mirror of
https://github.com/speed47/spectre-meltdown-checker
synced 2025-01-07 03:43:06 +01:00
Compare commits
No commits in common. "a343bccb49ba4755c8a7cc583aff02612886dd95" and "0cd7e1164f1ebcbcc13484fe1b1218f1154ecbb2" have entirely different histories.
a343bccb49
...
0cd7e1164f
@ -11,7 +11,7 @@
|
||||
#
|
||||
# Stephane Lesimple
|
||||
#
|
||||
VERSION='0.43'
|
||||
VERSION='0.42'
|
||||
|
||||
trap 'exit_cleanup' EXIT
|
||||
trap '_warn "interrupted, cleaning up..."; exit_cleanup; exit 1' INT
|
||||
@ -84,14 +84,14 @@ show_usage()
|
||||
--batch prometheus produce output for consumption by prometheus-node-exporter
|
||||
|
||||
--variant VARIANT specify which variant you'd like to check, by default all variants are checked
|
||||
VARIANT can be one of 1, 2, 3, 3a, 4, l1tf, msbds, mfbds, mlpds, mdsum, taa, mcepsc
|
||||
VARIANT can be one of 1, 2, 3, 3a, 4, l1tf, msbds, mfbds, mlpds, mdsum, taa
|
||||
can be specified multiple times (e.g. --variant 2 --variant 3)
|
||||
--cve [cve1,cve2,...] specify which CVE you'd like to check, by default all supported CVEs are checked
|
||||
--hw-only only check for CPU information, don't check for any variant
|
||||
--no-hw skip CPU information and checks, if you're inspecting a kernel not to be run on this host
|
||||
--vmm [auto,yes,no] override the detection of the presence of a hypervisor, default: auto
|
||||
--update-fwdb update our local copy of the CPU microcodes versions database (using the awesome
|
||||
MCExtractor project and the Intel firmwares GitHub repository)
|
||||
--vmm [auto,yes,no] override the detection of the presence of a hypervisor (for CVE-2018-3646), default: auto
|
||||
--update-fwdb update our local copy of the CPU microcodes versions database (using the awesome MCExtractor project
|
||||
and the Intel firmwares GitHub repository)
|
||||
--update-builtin-fwdb same as --update-fwdb but update builtin DB inside the script itself
|
||||
--dump-mock-data used to mimick a CPU on an other system, mainly used to help debugging this script
|
||||
|
||||
@ -393,20 +393,11 @@ is_cpu_vulnerable()
|
||||
[ -z "$variant4" ] && variant4=immune
|
||||
_debug "is_cpu_vulnerable: cpu not affected by speculative store bypass so not vuln to variant4"
|
||||
fi
|
||||
# variant 3a
|
||||
# variant 4a for xeon phi
|
||||
if [ "$cpu_family" = 6 ]; then
|
||||
if [ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNL" ] || [ "$cpu_model" = "$INTEL_FAM6_XEON_PHI_KNM" ]; then
|
||||
_debug "is_cpu_vulnerable: xeon phi immune to variant 3a"
|
||||
[ -z "$variant3a" ] && variant3a=immune
|
||||
elif [ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT" ] || \
|
||||
[ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_MID" ] || \
|
||||
[ "$cpu_model" = "$INTEL_FAM6_ATOM_SILVERMONT_D" ]; then
|
||||
# https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html
|
||||
# https://github.com/speed47/spectre-meltdown-checker/issues/310
|
||||
# => silvermont CPUs (aka cherry lake for tablets and brawsell for mobile/desktop) don't seem to be vulnerable
|
||||
# => goldmont ARE vulnerable
|
||||
_debug "is_cpu_vulnerable: silvermont immune to variant 3a"
|
||||
[ -z "$variant3a" ] && variant3a=immune
|
||||
fi
|
||||
fi
|
||||
# L1TF (RDCL_NO already checked above)
|
||||
@ -1040,9 +1031,8 @@ while [ -n "$1" ]; do
|
||||
mdsum) opt_cve_list="$opt_cve_list CVE-2019-11091"; opt_cve_all=0;;
|
||||
l1tf) opt_cve_list="$opt_cve_list CVE-2018-3615 CVE-2018-3620 CVE-2018-3646"; opt_cve_all=0;;
|
||||
taa) opt_cve_list="$opt_cve_list CVE-2019-11135"; opt_cve_all=0;;
|
||||
mcepsc) opt_cve_list="$opt_cve_list CVE-2018-12207"; opt_cve_all=0;;
|
||||
*)
|
||||
echo "$0: error: invalid parameter '$2' for --variant, expected either 1, 2, 3, 3a, 4, l1tf, msbds, mfbds, mlpds, mdsum, taa or mcepsc" >&2;
|
||||
echo "$0: error: invalid parameter '$2' for --variant, expected either 1, 2, 3, 3a, 4, msbds, mfbds, mlpds, mdsum, taa or l1tf" >&2;
|
||||
exit 255
|
||||
;;
|
||||
esac
|
||||
|
Loading…
Reference in New Issue
Block a user