From eee38167579b5ba7909d7a86d9c8845dc7c9e51f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?=
Date: Sun, 20 Mar 2022 13:05:48 +0100
Subject: [PATCH] feat: implement detection for MCEPSC under BSD

---
 spectre-meltdown-checker.sh | 34 ++++++++++++++++++++++++++++++++--
 1 file changed, 32 insertions(+), 2 deletions(-)

diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
index b077319..d45b803 100755
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
@@ -5461,8 +5461,8 @@ check_CVE_2018_12207()
 _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
 if [ "$os" = Linux ]; then
 check_CVE_2018_12207_linux
- #elif echo "$os" | grep -q BSD; then
- # check_CVE_2018_12207_bsd
+ elif echo "$os" | grep -q BSD; then
+ check_CVE_2018_12207_bsd
 else
 _warn "Unsupported OS ($os)"
 fi
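Review bot: The newly enabled `elif echo "$os" | grep -q BSD; then` dispatches every BSD flavour to check_CVE_2018_12207_bsd, yet that function (added in the next hunk) decides purely on `sysctl -n vm.pmap.allow_2m_x_ept`, which appears to be a FreeBSD-specific pmap knob; on a BSD kernel that simply does not expose that sysctl the empty result is reported as VULN with "Your kernel doesn't support mitigating this CVE, you should update it", which is misleading advice rather than a detection result. If `$os` holds the `uname -s` value (it is assigned outside this hunk), narrowing the dispatch to `elif [ "$os" = FreeBSD ]; then` keeps the other BSDs on the existing `_warn "Unsupported OS ($os)"` path, which at least states the truth; if the broad match is deliberate for consistency with the other *_bsd checks, the "update it" wording should instead say the mitigation knob was not found on this kernel. Either way a one-line comment above the elif naming which BSD the check was written against would save the next reader the same question. The enclosing check_CVE_2018_12207 function starts and ends outside the hunk.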
@@ -5538,6 +5538,36 @@ check_CVE_2018_12207_linux()
 fi
 }
+check_CVE_2018_12207_bsd()
+{
+ _info_nol "* Kernel supports disabling superpages for executable mappings under EPT: "
+ kernel_2m_x_ept=$(sysctl -n vm.pmap.allow_2m_x_ept 2>/dev/null)
+ if [ -z "$kernel_2m_x_ept" ]; then
+ pstatus yellow NO
+ else
+ pstatus green YES
+ fi
+
+ _info_nol "* Superpages are disabled for executable mappings under EPT: "
+ if [ "$kernel_2m_x_ept" = 0 ]; then
+ pstatus green YES
+ else
+ pstatus yellow NO
+ fi
+
+ if ! is_cpu_vulnerable "$cve"; then
+ # override status & msg in case CPU is not vulnerable after all
+ pvulnstatus $cve OK "your CPU vendor reported your CPU model as not vulnerable"
+ elif [ -z "$kernel_2m_x_ept" ]; then
+ pvulnstatus $cve VULN "Your kernel doesn't support mitigating this CVE, you should update it"
+ elif [ "$kernel_2m_x_ept" != 0 ]; then
+ pvulnstatus $cve VULN "Your kernel supports mitigating this CVE, but the mitigation is disabled"
+ explain "To enable the mitigation, use \`sysctl vm.pmap.allow_2m_x_ept=0\`"
+ else
+ pvulnstatus $cve OK "Your kernel has support for mitigation and the mitigation is enabled"
+ fi
+}
+
 ###################
 # SRBDS SECTION