-rwxr-xr-xspectre-meltdown-checker.sh47
1 files changed, 39 insertions, 8 deletions
diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
index 1ede439..93b93a1 100755
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
@@ -1,7 +1,7 @@
#! /bin/sh
# Spectre & Meltdown checker
# Stephane Lesimple
-VERSION=0.13
+VERSION=0.15
# print status function
pstatus()
@@ -213,14 +213,12 @@ case "$ibrs_enabled" in
"") [ "$ibrs_supported" = 1 ] && pstatus yellow UNKNOWN || pstatus red NO;;
0 | 1) pstatus red NO;;
2) pstatus green YES;;
- *) pstatus yellow unknown;;
+ *) pstatus yellow UNKNOWN;;
esac
/bin/echo "* Mitigation 2"
-/bin/echo -n "* Kernel compiled with retpolines: "
+/bin/echo -n "* Kernel compiled with retpoline option: "
# We check the RETPOLINE kernel options
-# XXX this doesn't mean the kernel has been compiled with a retpoline-aware gcc
-# still looking for a way do detect that ...
if [ -e /proc/config.gz ]; then
# either the running kernel exports his own config
if zgrep -q '^CONFIG_RETPOLINE=y' /proc/config.gz; then
@@ -241,15 +239,48 @@ else
pstatus yellow UNKNOWN "couldn't read your kernel configuration"
fi
+/bin/echo -n "* Kernel compiled with a retpoline-aware compiler: "
+# Now check if the compiler used to compile the kernel knows how to insert retpolines in generated asm
+# For gcc, this is -mindirect-branch=thunk-extern (detected by the kernel makefiles)
+# See gcc commit https://github.com/hjl-tools/gcc/commit/23b517d4a67c02d3ef80b6109218f2aadad7bd79
+# In latest retpoline LKML patches, the noretpoline_setup symbol exists only if CONFIG_RETPOLINE is set
+# *AND* if the compiler is retpoline-compliant, so look for that symbol
+if [ -n "$vmlinux" ]; then
+ # look for the symbol
+ if [ -e /boot/System.map-$(uname -r) ]; then
+ if grep -qw noretpoline_setup /boot/System.map-$(uname -r); then
+ retpoline_compiler=1
+ pstatus green YES "noretpoline_setup symbol found in System.map"
+ fi
+ elif which nm >/dev/null 2>&1; then
+ # the proper way: use nm and look for the symbol
+ if nm "$vmlinux" 2>/dev/null | grep -qw 'noretpoline_setup'; then
+ retpoline_compiler=1
+ pstatus green YES "noretpoline_setup symbol found in vmlinux"
+ fi
+ elif grep -q noretpoline_setup "$vmlinux"; then
+ # if we don't have nm, nevermind, the symbol name is long enough to not have
+ # any false positive using good old grep directly on the binary
+ retpoline_compiler=1
+ pstatus green YES "noretpoline_setup symbol found in vmlinux"
+ fi
+ if [ "$retpoline_compiler" != 1 ]; then
+ pstatus red NO
+ fi
+else
+ pstatus yellow UNKNOWN "couldn't find your kernel image"
+fi
+
+
/bin/echo -ne "> \033[46m\033[30mSTATUS:\033[0m "
if grep -q AMD /proc/cpuinfo; then
pstatus green "NOT VULNERABLE" "your CPU is not vulnerable as per the vendor"
elif [ "$ibrs_enabled" = 1 -o "$ibrs_enabled" = 2 ]; then
pstatus green "NOT VULNERABLE" "IBRS mitigates the vulnerability"
-elif [ "$retpoline" = 1 ]; then
- pstatus green "NOT VULNERABLE" "retpolines mitigate the vulnerability"
+elif [ "$retpoline" = 1 -a "$retpoline_compiler" = 1 ]; then
+ pstatus green "NOT VULNERABLE" "retpoline mitigate the vulnerability"
else
- pstatus red VULNERABLE "IBRS hardware + kernel support OR kernel with retpolines are needed to mitigate the vulnerability"
+ pstatus red VULNERABLE "IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability"
fi
##########
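Review bot: The System.map branch at L47-L51 short-circuits the whole detection: when `/boot/System.map-$(uname -r)` exists but does not contain `noretpoline_setup`, the `elif` arms for `nm` and the raw grep on `$vmlinux` are never tried, and the script reports NO even though it found a kernel image — the System.map should be a first attempt that falls through, not an exclusive branch. The `NO` verdict also feeds straight into the VULNERABLE status at L79-L83, and the comment at L43-L44 itself notes the symbol only exists in the latest patch series, so a kernel carrying an older or backported retpoline patch set would be reported as unmitigated; the red line should say why, e.g. `pstatus red NO "noretpoline_setup symbol not found (absent on kernels whose retpoline patches predate it)"`. How `$vmlinux` is located is outside this hunk; if it can point at a compressed image, the symbol grep cannot succeed there either, which is worth a comment. Suggested restructuring of the detection so each method is tried in turn:
```shell
if [ -n "$vmlinux" ]; then
  sysmap="/boot/System.map-$(uname -r)"
  # cheapest check first, but a miss in System.map must not stop us looking in the image itself
  if [ -e "$sysmap" ] && grep -qw noretpoline_setup "$sysmap"; then
    retpoline_compiler=1
    pstatus green YES "noretpoline_setup symbol found in System.map"
  elif which nm >/dev/null 2>&1 && nm "$vmlinux" 2>/dev/null | grep -qw 'noretpoline_setup'; then
    retpoline_compiler=1
    pstatus green YES "noretpoline_setup symbol found in vmlinux"
  elif grep -q noretpoline_setup "$vmlinux"; then
    # no nm (or a stripped image): the symbol name is long enough to avoid false positives with plain grep
    retpoline_compiler=1
    pstatus green YES "noretpoline_setup symbol found in vmlinux"
  else
    pstatus red NO "noretpoline_setup symbol not found (absent on kernels whose retpoline patches predate it)"
  fi
# … unchanged: else branch reporting UNKNOWN when no kernel image was found …
```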