mirror of https://github.com/speed47/spectre-meltdown-checker synced 2025-01-10 13:08:14 +01:00

Compare commits


No commits in common. "f724f94085ea5155511e296585be08d1e05b142a" and "cb279a49ecd45a78ceaccb9a85584a80d39f789f" have entirely different histories.


@ -41,9 +41,8 @@ show_usage()
# shellcheck disable=SC2086
cat <<EOF
Usage:
Live mode (auto): $(basename $0) [options]
Live mode (manual): $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
Offline mode: $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>
Live mode: $(basename $0) [options] [--live]
Offline mode: $(basename $0) [options] [--kernel <kernel_file>] [--config <kernel_config>] [--map <kernel_map_file>]
Modes:
Two modes are available.
@ -52,16 +51,12 @@ show_usage()
To run under this mode, just start the script without any option (you can also use --live explicitly)
Second mode is the "offline" mode, where you can inspect a non-running kernel.
This mode is automatically enabled when you specify the location of the kernel file, config and System.map files:
You'll need to specify the location of the kernel file, config and System.map files:
--kernel kernel_file specify a (possibly compressed) Linux or BSD kernel file
--config kernel_config specify a kernel config file (Linux only)
--map kernel_map_file specify a kernel System.map file (Linux only)
If you want to use live mode while specifying the location of the kernel, config or map file yourself,
you can add --live to the above options, to tell the script to run in live mode instead of the offline mode,
which is enabled by default when at least one file is specified on the command line.
Options:
--no-color don't use color codes
--verbose, -v increase verbosity level, possibly several times
@ -139,7 +134,8 @@ os=$(uname -s)
opt_kernel=''
opt_config=''
opt_map=''
opt_live=-1
opt_live_explicit=0
opt_live=1
opt_no_color=0
opt_batch=0
opt_batch_format='text'
@ -800,19 +796,22 @@ while [ -n "$1" ]; do
opt_kernel=$(parse_opt_file kernel "$2"); ret=$?
[ $ret -ne 0 ] && exit 255
shift 2
opt_live=0
elif [ "$1" = "--config" ]; then
opt_config=$(parse_opt_file config "$2"); ret=$?
[ $ret -ne 0 ] && exit 255
shift 2
opt_live=0
elif [ "$1" = "--map" ]; then
opt_map=$(parse_opt_file map "$2"); ret=$?
[ $ret -ne 0 ] && exit 255
shift 2
opt_live=0
elif [ "$1" = "--arch-prefix" ]; then
opt_arch_prefix="$2"
shift 2
elif [ "$1" = "--live" ]; then
opt_live=1
opt_live_explicit=1
shift
elif [ "$1" = "--no-color" ]; then
opt_no_color=1
@ -955,15 +954,6 @@ if [ "$opt_no_hw" = 1 ] && [ "$opt_hw_only" = 1 ]; then
exit 255
fi
if [ "$opt_live" = -1 ]; then
if [ -n "$opt_kernel" ] || [ -n "$opt_config" ] || [ -n "$opt_map" ]; then
# no --live specified and we have a least one of the kernel/config/map files on the cmdline: offline mode
opt_live=0
else
opt_live=1
fi
fi
# print status function
pstatus()
{
@ -1721,23 +1711,6 @@ is_latest_known_ucode()
return 2
}
get_cmdline()
{
if [ -n "$kernel_cmdline" ]; then
return
fi
if [ -n "$SMC_MOCK_CMDLINE" ]; then
mocked=1
_debug "get_cmdline: using mocked cmdline '$SMC_MOCK_CMDLINE'"
kernel_cmdline="$SMC_MOCK_CMDLINE"
return
else
kernel_cmdline=$(cat "$procfs/cmdline")
mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_CMDLINE='$kernel_cmdline'")
fi
}
# ENTRYPOINT
# we can't do anything useful under WSL
@ -1749,6 +1722,13 @@ if uname -a | grep -qE -- '-Microsoft #[0-9]+-Microsoft '; then
fi
# check for mode selection inconsistency
if [ "$opt_live_explicit" = 1 ]; then
if [ -n "$opt_kernel" ] || [ -n "$opt_config" ] || [ -n "$opt_map" ]; then
show_usage
echo "$0: error: incompatible modes specified, use either --live or --kernel/--config/--map" >&2
exit 255
fi
fi
if [ "$opt_hw_only" = 1 ]; then
if [ "$opt_cve_all" = 0 ]; then
show_usage
@ -1802,8 +1782,6 @@ if echo "$os" | grep -q BSD; then
fi
parse_cpu_details
get_cmdline
if [ "$opt_live" = 1 ]; then
# root check (only for live mode, for offline mode, we already checked if we could read the files)
if [ "$(id -u)" -ne 0 ]; then
@ -1817,12 +1795,9 @@ if [ "$opt_live" = 1 ]; then
_info "CPU is \033[35m$cpu_friendly_name\033[0m"
# try to find the image of the current running kernel
if [ -n "$opt_kernel" ]; then
# specified by user on cmdline, with --live, don't override
:
# first, look for the BOOT_IMAGE hint in the kernel cmdline
elif echo "$kernel_cmdline" | grep -q 'BOOT_IMAGE='; then
opt_kernel=$(echo "$kernel_cmdline" | grep -Eo 'BOOT_IMAGE=[^ ]+' | cut -d= -f2)
if [ -r "$procfs/cmdline" ] && grep -q 'BOOT_IMAGE=' "$procfs/cmdline"; then
opt_kernel=$(grep -Eo 'BOOT_IMAGE=[^ ]+' "$procfs/cmdline" | cut -d= -f2)
_debug "found opt_kernel=$opt_kernel in $procfs/cmdline"
# if the boot partition is within a btrfs subvolume, strip the subvolume name
# if /boot is a separate subvolume, the remainder of the code in this section should handle it
@ -1865,19 +1840,10 @@ if [ "$opt_live" = 1 ]; then
str_uname=$(uname -r)
clear_linux_kernel="/lib/kernel/org.clearlinux.${str_uname##*.}.${str_uname%.*}"
[ -e "$clear_linux_kernel" ] && opt_kernel=$clear_linux_kernel
# Custom Arch seems to have the kernel path in its cmdline in the form "\directory\kernelimage",
# with actual \'s instead of /'s:
custom_arch_kernel=$(echo "$kernel_cmdline" | grep -Eo "(^|\s)\\\\[\\\\a-zA-Z0-9_.-]+" | tr "\\\\" "/" | tr -d '[:space:]')
if [ -n "$custom_arch_kernel" ] && [ -e "$custom_arch_kernel" ]; then
opt_kernel="$custom_arch_kernel"
fi
fi
# system.map
if [ -n "$opt_map" ]; then
# specified by user on cmdline, with --live, don't override
:
elif [ -e "$procfs/kallsyms" ] ; then
if [ -e "$procfs/kallsyms" ] ; then
opt_map="$procfs/kallsyms"
elif [ -e "/lib/modules/$(uname -r)/System.map" ] ; then
opt_map="/lib/modules/$(uname -r)/System.map"
@ -1888,10 +1854,7 @@ if [ "$opt_live" = 1 ]; then
fi
# config
if [ -n "$opt_config" ]; then
# specified by user on cmdline, with --live, don't override
:
elif [ -e "$procfs/config.gz" ] ; then
if [ -e "$procfs/config.gz" ] ; then
dumped_config="$(mktemp /tmp/config-XXXXXX)"
gunzip -c "$procfs/config.gz" > "$dumped_config"
# dumped_config will be deleted at the end of the script
@ -3792,7 +3755,7 @@ check_CVE_2017_5754_linux()
if [ -n "$kpti_support" ]; then
if [ -e "/sys/kernel/debug/x86/pti_enabled" ]; then
explain "Your kernel supports PTI but it's disabled, you can enable it with \`echo 1 > /sys/kernel/debug/x86/pti_enabled\`"
elif echo "$kernel_cmdline" | grep -q -w -e nopti -e pti=off; then
elif grep -q -w -e nopti -e pti=off "$procfs/cmdline"; then
explain "Your kernel supports PTI but it has been disabled on command-line, remove the nopti or pti=off option from your bootloader configuration"
else
explain "Your kernel supports PTI but it has been disabled, check \`dmesg\` right after boot to find clues why the system disabled it"
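Review bot: The new `elif grep -q -w -e nopti -e pti=off "$procfs/cmdline"; then` in check_CVE_2017_5754_linux reads the file with no readability guard, while the BOOT_IMAGE lookup on the new side of this same comparison keeps `[ -r "$procfs/cmdline" ] &&` in front of its grep. When the file is missing or unreadable, grep writes an error to stderr and the code falls through to the generic "check `dmesg`" explanation, so the remediation hint can be wrong with no indication why. I would write it as `elif [ -r "$procfs/cmdline" ] && grep -q -w -e nopti -e pti=off "$procfs/cmdline"; then`. With get_cmdline gone, the SMC_MOCK_CMDLINE path is gone too, so this branch apparently can no longer be exercised with a mocked command line. The function body starts and ends outside the hunk, so whether this branch is reachable in offline mode (where it would consult the running host's cmdline rather than the inspected kernel) cannot be confirmed from here.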