mirror of
https://github.com/speed47/spectre-meltdown-checker
synced 2025-01-10 13:08:14 +01:00
Compare commits
3 Commits
cb279a49ec
...
f724f94085
Author | SHA1 | Date | |
---|---|---|---|
|
f724f94085 | ||
|
dcf540888d | ||
|
9911c243b2 |
@ -41,8 +41,9 @@ show_usage()
|
||||
# shellcheck disable=SC2086
|
||||
cat <<EOF
|
||||
Usage:
|
||||
Live mode: $(basename $0) [options] [--live]
|
||||
Offline mode: $(basename $0) [options] [--kernel <kernel_file>] [--config <kernel_config>] [--map <kernel_map_file>]
|
||||
Live mode (auto): $(basename $0) [options]
|
||||
Live mode (manual): $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
|
||||
Offline mode: $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>
|
||||
|
||||
Modes:
|
||||
Two modes are available.
|
||||
@ -51,12 +52,16 @@ show_usage()
|
||||
To run under this mode, just start the script without any option (you can also use --live explicitly)
|
||||
|
||||
Second mode is the "offline" mode, where you can inspect a non-running kernel.
|
||||
You'll need to specify the location of the kernel file, config and System.map files:
|
||||
This mode is automatically enabled when you specify the location of the kernel file, config and System.map files:
|
||||
|
||||
--kernel kernel_file specify a (possibly compressed) Linux or BSD kernel file
|
||||
--config kernel_config specify a kernel config file (Linux only)
|
||||
--map kernel_map_file specify a kernel System.map file (Linux only)
|
||||
|
||||
If you want to use live mode while specifying the location of the kernel, config or map file yourself,
|
||||
you can add --live to the above options, to tell the script to run in live mode instead of the offline mode,
|
||||
which is enabled by default when at least one file is specified on the command line.
|
||||
|
||||
Options:
|
||||
--no-color don't use color codes
|
||||
--verbose, -v increase verbosity level, possibly several times
|
||||
@ -134,8 +139,7 @@ os=$(uname -s)
|
||||
opt_kernel=''
|
||||
opt_config=''
|
||||
opt_map=''
|
||||
opt_live_explicit=0
|
||||
opt_live=1
|
||||
opt_live=-1
|
||||
opt_no_color=0
|
||||
opt_batch=0
|
||||
opt_batch_format='text'
|
||||
@ -796,22 +800,19 @@ while [ -n "$1" ]; do
|
||||
opt_kernel=$(parse_opt_file kernel "$2"); ret=$?
|
||||
[ $ret -ne 0 ] && exit 255
|
||||
shift 2
|
||||
opt_live=0
|
||||
elif [ "$1" = "--config" ]; then
|
||||
opt_config=$(parse_opt_file config "$2"); ret=$?
|
||||
[ $ret -ne 0 ] && exit 255
|
||||
shift 2
|
||||
opt_live=0
|
||||
elif [ "$1" = "--map" ]; then
|
||||
opt_map=$(parse_opt_file map "$2"); ret=$?
|
||||
[ $ret -ne 0 ] && exit 255
|
||||
shift 2
|
||||
opt_live=0
|
||||
elif [ "$1" = "--arch-prefix" ]; then
|
||||
opt_arch_prefix="$2"
|
||||
shift 2
|
||||
elif [ "$1" = "--live" ]; then
|
||||
opt_live_explicit=1
|
||||
opt_live=1
|
||||
shift
|
||||
elif [ "$1" = "--no-color" ]; then
|
||||
opt_no_color=1
|
||||
@ -954,6 +955,15 @@ if [ "$opt_no_hw" = 1 ] && [ "$opt_hw_only" = 1 ]; then
|
||||
exit 255
|
||||
fi
|
||||
|
||||
if [ "$opt_live" = -1 ]; then
|
||||
if [ -n "$opt_kernel" ] || [ -n "$opt_config" ] || [ -n "$opt_map" ]; then
|
||||
# no --live specified and we have a least one of the kernel/config/map files on the cmdline: offline mode
|
||||
opt_live=0
|
||||
else
|
||||
opt_live=1
|
||||
fi
|
||||
fi
|
||||
|
||||
# print status function
|
||||
pstatus()
|
||||
{
|
||||
@ -1711,6 +1721,23 @@ is_latest_known_ucode()
|
||||
return 2
|
||||
}
|
||||
|
||||
get_cmdline()
|
||||
{
|
||||
if [ -n "$kernel_cmdline" ]; then
|
||||
return
|
||||
fi
|
||||
|
||||
if [ -n "$SMC_MOCK_CMDLINE" ]; then
|
||||
mocked=1
|
||||
_debug "get_cmdline: using mocked cmdline '$SMC_MOCK_CMDLINE'"
|
||||
kernel_cmdline="$SMC_MOCK_CMDLINE"
|
||||
return
|
||||
else
|
||||
kernel_cmdline=$(cat "$procfs/cmdline")
|
||||
mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_CMDLINE='$kernel_cmdline'")
|
||||
fi
|
||||
}
|
||||
|
||||
# ENTRYPOINT
|
||||
|
||||
# we can't do anything useful under WSL
|
||||
@ -1722,13 +1749,6 @@ if uname -a | grep -qE -- '-Microsoft #[0-9]+-Microsoft '; then
|
||||
fi
|
||||
|
||||
# check for mode selection inconsistency
|
||||
if [ "$opt_live_explicit" = 1 ]; then
|
||||
if [ -n "$opt_kernel" ] || [ -n "$opt_config" ] || [ -n "$opt_map" ]; then
|
||||
show_usage
|
||||
echo "$0: error: incompatible modes specified, use either --live or --kernel/--config/--map" >&2
|
||||
exit 255
|
||||
fi
|
||||
fi
|
||||
if [ "$opt_hw_only" = 1 ]; then
|
||||
if [ "$opt_cve_all" = 0 ]; then
|
||||
show_usage
|
||||
@ -1782,6 +1802,8 @@ if echo "$os" | grep -q BSD; then
|
||||
fi
|
||||
|
||||
parse_cpu_details
|
||||
get_cmdline
|
||||
|
||||
if [ "$opt_live" = 1 ]; then
|
||||
# root check (only for live mode, for offline mode, we already checked if we could read the files)
|
||||
if [ "$(id -u)" -ne 0 ]; then
|
||||
@ -1795,9 +1817,12 @@ if [ "$opt_live" = 1 ]; then
|
||||
_info "CPU is \033[35m$cpu_friendly_name\033[0m"
|
||||
|
||||
# try to find the image of the current running kernel
|
||||
if [ -n "$opt_kernel" ]; then
|
||||
# specified by user on cmdline, with --live, don't override
|
||||
:
|
||||
# first, look for the BOOT_IMAGE hint in the kernel cmdline
|
||||
if [ -r "$procfs/cmdline" ] && grep -q 'BOOT_IMAGE=' "$procfs/cmdline"; then
|
||||
opt_kernel=$(grep -Eo 'BOOT_IMAGE=[^ ]+' "$procfs/cmdline" | cut -d= -f2)
|
||||
elif echo "$kernel_cmdline" | grep -q 'BOOT_IMAGE='; then
|
||||
opt_kernel=$(echo "$kernel_cmdline" | grep -Eo 'BOOT_IMAGE=[^ ]+' | cut -d= -f2)
|
||||
_debug "found opt_kernel=$opt_kernel in $procfs/cmdline"
|
||||
# if the boot partition is within a btrfs subvolume, strip the subvolume name
|
||||
# if /boot is a separate subvolume, the remainder of the code in this section should handle it
|
||||
@ -1840,10 +1865,19 @@ if [ "$opt_live" = 1 ]; then
|
||||
str_uname=$(uname -r)
|
||||
clear_linux_kernel="/lib/kernel/org.clearlinux.${str_uname##*.}.${str_uname%.*}"
|
||||
[ -e "$clear_linux_kernel" ] && opt_kernel=$clear_linux_kernel
|
||||
# Custom Arch seems to have the kernel path in its cmdline in the form "\directory\kernelimage",
|
||||
# with actual \'s instead of /'s:
|
||||
custom_arch_kernel=$(echo "$kernel_cmdline" | grep -Eo "(^|\s)\\\\[\\\\a-zA-Z0-9_.-]+" | tr "\\\\" "/" | tr -d '[:space:]')
|
||||
if [ -n "$custom_arch_kernel" ] && [ -e "$custom_arch_kernel" ]; then
|
||||
opt_kernel="$custom_arch_kernel"
|
||||
fi
|
||||
fi
|
||||
|
||||
# system.map
|
||||
if [ -e "$procfs/kallsyms" ] ; then
|
||||
if [ -n "$opt_map" ]; then
|
||||
# specified by user on cmdline, with --live, don't override
|
||||
:
|
||||
elif [ -e "$procfs/kallsyms" ] ; then
|
||||
opt_map="$procfs/kallsyms"
|
||||
elif [ -e "/lib/modules/$(uname -r)/System.map" ] ; then
|
||||
opt_map="/lib/modules/$(uname -r)/System.map"
|
||||
@ -1854,7 +1888,10 @@ if [ "$opt_live" = 1 ]; then
|
||||
fi
|
||||
|
||||
# config
|
||||
if [ -e "$procfs/config.gz" ] ; then
|
||||
if [ -n "$opt_config" ]; then
|
||||
# specified by user on cmdline, with --live, don't override
|
||||
:
|
||||
elif [ -e "$procfs/config.gz" ] ; then
|
||||
dumped_config="$(mktemp /tmp/config-XXXXXX)"
|
||||
gunzip -c "$procfs/config.gz" > "$dumped_config"
|
||||
# dumped_config will be deleted at the end of the script
|
||||
@ -3755,7 +3792,7 @@ check_CVE_2017_5754_linux()
|
||||
if [ -n "$kpti_support" ]; then
|
||||
if [ -e "/sys/kernel/debug/x86/pti_enabled" ]; then
|
||||
explain "Your kernel supports PTI but it's disabled, you can enable it with \`echo 1 > /sys/kernel/debug/x86/pti_enabled\`"
|
||||
elif grep -q -w -e nopti -e pti=off "$procfs/cmdline"; then
|
||||
elif echo "$kernel_cmdline" | grep -q -w -e nopti -e pti=off; then
|
||||
explain "Your kernel supports PTI but it has been disabled on command-line, remove the nopti or pti=off option from your bootloader configuration"
|
||||
else
|
||||
explain "Your kernel supports PTI but it has been disabled, check \`dmesg\` right after boot to find clues why the system disabled it"
|
||||
|
Loading…
Reference in New Issue
Block a user