting high byte of edx on leaf7 of cpuinfo in decimal
edx_hb=$(dd if=/dev/cpu/0/cpuid bs=16 skip=7 iflag=skip_bytes count=1 2>/dev/null | dd bs=1 skip=15 count=1 2>/dev/null | od -t u -A n | awk '{print $1}')
_debug "cpuid: leaf7 edx higher byte: $edx_hb (decimal)"
edx_bit27=$(( edx_hb & 8 ))
_debug "cpuid: edx_bit27=$edx_bit27"
if [ "$edx_bit27" -eq 8 ]; then
pstatus green YES
else else
pstatus red NO pstatus red NO
fi fi
fi
_info " * Enhanced IBRS (IBRS_ALL)" _info " * Enhanced IBRS (IBRS_ALL)"
_info_nol " * CPU indicates ARCH_CAPABILITIES MSR availability: " _info_nol " * CPU indicates ARCH_CAPABILITIES MSR availability: "
cpuid_arch_capabilities=-1 cpuid_arch_capabilities=-1
if [ ! -e /dev/cpu/0/cpuid ]; then
pstatus yellow UNKNOWN "couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?"
else
# A processor supports STIBP if it enumerates CPUID (EAX=7H,ECX=0):EDX[27] as 1 # A processor supports STIBP if it enumerates CPUID (EAX=7H,ECX=0):EDX[27] as 1
if [ "$opt_verbose" -ge 3 ]; then read_cpuid 7 15 32; ret=$?
dd if=/dev/cpu/0/cpuid bs=16 skip=7 iflag=skip_bytes count=1 >/dev/null 2>/dev/null if [ $ret -eq 0 ]; then
_debug "cpuid: reading leaf7 of cpuid on cpu0, ret=$?"
_debug "cpuid: leaf7 eax-ebx-ecx-edx: $(dd if=/dev/cpu/0/cpuid bs=16 skip=7 iflag=skip_bytes count=1 2>/dev/null | od -x -A n)"
_debug "cpuid: leaf7 edx higher byte is: $(dd if=/dev/cpu/0/cpuid bs=16 skip=7 iflag=skip_bytes count=1 2>/dev/null | dd bs=1 skip=15 count=1 2>/dev/null | od -x -A n)"
fi
# getting high byte of edx on leaf7 of cpuinfo in decimal
edx_hb=$(dd if=/dev/cpu/0/cpuid bs=16 skip=7 iflag=skip_bytes count=1 2>/dev/null | dd bs=1 skip=15 count=1 2>/dev/null | od -t u -A n | awk '{print $1}')
_debug "cpuid: leaf7 edx higher byte: $edx_hb (decimal)"
edx_bit29=$(( edx_hb & 32 ))
_debug "cpuid: edx_bit29=$edx_bit29"
if [ "$edx_bit27" -eq 32 ]; then
pstatus green YES pstatus green YES
cpuid_arch_capabilities=1 cpuid_arch_capabilities=1
elif [ $ret -eq 2 ]; then
pstatus yellow UNKNOWN "couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?"
else else
pstatus red NO pstatus red NO
cpuid_arch_capabilities=0 cpuid_arch_capabilities=0
fi fi
fi
_info_nol " * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: " _info_nol " * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: "
capabilities_rdcl_no=-1 capabilities_rdcl_no=-1
@ -1470,9 +1449,6 @@ check_variant2()
pstatus blue N/A "not testable in offline mode" pstatus blue N/A "not testable in offline mode"
fi fi
unload_msr
unload_cpuid
_info "* Mitigation 2" _info "* Mitigation 2"
_info_nol " * Kernel compiled with retpoline option: " _info_nol " * Kernel compiled with retpoline option: "
# We check the RETPOLINE kernel options # We check the RETPOLINE kernel options
@ -1827,6 +1803,9 @@ _info "A false sense of security is worse than no security at all, see --disclai
# this'll umount only if we mounted debugfs ourselves # this'll umount only if we mounted debugfs ourselves
umount_debugfs umount_debugfs
# same for modules
unload_msr
unload_cpuid
# cleanup the temp decompressed config # cleanup the temp decompressed config
[ -n "$dumped_config" ] && [ -f "$dumped_config" ] && rm -f "$dumped_config" [ -n "$dumped_config" ] && [ -f "$dumped_config" ] && rm -f "$dumped_config"