1
0
mirror of https://github.com/speed47/spectre-meltdown-checker synced 2024-12-23 04:43:37 +01:00

feat: implement support for NetBSD/FreeBSD/DragonFlyBSD

This commit is contained in:
Stéphane Lesimple 2018-03-25 12:23:46 +02:00
parent 889172dbb1
commit ece25b98a1
2 changed files with 376 additions and 124 deletions

View File

@ -1,10 +1,13 @@
Spectre & Meltdown Checker
==========================
A simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.
A shell script to tell if your system is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.
Without options, it'll inspect your currently running kernel.
You can also specify a kernel image on the command line, if you'd like to inspect a kernel you're not running.
Supported systems:
- Linux (all versions and flavors)
- FreeBSD
- NetBSD
- DragonFlyBSD
The script will do its best to detect mitigations, including backported non-vanilla patches, regardless of the advertised kernel version number.

View File

@ -20,8 +20,10 @@ exit_cleanup()
[ -n "$vmlinuxtmp" ] && [ -f "$vmlinuxtmp" ] && rm -f "$vmlinuxtmp"
[ -n "$vmlinuxtmp2" ] && [ -f "$vmlinuxtmp2" ] && rm -f "$vmlinuxtmp2"
[ "$mounted_debugfs" = 1 ] && umount /sys/kernel/debug 2>/dev/null
[ "$mounted_procfs" = 1 ] && umount "$procfs" 2>/dev/null
[ "$insmod_cpuid" = 1 ] && rmmod cpuid 2>/dev/null
[ "$insmod_msr" = 1 ] && rmmod msr 2>/dev/null
[ "$kldload_cpuctl" = 1 ] && kldunload cpuctl 2>/dev/null
}
show_usage()
@ -41,9 +43,9 @@ show_usage()
Second mode is the "offline" mode, where you can inspect a non-running kernel.
You'll need to specify the location of the vmlinux file, config and System.map files:
--kernel vmlinux_file Specify a (possibly compressed) vmlinux file
--config kernel_config Specify a kernel config file
--map kernel_map_file Specify a kernel System.map file
--kernel kernel_file Specify a (possibly compressed) Linux or BSD kernel file
--config kernel_config Specify a kernel config file (Linux only)
--map kernel_map_file Specify a kernel System.map file (Linux only)
Options:
--no-color Don't use color codes
@ -100,6 +102,8 @@ This tool has been released in the hope that it'll be useful, but don't use it t
EOF
}
os=$(uname -s)
# parse options
opt_kernel=''
opt_config=''
@ -123,12 +127,19 @@ global_critical=0
global_unknown=0
nrpe_vuln=""
# find a sane `echo` command
# find a sane command to print colored messages, we prefer `printf` over `echo`
# because `printf` behavior is more standard across Linux/BSD
# we'll try to avoid using shell builtins that might not take options
if which echo >/dev/null 2>&1; then
echo_cmd_type=echo
if which printf >/dev/null 2>&1; then
echo_cmd=$(which printf)
echo_cmd_type=printf
elif which echo >/dev/null 2>&1; then
echo_cmd=$(which echo)
else
# which command is broken?
[ -x /bin/echo ] && echo_cmd=/bin/echo
# for Android
[ -x /system/bin/echo ] && echo_cmd=/system/bin/echo
fi
# still empty ? fallback to builtin
@ -143,11 +154,24 @@ __echo()
# strip ANSI color codes
# some sed versions (i.e. toybox) can't seem to handle
# \033 aka \x1B correctly, so do it for them.
_ctrlchar=$($echo_cmd -e "\033")
_msg=$($echo_cmd -e "$_msg" | sed -r "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g")
if [ "$echo_cmd_type" = printf ]; then
_interpret_chars=''
else
_interpret_chars='-e'
fi
_ctrlchar=$($echo_cmd $_interpret_chars "\033")
_msg=$($echo_cmd $_interpret_chars "$_msg" | sed -r "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g")
fi
if [ "$echo_cmd_type" = printf ]; then
if [ "$opt" = "-n" ]; then
$echo_cmd "$_msg"
else
$echo_cmd "$_msg\n"
fi
else
# shellcheck disable=SC2086
$echo_cmd $opt -e "$_msg"
fi
}
_echo()
@ -234,7 +258,7 @@ is_cpu_vulnerable()
# https://github.com/crozone/SpectrePoC/issues/1 ^F E5200 => spectre 2 not vulnerable
# https://github.com/paboldin/meltdown-exploit/issues/19 ^F E5200 => meltdown vulnerable
# model name : Pentium(R) Dual-Core CPU E5200 @ 2.50GHz
if grep -qE '^model name.+ Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K? ' /proc/cpuinfo; then
if grep -qE '^model name.+ Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K? ' "$procfs/cpuinfo"; then
variant1=vuln
[ -z "$variant2" ] && variant2=immune
variant3=vuln
@ -669,14 +693,32 @@ mount_debugfs()
load_msr()
{
if [ "$os" = Linux ]; then
modprobe msr 2>/dev/null && insmod_msr=1
_debug "attempted to load module msr, insmod_msr=$insmod_msr"
else
if ! kldstat -q -m cpuctl; then
kldload cpuctl 2>/dev/null && kldload_cpuctl=1
_debug "attempted to load module cpuctl, kldload_cpuctl=$kldload_cpuctl"
else
_debug "cpuctl module already loaded"
fi
fi
}
load_cpuid()
{
if [ "$os" = Linux ]; then
modprobe cpuid 2>/dev/null && insmod_cpuid=1
_debug "attempted to load module cpuid, insmod_cpuid=$insmod_cpuid"
else
if ! kldstat -q -m cpuctl; then
kldload cpuctl 2>/dev/null && kldload_cpuctl=1
_debug "attempted to load module cpuctl, kldload_cpuctl=$kldload_cpuctl"
else
_debug "cpuctl module already loaded"
fi
fi
}
read_cpuid()
@ -685,19 +727,19 @@ read_cpuid()
_bytenum="$2"
_and_operand="$3"
if [ ! -e /dev/cpu/0/cpuid ]; then
if [ ! -e /dev/cpu/0/cpuid ] && [ ! -e /dev/cpuctl0 ]; then
# try to load the module ourselves (and remember it so we can rmmod it afterwards)
load_cpuid
fi
if [ ! -e /dev/cpu/0/cpuid ]; then
return 2
fi
if [ -e /dev/cpu/0/cpuid ]; then
# Linux
# we need _leaf to be converted to decimal for dd
_leaf=$(( _leaf ))
if [ "$opt_verbose" -ge 3 ]; then
dd if=/dev/cpu/0/cpuid bs=16 skip="$_leaf" iflag=skip_bytes count=1 >/dev/null 2>/dev/null
_debug "cpuid: reading leaf$_leaf of cpuid on cpu0, ret=$?"
_debug "cpuid: leaf$_leaf eax-ebx-ecx-edx: $( dd if=/dev/cpu/0/cpuid bs=16 skip="$_leaf" iflag=skip_bytes count=1 2>/dev/null | od -x -A n)"
_debug "cpuid: leaf$_leaf edx higher byte is: $(dd if=/dev/cpu/0/cpuid bs=16 skip="$_leaf" iflag=skip_bytes count=1 2>/dev/null | dd bs=1 skip="$_bytenum" count=1 2>/dev/null | od -x -A n)"
fi
# getting proper byte of edx on leaf$_leaf of cpuinfo in decimal
_reg_byte=$(dd if=/dev/cpu/0/cpuid bs=16 skip="$_leaf" iflag=skip_bytes count=1 2>/dev/null | dd bs=1 skip="$_bytenum" count=1 2>/dev/null | od -t u1 -A n | awk '{print $1}')
@ -707,6 +749,48 @@ read_cpuid()
[ "$_reg_bit" -eq 0 ] && return 1
# $_reg_bit is > 0, so the bit was found: return true (aka 0)
return 0
elif [ -e /dev/cpuctl0 ]; then
# BSD
_cpuid=$(cpucontrol -i "$_leaf" /dev/cpuctl0 2>/dev/null | awk '{print $4,$5,$6,$7}')
# cpuid level 0x1: 0x000306d4 0x00100800 0x4dfaebbf 0xbfebfbff
_debug "cpuid: got $_cpuid for leaf $_leaf"
if [ "$_bytenum" -lt 4 ]; then
_reg_byte=$(echo "$_cpuid" | awk '{print $1}')
_debug "cpuid: $_bytenum is part of EAX ($_reg_byte)"
elif [ "$_bytenum" -lt 8 ]; then
_reg_byte=$(echo "$_cpuid" | awk '{print $2}')
_debug "cpuid: $_bytenum is part of EBX ($_reg_byte)"
elif [ "$_bytenum" -lt 12 ]; then
_reg_byte=$(echo "$_cpuid" | awk '{print $3}')
_debug "cpuid: $_bytenum is part of ECX ($_reg_byte)"
elif [ "$_bytenum" -lt 16 ]; then
_reg_byte=$(echo "$_cpuid" | awk '{print $4}')
_debug "cpuid: $_bytenum is part of EDX ($_reg_byte)"
else
_warn "read_cpuid: error in the program, please report to the developer ($_leaf/$_bytenum/$_and_operand)"
exit 1
fi
_bytenum=$(( _bytenum % 4 ))
case "$_bytenum" in
0) _reg_byte=0x$(echo "$_reg_byte" | cut -c9-10) ;;
1) _reg_byte=0x$(echo "$_reg_byte" | cut -c7-8) ;;
2) _reg_byte=0x$(echo "$_reg_byte" | cut -c5-6) ;;
3) _reg_byte=0x$(echo "$_reg_byte" | cut -c3-4) ;;
*) exit 8;
esac
_debug "cpuid: wanted byte is $_reg_byte"
# convert to decimal
_reg_byte=$(( _reg_byte ))
_debug "cpuid: decimal value is $_reg_byte"
_reg_bit=$(( _reg_byte & _and_operand ))
_debug "cpuid: leaf$_leaf byte $_bytenum & $_and_operand = $_reg_bit"
[ "$_reg_bit" -eq 0 ] && return 1
# $_reg_bit is > 0, so the bit was found: return true (aka 0)
return 0
fi
return 2
}
dmesg_grep()
@ -714,7 +798,7 @@ dmesg_grep()
# grep for something in dmesg, ensuring that the dmesg buffer
# has not been truncated
dmesg_grepped=''
if ! dmesg | grep -qE '(^|\] )Linux version [0-9]'; then
if ! dmesg | grep -qE -e '(^|\] )Linux version [0-9]' -e '^FreeBSD is a registered' ; then
# dmesg truncated
return 2
fi
@ -734,15 +818,17 @@ is_coreos()
parse_cpu_details()
{
[ "$parse_cpu_details_done" = 1 ] && return 0
cpu_vendor=$( grep '^vendor_id' /proc/cpuinfo | awk '{print $3}' | head -1)
cpu_friendly_name=$(grep '^model name' /proc/cpuinfo | cut -d: -f2- | head -1 | sed -e 's/^ *//')
if [ -e "$procfs/cpuinfo" ]; then
cpu_vendor=$( grep '^vendor_id' "$procfs/cpuinfo" | awk '{print $3}' | head -1)
cpu_friendly_name=$(grep '^model name' "$procfs/cpuinfo" | cut -d: -f2- | head -1 | sed -e 's/^ *//')
# special case for ARM follows
if grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x41' /proc/cpuinfo; then
if grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x41' "$procfs/cpuinfo"; then
cpu_vendor='ARM'
# some devices (phones or other) have several ARMs and as such different part numbers,
# an example is "bigLITTLE", so we need to store the whole list, this is needed for is_cpu_vulnerable
cpu_part_list=$(awk '/CPU part/ {print $4}' /proc/cpuinfo)
cpu_arch_list=$(awk '/CPU architecture/ {print $3}' /proc/cpuinfo)
cpu_part_list=$(awk '/CPU part/ {print $4}' "$procfs/cpuinfo")
cpu_arch_list=$(awk '/CPU architecture/ {print $3}' "$procfs/cpuinfo")
# take the first one to fill the friendly name, do NOT quote the vars below
# shellcheck disable=SC2086
cpu_arch=$(echo $cpu_arch_list | awk '{ print $1 }')
@ -754,11 +840,14 @@ parse_cpu_details()
[ -n "$cpu_part" ] && cpu_friendly_name="$cpu_friendly_name model $cpu_part"
fi
cpu_family=$( grep '^cpu family' /proc/cpuinfo | awk '{print $4}' | grep -E '^[0-9]+$' | head -1)
cpu_model=$( grep '^model' /proc/cpuinfo | awk '{print $3}' | grep -E '^[0-9]+$' | head -1)
cpu_stepping=$(grep '^stepping' /proc/cpuinfo | awk '{print $3}' | grep -E '^[0-9]+$' | head -1)
cpu_ucode=$( grep '^microcode' /proc/cpuinfo | awk '{print $3}' | head -1)
cpu_family=$( grep '^cpu family' "$procfs/cpuinfo" | awk '{print $4}' | grep -E '^[0-9]+$' | head -1)
cpu_model=$( grep '^model' "$procfs/cpuinfo" | awk '{print $3}' | grep -E '^[0-9]+$' | head -1)
cpu_stepping=$(grep '^stepping' "$procfs/cpuinfo" | awk '{print $3}' | grep -E '^[0-9]+$' | head -1)
cpu_ucode=$( grep '^microcode' "$procfs/cpuinfo" | awk '{print $3}' | head -1)
echo "$cpu_ucode" | grep -q ^0x && cpu_ucode_decimal=$(( cpu_ucode ))
else
cpu_friendly_name=$(sysctl -n hw.model)
fi
# also define those that we will need in other funcs
# taken from ttps://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/include/asm/intel-family.h
@ -903,6 +992,16 @@ is_skylake_cpu()
return 1
}
# ENTRYPOINT
# we can't do anything useful under WSL
if uname -a | grep -qE -- '-Microsoft #[0-9]+-Microsoft '; then
_warn "This script doesn't work under Windows Subsystem for Linux"
_warn "You should use the official Microsoft tool instead."
_warn "It can be found under https://aka.ms/SpeculationControlPS"
exit 1
fi
# check for mode selection inconsistency
if [ "$opt_live_explicit" = 1 ]; then
if [ -n "$opt_kernel" ] || [ -n "$opt_config" ] || [ -n "$opt_map" ]; then
@ -932,6 +1031,27 @@ else
fi
fi
# if we're under a BSD, try to mount linprocfs for "$procfs/cpuinfo"
procfs=/proc
if echo "$os" | grep -q BSD; then
_debug "We're under BSD, check if we have procfs"
procfs=$(mount | awk '/^linprocfs/ { print $3; exit; }')
if [ -z "$procfs" ]; then
_debug "we don't, try to mount it"
procfs=/proc
[ -d /compat/linux/proc ] && procfs=/compat/linux/proc
test -d $procfs || mkdir $procfs
if mount -t linprocfs linprocfs $procfs 2>/dev/null; then
mounted_procfs=1
_debug "procfs just mounted at $procfs"
else
procfs=''
fi
else
_debug "We do: $procfs"
fi
fi
parse_cpu_details
if [ "$opt_live" = 1 ]; then
# root check (only for live mode, for offline mode, we already checked if we could read the files)
@ -1014,30 +1134,32 @@ else
bad_accuracy=1
fi
if [ -n "$opt_config" ] && ! grep -q '^CONFIG_' "$opt_config"; then
if [ "$os" = Linux ]; then
if [ -n "$opt_config" ] && ! grep -q '^CONFIG_' "$opt_config"; then
# given file is invalid!
_warn "The kernel config file seems invalid, was expecting a plain-text file, ignoring it!"
opt_config=''
fi
fi
if [ -n "$dumped_config" ] && [ -n "$opt_config" ]; then
if [ -n "$dumped_config" ] && [ -n "$opt_config" ]; then
_verbose "Will use kconfig \033[35m/proc/config.gz (decompressed)\033[0m"
elif [ -n "$opt_config" ]; then
elif [ -n "$opt_config" ]; then
_verbose "Will use kconfig \033[35m$opt_config\033[0m"
else
else
_verbose "Will use no kconfig (accuracy might be reduced)"
bad_accuracy=1
fi
fi
if [ -n "$opt_map" ]; then
if [ -n "$opt_map" ]; then
_verbose "Will use System.map file \033[35m$opt_map\033[0m"
else
else
_verbose "Will use no System.map file (accuracy might be reduced)"
bad_accuracy=1
fi
fi
if [ "$bad_accuracy" = 1 ]; then
if [ "$bad_accuracy" = 1 ]; then
_info "We're missing some kernel info (see -v), accuracy might be reduced"
fi
fi
if [ -e "$opt_kernel" ]; then
@ -1065,13 +1187,16 @@ else
# try even harder with some kernels (such as ARM) that split the release (uname -r) and version (uname -v) in 2 adjacent strings
vmlinux_version=$("${opt_arch_prefix}strings" "$vmlinux" 2>/dev/null | grep -E -B1 '^#[0-9]+ .+ (19|20)[0-9][0-9]$' | tr "\n" " ")
fi
if [ -z "$vmlinux_version" ]; then
# FreeBSD?
vmlinux_version=$("${opt_arch_prefix}strings" "$vmlinux" 2>/dev/null | grep -E '^FreeBSD [0-9]' | head -1)
fi
if [ -n "$vmlinux_version" ]; then
# in live mode, check if the img we found is the correct one
if [ "$opt_live" = 1 ]; then
_verbose "Kernel image is \033[35m$vmlinux_version"
if ! echo "$vmlinux_version" | grep -qF "$(uname -r)" || \
! echo "$vmlinux_version" | grep -qF "$(uname -v)"; then
_warn "Possible disrepancy between your running kernel and the image we found ($opt_kernel), results might be incorrect"
if ! echo "$vmlinux_version" | grep -qF "$(uname -r)"; then
_warn "Possible disrepancy between your running kernel '$(uname -r)' and the image '$vmlinux_version' we found ($opt_kernel), results might be incorrect"
fi
else
_info "Kernel image is \033[35m$vmlinux_version"
@ -1115,24 +1240,29 @@ sys_interface_check()
number_of_cpus()
{
n=$(grep -c ^processor /proc/cpuinfo)
if echo "$os" | grep BSD; then
n=$(sysctl -n hw.ncpu 2>/dev/null || echo 1)
elif [ -e "$procfs/cpuinfo" ]; then
n=$(grep -c ^processor "$procfs/cpuinfo" 2>/dev/null || echo 1)
else
# if we don't know, default to 1 CPU
n=1
fi
return "$n"
}
# $1 - msr number
# $2 - cpu index
check_msr_enable()
write_msr()
{
dd if=/dev/cpu/"$2"/msr of=/dev/null bs=8 count=1 skip="$1" iflag=skip_bytes 2>/dev/null; ret=$?
return $ret
}
# $1 - msr number
# $2 - cpu index
# $3 - value
write_to_msr()
{
$echo_cmd -ne "$3" | dd of=/dev/cpu/"$2"/msr bs=8 count=1 seek="$1" oflag=seek_bytes 2>/dev/null; ret=$?
if [ "$os" != Linux ]; then
cpucontrol -m "$1=0" "/dev/cpuctl$2" >/dev/null 2>&1; ret=$?
else
# convert to decimal
_msrindex=$(( $1 ))
_echo_nol -9 "\0\0\0\0\0\0\0\0" | dd of=/dev/cpu/"$2"/msr bs=8 count=1 seek="$_msrindex" oflag=seek_bytes 2>/dev/null; ret=$?
fi
_debug "write_msr: for cpu $2 on msr $1 ($_msrindex), ret=$ret"
return $ret
}
@ -1140,8 +1270,26 @@ write_to_msr()
# $2 - cpu index
read_msr()
{
msr=$(dd if=/dev/cpu/"$2"/msr bs=8 count=1 skip="$1" iflag=skip_bytes 2>/dev/null | od -t u1 -A n | awk '{print $8}');
return "$msr"
read_msr_value=''
if [ "$os" != Linux ]; then
_msr=$(cpucontrol -m "$1" "/dev/cpuctl$2" 2>/dev/null); ret=$?
[ $ret -ne 0 ] && return 1
# MSR 0x10: 0x000003e1 0xb106dded
_msr_h=$(echo "$_msr" | awk '{print $3}');
_msr_h="$(( _msr_h >> 24 & 0xFF )) $(( _msr_h >> 16 & 0xFF )) $(( _msr_h >> 8 & 0xFF )) $(( _msr_h & 0xFF ))"
_msr_l=$(echo "$_msr" | awk '{print $4}');
_msr_l="$(( _msr_l >> 24 & 0xFF )) $(( _msr_l >> 16 & 0xFF )) $(( _msr_l >> 8 & 0xFF )) $(( _msr_l & 0xFF ))"
read_msr_value="$_msr_h $_msr_l"
else
# convert to decimal
_msrindex=$(( $1 ))
if ! dd if=/dev/cpu/"$2"/msr bs=8 count=1 skip="$_msrindex" iflag=skip_bytes 2>/dev/null; then
return 1
fi
read_msr_value=$(dd if=/dev/cpu/"$2"/msr bs=8 count=1 skip="$_msrindex" iflag=skip_bytes 2>/dev/null | od -t u1 -A n)
fi
_debug "read_msr: MSR=$1 value is $read_msr_value"
return 0
}
@ -1159,13 +1307,13 @@ check_cpu()
number_of_cpus
ncpus=$?
idx_max_cpu=$((ncpus-1))
if [ ! -e /dev/cpu/0/msr ]; then
if [ ! -e /dev/cpu/0/msr ] && [ ! -e /dev/cpuctl0 ]; then
# try to load the module ourselves (and remember it so we can rmmod it afterwards)
load_msr
fi
if [ ! -e /dev/cpu/0/msr ]; then
if [ ! -e /dev/cpu/0/msr ] && [ ! -e /dev/cpuctl0 ]; then
spec_ctrl_msr=-1
pstatus yellow UNKNOWN "couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?"
pstatus yellow UNKNOWN "couldn't read MSR, is MSR support enabled in your kernel?"
else
# the new MSR 'SPEC_CTRL' is at offset 0x48
# here we use dd, it's the same as using 'rdmsr 0x48' but without needing the rdmsr tool
@ -1175,8 +1323,7 @@ check_cpu()
cpu_mismatch=0
for i in $(seq 0 "$idx_max_cpu")
do
check_msr_enable 72 "$i"
ret=$?
read_msr 0x48 "$i"; ret=$?
if [ "$i" -eq 0 ]; then
val=$ret
else
@ -1203,7 +1350,7 @@ check_cpu()
_info_nol " * CPU indicates IBRS capability: "
# from kernel src: { X86_FEATURE_SPEC_CTRL, CPUID_EDX,26, 0x00000007, 0 },
read_cpuid 7 15 4; ret=$?
read_cpuid 0x7 15 4; ret=$?
if [ $ret -eq 0 ]; then
pstatus green YES "SPEC_CTRL feature bit"
cpuid_spec_ctrl=1
@ -1220,7 +1367,7 @@ check_cpu()
# but let's check it anyway (in verbose mode only)
_verbose_nol " * Kernel has set the spec_ctrl flag in cpuinfo: "
if [ "$opt_live" = 1 ]; then
if grep ^flags /proc/cpuinfo | grep -qw spec_ctrl; then
if grep ^flags "$procfs/cpuinfo" | grep -qw spec_ctrl; then
pstatus green YES
else
pstatus blue NO
@ -1233,7 +1380,7 @@ check_cpu()
# IBPB
_info " * Indirect Branch Prediction Barrier (IBPB)"
_info_nol " * PRED_CMD MSR is available: "
if [ ! -e /dev/cpu/0/msr ]; then
if [ ! -e /dev/cpu/0/msr ] && [ ! -e /dev/cpuctl0 ]; then
pstatus yellow UNKNOWN "couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?"
else
# the new MSR 'PRED_CTRL' is at offset 0x49, write-only
@ -1243,8 +1390,7 @@ check_cpu()
cpu_mismatch=0
for i in $(seq 0 "$idx_max_cpu")
do
write_to_msr 73 "$i" "\0\0\0\0\0\0\0\0"
ret=$?
write_msr 0x49 "$i"; ret=$?
if [ "$i" -eq 0 ]; then
val=$ret
else
@ -1269,7 +1415,7 @@ check_cpu()
_info_nol " * CPU indicates IBPB capability: "
# CPUID EAX=0x80000008, ECX=0x00 return EBX[12] indicates support for just IBPB.
read_cpuid 2147483656 5 16; ret=$?
read_cpuid 0x80000008 5 16; ret=$?
if [ $ret -eq 0 ]; then
pstatus green YES "IBPB_SUPPORT feature bit"
elif [ "$cpuid_spec_ctrl" = 1 ]; then
@ -1293,7 +1439,7 @@ check_cpu()
_info_nol " * CPU indicates STIBP capability: "
# A processor supports STIBP if it enumerates CPUID (EAX=7H,ECX=0):EDX[27] as 1
read_cpuid 7 15 8; ret=$?
read_cpuid 0x7 15 8; ret=$?
if [ $ret -eq 0 ]; then
pstatus green YES
elif [ $ret -eq 2 ]; then
@ -1306,7 +1452,7 @@ check_cpu()
_info_nol " * CPU indicates ARCH_CAPABILITIES MSR availability: "
cpuid_arch_capabilities=-1
# A processor supports STIBP if it enumerates CPUID (EAX=7H,ECX=0):EDX[27] as 1
read_cpuid 7 15 32; ret=$?
read_cpuid 0x7 15 32; ret=$?
if [ $ret -eq 0 ]; then
pstatus green YES
cpuid_arch_capabilities=1
@ -1326,7 +1472,7 @@ check_cpu()
capabilities_rdcl_no=0
capabilities_ibrs_all=0
pstatus red NO
elif [ ! -e /dev/cpu/0/msr ]; then
elif [ ! -e /dev/cpu/0/msr ] && [ ! -e /dev/cpuctl0 ]; then
spec_ctrl_msr=-1
pstatus yellow UNKNOWN "couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?"
else
@ -1338,10 +1484,8 @@ check_cpu()
cpu_mismatch=0
for i in $(seq 0 "$idx_max_cpu")
do
check_msr_enable 266 "$i"
ret=$?
read_msr 266 "$i"
capabilities=$?
read_msr 0x10a "$i"; ret=$?
capabilities=$(echo "$read_msr_value" | awk '{print $8}')
if [ "$i" -eq 0 ]; then
val=$ret
val_cap_msr=$capabilities
@ -1445,7 +1589,17 @@ check_redhat_canonical_spectre()
check_variant1()
{
_info "\033[1;34mCVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'\033[0m"
if [ "$os" = Linux ]; then
check_variant1_linux
elif echo "$os" | grep -q BSD; then
check_variant1_bsd
else
_warn "Unsupported OS ($os)"
fi
}
check_variant1_linux()
{
status=UNK
sys_interface_available=0
msg=''
@ -1566,12 +1720,34 @@ check_variant1()
fi
}
check_variant1_bsd()
{
cve='CVE-2017-5753'
if ! is_cpu_vulnerable 1; then
# override status & msg in case CPU is not vulnerable after all
pvulnstatus $cve OK "your CPU vendor reported your CPU model as not vulnerable"
else
pvulnstatus $cve VULN "no mitigation for BSD yet"
fi
}
###################
# SPECTRE VARIANT 2
check_variant2()
{
_info "\033[1;34mCVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'\033[0m"
if [ "$os" = Linux ]; then
check_variant2_linux
elif echo "$os" | grep -q BSD; then
check_variant2_bsd
else
_warn "Unsupported OS ($os)"
fi
}
check_variant2_linux()
{
status=UNK
sys_interface_available=0
msg=''
@ -1613,13 +1789,13 @@ check_variant2()
_debug "ibrs: $dir/ibrs_enabled file doesn't exist"
fi
done
# on some newer kernels, the spec_ctrl_ibrs flag in /proc/cpuinfo
# on some newer kernels, the spec_ctrl_ibrs flag in "$procfs/cpuinfo"
# is set when ibrs has been administratively enabled (usually from cmdline)
# which in that case means ibrs is supported *and* enabled for kernel & user
# as per the ibrs patch series v3
if [ "$ibrs_supported" = 0 ]; then
if grep ^flags /proc/cpuinfo | grep -qw spec_ctrl_ibrs; then
_debug "ibrs: found spec_ctrl_ibrs flag in /proc/cpuinfo"
if grep ^flags "$procfs/cpuinfo" | grep -qw spec_ctrl_ibrs; then
_debug "ibrs: found spec_ctrl_ibrs flag in $procfs/cpuinfo"
ibrs_supported=1
# enabled=2 -> kernel & user
ibrs_enabled=2
@ -1851,12 +2027,55 @@ check_variant2()
fi
}
check_variant2_bsd()
{
_info_nol "* Kernel supports IBRS: "
ibrs_disabled=$(sysctl -n hw.ibrs_disable 2>/dev/null)
if [ -z "$ibrs_disabled" ]; then
pstatus red NO
else
pstatus green YES
fi
_info_nol "* IBRS enabled and active: "
ibrs_active=$(sysctl -n hw.ibrs_active 2>/dev/null)
if [ "$ibrs_active" = 1 ]; then
pstatus green YES
else
pstatus red NO
fi
cve='CVE-2017-5715'
if ! is_cpu_vulnerable 2; then
# override status & msg in case CPU is not vulnerable after all
pvulnstatus $cve OK "your CPU vendor reported your CPU model as not vulnerable"
elif [ "$ibrs_active" = 1 ]; then
pvulnstatus $cve OK "IBRS mitigates the vulnerability"
elif [ "$ibrs_disabled" = 0 ]; then
pvulnstatus $cve VULN "IBRS is supported by your kernel but your CPU microcode lacks support"
elif [ "$ibrs_disabled" = 1 ]; then
pvulnstatus $cve VULN "IBRS is supported but administratively disabled on your system"
else
pvulnstatus $cve VULN "IBRS is needed to mitigate the vulnerability but your kernel is missing support"
fi
}
########################
# MELTDOWN aka VARIANT 3
check_variant3()
{
_info "\033[1;34mCVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'\033[0m"
if [ "$os" = Linux ]; then
check_variant3_linux
elif echo "$os" | grep -q BSD; then
check_variant3_bsd
else
_warn "Unsupported OS ($os)"
fi
}
check_variant3_linux()
{
status=UNK
sys_interface_available=0
msg=''
@ -1913,13 +2132,13 @@ check_variant3()
dmesg_grep="Kernel/User page tables isolation: enabled"
dmesg_grep="$dmesg_grep|Kernel page table isolation enabled"
dmesg_grep="$dmesg_grep|x86/pti: Unmapping kernel while in userspace"
if grep ^flags /proc/cpuinfo | grep -qw pti; then
if grep ^flags "$procfs/cpuinfo" | grep -qw pti; then
# vanilla PTI patch sets the 'pti' flag in cpuinfo
_debug "kpti_enabled: found 'pti' flag in /proc/cpuinfo"
_debug "kpti_enabled: found 'pti' flag in $procfs/cpuinfo"
kpti_enabled=1
elif grep ^flags /proc/cpuinfo | grep -qw kaiser; then
elif grep ^flags "$procfs/cpuinfo" | grep -qw kaiser; then
# kernel line 4.9 sets the 'kaiser' flag in cpuinfo
_debug "kpti_enabled: found 'kaiser' flag in /proc/cpuinfo"
_debug "kpti_enabled: found 'kaiser' flag in $procfs/cpuinfo"
kpti_enabled=1
elif [ -e /sys/kernel/debug/x86/pti_enabled ]; then
# Red Hat Backport creates a dedicated file, see https://access.redhat.com/articles/3311301
@ -1960,13 +2179,13 @@ check_variant3()
if [ "$opt_verbose" -ge 2 ]; then
_info "* Performance impact if PTI is enabled"
_info_nol " * CPU supports PCID: "
if grep ^flags /proc/cpuinfo | grep -qw pcid; then
if grep ^flags "$procfs/cpuinfo" | grep -qw pcid; then
pstatus green YES 'performance degradation with PTI will be limited'
else
pstatus blue NO 'no security impact but performance will be degraded with PTI'
fi
_info_nol " * CPU supports INVPCID: "
if grep ^flags /proc/cpuinfo | grep -qw invpcid; then
if grep ^flags "$procfs/cpuinfo" | grep -qw invpcid; then
pstatus green YES 'performance degradation with PTI will be limited'
else
pstatus blue NO 'no security impact but performance will be degraded with PTI'
@ -2058,6 +2277,36 @@ check_variant3()
fi
}
check_variant3_bsd()
{
_info_nol "* Kernel supports Page Table Isolation (PTI): "
kpti_enabled=$(sysctl -n vm.pmap.pti 2>/dev/null)
if [ -z "$kpti_enabled" ]; then
pstatus red NO
else
pstatus green YES
fi
_info_nol "* PTI enabled and active: "
if [ "$kpti_enabled" = 1 ]; then
pstatus green YES
else
pstatus red NO
fi
cve='CVE-2017-5754'
if ! is_cpu_vulnerable 3; then
# override status & msg in case CPU is not vulnerable after all
pvulnstatus $cve OK "your CPU vendor reported your CPU model as not vulnerable"
elif [ "$kpti_enabled" = 1 ]; then
pvulnstatus $cve OK "PTI mitigates the vulnerability"
elif [ -n "$kpti_enabled" ]; then
pvulnstatus $cve VULN "PTI is supported but disabled on your system"
else
pvulnstatus $cve VULN "PTI is needed to mitigate the vulnerability"
fi
}
check_cpu
check_cpu_vulnerabilities
_info