Stéphane Lesimple
d8f0ddd7a5
chore: fix indentation
2020-06-10 00:07:14 +02:00
Agata Gruza
62d3448a54
Added support for SRBDS related vulnerabilities
2020-06-10 00:07:14 +02:00
Stéphane Lesimple
33cf1cde79
enh: arm: add experimental support for binary arm images
2020-06-06 17:29:32 +02:00
Stéphane Lesimple
4a3006e196
fix: arm64: cve-2017-5753: kernels 4.19+ use a different nospec macro
2020-06-06 17:29:32 +02:00
Stéphane Lesimple
36f98eff95
fwdb: update MCEdb to v147 & Intel firmwares to 2020-04-27
2020-05-31 13:03:58 +02:00
xaitax
fa7b8f9567
Typo
2020-05-08 16:17:09 +02:00
Stéphane Lesimple
3beefc2587
enh: rsb filling: no longer need the 'strings' tool to check for kernel support in live mode
2020-03-10 22:29:54 +01:00
Stéphane Lesimple
27c36fdb80
fwdb: update to v135.20200303+i20200205
2020-03-10 22:29:39 +01:00
Matt Christian
3d21dae168
Fixes for FreeBSD to parse CPU info.
2020-02-06 19:56:35 +01:00
Stéphane Lesimple
7d2a510146
chore: update fwdb to v132.20200108+i20191124
2020-02-01 18:58:25 +01:00
Stéphane Lesimple
eec77e1ab9
fix: fwdb update: remove Intel extract tempdir on exit
2019-12-10 20:21:52 +01:00
Stéphane Lesimple
5633d374de
fix: has_vmm: ignore kernel threads when looking for a hypervisor ( fixes #278 )
2019-12-10 19:10:45 +01:00
Stéphane Lesimple
a343bccb49
bump to v0.43
2019-12-08 15:37:17 +01:00
Stéphane Lesimple
1f604c119b
fix var typo
2019-12-08 15:25:54 +01:00
Stéphane Lesimple
bfed3187a6
fix: variant3a: Silvermont CPUs are not vulnerable to variant 3a
2019-12-08 14:39:31 +01:00
Stéphane Lesimple
0cd7e1164f
feat: detect vanilla 5.4+ locked down mode
2019-12-06 23:03:36 +01:00
Stéphane Lesimple
71129d6b48
fix: tsx: rtm feature bit is in EBX(11)
2019-12-02 19:07:10 +01:00
Stéphane Lesimple
6e799e8b01
fix: mcepsc: fix logic error on non-speculative CPUs that prevented detection of MCEPSC immunity
2019-11-25 23:03:04 +01:00
Stéphane Lesimple
4993b04922
fix: taa: CPUs having TAA_NO bit set are not vulnerable
2019-11-25 21:14:54 +01:00
Stéphane Lesimple
4fc2afe1bc
feat: add TSX_CTRL MSR detection in hardware info
2019-11-25 20:58:49 +01:00
Stéphane Lesimple
bd47275501
feat: add detection of iTLB Multihit vuln/mitigation (CVE-2018-12207)
2019-11-25 19:13:09 +01:00
Stéphane Lesimple
8ddf6b2d6d
enh: replace shell wildcard by a find to avoid potential error (list of args too long)
2019-11-24 17:26:13 +01:00
Stéphane Lesimple
16b6490ffc
chore: avoid ${var:-]} syntax, badly confusing vim's syntax highlighter
2019-11-24 17:26:13 +01:00
Stéphane Lesimple
18df38fae6
fix: sgx: on locked down kernels, fallback to CPUID bit for detection
...
on locked down kernels (Fedora / Red Hat feature that prevents writing
to MSRs from userspace, even if root), we can't write to FLUSH_CMD MSR
to verify that it's present. So fallback to checking the existence of
the L1D flush CPUID feature bit to infer that the microcode has been
updated in a recent enough version that also mitigates SGX (fixes for
both issues have been included in the same microcode updates for all
Intel CPUs)
2019-11-24 17:26:01 +01:00
Stéphane Lesimple
a306757c22
fix: detect Red Hat locked down kernels (impacts MSR writes)
2019-11-24 17:26:01 +01:00
Stéphane Lesimple
e01f97ee75
fix: fwdb: don't use local db if it's older than our builtin version
2019-11-24 17:25:41 +01:00
Stéphane Lesimple
fa7f814f4f
chore: rename mcedb cmdline parameters to fwdb
2019-11-24 17:25:41 +01:00
Stéphane Lesimple
bb32a16a86
update fwdb to v130.20191104+i20191027
2019-11-24 17:25:41 +01:00
Stéphane Lesimple
8c84c0ba17
enh: fwdb: use both Intel GitHub repo and MCEdb to build our database
2019-11-24 17:25:41 +01:00
Stéphane Lesimple
6abe1bc62b
enh: kernel decompression: better tolerance over missing tools
...
fixes #297
2019-11-23 16:43:00 +01:00
Stéphane Lesimple
5ca7fe91ff
fix: pteinv: don't check kernel image if not available
2019-11-23 14:01:56 +01:00
Stéphane Lesimple
4ba68fba74
fix: silence useless error from grep ( fixes #322 )
2019-11-23 13:51:00 +01:00
Stéphane Lesimple
59ad312773
fix: msr: fix msr module detection under Ubuntu 19.10 ( fixes #316 )
2019-11-19 22:35:08 +01:00
Stéphane Lesimple
3e757b6177
chore: add github check workflow
2019-11-18 11:28:20 -08:00
Stéphane Lesimple
f724f94085
enh: kernel: autodetect customized arch kernels from cmdline
2019-11-17 13:36:52 -08:00
Stéphane Lesimple
dcf540888d
enh: mock: implement reading from /proc/cmdline
2019-11-17 13:36:52 -08:00
Stéphane Lesimple
9911c243b2
feat: use --live with --kernel/--config/--map to override file detection in live mode
2019-11-17 13:36:52 -08:00
Stéphane Lesimple
cb279a49ec
enh(taa): more complete version
2019-11-13 01:07:10 +01:00
Stéphane Lesimple
c100ce4c0d
mcedb: update from v112 to v130
2019-11-12 21:19:03 +01:00
Stéphane Lesimple
4741b06160
fix: batch mode for TAA
2019-11-12 21:16:21 +01:00
Stéphane Lesimple
e0a1c2ec77
fix shellcheck warnings
2019-11-12 20:06:12 +01:00
Agata Gruza
c18b88d745
Fixing typo
2019-11-12 19:40:47 +01:00
Agata Gruza
d623524342
Added support for TAA related vulnerabilities
2019-11-12 19:40:47 +01:00
Stéphane Lesimple
f5ec320fe5
enh: rework the vuln logic of MDS with --paranoid ( fixes #307 )
2019-09-22 04:02:33 +02:00
Stéphane Lesimple
cc224c0522
fix: mocking value for read_msr
...
we were returning the mocking value before actually setting it.
also remove spaces around the returned value (no behavior change)
2019-09-22 01:38:18 +02:00
Corey Wright
0518604fe6
Use kernel_err to avoid misreporting missing Linux kernel image
...
When checking for CVE-2017-5715 (i.e. `check_CVE_2017_5715_linux()`),
if we can't inspect (with `readelf`) or decompress the Linux kernel
image, then we report there is no kernel image (i.e. `we need the
kernel image` or `kernel image missing`, respectively), which confuses
users when the associated file exists.
Instead use `kernel_err` to provide a correct and detailed description
of the problem (e.g. `missing '...' tool, please install it, usually
it's in the '...' package`), so the user can take the prescribed
action.
2019-09-22 01:09:58 +02:00
Erik Zettel
d57fecec91
spectre-meltdown-checker.sh: fix typos
2019-09-20 23:50:52 +02:00
Stéphane Lesimple
f835f4d07d
Explain that Enhanced IBRS is better for performance than classic IBRS
2019-08-16 12:53:39 +02:00
Agata Gruza
482d6c200a
Enhanced IBRS capabilities
...
There are two flavors of IBRS: plain and enhanced. This patch tells which flavor of IBRS is in use.
2019-08-16 12:53:39 +02:00
David Guglielmi
91d0699029
update MCEdb from v111 to v112
2019-06-03 22:49:03 +02:00
Stéphane Lesimple
fcc4ff4de2
update MCEdb from v110 to v111, bump to v0.42
2019-05-24 22:49:45 +02:00
Stéphane Lesimple
0bd38ddda0
enh: -v -v now implies --dump-mock-data
2019-05-24 11:36:39 +02:00
Stéphane Lesimple
e83dc818cd
feat(mds): implement FreeBSD mitigation detection
2019-05-24 11:17:04 +02:00
Stéphane Lesimple
d69ea67101
feat(mock): add --dump-mock-data
2019-05-24 10:49:40 +02:00
Stéphane Lesimple
dfe0d10f2a
fix(mds): remove useless display of MD_CLEAR info in non-hw section
2019-05-24 10:20:48 +02:00
Stéphane Lesimple
58a5acfdbb
fix(bsd): read_msr returned data in an incorrect format
2019-05-24 09:33:56 +02:00
Stéphane Lesimple
ccb4dbef7c
enh(mock): avoid reading the sysfs interface outside sys_interface_check() for higher mocking coverage
2019-05-24 09:28:18 +02:00
Stéphane Lesimple
afbb26277f
feat(mock): add mocking functionality to help reproducing issues under specific CPUs
2019-05-24 09:28:18 +02:00
Stéphane Lesimple
77b34d48c6
fix(mds): check MDS_NO bit in is_cpu_mds_free()
2019-05-24 09:28:18 +02:00
Stéphane Lesimple
497efe6a82
fix(l1tf): RDCL_NO bit didn't take precedence for vulnerability check on some Intel CPUs
2019-05-24 09:28:18 +02:00
Stéphane Lesimple
62b46df4e7
fix(l1tf): remove libvirtd from hypervisor detection ( #278 )
2019-05-18 14:22:42 +02:00
Stéphane Lesimple
7d1f269bed
fix(mds): AMD confirms they're not vulnerable
2019-05-16 11:31:28 +02:00
Erich Ritz
4f9ca803c8
Fix help text ( #285 )
...
* fix --help message
Commit 7b72c20f89 added help text for the
--cve switch, and the "can be specified multiple times" note got
associated with the --cve switch instead of staying with the --variant
switch. Restore the line to belong to the --variant switch help
message.
* Add new variants to error message
Commit 8e870db4f5 added new variants but
did not add them to the error message that listed the allowable
variants. Add them now.
2019-05-15 19:34:51 +02:00
Stéphane Lesimple
5788cec18b
fix(mds): ARM and CAVIUM are not thought to be vulnerable
2019-05-15 10:56:49 +02:00
Stéphane Lesimple
ae56ec0bc5
bump to v0.41
2019-05-15 09:57:28 +02:00
Stéphane Lesimple
8fd4e3ab01
fix(xen): remove xenbus and xenwatch as they also exist in domU
2019-05-15 00:23:05 +02:00
Stéphane Lesimple
de793a7204
feat(mds): more verbose info about kernel support and microcode support for mitigation
2019-05-15 00:21:08 +02:00
Stéphane Lesimple
5939c38c5c
update mcedb from v109 to v110 to better detect MDS microcodes
2019-05-14 20:31:27 +02:00
Stéphane Lesimple
db7d3206fd
feat(mds): add detection of availability of MD_CLEAR instruction
2019-05-14 20:30:47 +02:00
Stéphane Lesimple
1d13a423b8
adjust README
2019-05-14 20:16:01 +02:00
Agata Gruza
8e870db4f5
Added support for MDS related vulnerabilities ( #282 )
2019-05-14 19:21:20 +02:00
Stéphane Lesimple
d547ce4ab4
fix(ssb): fix error when no process uses prctl to set ssb mitigation
...
fixes #281
2019-05-13 15:35:58 +02:00
Stéphane Lesimple
d187827841
enh(vmm): add Xen daemons detection
2019-05-08 20:44:54 +02:00
Hans-Joachim Kliemeck
2e304ec617
enh(xen): improvements for xen systems ( #270 )
...
* add mitigation detection for l1tf for xen based systems
* add information for hardware mitigation
* add xen support for meltdown
2019-05-07 20:35:52 +02:00
Stéphane Lesimple
fcc04437e8
update builtin MCEdb from v96 to v109
2019-05-07 20:29:59 +02:00
Stéphane Lesimple
d31a9810e6
enhance previous commit logic
2019-05-05 20:09:53 +02:00
Stéphane Lesimple
4edb867def
fix(vmm): revert to checking the running processes to detect a hypervisor
...
More information available on #278
2019-05-05 20:04:25 +02:00
Stéphane Lesimple
1264b1c7a3
chore: more shellcheck 0.6 fixes
2019-05-05 18:34:09 +02:00
Stéphane Lesimple
7beca1ac50
fix: invalid names in json batch mode ( fixes #279 )
2019-05-05 18:15:41 +02:00
David
8ad10e15d3
chore: Comply with Shellcheck SC2209 ( #280 )
2019-05-05 17:31:18 +02:00
Stéphane Lesimple
bfa4de96e6
enh(l1tf): in paranoid mode, assume we're running a hypervisor unless stated otherwise
...
This change ensures we check for SMT and advise the user to disable it for maximum security.
Doing this, we'll help users mitigate a whole range of vulnerabilities taking advantage of SMT to attack purely from userland other userland processes, as seen in CVE-2018-5407 (also see #261 )
2019-04-21 14:05:43 +02:00
Stéphane Lesimple
b022b27a51
feat(ssbd): in live mode, report whether the mitigation is active ( fix #210 )
2019-04-20 20:27:45 +02:00
Dario Faggioli
c4bae6ee6a
IBRS kernel reported active even if sysfs has "IBRS_FW" only ( #275 ) ( #276 )
...
On a (pre-SkyLake) system, where /sys/.../vulnerabilities/spectre_v2 is
"Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, RSB filling"
the tool, incorrectly, reports, a couple of lines above:
* IBRS enabled and active: YES (for kernel and firmware code)
Use '\<IBRS\>', as suggested by @jirislaby, in upstream issue #275
(https://github.com/speed47/spectre-meltdown-checker/issues/275 ) when
checking whether IBRS is enabled/active for the kernel.
With that, the output becomes:
* IBRS enabled and active: YES (for firmware code only)
which is actually the case.
I double checked that, if the same kernel is used on a post-SkyLake
hardware, which on openSUSE uses IBRS as, even with this change, the
tool (this time correctly) reports:
* IBRS enabled and active: YES (for kernel and firmware code)
2019-04-20 14:04:29 +02:00
Stéphane Lesimple
23e7db044e
fix(bsd): load vmm if not already loaded, fixes #274
...
As we read sysctl values under the vmm hierarchy, the module needs to be loaded,
so if not already done, we load it before testing for CVE-2018-3620 and CVE-2018-3646
2019-04-19 19:47:04 +02:00
Stéphane Lesimple
fc4981bb94
update MCEDB from v84 to v96
2019-01-20 19:52:46 +01:00
Dajiang Zhong
419508758e
add spectre and meltdown mitigation technologies checking for Hygon CPU ( #271 )
...
* add spectre and meltdown mitigation technologies checking for Hygon CPU
* update microarchitecture name for Hygon CPU family 24 with moksha
2019-01-20 19:32:36 +01:00
Stéphane Lesimple
d7d2e6934b
fix: typo in bare metal detection ( fixes #269 )
2018-12-12 00:24:17 +01:00
Lily Wilson
904a83c675
Fix Arch kernel image detection ( #268 )
...
currently, the script tries to use the wrong kernel image on Arch if an
alternative kernel (hardened, zen, or lts) is in use. Fortunately, all
the Arch kernel packages place a symlink to the kernel image as /usr/lib/modules/$(uname -r)/vmlinuz, so simply removing the guess for Arch fixes the issue.
2018-12-10 19:36:58 +01:00
Rob Gill
906f54cf9d
Improved hypervisor detection ( #259 )
...
* Code consistency
`opt_batch_format="text"` replaced by `opt_batch_format='text'`
`nrpe_vuln='""` replaced by `nrpe_vuln=''`, as used by other parse options
Redundant `! -z` replaced by `-n`, as used elsewhere
Signed-off-by: Rob Gill <rrobgill@protonmail.com>
* Improved hypervisor detection
Tests for presence of hypervisor flag in /proc/cpuinfo
Tests for evidence of hypervisor in dmesg
Signed-off-by: Rob Gill <rrobgill@protonmail.com>
* formatting fix
Signed-off-by: Rob Gill <rrobgill@protonmail.com>
* Set $l1d_mode to -1 in cases where cpu/vulnerabilities/l1tf is not available
(prevents invalid number error when evaluating [ "$l1d_mode" -ge 1 ])
Signed-off-by: Rob Gill <rrobgill@protonmail.com>
* Update Intel Atom 6 cpu names to align with kernel
Update processor names of atom 6 family processors to align with those from kernel as of October 2018.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/arch/x86/include/asm/intel-family.h?id=f2c4db1bd80720cd8cb2a5aa220d9bc9f374f04e
Update list of known immune processors from
https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/arch/x86/kernel/cpu/common.c?id=f2c4db1bd80720cd8cb2a5aa220d9bc9f374f04e
* Fix unset $l1d_mode
Another instance of unset l1d_mode causing error "./spectre-meltdown-checker.sh: 3867: [: Illegal number:"
* chore: update readme with brief summary of L1tfs
L1tf mitigation and impact details from
https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html and https://blogs.oracle.com/oraclesecurity/intel-l1tf
* typo
2018-12-10 19:33:07 +01:00
Brett T. Warden
c45a06f414
Warn on missing kernel info ( #265 )
...
Missing kernel information can cause all sorts of false positives or
negatives. This is worth at least a warning, and repeating immediately
following the status.
2018-11-25 18:37:03 +01:00
Brett T. Warden
4a6fa070a4
Fix misdetection of files under Clear Linux ( #264 )
2018-11-25 18:14:04 +01:00
Stéphane Lesimple
c705afe764
bump to v0.40
2018-10-03 20:56:46 +02:00
Stanislav Kholmanskikh
401ccd4b14
Correct aarch64 KPTI dmesg message
...
As it's seen in unmap_kernel_at_el0 (both the function definition
and its usage in arm64_features[]) from arch/arm64/kernel/cpufeature.c
the kernel reports this string:
CPU features: detected: Kernel page table isolation (KPTI)
or (before commit e0f6429dc1c0 ("arm64: cpufeature: Remove redundant "feature"
in reports")):
CPU features: detected feature: Kernel page table isolation (KPTI)
if KPTI is enabled on the system.
So let's adjust check_variant3_linux() to make it grep these
strings if executed on an aarch64 platform.
Tested on a Cavium ThunderX2 machine.
Signed-off-by: Stanislav Kholmanskikh <stanislav.kholmanskikh@oracle.com>
2018-10-03 20:49:55 +02:00
Stanislav Kholmanskikh
55120839dd
Fix a typo in check_variant3_linux()
...
Signed-off-by: Stanislav Kholmanskikh <stanislav.kholmanskikh@oracle.com>
2018-10-03 20:49:55 +02:00
Stéphane Lesimple
f5106b3c02
update MCEDB from v83 to v84 (no actual change)
2018-09-30 16:57:35 +02:00
Stéphane Lesimple
68289dae1e
feat: add --update-builtin-mcedb to update the DB inside the script
2018-09-30 16:56:58 +02:00
Stéphane Lesimple
3b2d529654
feat(l1tf): read & report ARCH_CAPABILITIES bit 3 (SKIP_VMENTRY_L1DFLUSH)
2018-09-29 13:16:07 +02:00
Stéphane Lesimple
cbb18cb6b6
fix(l1tf): properly detect status under Red Hat/CentOS kernels
2018-09-29 13:01:13 +02:00
Stéphane Lesimple
299103a3ae
some fixes when script is not started as root
2018-09-29 13:01:13 +02:00
Stéphane Lesimple
dc5402b349
chore: speed optimization of hw check and indentation fixes
2018-09-29 13:01:13 +02:00