1
0
mirror of https://github.com/speed47/spectre-meltdown-checker synced 2025-01-10 13:08:14 +01:00

Compare commits

..

No commits in common. "6e799e8b013c6543c5d1fef3f7d69ce172a9ff52" and "8ddf6b2d6d172fe7d2b1fb451df2d452edb8dbec" have entirely different histories.

3 changed files with 160 additions and 361 deletions

View File

@ -24,7 +24,7 @@ jobs:
fi fi
- name: check direct execution - name: check direct execution
run: | run: |
expected=14 expected=13
nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l) nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l)
if [ "$nb" -ne "$expected" ]; then if [ "$nb" -ne "$expected" ]; then
echo "Invalid number of CVEs reported: $nb instead of $expected" echo "Invalid number of CVEs reported: $nb instead of $expected"
@ -34,7 +34,7 @@ jobs:
fi fi
- name: check docker-compose run execution - name: check docker-compose run execution
run: | run: |
expected=14 expected=13
docker-compose build docker-compose build
nb=$(docker-compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l) nb=$(docker-compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
if [ "$nb" -ne "$expected" ]; then if [ "$nb" -ne "$expected" ]; then
@ -45,7 +45,7 @@ jobs:
fi fi
- name: check docker run execution - name: check docker run execution
run: | run: |
expected=14 expected=13
docker build -t spectre-meltdown-checker . docker build -t spectre-meltdown-checker .
nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l) nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
if [ "$nb" -ne "$expected" ]; then if [ "$nb" -ne "$expected" ]; then

View File

@ -14,8 +14,7 @@ A shell script to tell if your system is vulnerable against the several "specula
- CVE-2018-12130 [microarchitectural fill buffer data sampling (MFBDS)] aka 'ZombieLoad' - CVE-2018-12130 [microarchitectural fill buffer data sampling (MFBDS)] aka 'ZombieLoad'
- CVE-2018-12127 [microarchitectural load port data sampling (MLPDS)] aka 'RIDL' - CVE-2018-12127 [microarchitectural load port data sampling (MLPDS)] aka 'RIDL'
- CVE-2019-11091 [microarchitectural data sampling uncacheable memory (MDSUM)] aka 'RIDL' - CVE-2019-11091 [microarchitectural data sampling uncacheable memory (MDSUM)] aka 'RIDL'
- CVE-2019-11135 [TSX asynchronous abort] aka 'TAA' aka 'ZombieLoad V2' - CVE-2019-11135 [TSX asynchronous abort] aka 'TAA'
- CVE-2018-12207 [machine check exception on page size changes (MCEPSC)] aka 'No eXcuses' aka 'iTLB Multihit'
Supported operating systems: Supported operating systems:
- Linux (all versions, flavors and distros) - Linux (all versions, flavors and distros)
@ -147,18 +146,12 @@ docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/m
- Mitigation: microcode update + kernel update making possible to protect various CPU internal buffers from unprivileged speculative access to data - Mitigation: microcode update + kernel update making possible to protect various CPU internal buffers from unprivileged speculative access to data
- Performance impact of the mitigation: low to significant - Performance impact of the mitigation: low to significant
**CVE-2019-11135** TSX Asynchronous Abort (TAA, ZombieLoad V2) **CVE-2019-11135** TSX Asynchronous Abort (TAA)
- Impact: Kernel - Impact: Kernel
- Mitigation: microcode update + kernel update making possible to protect various CPU internal buffers from unprivileged speculative access to data - Mitigation: microcode update + kernel update making possible to protect various CPU internal buffers from unprivileged speculative access to data
- Performance impact of the mitigation: low to significant - Performance impact of the mitigation: low to significant
**CVE-2018-12207** machine check exception on page size changes (No eXcuses, iTLB Multihit)
- Impact: Virtualization software and Virtual Machine Monitors
- Mitigation: disable hugepages use in hypervisor, or update hypervisor to benefit from mitigation
- Performance impact of the mitigation: low to significant
## Understanding what this script does and doesn't ## Understanding what this script does and doesn't
This tool does its best to determine whether your system is immune (or has proper mitigations in place) for the collectively named "speculative execution" vulnerabilities. It doesn't attempt to run any kind of exploit, and can't guarantee that your system is secure, but rather helps you verifying whether your system has the known correct mitigations in place. This tool does its best to determine whether your system is immune (or has proper mitigations in place) for the collectively named "speculative execution" vulnerabilities. It doesn't attempt to run any kind of exploit, and can't guarantee that your system is secure, but rather helps you verifying whether your system has the known correct mitigations in place.

View File

@ -163,7 +163,7 @@ global_critical=0
global_unknown=0 global_unknown=0
nrpe_vuln='' nrpe_vuln=''
supported_cve_list='CVE-2017-5753 CVE-2017-5715 CVE-2017-5754 CVE-2018-3640 CVE-2018-3639 CVE-2018-3615 CVE-2018-3620 CVE-2018-3646 CVE-2018-12126 CVE-2018-12130 CVE-2018-12127 CVE-2019-11091 CVE-2019-11135 CVE-2018-12207' supported_cve_list='CVE-2017-5753 CVE-2017-5715 CVE-2017-5754 CVE-2018-3640 CVE-2018-3639 CVE-2018-3615 CVE-2018-3620 CVE-2018-3646 CVE-2018-12126 CVE-2018-12130 CVE-2018-12127 CVE-2019-11091 CVE-2019-11135'
# find a sane command to print colored messages, we prefer `printf` over `echo` # find a sane command to print colored messages, we prefer `printf` over `echo`
# because `printf` behavior is more standard across Linux/BSD # because `printf` behavior is more standard across Linux/BSD
@ -285,8 +285,7 @@ cve2name()
CVE-2018-12130) echo "ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)";; CVE-2018-12130) echo "ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)";;
CVE-2018-12127) echo "RIDL, microarchitectural load port data sampling (MLPDS)";; CVE-2018-12127) echo "RIDL, microarchitectural load port data sampling (MLPDS)";;
CVE-2019-11091) echo "RIDL, microarchitectural data sampling uncacheable memory (MDSUM)";; CVE-2019-11091) echo "RIDL, microarchitectural data sampling uncacheable memory (MDSUM)";;
CVE-2019-11135) echo "ZombieLoad V2, TSX Asynchronous Abort (TAA)";; CVE-2019-11135) echo "Transactional Synchronization Extensions (TSX) Asynchronous Abort (TAA)";;
CVE-2018-12207) echo "No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)";;
*) echo "$0: error: invalid CVE '$1' passed to cve2name()" >&2; exit 255;; *) echo "$0: error: invalid CVE '$1' passed to cve2name()" >&2; exit 255;;
esac esac
} }
@ -309,7 +308,6 @@ _is_cpu_vulnerable_cached()
CVE-2018-12127) return $variant_mlpds;; CVE-2018-12127) return $variant_mlpds;;
CVE-2019-11091) return $variant_mdsum;; CVE-2019-11091) return $variant_mdsum;;
CVE-2019-11135) return $variant_taa;; CVE-2019-11135) return $variant_taa;;
CVE-2018-12207) return $variant_itlbmh;;
*) echo "$0: error: invalid variant '$1' passed to is_cpu_vulnerable()" >&2; exit 255;; *) echo "$0: error: invalid variant '$1' passed to is_cpu_vulnerable()" >&2; exit 255;;
esac esac
} }
@ -337,7 +335,6 @@ is_cpu_vulnerable()
variant_mlpds='' variant_mlpds=''
variant_mdsum='' variant_mdsum=''
variant_taa='' variant_taa=''
variant_itlbmh=''
if is_cpu_mds_free; then if is_cpu_mds_free; then
[ -z "$variant_msbds" ] && variant_msbds=immune [ -z "$variant_msbds" ] && variant_msbds=immune
@ -409,25 +406,23 @@ is_cpu_vulnerable()
[ "$cpu_model" = "$INTEL_FAM6_ATOM_BONNELL_MID" ] || \ [ "$cpu_model" = "$INTEL_FAM6_ATOM_BONNELL_MID" ] || \
[ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT" ] || \ [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT" ] || \
[ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_MID" ] || \ [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_MID" ] || \
[ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_D" ] || \ [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_X" ] || \
[ "$cpu_model" = "$INTEL_FAM6_ATOM_AIRMONT" ] || \ [ "$cpu_model" = "$INTEL_FAM6_ATOM_AIRMONT" ] || \
[ "$cpu_model" = "$INTEL_FAM6_ATOM_AIRMONT_MID" ] || \ [ "$cpu_model" = "$INTEL_FAM6_ATOM_AIRMONT_MID" ] || \
[ "$cpu_model" = "$INTEL_FAM6_ATOM_AIRMONT_NP" ] || \
[ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT" ] || \ [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT" ] || \
[ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_D" ] || \ [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_X" ] || \
[ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_PLUS" ] || \ [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_PLUS" ] || \
[ "$cpu_model" = "$INTEL_FAM6_ATOM_TREMONT_D" ] || \
[ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNL" ] || \ [ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNL" ] || \
[ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNM" ]; then [ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNM" ]; then
_debug "is_cpu_vulnerable: intel family 6 but model known to be immune to l1tf" _debug "is_cpu_vulnerable: intel family 6 but model known to be immune"
[ -z "$variantl1tf" ] && variantl1tf=immune [ -z "$variantl1tf" ] && variantl1tf=immune
else else
_debug "is_cpu_vulnerable: intel family 6 is vuln to l1tf" _debug "is_cpu_vulnerable: intel family 6 is vuln"
variantl1tf=vuln [ -z "$variantl1tf" ] && variantl1tf=vuln
fi fi
elif [ "$cpu_family" -lt 6 ]; then elif [ "$cpu_family" -lt 6 ]; then
_debug "is_cpu_vulnerable: intel family < 6 is immune to l1tf" _debug "is_cpu_vulnerable: intel family < 6 is immune"
[ -z "$variantl1tf" ] && variantl1tf=immune [ -z "$variantl1tf" ] && variantl1tf=immune
fi fi
elif is_amd || is_hygon; then elif is_amd || is_hygon; then
@ -537,54 +532,18 @@ is_cpu_vulnerable()
done done
variantl1tf=immune variantl1tf=immune
fi fi
# we handle iTLB Multihit here (not linked to is_specex_free)
if is_intel; then
# commit f9aa6b73a407b714c9aac44734eb4045c893c6f7
if [ "$cpu_family" = 6 ]; then
if [ "$cpu_model" = "$INTEL_FAM6_ATOM_SALTWELL" ] || \
[ "$cpu_model" = "$INTEL_FAM6_ATOM_SALTWELL_TABLET" ] || \
[ "$cpu_model" = "$INTEL_FAM6_ATOM_SALTWELL_MID" ] || \
[ "$cpu_model" = "$INTEL_FAM6_ATOM_BONNELL" ] || \
[ "$cpu_model" = "$INTEL_FAM6_ATOM_BONNELL_MID" ] || \
[ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT" ] || \
[ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_D" ] || \
[ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_MID" ] || \
[ "$cpu_model" = "$INTEL_FAM6_ATOM_AIRMONT" ] || \
[ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNL" ] || \
[ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNM" ] || \
[ "$cpu_model" = "$INTEL_FAM6_ATOM_AIRMONT_MID" ] || \
[ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT" ] || \
[ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_D" ] || \
[ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_PLUS" ]; then
_debug "is_cpu_vulnerable: intel family 6 but model known to be immune to itlbmh"
[ -z "$variant_itlbmh" ] && variant_itlbmh=immune
else
_debug "is_cpu_vulnerable: intel family 6 is vuln to itlbmh"
variant_itlbmh=vuln
fi
elif [ "$cpu_family" -lt 6 ]; then
_debug "is_cpu_vulnerable: intel family < 6 is immune to itlbmh"
[ -z "$variant_itlbmh" ] && variant_itlbmh=immune
fi
else
_debug "is_cpu_vulnerable: non-intel not vulnerable to itlbmh"
[ -z "$variant_itlbmh" ] && variant_itlbmh=immune
fi
_debug "is_cpu_vulnerable: temp results are <$variant1> <$variant2> <$variant3> <$variant3a> <$variant4> <$variantl1tf>" _debug "is_cpu_vulnerable: temp results are <$variant1> <$variant2> <$variant3> <$variant3a> <$variant4> <$variantl1tf>"
[ "$variant1" = "immune" ] && variant1=1 || variant1=0 [ "$variant1" = "immune" ] && variant1=1 || variant1=0
[ "$variant2" = "immune" ] && variant2=1 || variant2=0 [ "$variant2" = "immune" ] && variant2=1 || variant2=0
[ "$variant3" = "immune" ] && variant3=1 || variant3=0 [ "$variant3" = "immune" ] && variant3=1 || variant3=0
[ "$variant3a" = "immune" ] && variant3a=1 || variant3a=0 [ "$variant3a" = "immune" ] && variant3a=1 || variant3a=0
[ "$variant4" = "immune" ] && variant4=1 || variant4=0 [ "$variant4" = "immune" ] && variant4=1 || variant4=0
[ "$variantl1tf" = "immune" ] && variantl1tf=1 || variantl1tf=0 [ "$variantl1tf" = "immune" ] && variantl1tf=1 || variantl1tf=0
[ "$variant_msbds" = "immune" ] && variant_msbds=1 || variant_msbds=0 [ "$variant_msbds" = "immune" ] && variant_msbds=1 || variant_msbds=0
[ "$variant_mfbds" = "immune" ] && variant_mfbds=1 || variant_mfbds=0 [ "$variant_mfbds" = "immune" ] && variant_mfbds=1 || variant_mfbds=0
[ "$variant_mlpds" = "immune" ] && variant_mlpds=1 || variant_mlpds=0 [ "$variant_mlpds" = "immune" ] && variant_mlpds=1 || variant_mlpds=0
[ "$variant_mdsum" = "immune" ] && variant_mdsum=1 || variant_mdsum=0 [ "$variant_mdsum" = "immune" ] && variant_mdsum=1 || variant_mdsum=0
[ "$variant_taa" = "immune" ] && variant_taa=1 || variant_taa=0 [ "$variant_taa" = "immune" ] && variant_taa=1 || variant_taa=0
[ "$variant_itlbmh" = "immune" ] && variant_itlbmh=1 || variant_itlbmh=0
variantl1tf_sgx="$variantl1tf" variantl1tf_sgx="$variantl1tf"
# even if we are vulnerable to L1TF, if there's no SGX, we're safe for the original foreshadow # even if we are vulnerable to L1TF, if there's no SGX, we're safe for the original foreshadow
[ "$cpuid_sgx" = 0 ] && variantl1tf_sgx=1 [ "$cpuid_sgx" = 0 ] && variantl1tf_sgx=1
@ -649,7 +608,7 @@ is_cpu_mds_free()
if is_intel; then if is_intel; then
if [ "$cpu_family" = 6 ]; then if [ "$cpu_family" = 6 ]; then
if [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT" ] || \ if [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT" ] || \
[ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_D" ] || \ [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_X" ] || \
[ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_PLUS" ]; then [ "$cpu_model" = "$INTEL_FAM6_ATOM_GOLDMONT_PLUS" ]; then
return 0 return 0
fi fi
@ -686,7 +645,7 @@ is_cpu_taa_free()
if ! is_intel; then if ! is_intel; then
return 0 return 0
# is intel # is intel
elif [ "$capabilities_taa_no" = 1 ] || [ "$cpuid_rtm" = 0 ]; then elif [ "$capabilities_taa_no" = 0 ] || [ "$cpuid_rtm" = 0 ]; then
return 0 return 0
fi fi
@ -716,7 +675,7 @@ is_cpu_ssb_free()
if [ "$cpu_family" = 6 ]; then if [ "$cpu_family" = 6 ]; then
if [ "$cpu_model" = "$INTEL_FAM6_ATOM_AIRMONT" ] || \ if [ "$cpu_model" = "$INTEL_FAM6_ATOM_AIRMONT" ] || \
[ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT" ] || \ [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT" ] || \
[ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_D" ] || \ [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_X" ] || \
[ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_MID" ]; then [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_MID" ]; then
return 0 return 0
elif [ "$cpu_model" = "$INTEL_FAM6_CORE_YONAH" ] || \ elif [ "$cpu_model" = "$INTEL_FAM6_CORE_YONAH" ] || \
@ -1118,7 +1077,6 @@ pvulnstatus()
CVE-2018-12127) aka="MLPDS";; CVE-2018-12127) aka="MLPDS";;
CVE-2019-11091) aka="MDSUM";; CVE-2019-11091) aka="MDSUM";;
CVE-2019-11135) aka="TAA";; CVE-2019-11135) aka="TAA";;
CVE-2018-12207) aka="ITLBMH";;
*) echo "$0: error: invalid CVE '$1' passed to pvulnstatus()" >&2; exit 255;; *) echo "$0: error: invalid CVE '$1' passed to pvulnstatus()" >&2; exit 255;;
esac esac
@ -1555,68 +1513,66 @@ parse_cpu_details()
ucode_found=$(printf "model 0x%x family 0x%x stepping 0x%x ucode 0x%x cpuid 0x%x" "$cpu_model" "$cpu_family" "$cpu_stepping" "$cpu_ucode" "$cpu_cpuid") ucode_found=$(printf "model 0x%x family 0x%x stepping 0x%x ucode 0x%x cpuid 0x%x" "$cpu_model" "$cpu_family" "$cpu_stepping" "$cpu_ucode" "$cpu_cpuid")
# also define those that we will need in other funcs # also define those that we will need in other funcs
# taken from https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/include/asm/intel-family.h # taken from ttps://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/include/asm/intel-family.h
# curl -s 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/arch/x86/include/asm/intel-family.h' | awk '/#define INTEL_FAM6/ {print $2"=$(( "$3" )) # "$4,$5,$6,$7,$8,$9}'
# shellcheck disable=SC2034 # shellcheck disable=SC2034
{ {
INTEL_FAM6_CORE_YONAH=$(( 0x0E )) #
INTEL_FAM6_CORE2_MEROM=$(( 0x0F )) #
INTEL_FAM6_CORE2_MEROM_L=$(( 0x16 )) #
INTEL_FAM6_CORE2_PENRYN=$(( 0x17 )) #
INTEL_FAM6_CORE2_DUNNINGTON=$(( 0x1D )) #
INTEL_FAM6_NEHALEM=$(( 0x1E )) #
INTEL_FAM6_NEHALEM_G=$(( 0x1F )) # /* Auburndale / Havendale */
INTEL_FAM6_NEHALEM_EP=$(( 0x1A )) #
INTEL_FAM6_NEHALEM_EX=$(( 0x2E )) #
INTEL_FAM6_WESTMERE=$(( 0x25 )) #
INTEL_FAM6_WESTMERE_EP=$(( 0x2C )) #
INTEL_FAM6_WESTMERE_EX=$(( 0x2F )) #
INTEL_FAM6_SANDYBRIDGE=$(( 0x2A )) #
INTEL_FAM6_SANDYBRIDGE_X=$(( 0x2D )) #
INTEL_FAM6_IVYBRIDGE=$(( 0x3A )) #
INTEL_FAM6_IVYBRIDGE_X=$(( 0x3E )) #
INTEL_FAM6_HASWELL=$(( 0x3C )) #
INTEL_FAM6_HASWELL_X=$(( 0x3F )) #
INTEL_FAM6_HASWELL_L=$(( 0x45 )) #
INTEL_FAM6_HASWELL_G=$(( 0x46 )) #
INTEL_FAM6_BROADWELL=$(( 0x3D )) #
INTEL_FAM6_BROADWELL_G=$(( 0x47 )) #
INTEL_FAM6_BROADWELL_X=$(( 0x4F )) #
INTEL_FAM6_BROADWELL_D=$(( 0x56 )) #
INTEL_FAM6_SKYLAKE_L=$(( 0x4E )) #
INTEL_FAM6_SKYLAKE=$(( 0x5E )) #
INTEL_FAM6_SKYLAKE_X=$(( 0x55 )) #
INTEL_FAM6_KABYLAKE_L=$(( 0x8E )) #
INTEL_FAM6_KABYLAKE=$(( 0x9E )) #
INTEL_FAM6_CANNONLAKE_L=$(( 0x66 )) #
INTEL_FAM6_ICELAKE_X=$(( 0x6A )) #
INTEL_FAM6_ICELAKE_D=$(( 0x6C )) #
INTEL_FAM6_ICELAKE=$(( 0x7D )) #
INTEL_FAM6_ICELAKE_L=$(( 0x7E )) #
INTEL_FAM6_ICELAKE_NNPI=$(( 0x9D )) #
INTEL_FAM6_TIGERLAKE_L=$(( 0x8C )) #
INTEL_FAM6_TIGERLAKE=$(( 0x8D )) #
INTEL_FAM6_COMETLAKE=$(( 0xA5 )) #
INTEL_FAM6_COMETLAKE_L=$(( 0xA6 )) #
INTEL_FAM6_ATOM_BONNELL=$(( 0x1C )) # /* Diamondville, Pineview */
INTEL_FAM6_ATOM_BONNELL_MID=$(( 0x26 )) # /* Silverthorne, Lincroft */
INTEL_FAM6_ATOM_SALTWELL=$(( 0x36 )) # /* Cedarview */
INTEL_FAM6_ATOM_SALTWELL_MID=$(( 0x27 )) # /* Penwell */
INTEL_FAM6_ATOM_SALTWELL_TABLET=$(( 0x35 )) # /* Cloverview */
INTEL_FAM6_ATOM_SILVERMONT=$(( 0x37 )) # /* Bay Trail, Valleyview */
INTEL_FAM6_ATOM_SILVERMONT_D=$(( 0x4D )) # /* Avaton, Rangely */
INTEL_FAM6_ATOM_SILVERMONT_MID=$(( 0x4A )) # /* Merriefield */
INTEL_FAM6_ATOM_AIRMONT=$(( 0x4C )) # /* Cherry Trail, Braswell */
INTEL_FAM6_ATOM_AIRMONT_MID=$(( 0x5A )) # /* Moorefield */
INTEL_FAM6_ATOM_AIRMONT_NP=$(( 0x75 )) # /* Lightning Mountain */
INTEL_FAM6_ATOM_GOLDMONT=$(( 0x5C )) # /* Apollo Lake */
INTEL_FAM6_ATOM_GOLDMONT_D=$(( 0x5F )) # /* Denverton */
INTEL_FAM6_ATOM_GOLDMONT_PLUS=$(( 0x7A )) # /* Gemini Lake */
INTEL_FAM6_ATOM_TREMONT_D=$(( 0x86 )) # /* Jacobsville */
INTEL_FAM6_ATOM_TREMONT=$(( 0x96 )) # /* Elkhart Lake */
INTEL_FAM6_XEON_PHI_KNL=$(( 0x57 )) # /* Knights Landing */
INTEL_FAM6_XEON_PHI_KNM=$(( 0x85 )) # /* Knights Mill */
INTEL_FAM6_CORE_YONAH=$(( 0x0E )) INTEL_FAM6_CORE_YONAH=$(( 0x0E ))
INTEL_FAM6_CORE2_MEROM=$(( 0x0F ))
INTEL_FAM6_CORE2_MEROM_L=$(( 0x16 ))
INTEL_FAM6_CORE2_PENRYN=$(( 0x17 ))
INTEL_FAM6_CORE2_DUNNINGTON=$(( 0x1D ))
INTEL_FAM6_NEHALEM=$(( 0x1E ))
INTEL_FAM6_NEHALEM_G=$(( 0x1F ))
INTEL_FAM6_NEHALEM_EP=$(( 0x1A ))
INTEL_FAM6_NEHALEM_EX=$(( 0x2E ))
INTEL_FAM6_WESTMERE=$(( 0x25 ))
INTEL_FAM6_WESTMERE_EP=$(( 0x2C ))
INTEL_FAM6_WESTMERE_EX=$(( 0x2F ))
INTEL_FAM6_SANDYBRIDGE=$(( 0x2A ))
INTEL_FAM6_SANDYBRIDGE_X=$(( 0x2D ))
INTEL_FAM6_IVYBRIDGE=$(( 0x3A ))
INTEL_FAM6_IVYBRIDGE_X=$(( 0x3E ))
INTEL_FAM6_HASWELL_CORE=$(( 0x3C ))
INTEL_FAM6_HASWELL_X=$(( 0x3F ))
INTEL_FAM6_HASWELL_ULT=$(( 0x45 ))
INTEL_FAM6_HASWELL_GT3E=$(( 0x46 ))
INTEL_FAM6_BROADWELL_CORE=$(( 0x3D ))
INTEL_FAM6_BROADWELL_GT3E=$(( 0x47 ))
INTEL_FAM6_BROADWELL_X=$(( 0x4F ))
INTEL_FAM6_BROADWELL_XEON_D=$(( 0x56 ))
INTEL_FAM6_SKYLAKE_MOBILE=$(( 0x4E ))
INTEL_FAM6_SKYLAKE_DESKTOP=$(( 0x5E ))
INTEL_FAM6_SKYLAKE_X=$(( 0x55 ))
INTEL_FAM6_KABYLAKE_MOBILE=$(( 0x8E ))
INTEL_FAM6_KABYLAKE_DESKTOP=$(( 0x9E ))
# /* "Small Core" Processors (Atom) */
INTEL_FAM6_ATOM_BONNELL=$(( 0x1C ))
INTEL_FAM6_ATOM_BONNELL_MID=$(( 0x26 ))
INTEL_FAM6_ATOM_SALTWELL_MID=$(( 0x27 ))
INTEL_FAM6_ATOM_SALTWELL_TABLET=$(( 0x35 ))
INTEL_FAM6_ATOM_SALTWELL=$(( 0x36 ))
INTEL_FAM6_ATOM_SILVERMONT=$(( 0x37 ))
INTEL_FAM6_ATOM_SILVERMONT_MID=$(( 0x4A ))
INTEL_FAM6_ATOM_SILVERMONT_X=$(( 0x4D ))
INTEL_FAM6_ATOM_AIRMONT=$(( 0x4C ))
INTEL_FAM6_ATOM_AIRMONT_MID=$(( 0x5A ))
INTEL_FAM6_ATOM_GOLDMONT=$(( 0x5C ))
INTEL_FAM6_ATOM_GOLDMONT_X=$(( 0x5F ))
INTEL_FAM6_ATOM_GOLDMONT_PLUS=$(( 0x7A ))
# /* Xeon Phi */
INTEL_FAM6_XEON_PHI_KNL=$(( 0x57 ))
INTEL_FAM6_XEON_PHI_KNM=$(( 0x85 ))
} }
parse_cpu_details_done=1 parse_cpu_details_done=1
} }
@ -1683,7 +1639,7 @@ is_ucode_blacklisted()
$INTEL_FAM6_BROADWELL_XEON_D,0x03,0x07000011 \ $INTEL_FAM6_BROADWELL_XEON_D,0x03,0x07000011 \
$INTEL_FAM6_BROADWELL_X,0x01,0x0b000023 \ $INTEL_FAM6_BROADWELL_X,0x01,0x0b000023 \
$INTEL_FAM6_BROADWELL_X,0x01,0x0b000025 \ $INTEL_FAM6_BROADWELL_X,0x01,0x0b000025 \
$INTEL_FAM6_HASWELL_L,0x01,0x21 \ $INTEL_FAM6_HASWELL_ULT,0x01,0x21 \
$INTEL_FAM6_HASWELL_GT3E,0x01,0x18 \ $INTEL_FAM6_HASWELL_GT3E,0x01,0x18 \
$INTEL_FAM6_HASWELL_CORE,0x03,0x23 \ $INTEL_FAM6_HASWELL_CORE,0x03,0x23 \
$INTEL_FAM6_HASWELL_X,0x02,0x3b \ $INTEL_FAM6_HASWELL_X,0x02,0x3b \
@ -1692,10 +1648,10 @@ is_ucode_blacklisted()
$INTEL_FAM6_SANDYBRIDGE_X,0x06,0x61b \ $INTEL_FAM6_SANDYBRIDGE_X,0x06,0x61b \
$INTEL_FAM6_SANDYBRIDGE_X,0x07,0x712 $INTEL_FAM6_SANDYBRIDGE_X,0x07,0x712
do do
model=$(echo "$tuple" | cut -d, -f1) model=$(echo $tuple | cut -d, -f1)
stepping=$(( $(echo "$tuple" | cut -d, -f2) )) stepping=$(( $(echo $tuple | cut -d, -f2) ))
if [ "$cpu_model" = "$model" ] && [ "$cpu_stepping" = "$stepping" ]; then if [ "$cpu_model" = "$model" ] && [ "$cpu_stepping" = "$stepping" ]; then
ucode=$(( $(echo "$tuple" | cut -d, -f3) )) ucode=$(( $(echo $tuple | cut -d, -f3) ))
if [ "$cpu_ucode" = "$ucode" ]; then if [ "$cpu_ucode" = "$ucode" ]; then
_debug "is_ucode_blacklisted: we have a match! ($cpu_model/$cpu_stepping/$cpu_ucode)" _debug "is_ucode_blacklisted: we have a match! ($cpu_model/$cpu_stepping/$cpu_ucode)"
return 0 return 0
@ -1722,11 +1678,11 @@ is_skylake_cpu()
parse_cpu_details parse_cpu_details
is_intel || return 1 is_intel || return 1
[ "$cpu_family" = 6 ] || return 1 [ "$cpu_family" = 6 ] || return 1
if [ "$cpu_model" = $INTEL_FAM6_SKYLAKE_L ] || \ if [ "$cpu_model" = $INTEL_FAM6_SKYLAKE_MOBILE ] || \
[ "$cpu_model" = $INTEL_FAM6_SKYLAKE ] || \ [ "$cpu_model" = $INTEL_FAM6_SKYLAKE_DESKTOP ] || \
[ "$cpu_model" = $INTEL_FAM6_SKYLAKE_X ] || \ [ "$cpu_model" = $INTEL_FAM6_SKYLAKE_X ] || \
[ "$cpu_model" = $INTEL_FAM6_KABYLAKE_L ] || \ [ "$cpu_model" = $INTEL_FAM6_KABYLAKE_MOBILE ] || \
[ "$cpu_model" = $INTEL_FAM6_KABYLAKE ]; then [ "$cpu_model" = $INTEL_FAM6_KABYLAKE_DESKTOP ]; then
return 0 return 0
fi fi
return 1 return 1
@ -2182,7 +2138,7 @@ sys_interface_check()
# Not affected # Not affected
status=OK status=OK
pstatus green YES "$fullmsg" pstatus green YES "$fullmsg"
elif echo "$msg" | grep -qEi '^(kvm: )?mitigation'; then elif echo "$msg" | grep -qi '^mitigation'; then
# Mitigation: PTI # Mitigation: PTI
status=OK status=OK
pstatus green YES "$fullmsg" pstatus green YES "$fullmsg"
@ -2323,15 +2279,15 @@ read_msr()
return 200 # permission error return 200 # permission error
# if rdmsr is available, use it # if rdmsr is available, use it
elif command -v rdmsr >/dev/null 2>&1 && [ "$SMC_NO_RDMSR" != 1 ]; then elif command -v rdmsr >/dev/null 2>&1 && [ "$SMC_NO_RDMSR" != 1 ]; then
_debug "read_msr: using rdmsr on $_msr" _debug "read_msr: using rdmsr"
read_msr_value=$(rdmsr -r $_msr_dec 2>/dev/null | od -t u8 -A n) read_msr_value=$(rdmsr -r $_msr_dec 2>/dev/null | od -t u8 -A n)
# or if we have perl, use it, any 5.x version will work # or if we have perl, use it, any 5.x version will work
elif command -v perl >/dev/null 2>&1 && [ "$SMC_NO_PERL" != 1 ]; then elif command -v perl >/dev/null 2>&1 && [ "$SMC_NO_PERL" != 1 ]; then
_debug "read_msr: using perl on $_msr" _debug "read_msr: using perl"
read_msr_value=$(perl -e "open(M,'<','/dev/cpu/$_cpu/msr') and seek(M,$_msr_dec,0) and read(M,\$_,8) and print" | od -t u8 -A n) read_msr_value=$(perl -e "open(M,'<','/dev/cpu/$_cpu/msr') and seek(M,$_msr_dec,0) and read(M,\$_,8) and print" | od -t u8 -A n)
# fallback to dd if it supports skip_bytes # fallback to dd if it supports skip_bytes
elif dd if=/dev/null of=/dev/null bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then elif dd if=/dev/null of=/dev/null bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then
_debug "read_msr: using dd on $_msr" _debug "read_msr: using dd"
read_msr_value=$(dd if=/dev/cpu/"$_cpu"/msr bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null | od -t u8 -A n) read_msr_value=$(dd if=/dev/cpu/"$_cpu"/msr bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null | od -t u8 -A n)
else else
_debug "read_msr: got no rdmsr, perl or recent enough dd!" _debug "read_msr: got no rdmsr, perl or recent enough dd!"
@ -2713,6 +2669,22 @@ check_cpu()
fi fi
fi fi
if is_intel; then
_info " * TSX Asynchronous Abort"
_info_nol " * TSX support is available: "
read_cpuid 0x7 $EDX 11 1 1; ret=$?
if [ $ret -eq 0 ]; then
cpuid_rtm=1
pstatus green YES "TSX RTM feature bit"
elif [ $ret -eq 2 ]; then
cpuid_rtm=-1
pstatus yellow UNKNOWN "is cpuid kernel module available?"
else
cpuid_rtm=0
pstatus yellow NO
fi
fi
if is_intel; then if is_intel; then
_info " * Enhanced IBRS (IBRS_ALL)" _info " * Enhanced IBRS (IBRS_ALL)"
_info_nol " * CPU indicates ARCH_CAPABILITIES MSR availability: " _info_nol " * CPU indicates ARCH_CAPABILITIES MSR availability: "
@ -2737,8 +2709,6 @@ check_cpu()
capabilities_rsba=-1 capabilities_rsba=-1
capabilities_l1dflush_no=-1 capabilities_l1dflush_no=-1
capabilities_ssb_no=-1 capabilities_ssb_no=-1
capabilities_pschange_msc_no=-1
capabilities_tsx_ctrl_msr=-1
if [ "$cpuid_arch_capabilities" = -1 ]; then if [ "$cpuid_arch_capabilities" = -1 ]; then
pstatus yellow UNKNOWN pstatus yellow UNKNOWN
elif [ "$cpuid_arch_capabilities" != 1 ]; then elif [ "$cpuid_arch_capabilities" != 1 ]; then
@ -2749,8 +2719,6 @@ check_cpu()
capabilities_rsba=0 capabilities_rsba=0
capabilities_l1dflush_no=0 capabilities_l1dflush_no=0
capabilities_ssb_no=0 capabilities_ssb_no=0
capabilities_pschange_msc_no=0
capabilities_tsx_ctrl_msr=0
pstatus yellow NO pstatus yellow NO
elif [ ! -e /dev/cpu/0/msr ] && [ ! -e /dev/cpuctl0 ]; then elif [ ! -e /dev/cpu/0/msr ] && [ ! -e /dev/cpuctl0 ]; then
spec_ctrl_msr=-1 spec_ctrl_msr=-1
@ -2784,10 +2752,7 @@ check_cpu()
capabilities_rsba=0 capabilities_rsba=0
capabilities_l1dflush_no=0 capabilities_l1dflush_no=0
capabilities_ssb_no=0 capabilities_ssb_no=0
capabilities_pschange_msc_no=0
capabilities_tsx_ctrl_msr=0
if [ $val -eq 0 ]; then if [ $val -eq 0 ]; then
# https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/arch/x86/include/asm/msr-index.h#n82
_debug "capabilities MSR is $capabilities (decimal)" _debug "capabilities MSR is $capabilities (decimal)"
[ $(( capabilities >> 0 & 1 )) -eq 1 ] && capabilities_rdcl_no=1 [ $(( capabilities >> 0 & 1 )) -eq 1 ] && capabilities_rdcl_no=1
[ $(( capabilities >> 1 & 1 )) -eq 1 ] && capabilities_ibrs_all=1 [ $(( capabilities >> 1 & 1 )) -eq 1 ] && capabilities_ibrs_all=1
@ -2795,10 +2760,8 @@ check_cpu()
[ $(( capabilities >> 3 & 1 )) -eq 1 ] && capabilities_l1dflush_no=1 [ $(( capabilities >> 3 & 1 )) -eq 1 ] && capabilities_l1dflush_no=1
[ $(( capabilities >> 4 & 1 )) -eq 1 ] && capabilities_ssb_no=1 [ $(( capabilities >> 4 & 1 )) -eq 1 ] && capabilities_ssb_no=1
[ $(( capabilities >> 5 & 1 )) -eq 1 ] && capabilities_mds_no=1 [ $(( capabilities >> 5 & 1 )) -eq 1 ] && capabilities_mds_no=1
[ $(( capabilities >> 6 & 1 )) -eq 1 ] && capabilities_pschange_msc_no=1
[ $(( capabilities >> 7 & 1 )) -eq 1 ] && capabilities_tsx_ctrl_msr=1
[ $(( capabilities >> 8 & 1 )) -eq 1 ] && capabilities_taa_no=1 [ $(( capabilities >> 8 & 1 )) -eq 1 ] && capabilities_taa_no=1
_debug "capabilities says rdcl_no=$capabilities_rdcl_no ibrs_all=$capabilities_ibrs_all rsba=$capabilities_rsba l1dflush_no=$capabilities_l1dflush_no ssb_no=$capabilities_ssb_no mds_no=$capabilities_mds_no taa_no=$capabilities_taa_no pschange_msc_no=$capabilities_pschange_msc_no" _debug "capabilities says rdcl_no=$capabilities_rdcl_no ibrs_all=$capabilities_ibrs_all rsba=$capabilities_rsba l1dflush_no=$capabilities_l1dflush_no ssb_no=$capabilities_ssb_no mds_no=$capabilities_mds_no taa_no=$capabilities_taa_no"
if [ "$capabilities_ibrs_all" = 1 ]; then if [ "$capabilities_ibrs_all" = 1 ]; then
if [ $cpu_mismatch -eq 0 ]; then if [ $cpu_mismatch -eq 0 ]; then
pstatus green YES pstatus green YES
@ -2864,7 +2827,7 @@ check_cpu()
pstatus yellow NO pstatus yellow NO
fi fi
_info_nol " * CPU explicitly indicates not being vulnerable to TSX Asynchronous Abort (TAA_NO): " _info_nol " * CPU explicitly indicates not being vulnerable to TSX Asynchrnonous Abort (TAA_NO): "
if [ "$capabilities_taa_no" = -1 ]; then if [ "$capabilities_taa_no" = -1 ]; then
pstatus yellow UNKNOWN pstatus yellow UNKNOWN
elif [ "$capabilities_taa_no" = 1 ]; then elif [ "$capabilities_taa_no" = 1 ]; then
@ -2872,67 +2835,6 @@ check_cpu()
else else
pstatus yellow NO pstatus yellow NO
fi fi
_info_nol " * CPU explicitly indicates not being vulnerable to iTLB Multihit (PSCHANGE_MSC_NO): "
if [ "$capabilities_pschange_msc_no" = -1 ]; then
pstatus yellow UNKNOWN
elif [ "$capabilities_pschange_msc_no" = 1 ]; then
pstatus green YES
else
pstatus yellow NO
fi
_info_nol " * CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR): "
if [ "$capabilities_tsx_ctrl_msr" = -1 ]; then
pstatus yellow UNKNOWN
elif [ "$capabilities_tsx_ctrl_msr" = 1 ]; then
pstatus green YES
else
pstatus yellow NO
fi
if [ "$capabilities_tsx_ctrl_msr" = 1 ]; then
read_msr 0x122 0; ret=$?
if [ "$ret" = 0 ]; then
tsx_ctrl_msr=$read_msr_value
tsx_ctrl_msr_rtm_disable=$(( tsx_ctrl_msr >> 0 & 1 ))
tsx_ctrl_msr_cpuid_clear=$(( tsx_ctrl_msr >> 1 & 1 ))
fi
_info_nol " * TSX_CTRL MSR indicates TSX RTM is disabled: "
if [ "$tsx_ctrl_msr_rtm_disable" = 1 ]; then
pstatus blue YES
elif [ "$tsx_ctrl_msr_rtm_disable" = 0 ]; then
pstatus blue NO
else
pstatus yellow UNKNOWN "couldn't read MSR"
fi
_info_nol " * TSX_CTRL MSR indicates TSX CPUID bit is cleared: "
if [ "$tsx_ctrl_msr_cpuid_clear" = 1 ]; then
pstatus blue YES
elif [ "$tsx_ctrl_msr_cpuid_clear" = 0 ]; then
pstatus blue NO
else
pstatus yellow UNKNOWN "couldn't read MSR"
fi
fi
fi
_info_nol " * CPU supports Transactional Synchronization Extensions (TSX): "
ret=1
cpuid_rtm=0
if is_intel; then
read_cpuid 0x7 $EDX 11 1 1; ret=$?
fi
if [ $ret -eq 0 ]; then
cpuid_rtm=1
pstatus green YES
elif [ $ret -eq 2 ]; then
cpuid_rtm=-1
pstatus yellow UNKNOWN "is cpuid kernel module available?"
else
pstatus yellow NO
fi fi
_info_nol " * CPU supports Software Guard Extensions (SGX): " _info_nol " * CPU supports Software Guard Extensions (SGX): "
@ -3016,52 +2918,6 @@ check_redhat_canonical_spectre()
fi fi
} }
check_has_vmm()
{
_info_nol "* This system is a host running a hypervisor: "
has_vmm=$opt_vmm
if [ "$has_vmm" = -1 ] && [ "$opt_paranoid" = 1 ]; then
# In paranoid mode, if --vmm was not specified on the command-line,
# we want to be secure before everything else, so assume we're running
# a hypervisor, as this requires more mitigations
has_vmm=2
elif [ "$has_vmm" = -1 ]; then
# Here, we want to know if we are hosting a hypervisor, and running some VMs on it.
# If we find no evidence that this is the case, assume we're not (to avoid scaring users),
# this can always be overridden with --vmm in any case.
has_vmm=0
if command -v pgrep >/dev/null 2>&1; then
# remove xenbus and xenwatch, also present inside domU
# remove libvirtd as it can also be used to manage containers and not VMs
if pgrep qemu >/dev/null || pgrep kvm >/dev/null || \
pgrep xenstored >/dev/null || pgrep xenconsoled >/dev/null; then
has_vmm=1
fi
else
# ignore SC2009 as `ps ax` is actually used as a fallback if `pgrep` isn't installed
# shellcheck disable=SC2009
if ps ax | grep -vw grep | grep -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e '/xenstored' -e '/xenconsoled'; then
has_vmm=1
fi
fi
fi
if [ "$has_vmm" = 0 ]; then
if [ "$opt_vmm" != -1 ]; then
pstatus green NO "forced from command line"
else
pstatus green NO
fi
else
if [ "$opt_vmm" != -1 ]; then
pstatus blue YES "forced from command line"
elif [ "$has_vmm" = 2 ]; then
pstatus blue YES "paranoid mode"
else
pstatus blue YES
fi
fi
}
################### ###################
# SPECTRE 1 SECTION # SPECTRE 1 SECTION
@ -4330,8 +4186,7 @@ check_CVE_2018_3639_bsd()
pvulnstatus $cve OK "SSBD mitigates the vulnerability" pvulnstatus $cve OK "SSBD mitigates the vulnerability"
elif [ -n "$cpuid_ssbd" ]; then elif [ -n "$cpuid_ssbd" ]; then
if [ "$kernel_ssb" = 1 ]; then if [ "$kernel_ssb" = 1 ]; then
pvulnstatus $cve VULN "you need to enable SSBD through sysctl to mitigate the vulnerability" pvulnstatus $cve VULN "you need to enable ssbd through sysctl to mitigate the vulnerability"
explain "To enable SSBD right now, you can run \`sysctl hw.spec_store_bypass_disable=2'. To make this change persistent across reboots, you can add 'sysctl hw.spec_store_bypass_disable=2' to /etc/sysctl.conf."
else else
pvulnstatus $cve VULN "your kernel needs to be updated" pvulnstatus $cve VULN "your kernel needs to be updated"
fi fi
@ -4355,7 +4210,7 @@ check_CVE_2018_3615()
_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
_info_nol "* CPU microcode mitigates the vulnerability: " _info_nol "* CPU microcode mitigates the vulnerability: "
if { [ "$cpu_flush_cmd" = 1 ] || { [ "$msr_locked_down" = 1 ] && [ "$cpuid_l1df" = 1 ]; }; } && [ "$cpuid_sgx" = 1 ]; then if ( [ "$cpu_flush_cmd" = 1 ] || ( [ "$msr_locked_down" = 1 ] && [ "$cpuid_l1df" = 1 ] ) ) && [ "$cpuid_sgx" = 1 ]; then
# no easy way to detect a fixed SGX but we know that # no easy way to detect a fixed SGX but we know that
# microcodes that have the FLUSH_CMD MSR also have the # microcodes that have the FLUSH_CMD MSR also have the
# fixed SGX (for CPUs that support it), because Intel # fixed SGX (for CPUs that support it), because Intel
@ -4374,7 +4229,7 @@ check_CVE_2018_3615()
if ! is_cpu_vulnerable "$cve"; then if ! is_cpu_vulnerable "$cve"; then
# override status & msg in case CPU is not vulnerable after all # override status & msg in case CPU is not vulnerable after all
pvulnstatus $cve OK "your CPU vendor reported your CPU model as not vulnerable" pvulnstatus $cve OK "your CPU vendor reported your CPU model as not vulnerable"
elif [ "$cpu_flush_cmd" = 1 ] || { [ "$msr_locked_down" = 1 ] && [ "$cpuid_l1df" = 1 ]; } ; then elif [ "$cpu_flush_cmd" = 1 ] || ( [ "$msr_locked_down" = 1 ] && [ "$cpuid_l1df" = 1 ] ) ; then
pvulnstatus $cve OK "your CPU microcode mitigates the vulnerability" pvulnstatus $cve OK "your CPU microcode mitigates the vulnerability"
else else
pvulnstatus $cve VULN "your CPU supports SGX and the microcode is not up to date" pvulnstatus $cve VULN "your CPU supports SGX and the microcode is not up to date"
@ -4522,7 +4377,48 @@ check_CVE_2018_3646_linux()
fi fi
l1d_mode=-1 l1d_mode=-1
if [ "$opt_sysfs_only" != 1 ]; then if [ "$opt_sysfs_only" != 1 ]; then
check_has_vmm _info_nol "* This system is a host running a hypervisor: "
has_vmm=$opt_vmm
if [ "$has_vmm" = -1 ] && [ "$opt_paranoid" = 1 ]; then
# In paranoid mode, if --vmm was not specified on the command-line,
# we want to be secure before everything else, so assume we're running
# a hypervisor, as this requires more mitigations
has_vmm=2
elif [ "$has_vmm" = -1 ]; then
# Here, we want to know if we are hosting a hypervisor, and running some VMs on it.
# If we find no evidence that this is the case, assume we're not (to avoid scaring users),
# this can always be overridden with --vmm in any case.
has_vmm=0
if command -v pgrep >/dev/null 2>&1; then
# remove xenbus and xenwatch, also present inside domU
# remove libvirtd as it can also be used to manage containers and not VMs
if pgrep qemu >/dev/null || pgrep kvm >/dev/null || \
pgrep xenstored >/dev/null || pgrep xenconsoled >/dev/null; then
has_vmm=1
fi
else
# ignore SC2009 as `ps ax` is actually used as a fallback if `pgrep` isn't installed
# shellcheck disable=SC2009
if ps ax | grep -vw grep | grep -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e '/xenstored' -e '/xenconsoled'; then
has_vmm=1
fi
fi
fi
if [ "$has_vmm" = 0 ]; then
if [ "$opt_vmm" != -1 ]; then
pstatus green NO "forced from command line"
else
pstatus green NO
fi
else
if [ "$opt_vmm" != -1 ]; then
pstatus blue YES "forced from command line"
elif [ "$has_vmm" = 2 ]; then
pstatus blue YES "paranoid mode"
else
pstatus blue YES
fi
fi
_info "* Mitigation 1 (KVM)" _info "* Mitigation 1 (KVM)"
_info_nol " * EPT is disabled: " _info_nol " * EPT is disabled: "
@ -4850,7 +4746,6 @@ check_mds_bsd()
fi fi
else else
pvulnstatus "$cve" VULN "Your microcode and kernel are both up to date for this mitigation, but the mitigation is not active" pvulnstatus "$cve" VULN "Your microcode and kernel are both up to date for this mitigation, but the mitigation is not active"
explain "To enable mitigation, run \`sysctl hw.mds_disable=1'. To make this change persistent across reboots, you can add 'hw.mds_disable=1' to /etc/sysctl.conf."
fi fi
else else
pvulnstatus "$cve" OK "Your microcode and kernel are both up to date for this mitigation" pvulnstatus "$cve" OK "Your microcode and kernel are both up to date for this mitigation"
@ -5083,95 +4978,6 @@ check_CVE_2019_11135_linux()
fi fi
} }
#######################
# iTLB Multihit section
check_CVE_2018_12207()
{
cve='CVE-2018-12207'
_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
if [ "$os" = Linux ]; then
check_CVE_2018_12207_linux
#elif echo "$os" | grep -q BSD; then
# check_CVE_2018_12207_bsd
else
_warn "Unsupported OS ($os)"
fi
}
check_CVE_2018_12207_linux()
{
status=UNK
sys_interface_available=0
msg=''
if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/itlb_multihit"; then
# this kernel has the /sys interface, trust it over everything
sys_interface_available=1
fi
if [ "$opt_sysfs_only" != 1 ]; then
check_has_vmm
_info_nol "* iTLB Multihit mitigation is supported by kernel: "
kernel_itlbmh=''
if [ -n "$kernel_err" ]; then
kernel_itlbmh_err="$kernel_err"
# commit 5219505fcbb640e273a0d51c19c38de0100ec5a9
elif grep -q 'itlb_multihit' "$kernel"; then
kernel_itlbmh="found itlb_multihit in kernel image"
fi
if [ -n "$kernel_itlbmh" ]; then
pstatus green YES "$kernel_itlbmh"
elif [ -n "$kernel_itlbmh_err" ]; then
pstatus yellow UNKNOWN "$kernel_itlbmh_err"
else
pstatus yellow NO
fi
_info_nol "* iTLB Multihit mitigation enabled and active: "
if [ "$opt_live" = 1 ]; then
if [ -n "$fullmsg" ]; then
if echo "$fullmsg" | grep -qF 'Mitigation'; then
pstatus green YES "$fullmsg"
else
pstatus yellow NO
fi
else
pstatus yellow NO "itlb_multihit not found in sysfs hierarchy"
fi
else
pstatus blue N/A "not testable in offline mode"
fi
elif [ "$sys_interface_available" = 0 ]; then
# we have no sysfs but were asked to use it only!
msg="/sys vulnerability interface use forced, but it's not available!"
status=UNK
fi
if ! is_cpu_vulnerable "$cve" ; then
# override status & msg in case CPU is not vulnerable after all
pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not vulnerable"
elif [ "$has_vmm" = 0 ]; then
pvulnstatus "$cve" OK "this system is not running a hypervisor"
elif [ -z "$msg" ]; then
# if msg is empty, sysfs check didn't fill it, rely on our own test
if [ "$opt_live" = 1 ]; then
# if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old
pvulnstatus $cve VULN "Your kernel doesn't support iTLB Multihit mitigation, update it"
else
if [ -n "$kernel_itlbmh" ]; then
pvulnstatus $cve OK "Your kernel supports iTLB Multihit mitigation"
else
pvulnstatus $cve VULN "Your kernel doesn't support iTLB Multihit mitigation, update it"
fi
fi
else
pvulnstatus $cve "$status" "$msg"
fi
}
#######################
# END OF VULNS SECTIONS
if [ "$opt_no_hw" = 0 ] && [ -z "$opt_arch_prefix" ]; then if [ "$opt_no_hw" = 0 ] && [ -z "$opt_arch_prefix" ]; then
check_cpu check_cpu
check_cpu_vulnerabilities check_cpu_vulnerabilities