authorStéphane Lesimple <speed47_github@speed47.net>2018-01-14 18:33:01 +0100
committerStéphane Lesimple <speed47_github@speed47.net>2018-01-14 22:31:21 +0100
commitb89d67dd153acc6ad1d274ebbb6749b789347e2c (patch)
treed415f8bc894493d191b2463913357ffaeffe5c35
parent704e54019a6b589bf7679957d678a9f427f6e5d2 (diff)
meltdown: detecting Xen PV, reporting as not vulnerable
-rwxr-xr-xspectre-meltdown-checker.sh23
1 files changed, 22 insertions, 1 deletions
diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
index da5dfda..e62fa6e 100755
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
@@ -8,7 +8,7 @@
#
# Stephane Lesimple
#
-VERSION=0.30
+VERSION=0.30+xen-test1
show_usage()
{
@@ -1013,6 +1013,25 @@ check_variant3()
pstatus blue NO 'no security impact but performance will be degraded with PTI'
fi
fi
+
+ if [ "$opt_live" = 1 ]; then
+ # checking whether we're running under Xen PV 64 bits. If yes, we're not affected by variant3
+ _info_nol "* Checking if we're running under Xen PV (64 bits): "
+ if [ "$(uname -m)" = "x86_64" ]; then
+ # XXX do we have a better way that relying on dmesg?
+ if dmesg | grep -q 'Booting paravirtualized kernel on Xen$' ; then
+ pstatus green YES 'Xen PV is not vulnerable'
+ xen_pv=1
+ elif [ -r /var/log/dmesg ] && grep -q 'Booting paravirtualized kernel on Xen$' /var/log/dmesg; then
+ pstatus green YES 'Xen PV is not vulnerable'
+ xen_pv=1
+ else
+ pstatus blue NO
+ fi
+ else
+ pstatus blue NO
+ fi
+ fi
fi
# if we have the /sys interface, don't even check is_cpu_vulnerable ourselves, the kernel already does it
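Review bot: `xen_pv` is assigned only in the two positive branches and nothing in this hunk resets it, so a value inherited from the environment, or left by a code path outside the hunk, would reach the later `[ "$xen_pv" = 1 ]` test and yield an OK verdict without any detection having run. Adding `xen_pv=0` just before `if [ "$opt_live" = 1 ]; then` closes that. The detection also depends on a boot banner in the kernel log, which may have rotated out of the ring buffer or be unreadable to the calling user; that case falls through to NO and so fails toward reporting VULN, but the bare `pstatus blue NO` would be clearer as `pstatus blue NO 'Xen PV boot banner not found in dmesg'`. The two identical YES branches could also be merged with `||` so the status text lives in one place. check_variant3 begins and ends outside this hunk.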
@@ -1025,6 +1044,8 @@ check_variant3()
if [ "$opt_live" = 1 ]; then
if [ "$kpti_enabled" = 1 ]; then
pvulnstatus $cve OK "PTI mitigates the vulnerability"
+ elif [ "$xen_pv" = 1 ]; then
+ pvulnstatus $cve OK "Xen PV 64 bits is not vulnerable"
else
pvulnstatus $cve VULN "PTI is needed to mitigate the vulnerability"
fi
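Review bot: The new `elif` turns a single kernel-log string match into a final OK for `$cve`, and the message "Xen PV 64 bits is not vulnerable" states that without qualification. The only thing checked is the guest kernel's boot banner; nothing visible here looks at the hypervisor, so the verdict is best read as covering the guest's own kernel/user boundary, which is presumably the intent but worth confirming. A comment above the branch such as `# OK rests only on the dmesg Xen PV banner; hypervisor state is not checked` would keep that limitation visible to maintainers. The new line also copies the unquoted `$cve` from its neighbours; `"$cve"` would be safer. The enclosing function continues outside the hunk.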