rrobgill
1c0f6d9580
cpuid and msr module check
...
This adds a check before loading the cpuid and msr modules under Linux, ensuring they are not unloaded in exit_cleanup() if they were initially present.
2018-05-05 13:00:44 +02:00
Onno Zweers
4acd0f647a
Suggestion to change VM to a CPU with IBRS capability
2018-04-20 20:35:12 +02:00
Stéphane Lesimple
fb52dbe7bf
set master branch to v0.37+
2018-04-20 20:34:42 +02:00
Stéphane Lesimple
edebe4dcd4
bump to v0.37
2018-04-18 23:51:45 +02:00
Stéphane Lesimple
83ea78f523
fix: arm: also detect variant 1 mitigation when using native objdump
2018-04-17 18:50:32 +02:00
Stéphane Lesimple
602b68d493
fix(spectrev2): explain that retpoline is possible for Skylake+ if there is RSB filling, even if IBRS is still better
2018-04-16 09:27:28 +02:00
Stéphane Lesimple
97bccaa0d7
feat: rephrase IBPB warning when only retpoline is enabled in non-paranoid mode
2018-04-16 09:13:25 +02:00
Stéphane Lesimple
68e619b0d3
feat: show RSB filling capability for non-Skylake in verbose mode
2018-04-16 09:08:25 +02:00
Stéphane Lesimple
a6f4475cee
feat: make IBRS_FW blue instead of green
2018-04-16 09:07:54 +02:00
Stéphane Lesimple
223f5028df
feat: add --paranoid to choose whether we require IBPB
2018-04-15 23:05:30 +02:00
Stéphane Lesimple
c0108b9690
fix(spectre2): don't explain how to fix when NOT VULNERABLE
2018-04-15 20:55:55 +02:00
Stéphane Lesimple
a3016134bd
feat: make RSB filling support mandatory for Skylake+ CPUs
2018-04-15 20:55:31 +02:00
Stéphane Lesimple
59d85b39c9
feat: detect RSB filling capability in the kernel
2018-04-15 20:55:01 +02:00
Stéphane Lesimple
baaefb0c31
fix: remove shellcheck warnings
2018-04-11 22:24:03 +02:00
Igor Lubashev
d452aca03a
fix: invalid bash syntax when ibpb_enabled or ibrs_enabled are empty
2018-04-11 10:29:42 +02:00
Stéphane Lesimple
10b8d94724
feat: detect latest Red Hat kernels' RO ibpb_enabled knob
2018-04-10 22:51:45 +02:00
Stéphane Lesimple
8606e60ef7
refactor: no longer display the retpoline-aware compiler test when we can't tell for sure
2018-04-10 22:51:45 +02:00
Stéphane Lesimple
6a48251647
fix: regression in 51aeae25, when retpoline & ibpb are enabled
2018-04-10 22:51:45 +02:00
Stéphane Lesimple
f4bf5e95ec
fix: typos
2018-04-10 22:51:45 +02:00
Stéphane Lesimple
60eac1ad43
feat: also do PTI performance check with (inv)pcid for BSD
2018-04-10 22:51:45 +02:00
Stéphane Lesimple
b3cc06a6ad
fix regression introduced by 82c25dc
2018-04-10 22:51:45 +02:00
Stéphane Lesimple
5553576e31
feat(amd/zen): re-introduce IBRS for AMD except ZEN family
2018-04-10 22:51:45 +02:00
Stéphane Lesimple
e16ad802da
feat(ibpb=2): add detection of SMT before concluding the system is not vulnerable
2018-04-10 22:51:45 +02:00
Stéphane Lesimple
29c294edff
feat(bsd): explain how to mitigate variant2
2018-04-10 22:51:45 +02:00
Stéphane Lesimple
59714011db
refactor: IBRS_ALL & RDCL_NO are Intel-only
2018-04-10 22:51:45 +02:00
Stéphane Lesimple
51e8261a32
refactor: separate hw checks for Intel & AMD
2018-04-10 22:49:28 +02:00
Stéphane Lesimple
2a4bfad835
refactor: add is_amd and is_intel funcs
2018-04-10 22:49:28 +02:00
Stéphane Lesimple
7e52cea66e
feat(spectre2): refined how status of this vuln is decided and more precise explanations on how to fix
2018-04-10 22:49:28 +02:00
Benjamin Bouvier
417d7aab91
Fix trailing whitespace and mixed indent styles;
2018-04-10 22:42:47 +02:00
Sylvestre Ledru
67bf761029
Fix some user facing typos with codespell -w -q3 .
2018-04-08 18:44:13 +02:00
Stéphane Lesimple
0eabd266ad
refactor: decrease default verbosity for some tests
2018-04-05 22:20:16 +02:00
Stéphane Lesimple
b77fb0f226
fix: don't override ibrs/ibpb results with later tests
2018-04-05 22:04:20 +02:00
Stéphane Lesimple
89c2e0fb21
fix(amd): show cpuinfo and ucode details
2018-04-05 21:39:27 +02:00
Stéphane Lesimple
b88f32ed95
feat: print raw cpuid, and fetch ucode version under BSD
2018-04-05 00:07:12 +02:00
Stéphane Lesimple
7a4ebe8009
refactor: rewrite read_cpuid to get more common code parts between BSD and Linux
2018-04-05 00:06:24 +02:00
Stéphane Lesimple
0919f5c236
feat: add explanations of what to do when a vulnerability is not mitigated
2018-04-05 00:03:04 +02:00
Stéphane Lesimple
de02dad909
feat: rework Spectre V2 mitigations detection w/ latest vanilla & Red Hat 7 kernels
2018-04-05 00:01:54 +02:00
Stéphane Lesimple
07484d0ea7
add dump of variables at end of script in debug mode
2018-04-04 23:58:15 +02:00
Stéphane Lesimple
a8b557b9e2
fix(cpu): skip CPU checks if asked to (--no-hw) or if inspecting a kernel of another architecture
2018-04-03 19:36:28 +02:00
Stéphane Lesimple
619b2749d8
fix(sysfs): only check for sysfs for spectre2 when in live mode
2018-04-03 19:32:36 +02:00
Stéphane Lesimple
056ed00baa
feat(arm): detect spectre variant 1 mitigation
2018-04-03 15:52:25 +02:00
Stéphane Lesimple
aef99d20f3
fix(pti): when PTI activation is unknown, don't say we're vulnerable
2018-04-03 12:45:17 +02:00
Stéphane Lesimple
e2d7ed2243
feat(arm): support for variant2 and meltdown mitigation detection
2018-04-01 17:50:18 +02:00
Stéphane Lesimple
eeaeff8ec3
set version to v0.36+ for master branch between releases
2018-04-01 17:45:01 +02:00
Stéphane Lesimple
f5269a362a
feat(bsd): add retpoline detection for BSD
2018-04-01 17:42:29 +02:00
Stéphane Lesimple
f3883a37a0
fix(xen): adjust message for DomUs w/ sysfs
2018-03-31 13:44:04 +02:00
Stéphane Lesimple
b6fd69a022
release: v0.36
2018-03-27 23:08:38 +02:00
Stéphane Lesimple
7adb7661f3
enh: change colors and use red only to report vulnerability
2018-03-25 18:15:08 +02:00
Stéphane Lesimple
aa74315df4
feat: speed up kernel version detection
2018-03-25 13:42:19 +02:00
Stéphane Lesimple
0b8a09ec70
fix: mis adjustments for BSD compat
2018-03-25 13:26:00 +02:00
Stéphane Lesimple
b42d8f2f27
fix(write_msr): use /dev/zero instead of manually echoing zeroes
2018-03-25 12:53:50 +02:00
Stéphane Lesimple
f191ec7884
feat: add --hw-only to only show CPU microcode/cpuid/msr details
2018-03-25 12:48:37 +02:00
Stéphane Lesimple
28da7a0103
misc: message clarifications
2018-03-25 12:48:03 +02:00
Stéphane Lesimple
ece25b98a1
feat: implement support for NetBSD/FreeBSD/DragonFlyBSD
2018-03-25 12:28:02 +02:00
Stéphane Lesimple
889172dbb1
feat: add special extract_vmlinux mode for old RHEL kernels
2018-03-25 11:55:44 +02:00
Stéphane Lesimple
37ce032888
fix: bypass MSR/CPUID checks for non-x86 CPUs
2018-03-25 11:55:44 +02:00
Stéphane Lesimple
701cf882ad
feat: more robust validation of extracted kernel image
2018-03-25 11:55:44 +02:00
Stéphane Lesimple
6a94c3f158
feat(extract_vmlinux): look for ELF magic in decompressed blob and cut at found offset
2018-03-25 11:55:42 +02:00
Stéphane Lesimple
2d993812ab
feat: add --prefix-arch for cross-arch kernel inspection
2018-03-25 11:55:10 +02:00
Stéphane Lesimple
4961f8327f
fix(ucode): fix blacklist detection for some ucode versions
2018-03-19 12:09:39 +01:00
Alex
ecdc448531
Check MSR in each CPU/Thread (#136)
2018-03-17 17:17:15 +01:00
Stéphane Lesimple
12ea49fe0c
fix(kvm): properly detect PVHVM mode (fixes #163)
2018-03-16 18:29:58 +01:00
Stéphane Lesimple
053f1613de
fix(doc): use https:// URLs in the script comment header
2018-03-16 18:24:59 +01:00
Stéphane Lesimple
bda18d04a0
fix: pine64: re-add vmlinuz location and some error checks
2018-03-10 16:02:44 +01:00
Stéphane Lesimple
d5832dc1dc
feat: add ELF magic detection on kernel image blob for some arm64 systems
2018-03-10 14:57:25 +01:00
Stéphane Lesimple
d2f46740e9
feat: enhance kernel image version detection for some old kernels
2018-03-10 14:57:25 +01:00
Sam Morris
2f6a6554a2
Produce output for consumption by prometheus-node-exporter
...
A report of all vulnerable machines to be produced with a query such as:
spexec_vuln_status{status!="OK"}
2018-02-27 11:08:39 +01:00
Stéphane Lesimple
30842dd9c0
release: bump to v0.35
2018-02-16 10:35:49 +01:00
Stéphane Lesimple
b4ac5fcbe3
feat(variant2): better explanation when kernel supports IBRS but CPU does not
2018-02-16 10:34:01 +01:00
Stéphane Lesimple
55a6fd3911
feat(variant1): better detection for Red Hat/Ubuntu patch
2018-02-15 21:19:49 +01:00
Sylvestre Ledru
35c8a63de6
Remove the color in the title
2018-02-15 20:21:00 +01:00
Stéphane Lesimple
5f914e555e
fix(xen): declare Xen's PTI patch as a valid mitigation for variant3
2018-02-14 14:24:55 +01:00
Stéphane Lesimple
66dce2c158
fix(ucode): update blacklisted ucodes list from latest Intel info
2018-02-14 14:14:16 +01:00
Calvin Walton
155cac2102
Teach checker how to find kernels installed by systemd kernel-install
2018-02-10 20:51:33 +01:00
Stéphane Lesimple
22cae605e1
fix(retpoline): remove the "retpoline enabled" test
...
This test worked for some early versions of the retpoline
implementation in vanilla kernels, but the corresponding
flag has been removed from /proc/cpuinfo in latest kernels.
The full information is available in /sys instead, which
was already implemented in the script.
2018-02-09 20:12:33 +01:00
Stéphane Lesimple
eb75e51975
fix(ucode): update list of blacklisted ucodes from 2018-02-08 Intel document
...
Removed 2 ucodes and added 2 other ones
2018-02-09 19:56:27 +01:00
積丹尼 Dan Jacobson
253e180807
Update spectre-meltdown-checker.sh
...
Dots better than colon for indicating waiting.
2018-02-06 19:02:56 +01:00
Stéphane Lesimple
5d6102a00e
enh: show kernel version in offline mode
2018-02-02 11:27:04 +01:00
Stéphane Lesimple
a2dfca671e
feat: detect discrepancy between found kernel image and running kernel
2018-02-02 11:13:54 +01:00
Stéphane Lesimple
36bd80d75f
enh: speedup by not decompressing kernel on --sysfs-only
2018-02-02 11:13:31 +01:00
Stéphane Lesimple
1834dd6201
feat: add skylake era cpu detection routine
2018-02-02 11:12:10 +01:00
Stéphane Lesimple
3d765bc703
enh: lazy loading of cpu information
2018-02-02 11:11:51 +01:00
Stéphane Lesimple
07afd95b63
feat: better cleanup routine on exit & interrupt
2018-02-02 11:09:36 +01:00
Stéphane Lesimple
b7a10126d1
fix: ARM CPU display name & detection
...
Fix ARM CPU display name, and properly
detect known vulnerable ARM CPUs when
multiple different model cores are
present (mostly Android phones)
2018-02-02 11:00:23 +01:00
Stéphane Lesimple
6346a0deaa
fix: --no-color workaround for android's sed
2018-02-02 10:59:49 +01:00
Stéphane Lesimple
8106f91981
release: bump to v0.34
2018-01-31 16:28:54 +01:00
Stéphane Lesimple
b1fdf88f28
enh: display ucode info even when not blacklisted
2018-01-31 16:21:32 +01:00
Stéphane Lesimple
4d29607630
cleanup: shellcheck pass
2018-01-31 16:15:20 +01:00
Stéphane Lesimple
0267659adc
cleanup: remove superseded atom detection code
...
This is now handled properly by checking the CPU
vendor, family, model instead of looking for the
commercial name of the CPU in /proc/cpuinfo
2018-01-31 16:15:20 +01:00
Stéphane Lesimple
247b176882
feat: detect known speculative-execution free CPUs
...
Based on a kernel patch that has been merged to Linus' tree.
Some of the detections we did by grepping the model name
will probably no longer be needed.
2018-01-31 16:15:20 +01:00
Stéphane Lesimple
bcae8824ec
refacto: create a dedicated func to read cpuid bits
2018-01-31 16:15:20 +01:00
Stéphane Lesimple
71e7109c22
refacto: move cpu discovery bits to a dedicated function
2018-01-31 16:15:20 +01:00
Stéphane Lesimple
aa18b51e1c
fix(variant1): smarter lfence check
...
Instead of just counting the number of LFENCE
instructions, now we're only counting those
that directly follow a jump instruction.
2018-01-31 14:34:54 +01:00
Stéphane Lesimple
b738ac4bd7
fix: regression introduced by previous commit
...
449: ./spectre-meltdown-checker.sh: 3: parameter not set
This happened only on blacklisted microcodes, fixed by
adding set +u before the return
2018-01-31 12:13:50 +01:00
Stéphane Lesimple
799ce3eb30
update blacklisted ucode list from kernel source
2018-01-31 11:26:23 +01:00
Stéphane Lesimple
f1e18c136f
doc(disclaimer): Spectre affects all software
...
Add a paragraph in the disclaimer stating that this tool focuses
on the kernel side of things, and that for Spectre, any software
might be vulnerable.
2018-01-30 14:37:52 +01:00
Stéphane Lesimple
e05ec5c85f
feat(variant1): detect vanilla mitigation
...
Implement detection of mitigation for Variant 1 that is
being pushed on vanilla kernel.
Current name of the patch:
"spectre variant1 mitigations for tip/x86/pti" (v6)
Also detect some distros that already backported this
patch without modifying the vulnerabilities sysfs hierarchy.
This detection is more reliable than the LFENCE one, trust
it and skip the LFENCE heuristic if a match is found.
2018-01-30 12:55:34 +01:00
Stéphane Lesimple
6e544d6055
fix(cpu): Pentium Exxxx are vulnerable to Meltdown
2018-01-29 11:18:15 +01:00
Stéphane Lesimple
90a65965ff
adjust: show how to enable IBRS/IBPB in -v only
2018-01-29 11:06:15 +01:00
Stéphane Lesimple
9b53635eda
refacto: fix shellcheck warnings for better compat
...
Now `shellcheck -s sh` no longer shows any warnings.
This should improve compatibility with exotic shells
as long as they're POSIX compliant.
2018-01-29 10:34:08 +01:00