mirror of https://github.com/speed47/spectre-meltdown-checker synced 2025-01-10 13:08:14 +01:00


3 Commits

Author SHA1 Message Date
Stéphane Lesimple
f724f94085 enh: kernel: autodetect customized arch kernels from cmdline 2019-11-17 13:36:52 -08:00
Stéphane Lesimple
dcf540888d enh: mock: implement reading from /proc/cmdline 2019-11-17 13:36:52 -08:00
Stéphane Lesimple
9911c243b2 feat: use --live with --kernel/--config/--map to override file detection in live mode 2019-11-17 13:36:52 -08:00


@ -41,8 +41,9 @@ show_usage()
# shellcheck disable=SC2086 # shellcheck disable=SC2086
cat <<EOF cat <<EOF
Usage: Usage:
Live mode: $(basename $0) [options] [--live] Live mode (auto): $(basename $0) [options]
Offline mode: $(basename $0) [options] [--kernel <kernel_file>] [--config <kernel_config>] [--map <kernel_map_file>] Live mode (manual): $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
Offline mode: $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>
Modes: Modes:
Two modes are available. Two modes are available.
@ -51,12 +52,16 @@ show_usage()
To run under this mode, just start the script without any option (you can also use --live explicitly) To run under this mode, just start the script without any option (you can also use --live explicitly)
Second mode is the "offline" mode, where you can inspect a non-running kernel. Second mode is the "offline" mode, where you can inspect a non-running kernel.
You'll need to specify the location of the kernel file, config and System.map files: This mode is automatically enabled when you specify the location of the kernel file, config and System.map files:
--kernel kernel_file specify a (possibly compressed) Linux or BSD kernel file --kernel kernel_file specify a (possibly compressed) Linux or BSD kernel file
--config kernel_config specify a kernel config file (Linux only) --config kernel_config specify a kernel config file (Linux only)
--map kernel_map_file specify a kernel System.map file (Linux only) --map kernel_map_file specify a kernel System.map file (Linux only)
If you want to use live mode while specifying the location of the kernel, config or map file yourself,
you can add --live to the above options, to tell the script to run in live mode instead of the offline mode,
which is enabled by default when at least one file is specified on the command line.
Options: Options:
--no-color don't use color codes --no-color don't use color codes
--verbose, -v increase verbosity level, possibly several times --verbose, -v increase verbosity level, possibly several times
@ -134,8 +139,7 @@ os=$(uname -s)
opt_kernel='' opt_kernel=''
opt_config='' opt_config=''
opt_map='' opt_map=''
opt_live_explicit=0 opt_live=-1
opt_live=1
opt_no_color=0 opt_no_color=0
opt_batch=0 opt_batch=0
opt_batch_format='text' opt_batch_format='text'
@ -796,22 +800,19 @@ while [ -n "$1" ]; do
opt_kernel=$(parse_opt_file kernel "$2"); ret=$? opt_kernel=$(parse_opt_file kernel "$2"); ret=$?
[ $ret -ne 0 ] && exit 255 [ $ret -ne 0 ] && exit 255
shift 2 shift 2
opt_live=0
elif [ "$1" = "--config" ]; then elif [ "$1" = "--config" ]; then
opt_config=$(parse_opt_file config "$2"); ret=$? opt_config=$(parse_opt_file config "$2"); ret=$?
[ $ret -ne 0 ] && exit 255 [ $ret -ne 0 ] && exit 255
shift 2 shift 2
opt_live=0
elif [ "$1" = "--map" ]; then elif [ "$1" = "--map" ]; then
opt_map=$(parse_opt_file map "$2"); ret=$? opt_map=$(parse_opt_file map "$2"); ret=$?
[ $ret -ne 0 ] && exit 255 [ $ret -ne 0 ] && exit 255
shift 2 shift 2
opt_live=0
elif [ "$1" = "--arch-prefix" ]; then elif [ "$1" = "--arch-prefix" ]; then
opt_arch_prefix="$2" opt_arch_prefix="$2"
shift 2 shift 2
elif [ "$1" = "--live" ]; then elif [ "$1" = "--live" ]; then
opt_live_explicit=1 opt_live=1
shift shift
elif [ "$1" = "--no-color" ]; then elif [ "$1" = "--no-color" ]; then
opt_no_color=1 opt_no_color=1
@ -954,6 +955,15 @@ if [ "$opt_no_hw" = 1 ] && [ "$opt_hw_only" = 1 ]; then
exit 255 exit 255
fi fi
if [ "$opt_live" = -1 ]; then
if [ -n "$opt_kernel" ] || [ -n "$opt_config" ] || [ -n "$opt_map" ]; then
# no --live specified and we have a least one of the kernel/config/map files on the cmdline: offline mode
opt_live=0
else
opt_live=1
fi
fi
# print status function # print status function
pstatus() pstatus()
{ {
@ -1711,6 +1721,23 @@ is_latest_known_ucode()
return 2 return 2
} }
get_cmdline()
{
if [ -n "$kernel_cmdline" ]; then
return
fi
if [ -n "$SMC_MOCK_CMDLINE" ]; then
mocked=1
_debug "get_cmdline: using mocked cmdline '$SMC_MOCK_CMDLINE'"
kernel_cmdline="$SMC_MOCK_CMDLINE"
return
else
kernel_cmdline=$(cat "$procfs/cmdline")
mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_CMDLINE='$kernel_cmdline'")
fi
}
# ENTRYPOINT # ENTRYPOINT
# we can't do anything useful under WSL # we can't do anything useful under WSL
@ -1722,13 +1749,6 @@ if uname -a | grep -qE -- '-Microsoft #[0-9]+-Microsoft '; then
fi fi
# check for mode selection inconsistency # check for mode selection inconsistency
if [ "$opt_live_explicit" = 1 ]; then
if [ -n "$opt_kernel" ] || [ -n "$opt_config" ] || [ -n "$opt_map" ]; then
show_usage
echo "$0: error: incompatible modes specified, use either --live or --kernel/--config/--map" >&2
exit 255
fi
fi
if [ "$opt_hw_only" = 1 ]; then if [ "$opt_hw_only" = 1 ]; then
if [ "$opt_cve_all" = 0 ]; then if [ "$opt_cve_all" = 0 ]; then
show_usage show_usage
@ -1782,6 +1802,8 @@ if echo "$os" | grep -q BSD; then
fi fi
parse_cpu_details parse_cpu_details
get_cmdline
if [ "$opt_live" = 1 ]; then if [ "$opt_live" = 1 ]; then
# root check (only for live mode, for offline mode, we already checked if we could read the files) # root check (only for live mode, for offline mode, we already checked if we could read the files)
if [ "$(id -u)" -ne 0 ]; then if [ "$(id -u)" -ne 0 ]; then
@ -1795,9 +1817,12 @@ if [ "$opt_live" = 1 ]; then
_info "CPU is \033[35m$cpu_friendly_name\033[0m" _info "CPU is \033[35m$cpu_friendly_name\033[0m"
# try to find the image of the current running kernel # try to find the image of the current running kernel
if [ -n "$opt_kernel" ]; then
# specified by user on cmdline, with --live, don't override
:
# first, look for the BOOT_IMAGE hint in the kernel cmdline # first, look for the BOOT_IMAGE hint in the kernel cmdline
if [ -r "$procfs/cmdline" ] && grep -q 'BOOT_IMAGE=' "$procfs/cmdline"; then elif echo "$kernel_cmdline" | grep -q 'BOOT_IMAGE='; then
opt_kernel=$(grep -Eo 'BOOT_IMAGE=[^ ]+' "$procfs/cmdline" | cut -d= -f2) opt_kernel=$(echo "$kernel_cmdline" | grep -Eo 'BOOT_IMAGE=[^ ]+' | cut -d= -f2)
_debug "found opt_kernel=$opt_kernel in $procfs/cmdline" _debug "found opt_kernel=$opt_kernel in $procfs/cmdline"
# if the boot partition is within a btrfs subvolume, strip the subvolume name # if the boot partition is within a btrfs subvolume, strip the subvolume name
# if /boot is a separate subvolume, the remainder of the code in this section should handle it # if /boot is a separate subvolume, the remainder of the code in this section should handle it
@ -1840,10 +1865,19 @@ if [ "$opt_live" = 1 ]; then
str_uname=$(uname -r) str_uname=$(uname -r)
clear_linux_kernel="/lib/kernel/org.clearlinux.${str_uname##*.}.${str_uname%.*}" clear_linux_kernel="/lib/kernel/org.clearlinux.${str_uname##*.}.${str_uname%.*}"
[ -e "$clear_linux_kernel" ] && opt_kernel=$clear_linux_kernel [ -e "$clear_linux_kernel" ] && opt_kernel=$clear_linux_kernel
# Custom Arch seems to have the kernel path in its cmdline in the form "\directory\kernelimage",
# with actual \'s instead of /'s:
custom_arch_kernel=$(echo "$kernel_cmdline" | grep -Eo "(^|\s)\\\\[\\\\a-zA-Z0-9_.-]+" | tr "\\\\" "/" | tr -d '[:space:]')
if [ -n "$custom_arch_kernel" ] && [ -e "$custom_arch_kernel" ]; then
opt_kernel="$custom_arch_kernel"
fi
fi fi
# system.map # system.map
if [ -e "$procfs/kallsyms" ] ; then if [ -n "$opt_map" ]; then
# specified by user on cmdline, with --live, don't override
:
elif [ -e "$procfs/kallsyms" ] ; then
opt_map="$procfs/kallsyms" opt_map="$procfs/kallsyms"
elif [ -e "/lib/modules/$(uname -r)/System.map" ] ; then elif [ -e "/lib/modules/$(uname -r)/System.map" ] ; then
opt_map="/lib/modules/$(uname -r)/System.map" opt_map="/lib/modules/$(uname -r)/System.map"
@ -1854,7 +1888,10 @@ if [ "$opt_live" = 1 ]; then
fi fi
# config # config
if [ -e "$procfs/config.gz" ] ; then if [ -n "$opt_config" ]; then
# specified by user on cmdline, with --live, don't override
:
elif [ -e "$procfs/config.gz" ] ; then
dumped_config="$(mktemp /tmp/config-XXXXXX)" dumped_config="$(mktemp /tmp/config-XXXXXX)"
gunzip -c "$procfs/config.gz" > "$dumped_config" gunzip -c "$procfs/config.gz" > "$dumped_config"
# dumped_config will be deleted at the end of the script # dumped_config will be deleted at the end of the script
@ -3755,7 +3792,7 @@ check_CVE_2017_5754_linux()
if [ -n "$kpti_support" ]; then if [ -n "$kpti_support" ]; then
if [ -e "/sys/kernel/debug/x86/pti_enabled" ]; then if [ -e "/sys/kernel/debug/x86/pti_enabled" ]; then
explain "Your kernel supports PTI but it's disabled, you can enable it with \`echo 1 > /sys/kernel/debug/x86/pti_enabled\`" explain "Your kernel supports PTI but it's disabled, you can enable it with \`echo 1 > /sys/kernel/debug/x86/pti_enabled\`"
elif grep -q -w -e nopti -e pti=off "$procfs/cmdline"; then elif echo "$kernel_cmdline" | grep -q -w -e nopti -e pti=off; then
explain "Your kernel supports PTI but it has been disabled on command-line, remove the nopti or pti=off option from your bootloader configuration" explain "Your kernel supports PTI but it has been disabled on command-line, remove the nopti or pti=off option from your bootloader configuration"
else else
explain "Your kernel supports PTI but it has been disabled, check \`dmesg\` right after boot to find clues why the system disabled it" explain "Your kernel supports PTI but it has been disabled, check \`dmesg\` right after boot to find clues why the system disabled it"
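Review bot: In the `@ -1711,6 +1721,23 @@` hunk, `get_cmdline` reads `$procfs/cmdline` with a bare `cat`, dropping the `[ -r "$procfs/cmdline" ]` guard that the replaced BOOT_IMAGE test had, and it is called before the `opt_live` branch, so it also runs in offline mode and apparently after the BSD block, where that file may not exist. I would guard the read, e.g. `[ -r "$procfs/cmdline" ] && kernel_cmdline=$(cat "$procfs/cmdline")`. The same function appends the value to `mockme` through `printf "%b\n%b"`, which expands backslash escapes in the data: a cmdline of the `\directory\kernelimage` form that the custom-Arch hunk targets would be altered there, and a single quote in the cmdline would break the `SMC_MOCK_CMDLINE='...'` quoting, so the recorded mock may not reproduce the host's cmdline. Formatting the new entry with `%s` (`printf "%b\n%s" "$mockme" "SMC_MOCK_CMDLINE='$kernel_cmdline'"`) keeps it verbatim, assuming `mockme` is not expanded with `%b` again where it is printed, which is outside this page.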