dsanchez/spectre-meltdown-checker
1
0
Fork 0
mirror of https://github.com/speed47/spectre-meltdown-checker synced 2025-01-03 10:05:44 +01:00
Code Issues Releases Wiki Activity

enh(l1tf): in paranoid mode, assume we're running a hypervisor unless stated otherwise

Browse Source 
This change ensures we check for SMT and advise the user to disable it for maximum security.
Doing this, we'll help users mitigate a whole range of vulnerabilities taking advantage of SMT to attack purely from userland other userland processes, as seen in CVE-2018-5407 (also see #261)
This commit is contained in:
Stéphane Lesimple 2019-04-21 14:03:48 +02:00
parent b022b27a51
commit bfa4de96e6
1 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
spectre-meltdown-checker.sh
View File

@ -3835,7 +3835,12 @@ check_CVE_2018_3646_linux()
if [ "$opt_sysfs_only" != 1 ]; then if [ "$opt_sysfs_only" != 1 ]; then
_info_nol "* This system is a host running a hypervisor: " _info_nol "* This system is a host running a hypervisor: "
has_vmm=$opt_vmm has_vmm=$opt_vmm
if [ "$has_vmm" = -1 ]; then if [ "$has_vmm" = -1 ] && [ "$opt_paranoid" = 1 ]; then
# In paranoid mode, if --vmm was not specified on the command-line,
# we want to be secure before everything else, so assume we're running
# a hypervisor, as this requires more mitigations
has_vmm=2
elif [ "$has_vmm" = -1 ]; then
# Assumed to be running on bare metal unless evidence of vm is found. # Assumed to be running on bare metal unless evidence of vm is found.
has_vmm=0 has_vmm=0
# test for presence of hypervisor flag - definitive if set # test for presence of hypervisor flag - definitive if set
@ -3878,6 +3883,8 @@ check_CVE_2018_3646_linux()
else else
if [ "$opt_vmm" != -1 ]; then if [ "$opt_vmm" != -1 ]; then
pstatus blue YES "forced from command line" pstatus blue YES "forced from command line"
elif [ "$has_vmm" = 2 ]; then
pstatus blue YES "paranoid mode"
else else
pstatus blue YES pstatus blue YES
fi fi