mirror of
https://github.com/speed47/spectre-meltdown-checker
synced 2025-01-03 01:55:51 +01:00
chore: fix indentation
parent
62d3448a54
commit
d8f0ddd7a5
@ -1,5 +1,6 @@
|
|||||||
#! /bin/sh
|
#! /bin/sh
|
||||||
# SPDX-License-Identifier: GPL-3.0-only
|
# SPDX-License-Identifier: GPL-3.0-only
|
||||||
|
# vim: set ts=8 sw=8 sts=4 noet:
|
||||||
#
|
#
|
||||||
# Spectre & Meltdown checker
|
# Spectre & Meltdown checker
|
||||||
#
|
#
|
||||||
@ -719,7 +720,10 @@ is_cpu_srbds_free()
|
|||||||
# source: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/kernel/cpu/common.c
|
# source: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/kernel/cpu/common.c
|
||||||
#
|
#
|
||||||
# A processor is affected by SRBDS if its Family_Model and stepping is in the
|
# A processor is affected by SRBDS if its Family_Model and stepping is in the
|
||||||
# following list:
|
# following list, with the exception of the listed processors
|
||||||
|
# exporting MDS_NO while Intel TSX is available yet not enabled. The
|
||||||
|
# latter class of processors are only affected when Intel TSX is enabled
|
||||||
|
# by software using TSX_CTRL_MSR otherwise they are not affected.
|
||||||
#
|
#
|
||||||
# ============= ============ ========
|
# ============= ============ ========
|
||||||
# common name Family_Model Stepping
|
# common name Family_Model Stepping
|
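Review bot: The expanded header comment of is_cpu_srbds_free adds an exception for processors "exporting MDS_NO while Intel TSX is available yet not enabled", but it does not say which table rows the exception covers or where the function tests for it. In the lines shown, only rows tagged `(MDS_NO)` (for example Kabylake 06_9EH) look like candidates, and the Kaby Lake `elif` in the following hunk compares model and stepping only. The function body continues outside both hunks, so the MDS_NO/TSX test is presumably further down. I would add a line after the new paragraph such as `# The exception applies to the rows tagged (MDS_NO) in the table below.`, plus a short comment beside the stepping test naming the condition that decides "TSX enabled". Without that, a reader comparing the script with the kernel list cannot confirm that an MDS_NO part with TSX enabled is still reported as affected.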
||||||
@ -741,16 +745,16 @@ is_cpu_srbds_free()
|
|||||||
# Kabylake 06_9EH <=0xD (MDS_NO) (INTEL_FAM6_KABYLAKE)
|
# Kabylake 06_9EH <=0xD (MDS_NO) (INTEL_FAM6_KABYLAKE)
|
||||||
# ============= ============ ========
|
# ============= ============ ========
|
||||||
parse_cpu_details
|
parse_cpu_details
|
||||||
if is_intel; then
|
if is_intel; then
|
||||||
if [ "$cpu_family" = 6 ]; then
|
if [ "$cpu_family" = 6 ]; then
|
||||||
if [ "$cpu_model" = "$INTEL_FAM6_IVYBRIDGE" ] || \
|
if [ "$cpu_model" = "$INTEL_FAM6_IVYBRIDGE" ] || \
|
||||||
[ "$cpu_model" = "$INTEL_FAM6_HASWELL" ] || \
|
[ "$cpu_model" = "$INTEL_FAM6_HASWELL" ] || \
|
||||||
[ "$cpu_model" = "$INTEL_FAM6_HASWELL_L" ] || \
|
[ "$cpu_model" = "$INTEL_FAM6_HASWELL_L" ] || \
|
||||||
[ "$cpu_model" = "$INTEL_FAM6_HASWELL_G" ] || \
|
[ "$cpu_model" = "$INTEL_FAM6_HASWELL_G" ] || \
|
||||||
[ "$cpu_model" = "$INTEL_FAM6_BROADWELL_G" ] || \
|
[ "$cpu_model" = "$INTEL_FAM6_BROADWELL_G" ] || \
|
||||||
[ "$cpu_model" = "$INTEL_FAM6_BROADWELL" ] || \
|
[ "$cpu_model" = "$INTEL_FAM6_BROADWELL" ] || \
|
||||||
[ "$cpu_model" = "$INTEL_FAM6_SKYLAKE_L" ] || \
|
[ "$cpu_model" = "$INTEL_FAM6_SKYLAKE_L" ] || \
|
||||||
[ "$cpu_model" = "$INTEL_FAM6_SKYLAKE" ]; then
|
[ "$cpu_model" = "$INTEL_FAM6_SKYLAKE" ]; then
|
||||||
return 1
|
return 1
|
||||||
elif [ "$cpu_model" = "$INTEL_FAM6_KABYLAKE_L" ] && [ "$cpu_stepping" -le 12 ] || \
|
elif [ "$cpu_model" = "$INTEL_FAM6_KABYLAKE_L" ] && [ "$cpu_stepping" -le 12 ] || \
|
||||||
[ "$cpu_model" = "$INTEL_FAM6_KABYLAKE" ] && [ "$cpu_stepping" -le 13 ]; then
|
[ "$cpu_model" = "$INTEL_FAM6_KABYLAKE" ] && [ "$cpu_stepping" -le 13 ]; then
|
||||||
@ -5363,97 +5367,97 @@ check_CVE_2020_0543()
|
|||||||
|
|
||||||
check_CVE_2020_0543_linux()
|
check_CVE_2020_0543_linux()
|
||||||
{
|
{
|
||||||
status=UNK
|
status=UNK
|
||||||
sys_interface_available=0
|
sys_interface_available=0
|
||||||
msg=''
|
msg=''
|
||||||
if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/srbds"; then
|
if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/srbds"; then
|
||||||
# this kernel has the /sys interface, trust it over everything
|
# this kernel has the /sys interface, trust it over everything
|
||||||
sys_interface_available=1
|
sys_interface_available=1
|
||||||
fi
|
fi
|
||||||
if [ "$opt_sysfs_only" != 1 ]; then
|
if [ "$opt_sysfs_only" != 1 ]; then
|
||||||
_info_nol "* SRBDS mitigation control is supported by the kernel: "
|
_info_nol "* SRBDS mitigation control is supported by the kernel: "
|
||||||
kernel_srbds=''
|
kernel_srbds=''
|
||||||
if [ -n "$kernel_err" ]; then
|
if [ -n "$kernel_err" ]; then
|
||||||
kernel_srbds_err="$kernel_err"
|
kernel_srbds_err="$kernel_err"
|
||||||
elif grep -q 'Dependent on hypervisor' "$kernel"; then
|
elif grep -q 'Dependent on hypervisor' "$kernel"; then
|
||||||
kernel_srbds="found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation"
|
kernel_srbds="found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation"
|
||||||
fi
|
fi
|
||||||
if [ -n "$kernel_srbds" ]; then
|
if [ -n "$kernel_srbds" ]; then
|
||||||
pstatus green YES "$kernel_srbds"
|
pstatus green YES "$kernel_srbds"
|
||||||
elif [ -n "$kernel_srbds_err" ]; then
|
elif [ -n "$kernel_srbds_err" ]; then
|
||||||
pstatus yellow UNKNOWN "$kernel_srbds_err"
|
pstatus yellow UNKNOWN "$kernel_srbds_err"
|
||||||
else
|
else
|
||||||
pstatus yellow NO
|
pstatus yellow NO
|
||||||
fi
|
fi
|
||||||
_info_nol "* SRBDS mitigation control is enabled and active: "
|
_info_nol "* SRBDS mitigation control is enabled and active: "
|
||||||
if [ "$opt_live" = 1 ]; then
|
if [ "$opt_live" = 1 ]; then
|
||||||
if [ -n "$fullmsg" ]; then
|
if [ -n "$fullmsg" ]; then
|
||||||
if echo "$fullmsg" | grep -qE '^Mitigation'; then
|
if echo "$fullmsg" | grep -qE '^Mitigation'; then
|
||||||
pstatus green YES "$fullmsg"
|
pstatus green YES "$fullmsg"
|
||||||
else
|
else
|
||||||
pstatus yellow NO
|
pstatus yellow NO
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
pstatus yellow NO "SRBDS not found in sysfs hierarchy"
|
pstatus yellow NO "SRBDS not found in sysfs hierarchy"
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
pstatus blue N/A "not testable in offline mode"
|
pstatus blue N/A "not testable in offline mode"
|
||||||
fi
|
fi
|
||||||
elif [ "$sys_interface_available" = 0 ]; then
|
elif [ "$sys_interface_available" = 0 ]; then
|
||||||
# we have no sysfs but were asked to use it only!
|
# we have no sysfs but were asked to use it only!
|
||||||
msg="/sys vulnerability interface use forced, but it's not available!"
|
msg="/sys vulnerability interface use forced, but it's not available!"
|
||||||
status=UNK
|
status=UNK
|
||||||
fi
|
fi
|
||||||
if ! is_cpu_vulnerable "$cve" ; then
|
if ! is_cpu_vulnerable "$cve" ; then
|
||||||
# override status & msg in case CPU is not vulnerable after all
|
# override status & msg in case CPU is not vulnerable after all
|
||||||
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not vulnerable"
|
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not vulnerable"
|
||||||
else
|
else
|
||||||
if [ "$opt_sysfs_only" != 1 ]; then
|
if [ "$opt_sysfs_only" != 1 ]; then
|
||||||
if [ "$cpuid_srbds" = 1 ]; then
|
if [ "$cpuid_srbds" = 1 ]; then
|
||||||
# SRBDS mitigation control exists
|
# SRBDS mitigation control exists
|
||||||
if [ "$srbds_on" = 1 ]; then
|
if [ "$srbds_on" = 1 ]; then
|
||||||
# SRBDS mitigation control is enabled
|
# SRBDS mitigation control is enabled
|
||||||
if [ -z "$msg" ]; then
|
if [ -z "$msg" ]; then
|
||||||
# if msg is empty, sysfs check didn't fill it, rely on our own test
|
# if msg is empty, sysfs check didn't fill it, rely on our own test
|
||||||
if [ "$opt_live" = 1 ]; then
|
if [ "$opt_live" = 1 ]; then
|
||||||
# if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old
|
# if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old
|
||||||
pvulnstatus "$cve" OK "Your microcode is up to date for SRBDS mitigation control. The kernel needs to be updated"
|
pvulnstatus "$cve" OK "Your microcode is up to date for SRBDS mitigation control. The kernel needs to be updated"
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
if [ -n "$kernel_srbds" ]; then
|
if [ -n "$kernel_srbds" ]; then
|
||||||
pvulnstatus "$cve" OK "Your microcode and kernel are both up to date for SRBDS mitigation control. Mitigation is enabled"
|
pvulnstatus "$cve" OK "Your microcode and kernel are both up to date for SRBDS mitigation control. Mitigation is enabled"
|
||||||
else
|
else
|
||||||
pvulnstatus "$cve" OK "Your microcode is up to date for SRBDS mitigation control. The kernel needs to be updated"
|
pvulnstatus "$cve" OK "Your microcode is up to date for SRBDS mitigation control. The kernel needs to be updated"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
elif [ "$srbds_on" = 0 ]; then
|
elif [ "$srbds_on" = 0 ]; then
|
||||||
# SRBDS mitigation control is disabled
|
# SRBDS mitigation control is disabled
|
||||||
if [ -z "$msg" ]; then
|
if [ -z "$msg" ]; then
|
||||||
if [ "$opt_live" = 1 ]; then
|
if [ "$opt_live" = 1 ]; then
|
||||||
# if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old
|
# if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old
|
||||||
pvulnstatus "$cve" VULN "Your microcode is up to date for SRBDS mitigation control. The kernel needs to be updated. Mitigation is disabled"
|
pvulnstatus "$cve" VULN "Your microcode is up to date for SRBDS mitigation control. The kernel needs to be updated. Mitigation is disabled"
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
if [ -n "$kernel_srbds" ]; then
|
if [ -n "$kernel_srbds" ]; then
|
||||||
pvulnstatus "$cve" VULN "Your microcode and kernel are both up to date for SRBDS mitigation control. Mitigation is disabled"
|
pvulnstatus "$cve" VULN "Your microcode and kernel are both up to date for SRBDS mitigation control. Mitigation is disabled"
|
||||||
else
|
else
|
||||||
pvulnstatus "$cve" VULN "Your microcode is up to date for SRBDS mitigation control. The kernel needs to be updated. Mitigation is disabled"
|
pvulnstatus "$cve" VULN "Your microcode is up to date for SRBDS mitigation control. The kernel needs to be updated. Mitigation is disabled"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
# rdmsr: CPU 0 cannot read MSR 0x00000123
|
# rdmsr: CPU 0 cannot read MSR 0x00000123
|
||||||
pvulnstatus "$cve" UNK "Not able to enumerate MSR for SRBDS mitigation control"
|
pvulnstatus "$cve" UNK "Not able to enumerate MSR for SRBDS mitigation control"
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
# [ $cpuid_srbds != 1 ]
|
# [ $cpuid_srbds != 1 ]
|
||||||
pvulnstatus "$cve" VULN "Your CPU microcode may need to be updated to mitigate the vulnerability"
|
pvulnstatus "$cve" VULN "Your CPU microcode may need to be updated to mitigate the vulnerability"
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
# sysfs only: return the status/msg we got
|
# sysfs only: return the status/msg we got
|
||||||
pvulnstatus "$cve" "$status" "$fullmsg"
|
pvulnstatus "$cve" "$status" "$fullmsg"
|
||||||
return
|
return
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
#######################
|
#######################
|
||||||
|