mirror of https://github.com/speed47/spectre-meltdown-checker synced 2025-01-05 02:48:41 +01:00

Compare commits


2 Commits

Author SHA1 Message Date
Stéphane Lesimple
f835f4d07d Explain that Enhanced IBRS is better for performance than classic IBRS 2019-08-16 12:53:39 +02:00
Agata Gruza
482d6c200a Enhanced IBRS capabilities
There are two flavors of IBRS: plain and enhanced. This patch tells which flavor of IBRS is in use.
2019-08-16 12:53:39 +02:00


@ -2999,11 +2999,20 @@ check_CVE_2017_5715_linux()
ibrs_fw_enabled=1
fi
# when IBRS is enabled on 4.15+, we can see it in sysfs
# on a more recent kernel, classic "IBRS" is not even longer an option, because of the performance impact.
# only "Enhanced IBRS" is available (on CPUs with the IBRS_ALL flag)
if echo "$fullmsg" | grep -q -e '\<IBRS\>' -e 'Indirect Branch Restricted Speculation'; then
_debug "ibrs: found IBRS in sysfs"
[ -z "$ibrs_supported" ] && ibrs_supported='found IBRS in sysfs'
[ -z "$ibrs_enabled" ] && ibrs_enabled=3
fi
# checking for 'Enhanced IBRS' in sysfs, enabled on CPUs with IBRS_ALL
if echo "$fullmsg" | grep -q -e 'Enhanced IBRS'; then
[ -z "$ibrs_supported" ] && ibrs_supported='found Enhanced IBRS in sysfs'
# 4 isn't actually a valid value of the now extinct "ibrs_enabled" flag file,
# that only went from 0 to 3, so we use 4 as "enhanced ibrs is enabled"
ibrs_enabled=4
fi
fi
# in live mode, if ibrs or ibpb is supported and we didn't find these are enabled, then they are not
[ -n "$ibrs_supported" ] && [ -z "$ibrs_enabled" ] && ibrs_enabled=0
@ -3076,6 +3085,7 @@ check_CVE_2017_5715_linux()
# 1 is enabled only for kernel space
# 2 is enabled for kernel and user space
# 3 is enabled
# 4 is enhanced ibrs enabled
case "$ibrs_enabled" in
0)
if [ "$ibrs_fw_enabled" = 1 ]; then
@ -3087,6 +3097,7 @@ check_CVE_2017_5715_linux()
1) if [ "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel space and firmware code"; else pstatus green YES "for kernel space"; fi;;
2) if [ "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel, user space, and firmware code" ; else pstatus green YES "for both kernel and user space"; fi;;
3) if [ "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel and firmware code"; else pstatus green YES; fi;;
4) pstatus green YES "Enhanced flavor, performance impact will be greatly reduced";;
*) if [ "$cpuid_ibrs" != 'SPEC_CTRL' ] && [ "$cpuid_ibrs" != 'IBRS_SUPPORT' ] && [ "$cpuid_spec_ctrl" != -1 ];
then pstatus yellow NO; _debug "ibrs: known cpu not supporting SPEC-CTRL or IBRS";
else
@ -3297,7 +3308,11 @@ check_CVE_2017_5715_linux()
_warn "IBPB is considered as a good addition to retpoline for Variant 2 mitigation, but your CPU microcode doesn't support it"
fi
elif [ -n "$ibrs_enabled" ] && [ -n "$ibpb_enabled" ] && [ "$ibrs_enabled" -ge 1 ] && [ "$ibpb_enabled" -ge 1 ]; then
pvulnstatus $cve OK "IBRS + IBPB are mitigating the vulnerability"
if [ "$ibrs_enabled" = 4 ]; then
pvulnstatus $cve OK "Enhanced IBRS + IBPB are mitigating the vulnerability"
else
pvulnstatus $cve OK "IBRS + IBPB are mitigating the vulnerability"
fi
elif [ "$ibpb_enabled" = 2 ] && ! is_cpu_smt_enabled; then
pvulnstatus $cve OK "Full IBPB is mitigating the vulnerability"
elif [ -n "$bp_harden" ]; then
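Review bot: The new `4)` arm of the `case "$ibrs_enabled"` statement (third hunk) never consults `$ibrs_fw_enabled`, while arms 1, 2 and 3 all do, so on a system reporting Enhanced IBRS the status line no longer says whether firmware code is covered. The context at the top of the first hunk shows `ibrs_fw_enabled=1` can be set right before the new sysfs check, so both conditions can hold in the same run. I would keep the arm parallel to its siblings, e.g. `4) if [ "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "Enhanced flavor, for kernel and firmware code, performance impact will be greatly reduced"; else pstatus green YES "Enhanced flavor, performance impact will be greatly reduced"; fi;;`. check_CVE_2017_5715_linux starts and ends outside these hunks, so any other test of `ibrs_enabled` against the values 1 to 3 elsewhere in the function may need the same look for the new value 4.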