Compare commits
No commits in common. "a343bccb49ba4755c8a7cc583aff02612886dd95" and "0cd7e1164f1ebcbcc13484fe1b1218f1154ecbb2" have entirely different histories.
a343bccb49
...
0cd7e1164f
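--- a/<file path not shown on page>
+++ b/<file path not shown on page>
@@ -11,7 +11,7 @@
 #
 # Stephane Lesimple
 #
-VERSION='0.43'
+VERSION='0.42'
 
 trap 'exit_cleanup' EXIT
 trap '_warn "interrupted, cleaning up..."; exit_cleanup; exit 1' INT
@@ -84,14 +84,14 @@ show_usage()
 --batch prometheus produce output for consumption by prometheus-node-exporter
 
 --variant VARIANT specify which variant you'd like to check, by default all variants are checked
-VARIANT can be one of 1, 2, 3, 3a, 4, l1tf, msbds, mfbds, mlpds, mdsum, taa, mcepsc
+VARIANT can be one of 1, 2, 3, 3a, 4, l1tf, msbds, mfbds, mlpds, mdsum, taa
 can be specified multiple times (e.g. --variant 2 --variant 3)
 --cve [cve1,cve2,...] specify which CVE you'd like to check, by default all supported CVEs are checked
 --hw-only only check for CPU information, don't check for any variant
 --no-hw skip CPU information and checks, if you're inspecting a kernel not to be run on this host
---vmm [auto,yes,no] override the detection of the presence of a hypervisor, default: auto
---update-fwdb update our local copy of the CPU microcodes versions database (using the awesome
-MCExtractor project and the Intel firmwares GitHub repository)
+--vmm [auto,yes,no] override the detection of the presence of a hypervisor (for CVE-2018-3646), default: auto
+--update-fwdb update our local copy of the CPU microcodes versions database (using the awesome MCExtractor project
+and the Intel firmwares GitHub repository)
 --update-builtin-fwdb same as --update-fwdb but update builtin DB inside the script itself
 --dump-mock-data used to mimick a CPU on an other system, mainly used to help debugging this script
 
@@ -393,20 +393,11 @@ is_cpu_vulnerable()
 [ -z "$variant4" ] && variant4=immune
 _debug "is_cpu_vulnerable: cpu not affected by speculative store bypass so not vuln to variant4"
 fi
-# variant 3a
+# variant 4a for xeon phi
 if [ "$cpu_family" = 6 ]; then
 if [ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNL" ] || [ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNM" ]; then
 _debug "is_cpu_vulnerable: xeon phi immune to variant 3a"
 [ -z "$variant3a" ] && variant3a=immune
-elif [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT" ] || \
-[ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_MID" ] || \
-[ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_D" ]; then
-# https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html
-# https://github.com/speed47/spectre-meltdown-checker/issues/310
-# => silvermont CPUs (aka cherry lake for tablets and brawsell for mobile/desktop) don't seem to be vulnerable
-# => goldmont ARE vulnerable
-_debug "is_cpu_vulnerable: silvermont immune to variant 3a"
-[ -z "$variant3a" ] && variant3a=immune
 fi
 fi
 # L1TF (RDCL_NO already checked above)
@@ -1040,9 +1031,8 @@ while [ -n "$1" ]; do
 mdsum) opt_cve_list="$opt_cve_list CVE-2019-11091"; opt_cve_all=0;;
 l1tf) opt_cve_list="$opt_cve_list CVE-2018-3615 CVE-2018-3620 CVE-2018-3646"; opt_cve_all=0;;
 taa) opt_cve_list="$opt_cve_list CVE-2019-11135"; opt_cve_all=0;;
-mcepsc) opt_cve_list="$opt_cve_list CVE-2018-12207"; opt_cve_all=0;;
 *)
-echo "$0: error: invalid parameter '$2' for --variant, expected either 1, 2, 3, 3a, 4, l1tf, msbds, mfbds, mlpds, mdsum, taa or mcepsc" >&2;
+echo "$0: error: invalid parameter '$2' for --variant, expected either 1, 2, 3, 3a, 4, msbds, mfbds, mlpds, mdsum, taa or l1tf" >&2;
 exit 255
 ;;
 esac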
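Review bot: In the -393,+393 hunk the new-side comment `# variant 4a for xeon phi` heads a block that sets `variant3a=immune` and logs "xeon phi immune to variant 3a", so the label contradicts the code directly under it and will mislead the next reader; it should name the check actually performed, e.g. `# variant 3a (xeon phi)`. The enclosing function is_cpu_vulnerable() starts and ends outside the hunk. A smaller point in the -1040 hunk: the accepted variant names are spelled out in three places on the new side — the case arms, the usage text in show_usage(), and the error message — and the two strings already list them in different orders, so holding the list in one variable and reusing it in both messages would keep them from drifting apart as variants are added or removed.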