Stéphane Lesimple
b2f64e1132
fix README after merge
2018-08-18 12:09:34 +02:00
unrealization
42a3a61f1d
Slightly improved Docker configuration ( #230 )
...
* Listed the required volumes in the Dockerfile.
* Added docker-compose.yml for convenience as users won't need to manually
specify volumes and stuff when running through docker-compose.
Adjusted README.md to reflect this change.
2018-08-18 12:06:16 +02:00
Karsten Weiss
afb36c519d
Fix typo: 'RBS filling' => 'RSB filling' ( #237 )
2018-08-18 12:05:17 +02:00
Stéphane Lesimple
0009c0d473
fix: --batch now implies --no-color to avoid colored warnings
2018-08-18 12:04:18 +02:00
Stéphane Lesimple
dd67fd94d7
feat: add FLUSH_CMD MSR availability detection (part of L1TF mitigation)
2018-08-16 19:05:09 +02:00
Stéphane Lesimple
339ad31757
fix: add missing l1tf CPU vulnerability display in hw section
2018-08-16 15:19:29 +02:00
Stéphane Lesimple
794c5be1d2
feat: add optional git describe support to display inter-release version numbers
2018-08-16 15:18:47 +02:00
Stéphane Lesimple
a7afc585a9
fix several incorrect ucode version numbers
2018-08-16 10:51:55 +02:00
Stéphane Lesimple
fc1dffd09a
feat: implement detection of latest known versions of intel microcodes
2018-08-15 12:53:49 +02:00
Stéphane Lesimple
e942616189
feat: initial support for L1TF
2018-08-15 12:05:08 +02:00
Stéphane Lesimple
360be7b35f
fix: hide arch_capabilities_msr_not_read warning under !intel
2018-08-13 15:42:56 +02:00
Stéphane Lesimple
5f59257826
bump to v0.39
2018-08-13 15:33:03 +02:00
Stéphane Lesimple
92d59cbdc1
chore: adjust some comments, add 2 missing inits
2018-08-11 10:31:10 +02:00
Stéphane Lesimple
4747b932e7
feat: add detection of RSBA feature bit and adjust logic accordingly
2018-08-10 10:26:23 +02:00
Stéphane Lesimple
860023a806
fix: ARCH MSR was not read correctly, preventing proper SSB_NO and RDCL_NO detection
2018-08-10 10:26:23 +02:00
Stéphane Lesimple
ab67a9221d
feat: read/write msr now supports msr-tools or perl as dd fallback
2018-08-10 10:26:23 +02:00
0x9fff00
f4592bf3a8
Add Arch armv5/armv7 kernel image location ( #227 )
2018-08-09 22:13:30 +02:00
Stéphane Lesimple
be15e47671
chore: setting master to v0.38+
2018-08-09 14:25:22 +02:00
Nathan Parsons
d3481d9524
Add support for the kernel being within a btrfs subvolume ( #226 )
...
- /boot may be within a named root subvolume (eg. "/@/boot")
- /boot may be in its own subvolume (eg. "/@boot")
2018-08-09 14:00:35 +02:00
Stéphane Lesimple
21af561148
bump to v0.38
2018-08-07 10:55:50 +02:00
Stéphane Lesimple
cb740397f3
feat(arm32): add spectrev1 mitigation detection
2018-08-07 10:42:03 +02:00
Stéphane Lesimple
84195689af
change: default to --no-explain, use --explain to get detailed mitigation help
2018-08-04 16:31:41 +02:00
Stéphane Lesimple
b637681fa8
fix: debug output: msg inaccuracy for ARM checks
2018-08-04 16:19:54 +02:00
Stéphane Lesimple
9316c30577
fix: armv8: models < 0xd07 are not vulnerable
2018-08-04 16:19:54 +02:00
Lily Wilson
f9dd9d8cb9
add guess for archlinuxarm aarch64 kernel image on raspberry pi 3 ( #222 )
2018-08-01 00:15:52 +02:00
Stéphane Lesimple
0f0d103a89
fix: correctly init capabilities_ssb_no var in all cases
2018-07-26 10:18:14 +02:00
Stéphane Lesimple
b262c40541
fix: remove spurious character after an else statement
2018-07-25 21:55:50 +02:00
Stéphane Lesimple
cc2910fbbc
fix: read_cpuid: don't use iflag=skip_bytes for compat with old dd versions
...
This closes #215 #199 #193
2018-07-23 09:12:30 +02:00
manish jaggi
30c4a1f6d2
arm64: cavium: Add CPU Implementer Cavium ( #216 )
...
This patch adds 0x43 check for cavium implementor id in function
parse_cpu_details. Also adds that Cavium Soc is not vulnerable to variant 3/3a
Signed-off-by: Manish Jaggi <manish.jagg@cavium.com>
2018-07-22 19:06:19 +02:00
Stéphane Lesimple
cf06636a3f
fix: prometheus output: use printf for proper \n interpretation ( #204 )
2018-06-21 23:35:51 +02:00
Stéphane Lesimple
60077c8d12
fix(arm): rewrite vuln logic from latest arm statement for Cortex A8 to A76
2018-06-21 23:24:18 +02:00
Rob Gill
c181978d7c
fix(arm): Updated arm cortex status ( #209 )
...
* Cortex A8 Vulnerable
Arm Cortex A8 is vulnerable to variants 1 & 2 (https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability )
Part number is 0xc08 (https://developer.arm.com/docs/ddi0344/b/system-control-coprocessor/system-control-coprocessorregisters/c0-main-id-register )
False negative reported by @V10lator in #206
* ARM Cortex A12 Vulnerable to 1&2
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
* A76 vulnerable to variant 4
All arch 8 cortex A57-A76 are vulnerable to variant 4.
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
* Whitelist variant4 nonvuln Arms
* ARM Cortex Whitelist & Cumulative Blacklist
Applies all information about vulnerabilities of ARM Cortex processors (from https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability ).
Whitelist & blacklist approach, using both vulnerable and non vulnerable status for each identified CPU, with vulnerabilities tracked cumulatively for multi CPU systems.
2018-06-16 12:14:39 +02:00
Jan
9a6406a9a2
chore: add docker support ( #203 )
2018-06-14 20:25:35 +02:00
Rob Gill
5962d20ba7
fix(variant4): whitelist from common.c::cpu_no_spec_store_bypass ( #202 )
...
* variant4 from common.c::cpu_no_spec_store_bypass
Variant 4 - Add function to 'whitelist' the hand-full of CPUs unaffected by speculative store bypass.
This would allow improved determination of variant 4 status ( #189 ) of immune CPUs while waiting for the 4.17/stable patches to be backported to distro kernels.
Source of cpu list : https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/kernel/cpu/common.c#n945 )
Modeled after is_cpu_specex_free()
* amd families fix
amd families are reported by parse_cpu_details() in decimal
* remove duplicates
Only list processors which speculate and are immune to variant 4.
Avoids duplication with non-speculating CPUs listed in is_cpu_specex_free()
2018-05-27 15:14:29 +02:00
Rob Gill
17a3488505
fix(help): add missing references to variants 3a & 4 ( #201 )
2018-05-24 16:35:57 +02:00
Stéphane Lesimple
e54e8b3e84
chore: remove warning in README, fix display indentation
2018-05-24 16:32:53 +02:00
Stéphane Lesimple
39c778e3ac
fix(amd): AMD families 0x15-0x17 non-arch MSRs are a valid way to control SSB
2018-05-23 23:08:07 +02:00
Stéphane Lesimple
2cde6e4649
feat(ssbd): add detection of proper CPUID bits on AMD
2018-05-23 22:50:52 +02:00
Stéphane Lesimple
f4d51e7e53
fix(variant4): add another detection way for Red Hat kernel
2018-05-23 22:47:54 +02:00
Stéphane Lesimple
85d46b2799
feat(variant4): add more detailed explanations
2018-05-23 21:08:58 +02:00
Stéphane Lesimple
61e02abd0c
feat(variant3a): detect up to date microcode
2018-05-23 21:08:08 +02:00
Stéphane Lesimple
114756fab7
fix(amd): not vulnerable to variant3a
2018-05-23 20:38:43 +02:00
Rob Gill
ea75969eb7
fix(help): Update variant options in usage message ( #200 )
2018-05-22 15:54:25 +02:00
Stéphane Lesimple
ca391cbfc9
fix(variant2): correctly detect IBRS/IBPB in SLES kernels
2018-05-22 12:06:46 +02:00
Stéphane Lesimple
68af5c5f92
feat(variant4): detect SSBD-aware kernel
2018-05-22 12:05:46 +02:00
Stéphane Lesimple
19be8f79eb
doc: update README with some info about variant3 and variant4
2018-05-22 09:43:29 +02:00
Stéphane Lesimple
f75cc0bb6f
feat(variant4): add sysfs mitigation hint and some explanation about the vuln
2018-05-22 09:39:11 +02:00
Stéphane Lesimple
f33d65ff71
feat(variant3a): add information about microcode-sufficient mitigation
2018-05-22 09:38:29 +02:00
Stéphane Lesimple
725eaa8bf5
feat(arm): adjust vulnerable ARM CPUs for variant3a and variant4
2018-05-22 09:19:29 +02:00
Stéphane Lesimple
c6ee0358d1
feat(variant4): report SSB_NO CPUs as not vulnerable
2018-05-22 09:18:30 +02:00