enh(mock): avoid reading the sysfs interface outside sys_interface_check() for higher mocking coverage
This commit is contained in:
parent
afbb26277f
commit
ccb4dbef7c
@ -1910,6 +1910,8 @@ sys_interface_check()
|
|||||||
file="$1"
|
file="$1"
|
||||||
regex="$2"
|
regex="$2"
|
||||||
mode="$3"
|
mode="$3"
|
||||||
|
msg=''
|
||||||
|
fullmsg=''
|
||||||
[ "$opt_live" = 1 ] && [ "$opt_no_sysfs" = 0 ] && [ -r "$file" ] || return 1
|
[ "$opt_live" = 1 ] && [ "$opt_no_sysfs" = 0 ] && [ -r "$file" ] || return 1
|
||||||
[ -n "$regex" ] || regex='.*'
|
[ -n "$regex" ] || regex='.*'
|
||||||
_mockvarname="SMC_MOCK_SYSFS_$(basename "$file")"
|
_mockvarname="SMC_MOCK_SYSFS_$(basename "$file")"
|
||||||
@ -1924,7 +1926,9 @@ sys_interface_check()
|
|||||||
msg=$(grep -Eo "$regex" "$file")
|
msg=$(grep -Eo "$regex" "$file")
|
||||||
fi
|
fi
|
||||||
if [ "$mode" = silent ]; then
|
if [ "$mode" = silent ]; then
|
||||||
_info "* Information from the /sys interface: $msg"
|
return 0
|
||||||
|
elif [ "$mode" = quiet ]; then
|
||||||
|
_info "* Information from the /sys interface: $fullmsg"
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
_info_nol "* Mitigated according to the /sys interface: "
|
_info_nol "* Mitigated according to the /sys interface: "
|
||||||
@ -2913,21 +2917,21 @@ check_CVE_2017_5715_linux()
|
|||||||
# XXX and what about ibpb ?
|
# XXX and what about ibpb ?
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
if [ -e "/sys/devices/system/cpu/vulnerabilities/spectre_v2" ]; then
|
if [ -n "$fullmsg" ]; then
|
||||||
# when IBPB is enabled on 4.15+, we can see it in sysfs
|
# when IBPB is enabled on 4.15+, we can see it in sysfs
|
||||||
if grep -q 'IBPB' "/sys/devices/system/cpu/vulnerabilities/spectre_v2"; then
|
if echo "$fullmsg" | grep -q 'IBPB'; then
|
||||||
_debug "ibpb: found enabled in sysfs"
|
_debug "ibpb: found enabled in sysfs"
|
||||||
[ -z "$ibpb_supported" ] && ibpb_supported='IBPB found enabled in sysfs'
|
[ -z "$ibpb_supported" ] && ibpb_supported='IBPB found enabled in sysfs'
|
||||||
[ -z "$ibpb_enabled" ] && ibpb_enabled=1
|
[ -z "$ibpb_enabled" ] && ibpb_enabled=1
|
||||||
fi
|
fi
|
||||||
# when IBRS_FW is enabled on 4.15+, we can see it in sysfs
|
# when IBRS_FW is enabled on 4.15+, we can see it in sysfs
|
||||||
if grep -q ', IBRS_FW' "/sys/devices/system/cpu/vulnerabilities/spectre_v2"; then
|
if echo "$fullmsg" | grep -q ', IBRS_FW'; then
|
||||||
_debug "ibrs: found IBRS_FW in sysfs"
|
_debug "ibrs: found IBRS_FW in sysfs"
|
||||||
[ -z "$ibrs_supported" ] && ibrs_supported='found IBRS_FW in sysfs'
|
[ -z "$ibrs_supported" ] && ibrs_supported='found IBRS_FW in sysfs'
|
||||||
ibrs_fw_enabled=1
|
ibrs_fw_enabled=1
|
||||||
fi
|
fi
|
||||||
# when IBRS is enabled on 4.15+, we can see it in sysfs
|
# when IBRS is enabled on 4.15+, we can see it in sysfs
|
||||||
if grep -q -e '\<IBRS\>' -e 'Indirect Branch Restricted Speculation' "/sys/devices/system/cpu/vulnerabilities/spectre_v2"; then
|
if echo "$fullmsg" | grep -q -e '\<IBRS\>' -e 'Indirect Branch Restricted Speculation'; then
|
||||||
_debug "ibrs: found IBRS in sysfs"
|
_debug "ibrs: found IBRS in sysfs"
|
||||||
[ -z "$ibrs_supported" ] && ibrs_supported='found IBRS in sysfs'
|
[ -z "$ibrs_supported" ] && ibrs_supported='found IBRS in sysfs'
|
||||||
[ -z "$ibrs_enabled" ] && ibrs_enabled=3
|
[ -z "$ibrs_enabled" ] && ibrs_enabled=3
|
||||||
@ -3112,9 +3116,9 @@ check_CVE_2017_5715_linux()
|
|||||||
#
|
#
|
||||||
# if there is "retpoline" in the file and NOT "minimal", then it's full retpoline
|
# if there is "retpoline" in the file and NOT "minimal", then it's full retpoline
|
||||||
# (works for vanilla and Red Hat variants)
|
# (works for vanilla and Red Hat variants)
|
||||||
if [ "$opt_live" = 1 ] && [ -e "/sys/devices/system/cpu/vulnerabilities/spectre_v2" ]; then
|
if [ "$opt_live" = 1 ] && [ -n "$fullmsg" ]; then
|
||||||
if grep -qwi retpoline /sys/devices/system/cpu/vulnerabilities/spectre_v2; then
|
if echo "$fullmsg" | grep -qwi retpoline; then
|
||||||
if grep -qwi minimal /sys/devices/system/cpu/vulnerabilities/spectre_v2; then
|
if echo "$fullmsg" | grep -qwi minimal; then
|
||||||
retpoline_compiler=0
|
retpoline_compiler=0
|
||||||
retpoline_compiler_reason="kernel reports minimal retpoline compilation"
|
retpoline_compiler_reason="kernel reports minimal retpoline compilation"
|
||||||
else
|
else
|
||||||
@ -3935,7 +3939,7 @@ check_CVE_2018_3620_linux()
|
|||||||
status=UNK
|
status=UNK
|
||||||
sys_interface_available=0
|
sys_interface_available=0
|
||||||
msg=''
|
msg=''
|
||||||
if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/l1tf" '^[^;]+'; then
|
if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/l1tf"; then
|
||||||
# this kernel has the /sys interface, trust it over everything
|
# this kernel has the /sys interface, trust it over everything
|
||||||
sys_interface_available=1
|
sys_interface_available=1
|
||||||
fi
|
fi
|
||||||
@ -3956,8 +3960,8 @@ check_CVE_2018_3620_linux()
|
|||||||
|
|
||||||
_info_nol "* PTE inversion enabled and active: "
|
_info_nol "* PTE inversion enabled and active: "
|
||||||
if [ "$opt_live" = 1 ]; then
|
if [ "$opt_live" = 1 ]; then
|
||||||
if [ "$sys_interface_available" = 1 ]; then
|
if [ -n "$fullmsg" ]; then
|
||||||
if grep -q 'Mitigation: PTE Inversion' /sys/devices/system/cpu/vulnerabilities/l1tf; then
|
if echo "$fullmsg" | grep -q 'Mitigation: PTE Inversion'; then
|
||||||
pstatus green YES
|
pstatus green YES
|
||||||
pteinv_active=1
|
pteinv_active=1
|
||||||
else
|
else
|
||||||
@ -4047,7 +4051,7 @@ check_CVE_2018_3646_linux()
|
|||||||
status=UNK
|
status=UNK
|
||||||
sys_interface_available=0
|
sys_interface_available=0
|
||||||
msg=''
|
msg=''
|
||||||
if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/l1tf" 'VMX:.*' silent; then
|
if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/l1tf" '.*' quiet; then
|
||||||
# this kernel has the /sys interface, trust it over everything
|
# this kernel has the /sys interface, trust it over everything
|
||||||
sys_interface_available=1
|
sys_interface_available=1
|
||||||
fi
|
fi
|
||||||
@ -4136,18 +4140,19 @@ check_CVE_2018_3646_linux()
|
|||||||
|
|
||||||
_info_nol " * L1D flush enabled: "
|
_info_nol " * L1D flush enabled: "
|
||||||
if [ "$opt_live" = 1 ]; then
|
if [ "$opt_live" = 1 ]; then
|
||||||
if [ -r "/sys/devices/system/cpu/vulnerabilities/l1tf" ]; then
|
if [ -n "$fullmsg" ]; then
|
||||||
# vanilla: VMX: $l1dstatus, SMT $smtstatus
|
# vanilla: VMX: $l1dstatus, SMT $smtstatus
|
||||||
# Red Hat: VMX: SMT $smtstatus, L1D $l1dstatus
|
# Red Hat: VMX: SMT $smtstatus, L1D $l1dstatus
|
||||||
# $l1dstatus is one of (auto|vulnerable|conditional cache flushes|cache flushes|EPT disabled|flush not necessary)
|
# $l1dstatus is one of (auto|vulnerable|conditional cache flushes|cache flushes|EPT disabled|flush not necessary)
|
||||||
# $smtstatus is one of (vulnerable|disabled)
|
# $smtstatus is one of (vulnerable|disabled)
|
||||||
if grep -Eq '(VMX:|L1D) (EPT disabled|vulnerable|flush not necessary)' "/sys/devices/system/cpu/vulnerabilities/l1tf"; then
|
# can also just be "Not affected"
|
||||||
|
if echo "$fullmsg" | grep -Eq -e 'Not affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not necessary)'; then
|
||||||
l1d_mode=0
|
l1d_mode=0
|
||||||
pstatus yellow NO
|
pstatus yellow NO
|
||||||
elif grep -Eq '(VMX:|L1D) conditional cache flushes' "/sys/devices/system/cpu/vulnerabilities/l1tf"; then
|
elif echo "$fullmsg" | grep -Eq '(VMX:|L1D) conditional cache flushes'; then
|
||||||
l1d_mode=1
|
l1d_mode=1
|
||||||
pstatus green YES "conditional flushes"
|
pstatus green YES "conditional flushes"
|
||||||
elif grep -Eq '(VMX:|L1D) cache flushes' "/sys/devices/system/cpu/vulnerabilities/l1tf"; then
|
elif echo "$fullmsg" | grep -Eq '(VMX:|L1D) cache flushes'; then
|
||||||
l1d_mode=2
|
l1d_mode=2
|
||||||
pstatus green YES "unconditional flushes"
|
pstatus green YES "unconditional flushes"
|
||||||
else
|
else
|
||||||
@ -4214,6 +4219,9 @@ check_CVE_2018_3646_linux()
|
|||||||
if ! is_cpu_vulnerable "$cve"; then
|
if ! is_cpu_vulnerable "$cve"; then
|
||||||
# override status & msg in case CPU is not vulnerable after all
|
# override status & msg in case CPU is not vulnerable after all
|
||||||
pvulnstatus $cve OK "your CPU vendor reported your CPU model as not vulnerable"
|
pvulnstatus $cve OK "your CPU vendor reported your CPU model as not vulnerable"
|
||||||
|
elif [ "$fullmsg" = "Not affected" ]; then
|
||||||
|
# just in case a very recent kernel knows better than we do
|
||||||
|
pvulnstatus $cve OK "your kernel reported your CPU model as not vulnerable"
|
||||||
elif [ "$has_vmm" = 0 ]; then
|
elif [ "$has_vmm" = 0 ]; then
|
||||||
pvulnstatus $cve OK "this system is not running a hypervisor"
|
pvulnstatus $cve OK "this system is not running a hypervisor"
|
||||||
else
|
else
|
||||||
@ -4375,7 +4383,7 @@ check_mds()
|
|||||||
|
|
||||||
if [ "$opt_live" = 1 ] && [ "$sys_interface_available" = 1 ]; then
|
if [ "$opt_live" = 1 ] && [ "$sys_interface_available" = 1 ]; then
|
||||||
_info_nol "* Kernel mitigation is enabled and active: "
|
_info_nol "* Kernel mitigation is enabled and active: "
|
||||||
if grep -qi ^mitigation /sys/devices/system/cpu/vulnerabilities/mds; then
|
if echo "$fullmsg" | grep -qi ^mitigation; then
|
||||||
mds_mitigated=1
|
mds_mitigated=1
|
||||||
pstatus green YES
|
pstatus green YES
|
||||||
else
|
else
|
||||||
@ -4383,7 +4391,7 @@ check_mds()
|
|||||||
pstatus yellow NO
|
pstatus yellow NO
|
||||||
fi
|
fi
|
||||||
_info_nol "* SMT is either mitigated or disabled: "
|
_info_nol "* SMT is either mitigated or disabled: "
|
||||||
if grep -Eq 'SMT (disabled|mitigated)' /sys/devices/system/cpu/vulnerabilities/mds; then
|
if echo "$fullmsg" | grep -Eq 'SMT (disabled|mitigated)'; then
|
||||||
mds_smt_mitigated=1
|
mds_smt_mitigated=1
|
||||||
pstatus green YES
|
pstatus green YES
|
||||||
else
|
else
|
||||||
@ -4431,7 +4439,7 @@ check_mds()
|
|||||||
else
|
else
|
||||||
if [ "$opt_paranoid" = 1 ]; then
|
if [ "$opt_paranoid" = 1 ]; then
|
||||||
# in paranoid mode, we don't only need microcode + kernel update, we also want SMT mitigation
|
# in paranoid mode, we don't only need microcode + kernel update, we also want SMT mitigation
|
||||||
if grep -qF -e 'SMT mitigated' -e 'SMT disabled' /sys/devices/system/cpu/vulnerabilities/mds; then
|
if echo "$fullmsg" | grep -qF -e 'SMT mitigated' -e 'SMT disabled'; then
|
||||||
pvulnstatus "$cve" OK "$fullmsg"
|
pvulnstatus "$cve" OK "$fullmsg"
|
||||||
else
|
else
|
||||||
pvulnstatus "$cve" VULN "Your kernel and microcode partially mitigate the vulnerability, but you must disable SMT (Hyper-Threading) for a complete mitigation"
|
pvulnstatus "$cve" VULN "Your kernel and microcode partially mitigate the vulnerability, but you must disable SMT (Hyper-Threading) for a complete mitigation"
|
||||||
|
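Review bot: The new `[ -n "$fullmsg" ]` guards in check_CVE_2017_5715_linux, check_CVE_2018_3620_linux and check_CVE_2018_3646_linux test a global that every later sys_interface_check call resets and overwrites, so where the old code re-read a fixed sysfs path, the new greps match against whichever file was inspected most recently; if another sys_interface_check runs between the spectre_v2 or l1tf read and these checks (not visible in the hunks), the retpoline, IBRS and L1D-flush results are derived from the wrong file. Snapshotting the value right after the relevant call, e.g. `spectre_v2_sysfs="$fullmsg"`, and grepping that local copy keeps each check tied to the file it describes. Separately, the repeated `echo "$fullmsg" | grep …` is safer as `printf '%s\n' "$fullmsg" | grep …`, since the kernel-provided string is otherwise handed to echo verbatim. All enclosing functions start and end outside the visible hunks.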